Wire transfer risk: why banks will not reimburse fraudulent ACH cash transfers

Book Excerpt

Chapter 11-Perception Change

Pages 140- 144

Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity

ISBN- 13: 978-1-4027-5695-5

Plausible Deniability

joelopez276pxWhen it comes to who gets to eat the losses from fraudulent activity, banks draw a marked distinction between individual consumers and small-business owners. Banks don’t need the trust of its small-business customers in the same way they need consumers’ trust. That’s because small businesses must have access to banking services to survive. As the financial industry pushes Internet-based commerce to the fore, small businesses have had no choice but to go along for the ride under terms dictated by their banks.

Consider what happened to Joe Lopez, founder of Ahlo, a Miami-based ink and toner cartridge wholesaler. An irrepressible man with close-cropped dark hair, brown eyes, and a radiant smile, Lopez built Ahlo from scratch to annual sales of $20 million the old-fashioned way, one deal at a time. When it came time to pay his suppliers or receive payment from clients, Lopez made it a practice to drive down to his neighborhood Bank of America branch and execute wire transfers in person.

On each such trip to the bank, a teller never failed to urge Lopez to make the switch to an online business account, for convenience’s sake. In October 2003, Lopez relented and opened an online business account. Not once during any of the relentless sales pitches, nor during the software installation, did any of the bank’s representatives drill down on the security risks of online banking.

“They said it was safe,” Lopez recalls from his office in a gritty industrial neighborhood.

On the morning of April 6, 2004, Lopez had a lot on his mind. His wife was nearing the end of a difficult pregnancy, and an important payment of $25,000 was due from a client in Venezuela. After accompanying his wife to a doctor’s visit, Lopez hustled back to his office and logged on to his online business account. Noting an entry showing a large deposit from his Venezuelan client, he breathed a sigh of relief.

But then a wave of nausea struck. Lopez felt his left arm go numb. Below the deposit entry was a notation describing a fresh wire transfer of $90,348.65 to Deutsche Bank. “I thought I was going to vomit,” he recalls, shaking his head. Ahlo had no business dealings in Europe.

Lopez immediately reported the robbery to a supervisor at Bank of America headquarters in North Carolina, who shut down online access and assigned a case number. The next day, Lopez and his assistant, Soraya Ahamed, worked the phones to retrieve Ahlo’s cash. It became clear the bank was taking no steps to do so. “The bank didn’t do nothing,” says Ahamed, Lopez’s sister-in-law. “I thought Joe was going to have a heart attack.”

Receiving no instructions from Bank of America, Deutsche, the intermediary bank, carried out instructions to forward the $90,348.65 to a personal account at Parex Bank in Riga, Latvia. The benefactor? A mysterious figure named Yanson Arnold, who showed up at Parex Bank the morning of April 7 and quietly withdrew $20,000 in cash.

Back in America, Joyce Munoz, a Bank of America customer-service manager, advised Lopez that a wire recall was under way and that Ahlo’s account would soon be restored. Teresa Jones, a wire-room supervisor in North Carolina, subsequently told Lopez that the bank would issue a “provisional credit” to Ahlo in the amount of $90,348.65.

Relieved, Lopez resumed normal business dealings. After confirming the posting of the provisional credit, Lopez wired $25,908.74 to supplier Simon & Arrington in Fort Myers, Florida. A few hours later, Audrey Collins, from Bank of America corporate security, notified Lopez that the provisional credit for $90,348.65 had been frozen, pending further investigation of Arnold’s claim of proper ownership of the money.

Two weeks later, Lopez’s financial world came crashing down. He received a letter from Richard Heilbron, Jr., the bank’s assistant general counsel. Heilbron took the position that since the theft could be traced to a security breach of Lopez’s computer, the bank “was not in a position” to return Ahlo’s cash.

The U.S. Secret Service, which is charged with investigating financial fraud, had gotten involved. Agents discovered a common data-stealing program, called Coreflood, embedded on Lopez’s hard drive. A likely scenario: Lopez’s teenaged son may have unwittingly surfed to a tainted Web page that implants Coreflood surreptitiously, bypassing the firewall and antivirus software Lopez assumed kept his home computer network safe. Coreflood carried a keylogger that took note when Lopez logged onto Ahlo’s online business account and transmitted his user name and password back to the thief.

Armed with the Secret Service report, Heilbron invoked a provision of the Uniform Commercial Code, a collection of rules setting legal limitations and defining liability for commercial businesses. On the surface, the UCC has the imprimatur of independence because it is overseen by two private organizations: the National Conference of Commissioners on Uniform State Laws, and the American Law Institute.

In reality, attorneys representing financial institutions heavily influenced drafting of the rules, says Mark Budnitz, a professor at Georgia State University’s College of Law. The banking industry interests saturate the UCC. For instance, Section 202 of Article 4A of the UCC provides that a customer order—authorized or not—is valid once the customer and bank agree on security and authentication procedures.

The rules make the bank responsible for “consequential damages” only if the bank explicitly agrees to be liable for such damages. Of course, most banks take pains to omit any such contract language. Thus the UCC has become a legal rampart for financial institutions to fend off a variety of lawsuits, says Budnitz. “The fingerprints of the lawyers representing financial institutions are all over this,” says Budnitz. “That’s not necessarily bad, because they understand the practicality of bank operations.”

Practical daily operations are one thing. Yet banks can also use the UCC as a club to sweep aside claims from small-business customers like Lopez who are increasingly becoming victims of cybercrime. Budnitz has suggested adding provisions to various sections of the UCC so as to level the playing field somewhat for consumers and small businesses. But he says his ideas were shot down by attorneys representing financial institutions.

Indeed, in a letter to Lopez’s attorney, Heilbron cited Article 4A of the UCC as rationale for assigning full responsibility for the robbery of Ahlo to Lopez.

The bank’s internal investigation can “discount fraud or hacking at our end and . . . as a matter of law, the loss resulting from the payment order, even if unauthorized, is to be borne by your client and not the bank.”

Bank of America canceled the $90,348.65 credit back to Lopez. Since normal business dealings had drawn Lopez’s account down, at that point, to about $77,000, the bank claimed that Lopez was overdrawn $13,532.96. “Talk about adding salt to the wounds,” Lopez says.

Arnold, the Latvian, would quietly slip into the shadows $20,000 richer, leaving $70,000 frozen at Parex Bank. Heilbron advised Lopez that Parex refused to return the money, and Bank of America had no legal recourse because it was a victim of fraud.

An exasperated Lopez was forced to sue the bank in February 2005, alleging breach of contract, negligence, breach of fiduciary duty, fraud and deceit, and intentional misrepresentation. He faced very long odds of prevailing. Corporate defense lawyers get paid handsomely by the hour to delay, distract, dissuade, and ultimately destroy individual plaintiffs. They maintain an unwavering focus on the endgame: making an example of the upstart plaintiff to discourage other individuals from filing similar lawsuits.

A time-honored corporate legal defense tactic is to engage in plausible deniability. It involves taking a position that can be defended by a very narrow interpretation of the facts, then daring the plaintiff to disprove the argument. To fend off Lopez, and discourage other small-business online account users from getting the same idea, Bank of America resorted to plausible deniability. After USA Today published a cover story about Lopez’s plight in November 2005, Bank of America in mid-2006 agreed to a settlement.

Lopez’s attorney, Ralph Patino, says his client was made whole but is constrained by the terms of the settlement from saying anything more. Patino says cybercrooks are preying on small merchants like never before, and an increasing number are left twisting in the wind. He says he’s heard anecdotally about scores of small business that lose several thousands of dollars through theft from their online business accounts and are never able to recover any of it.

“I know it’s happening on a wide scale. What’s happening is you’re getting individual merchants losing small amounts of money, $5,000, $10,000, $15,000, a crack and they have no legal recourse because no one in the world is going to sue Bank of America over $15,000,” Patino says.

Bank of America spokeswoman Betty Reiss said it was difficult for the bank to respond to Patino’s assertion since she had “no idea where the attorney is getting his information or what it is based on.” Reiss laid out the bank’s final position: the Lopez case had nothing to do with online banking. “It is a wire transfer product used over a PC. But it was not online banking,” says Reiss.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone