The State of New York initiated this proceeding against a large financial institution (the “bank”) for various violations of federal and state law that “demonstrated persistent fraud or illegality in the carrying on, conducting or transaction of business.” N.Y. Exec. L. § 63(12). The allegations arose from the theft of consumer funds from the bank’s accounts. The bank offered its clients online banking services, including electronic money transfers. Unfortunately, the mobilization of banking has increased the sophistication and complexity of scams aimed at stealing money from consumers. Specifically, scammers had fraudulently stolen money from individuals through wire transfers. The scammers accomplished this by instructing the bank to wire money to another bank where the scammers had “dummy accounts” and then instructing the bank to debit the consumer’s bank account. The State claims the bank had unsatisfactory security measures that allowed the wire transfer fraud to go unnoticed. Further, the State claimed that the bank had made inadequate investigations and had inadequate remedies for the fraud and had made “misleading statements regarding its security protocols.” Therefore, the State brought an action claiming that the bank had (1) made unauthorized wire transfers; (2) made unauthorized intrabank “consolidation” transfers; (3) failed to disclose its security measures in its terms and conditions; (4) “fail[ed] to refund fraudulently initiated Payment Orders;” (5) violated New York’s SHIELD Act; (6) violated the Red Flags Rule; (7) committed fraud; and (8) engaged in deceptive practices. The bank filed a motion to dismiss the State’s claims in its entirety.
In New York v. Citibank, N.A., 24-CV-659, 2025 WL 251302, 2025 U.S. Dist. LEXIS 10136 (S.D.N.Y. Jan. 21, 2025) (opinion not yet released for publication), the court granted the bank’s motion to dismiss in part and denied it in part. First, the court denied the motion to dismiss the first claim. The State argued that the bank had violated the Electronic Funds Transfer Act of 1978 (EFTA), 15 U.S.C. § 1693 et seq, by completing the unauthorized wire transfers following the scammers’ fraudulent payment orders. The bank argued that the statute was inapplicable “to transfers from a consumer’s account made to pay for a wire transfer” because there is an “exemption” in the definition of an electronic fund transfer that would exclude it from liability under the EFTA. 15 U.S.C. § 1693a(7)(B). The court began by interpreting the statutory text to determine whether “an electronic payment, initiated by a consumer and facilitated in part by an interbank wire, are regulated by the EFTA.” The court found that the “exemption” in § 1693a(7)(B) limits its applicability to transfers that are “(1) ‘made by a financial institution,’ (2) ‘on behalf of a consumer,’ (3) ‘by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer.’” The State argued that the unauthorized wire transfers do not fall within this exemption because they “do not involve consumer funds or a consumer’s accounts, since only banks…have access to those networks.” The court found that the “plain meaning of subsection (7)(B) does not apply to electronic transfers of funds between consumers and their financial institutions, even when made ancillary to an interbank wire.” Thus, the “exemption” did not apply to the “fraudulent Payment Order resulting in a debit from a consumer account in connection with a wire transfer” that occurred here, and the bank may be liable for EFTA violations. Second, the court addressed the State’s claim that a violation of the EFTA occurred “when [the] scammers ‘consolidate[d] funds from multiple accounts into one account’ in order to seal a larger sum of money,” and denied the motion to dismiss the claim. The EFTA defines an unauthorized transfer to be a transfer “from a consumer’s account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit.” 15 U.S.C. § 1693(12). The bank argued that the EFTA did not apply to these transactions because its customers did not lose money during the intrabank transfer and, thus, did, in fact, “‘receive the benefits’ of such transfers.” However, the State argued that the bank’s customers were still harmed because the transfers permitted larger fraud to occur, made detecting fraud more difficult, and moved funds to an account that did not generate interest. The court concluded that the “unauthorized consolidations” of the bank’s customers’ funds provided no benefit. Therefore, the bank’s motion to dismiss the second claim was denied. Third, the State claimed that the bank failed to adequately disclose its security protocols, in violation of 15 U.S.C. § 1693c, and had its customers waive their EFTA rights, in violation § 1693l. The bank disputed both claims, arguing that it was not required to disclose its security protocols, and that the agreement did not require its customers to waive their EFTA rights. The State argued that although the EFTA does not explicitly require disclosure, it does prohibit “using insufficiently understandable terms” when the bank does disclose its protocols. The court determined that the statute did not require the bank to include security protocols “unless these protocols constitute[d] an ‘element, prerequisite or limitation’ on the offer to transfer,” and, therefore, granted the bank’s motion to dismiss. 15 U.S.C. § 1693c(a). However, the court denied the bank’s motion to dismiss the claim that it violated the EFTA by requiring its customers to waive their EFTA rights. The State argued that the “language in the User Agreement changes the allocation of the burden of proof for allocating liability under the EFTA,” violating § 1693l. The court found that the State had “adequately alleged” that the terms limited a statutory right in violation of § 1693l. Fourth, the court found that the State’s claim that the bank had “fail[ed] to refund fraudulently initiated Payment Orders” in violation of UCC Article 4A-204(1) must be dismissed as it previously determined that the “allegedly fraudulent Payment Orders…are governed by the EFTA” and, thus, are excluded from Article 4A. N.Y. UCC §4-A-108. Next, the court found that the State’s fifth and sixth claims were preempted or barred by the Fair Credit Reporting Act (FCRA). The state argued that the bank had violated the SHIELD Act, which requires businesses, including banks, to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information” that it possesses. N.Y. Gen. Bus. L. § 899-bb. The court held that 15 U.S.C. § 1681t(b)(5)(F) of the FCRA preempted application of the SHIELD act because the claims did not “concern conduct different from that underlying…FCRA claim.” Manes v. JPMorgan Chase Bank, N.A., No. 20-CV-11059, 2022 WL 671631 (S.D.N.Y. Mar. 7, 2022). The court also granted the motion to dismiss the State’s claim that the bank violated the Red Flags Rule by failing to discover and prevent such “red flags.” 16 C.F.R. § 681.1. The court held that the state “cannot have it both ways; either it is seeking to enforce the Rule in violation of Section 1681m(h)(8)(B), or it is seeking to enforce an identical version of the Rule encoded in New York’s Executive Law.” The court stated that “federal law does not permit states to redress liability imposed by regulations enacted pursuant to 15 U.S.C. § 1681m.” Finally, the court addressed the State’s seventh and eighth claims that the bank committed fraud and engaged in deceptive practices in violation of N.Y. Exec. L. § 63(12) and N.Y. Gen. Bus. L. § 349. The court held that the State had adequately supported its claim with evidence that the bank made “incorrect statements…to particular customers about the security of their accounts, and…their rights under their EFTA or their need to complete affidavits prior to [it] conducting an investigation or issuing…reimbursement.” Therefore, the court denied the bank’s motion to dismiss these claims under these circumstances.
By Hayden Mariott [email protected]
Edited By Kristin Meurer [email protected]
Edited By Ashley Boyce [email protected]