Cases in which companies are hacked or otherwise duped into making wire transfers are on the rise. To recover their losses, companies have increasingly resorted to litigation against the banks that receive the allegedly improperly wired funds. Their efforts have proved to be unsuccessful largely because Article 4A of the Uniform Commercial Code (“UCC”), which governs wire transfers and typically preempts tort claims under common law.
A recent decision, Bud’s Goods & Provisions Corp. v. HSBC Bank, USA et al., issued by the District Court of Massachusetts, dismissed tort claims brought against the defendant bank by the plaintiff company regarding a fraudulent wire transfer. The conduct at issue occurred both in New York and Massachusetts. The court applied New York law, noting that both parties agreed that New York and Massachusetts law on this issue are the same.
This case involved an elaborate fraudulent scheme where an unknown fraudster hacked the email account of the CEO of plaintiff, Bud’s Goods & Provisions Corp. The fraudster was then able to not only intercept communications between the CEO and a vendor, but also duped both of them into believing that they were communicating with one another. At one point, the fraudster provided to the CEO false wiring instructions to misdirect funds that were meant to pay the vendor’s invoice to a bank account that did not belong to the vendor.
The company instructed its bank, Century Bank, to wire funds in accordance with the wiring instructions. The payment order identified the beneficiary’s name, Lam Yan Wun Merton, and his bank account number held at HSBC Bank. It also included a notation that the payment was intended to satisfy “M. Holland and Son’s Constructions Inc. Invoice 4 Abbington Construction Project Invoice #3620.”
In UCC Article 4A terms, the company was the “sender” of the wire transfer instructions; the company’s own bank, Century Bank, was the “receiving bank;” Mr. Merton was the “beneficiary;” and HSBC Bank was the “beneficiary’s bank.”
The company sued John Doe (the anonymous fraudster), Mr. Merton, and HSBC Bank, claiming negligence, aiding and abetting fraud, and conversion. The claims against HSBC Bank were premised on the theory that the bank was or should have been aware that Mr. Merton’s account was being used for fraudulent activity. Specifically, the company argued that the payment order included a notation that the payment was intended to satisfy the invoice of a corporate vendor but the account into which the funds were transferred was a personal account held under the name of an individual. The company maintained that the inconsistency within the payment order with respect to the identification of the intended beneficiary should have put HSBC Bank on notice that there was a problem. The company also alleged that the volume, amount and nature of the monetary transactions associated with Mr. Merton’s account should have raised red flags for HSBC that fraudulent activity was occurring.
HSBC Bank moved to dismiss all claims on the ground that Article 4A of the UCC preempted the common law claims. In the alternative, HSBC Bank argued that the claims should be dismissed for failure to state a claim.
In ruling on HSBC’s motion to dismiss, the court distinguished plaintiff’s claims related to HSBC’s processing of the wire transfer from plaintiff’s claims premised on HSBC’s actions before and after the transfer. The court noted that, under the UCC, a beneficiary’s bank is not liable when a sender mistakenly authorizes wire transfer to the beneficiary’s account even if the sender was fraudulently induced to do so by a third party. Thus, and insofar as they related to the processing of the wire transfer, the court concluded that the torts claims were preempted by the UCC, which provides no cause of action against HSBC under the circumstances.
The court also dismissed the tort claims premised on HSBC’s alleged failure to properly monitor Mr. Merton’s account for indicia of fraud. It held that, because a bank owes no duty of care to a non-customer, and because the plaintiff company itself was not a customer of HSBC, the negligence claim failed as a matter of law. Finally, the court concluded that, because the allegation that HSBC should have known of the fraudulent conduct is insufficient to raise the inference of actual knowledge – an essential element of the claim – the aiding and abetting fraud claim also failed as a matter of law. The court dismissed the claim without prejudice, however. This left the company the option to re-file if it was able to assert plausible facts that would support a claim that HSBC had actual knowledge of fraudulent conduct relating to account of its customer.
Other recent decisions from the Northern District of Illinois, Trivedi v. Bank of America, et al., and the District of New Jersey, Scura Wigfield Heyer Stevens & Cammarota LLP v. Citibank NA et al., have come to the same conclusion, finding no liability on the part of banks under similar circumstances.