Why do hackers hack? It’s a simple question. While hackers have multiple motivations – for the challenge of it, for political reasons, to promote causes, etc., by and large hackers hack because there’s money in it. This is why we have seen an evolution in both tools and methodologies of hacking – from stealing credit card numbers to stealing data to cyber extortion and direct theft of funds. In many of these cases – from phishing, vishing, business e-mail compromise, SIM swapping, social engineering and similar offenses, the goal of the hacker is to cause funds to be sent electronically from your bank account (or similar account) to theirs. You know, theft.

Fortunately, for consumers, Congress anticipated exactly this kind of fraud. Back in 1978 when the bulk of consumer financial transactions were either in cash or paper checks, the banking industry began to move to electronic funds transfers for consumers. ATM machines (yes, the M stands for Machine) began to allow ordinary consumers to make deposits, withdrawals and funds transfers electronically. The law related to liability for “bad checks” — the Uniform Commercial Code or UCC was ill-equipped to deal with questions of lost debit cards, fraudulent funds transfers, and online scams. In 1978, Congress passed the Electronic Funds Transfer Act noting specifically that “the use of electronic systems to transfer funds provides the potential for substantial benefits to consumers. However, due to the unique characteristics of such systems, the application of existing consumer protection legislation is unclear, leaving the rights and liabilities of consumers, financial institutions and intermediaries in electronic fund transfers undefined.”

Under the act, Congress had to apportion civil liability between banks and consumers for fraudulent electronic funds transfers. Consumers who detected fraudulent transactions and alerted the bank within a reasonable time had limited liability ($50) for the fraud. This included both fraudulent transfers and withdrawals — so if someone stole your debit card and cleaned out your account, (even if you wrote your PIN number —  yes, N stands for number — on the card) you had limited liability, provided you were not “in on” the fraud. Almost all banks agreed to “eat” the $50, so there was, as a practical matter, no liability to the consumer.

Why? Because electronic banking was a boon to banks. ATMs were a lot cheaper than tellers. Bits and bytes were easier and cheaper to transfer than paper money. The risk of fraud (bad checks) was significantly lower. People choose their financial institutions based on the convenience of ATMs. So allaying the fears of consumers in the Carter Administration about “e-banking” was good business. People were hooked.

The EFTA, unlike the UCC, did not apportion blame or responsibility. It did not look at whether the consumer was negligent in permitting the funds transfer. It only looked at whether the funds transfer was “authorized.” If not, the bank had to make the consumer whole. The UCC – which applies to commercial transactions (non-consumer transactions) looks at things like whether the bank had “commercially reasonable” security procedures — if yes, then the bank dumps liability for the fraud on the consumer. And, when you open a commercial bank account, the bank provides a convenient statement in the contract that you agree that the security of the bank (which you have no access to or ability to negotiate) is “commercially reasonable.” Caveat emptor. Not so for consumer transactions. There, the liability rested firmly on the bank. Again, the goal was to get consumers hooked on eBanking. And they were hooked.

So were hackers. The Frank Abignale’s who specialized in check fraud quickly migrated to hacking, spamming and social engineering. But the banks remained on the hook for this fraud, mostly (but not exclusively) because they were in the best position to avoid the harm. When we moved from ATM fraud to e-banking fraud, to online funds transfer fraud, to web-app fraud and then to cryptocurrency fraud, the numbers began to add up. So did the bank’s response.

The NY AG Lawsuit Against Citibank

Earlier this year, New York Attorney General Letitia James filed a civil lawsuit against Citibank. The lawsuit alleges that fraud victims who were Citi banking customers were told by Citi tellers, fraud investigators and others that, as a condition of seeking recovery of funds fraudulently transferred by hackers, the customer had to execute a “hold harmless” letter. As the civil complaint notes:

… when panicked consumers notify Citi of fraudulent activity on their accounts, there is no mention of the EFTA. Nor did Citi take immediate action in the past to recover amounts it wired out. Instead, Defendant’s representatives frequently assure consumers (falsely) that their money and accounts are secure and then instruct consumers to visit their local branches. When consumers arrive at local branches, Defendant’s representatives likewise say nothing about the EFTA. They instruct consumers to complete the form “Affidavits of Unauthorized Online Wire Transfers,” often telling consumers that Citi will not take any action to investigate their fraud claims until the affidavits are executed and notarized. Defendant’s representatives also encourage consumers to include details on how they were scammed in those affidavits. Unsuspecting consumers complete these affidavits believing they are necessary for Citi to investigate claims and reclaim their stolen funds. In fact, under cover of these coerced affidavits, Citi treats consumers’ claims as subject to narrow commercial laws governing wire transfers rather than the EFTA’s robust protections for unauthorized electronic payments. Citi then summarily rejects claims for reimbursement and instead blames consumers, relying on the same information that Defendant’s representatives encourage consumers to share with Citi.

The Complaint alleges that Citi treated consumer transactions like commercial ones, denying liability, refusing to investigate and compelling consumers to waive their rights under the EFTA and “hold harmless” the bank under circumstances where Congress imposed liability on the banks. Rather than provide better security to consumers, the bank simply denied liability, obtained waivers and took no action. The complaint further alleges:

Citi permits scammers to alter contact information, usernames and passwords, upgrade accounts to access online wire transfer services, and consolidate funds across multiple accounts, all without subjecting to robust scrutiny scammers’ subsequent requests to initiate large-dollar wire transfers that will empty consumers’ accounts; Citi fails to employ tools that effectively monitor and respond to anomalous consumer or account activity, such as wire transfers that are the first ever involving consumers’ accounts, that are for out-of-the-ordinary amounts based on past activity, or that will effectively empty consumers’ accounts; and even when alerted to fraudulent activity, Citi does not effectively secure consumers’ bank accounts, which remain vulnerable to scammers.

So much for Congress’ finding that banks are best positioned to prevent fraud. What the EFTA says should happen is that the bank should ask its customer, “Did you authorize this transaction?” If the answer is no (and the customer isn’t lying), voila! The bank’s response should be, “We’re sorry, here is your money.”

We can, and should do a much better job at security. Hackers target all participants in funds transfer frauds — consumers, banks, funds recipients, etc. — to find a soft spot. But Congress decided who was required to compensate for fraudulent consumer transactions, and banks should never require their customers to waive their rights as a condition precedent for the bank doing its job. And that’s just common sense.

Recent Articles By Author