June 19 • 2023
New court judgement confirms liability on beneficiary banks for scams in some cases
Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.
Written by Rob Tharle, Head of Product
With the UK now on a trajectory for 100% consumer reimbursement and a 50/50 liability split between sending and beneficiary banks, it is worth turning again to what is happening on the other side of the pond.
Historically, authorised frauds and scams have clearly laid liability at the victim’s door. This is on the basis they authorised the transaction, as opposed to unauthorised transactions, which will usually be refunded in full or in part as covered by EFTA Reg E.
Reg E covers many electronic transfers, like ACH, Zelle and RTP, but not Fedwire, so for unauthorised transactions, namely those undertaken by a third party (fraudster) without consent, consumers' liability is very limited.
We have seen some movement in terms of how the CFPB interprets Reg E. Guidance in the last year or so has confirmed that this includes cases where the victim has been scammed into providing credentials to a fraudster. However, it does not cover those transactions where the customer has authorised the transactions directly themselves.
On the back of Senator Warren’s campaigning, we have seen some movement from Zelle, albeit the details are scant. Supposedly there will be reimbursement, potentially in line with the Reg E position above, and that liability will be on the beneficiary institution.
Is this about to change?
A recent judgement, involving a corporate victim and a Credit Union, could be about to change all of this. The case was heard in a Federal Court and is currently being appealed, but if it stands, this will be a new precedent.
Financial Institutions (FIs) are often reluctant to go to court precisely to avoid setting precedents if they lose the case. It will be interesting to see what happens with the appeal and any further similar cases that come to court. The judgement can be read here and here, and makes interesting reading. A short summary of the case is as follows:
The victim, a company based in New York State, had a bad actor compromise their email systems. Knowing that a key supplier was changing their banking details, the attacker intercepted and replaced the genuine email with their own fraudulent one. A clear case of Business Email Compromise (BEC).
This resulted in funds being paid, by ACH, into an account at the Credit Union. The account was a new personal account opened for a long-standing customer of the credit union.
Multiple payments were paid in and quickly withdrawn over a period of a few months before the alarm was raised. A tale we've heard many times before. However, the court upheld two counts and the Credit Union was ordered to pay losses amounting to over $550,000.
What was different in this case?
The judgement focuses on the controls, or lack thereof, at the FI. The key points are:
- Not taking proper account of the warnings generated at account opening either to block or mark the account as higher risk.
- Having no documented processes to manage (and therefore ignoring) account name mismatch warnings generated for inbound ACH.
- No alerts generated for high value unusual payments (that had the hallmarks of mule behaviour) into the new account.
- Staff not recognising the risk of the transactions when processing them or when reviewing for other compliance reasons.
Together these meant they failed to meet the requirements of the NACHA ACH rules and the UCC Art 4A regulations and Va. Code Ann. § 8.4A-207.
This therefore boils down to two key points:
- Lack of commercially reasonable risk processes and procedures to detect fraud
- Not exercising sufficient ordinary care over the ACH transfers
What does this mean for other FIs?
This does seem to open up liability on Banks and Credit Unions as beneficiaries in certain circumstances, namely:
Civil liability if they do not:
- Exercise proper control and due diligence to detect and prevent fraud and operate their account opening and payments systems correctly
Regulatory risk from not:
- Identifying, alerting, investigating and reporting (where relevant) suspicious transactions – SAR
The key here is to have the systems, processes and procedures in place and embedded that show the risks are being managed. Implementing and managing these policies and processes should help avoid liability.
This adds weight to the growing argument that beneficiary FIs need to do more to detect and prevent both mule accounts and transactions to and from them if liability is to be avoided. Further, these controls can also reduce ongoing costs throughout the customer lifecycle, as well as protecting customers.
What does good look like?
To make improvements, FIs should use additional rules in the ACH and other payment systems, and in fraud and AML processing systems, to:
- Check, on a risk-based methodology, for clear mismatches between account name and account number and act accordingly
- Alert on and investigate high-risk new accounts with unusual transactions in the first 90 days for fraud and/or money laundering, depending on the transactions and profile
- Ensure staff in fraud, AML and sanctions teams can identify suspicious behaviour and manage it or refer it to the appropriate teams
- Ensure branch staff can recognise transactions that should be referred as suspicious and know the processes to follow
- Keep proper records of investigations in Fraud, AML and other Compliance teams
To assist in the identification of high-risk accounts and transactions, FIs can ingest external data to help identify known mule accounts and mules at:
- Account Opening
- Ongoing Due Diligence
- Outbound Payments
- Inbound Payments
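The controls listed above (name/number mismatch on inbound ACH, unusual high-value credits to accounts in their first 90 days, rapid drain of those credits, and an external mule watchlist check at the payment stage) can be expressed as simple screening rules. The block below is an added illustration written for this article, not code from CYBERA or from the case; the accounts, payments, watchlist entries, the $10,000 high-value threshold, the "2x declared monthly inflow" test and the 3-day withdrawal window are all constructed assumptions a real FI would set from its own risk appetite.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

NEW_ACCOUNT_DAYS = 90         # "first 90 days" window from the article
HIGH_VALUE_USD = 10_000       # assumed threshold for a high-value inbound credit
RAPID_WITHDRAWAL_DAYS = 3     # assumed: outbound within 3 days of an inbound credit

@dataclass
class Account:
    number: str
    holder_name: str
    opened: date
    expected_monthly_in_usd: float   # declared at onboarding (assumed onboarding field)

@dataclass
class Payment:
    ref: str
    account_number: str
    beneficiary_name: str            # name carried on the ACH entry
    amount_usd: float
    direction: str                   # "in" or "out"
    value_date: date

def normalise(name: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace: 'ACME Supplies, LLC' -> 'acme supplies llc'."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in name.lower())
    return " ".join(cleaned.split())

def name_mismatch(p: Payment, a: Account) -> bool:
    """Rule 1: beneficiary name on an inbound entry differs from the account holder name."""
    return p.direction == "in" and normalise(p.beneficiary_name) != normalise(a.holder_name)

def unusual_high_value(p: Payment, a: Account) -> bool:
    """Rule 2: high-value inbound credit to a new account, out of line with its declared profile."""
    is_new = (p.value_date - a.opened).days < NEW_ACCOUNT_DAYS
    return (p.direction == "in" and is_new and p.amount_usd >= HIGH_VALUE_USD
            and p.amount_usd > 2 * a.expected_monthly_in_usd)

def rapid_withdrawal(p: Payment, history: List[Payment]) -> bool:
    """Rule 3: an outbound that drains most of what was credited in the last few days (mule hallmark)."""
    if p.direction != "out":
        return False
    start = p.value_date - timedelta(days=RAPID_WITHDRAWAL_DAYS)
    recent_in = sum(h.amount_usd for h in history
                    if h.account_number == p.account_number and h.direction == "in"
                    and start <= h.value_date <= p.value_date)
    return recent_in > 0 and p.amount_usd >= 0.8 * recent_in

def watchlist_hit(p: Payment, a: Account, watchlist: Dict[str, set]) -> bool:
    """Rule 4: account number or normalised holder name appears on an external mule watchlist."""
    return p.account_number in watchlist["account_numbers"] or normalise(a.holder_name) in watchlist["names"]

def screen(payments: List[Payment], accounts: Dict[str, Account], watchlist: Dict[str, set]) -> Dict[str, List[str]]:
    """Return {payment ref: [rule names]} for every payment that trips at least one rule."""
    alerts: Dict[str, List[str]] = {}
    history: List[Payment] = []
    for p in sorted(payments, key=lambda x: x.value_date):   # process in value-date order
        acct = accounts[p.account_number]
        hits = [name for name, fired in (
            ("NAME_MISMATCH", name_mismatch(p, acct)),
            ("NEW_ACCOUNT_HIGH_VALUE", unusual_high_value(p, acct)),
            ("RAPID_WITHDRAWAL", rapid_withdrawal(p, history)),
            ("WATCHLIST_MATCH", watchlist_hit(p, acct, watchlist)),
        ) if fired]
        if hits:
            alerts[p.ref] = hits
        history.append(p)
    return alerts

# Constructed sample data: a new personal account receiving a supplier-sized credit under a
# business name, the genuine supplier account, and an account already on a watchlist.
ACCOUNTS = {
    "1001": Account("1001", "John Smith", date(2023, 3, 1), 3_000),
    "2002": Account("2002", "Acme Supplies LLC", date(2018, 6, 1), 50_000),
    "3003": Account("3003", "Jane Doe", date(2021, 1, 1), 2_000),
}
PAYMENTS = [
    Payment("P1", "1001", "Acme Supplies LLC", 48_000, "in", date(2023, 3, 20)),
    Payment("P2", "1001", "John Smith", 45_000, "out", date(2023, 3, 22)),
    Payment("P3", "2002", "Acme Supplies, LLC", 48_000, "in", date(2023, 3, 20)),
    Payment("P4", "3003", "Jane Doe", 500, "in", date(2023, 3, 21)),
]
WATCHLIST = {"account_numbers": {"3003"}, "names": {"example mule name"}}

def run_sample() -> Dict[str, List[str]]:
    return screen(PAYMENTS, ACCOUNTS, WATCHLIST)

if __name__ == "__main__":
    for ref, rules in run_sample().items():
        print(ref, rules)
```

P1 trips both the mismatch and new-account rules, P2 is the rapid drain of that credit, P3 (the genuine supplier, differing only in punctuation) passes cleanly, and P4 is caught purely by the watchlist. In practice each hit would feed an investigation queue with the record-keeping the article calls for, rather than a print statement.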
In addition, they can help customers report fraud and scams quickly to improve the chances of recovery. The FED, building on its FED Fraud Classifier, has kicked off a working group to better define scams and improve the reporting of them.
All of the above should be part of a multi-layered control framework, as is required to support real-time payments such as FedNow.
Clearly, this is an important decision happening at a time when scams are big news, so expect this to continue to generate discussion and interest at FIs. It is clear that more needs to be done, as covered here recently, so we'll be awaiting developments with interest.
At CYBERA we’re on a mission to stop money laundering and help protect customers from scams and other financial cybercrime. We close gaps that allow cyber criminals to thrive by sharing crime data in real-time with financial institutions, fintech, and crypto exchanges, and coordinating a global response to support customers who have become victims of financial cybercrime.
CYBERA WATCHLIST™ helps support firms to reduce fraud and money laundering and meet regulatory requirements as part of a holistic fraud and financial crime strategy.
Financial Institutions (FIs) can check against the CYBERA WATCHLIST™ for confirmed mule accounts when processing payments. For outbound and inbound payments, where there is a match on either IBAN (Account Number and Sort code) or on name, the transaction can be flagged as high risk.
At account opening and during ongoing CDD, email, phone and name can be matched against the CYBERA WATCHLIST™ to reduce the opening of new mule accounts.
CYBERA VSR™ further supports by providing users with alerts of any of their accounts reported as mules directly in their dashboard.
Unlike other data sources, CYBERA is a global solution, so is well placed to support the increasing levels of cross-border real-time payments.