New York sues Citi for refusing to reimburse victims of online fraud
Attorney General James argues that under the Electronic Fund Transfer Act (EFTA), Citi should reimburse victims of online fraud, similar to electronic credit or debit card fraud.
New York Attorney General Letitia James has filed a lawsuit against Citi for not adequately protecting customers from electronic fraud and refusing to reimburse victims.
The suit claims that Citi’s weak online security measures have led to unauthorized account access. Consequently, New Yorkers have suffered significant financial losses, with some losing their life savings.
“Banks are supposed to be the safest place to keep money”
NY Attorney General James said: “Banks are supposed to be the safest place to keep money, yet Citi’s negligence has allowed scammers to steal millions of dollars from hardworking people. Many New Yorkers rely on online banking to pay bills or save for big milestones, and if a bank cannot secure its customers’ accounts, they are failing in their most basic duty. There is no excuse for Citi’s failure to protect and prevent millions of dollars from being stolen from customers’ accounts and my office will not write off illegal behavior from big banks.”
The lawsuit details multiple instances of fraud. In one case, a New Yorker lost $40,000 from her retirement savings after a phishing attempt. Despite reporting the suspicious activity, Citi denied her fraud claim. In another case, a customer lost $35,000 when a scammer manipulated her accounts, and Citi failed to verify the transactions adequately.
The Office of the Attorney General (OAG) found Citi’s response to fraud alerts inadequate. The bank’s systems failed to detect unusual activities, such as access from new locations or devices, and large fund transfers. Citi also did not report fraudulent activities to law enforcement promptly. Additionally, Citi’s customer service was criticized for long hold times and misinformation, further enabling ongoing scams.
Citi should reimburse victims of online fraud, says Letitia James
Attorney General James argues that under the Electronic Fund Transfer Act (EFTA), Citi should reimburse victims of online fraud, similar to electronic credit or debit card fraud. However, Citi allegedly exploited a loophole in these laws to deny consumer reimbursement claims. The lawsuit seeks restitution for victims over the past six years, as well as penalties and disgorgement.
This legal action is part of Attorney General James’s broader efforts to hold financial institutions accountable. Recently, she urged federal agencies to ensure national banks cooperate with state investigations and called for eliminating overdraft fees at major banks.
Citi says banks are not required to make clients whole
A spokesperson for the bank commented, “Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible.
“Banks are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived. However, given the industry-wide surge in wire fraud during the last several years, we’ve taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education. Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats.”
NY AG claims Citi bullies customers into signing forms
On the plaintiff’s side, NY AG is arguing that Citibank bullies customers into signing forms that admit the customer authorized the funds transfer, even if they were hacked, thus boxing the customer into the narrow rules of the UCC’s article 4A-204.
Under that law liability is clear, if a bank follows a valid security procedure before executing the funds transfer it has no liability or duty to reimburse the customer.
If a bank didn’t follow a security procedure such as validating a customer’s ID via user/pass log in, pin number, ID in person and the customer says they didn’t authorize the wire transfer the law is clear and a customer must be reimbursed by its bank plus daily interest.
