Europe may have an answer to U.S. wire transfer fraud questions

Citigroup's Wave Of Job Cuts Poised To Start As Soon As Monday
In an ongoing case, Citi and the New York attorney general are disputing who is responsible for wire transfer fraud that drained a customer's retirement savings.
Nathan Howard/Bloomberg

A move by Citigroup to dismiss what it called a "misguided" and "imaginative" wire-fraud lawsuit by the New York attorney general has gotten a mixed reception among bankers, many of whom sympathize with Citi's pushback while others say banks can do more to protect their customers.

The move also highlights ongoing debates in the U.S. and abroad about who should be liable when a consumer loses money to a bank spoofing scam. While Europe is moving toward holding banks liable, the U.S. has not seen any such proposals.

Letitia James, the state's attorney general, sued Citibank in January for inadequate responses to "obvious red flags of identity theft and account takeover" cases, allowing fraud to take place, including against one customer who had $40,000 stolen from her via wire transfer after she clicked on a fraudulent link she received in a text message. Citi denied her case, according to the lawsuit.

According to James' office, the customer "did not provide any information" after clicking on the fraudulent link she received. Yet, after clicking the link, an unauthorized user changed her online banking password, enrolled her account in online wire transfer services, tried and failed to make a wire transfer of $39,999, then successfully executed a $40,000 transfer, which constituted most of her savings after a recent retirement.

This month, Citigroup filed a motion to dismiss the case, acknowledging a recent rise in online wire fraud but arguing that banks are not liable for reimbursing customers who got scammed through wire fraud schemes.

"There is no denying that the problem is real," the bank wrote, but the New York state AG's lawsuit "defies longstanding, settled understandings" of banks' liability in cases of fraud.

In reaction to the motion to dismiss the case, bankers on LinkedIn largely responded in defense of their institutions.

"In this case, it seems the victim clicked a link that appeared to be from Citi," said Ana Campaneria-Villarini, director of corporate fraud for BankUnited. "Well, the victim fell for it! It's sad but shouldn't be the fault of the bank. Why should the banks be liable?"

Many responders sympathized to varying degrees. One commenter, Elena Michaeli, a fraud and cybersecurity consultant, pointed out that while banks have little recourse when a victim provides their banking credentials to a fraudster, banks have much more data and tools at their disposal than consumers.

In Europe, lawmakers have proposed changes that could entitle consumers to refunds in cases of bank spoofing, where a fraudster pretends to be the consumer's bank and tricks them into parting with their money. Only in cases of "gross negligence" — for example, if the victim falls for the same scheme more than once, or if the spoof is not convincing — would the payment service provider escape refund liability, according to the proposed regulation.

The plaintiffs allege that the banks did not catch obvious red flags or implement proper safeguards such as requiring two employees to approve each transaction.

January 6

The proposals also create a legal basis for payment service providers to voluntarily exchange personal data of their users, subject to information sharing arrangements, for the purposes of reducing fraud. The legislation would require such information sharing to happen in compliance with Europe's General Data Protection Regulation.

The proposals are under review by the European Parliament and Council, and while exact timelines are not yet known, any changes to fraud loss liability and data sharing arrangements could take 18 to 24 months to enter into force once agreed upon by member states of the European Union.

"It is currently anticipated that the legislative proposals will enter into force in 2026," wrote global law firm DLA Piper in a blog post about the proposals.

In the U.S., the Department of the Treasury recently alluded to the lack of a legal basis for sharing fraud data between banks voluntarily in a recent report on artificial intelligence. "Most financial institutions" interviewed expressed the need for better collaboration in the domain of fraud prevention, according to the report.

"Sharing of fraud data would support the development of sophisticated fraud detection tools and better identification of emerging trends or risks," the report said, which likened such data sharing to similar arrangements banks have for sharing cybersecurity threat and anti-money-laundering data.

As for who is liable in cases where a consumer falls victim to fraud and shares their banking credentials to someone impersonating their bank, neither U.S. lawmakers nor regulators have put forward proposals to change the current standard in which customers are generally liable for wire transfer fraud tactics they fall for.

In a parallel case, consumers are sometimes liable when they fall for scams and mistakenly send payments through person-to-person payment networks like Zelle. The closest a regulator has come to changing the fraud liability standard for P2P payments was guidance that the Consumer Financial Protection Bureau was expected to issue in response to increasing fraud on Zelle in 2022. However, such guidance has not reached the agency's rulemaking agenda; rather, the agency has proposed that it should examine payment markets run by the likes of Apple, Google and PayPal to ensure they comply with existing consumer protection laws.

For reprint and licensing requests for this article, click here.
Technology Citigroup GDPR Fraud European Union Europe
MORE FROM AMERICAN BANKER