Financial Service Command Center: Legal Trends and Analysis for Financial Service Providers (Vol.1, No.1) Identity Theft: Know the Law

Briefings on significant legislative, regulatory and judicial developments affecting the financial services industry.



(April 5, 2013)  Identity theft pervades our personal and professional lives. Consumer groups warn about its perils and vendors hawk their products’ defenses against it, while the Federal Trade Commission reports that in 2012, identity theft topped the list for the 13th consecutive year in its annual compilation of consumer complaints.

Bankers know about identity theft both from actual experience and from regulators’ alerts about its financial and reputational risks. While they typically know about the operational and technological aspects of identity theft, bankers may be unfamiliar with the governing laws and regulations. To make well-informed decisions about their human and financial investment in identity theft detection and prevention, compliance officers should understand the basic legal framework, especially the extent to which it favors consumers.

Account Hijacking

Identity theft takes many forms. Account hijacking is a kind of identity theft to which financial institutions are particularly vulnerable because they house mountains of deposit and loan account data. Hijackers get account information by penetrating security measures through the telephone, email or other electronic media. Once the information is acquired, the hijacker accesses account funds and through one device or another, steals them. A recent case shows how the law treats the victim bank and customer.

A husband and wife maintained a checking account and a $150,000 home equity line of credit at a community financial institution. The accounts were linked in a typical arrangement so that the customers could draw down HELOC funds and transfer them to the checking account. They could access the account by telephone with a pre-set voice activated code.

On a Thursday before a holiday weekend, a thief acquired the depositors’ phone access code and penetrated the linked accounts through the phone system. Before this security breach, the depositors had drawn only about $6,000 in HELOC funds, leaving a $144,000 balance available, and they had transferred funds between the accounts only once, when they moved the $6,000 to the checking account to pay a bill. They had never used the telephone access system.

The hijackers worked fast. By the close of business on Friday, they had tested the bank’s security features with 16 transfers back and forth between the checking account and the HELOC. No alarm sounded, no wires tripped, so they emptied the HELOC balance into the checking account. The following Tuesday, the bank received a fax from the thief, instructing it to wire the $144,000 to a South Korean bank account. The depositors had never before wired funds from the account to anywhere, let alone South Korea. Without inquiry or notification to the customers, the bank complied with the imposter’s directions. Later that day, an employee notified the depositors of the account transfers and the wire. By that time, of course, the money was long gone, beyond recall.

The Law

Even in a world without federal consumer protection laws, this bank would have been in trouble. Numerous intra-account transfers in previously quiet accounts, poor voice/code security and reliance on an unverified fax to wire the entire HELOC balance to Korea all add up to plain old negligence. But of course we do have a federal consumer protection law that covers the case, and that is the Electronic Funds Transfer Act (“EFTA”) and its implementing Regulation E.

EFTA/Regulation E

Congress enacted EFTA in 1968 to “provide a basic framework establishing the rights, liabilities, and responsibilities of participants in electronic fund and remittance transfer systems”. As noted in Regulation E, EFTA’s primary purpose is “the protection of individual consumers engaging in electronic funds transfers”.

EFTA provides that an electronic funds transfer is any transfer of funds initiated through an electronic terminal, telephone, computer or magnetic tape for the purpose of ordering, instructing or authorizing a financial institution to debit or credit a consumer account. Even though telephone transfers are included in the general language, EFTA and Reg. E specifically exclude them from coverage as an electronic funds transfer unless they take place under a “written plan in which periodic or recurring transfers are contemplated”. Unfortunately for banks, the Official Staff Commentary to EFTA (formerly administered by the Federal Reserve, now transferred to the Consumer Financial Protection Bureau under the Dodd-Frank Act) defines a written plan quite broadly to include written statements available to the account holder that describe a telephone transfer initiation system, for example a “brochure or material included with periodic statements”.

The husband and wife depositors in this case had received just such a brochure in the form of a booklet that described a telephonic “audio response access service for your accounts”. Since the brochure amounted to a “written plan”, the 16 transfers between the HELOC and the checking account qualified as electronic funds transfers. More importantly, each transfer was an “unauthorized electronic funds transfer” because it was made by a person without actual authority to initiate the transfer, the customers received no benefit from the transfer, and they did not furnish the hijacker with an access code or card. Since they were unauthorized electronic funds transfers, the bank was liable for all but $50.00 of the loss resulting from the drawdown of HELOC funds to the checking account, from which the money was wired to Korea.


Article 4-A of the Uniform Commercial Code governs wire transfers. The UCC generally imposes liability on the bank for unauthorized transfers (“interloper fraud”, in the words of a federal court decision). Liability shifts to the customer where the bank and the customer have agreed to an authentication security procedure that is commercially reasonable and the bank accepts the payment order (i.e., the fax) in good faith and in compliance with the procedure.

In this case, the bank hadn’t agreed to any security procedures with the customers, so the question of commercial reasonableness never arose. The bank was liable to the customers for the full amount of the funds wired from the checking account to Korea.


The facts here were extreme: in fact they were so one-sidedly in favor of the customers under the UCC and the EFTA that the bank settled with them by refunding the full amount of the wired funds. The customers just had to furnish forgery affidavits in support of the bank’s claim for insurance coverage.

Most banks we know have much better security controls and procedures to deter identity theft. Still, this case is instructive because it shows what happens when systems fail or don’t exist: the law takes over, and that law is designed to protect consumers, not banks. That’s the real takeaway.


Article written by Clifford S. Weber, Esq., a partner at the HH&K White Plains office. For more information contact Mr. Weber at (914) 694-4102 or
