NEWS: Last month, the U.S. Court of Appeals for the Fourth Circuit reversed a district court’s decision holding a credit union liable for a funds transfer in a business email compromise (BEC) scam case where the credit union lacked “actual knowledge” of the mismatch between the account number and beneficiary. The crux of the case involved the application of the Uniform Commercial Code (UCC) Article 4A, which governs the rights and duties of parties involved in funds transfers that involve a misdescription.
Background
In Studco Building Systems US, LLC v. 1st Advantage Credit Union, the plaintiff paid invoices from its longtime supplier using ACH payments. Hackers sent the plaintiff “spoofed” emails, purportedly from the supplier, stating that the supplier was changing banks and directing the plaintiff to make its ACH payments to a new account at the credit union. The plaintiff thereafter sent ACH payments totaling over $550,000 to what it believed was the supplier’s new account but was in fact a personal account held by a longtime individual member of the credit union, who had also been duped by the same scammers. The plaintiff then sued the credit union, claiming that its failure to discover that scammers had misdescribed the account into which the ACH funds were to be deposited violated Virginia Code Section 8.4A-207, which codified Section 4A-207 of the UCC. The plaintiff claimed that if the credit union had maintained sufficient security standards and handled the ACH transfers in a commercially reasonable manner, the loss would have been avoided, specifically because the credit union should have stopped the transfers when the payment orders did not match the name of the payee’s account.
The U.S. District Court for the Eastern District of Virginia ruled in favor of the plaintiff on the misdescription claim. The court determined that the credit union would have discovered the mismatch between the intended payee and the recipient if it had exercised due diligence. Specifically, the district court noted that the credit union 1) opened the account even though doing so triggered an “ID verification warning,” 2) failed to establish a reasonable routine for monitoring the ACH alerts, which were systematically ignored due to their sheer volume, and 3) acted unreasonably in accepting the deposits into the personal account, which was a new account with a small starting balance, followed by multiple high-value commercial transactions.
Fourth Circuit Analysis and Ruling
The credit union appealed the district court’s ruling. In support of the credit union’s appeal, amicus briefs were submitted by multiple credit union trade groups (The Virginia Credit Union League, NAFCU and CUNA (n/k/a America’s Credit Unions)), the Clearing House Association and the National Automated Clearing House Association (NACHA). NACHA’s support of the credit union’s position is noteworthy, because the district court opinion heavily referenced NACHA rules.
The Fourth Circuit reversed the holding of the district court, finding that when a financial institution receives transfers according to the account number specified in the payment order, it has no liability under UCC Section 4A-207 unless the financial institution has actual knowledge of the misdescription. Contrary to the district court’s finding, the Fourth Circuit stressed that “knowledge” in this context means actual, subjective knowledge of an individual, not imputed or constructive knowledge attained by assessing what different facts may have been known by different people across an organization. It was therefore error for the district court to construe “actual knowledge” to mean knowledge that could have been obtained with “due diligence.” In short, the Fourth Circuit held that “should have known” is insufficient for beneficiary bank liability, and the financial institution may accept payments via automated processes as long as the account numbers match.
The Fourth Circuit held that the credit union, as the receiving financial institution, was not liable under § 4A-207 because it did not have actual knowledge of the misdescription at the time funds were received via ACH transfer. The court found that the credit union had no duty to verify that the name and number matched and that even though the credit union’s automated system generated internal alerts regarding the misdescription, this did not constitute actual knowledge. The credit union received the funds through the ACH system and automatically deposited them into the account, without any human intervention, as it was entitled to do under the UCC. It was not the credit union’s custom to review its system-generated reports, nor would it have been practical to review them, as they numbered in the hundreds to thousands each day. Instead, the credit union relied on the account number that the business provided, in accordance with the Uniform Commercial Code, and correctly deposited the funds into that account. Because the credit union had no actual knowledge of the misdescription at the time the deposits were made, it incurred no liability for making the deposits.
The Fourth Circuit explained that “[a]llowing the beneficiary bank to deposit transferred funds automatically, based only on account number, promotes efficiency and certainty to the system. Thus, if the beneficiary’s bank deposits the funds into the account associated with the number designated in the payment order and it has no knowledge of any misdescription at the time of the deposit, it has no further liability.” Instead, the Fourth Circuit reasoned that the UCC places the “risk of loss” on the person(s) who dealt directly with the scammer(s). Otherwise, the “efficiency benefits of an automated system are undermined if a bank is not able to rely on its automated system but must independently verify there is no conflict between a beneficiary name and an account number.”
The Fourth Circuit’s decision brings clarity to misdescription claims and prevents the imposition of a watchdog requirement on financial institutions in their processing of ACH transactions and wires.
Key takeaways
- Credit unions must remain vigilant regarding BEC scams and wire fraud schemes in which a member is duped into voluntarily sending money to scammers. Some courts have reached outcomes different from that of the Fourth Circuit, and plaintiffs will continue to sue sender and recipient financial institutions under several theories, including negligence, breach of contract and fraud.
- Consistent with the principle that the UCC generally places the risk of loss upon the party with the most direct contact with the scammers, the decision also emphasizes the need for members themselves to remain vigilant against becoming victims of BEC scams and other frauds. Spoofed emails and invoices can usually be defeated by a telephone call to the purported sender.
- Note that Wisconsin’s own version of UCC § 4A-207, found in Wis. Stats. s. 410.207 – Misdescription of beneficiary, is similar to Virginia’s UCC. Our statute states in part that the beneficiary bank “may rely on the number as the proper identification of the beneficiary of the order. The beneficiary’s bank need not determine whether the name and number refer to the same person.”
- The U.S. Court of Appeals for the Fourth Circuit hears appeals from the federal district courts in the states of Maryland, North Carolina, South Carolina, Virginia and West Virginia. Since the Fourth Circuit does not include Wisconsin, our courts here could come to a different conclusion.
- Despite the UCC being the dominant governing rule in this case, Originating Depository Financial Institutions (ODFIs) are reminded that it is also critical to fully understand your liability under the Nacha Rules. All ODFIs bear full responsibility for entries they originate and warrant to each Receiving Depository Financial Institution (RDFI) that the entry has been properly authorized by the originator and the receiver, and that the originator’s authorization has not been revoked or terminated. An ODFI indemnifies every RDFI and ACH Operator from and against any and all claims, demands, losses, liabilities, and expenses including attorneys’ fees and costs, that result directly or indirectly from a breach of warranty. The Rules go on to state that an RDFI must accept entries that are received with respect to an account maintained at the RDFI and in doing so may rely solely on the account number contained in the entry for the purpose of posting, regardless of whether the name of the receiver in the entry matches the name associated with the account number in the entry.
Helpful Resources
- Nacha’s Payments Innovation Alliance has published a Response Action Plan Business Email Compromise.
- Nacha’s Risk Management Advisory Group has published Guidance on Credit Push Fraud Response Checklist for Originators.
- Nacha published:
  - Protecting Against Cyber Fraud, which includes Business Email Compromise.
  - Business Email Compromise, Vendor Impersonation Fraud, and Payments: What Organizations and Financial Institutions Need to Know.

