Depository Institution Not Liable in ACH Fraud Case
On March 26, 2025, the U.S. Court of Appeals for the Fourth Circuit issued an important decision addressing a depository institution’s liability for wire transfer losses resulting from a business email compromise scam.
The court held that the Uniform Commercial Code protects a beneficiary bank of a payment order when it accepts funds into an account based on the account number specified in the payment order, even if the account name does not match the account number, if the bank does not have “actual knowledge” of the mismatch.
The Fraud
In Studco Building Systems, Inc. v. 1st Advantage Federal Credit Union, Studco, a metal fabricator, received a fraudulent email from someone impersonating an account manager for Studco’s steel supplier, Olympic Steel, Inc. The email falsely stated Olympic was changing banks and that Studco should pay Olympic’s future invoices by ACH to Olympic’s new bank account. A subsequent email from the fraudster identified a Virginia-based credit union as the new bank and provided the account information for future payments.
Unaware that the emails purporting to be from Olympic were fraudulent, Studco ordered payment of four Olympic invoices, totaling over $550,000, to “Olympic Steel, Inc.” by ACH transfer to its supposed account at the credit union.
This account was in fact controlled by the fraudsters, who were able to make off with the money and were never identified. The fraudsters were able to do all of this because they had hacked into Studco’s email system and obtained information on Olympic.
The Credit Union’s Role
The credit union processed the ACH transfers based on the account number specified in Studco’s payment orders, even though that account number was not in Olympic’s name. The funds were deposited into an account with the account number provided by Studco, but that account was in the name of an individual member of the credit union who had also been duped by the fraudsters as part of the scam.
Importantly, at the time of the transfers, the credit union had in place a security system to monitor ACH transfers and generate reports, including warnings when the identified payee on a payment order did not match the name on the receiving account.
According to testimony at trial, this security system generated “hundreds to thousands of warnings related to mismatched names on a daily basis,” but the system did not notify anyone of such warnings and the credit union did not review them.
The Lawsuit Against the Credit Union
Studco, which was out $550,000, sued the credit union in U.S. district court for reimbursement based on the credit union’s alleged negligence in failing to discover the mismatch between the account name and intended payee. Studco argued that the loss would have been avoided if the credit union had acted in a commercially reasonable manner. Studco claimed the credit union was responsible under Article 4A of the Uniform Commercial Code (UCC) (§4A-207, also adopted and codified in Virginia), because it accepted the ACH transfers to a misdescribed account.
The district court ruled in favor of Studco, finding the credit union had failed to act in a commercially reasonable manner or exercise ordinary care. The court stated that if the credit union had implemented “reasonable routines,” it would have been alerted to the mismatch and the fraud losses could have been avoided.
The Fourth Circuit reversed that ruling on appeal. The court held that if the name and account number in a payment order refer to different persons, a depository institution is not liable for honoring the payment order in reliance on the account number, unless it has “actual knowledge” (not imputed knowledge or constructive knowledge) of the discrepancy.
The court found that the credit union did not have “actual knowledge” of the mismatch between the account number and the intended beneficiary. Despite the credit union’s internal monitoring system that generated warnings about misdescriptions, the system lacked mechanisms to notify staff or prompt reviews, leading the court to conclude the credit union did not have the necessary knowledge to be held liable.
Lessons for Financial Institutions
A depository institution that does not have actual knowledge of a discrepancy between the name and account number given for a funds transfer will not be liable if it accepts a transfer of funds into an account bearing the number given. Furthermore, a depository institution has no duty to determine whether there is such a discrepancy.
However, a depository institution needs to understand when it may have actual knowledge of a misdescription under its fraud prevention or other security practices and ensure it acts appropriately when it does. What saved the day for the credit union in this case was the fact that it did not review the reports of misdescriptions generated by its security system. The result likely would have been different if the credit union had reviewed them and failed to act.
For further guidance on your institution’s fraud prevention policies, please contact Jay Spruill or your Woods Rogers attorney.