The shifts in customer behavior driven by the global COVID pandemic were a boon for digital payments – consumer adoption in the U.S. reached 82% in 2021, up from 78% in 2020 and 72% in 2016. However, the industry "sector" that arguably benefited the most from the shift to digital is a species of fraud known as "business email compromise" (BEC) – between May 2018 and July 2019, there was a 100% increase in identified BEC global loss exposure, for a total $26 billion. Between July 2019 and December 2021, there was a 65% increase in identified global loss exposure, for a total $43 billion. The FBI Internet Crime Complaint Center reported BEC losses in the United States of nearly $2.4 billion in 2021, but the actual number is likely much higher given the large number of such incidents that go unreported. For context, despite ransomware attacks generally being more widely publicized, reported losses from such attacks were "only" $49.2 million in 2021. Given the ever-increasing amounts lost by both consumers and businesses to fraud, regulators and politicians will undoubtedly continue to push financial institutions to assume more liability for fraudulent transactions, as discussed in a prior post.
Victims of BEC fraud sometimes seek recovery of losses in court but generally find that the Uniform Commercial Code Article 4A provides only limited remedies. However, in the BEC context, a Virginia federal district court recently found a recipient credit union liable for a series of fraudulently directed ACH payments arising from a BEC incident. The defrauded business (Studco) argued that under UCC Article 4A, which governs funds transfers, Va. Code. Ann. § 8.4A-207 (as enacted in 49 states), the recipient credit union (1st Advantage FCU) could not accept the incoming ACH payment orders because 1st Advantage "knew" that the intended payee was different from the designated accountholder. The court agreed and ordered 1st Advantage to pay Studco the full amount of the diverted payments (approximately $558,000) along with attorney's fees and costs.
Significantly, there was little indication that 1st Advantage had actual knowledge of such discrepancy at the time it accepted the payment orders – rather, such knowledge was imputed to 1st Advantage based on numerous unmonitored alerts generated by its anti-money laundering (AML) software on account opening discrepancies, the fraudulently diverted payments, and their attempted withdrawal by the accountholder, and other commonly known indicia that the account was being used for fraudulent purposes. The UCC defines the time an organization has "knowledge" to run from the time, inter alia, "it would have been brought to the individual's attention if the organization had exercised due diligence." Va. Code § 8.1A-202(f). However, courts have previously given significant weight to the UCC commentary to the misdescription of beneficiary provision, which states that "[i]f the beneficiary's bank has both the account number and name of the beneficiary supplied by the originator of the funds transfer, it is possible for the beneficiary's bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneficiary's bank the benefits of automated payment are lost." VA Code Ann. § 8.4A-207, comment 2. Courts have therefore generally looked to the bank's state of knowledge at the time the payment was credited to the recipient's account, which essentially occurs instantaneously for electronic payments, and therefore precludes any consideration of fraud, AML or similar alerts.
The Studco court's effective reading of a "should have known" standard into the misdescription of beneficiary provision under UCC Article 4A is in sharp contrast to many other courts that have (for the reasons discussed above) required proof of actual knowledge by the recipient institution of the discrepancy between named payee and actual accountholder at the time the payment was credited to the designated account. The Studco court also cited UCC and Nacha Rules requirements for financial institutions to act in a commercially reasonable manner or exercise ordinary care, effectively also reading an additional reversal right on the part of a defrauded sender into the UCC and Nacha Rules. Unless reversed on appeal, Studco therefore creates a precedent that can be used to hold financial institutions that accept an incoming payment to a fraudster or money mule's account responsible for the lost funds if the financial institution's systems note a discrepancy in the account name and intended recipient. Financial institutions "cannot ignore their own systems to prevent fraud in order to claim that they did not have actual knowledge of said fraud."
Studco's reliance on unmonitored and uncleared AML alerts against 1st Advantage to obtain compensatory damages for a wire transfer to a fraudulent account provides yet another reason for financial institutions to engage in regular risk-based tuning and calibration of their AML monitoring software to ensure that only relevant alerts are generated, and to maintain staffing levels in their fraud and compliance teams that allows them to review any decision alerts in a timely manner. Institutions should also be concerned by third-party use of AML alerts to argue knowledge under the UCC on the part of a bank when an institution's defense may be handicapped by Suspicious Activity Report (SAR) confidentiality rules preventing them from fully disclosing the outcome of any alert or investigation into suspicious activity.
Finally, although the recipient financial institution was found liable in Studco, sender financial institutions should also take note of this potential softening in courts' reading of UCC 4A in favor of senders. In particular, sender institutions should consider whether their security procedures for verifying the authenticity of B2B payment orders are "commercially reasonable" under UCC 4A. Consumer finance regulators should also pay close attention to whether recipient financial institutions are incentivized by the liability shift in Studco to take more vigorous action against BEC fraudsters and money mules among theirs customers and to consider whether further expansion of sender institution liability is necessary or desirable in combatting fraud.
 Studco Building Systems US LLC v. 1st Advantage Federal Credit Union, case number 2:20-cv-00417 (Slip. Op.) (Jan. 12, 2023, E.D. Va.),.
 The court had initially also awarded punitive damages of $200,000 to Studco in an opinion that has since been replaced, and later found in the docketed opinion that Studco had not provided sufficient evidence for their award. 1st Advantage has appealed the decision to the Fourth Circuit (23-1148). Meanwhile, Studco has moved the district court to amend its opinion and enter an award of $350,000 in punitive damages for, among other things, violating "obligations to implement a minimally effective program to detect suspicious activity under the Bank Secrecy Act."
 Studco, Slip Op. at 30.