Wire fraud cases, arising from what the Federal Bureau of Investigation calls “business email compromise,” are on the rise. In 2018, the FBI reported that business email compromise and other internet-enabled theft, fraud, and exploitation resulted in $2.7 billion of financial loss. See FBI – IC3 Annual Report Released. Surprisingly, even sophisticated parties and publicly traded companies are getting caught. In this type of scheme, once the money is wired, it typically is hard to trace and recover the funds. Who bears liability in these cases, and what claims can be asserted? These questions regularly arise in wire fraud cases, which often involve very large numbers and the imposition of loss on unsuspecting parties.
In a typical business email compromise scheme, the fraudster impersonates a senior executive or trusted business partner reaching out to a member of the staff, and changing an account number or providing new wiring instructions to pay a debt, conduct a real estate closing, or fulfill a purchase order. The recipient of the email does not notice what can be very subtle differences in an email address, such as a hyphen, a capitalized letter, or an underscore. In some instances, the email accounts are compromised. Under either scenario, multifactor authentication is not a requirement and the recipient complies with the request, believing the requestor to be the CEO or trusted partner. The money is wired by the sending bank to the fraudster’s account at the receiving bank (which usually has no idea its customer is a fraudster), and there is very little that the sending or receiving bank can do to claw the money back. Both banks are insulated by the UCC, and common law claims of negligence and breach of contract ordinarily are preempted.
Article 4A of the Uniform Commercial Code defines the duties, liabilities, and rights of parties to a funds transfer. States enacted Article 4A to provide norms and ensure predictability with respect to fund transfers:
A deliberate decision was . . . made to use precise and detailed rules to assign responsibility, define behavioral norms, allocate risks and establish limits on liability, rather than to rely on broadly stated, flexible principles. In the drafting of these rules, a critical consideration was that the various parties to funds transfers need to be able to predict risk with certainty, to insure against risk, to adjust operational and security procedures, and to price funds transfer services appropriately. This consideration is particularly important given the very large amounts of money that are involved in funds transfers.
§4A – 102, Cmt.
Typically, common law claims are displaced by the UCC. Unless a party can allege that negligence by the bank occurred outside of the four corners of the wire transfer transaction, there usually is preemption. If the negligence occurred before or after the wire transfer process, then a common law negligence claim may be appropriate; however, these factual circumstances are very rare and other common law defenses such as causation and standing can bar the claims.
Recently, the United States Court of Appeals for the Eleventh Circuit analyzed claims of negligence and Article 4A in the context of a business email fraud scheme. See Peter E. Shapiro, P.A. v. Wells Fargo Bank. The case involved familiar parties: two lawyers involved in a closing, a fraudster, and the two banks involved in the wire transaction. Plaintiff Peter E. Shapiro, a Florida lawyer who was engaged by family members to handle the sale of a car dealership in upstate New York, received payment instructions by email from a lender’s lawyer directing that a loan payoff be wired to a bank account at M&T in New York. Then, Shapiro received another set of wire instruction by email purporting to be from the same lender’s lawyer, but actually from a fraudster, this time directing the wire to an account at Wells Fargo Bank. Shapiro did not speak to the sender of the instructions and caused his bank to wire $504,611.13 to the fraudster’s Wells Fargo account. Defendant Wells Fargo received the wire transfer and processed it relying on the account number, notwithstanding that there was a name mismatch between the beneficiary and the account holder.
Shapiro sued Wells Fargo by alleging that it should not have processed the wire because the bank’s automated systems knew that the beneficiary identified in the wire was not the owner of the Wells Fargo account identified in the payment order. Shapiro asserted claims of common law negligence and violation of the Florida statute codifying UCC Article 4A. The Florida statute and Article 4A expressly state that, “if the beneficiary’s bank does not know that the name and number refer to different persons, it may rely on the [account] number as the proper identification of the beneficiary of the order.” See Fla. Stat. § 670.207(2)(a). The district court dismissed the common law negligence claim on preemption grounds and granted summary judgment for Wells Fargo on the Article 4A claim. The Eleventh Circuit affirmed.
The Eleventh Circuit found that Article 4A displaced the common law negligence claim, given that it specifically defines the duties, rights, and liabilities of the parties in a misdescription-of-beneficiary case. The Court found that Shapiro’s argument that Wells Fargo had a duty to refuse to accept the wire because of the misdescribed beneficiary conflicted with the express language of the UCC. The Court found that Shapiro’s UCC claim also failed. Article 4A provides that in cases involving payment orders that identify both an account name and account number, where the bank lacks “actual knowledge” that the account name and number do not match, the beneficiary bank – in this case, Wells Fargo – may rely on the number as the proper identification of the beneficiary of the order. The Court relied on the comments to section 4A-207:
A very large percentage of payment orders issued to the beneficiary’s bank by another bank are processed by automated means using machines capable of reading orders on standard formats that identify the beneficiary by an identifying number or the number of a bank account. The processing of the order by the beneficiary’s bank and the crediting of the beneficiary’s account are done by use of the identifying or bank account number without human reading of the payment order itself. The process is comparable to that used in automated payment of checks. The standard format, however, may also allow the inclusion of the name of the beneficiary and other information which can be useful to the beneficiary’s bank and the beneficiary but which plays no part in the process of payment. If the beneficiary’s bank has both the account number and name of the beneficiary supplied by the originator of the funds transfer, it is possible for the beneficiary’s bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneficiary’s bank the benefits of automated payment are lost.
Noting that Article 4A expressly states that a beneficiary’s bank does not need to determine whether the name and number refer to the same person, the Court found that no violation of UCC Article 4A had occurred.
Lawyers for parties who are victims of wire fraud frequently attempt to craft claims alleging common law negligence outside of the actual wire transaction itself in order to avoid the preemption challenges which regularly appear in these cases. For example, we frequently see cases alleging that the beneficiary bank was negligent in opening the account of the fraudster or failed to take prompt action to stop withdrawals from the fraudster’s account after the beneficiary bank was on notice of the wire fraud. Typically, however, the victim has no relationship with the beneficiary’s bank which can give rise to a common law duty of care. Standing and causation arguments can also be raised as defenses.
These cases teach that courts often cannot provide easy redress to victims of wire fraud, nor can recovery be had from the financial institutions with deep pockets who are parties to the wire transaction. A victim of business email compromise must chase down the fraudster, which is often difficult, or seek reimbursement via a claim on an applicable insurance policy. The best steps that parties can take to avoid these losses are precautionary, rather than reactive. Companies and financial institutions of all sizes should develop a relationship with local FBI contacts who can assist in freezing funds and tracking fraudsters. Companies must also continue to educate employees, implement protocols to create multiple steps before funds can be wired, and use due care in reviewing and responding to emails, including placing phone calls to verify the authenticity and accuracy of email instructions.
Let’s be careful out there.