This is every consumer’s and business owner’s worst nightmare. One morning you open your email and see that large numbers of checks are bouncing. “That’s odd,” you think. There should be plenty of money in your account. Even though you know that there is money in your account, your heart still skips a few beats.
You remain nervous while waiting for the bank’s phone to answer. Still, you think it is some silly mistake.
There is no mistake. Your account has no funds. Overnight someone transferred all the money out of your account. The money (YOUR money) was wired to some far off place, well beyond the reach of the local police.
Unfortunately, we hear this story frequently. “Can I sue my bank?” is the first question we hear after listening to the story. This post looks at the liability of a bank for unauthorized fund transfers. We hope to help you know whether you have a case against the bank.
Unauthorized Fund Transfers – Consumer
The Electronic Funds Transfer Act (EFTA) governs most consumer electronic banking. Later in this post we discuss commercial fund transfers.
Definition of an Electronic Funds Transfer
According to the Federal Reserve, EFTA covers six types of consumer electronic fund transfers. They are:
• transfers through automated teller machines (ATMs);
• point-of-sale (POS) terminals (these are the credit card readers found in most stores);
• automated clearinghouse (ACH) systems (this includes direct deposit and automatic payroll deposits);
• telephonic payment plans in which periodic or recurring transfers are contemplated;
• remote banking programs; and
• remittance transfers (think international money transfers such as those offered by Western Union or Moneygram).
Liability for Unauthorized Transfer
Assuming the theft or loss came from a personal account, consumers have little to fear if they regularly monitor their account and promptly report problems.
According to EFTA, an “access device” is a “card, code, or other means of access to a consumer’s account or a combination of these used by the consumer to initiate EFTs. Access devices include debit cards, personal identification numbers (PINs), telephone transfer and telephone bill payment codes, and other means to initiate an EFT to or from a consumer account.” (The term “access device” will become important in a minute.)
Please note that conventional checks are not considered to be access devices.
If you lose your “access device” (your PIN number or debit card) and report within 2 days of discovering the loss, your liability is generally limited to $50.
If you report between 2 and 60 days after learning of the loss, your liability is limited to $500. The rules say that once you get a statement, the clock begins ticking whether or not you open your mail or review your statement on line.
If you wait beyond 60 days, your liability may be unlimited. In other words, check your statements!
If there is a loss not involving an access device and you report within 60 days, you have no liability.
Wait more than 60 days and once again your liability is unlimited.
What is an Unauthorized Electronic Fund Transfer?
The EFTA law defines an unauthorized transfer as a transfer initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The two key concepts are “consumer authorization” and benefit to the consumer.
If you give your pin number to your significant other, there is probably no liability on the part of the bank if he or she cleans out the account. If you tell your bank to issue a new PIN number and they delay, however, they become liable. In that scenario, there was no authorization nor did you receive any benefit.
Federal law allows banks to place daily limits on how much money may be electronically transferred from a consumer account. Often the limit is $500 per day. If your account had a balance of tens of thousands of dollars one day and was drained the next, chances are that the theft was done with a cloned credit card. The transactional limits are designed to protect both the banks and the customer.
State and Federal Law
Some states have their own electronic funds transfer laws. Like EFTA, these are laws are generally consumer driven. States can regulate electronic transfers but the federal law generally rules if there is a conflict.
Commercial Accounts and Unauthorized Transfers
The Uniform Commercial Code, adopted by most states, governs wire and ACH transfers from commercial accounts. The general rule is that the bank is responsible if a third party initiates an unauthorized transfer from a customer’s account. There are exceptions to the rule, however.
UCC Article 4A allows the risk of loss to be shifted back to the consumer in two ways.
First, if the bank can show that the person initiating the transfer had actual or apparent authority, the risk of loss is on the customer. Let’s say that your bookkeeper is embezzling money. He or she may have actual and/or apparent authority to access your account. Although you didn’t authorize your assistant to steal money, the bank had the right to assume that she / he had authority to access the account.
In this scenario, the customer’s only recourse may be against the thief. Absent unusual circumstances, the bank probably is not liable.
In the second exception, banks can transfer the risk onto the customer if they can show that the bank and the customer agreed to a security procedure –and- the procedure is commercially reasonable –and- the bank acted in good faith and in compliance with that procedure.
This probably sounds like a bunch of jargon or legalese. So, let’s look at a real example.
Choice Escrow v. BancorpSouth Bank
Choice Escrow is a title company located in Missouri. They maintained a trust account at BancorpSouth Bank. The company used the trust account to receive money from lenders and to pay off sellers of properties and prior lien holders. It was quite common for there to be both frequent and high dollar activity in the account.
In 2010, Internet fraudsters stole $440,000 from Choice. The money was wired to an account in Cypress. No one at Choice had authorized the transfer or even heard of the recipient of the money.
When Choice was not able to track down the missing money, it sued BancorpSouth. The question before the court was quite simple. Who should bear the risk of loss when a wire transfer is fraudulently undertaken by a third-party unconnected to either the issuing bank or its customer.?
After numerous motions, hearings and appeals, the case made its way to the 8th Circuit Court of Appeals in St. Louis. There a three judge panel ruled for the bank. Although the customer lost, the reasoning of the court is quite helpful. It is also a helpful ruling since Missouri adopted the UCC and shares almost the same law as most other states.
In a typical wire transfer, the customer transmits instructions to the bank to transfer money from its account to the account belonging to a third party. This instruction is called the payment order. Because the customer is not physically present at the bank, the bank uses security procedures, such as passwords and PIN numbers, to verify that the person sending the payment order is the customer. Obviously, the procedures in this case failed.
BancorpSouth offered commercial customers four levels of security. These included unique passwords and user names for each of Choice’s employees, device authentication software to insure the bank recognized the computer making the transfer request, daily dollar limits and two party authentication.
Like many commercial customers, Choice only chose the most basic safety controls. Because they rejected some of the security offerings of the bank, BancorpSouth wisely made Choice sign a waiver.
In November of 2009, a year before the unauthorized funds transfer took place, Choice got wind of a phishing scam designed to steal passwords. A Choice manager emailed the bank and asked if the bank could limit wire transfers to foreign banks. A banker promptly responded and said they could not implement such a protocol and reminded Choice that it had previously rejected better options:
“We discussed this when we setup InView and you decided to waive the dual control. Would you like to consider adding it now? This is the best solution, that way if someone in the company is compromised then the hacker would not be able to initiate a wire with just the one user's information.”
You probably know how the story proceeds. One of two authorized employees downloaded malware and contracted a computer virus. Her passwords and authentications were compromised. Hackers were able to initiate a wire and steal $440,000.
In a unanimous decision, the judges ruled that the bank’s security offerings were commercially reasonable. Here, in this case, the customer rejected some of the security offerings of the banks.
Much of the litigation today concerns whether the bank’s security offerings were commercially reasonable. At least one higher court has ruled that a user id and password is not commercially reasonable if it is only backed by challenge questions. Anyone hacking an account or installing malware on a single computer could learn the answers to all the security questions if only one user needed to authenticate a transfer. (This is why BancorpSouth offered two party authentication.)
Lender Liability Lawyers – Lawyers That Sue Banks
Sadly, unauthorized fund transfers are becoming a regular event. Rarely is the money recovered from the thief. This is especially true when the money is wired overseas.
The lender liability lawyers at MahanyLaw and Judge, Lang & Katers concentrate on lawsuits against banks. If you were defrauded by a bank or financial services company, chances are we can help.
Most lender liability lawyers represent the banks. There are few law firms that limit their claims to suing banks. Those that do sue banks often charge $600 or more per hour. We are different, we offer Midwest rates and service but with national reach.
If you were defrauded by a bank, give us a call. Attorney Chris Katers can be reached at [hidden email] or by phone at 414-777-0778. The author of this post, attorney Brian Mahany, can be reached at [hidden email]. All inquiries kept strictly confidential.
[Please note that we get dozens of call each day from people seeking representation on consumer matters. Unfortunately, we do not handle these cases. Our lost threshold is generally $5 million in actual losses but we sometimes make exceptions.]