A move by
The move also highlights ongoing debates in the U.S. and abroad about who should be liable when a consumer loses money to a bank spoofing scam. While Europe is moving toward holding banks liable, the U.S. has not seen any such proposals.
Letitia James, the state's attorney general,
According to James' office, the customer "did not provide any information" after clicking on the fraudulent link she received. Yet, after clicking the link, an unauthorized user changed her online banking password, enrolled her account in online wire transfer services, tried and failed to make a wire transfer of $39,999, then successfully executed a $40,000 transfer, which constituted most of her savings after a recent retirement.
This month,
"There is no denying that the problem is real," the bank wrote, but the New York state AG's lawsuit "defies longstanding, settled understandings" of banks' liability in cases of fraud.
In reaction to the motion to dismiss the case, bankers on LinkedIn largely responded in defense of their institutions.
"In this case, it seems the victim clicked a link that appeared to be from
Many responders sympathized to varying degrees. One commenter, Elena Michaeli, a fraud and cybersecurity consultant, pointed out that while banks have little recourse when a victim provides their banking credentials to a fraudster, banks have much more data and tools at their disposal than consumers.
In Europe, lawmakers
The plaintiffs allege that the banks did not catch obvious red flags or implement proper safeguards such as requiring two employees to approve each transaction.
The proposals also create a legal basis for payment service providers to voluntarily exchange personal data of their users, subject to information sharing arrangements, for the purposes of reducing fraud. The legislation would require such information sharing to happen in compliance with Europe's General Data Protection Regulation.
The proposals are under review by the European Parliament and Council, and while exact timelines are not yet known, any changes to fraud loss liability and data sharing arrangements could take 18 to 24 months to enter into force once agreed upon by member states of the European Union.
"It is currently anticipated that the legislative proposals will enter into force in 2026," wrote global law firm DLA Piper in
In the U.S., the Department of the Treasury recently alluded to
"Sharing of fraud data would support the development of sophisticated fraud detection tools and better identification of emerging trends or risks," the report said, which likened such data sharing to similar arrangements banks have for sharing cybersecurity threat and anti-money-laundering data.
As for who is liable in cases where a consumer falls victim to fraud and shares their banking credentials to someone impersonating their bank, neither U.S. lawmakers nor regulators have put forward proposals to change the current standard in which customers are generally liable for wire transfer fraud tactics they fall for.
In a parallel case, consumers are sometimes liable when they fall for scams and mistakenly send payments through person-to-person payment networks like Zelle. The closest a regulator has come to changing the fraud liability standard for P2P payments was guidance that the Consumer Financial Protection Bureau was