After a Wire Transfer, That’s Not Your Money Anymore
Posted on 06/22/2022 at 11:10 AM by John Lande
A daily stream of headlines highlights cybersecurity incidents affecting both large and small organizations.
In the face of this coverage, most organizations have learned the importance of cybersecurity, and taken basic steps to secure their information technology. However, many still fail to recognize the substantial risk cyber-fraudsters pose to their organization’s funds in the bank.
The modern banking system has, with good reason, given organizations a sense of security that their funds are safe. Bank runs, frauds, and failures are virtually non-existent, so depositors no longer worry about their money evaporating after it is deposited. What many organizations fail to understand, however, is that modern rules governing transferring funds prioritize speed and finality over accuracy. This means banks may process wire and other electronic funds transfers even if there is evidence the transaction is initiated by or for fraudsters.
Fraudsters, perhaps unwittingly, have exploited this feature of the U.S. payment system to devastating effect. Many organizations only realize when it is too late that banks will process a wire transfer initiated at the request of or by fraudsters, and the transfer is irrevocable.
The case of Lucky Star Enterprises III, LLC v. Wells Fargo Bank, N.A., illustrates these issues in stark detail. The case began with a fact pattern that has become common. Lucky Star owns and operates fitness centers, and hired a construction company to remodel one of them. A Lucky Star employee received an email that appeared to be from the contractor with an invoice for $125,621.85. The Lucky Star employee followed the email’s instructions, and wired the funds to an account at Wells Fargo from Lucky Star’s U.S. Bank account.
Unbeknownst to the Lucky Star employee, the Wells Fargo account did not actually belong to the contractor. Even though the account number on the Lucky Star wire transfer matched the account number for the account at Wells Fargo, the name on the Wells Fargo account belonged to fraudsters.
Lucky Star learned after the transfer that the “contractor” account was actually controlled by fraudsters who eventually wired the funds overseas. While the court’s decision does not say it, fraudsters had probably either spoofed the contractor’s email account or taken control of it.
The wrinkle in this case is that before fraudsters could wire the funds overseas, Wells Fargo flagged the accounts as potentially fraudulent. Lucky Star and U.S. Bank contacted Wells Fargo and requested that Wells Fargo return the funds. Wells Fargo did not, however, and fraudsters later moved the funds overseas, beyond anyone’s reach.
Lucky Star sued Wells Fargo, but the United States District Court for the Western District of Washington dismissed the case. To do so, the District Court relied on Article 4A of the Uniform Commercial Code (“UCC”). Lucky Star argued that Wells Fargo should never have deposited the wire transfer in the account at Wells Fargo, because the name on the account did not match the name that Lucky Star included on the wire transfer. The Court rejected this argument, because under the UCC:
When the payment order describes the beneficiary “both by name and . . . bank account number and the name and [account] number identify different persons,” the beneficiary’s bank “may rely on the number as the proper identification of the beneficiary of the order” if it “does not know that the name and number refer to different persons.”
(emphasis added). In other words, Lucky Star may have instructed Wells Fargo to “deposit funds for Contractor in Account 1234,” but Wells Fargo was entitled to simply look at the account number and deposit the funds in “Account 1234,” even though that account may have been under the name “Fraudsters, Inc.”
Under the UCC, banks are entitled to ignore conflicting names on wire transfers and deposit funds based on the account number associated with the transfer. The only exception to this rule is if a human being at Wells Fargo knew at the time the funds were first deposited in the account that there was a mismatch between the name on the transfer and the name on the account. Since all wire transfers are processed electronically, the chance of a Wells Fargo employee learning of the mismatch was virtually impossible.
This basic principle under UCC Article 4A has allowed fraudsters to take advantage of organizations of all kinds and sizes. Lucky Star and the UCC reflect the fact that in the United States, the system for processing payments prioritizes speed and finality over accuracy. Once a transfer is complete banks do not need to return the funds, even when there is evidence of an unauthorized transfer.
This is not to say, however, that organizations have no remedy. This blog previously covered a case where an organization was allowed to sue its bank for sending an unauthorized transfer. This blog has also covered how financial institutions can mitigate their risk of liability for unauthorized transfers by updating their agreements and security procedures. Each unauthorized transfer case has to be evaluated based on the specific circumstances.
However, the bottom line for organizations is that a financial institution may not be responsible for correcting an unauthorized or fraudulent funds transfer. Organizations of all kinds and sizes should take steps to secure the controls for sending payments—Lucky Star could have called to verify the contractor’s bank account number. The banking system will make sure the payment gets where an organization sends it, but organizations may not always like where the payment ends up.
Shareholder Attorney John Lande is chair of Dickinson Law's Cybersecurity, Data Breach, & Privacy practice group. For more information on his practice, click here.
Categories: Cybersecurity Law, John Lande, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.