When Banking Laws Don't Protect Consumers From Cybertheft

Banking laws designed to protect Federal Deposit Insurance Corp. (FDIC)-insured accounts contain loopholes that strip consumers of coverage against certain cyberattacks.

Less than a month before the US Consumer Financial Protection Bureau hit Wells Fargo & Co. with the largest financial civil penalty ever for the mismanagement of car loans, mortgages, and bank accounts In December 2022, a Wells Fargo customer suffered an account takeover of his consumer checking account that cost him $45,000. Wells Fargo chose not to reimburse that customer, Kartik Gada, CFO and chief economist at a San Francisco-area company.

According to records, the perpetrators hacked into Gada's cell phone account and obtained his bank login details from the device's backup data. The attackers modified the bank login information, granting themselves permission to conduct wire and Zelle money transfers to the checking account. They then transferred $45,000 to a New York-based bank, using two regular wire transfers before siphoning off the money. Wells Fargo argued that Gada's legitimate bank login credentials were acquired by the hackers, and as a result, they were not obligated to compensate Gada.

Account takeovers are not uncommon. A Marina del Rey couple faced a similar attack but had their funds returned to them by Wells Fargo at roughly the same time as the Gada attack. However, the modus operandi of the attackers was different, as were the results.

Gada tells Dark Reading that Wells Fargo denied his request for the funds to be returned because the bank claims he "failed to protect his password security." A bank representative told Gada that while the company acknowledged the attack, it still declined to reimburse him.

In the final resolution letter Wells Fargo sent to Gada, the bank wrote, "According to the Online Access Agreement, you are responsible for keeping your username and password confidential, and for actions taken by anyone using the Service after signing in with your username and password, or any other Wells Fargo approved authentication control, except as otherwise provided by law or regulation. We are entitled to rely and act upon instructions received under your username and password."

Inadequate Bank Oversight

Jay Hack, a partner at New York law firm Gallet Dreyer & Berkey, says the bank's "procedures for due diligence with respect to customers is obviously failing and the filtering software to filter out suspicious transactions is obviously failing. This transaction has all of the conditions of being a theft."

Once the bank's systems recognized the change in how the customer had been using the personal checking account and the swift changes to the account the night of the account takeover, the bank's monitoring software should have alerted authorities, Hack asserts. There are two possible reasons why it might not have done so, he notes. The first is the software was misconfigured to not "kick out suspicious transactions." Another is that even if the alert was noted, it could have been ignored.

A major bank, Hack says, should have software that identifies account takeovers and unusual actions — such as changing passwords and then adding and immediately using wire transfer capabilities — and then kicks out an alert.

Finessed Legal Justifications

Wells Fargo ignored multiple requests by Dark Reading to comment on its decision not to compensate Gada, why the bank's security controls did not flag the anomalies occurring on the account, and why no bank employee tried to confirm the unusual changes to the account before processing the transactions.

Although the Comptroller of the Currency's office and the Consumer Financial Protection Bureau both declined to discuss the specifics of Gada's situation, both organizations directed Dark Reading to documents concerning the Electronic Fund Transfer Act and Regulation E. One carve-out that Wells Fargo used as a reason to deny compensating the customer is that the attackers implemented wire-transfer capabilities, which specifically is not covered under Regulation E.

Wells Fargo's response to the breach was to redefine the personal checking account as a brokerage account due to the attackers' actions and subsequently told the client different rules applied to the brokerage account, Gada said. The bank chose to follow Universal Commercial Code (UCC) 4A-202, which addresses wire transfers and has different "good faith" rules than does Regulation E. A short PowerPoint description of the regulations can be found on the FDIC's website.

Wells Fargo's position is that a customer is responsible for losses if the attackers use a wire transfer to steal money from the customer's checking account. Should the attackers have chosen a different approach, such as a money transfer application (like Zelle or PayPal) or an Automated Clearing House (ACH) transfer, the FDIC would have required the bank to reimburse Gada under Regulation E.

The bank chose not to address why the victim of a crime would be subject to UCC 4A, which requires an agreement between the bank and the customer. Because the attackers caused the change in account status and not Gada, this raised the question of whether this was a legal contract between the customer and bank.

Hack says that banks can get away with such denials because the cost of litigation is often far higher than the consumer's loss. It does not become profitable for specialty law firms to file lawsuits until the customer's losses are $1 million or more, he notes.