Fourth Circuit Limits Beneficiary Bank Liability in BEC Schemes, Requires Actual Knowledge
Highlights
- A recent opinion in Studco Building Systems US, LLC v. 1st Advantage Credit Union by the U.S. Court of Appeals for the Fourth Circuit addresses and limits the potential liability of beneficiary banks in business email compromise (BEC) schemes.
- In a closely watched case, the Fourth Circuit rejected the U.S. District Court for the Eastern District of Virginia's de facto "knew or should have known" standard of knowledge of fraud and acknowledged that the Uniform Commercial Code (UCC) allows financial institutions to rely upon automated alerts generated by anti-fraud software, as long as the institution's security and compliance systems are "commercially reasonable."
- The Fourth Circuit emphasized that the standard for assessing liability under the UCC for beneficiary banks in such schemes is actual, subjective knowledge by an individual employee and not "constructive knowledge" created by piecing together the different facts known or subject to being known by multiple bank employees to arrive at a collective mental state of actual knowledge.
Business email compromise (BEC) fraud, driven by technology and increasing sophistication by criminal organizations, has become a major issue for both consumers and financial institutions. According to a September 2024 publication by the FBI, reported BEC scams have involved over $55 billion in losses during a 10-year period, with the scale of losses accelerating. Because it relies upon reported losses, this number surely understates the scale of these crimes. This trend of increasing BEC fraud has implications for financial institutions in regard to their litigation risks, compliance programs and automated monitoring systems.
Case Background
In Studco Building Systems US, LLC v. 1st Advantage Credit Union, the plaintiff, a metal fabricator, paid invoices from its longtime supplier using Automated Clearing House (ACH) payments. One or more hackers, who were never identified, sent the plaintiff "spoofed" emails, purportedly from the supplier, stating that the supplier was changing banks and directing the plaintiff to thereafter make its ACH payments to a new account maintained at the defendant's credit union. As the U.S. Court of Appeals for the Fourth Circuit noted, the plaintiff "did not verify the emails or the bank change to confirm the instructions, even though the communications contained several indicators of the emails' inauthenticity[,]" such as poor grammar and inconsistent phone numbers and email addresses.
The plaintiff thereafter sent ACH payments totaling over $550,000 to what it believed was the supplier's new account but was in fact a personal account held by a longtime individual customer of the credit union, who also had been duped by the scam and believed that the deposits into and withdrawals from her account were for real estate transactions. The ACH transfers submitted by the plaintiff identified the account by its number and the name of the supplier – although, only the number matched because the account was held in the name of the duped individual customer. Once received, the funds were quickly dispersed, never to be recovered.
The credit union's monitoring platform for ACH transfers – part of its anti-money laundering (AML) systems employed to comply with the Bank Secrecy Act (BSA) – automatically generated warnings for ACH transactions when the payee identified by the party transmitting the funds did not match exactly the name of the credit union customer holding the account receiving the funds. The platform "generated hundreds to thousands of warnings related to mismatched names on a daily basis, but the system did not notify anyone when a warning was generated, nor did [the credit union] review the reports as a matter of course." No one at the credit union ever read any of the ACH-related alerts, including the ones at issue here.
The plaintiff sued the credit union, claiming that its failure to discover that the scammers had misdescribed the account into which the ACH funds were to be deposited violated Virginia Code Section 8.4A-207, which codified Section 4A-207 of the Uniform Commercial Code (UCC). The plaintiff claimed that if the credit union had maintained sufficient security standards and handled the transfers in a commercially reasonable manner, the loss would have been avoided, specifically because the credit union should have stopped the transfers when the payment orders did not match the name of the payee's account.
After a bench trial, the U.S. District Court for the Eastern District of Virginia ruled in favor of the plaintiff on this theory, as well as on a related bailment claim. The court determined that the credit union would have discovered the mismatch between the intended payee and the recipient if it had exercised due diligence. Specifically, the district court noted that the credit union 1) opened the account even though doing so triggered an "ID verification warning" stating that the system was unable to verify the address provided, 2) failed to establish a reasonable routine for monitoring the ACH alerts, which were systematically ignored due to their sheer volume, and 3) acted unreasonably in accepting the deposits into the personal account, which was a new account with a small starting balance, followed by multiple high-value commercial transactions.
The credit union appealed the district court's ruling. In support of the credit union's appeal, amicus briefs were submitted by multiple credit union trade groups, the Clearing House Association and National Automated Clearing House Association (NACHA), which governs the ACH network. NACHA's support of the credit union's position is noteworthy, because the district court opinion heavily referenced NACHA rules, and the plaintiff's expert was involved in writing NACHA's rules as a former president of the organization.
Fourth Circuit's Analysis and Ruling
The Fourth Circuit reversed the holding of the district court, finding that when a financial institution receives transfers according to the account number specified in the payment order, it has no liability under UCC Section 4A-207 unless the financial institution has actual knowledge of the misdescription. Contrary to the district court's finding, the Fourth Circuit stressed that "knowledge" in this context means actual, subjective knowledge of an individual, not imputed or constructive knowledge attained by assessing what different facts may have been known by different people across an organization. In short, the Fourth Circuit held that "should have known" is insufficient for beneficiary bank liability, and the financial institution may accept payments via automated processes as long as the account numbers match.
The Fourth Circuit explained that "[a]llowing the beneficiary bank to deposit transferred funds automatically, based only on account number, promotes efficiency and certainty to the system. Thus, if the beneficiary's bank deposits the funds into the account associated with the number designated in the payment order and it has no knowledge of any misdescription at the time of the deposit, it has no further liability." Instead, the Fourth Circuit reasoned that the UCC places the "risk of loss" on the person(s) who dealt directly with the scammer(s). Otherwise, the "efficiency benefits of an automated system are undermined if a bank is not able to rely on its automated system but must independently verify there is no conflict between a beneficiary name and an account number."
Under the UCC, the credit union was entitled to rely upon the account number provided by the plaintiff, even though automatic alerts were generated and even though no one at the credit union reviewed those alerts, because no one at the credit union had actual knowledge of the misdescription and fraud.
Importantly, the Fourth Circuit rejected the finding of the district court that the credit union had "actual knowledge" because it would or should have identified the fraud with the exercise of "due diligence." Relying on precedent from the U.S. Court of Appeals for the Eleventh Circuit, the Fourth Circuit ruled that a beneficiary bank may rely on the account number in a payment order and that the beneficiary bank has no duty to determine whether there is a conflict between the account number and name on the account. Given the volume of financial transactions and reliance of banks upon automated systems, as well as the dispersal of knowledge across individuals, systems and departments in large institutions, this is a key finding.
The Concurrence and Privity Requirements of UCC Section 4A-207
Judge James Andrew Wynn filed a concurrence with the Fourth Circuit's majority opinion, agreeing "with the majority's interpretation of the [UCC], which allows a bank to process an ACH deposit based solely on account number so long as the bank does not have actual knowledge of a misdescription between the account name and account number" and "that an 'individual' bank employee must have actual knowledge of the misdescription at the time of deposit." However, Judge Wynn stated that the evidence indicated that the credit union may have received actual knowledge of a misdescription prior to the final two ACH transfers.
Nonetheless, the concurrence agreed with the reversal of the district court's judgment because the UCC's misdescription provision imposes a privity requirement. This privity condition requires the plaintiff to seek recovery of its funds from its own bank, which could then pursue the beneficiary bank, rather than directly from the defendant credit union, which had not occurred here.
Though the majority opinion did not address the privity requirement, the lack of privity between the defendant and plaintiff was a focus of the Clearing House Association/NACHA amicus brief and has figured prominently in other cases in the BEC context.
Implications and Takeaways
The Studco opinion provides clear guidance and aligns with precedent from the Eleventh Circuit regarding the potential liability of beneficiary banks in BEC scams and other frauds:
- Beneficiary banks may rely upon their automated verification and security systems to honor payment orders according to the designated number of the recipient account, as long as the banks' systems are deemed to be "commercially reasonable."
- "Actual knowledge" under the UCC means actual, subjective knowledge by an individual bank employee, rather than imputed, constructive knowledge. A contrary finding would undermine the safeguards of the UCC.
- The Fourth Circuit's reaffirmation that an actual knowledge requirement should not be conflated with imputed knowledge – or with what a bank should have done to attain actual knowledge – has important implications in related litigations, such as claims that a bank "knew" about a customer's scheme to defraud investor or consumer plaintiffs as a result of the bank's BSA/AML monitoring and compliance systems.
- Financial institutions must remain vigilant regarding BEC scams and wire fraud schemes in which the customer is duped into voluntarily sending money to scammers, such as elder abuse and so-called "pig butchering" schemes. Some courts have reached outcomes different than that of the Fourth Circuit, and plaintiffs will continue to sue sender and recipient banks under several theories, including negligence, breach of contract and fraud. Further, financial institutions will continue to file cross-claims against other parties in the payment system.
- Consistent with the principle that the UCC generally places the risk of loss upon the party with the most direct contact with the scammers, customers themselves must remain vigilant against becoming victims of BEC scams and other frauds. Spoofed emails and invoices can usually be defeated by a telephone call to the purported sender.
Holland & Knight's Financial Services Litigation Team aggressively defends companies and financial institutions against individual and class action litigation. In addition, Holland & Knight's Financial Services Regulatory Team assists clients with compliance questions.