Email Fraud Ruling Against a CU Could Create Troubling Precedent

Virginia’s 1st Advantage FCU files an appeal to reverse judgement and its $1.1 million in damages, attorney fees and expenses.


A business email compromise case involving a Virginia credit union that is before the Fourth Circuit Court of Appeals in Richmond may create a concerning precedent for financial institutions victimized by fraudulent misdirected payments that cost billions of dollars in losses.

The $950 million 1st Advantage Federal Credit Union filed its appeal earlier this year to reverse a judgement by U.S. District Court Judge Raymond A. Jackson in Norfolk, which found the Yorktown-based financial cooperative liable for fraudulent fund transfers when it failed to act on anti-money laundering alerts and suspicious activity from a member’s account and payments made to that account from Studco Building Systems. The judge ordered the credit union to pay Studco Building Systems (SBS) compensatory damages of $558,868, plus $591,568 in attorney fees and $56,168 in expenses stemming from a business email compromise (BEC) lawsuit. Based in Webster, N.Y., SBS manufactures steel framing systems.

Although Judge Jackson initially awarded the manufacturer punitive damages, he later denied the company’s request for punitive damages. SBS, which appealed that ruling in July before the same Appeals Court, is seeking $350,000 in punitive damages.

“The Studco case creates a potentially worrisome precedent for financial institutions,” attorneys and a regulatory analyst for the national law firm Davis Wright Tremaine LLP in Seattle wrote in their blog post. “As BEC losses continue to mount, victims may use the Studco decision to attempt [to] recover their losses from financial institutions that receive fraudulently misdirected payments.”

According to the FBI’s 2022 Internet Crime Report, BEC losses in that year totaled more than $2.7 billion, up from $1.8 billion in 2020. The number of BEC cases also increased from 19,639 in 2020 to 21,832 in 2022. Globally, losses from BEC fraud jumped a whopping 65% from July 2019 to December 2021, but as DWT lawyers pointed out, the actual losses could be significantly higher because many BEC incidents go unreported.

The event that led to this credit union lawsuit began on Aug. 9, 2018, when an eight-year member identified in this article as L.T. opened a personal account. The member, identified as a merchant coordinator, told 1st Advantage the personal account would be used for real estate transactions.

On Oct. 1, 2018, SBS received a spoofed email from an unknown third party purporting to be Olympic Steel, a client of SBS. The spoofed email fraudulently instructed SBS to change its banking remittance information to L.T.’s personal account.

From Oct. 1 to Nov. 13, 2018, SBS made four ACH deposits totaling $558,868 to L.T.’s account. By the end of November, the account balance was $11.12 following a series of in-branch cashier’s check withdrawals, several domestic wires and two attempted international wire transfers.

The international wires were canceled by the credit union after it received an alert from the Office of Foreign Assets Control. Even though the credit union launched an investigation after getting that alert, the domestic wire transfers were not cancelled, according to court documents. When a 1st Advantage compliance manager questioned L.T. about the ACH transfers on Nov. 23, the member said it was part of a job with another person who was doing real estate transactions and that the member was conducting those ACH transactions based on that job, court documents showed.

The Virginia Commercial Code required 1st Advantage to reject ACH deposits if it knew that there was a misdescription between the intended beneficiary, Olympic Steel, and the purported owner of the account, L.T., receiving the ACH.

According to Virginia law, an organization has actual knowledge for a particular transaction from the time it would have been brought to the individual’s attention if the organization had exercised due diligence. An organization exercises due diligence if it maintains reasonable routines for communicating significant information to the person conducting the transaction and there is reasonable compliance with the routines.

“While it is true that 1st Advantage had no duty to proactively discover a misdescription of the account information, the evidence at trial illustrated that 1st Advantage did not maintain reasonable routines for communicating significant information to the person conducting the transaction,” Judge Jackson wrote in his ruling. “If 1st Advantage had exercised due diligence, the misdescription would have been discovered during the first ACH transfer.”

Undisputed testimony during a bench trial showed that when L.T. opened the personal account in question, it triggered an ID verification warning that the credit union’s system was unable to verify the address provided by L.T. Nevertheless, the retail staff at the branch “qualified the information” based on L.T.’s other accounts with the credit union.

In addition to this initial warning about the personal account, 1st Advantage failed to establish a reasonable routine to monitor alerts that warned of suspicious activity regarding L.T.’s account.

“Actual knowledge of the misdescription can be imputed on 1st Advantage because the transfers generated real-time warning that the name of the intended beneficiary (Olympic Steel) did not match the name of the owner of the account, (L.T.), receiving the ACH. Notably, Olympic Steel has never had an account at 1st Advantage and could not open an account at 1st Advantage,” Judge Jackson wrote. “Further, all ACH transactions were coded CCD (which indicates a corporate payment) yet were still allowed into the account, which was opened as a personal account. Even though 1st Advantage claimed to receive hundreds of thousands of similar alerts daily, there was no system in place to escalate pertinent alerts of high value transactions to those handling such transactions. Instead, 1st Advantage ignored all warnings generated by their systems designed and used for the purpose of detecting fraudulent or suspicious activity.”
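The ruling names three signals that coincided on these deposits: a beneficiary name that did not match the account owner, a CCD entry landing in a personal account, and a high transaction value. The sketch below is an added example, not code from the ruling or from the credit union's systems; it shows how combining those signals can route a small set of alerts to a person out of a large daily volume. The field names, the dollar threshold and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

HIGH_VALUE_USD = 50_000  # assumed escalation threshold; not a figure from the ruling

@dataclass
class AchCredit:
    sec_code: str       # NACHA Standard Entry Class code: CCD = corporate, PPD = consumer
    beneficiary: str    # name the originator put on the entry
    amount_usd: float
    account_owner: str  # name on the receiving account
    account_type: str   # "personal" or "business"

def normalize(name: str) -> str:
    """Case- and punctuation-insensitive form for an exact name comparison."""
    return " ".join(name.lower().replace(".", " ").replace(",", " ").split())

def signals(entry: AchCredit) -> list[str]:
    found = []
    if normalize(entry.beneficiary) != normalize(entry.account_owner):
        found.append("name_mismatch")
    if entry.sec_code == "CCD" and entry.account_type == "personal":
        found.append("corporate_entry_to_personal_account")
    if entry.amount_usd >= HIGH_VALUE_USD:
        found.append("high_value")
    return found

def triage(entry: AchCredit):
    """escalate = hold for human review; queue = batch review; post = no signal."""
    found = signals(entry)
    if "name_mismatch" in found and len(found) >= 2:
        return "escalate", found
    return ("queue" if found else "post"), found

# Constructed sample entries (amounts are illustrative, not the case's actual deposits).
SAMPLE = [
    AchCredit("CCD", "Olympic Steel", 150_000.00, "L.T.", "personal"),
    AchCredit("PPD", "Jane Doe", 2_400.00, "Jane Doe", "personal"),
    AchCredit("PPD", "J. Doe", 900.00, "Jane Doe", "personal"),
]

def escalated(entries):
    return [e for e in entries if triage(e)[0] == "escalate"]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e.beneficiary, "->", e.account_owner, triage(e))
```

A name mismatch alone is common (abbreviations, nicknames), so it only queues here; the mismatch combined with a corporate entry code or a high value is what gets held for review.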

1st Advantage argued for a contributory negligence defense that would have prevented Studco from collecting compensatory damages because the manufacturer was negligent when it was duped by the spoofed email.

Judge Jackson, however, said that the defense holds no merit because 1st Advantage had the responsibility to act in a commercially reasonable manner in handling the in-person withdrawal of money from the account.

In his ruling, Judge Jackson also noted the facts discussed during the trial did not sufficiently prove that 1st Advantage provided false information that hindered Studco’s ability to recover the funds.

The Appeals Court will most likely not render its decision until next year.