The U.S. Court of Appeals for the Eleventh Circuit recently held that, consistent with rulings as to an identical New York law, the one-year period to make a demand for a refund of a fraudulent wire transfer under Florida Statutes § 670.202 may be not modified by contract.
A copy of the opinion in Jesus Rodriguez, et al v. Branch Banking & Trust Company, et al is available at: Link to Opinion.
An alleged bank employee and co-conspirator supposedly stole over $850,000 from two business owners, along with their families and companies (“Plaintiffs”), by impersonating the alleged victims, changing their passwords, and transferring money from their bank accounts.
The Plaintiffs’ deposit account agreement with the bank required them to notify the bank “within 30 days of any unauthorized transaction from the account”, and to notify the bank “within 10 days of the regular statement date” if they did not receive a monthly bank statement. A separate treasury management agreement required the Plaintiffs to examine every bank statement and to notify the bank of any unauthorized transfers within 30 days of the statement date.
In addition, the parties agreed to use a security protocol for wire transfers that: (1) required the Plaintiff business to change its password every 30 days; (2) issued the Plaintiff business “a physical security token that created a one-time passcode to use to log in, as a type of dual-factor authentication”; and (3) sent event notifications to alert the business of “potentially suspicious” activity — like a password change.
A bank employee changed the email address for 10 of the Plaintiffs’ accounts. In the coming weeks, the bank received a call from a person who was able to answer certain security questions relating to the Plaintiffs’ accounts. The next day, a person emailed from the fraudulent email account to set up a physical security token for a wire transfer, and the bank provided the necessary forms.
Two different bank employees determined that the signatures on the forms appeared to match those in the bank’s records. Given the correct responses to the security questions, and apparently matching signatures, the bank sent the physical security token to the fraudsters as requested.
Later, the fraudsters transferred roughly $850,000 out of the Plaintiffs’ bank account by a series of wire transfers. Before authorizing the first wire transfer, the bank called the telephone number for the accounts to verify the transactions, and the fraudsters answered as if they were the Plaintiffs.
The Plaintiffs asserted that they made numerous calls and emails to the bank to no avail. The Plaintiffs did not regain access to their accounts until roughly six months later, at which time they discovered the theft.
The Plaintiffs sued the bank and the alleged thieves in common law contract, tort, and made a statutory demand for repayment under Florida’s law requiring refunds of fraudulent wire transfers (Florida Statutes § 670.202). The Plaintiffs asserted that the Florida law “provided a one-year time period to notify a bank of an unauthorized wire transfer and further provided that the time-period could not be modified by agreement.” In addition, the Plaintiffs asserted “that because they lived abroad and used the bank accounts only sparingly, [the bank] should have designated those accounts as ‘higher risk’ and applied stricter anti-fraud controls,” and that the bank “hadn’t complied with its own procedures because it failed to require in-person authentication.”
At summary judgment, the trial court ruled in favor of the bank, holding that none of the bank’s contractual duties were breached, the tort claims were duplicative of the contract claims, the statutory demand was time-barred by the bank’s contractual 30-day limitations period, and regardless that the bank had followed commercially reasonable security procedures.
The Plaintiffs appealed. However, on appeal, the bank found additional documents relevant to the case that it had not previously produced. Because the “late-breaking discovery implicates factual issues related to the contractual, tort, and statutory repayment claims,” the Eleventh Circuit chose to “resolve only a single legal issue and then vacate and remand the rest of the case to the district court for discovery, repleading, and further litigation.”
Thus, on appeal, the only issue was “whether the one-year period to make a demand for a refund of a fraudulent wire transfer under Florida Statutes § 670.202 may be modified by the parties.”
Under Florida law, “[i]f a bank accepts a payment order that isn’t verified, then the bank “shall refund any payment” and “shall pay interest on the refundable amount.” Fla. Stat. § 670.204(1). “There is a penalty for failing to timely report a fraudulent transfer, though: the customer isn’t entitled to the interest if the customer failed to exercise ordinary care and to notify the bank of the fraudulent transfer within a reasonable time that cannot exceed 90 days.” Id.
The Florida law provides that a “’reasonable time’ may be fixed by agreement,” but “’the obligation of a receiving bank to refund payment’ may not be varied by agreement.” Id. § 670.202(2).
In addition, “if a bank receives ‘payment from its customer with respect to a payment order'”, then “the customer is precluded from asserting that the bank is not entitled to retain the payment unless the customer notifies the bank of the customer’s objection to the payment within one year after the notification was received by the customer.” Id. § 670.505.
Moreover, Chapter 670 — the chapter of the Florida statutory provisions at issue — “has a general rule that ‘the rights and obligations of a party to a funds transfer may be varied by agreement of the affected party”, but this general rule does not apply to when “otherwise provided in this chapter.” Id. § 670.501(1).
The Eleventh Circuit agreed with the Plaintiffs that the one-year deadline for reporting fraudulent transfers applied and could not be modified by the parties.
The Eleventh Circuit explained that Florida Statutes § 670.204 distinguished between “(1) a fraudulent transfer and (2) the interest that fraudulent transfer would have accumulated had it not been fraudulently transferred.” If a customer fails to notify a bank of a fraudulent transfer within “a reasonable time,” which may be set by agreement, “the sole penalty is that the customer loses the interest on the refunded payment.” Id. § 670.204(1). However, the Court noted that Florida explicitly did not also authorize modification to a “reasonable” period for the one-year period for reporting fraudulent transfers.
The Eleventh Circuit noted that the “New York Court of Appeals and the Second Circuit also determined that the one-year refund period cannot be modified when it was interpreting New York law (which is identical to Florida’s).” See Regatos v. North Fork Bank, 838 N.E.2d 629, 633 (N.Y. 2005); Regatos v. North Fork Bank, 431 F.3d 394, 395 (2d Cir. 2005).
Therefore, the Eleventh Circuit reversed the trial court’s ruling that the Plaintiffs’ Florida statutory claim was time-barred, and as previously noted, vacated and remanded the rest of the case to the trial court for discovery, repleading, and further litigation.