by Michael Borgia, Dsu-Wei Yuen, Andrew Lorentz, and Michael Buckalew
While ransomware attacks usually grab the headlines, business email compromise (BEC) attacks continue to cause massive financial losses for businesses. The FBI’s Internet Crime Complaint Center (IC3) reported BEC losses in the United States of nearly $2.4 billion in 2021.[1] And the problem grew worse during the COVID-19 pandemic: losses from BECs increased 65 percent globally from July 2019 to December 2021.[2]
BECs typically involve a variety of social engineering techniques (for example, domain spoofing) to obtain credentials for a corporate email account. Once inside the email account, attackers typically search for discussions of upcoming vendor payments or other financial transactions and trick victims into transferring funds to an attacker-controlled bank account, instead of the account of the legitimate recipient. A very common type of BEC involves an attacker posing as a company’s vendor and emailing “updated” bank account details for electronic payment of the vendor’s invoices. While these misdirected funds sometimes can be recovered through quick reporting to the involved financial institutions and law enforcement, recovery efforts often are difficult. Attackers promptly disperse the funds by transferring them to multiple foreign bank accounts or converting them to cryptocurrency and transferring them to multiple wallets.
After a BEC occurs, a question arises: who is responsible for replacing unrecoverable funds that were fraudulently directed to an account used by an attacker? Is it the company whose systems were hacked, allowing the attacker to pose as a legitimate vendor? The company that was misled and initiated the payment to the attacker-controlled account? A recent Virginia federal court decision in Studco v. 1st Advantage provides a different answer: the financial institution that received fraudulently directed funds. The court held that the financial institution was liable under the Uniform Commercial Code (UCC) Article 4A, which governs fund transfers, because it failed to act on certain alerts it received about the recipient bank account from its own anti-money laundering (AML) software.
The Studco case creates potentially worrisome precedent for financial institutions. As BEC losses continue to mount, victims may use the Studco decision to attempt to recover their losses from financial institutions that receive fraudulently misdirected payments. Moreover, regulators looking to address BEC-related losses may push financial institutions to assume more liability for fraudulent transactions like these. As discussed in a prior post, the Consumer Financial Protection Bureau has been considering ways to have financial institutions assume more liability when their customers are tricked into transferring funds to a fraudster’s account. Legislators may consider a similar approach to try to address BEC losses.
Studco v. 1st Advantage Decision
As the result of a BEC, funds intended for one of Studco’s vendors were fraudulently transferred to an attacker-controlled account held at 1st Advantage, a credit union, through a series of transactions. Studco argued that under UCC Article 4A, as enacted in Virginia[3] and 48 other states, 1st Advantage was not permitted to accept the incoming funds because it “knew” that the intended payee was different from the designated accountholder. The court agreed and, on January 12, 2023, after a bench trial, awarded Studco damages in the full amount of the diverted payments (approximately $559,000) along with attorney’s fees and costs.[4]
In this case, funds sent from Studco’s account to 1st Advantage listed the intended recipient—Studco’s vendor Olympic Steel—but referenced an account number held by an unrelated individual at 1st Advantage. These transactions generated warnings in 1st Advantage’s systems of the apparent discrepancy between the intended recipient and the accountholder. Significantly, there was little indication that 1st Advantage had actual knowledge of this discrepancy when it accepted the payment orders. Rather, the court held that such knowledge was imputed to 1st Advantage based on numerous unmonitored alerts generated by the credit union’s AML software on account opening discrepancies, on the fraudulently diverted payments and their attempted withdrawal by the accountholder, and on other commonly known indicia that the account was being used for fraudulent purposes. The court’s effective reading of a “should have known” standard into the relevant provision of UCC Article 4A is in sharp contrast to many other court decisions that have required proof of actual knowledge by the recipient institution of the discrepancy between named payee and actual accountholder at the time the payment was credited to the designated account. Many courts considering a financial institution’s liability for misdirected payments have given significant weight to comment 2 to UCC Article 4A, which states: “If the beneficiary’s bank has both the account number and name of the beneficiary supplied by the originator of the funds transfer, it is possible for the beneficiary’s bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneficiary’s bank the benefits of automated payment are lost” (emphasis added).[5]
The Studco court also cited requirements from the UCC and Nacha Operating Rules for ACH transactions[6] that financial institutions act in a commercially reasonable manner or exercise ordinary care when processing ACH payments. The court held 1st Advantage fell short of this standard by failing to flag the recipient account because Olympic Steel did not have an account at 1st Advantage and 1st Advantage accepted ACH payments from Studco intended for Olympic Steel. The court stated that 1st Advantage “did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If 1st Advantage had exercised due diligence, the misdescription would have been discovered during the first ACH transfer.” In relying on these obligations from the UCC and Nacha rules, the court created additional grounds of recovery for victims of BECs and others whose funds are fraudulently directed to attackers’ accounts.
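The check the court faulted 1st Advantage for not acting on is the one comment 2 describes: comparing the beneficiary name supplied by the originator against the name on file for the account number, and surfacing the result to whoever handles the entry. The following is an added illustration, not code from the post, from the court record, or from any financial institution; the account ledger, the inbound ACH entries, the matching rules and all names and account numbers are constructed for the example. It screens each inbound credit, records every reason a discrepancy exists (name mismatch, a business payee directed at an individual's account, or no such account), and parks the entry for review rather than crediting it silently, which is the behaviour the court said would have caught the misdescription on the first transfer.

```python
"""Beneficiary-name / account-number discrepancy screening for inbound ACH credits.

Added example; not code from the post or from any financial institution.
Accounts, entries, names and the lenient matching rule are all constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Account:
    number: str
    holder: str        # name on the account as opened
    holder_type: str   # "individual" or "business"


@dataclass(frozen=True)
class AchCredit:
    originator: str      # sender named in the entry
    beneficiary: str     # payee name the originator supplied
    account_number: str  # account the entry is addressed to
    amount: float


@dataclass
class Finding:
    entry: AchCredit
    reasons: List[str] = field(default_factory=list)

    @property
    def hold(self) -> bool:
        # Any recorded reason parks the entry for human review instead of
        # letting it post automatically.
        return bool(self.reasons)


# Corporate suffixes ignored when comparing names ("Northgate Steel Inc" vs
# "Northgate Steel"); the same tokens are used to guess that a payee is a business.
_SUFFIXES = {"inc", "llc", "corp", "co", "ltd", "company", "corporation"}


def normalize(name: str) -> Set[str]:
    """Lower-case, strip punctuation and corporate suffixes, return the token set."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return {t for t in tokens if t not in _SUFFIXES}


def looks_like_business(name: str) -> bool:
    """True when the raw name carries a corporate suffix token."""
    return any(t in _SUFFIXES for t in re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def names_match(supplied: str, on_file: str) -> bool:
    """Lenient comparison: one normalized token set must be contained in the other.

    Deliberately tolerant so that only genuine discrepancies raise an alert; a
    production system would add fuzzy matching and a reviewed exception list.
    """
    a, b = normalize(supplied), normalize(on_file)
    if not a or not b:
        return False
    return a <= b or b <= a


def screen_credit(entry: AchCredit, ledger: Dict[str, Account]) -> Finding:
    """Compare the supplied beneficiary against the account of record."""
    finding = Finding(entry)
    acct = ledger.get(entry.account_number)
    if acct is None:
        finding.reasons.append(f"no account {entry.account_number!r} at this institution")
        return finding
    if not names_match(entry.beneficiary, acct.holder):
        finding.reasons.append(
            f"beneficiary {entry.beneficiary!r} does not match accountholder {acct.holder!r}"
        )
    if acct.holder_type == "individual" and looks_like_business(entry.beneficiary):
        finding.reasons.append("business payee directed to an individual's account")
    return finding


def screen_batch(entries: List[AchCredit], ledger: Dict[str, Account]) -> List[Finding]:
    """Return only the findings that need review, in file order."""
    return [f for f in (screen_credit(e, ledger) for e in entries) if f.hold]


# Constructed ledger and inbound file (all names and numbers are made up).
LEDGER: Dict[str, Account] = {
    "100200300": Account("100200300", "Pat Rivera", "individual"),
    "100200400": Account("100200400", "Northgate Steel, Inc.", "business"),
}
INBOUND: List[AchCredit] = [
    AchCredit("Acme Builders LLC", "Northgate Steel Inc", "100200300", 184_250.00),
    AchCredit("Acme Builders LLC", "Northgate Steel", "100200400", 12_400.00),
    AchCredit("Acme Builders LLC", "Northgate Steel Inc", "999999999", 9_100.00),
]

if __name__ == "__main__":
    for f in screen_batch(INBOUND, LEDGER):
        print(f"HOLD ${f.entry.amount:,.2f} -> {f.entry.account_number}: " + "; ".join(f.reasons))
```

The point of `Finding.hold` is that the alert changes what happens to the entry: an alert that is only written to a log nobody reads is exactly the "unmonitored alert" the court treated as imputed knowledge. The matching rule is intentionally lenient so the queue stays small enough for a fraud team to actually work it; tightening it without adding reviewers recreates the alert-fatigue problem the post describes.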
Looking Ahead
Studco’s successful use of unmonitored AML alerts to obtain compensatory damages for the fraudulently directed payments provides yet another reason (on top of the usual AML-related reasons) for financial institutions to engage in regular risk-based tuning and calibration of their AML monitoring software. Financial institutions should calibrate these systems so that only alerts relevant to AML-related issues are generated, and should maintain staffing levels in their fraud and compliance teams that allow them to review and handle alerts in a timely manner. Institutions should avoid generating excessive alerts, beyond what the institution needs for its AML compliance program. The Studco court made clear that financial institutions “cannot ignore their own systems to prevent fraud in order to claim that they did not have actual knowledge of said fraud.”[7] Institutions also should be concerned by third-party use of AML alerts to impute to the bank knowledge of suspicious or criminal activity. The bank’s defense against any such assertions could be handicapped by Suspicious Activity Report (SAR) confidentiality rules preventing the bank from fully disclosing the outcome of any alert or investigation into suspicious activity.
Finally, although the recipient financial institution was found liable in Studco, sender financial institutions should also take note of how the court’s reading of UCC 4A could affect them as well. In particular, sender institutions should consider whether their security procedures for verifying the authenticity of business-to-business payment orders are “commercially reasonable” under UCC 4A.
Whether the Studco decision is an outlier or marks a turning point in the case law remains to be seen. Even so, with the case law on who is responsible for BEC-related losses still developing, the Studco decision stands out and could present an avenue to victim companies whose funds are misdirected to fraudulent accounts. And for their part, regulators may look at Studco as presenting a model for better incentivizing financial institutions to fight BECs and not let AML alerts go unmonitored.
Footnotes:
[1] https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf. By comparison, losses from ransomware attacks reported to IC3 were $49.2 million in 2021. Id.
[2] https://www.ic3.gov/Media/Y2022/PSA220504. Of course, actual BEC losses could be significantly higher, as many BEC incidents go unreported.
[3] Va. Code. Ann. § 8.4A.
[4] Studco Building Systems US LLC v. 1st Advantage Federal Credit Union, No. 2:20-cv-00417 (Slip. Op.) (Jan. 12, 2023 E.D. Va.). The court had initially also awarded punitive damages of $200,000 to Studco in an opinion that has since been replaced, and later found in the docketed opinion that Studco had not provided sufficient evidence for their award. 1st Advantage has appealed the decision to the Fourth Circuit (23-1148). Meanwhile, Studco has moved the district court to amend its opinion and enter an award of $350,000 in punitive damages for, among other things, 1st Advantage violating “obligations to implement a minimally effective program to detect suspicious activity under the Bank Secrecy Act.”
[5] See VA Code Ann. § 8.4A-207, comment 2.
[6] Nacha, originally known as the National Automated Clearinghouse Association (NACHA), is an industry organization that governs the ACH network. The Nacha Operating Rules set forth the roles and responsibilities of financial institutions and other organizations in processing ACH transactions.
[7] Studco, Slip Op. at 30.
Michael Borgia and Andrew Lorentz are partners, Dsu-Wei Yuen is a counsel, and Michael Buckalew is a regulatory analyst at Davis Wright Tremaine LLP. This post first appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.