NYDFS Sues Citigroup Over Lax Antifraud Defenses, Seeking Major Expansion in Antifraud Liability for Banking Institutions
The New York Department of Financial Services (“NYDFS”) has brought action in federal court against Citibank, N.A., alleging that the bank systemically failed to protect accountholders from rampant online scam activity, leading to individual losses amounting to tens or hundreds of thousands of dollars. In taking this step, NYDFS seeks formal recognition of depository institutions’ liability under the Electronic Funds Transfer Act (EFTA) to safeguard depositors from fraud. If successful, this enforcement action carries major implications for banking risk and compliance teams, who will be forced to grapple with liability for the $151.1 billion in losses attributed to bank fraud scams in the U.S. in 2023 alone.
NYDFS’s 71-page complaint against Citi recounts myriad deeply flawed compliance processes at the bank that all but ensure that accountholders who fall victim to scams never receive any compensation. As alleged, Citi illegally attempts to circumvent its obligation to protect depositors under the EFTA and FDIC Regulation E by misleading them about their rights under these regulations. The bank instead treats reports about account takeover or other online scams as claims for reimbursement for unauthorized payment orders under the Universal Commercial Code, in what NYDFS characterizes as an effort to skirt its legal responsibility to protect depositors under existing law. This sets up a legal battle with nine-figure stakes, as NYDFS attempts to pin liability for the losses resulting from scams onto the bank where the scam was executed.
In its assessment of Citi’s antifraud compliance program, NYDFS found that Citi’s process for investigating reported fraud is transparently geared towards denying consumer claims and imposing liability on the victims themselves. According to NYDFS, Citi’s investigators rarely even contact the victims, many of whom report merely receiving vague form letters denying their claims months later on the basis that the consumer failed to adequately safeguard their accounts.
But NYDFS paints a very different picture about whose failure it is when a depositor’s account is looted by unauthorized transfers. NYDFS takes Citi to task for its weak cybersecurity controls, which make the bank willfully blind to fraudulent activity that could be detected with appropriate investment into modern surveillance technology and other tools. As alleged, Citi also failed to sufficiently train call center and fraud prevention employees, leading to scammers manipulating Citi staff into resetting consumers’ passwords and granting them unfettered account access. According to NYDFS, Citi’s woeful antifraud performance fails to meet the standards for commercially reasonable security that are expected of depository institutions in the State of New York.
The sum total of Citi’s failures has created an institution that is “disorganized, haphazard, and incapable of effectively safeguarding consumer funds,” as told by NYDFS. Citi systemically fails to act despite clear red flags, allowing scammers to make off with consumers’ life savings in minutes. Once the fraud is reported, Citi subjects the victim to confusing and opaque investigation processes designed to shield the bank from liability, not to protect its depositors, as Citi is obliged to do by law.
NYDFS’s complaint recounts the stories of consumers clicking a link, or answering a text message, only to find their savings vanish later that day. One such example describes a long-time Citi customer who suffered a fraudulent wire transfer in the amount of $40,000 after mistakenly clicking a link that appeared to be from the bank itself. The victim provided all information asked of her, made reports with appropriate law enforcement agencies, and followed up with Citi regularly for a period of several weeks in 2023. Citi denied this individual’s claim, having never contacted the victim, on the basis that the fraudulent transfer had been “authorized” by the account holder, who had unknowingly given their login credentials to Citi.
The issue of liability for fraudulent transfers has been heating up for some time. The Senate Banking, Housing, and Urban Affairs Committee released a report in October 2022 lambasting banks for failing to repay the vast majority of claims where customers were fraudulently induced into making bank-to-bank payments. In response, certain banks succumbed to pressure and reversed course, beginning to reimburse the victims of peer-to-peer payment scams in certain contexts. However, the overarching, hundred-billion-dollar question of antifraud liability in banking remains unresolved.
Citi, in its defense, asserted in a statement that “banks are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived.” However, the issue lies in the latter half of Citi’s defense; according to NYDFS, the bank could have, in real time, seen indications that its customers were being deceived. The signs were there, and the technology exists to pull those signals from the noise. Rather, Citi chose not to pay attention, failed to invest in its antifraud compliance program, and now must live with the consequences.
Given the enormity and seemingly unimpeded growth of financial fraud in the 2020s, regulatory intervention was always inevitable. As NYDFS aggressively seeks regulatory clarity regarding who is on the hook when depositors get scammed, the proverbial writing is already on the wall. Banks should take proactive steps to shore up their antifraud controls, and ensure that antifraud compliance team members are properly trained, in anticipation of the expansion of antifraud liability likely to result from NYDFS’s enforcement action against Citibank.