We finally arrived at judgement day for receiving banks (the entity that receives the payment transaction from the sending bank where the customer has an account that is being defrauded in fraud/scam activity). It is no longer speculation. The decision made in a recent court case may have set a precedent for receiving banks to have to start paying for scam losses in 2023. We are now starting to see a shift in reimbursement for scams affecting receiving banks.
In a surprise opinion, the United States District Court for the Eastern District of Virginia ruled in January 2023 that 1st Advantage Federal Credit Union (1st Advantage) must pay almost $700,000 to Studco Building Systems for a business email compromise (BEC) fraud loss. The credit union is not even the bank for the customer that got scammed with a spoofed email by the fraudster. How did this happen?
The case turned on facts showing that the receiving credit union, 1st Advantage, did not provide commercially reasonable security under the Uniform Commercial Code (UCC) Article 4A and the NACHA Operating Rules for transactions involving a personal account at 1st Advantage. Some of the key points from the court document are outlined below:
- 1st Advantage opened a new personal account for the account in question and did not verify the address.
- The inbound deposits from Studco to 1st Advantage were ACH transactions with a NACHA code of CCD (business-to-business transactions) and sent to a personal account at 1st Advantage.
- The inbound ACH transaction amounts were anomalous for a personal account.
- The inbound ACH transactions, because of the size of each transaction, should have triggered a new account alert.
- 1st Advantage had anti-money laundering software that detected anomalies and these anomalies were ignored.
- The ACH inbound deposit name, Olympic Steel Inc., did not match the name on the personal account at 1st Advantage.
- 1st Advantage alerts on hundreds or thousands of mismatched names daily. Each of the four inbound ACH transactions alerted for name mismatch. No one at 1st Advantage is notified when these alerts are generated.
- The owner of the 1st Advantage account tried to send two international wires, but 1st Advantage was alerted by an OFAC control based on the destination of the wires. 1st Advantage declined to send the wires.
- The 1st Advantage Compliance department started an investigation because of the declined wires.
- Subsequently, the owner of the 1st Advantage account was still able to remove the remaining balances.
Testimony by an expert witness labeled a number of these activities as not commercially reasonable (security) under UCC 4A and the NACHA Operating Rules.
According to the court document, a number of activities were not commercially reasonable, so this case did not hang on just one issue. There was one concerning point brought out by Davis Wright Tremaine LLP attorneys that needs to be mentioned:
“Significantly, there was little indication that 1st Advantage had actual knowledge of such discrepancy (payee name) at the time it accepted the payment orders – rather, such knowledge was imputed to 1st Advantage based on numerous unmonitored alerts generated by its anti-money laundering (AML) software on account opening discrepancies, the fraudulently diverted payments, and their attempted withdrawal by the accountholder, and other commonly known indicia that the account was being used for fraudulent purposes. …. The Studco court's effective reading of a "should have known" standard into the misdescription of beneficiary provision under UCC Article 4A is in sharp contrast to many other courts that have required proof of actual knowledge by the recipient institution of the discrepancy between named payee and actual accountholder at the time the payment was credited to the designated account.”
In additional analysis, Davis Wright Tremaine LLP also warns “sender institutions to consider whether their security procedures for verifying the authenticity of business-to-business payment orders are ‘commercially reasonable’ under UCC 4A.”
Unless the appeals court reverses this opinion, we could see many more BEC fraud loss cases using this approach of suing the receiving bank, and this could be retroactive to a large number of previous BEC cases (subject to the statute of limitations). Remember, in 2022 alone, the FBI’s IC3 2022 report shows $2.7 billion in losses and almost 22,000 cases in the U.S. So, this decision is a potential game changer. And for most of these cases, there has been no reimbursement by the sending bank.
Future Impact on Legislation and Regulatory Requirements
What is unclear is how this court case could affect future thinking for the Consumer Financial Protection Bureau, the FDIC, and future FFIEC online security guidelines.
New changes to reimbursement rules for Zelle transactions have long been anticipated. Effective later this year, in the U.S., Zelle receiving banks will be required to reimburse 100% of funds for selective ‘impersonation’ scams. This could amount to an estimated $50-100 million per year in scam reimbursement. The other Zelle scams will still typically not be reimbursed.
The UK is already taking action. On June 7th, the Payment Systems Regulator (PSR) released its draft approach for requiring APP scam reimbursement in the UK (subject to final legislation later this year). This basically puts the receiving banks and payment companies in the chain of APP scam reimbursement for the first time (as discussed last year). Receiving FIs will be required to pay 50% of all APP scam losses, as defined by the PSR (with sending banks paying the other 50%). This could cost receiving banks in the UK more than £100 million per year, starting in early 2024. The purpose of the split between both sending and receiving banks is for both sides of the transaction to be incentivized to act and improve controls around scam transactions.
Recommendations for Receiving Banks to Implement Better Controls
For receiving banks, the following areas should be fully reviewed and brought up to date to commercially reasonable security to help prevent these types of BEC lawsuits:
- Review online account opening and post-transaction controls
- Review inbound transaction behavioral biometric and anomaly detection controls
- Employ Confirmation of Payee (name matching to receiving account name) controls
- Review NACHA Operating Rules
- Review alert handling
- Ensure AML and Fraud departments are working closely when assessing alerts
- Have a sound money mule detection/removal program
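As an added example (not taken from the court document or from any bank's system), the Python below combines three of the signals the case describes, a CCD entry to a personal account, a payee name mismatch, and a large credit to a new account, so that co-occurring signals hold the credit for review instead of each raising a separate unmonitored alert. The thresholds, field names, account holder name, and amount are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
import re

# Assumed policy values for illustration; not from the case or the NACHA rules.
NEW_ACCOUNT_DAYS = 90        # how long an account counts as "new"
NEW_ACCOUNT_LIMIT = 10_000   # credit size that is unusual for a new account
NAME_MATCH_MIN = 0.80        # minimum similarity to treat names as matching
ESCALATE_AT = 2              # co-occurring signals needed to hold the credit

@dataclass
class Account:
    holder_name: str
    account_type: str        # "personal" or "business"
    age_days: int

@dataclass
class AchCredit:
    sec_code: str            # NACHA Standard Entry Class code, e.g. "CCD", "PPD"
    receiver_name: str       # payee name carried in the inbound entry
    amount: float

def _norm(name):
    # Lowercase, strip punctuation and common company suffixes before comparing.
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    suffixes = {"inc", "llc", "corp", "co", "ltd"}
    return " ".join(t for t in name.split() if t not in suffixes)

def name_similarity(a, b):
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio()

def screen(credit, account):
    """Return (action, signals) for one inbound ACH credit."""
    signals = []
    if credit.sec_code == "CCD" and account.account_type == "personal":
        signals.append("ccd_to_personal_account")
    if name_similarity(credit.receiver_name, account.holder_name) < NAME_MATCH_MIN:
        signals.append("payee_name_mismatch")
    if account.age_days <= NEW_ACCOUNT_DAYS and credit.amount >= NEW_ACCOUNT_LIMIT:
        signals.append("large_credit_to_new_account")
    action = "hold_for_review" if len(signals) >= ESCALATE_AT else "post"
    return action, signals

# Constructed sample: the holder name, account age, and amount are invented.
mule = Account("Jane Q. Sample", "personal", age_days=30)
entry = AchCredit("CCD", "Olympic Steel Inc.", 150_000.00)
print(screen(entry, mule))
```

Requiring two or more signals before a hold is one way to keep the review queue small enough that someone actually works it; a name mismatch alone, which the case notes fires hundreds or thousands of times a day, still posts.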
Summary
It is fair to say that the next year will be tough for receiving banks. Prior to the past 12 months, receiving banks were never even mentioned (or even thought of) as part of scam reimbursement. Now, they are front and center. A worry could be that receiving banks, especially the smaller ones, do not have good controls around inbound transactions, online account opening and money mule detection/mitigation. Thus, decisions like the one mentioned in this blog and other legislative and payment network changes could disproportionately affect smaller institutions.
Time will tell. But, as we always see, the UK will be first in new reporting, with the PSR planning to report APP scam activity reimbursement information in the fall by top sending and receiving banks. This will help explain whether there could be a disparate impact depending on the size of FIs. It is unclear whether similar reporting is on the roadmap for Zelle.