The New York Attorney General’s decision to sue Citibank last week for failing to reimburse customers who’d been victimized by fraud raised some interesting issues for business that go beyond just Citibank. Specificially, when should a customer be reimbursed for fraud and at what point do the customer’s own actions come into play?
To be clear, financial institutions have been routinely refusing to reimburse customers who have done nothing wrong. The far trickier issue is when the customer does indeed do something wrong.
Consider three scenarios:
- A customer gets a phone call supposedly from the financial institution; the caller says they’re investigating a fraud and asks the customer to reveal their confirmation code (almost always an unencrypted SMS text, which no business should be doing, but I digress). Contrary to the “we will never ask you for your password” line, many enterprises will absolutely ask a customer to reveal that code to “verify” the customer is who they claim to be. Therefore, it’s not an unusual request.
- The customer is standing at an ATM about to make a withdrawal when someone stands next to them, points a gun at their head and says “Give me $5,000 or I will kill you.”
- The customer is conned by a relative who says he needs money for an operation. The person takes the money out of their account and hands it over to the relative.
All three are frauds against that customer. Is the financial institution required to return the funds under scenario 3? What about scenario 2?
Many financial institutions say that if the customer did not strictly follow the rules, they are under no obligation to reimburse. But what if the cus tomer in scenario one truly believed the caller was from their bank? Should that play a role in the reimbursement decision?
This kind of fraud reimbursement decision could affect all enterprises. If a utility or a retailer or a hotel or a car dealer has customers who are ripped off due to fraudsters, where does the reimbursement obligation start and end?
The New York case points out that financial institutions are using obscure and outdated rules about wire transfers to avoid customer remibursements. (Those wire rules were written long before mobile and online money transfers became common.)
“Citi does not apply the EFTA (the Electronic Funds Transfer Act of 1978) to its own unauthorized EFTs initiated electronically by scammers, citing a narrow but inapplicable exclusion for bank-to-bank wires,” the AG’s legal filing said. “Citi also does not apply its most robust verification procedures to Payment Orders received within minutes of rejected Payment Orders involving the same accounts. At times, Citi cancels fraudulent Payment Orders after it is unable to verify those orders directly — either because Citi is unable to contact consumers directly or because scammers provide inaccurate information when contacted.
“Yet when scammers submit new Payment Orders minutes later using the same accounts for the same amounts, no heightened scrutiny is applied. To the contrary, at times Citi employs weaker verification procedures to the subsequent fraudulent Payment Orders.”
More importantly, the filing said that Citi does not engage in meaningful investigations when a fraud is reported. And it does not lock accounts to end the fraud when it learns of an attack. Instead, it makes customers come into local branches, which gives the attackers plenty of time to steal more money and move the funds out of the reach of law enforcement.
Linda Miller, the former principal at Grant Thornton and currently the CEO of The Audient Group, said “banks have not been getting held accountable in any meaningful way. They are not incentivized to take fraud seriously.”
The proper way to fix this is to change federal law to make it clear that the banks are responsible for their customers getting defrauded. But Miller said that’s highly unlikely.
“The banks aren’t too worried about these laws changing, because they have a very powerful lobbying group,” Miller said.
The full New York state filing (which I would encourage everyone to read) makes a tactical error, in my view. It talks about reimbursement, but then also explores the specific cybersecurity mechanisms Citi uses — and the ones it’s not using. Although it’s relevant, this also allows Citi to make this all about the protections it uses. Then it can talk at length about about the defenses in use. That is a distraction, not an answer.
New York’s sole focus should be on forcing financial institutions to reimburse customers fully for fraud. In other words, if the state focuses on demanding better protection, financial institutions are likely to do the minimum they can get away with. If the state focuses on forcing full reimbursement for all fraud, banks and institutions will see cybersecurity as a way to reduce losses. Then they’re more likely to take appropriate measures.
This brings us back to the real question: When should a business reimburse for fraud? If a customer deliberately and intentionally withdraws money to give to a worthless effort or a tricky charlatan, is the institution responsible? What about when they truly believe they were talking with a bank representative?
Let’s flip this around. Financial institutions do have a legitimate fear. They worry that if all fraud has to be reimbursed, it will encourage so-called fake fraud. That’s where a customer, for instance, could get a friend to transfer the customer’s money to an overseas bank account — then the customer claims fraud and demands reimbursement. That way, customers can double their money.
There is an easy fix. Financial institutions should indeed reimburse all fraud. Then they do an investigation and if they believe the fraud is bogus, report the customer to law enforcement and let the authorities deal with it. This answers the bank’s question “Why wouldn’t customers pretend that a transfer was fraudulent?” The answer would be: “Because they don’t want to go to prison.”
The institutions have a strong incentive to determine whether a fraud case is bogus. The police, along with the DAs or prosecutors who have to try the case, have much less incentive to wrongly find a fraud complaint to be a lie. They need to prove the case beyond a reasonable doubt to a jury or a judge. That’s how this should be handled.
Alternatively, institutions could simply conduct real investigations, instantly lock accounts at the first hint of fraud, and deploy more effective mechanisms to detect and block suspicious activities.
There is an easy model for this: payment card systems (both credit cards and debit cards). The banks that handle these cards for the card brands (Visa, MasterCard, Amex, etc.) do a terrific point of instantly detecting likely fraudulent activity. Why can’t their counterparts handling business and consumer accounts do the same?