Managing Fraud Risk in Consumer Wires


March 6, 2025

As anticipated, 2025 is already shaping up to be a busy year in consumer financial services, with a federal district court expanding the application of a strict consumer protection law to wire transfers. The potential for a sudden shift has created a new opening for private litigants and aggressive state Attorneys General looking to step into the shoes of refocused federal regulators.

To set the stage, last January, the New York attorney general (“NYAG”) announced that it had sued a large national bank, relying on a novel theory that the consumer protections in the Electronic Fund Transfers Act (“EFTA”) and its implementing regulation, Regulation E, apply to wires ordered by consumers through online banking. The NYAG advanced this view notwithstanding the express carve-out of wires from Regulation E’s scope. Despite vociferous opposition by industry groups and the bank, who both point to the plain text of the law and decades of settled practices surrounding wires as evidence that the NYAG’s position is incorrect, the district court has indicated in the early stages of litigation that it agrees with the NYAG’s position.

On January 21, 2025, United States District Judge J. Paul Oetken rejected the bank’s attempt to dismiss the complaint on the basis that the unauthorized “Payment Orders” at issue in the case are excluded from EFTA coverage. In the 62-page order, Judge Oetken ruled that the allegedly fraudulent Payment Orders are governed by the EFTA. The NYAG’s argument persuaded Judge Oetken that the EFTA should apply to at least some segments in the process that enable the transfer of funds from one financial institution to another along a wire network. This allows key claims in the case to proceed, including those tied to the EFTA, under which consumers can dispute unauthorized debits and receive reimbursement from their banks. The NYAG had also advanced several claims under state law that attack the adequacy of the bank’s data security measures to protect consumers and the quality of its digital contracting process. However, Judge Oetken narrowed or threw out these other claims. On February 19, 2025, the bank asked Judge Oetken for permission to appeal his decision allowing the NYAG to move forward with key claims in the suit.

Notably, the NYAG is not alone in its interpretation of the EFTA and Regulation E. On May 29, 2024, the CFPB announced in a blog post that it was adopting a position similar to the NYAG’s, namely that the EFTA and Regulation E apply to wires ordered by consumers through online banking. The CFPB also submitted a Statement of Interest in the NYAG’s case, arguing that the bank’s interpretation of the EFTA’s wire transfer exclusion is incorrect. However, with the advent of a new presidential administration, it remains unclear whether the CFPB will continue to put forward this view.

Between the CFPB’s announced position and the developments in New York, there is material risk that previously well-settled law regarding Regulation E and wires will be upended, necessitating significant revisions to financial institutions’ existing wire practices.

Regardless of the Regulation E implications, these legal developments are occurring against a backdrop of increases in threat-actor activity, which have strained fraud prevention systems at financial institutions — and their fintech partners — throughout the country. These elements highlight the importance of robust systems for not only fraud detection and prevention but also the calibration of compliance structures and consumer-facing agreements to limit a depository’s risk as much as possible.

Key Details

The NYAG and CFPB’s interpretation of Regulation E disturbs well-settled case law and effectively re-writes existing law. By their own plain language, Regulation E and the EFTA do not apply to wire transfers. The EFTA applies to any “electronic fund transfer,” defined as a transfer of funds “initiated through an electronic terminal, telephonic instrument or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account.” The EFTA excludes from its coverage, among others, any transfer of funds “made by a financial institution on behalf of a consumer by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer.” Furthermore, Regulation E makes clear that “[w]ire or other similar transfers” are excluded from EFTA coverage. While the law appears to be clear as to scope, the NYAG, CFPB and now a federal court in New York have seized on a leg of a wire transfer moving money from a consumer’s account to a bank’s wire settlement account to avoid the exclusion and dramatically shift the law’s coverage.

Article 4 of the Uniform Commercial Code

As has been the case for many years, courts have taken the view that Article 4A of the Uniform Commercial Code — not Regulation E — covers wire transfers. Under Article 4A, banks are required to reimburse payments to consumers for unauthorized payment orders. However, reimbursement is not required if an unauthorized payment order is “effective,” which requires that: (i) an agreed-upon, commercially reasonable security procedure is in place; and (ii) the bank proves that it accepted the payment order in good faith, in compliance with the security procedure, and in compliance with customer instructions.

Regulation E’s prescriptive error resolution procedures would pose a heightened administrative and financial burden for banks. Under the current interpretation of the legal frameworks, where the UCC applies to fraudulent wire transfers, the bank will likely be able to avoid compensating the victim of that fraud if the payment order was “effective.” However, if instead Regulation E covers wire transfers, and there is fraud, banks may have to compensate victims for the full amount of any fraudulent transfers, provided that the consumer notified the bank of the fraudulent transfer. The error resolution procedures would require banks to investigate and resolve supposedly fraudulent wire transfers and provisionally credit consumers’ accounts with the amount of the alleged fraudulent transfer generally within ten business days of receiving notice from the consumer. This shift in financial risk and liability could have downstream ripple effects on both the availability and cost of consumer-facing services and financial products.

SHIELD Act and Red Flags Rule Compliance

To further complicate the compliance field and to shore up defenses against wire fraud, New York’s SHIELD Act requires banks to develop, implement and maintain a data security program that includes reasonable safeguards to protect financial account information. Such safeguards include technical, administrative and physical safeguards to, among other things, detect and respond to system attacks or failures, train and manage employees, assess risk in network and software design, and protect against the unauthorized access of data. Additionally, the federal “Red Flags Rule” requires financial institutions that offer or maintain covered accounts to establish an identity theft prevention program designed to detect, prevent and mitigate identity theft, including the detection of and appropriate response to Red Flags, and to ensure that the identity theft prevention program is periodically updated to reflect changes in risks to customers posed by identity theft. At its core, the program must be able to detect and respond appropriately to “Red Flags,” which are defined as patterns, practices, or specific activities that indicate the possible existence of identity theft. Even if a bank followed the SHIELD Act and the Red Flags Rule, according to the NYAG, the bank may nevertheless be on the hook for fully compensating consumer victims of wire fraud under its novel interpretation of Regulation E.

Six Takeaways for Financial Institutions

While these matters work their way through the court, here are six steps depository institutions can take, with the assistance and advice of legal counsel, to manage their cybersecurity and fraud risk:

  1. Consider the cost of compliance with Regulation E and changes to processes. Bank examiners, state Attorneys General, and plaintiffs’ counsel looking to cash in on the possibility of broader adoption of this shift in the law may soon begin to look for compliance with the newly articulated view of Regulation E. Depositories may do well to consider the cost of applying Regulation E protections—or elements thereof—to consumer wires ordered online. Depositories may also consider what changes might be made to existing wire processes and agreements to avoid the application of Regulation E under this novel view of the law.
  2. Written agreements between customers and banks are crucial. Setting aside Regulation E’s application, under the UCC, a written agreement detailing commercially reasonable security procedures is key to limiting liability between a customer and their bank. Special care must be given to not only the text of the agreement but to the manner in which it is presented and agreed to by consumers—especially in an online environment. Courts and regulators beyond the NYAG case are increasingly examining the methods by which a bank presents the written agreement to the customer digitally. Whether the customer is considered fully informed or to have consented can turn on minute details such as hyperlink placement, font and color choices. Compliance and legal need to be consulted to avoid regulator findings of “dark patterns” that can invalidate an agreement or lead to UDAAP liability.
  3. Written agreements are only the first step in limiting liability for fraudulent transfers under the UCC. Even with a written agreement, a bank’s good faith execution of a customer’s wire instructions is a necessary condition. Strictly following internal security procedures may be inadequate when other indicia or facts available to the bank create suspicion around the transfer that a reasonable bank would or should have noticed. A bank should employ robust fraud detection screens and act on feedback actually received through customer service.
  4. Entities subject to New York’s SHIELD Act must implement and maintain reasonable safeguards to protect customers’ private information. Any business that owns or licenses computerized data that includes private information of New York residents, including financial account information, must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information. This includes, among other obligations, implementing reasonable administrative and technical safeguards to identify, prevent, and respond to reasonably foreseeable internal and external risks and actual threats, and training and managing employees in the security program. The New York Department of Financial Services (“NYDFS”) enforces a regulation known as “Part 500” or the “Cybersecurity Regulation,” which imposes similar cybersecurity requirements on financial services companies, including banks. The Cybersecurity Regulation requires covered entities to, among other things, maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems and the nonpublic information stored on those systems. Between the SHIELD Act and the Cybersecurity Regulation, New York expects companies to adopt appropriate layered security, which may include safeguards such as multi-factor authentication, algorithmic monitoring of consumer and account behavior, mechanisms to identify anomalous or suspicious behavior, and employee training to prevent fraudulent transfers. As an initial step on the road to effectively safeguarding customers’ private information, businesses may consider using the Federal Financial Institutions Examination Council’s (“FFIEC”) Cybersecurity Assessment Tool to identify risks in their cybersecurity programs and procedures. While not totally comprehensive, the Assessment Tool allows financial institutions to measure their cybersecurity preparedness at a given point in time.
  5. The Red Flags Rule requires financial institutions to establish an identity theft prevention program that is designed to detect, prevent and mitigate identity theft. Financial institutions should be able to identify and prevent patterns and practices that indicate potential identity theft. Under the FTC’s Red Flags Rule, the NYAG expects financial institutions to be able to detect, flag and respond appropriately to suspicious behavior — relating to wires or any fund transfer — such as:
    • Fund transfers electronically transmitted within hours of changes in consumers’ online account details;
    • Fund transfers electronically transmitted within hours of consumers first enrolling in online wire transfer services;
    • Fund transfers that, if executed, would result in a near-zero balance in consumers’ bank accounts; and
    • Fund transfers received within hours of similar orders that had been cancelled or were unverified.
  6. Fintechs should be concerned, too. Regulation E applies to “financial institutions,” a term defined to include any person or entity that holds a consumer account or that issues an access device and agrees with a consumer to provide electronic fund transfer services, subject to limited exception. This broad definition may encompass a number of existing fintech and alternative banking companies, and a finding in favor of the NYAG could subject such companies to added compliance requirements and risks. The CFPB had previously indicated that it believes some nonbank financial institutions dealing in digital currencies are subject to its supervisory authority and has proposed an interpretive rule to that effect. Even with the CFPB’s future direction in question under this administration, this prior work lays plenty of groundwork for state Attorneys General and private litigants. A reinterpretation of Regulation E’s applicability would further expand the suite of laws and regulations that fintechs must consider.
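
The four suspicious-behavior patterns listed in takeaway 5 can be expressed as rule-based checks over a wire order record. The following is an added example, not code from this article or from any institution; the record fields, the 24-hour window, and the 5% and 10% thresholds are assumptions, since the article says only “within hours” and “near-zero.”

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds: the article says "within hours" and "near-zero"
# without giving numbers, so these values are illustrative only.
WINDOW = timedelta(hours=24)
NEAR_ZERO_FRACTION = 0.05   # flag if remaining balance <= 5% of prior balance
SIMILAR_TOLERANCE = 0.10    # amounts within 10% of each other count as "similar"

@dataclass
class PriorOrder:           # an earlier order that was cancelled or never verified
    at: datetime
    amount: float
    beneficiary: str

@dataclass
class WireOrder:            # hypothetical record shape, not a real bank schema
    at: datetime
    amount: float
    beneficiary: str
    balance_before: float
    profile_changed_at: Optional[datetime] = None
    wire_enrolled_at: Optional[datetime] = None
    cancelled_or_unverified: list = field(default_factory=list)

def _recent(event: Optional[datetime], now: datetime) -> bool:
    """True when the event happened at or before `now` and inside WINDOW."""
    return event is not None and timedelta(0) <= now - event <= WINDOW

def red_flags(o: WireOrder) -> list:
    """Return the names of the four listed red flags that this order trips."""
    flags = []
    if _recent(o.profile_changed_at, o.at):
        flags.append("recent_account_detail_change")
    if _recent(o.wire_enrolled_at, o.at):
        flags.append("recent_wire_enrollment")
    if o.balance_before > 0 and o.balance_before - o.amount <= NEAR_ZERO_FRACTION * o.balance_before:
        flags.append("near_zero_balance")
    if any(_recent(p.at, o.at) and (p.beneficiary == o.beneficiary or
           abs(p.amount - o.amount) <= SIMILAR_TOLERANCE * max(p.amount, o.amount))
           for p in o.cancelled_or_unverified):
        flags.append("repeat_of_cancelled_or_unverified_order")
    return flags

# Constructed sample: details changed 09:00, similar order cancelled 09:30, wire at 11:30.
T0 = datetime(2025, 3, 6, 9, 0)
SAMPLE = WireOrder(at=T0 + timedelta(hours=2, minutes=30), amount=9800.0,
                   beneficiary="ACCT-EXAMPLE-1", balance_before=10000.0, profile_changed_at=T0,
                   cancelled_or_unverified=[PriorOrder(T0 + timedelta(minutes=30), 9500.0, "ACCT-EXAMPLE-2")])
```

An order that trips one or more flags would be held for the institution's step-up verification or manual review; how flags are weighted or combined is a policy decision the article does not specify.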

For more information about the NYAG’s lawsuit, its updates, and its implications, please contact Edward Somers, Elizabeth McGinn or Hayden Irwin.

For more information and coverage on developments related to the CFPB, visit Orrick’s “CFPB Pause: Where From Here?” resource center, which is updated daily with the latest news and analysis, and follow our InfoBytes Blog for the latest consumer financial services news.