A CYBER LAW WIN FOR BANKING!
After years of bad press, banking giant Wells Fargo Bank, N.A. ("Wells Fargo") received a small reprieve in the United States District Court for the Eastern District of Pennsylvania after a favorable verdict dismissed a negligence claim following a fraudulent wire transfer. While courts generally bar claims by non-customers against banks, this matter stemmed from a fraudulent wire transfer traveling through an open account at Wells Fargo. Interestingly, the Eastern District of Pennsylvania noted that the victim could/should have exercised basic cyber hygiene (like confirming account information), equally arming him to prevent the fraud.
In Fragale v. Wells Fargo Bank, N.A., CIVIL ACTION NO. 20-1667 (E.D.Pa. 2020), plaintiff Frank Fragale alleged that Wells Fargo negligently permitted a fraudulent wire transfer, which cost Mr. Fragale $166,054.96. According to Mr. Fragale, Wells Fargo failed to exercise reasonable care in two ways:
(1) Allowing a fraudulent account to be opened at one of its banks; and
(2) Allowing the immediate withdrawal of a large sum of money after it was transferred to a newly opened, fraudulent account.
In response, Wells Fargo filed a Motion to Dismiss the claims, arguing that the negligence claim was preempted by Pennsylvania Uniform Commercial Code ("PUCC") Article 4A ("Article 4A") and that Plaintiff failed to allege that Wells Fargo owed him a duty of care as a non-customer. The court declined to find Article 4A applicable but agreed with Wells Fargo that no duty of care was sufficiently pled.
Article 4A Argument:
The Eastern District of Pennsylvania in Fragale held that Article 4A generally applies to electronic wire transfers and provides "the exclusive means of determining the rights, duties and liabilities of the affected parties in any situation covered by particular provisions of the Article," thereby prohibiting outside legal actions. However, by definition, Article 4A only governs transfers between the originator's wire fund instruction ("beginning with the originator's payment order") and the beneficiary bank's acceptance of the wire transferred funds ("completed by acceptance by the beneficiary's bank of a payment order").
In Fragale, the Plaintiff's claims are premised only on the opening of an account at Wells Fargo and the subsequent withdrawal of the same funds. Plaintiff expressly excluded an action premised on the wire transfer itself, and the fraudulent transfer occurred after the opening of the account. Accordingly, the Court found that claims of negligence in the opening of an account fell outside of Article 4A’s purview and were not preempted.
The Court’s next topic of inquiry was whether Wells Fargo owed the Plaintiff, a non-customer of Wells Fargo, a duty of care. Plaintiff argued that Wells Fargo owed him a “common law duty” when Wells Fargo allowed the fraudster to open an account to receive the fraudulent wire transfer and immediately withdraw the same funds. While Plaintiff argued that Wells Fargo knew that criminal conduct regularly occurs through fraudulently opened accounts, Plaintiff failed to allege “anywhere near the degree of specific facts necessary to show that Wells Fargo was on notice of the likelihood that the Account was part of a fraudulent scheme to which a non-customer like Plaintiff would fall victim.”
Continuing, the Court stated that “[a]t most, Plaintiff has alleged that banks like Wells Fargo were generally on notice that such schemes exist. However, Plaintiff does not allege any facts to suggest that when Wells Fargo actually opened the Account, it should have been on notice that this particular account was being opened for criminal or fraudulent purposes.” Plaintiff also failed to show that Wells Fargo was on notice that it was "likely" that the subsequent withdrawals were part of some fraudulent scheme.
The Court next examined Plaintiff’s allegations in terms of social utility. While the Court found “there is obvious social utility in banks taking action to prevent fraudulent banking activity” to discourage criminals, this factor alone could not fully support Plaintiff’s claims. The Court did state, however, that such an analysis was “particularly significant.”
Indeed, imposing a duty on Wells Fargo “to verify the identity of each person opening an account and to take unspecified measures before allowing withdrawals of recently transferred sums of money from newly-opened accounts” is already required under existing banking regulations. However, such “minimal effort by Wells Fargo” does not of itself warrant imposing a duty upon Wells Fargo to protect non-customers. The Court further hesitated to find liability in the immediate withdrawal of such substantial sums to avoid unnecessary restrictions on well-intentioned, law-abiding customers.
Finally, the Court held that the Plaintiff, not Wells Fargo, was best positioned to prevent the fraud. Per the Court, Mr. Fragale “could have undertaken efforts to confirm with his own title company that the transaction was set to close, that the e-mail he received was in fact from his title company or an authorized agent thereof, or that the title company maintained a bank account at Wells Fargo.” Instead, Plaintiff failed to show that he undertook any acts in his own defense to confirm that his title company had the account at Wells Fargo to which he wired the funds. In finding that Mr. Fragale “was at least equally situated with Wells Fargo to prevent his harm,” this opinion demonstrates the growing trend of requiring cyber-crime victims to demonstrate their own cyber hygiene efforts.