Summary
In Harborview Capital Partners, LLC v. Cross River Bank, 600 F. Supp. 3d 485 (D.N.J. 2022), the plaintiff's CEO's email account was hacked by a fraudster, who, similarly to the facts established here, instructed the plaintiff's accounting manager to wire funds to bank accounts in Hong Kong.
Summary of this case from Niram, Inc. v. Sterling Nat'l BankOpinion
Civ. No. 2:21-15146-KM-ESK
2022-04-26
Brigitte M. Gladis, A. Ross Pearlson, Chiesa Shahinian & Giantomasi PC, West Orange, NJ, for Plaintiff. Allison Robin Levinson, Iram Pagan Valentin, Jennifer Casazza Carter, Kaufman Dolowich Voluck LLP, Hackensack, NJ, for Defendant.
Brigitte M. Gladis, A. Ross Pearlson, Chiesa Shahinian & Giantomasi PC, West Orange, NJ, for Plaintiff.
Allison Robin Levinson, Iram Pagan Valentin, Jennifer Casazza Carter, Kaufman Dolowich Voluck LLP, Hackensack, NJ, for Defendant.
KEVIN MCNULTY, United States District Judge:
Harborview Capital Partners ("Harborview"), a customer of Cross River Bank ("Cross River"), had an Account Manager who was the person designated on the account to authorize wire transfers. Harborview unfortunately was the victim of a fraud; a hacker, impersonating Harborview's CEO, instructed Harborview's Account Manager to make transfers to a foreign account. The Account Manager submitted the transfer requests to Cross River, which, after double-checking with the Account Manager, executed the transfers. Harborview, thus defrauded of $1.375 million, now attempts to shift its losses to Cross River. Cross River, however, did no more than execute transfers in accordance with the instructions of Harborview's authorized representative.
Now before the Court is Cross River's motion (DE 21) to dismiss the Complaint for failure to state a claim. See Fed. R. Civ. P. 12(b)(6). For the reasons stated herein, I will GRANT Cross River's motion to dismiss.
I. Allegations of the Complaint
For ease of reference, certain key items from the record will be abbreviated as follows:
"DE_" | = | Docket Entry in this Case |
"Compl." | = | Complaint (DE 1) |
Plaintiff Harborview is a real estate investment company authorized and existing under the laws of Delaware. (Compl. at ¶1.) Defendant Cross River is a New Jersey bank with its principal place of business in Teaneck, New Jersey. (Compl. at ¶2.) In 2014, Harborview began depositing funds in accounts at Cross River, eventually reaching a balance of $20,000,000. (Compl. at ¶¶ 11-12.)
Cross River requested that Harborview complete Account Opening Data Entry Forms ("Account Forms"). (Compl. at ¶¶ 14-15.) On those forms, Harborview indicated that its business was "domestic in nature"; specifically, in January 2015 and January 2018, Harborview designated in the Account Forms that its specific "Trade Area was USA, that Harborview's foreign wire transfers was zero, and that Harborview did not conduct any foreign business." (Compl. at ¶¶ 15-18, DE 1-1) ("Exhibit A"), DE 1-2 ("Exhibit B"). Consistent with the Account Forms, "[f]rom 2014 until August 16, 2018, Harborview made 1,171 domestic wire transfers" from its Cross River accounts; it made no international transfers. (Compl. at ¶¶ 21, 25)
At some point, the email account of Harborview's CEO was hacked by an unknown fraudster. (Compl. at ¶ 26.) From August 16 through August 27, 2018, the hacker sent emails from the CEO's email account which instructed Harborview's Accounting Manager to wire funds internationally to bank accounts at Hang Seng Bank ("Hang Seng") in Hong Kong. (Compl. at ¶¶ 28, 32.) Following the "CEO's" (actually the hacker's) instructions, Harborview's Accounting Manager completed four wire transfer forms and sent them to Cross River. (Compl. at ¶ 30.) Upon the receipt of each wire transfer form, "Cross River contacted Harborview's Accounting Manager to confirm the details of the transaction." (Compl. at ¶ 33.) Ultimately, Cross River processed four international wire transfers at the direction of Harborview's Accounting Manager: (1) $420,000.00 on August 16, 2018; (2) $95,000.00 on August 17, 2018; (3) $325,000.00 on August 24, 2018; and (4) $955,000.00 on August 27, 2018. (Compl. at ¶ 31.)
According to Harborview, on August 17, 2018, Cross River learned that the initial wire transfer to Hang Seng (dated August 16, 2018) failed to process. (Compl. at ¶¶ 37, 38.) In fact, that initial wire transfer failed to process each day from August 17, 2018 through August 21, 2018. (Compl. at ¶ 37.) Allegedly, it was not until August 21, 2018 that Cross River notified Harborview that the initial August 16, 2018 wire had failed to go through to the Hang Seng bank account. (Compl. at ¶¶ 38, 39) The remaining three wire transfers, however, were successfully completed. These three, dated August 17, 2018, August 24, 2018, and August 27, 2018, totaled $1,375,000. (Compl. ¶ 41.)
Harborview alleges that the three successful wire transfers "would not have been made but for Cross River's failure to follow commercially reasonable procedures to timely notify Harborview of the failed initial Wire Transfer." (Compl. at ¶ 42.) The Complaint also alleges that if Cross River had performed a reasonable, prompt investigation of the failure of the initial August 16, 2018 wire transfer, "Cross River would have discovered that the [initial] Wire Transfer was fraudulent, thus preventing the three subsequent Wire Transfers from being completed." (Compl. at ¶ 48.) Moreover, Harborview contends that the four international wire transfers were processed by Cross River in bad faith, because Harborview indicated in the Account Forms "that no foreign wire activity was authorized, and that no business would be conducted of a foreign nature." (Compl. at ¶¶ 50-56.) Finally, Harborview claims that Cross River exhibited bad faith and lack of knowledge by failing to obtain direct verbal authority from either Harborview's President or Harborview's Managing Director to process the wire transfers, especially considering that all of Harborview's previous wires had been domestic but the disputed wire transfers were sent to Hong Kong. (Compl. at ¶¶ 61-64.)
On August 11, 2021, Harborview filed this action. It contains five counts:
Count 1: N.J. Stat. Ann. § 12:4A-201, 202, 203 (Article 4A of the Uniform Code as adopted by New Jersey "Article 4A")
Count 2: Negligent Misrepresentation
Count 3: Breach of Contract
Count 4: Promissory Estoppel
II. LEGAL STANDARDS
A. Motion to Dismiss
Federal Rule of Civil Procedure 8(a) does not require that a complaint contain detailed factual allegations. Nevertheless, "a plaintiff's obligation to provide the ‘grounds’ of his ‘entitlement to relief’ requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ; see Phillips v. Cnty. of Allegheny , 515 F.3d 224, 232 (3d Cir. 2008) ( Rule 8 "requires a ‘showing’ rather than a blanket assertion of an entitlement to relief.") (citation omitted). Thus, the complaint's factual allegations must be sufficient to raise a plaintiff's right to relief above a speculative level, so that a claim is "plausible on its face." Twombly , 550 U.S. at 570, 127 S.Ct. 1955 ; see also West Run Student Hous. Assocs., LLC v. Huntington Nat. Bank , 712 F.3d 165, 169 (3d Cir. 2013).
That facial-plausibility standard is met "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citing Twombly , 550 U.S. at 556, 127 S.Ct. 1955 ). While "[t]he plausibility standard is not akin to a ‘probability requirement’ ... it asks for more than a sheer possibility." Id.
Rule 12(b)(6) provides for the dismissal of a complaint if it fails to state a claim upon which relief can be granted. The defendant, as the moving party, bears the burden of showing that no claim has been stated. Animal Sci. Prods., Inc. v. China Minmetals Corp. , 654 F.3d 462, 469 n.9 (3d Cir. 2011). For the purposes of a motion to dismiss, the facts alleged in the complaint are accepted as true and all reasonable inferences are drawn in favor of the plaintiff. New Jersey Carpenters & the Trustees Thereof v. Tishman Const. Corp. of New Jersey , 760 F.3d 297, 302 (3d Cir. 2014).
B. Consideration of Documents Outside the Complaint
Generally, "a district court ruling on a motion to dismiss may not consider matters extraneous to the pleadings." Doe v. Princeton Univ. , 30 F.4th 335, 342 (3d Cir. 2022) (citing In re Burlington Coat Factory Sec. Litig. , 114 F.3d 1410, 1426 (3d Cir. 1997) ). Where a document, however, is "integral to or explicitly relied upon in the complaint," it "may be considered without converting the motion to dismiss into one for summary judgment" under Rule 56. Id. (citing Doe v. Univ. of Scis. , 961 F.3d 203, 208 (3d Cir. 2020) ). For a court to consider such a document, that document must be "undisputedly authentic." Pension Ben. Guar. Corp. v. White Consol. Indus., Inc. , 998 F.2d 1192, 1196 (3d Cir. 1993). Nonetheless, "a plaintiff cannot defeat consideration of a[n] integral document on a motion to dismiss unless it can offer a factual basis questioning its authenticity." Oshinsky v. New York Football Giants, Inc. , No. CIV.A.09-CV1186( ), 2009 WL 4120237, at *3 (D.N.J. Nov. 17, 2009) (citing Cal. Pub. Employees’ Ret. Sys. v. Chubb Corp. , No. CIV. NO. 00-4285 (GEB), 2002 WL 33934282, at *13 (D.N.J. June 26, 2002)) ; see also In re AT&T Corp. Sec. Litig. , No. CIV. 00-CV5364(GEB), 2002 WL 31190863, at *17 (D.N.J. Jan. 30, 2002).
Cross River has attached to its motion to dismiss Exhibit A, consisting of "true and correct copies" of the wire transfer forms cited in the Complaint, dated August 16, August 17, August 24, and August 27, 2018 (the "Finalized Wire Forms"). (DE 21-2; see also DE 21-3.) Harborview responds that these forms, at least in the form submitted by Cross River, are neither integral to nor explicitly relied upon in the Complaint, and are not undisputedly authentic. (DE 26 at 4) (citing 188 L.L.C. v. Trinity Indus. Inc. , 300 F.3d 730, 735 (7th Cir. 2002) ); Burlington , 114 F.3d at 1426. Harborview provides various reasons that the Court should not consider the Finalized Wire Forms.
First, Harborview contends that the Finalized Wire Forms are not the "international wire transfer forms sent by Harborview ... [which] would not have had any writing in the ‘bank only’ section of the form." (DE 26 at 3-4) (emphasis added). Second, Harborview asserts that the Finalized Wire Forms are not "undisputedly authentic" because (1) Cross River's attorney arguably "does not possess personal knowledge of the document's authenticity"; and (2) Harborview cannot authenticate a wire transfer form "which has bank writing on it." (DE 26 at 4.) Third, Harborview claims that it had never seen the wire forms in their finalized state before Cross River filed its motion to dismiss, and it is therefore "impossible to say that Harborview based its Complaint on the content of this document." (DE 26 at 2-3, 4) (citing McCauley v. Metro. Life Ins. Co. , No. CV187942ESMAH, 2019 WL 145624, at *3 (D.N.J. Jan. 8, 2019) ).
I agree that Cross River cannot add its own factual content (e.g. , the processing notations placed on the wire forms by the bank after they were submitted) to supplement or controvert the allegations of the complaint. Cross River, however, has largely mooted Harborview's objections by providing the "unaltered" versions of the wire transfer forms. Submitted with Cross River's reply brief is an affidavit from Kathleen Nelson, Chief Operating Officer of Cross River Bank, appending the same wire forms, but "without Cross River's processing notes" (the "Unaltered Wire Forms"). (DE 30-1). The Court will consider the Unaltered Wire Forms because they are integral to and explicitly relied upon in the Complaint.
The Unaltered Wire Forms are not merely referred to in the Complaint; they constitute much of the factual underpinning of Harborview's claims. The Complaint alleges, in part, that: (1) "Harborview's Accounting Manager completed four wire transfer forms in total and sent them to Cross River Bank"; (2) "Cross River processed four (4) international wire transfers ... from Harborview's Account"; (3) "Upon receipt of each Wire Transfer form, Cross River contacted Harborview's Accounting Manager to confirm the details of the transaction; (4) "The Wire Transfers ... were not authorized by Harborview and were the product of fraud."; and (5) Cross River violated N. J. Stat. Ann. § 12A:4A-202(2) "by accepting unauthorized Wire Transfer orders in connection with the Account." (Compl. at ¶¶ 30-32, 33, 55.)
Harborview makes no substantial argument that these Unaltered Wire Forms are not authentic copies of the ones it submitted to Cross River. Harborview cannot describe and rely upon the forms in its complaint while shielding them from scrutiny. The Court will consider the Unaltered Wire Forms on this motion.
III. DISCUSSION
A. Article 4A (UCC) Claims
1. Statutory Background
Article 4A of the UCC was enacted by New Jersey's legislature to address electronic funds transfers. ADS Assocs. Grp., Inc. v. Oritani Sav. Bank , 219 N.J. 496, 99 A.3d 345, 354 (2014). A "[f]unds transfer" is defined as "the series of transactions, beginning with the originator's payment order, made for the purpose of making payment to the beneficiary of the order." N.J. Stat. Ann. § 12A:4A-104(1). The "[p]ayment order" is the "instruction of a sender to a receiving bank, transmitted orally, electronically, or in writing, to pay, or to cause another bank to pay, a fixed or determinable amount of money to a beneficiary." Id. § 12A:4A-103(1)(a).
Section 104 defines the "[o]riginator" as "the sender of the first payment order in a funds transfer," N.J. Stat. Ann. § 12A:4A-104(3), and Section 103 defines the "[b]eneficiary" as "the person to be paid by the beneficiary's bank." N.J. Stat. Ann. § 12A:4A-103(1)(b). Finally, the "[b]eneficiary bank" is "the bank identified in a payment order in which an account of the beneficiary is to be credited pursuant to the order or which otherwise is to make payment of the beneficiary if the order does not provide for payment to an account." Id. 103(1)(c).
Pursuant to Article 4A, a payment order can be deemed authorized or effective through two alternative means. See ADS , 99 A.3d at 354. First, pursuant to Section 201(1), "[a] payment order received by the receiving bank is the authorized order of the person identified as sender if that person authorized the order is otherwise bound by it under the law of agency." N.J. Stat. Ann. § 12A:4A-202(1). Second, Section 202(2) establishes, in part, that
[i]f a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.
N.J. Stat. Ann. § 12A:4A-202(2). Article 4A defines the "[s]ender" as the person giving the instruction to the receiving bank. Id. § 12A:4A-103(1)(e). The "receiving bank" is the "bank to which the sender's instruction is addressed." Id. § 12A:4A-103(1)(d). Here, Harborview is the "sender" of the at-issue wires, and Cross River is the "receiving bank."
The Complaint alleges that Cross River violated N.J. Stat. Ann. § 12A:4A-202(2) by (1) "accepting unauthorized Wire Transfer orders in connection with the Account"; and (2) "failing to maintain and/or adhere to a commercially reasonable security procedure." (Compl. at ¶¶ 96-98.) Accordingly, Harborview requests that this Court find that the transfers were unenforceable and hold Cross River liable for the payment of the unenforceable transfers. (Compl. at ¶¶ 100-102; see also N.J. Stat. Ann. § 12A:4A-203, 204).
Section 203 states, in part, that "[i]f an accepted payment order is not, under section 12A:4A-202(1), an authorized order of a customer identified as sender, but is effective as an order of the customer pursuant to section 12A:4A-202(2), the following rules apply:
(a) By express written agreement, the receiving bank may limit the extent to which it is entitled to enforce or retain payment of the payment order.
(b) The receiving bank is not entitled to enforce or retain payment of the payment order if the customer proves that the order was not caused, directly or indirectly, by a person (i) entrusted at any time with duties to act for the customer with respect to payment orders or the security procedure, or (ii) who obtained access to transmitting facilities of the customer or who obtained, from a source controlled by the customer and without authority of the receiving bank, information facilitating breach of the security procedure, regardless of how the information was obtained or whether the customer was at fault. Information includes any access device, computer software, or the like.
N.J. Stat. Ann. § 12A:4A-203(1) (emphasis added). Further, under Section 204, if the receiving bank accepts a payment order that is neither "authorized" or "effective" (based on verification pursuant to commercially reasonable procedures), "the bank shall refund any payment of the payment order received from the customer to the extent the bank is not entitled to enforce payment and shall pay interest on the refundable amount calculated from the date the bank received payment to the date of refund." N.J. Stat. Ann. § 12A:4A-204(1) (emphasis added).
2. Analysis
In moving to dismiss the Complaint, Cross River argues that it cannot be liable for the disputed wire transfers because said transfers "were ... authorized by Plaintiff's agent." (DE 21 at 13.) The Complaint itself alleges that (1) Harborview's Accounting Manager "completed four wire transfer forms in total and sent them to Cross River Bank"; and (2) "[u]pon receipt of each Wire Transfer form, Cross River contacted Harborview's Accounting Manager to confirm the details of the transaction." (Compl. at ¶¶ 30, 33.) Thus, Cross River argues, Harborview is "bound by its agents, who submitted, confirmed and authorized each and every disputed wire transfer." (DE 21 at 15.)
To begin with, the transfers were not "unauthorized"; they were specifically ordered by Harborview's Account Manager. Article 4A provides that a payment order sent by a sender's representative is authorized and binding "if that person authorized the order or is otherwise bound by it under the laws of agency." N.J. Stat. Ann. § 12A:4A-202(1). While no court in this District has analyzed what constitutes an "authorized order" under Article 4A of the UCC, two out-of-jurisdiction opinions (examining equivalent UCC provisions in other states) are instructive.
The first case, Wellton Int'l Express v. Bank of China (Hong Kong) , involved Wellton International Express ("International") and Wellton Express Inc. ("Express"), two freight forwarders that routinely worked together to ship goods from China to the United States. No. 19-CV-6834 (JPO), ––– F.Supp.3d ––––, ––––, 2020 WL 1659889, at *1 (S.D.N.Y. Apr. 3, 2020). A computer hacker pretending to be from Express emailed International with instructions to wire money to a Wells Fargo bank account for money owed by International to Express. Id. Pursuant to these instructions, International wired money from its Bank of China (Hong Kong) ("BOC") account to the Wells Fargo bank account identified in the hacker's email. Id. Express later apprised International that the wire instructions provided by the hacker were fraudulent. Id. Wells Fargo placed a hold on the transfer until it was verified, and International notified three participants—BOC, JP Morgan (an intermediary bank to the transfer), and Wells Fargo—not to transfer the funds. Nevertheless, the money was transferred to the Wells Fargo bank account and withdrawn by the unknown fraudsters. Id.
In dismissing plaintiffs’ UCC claim, Judge J. Paul Oetken found that JPMorgan and Well Fargo were not liable for the transfer because "the transfer was unequivocally authorized" pursuant to UCC § 4 -A-202(1) (as enacted by New York). Id. at ––––, 2020 WL 1659889 at *3. Because the plaintiffs themselves alleged that "Wellton International sent the wire transfer," Judge Oetken found that they had no cause of action. Id. (citing N.Y. UCC § 4-A-202(1) ; Blum v. Citibank , N.A., 81 N.Y.S.3d 51, 162 A.D.3d 631, 632 (2018) ).
N.Y. UCC § 4-A-202(1) is identical to N.J. Stat. Ann. 12A:4A-202(1).
Similarly, in Berry v. Regions Fin. Corp. , plaintiffs entered into a contract to purchase real property and retained the services of a law firm for purposes of closing the contract. 507 F. Supp. 3d 972, 975 (W.D. Tenn. 2020). The plaintiffs alleged that an attorney from the law firm began receiving fraudulent emails purporting to be sent from plaintiff David Berry, "requesting a copy of the closing statement and wiring instructions." Id. Plaintiffs also alleged that they received fraudulent emails purporting to be from the law firm attorney as well as the plaintiff's realtor. The emails contained wire instructions, instructed plaintiffs to contact the attorney with any questions, and provided a fraudulent email address to which such inquiries should be directed. Id. Plaintiffs went to a Regions Bank and initiated a wire transfer order, which was ultimately processed by Regions Bank and wired to a SunTrust Bank account not belonging to the law firm. Id.
In dismissing plaintiffs’ motion to amend on futility grounds, Judge Jon McCalla found that the funds transfer was authorized by plaintiffs pursuant to Tennessee's version of UCC 202(a), Tenn. Code Ann. § 47-4A-202(a). Id. at 981-982. Judge McCalla noted that plaintiff Melanie Berry's signature was on the wire request; therefore, as the plaintiffs authorized the disputed wire transfer, the plaintiffs had no claim against the bank under the UCC. Id.
Like New York's UCC equivalent, Tenn. Code Ann. § 47-4A-202(a) is identical to N.J. Stat. Ann. 12A:4A-202(1). For clarity, the Court notes that while Berry quotes Tenn. Code Ann. § 47-4A-202(a), it cites 207(a), probably a typographical error.
Applying the principles of these cases, I conclude that the disputed wire transfers were undoubtedly authorized by Harborview. Like the victims in Wellton and Berry , Harborview was tricked into authorizing the transfers, but authorize them they did, as the complaint itself makes clear.
First, the Complaint states that all of Harborview's "actions and statements ... occurred via its authorized agents, employees and representatives." (Compl. at ¶2.) Second, the Complaint alleges that a "hacker used the CEO's email account to direct Harborview's Accounting Manager to wire funds internationally" (Compl. at ¶ 28), and that Harborview's Accounting Manager subsequently "completed four wire transfer forms in total and sent them to Cross River Bank." (Compl. at ¶ 30.) Third, the Complaint alleges that "upon receipt" of the wire transfer forms, "Cross River contacted Harborview's Accounting Manager" to confirm the transaction details." (Compl. at ¶ 34.) Fourth, Marilyn Tirado, who is designated as an authorized signer for account number xxxxxxxxx7 in Harborview's Account Form, signed the Wire Transfer Forms for the disputed transactions. (Compl. at ¶¶ 17-18; see also DE 1-2.)
Here, Harborview plays peekaboo with its own allegations, arguing that the "Complaint does not comment on [the Accounting Manager's] authority, nor ... states what if anything she confirmed." DE 26 at 7. The Complaint repeatedly alleges that Cross River only received one verbal authorization, which improperly did not come from Harborview's President and/or Managing Director. See Compl. at ¶¶ 36 ("Cross River contacted the very person who was unknowingly receiving direction from the hacker to confirm each Wire Transfer."); 58 ("At no point did Cross River obtain direct verbal authority from the President or Managing Director of Harborview to process the Wire Transfers."); 59, 60 ("Cross River should have contacted the President and CEO and/or the Managing Director of Harborview to verbally confirm the authenticity of these Wire Transfers."); 61 ("Cross River exhibited bad faith and lack of knowledge of Harborview in failing to directly contact the President and CEO and/or the Managing Director of Harborview to verbally confirm the authenticity of these Wire Transfers."); 63 ("Cross River should have directly contacted two authorized signatories at Harborview to verbally verify the authenticity of the Wire Transfer requests, or the lack thereof, Instead, Cross River made only one such direct communication.")
The unavoidable implication, confirmed by the Wire Transfer Orders themselves (which Harborview references repeatedly but does not attach to the Complaint), is that the person who sent the Orders was the Account Manager, Ms. Tirado. The Unaltered Wire Forms provided by Cross River merely corroborate the Complaint's allegations, establishing that Ms. Tirado, designated as an authorized signatory by Harborview, signed the forms sent to Cross River. Harborview does not actually dispute that Ms. Tirado signed the Unaltered Wire Forms, but argues that this Court cannot consider the forms because they are "additional ‘facts’ from outside of the Complaint" (a contention this Court has already rejected). See DE 26 at 11.
Harborview's claim might have a chance of succeeding if Cross River was not entitled to rely on the instructions of Harborview's Account Manager. No such contention is made here. Ms. Tirado was indisputably authorized, as Harborview's agent and as authorized signatory on the account, to sign and send the Wire Transfer Forms. Because Harborview's agent, employee, and representative sent, signed, and confirmed the wire transfers—even if she did so because she was misled by a third-party hacker—Article 4 provides no cause of action for Harborview. See Wellton , 2020 WL 1659889, at *3.
Harborview asserts, however, that the UCC requires more where the bank and the customer have agreed to more rigorous verification procedures. Compliance with Section 202(1), it says, does not suffice to bind the customer "if a bank and its customer have agreed that the authenticity of all payment orders will be verified pursuant to a commercially reasonable security procedure and processed in good faith," pursuant to Section 202(2). (DE 26 at 9) (citing Hedged Inv. Partners, L.P. v. Norwest Bank Minn., N.A. , 578 N.W. 2d 765, 773 (Minn. Ct. App. 1998) ; Grabowski v. Bank of Boston , 997 F. Supp. 111, 123 (D. Mass 1997).) In support of this reading of Section 202, Harborview cites the Official Comments to Section 203, which state, in part, that "[i]f [Section 202] subsection[(2)] does not apply, the question of whether the customer is responsible for the order is determined by the law of agency." N.J. Stat. Ann. § 12A:4A-203, cmt. 1. Therefore, Harborview argues, "even if a payment was in fact authorized within the meaning of Section 202(1), a bank needs to comply with the commercially reasonable security procedures and good faith requirements of Section 202(2) if the parties have agreed to a verification procedure." (DE 26 at 10.)
N.J. Stat. Ann § 12A:4A-202(2) provides, in part, that:
If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.
The UCC and interpretive case law cited by Harborview cannot be stretched so far as to cover the situation here: a transfer that was actually authorized by Tirado, the designated signatory to Harborview's account, but only because Harborview had already been the victim of an antecedent fraud. Section 202(1) applies where, as here, the customer actually does authorize a transfer through the authorized signatory on the account—even if it turns out that the customer ordered the transfer only because it had been defrauded by some third party. In that situation, the bank is entitled to rely on the customer's admittedly genuine instructions. Section 202(2) does not nullify 202(1), but rather posits a second scenario under which the bank may safely execute a transfer order, even if it turns out to have not been actually authorized. Under 202(2), even if the transfer was not actually authorized by the customer, the bank may escape liability if it verified the transfer according to commercially reasonable procedures upon which the parties had agreed beforehand.
As the New Jersey Supreme Court has recognized, the UCC provisions invoked by Harborview allocate the risk of payment for a transfer order that was not authorized by the customer; they define "the rights and obligations of banks and their customers in the event that funds are transferred in accordance with a payment order that a customer has not authorized. " ADS , 99 A.3d at 355-356 (emphasis added). In support of this conclusion, the New Jersey Supreme Court cited Section 203, which provides that Section 202(2) places "the risk of loss on the customer if an unauthorized payment order is accepted by the receiving bank after verification by the bank in compliance with a commercially reasonable security procedure." Id. at 355 (emphasis added) (citing N.J. Stat. Ann. § 12A:4A-203 cmt. 5). The court also cited Section 204, detailing the circumstances under which a customer may be refunded for funds "transferred without authorization ," which only applies in situations where:
Providing that "if an accepted payment order is not, under [Section 202(1)] ..., an authorized order of a customer identified as sender, but is effective as an order of the customer pursuant to [Section 202(2)]," the following guidelines apply:
(a) By express written agreement, the receiving bank may limit the extent to which it is entitled to enforce or retain payment of the payment order.
(b) The receiving bank is not entitled to enforce or retain payment of the payment order if the customer proves that the order was not caused, directly or indirectly, by a person (i) entrusted at any time with duties to act for the customer with respect to payment orders or the security procedure, or (ii) who obtained access to transmitting facilities of the customer or who obtained, from a source controlled by the customer and without authority of the receiving bank, information facilitating breach of the security procedure, regardless of how the information was obtained or whether the customer was at fault. Information includes any access device, computer software, or the like.
N.J. Stat. Ann. § 203(1).
(i) no commercially reasonable security procedure is in effect, (ii) the bank did not comply with a commercially reasonable security procedure that was in effect, (iii) the sender can prove, pursuant to [N.J. Stat. Ann.] 4A–203(a)(2), that the culprit did not obtain confidential security information controlled by the customer, or (iv) the bank, pursuant to [N.J. Stat. Ann.] 4A–203(a)(1) agreed to take all or part of the loss resulting from an unauthorized payment order.
Id. (citing N.J. Stat. Ann. § 204, cmt. 1).
A reading of ADS and Article 4A's provisions supports the view that whether a payment order is authorized is a threshold inquiry; if the order was authorized in fact by the person who is the designated signatory for the customer, the outcome does not thereafter depend on whether the bank also verified the payment order pursuant to commercially reasonable procedures. There is no provision under Article 4A providing that a payment order authorized pursuant to Section 202(1) may nevertheless not be effective or enforceable.
Out-of-jurisdiction case law supports this reading as well. As noted above, Wellton , supra , involved a substantively identical scenario, in which a hacker instructed the company to initiate a wire transfer, and the company did so. Judge Oetken determined that New York's UCC Section 4-A-202(2) did not apply because "the transfer was unequivocally authorized—Plaintiffs explicitly allege in the complaint that Wellton International sent the wire transfer. ... And because Plaintiffs authorized the transfer, even erroneously, no cause of action lies." 2020 WL 1659889, at *3. Similarly, the court in Berry held that "[w]hen a payment order is authorized by the person identified by the sender, security procedures for verifying the authenticity of a payment order are irrelevant." Berry , 507 F. Supp. 3d at 981 (citations omitted). The customer who, sadly, has been the victim of a third-party fraud cannot shift the loss to a bank that faithfully executed the customer's instructions to implement a transfer.
Which as established before, is identical to N.J. Stat. Ann. § 12A:4A-202(2).
The Court notes that the case law submitted by Harborview is consistent with the Court's ruling. First, in Hedged Inv. Partners, L.P. v. Norwest Bank Minnesota, N.A. , the Court of Appeals of Minnesota stated that for a financial institution to avoid responsibility under Article 4A of Minnesota's Commercial Code, that institution was required to establish that the transfer was either : (1) "authorized" under Minn. Stat. § 336.4A-202(a) ; or (2) "verified" pursuant to commercially reasonable procedures under Section 336.4A-202(b). 578 N.W.2d 765, 772 (Minn. Ct. App. 1998) (emphasis in original). Elaborating, the court opined that while a reading of section 202 causes "some confusion ... a careful reading of 4A-202(a) and 4a-202(b) shows that these subsections are freestanding alternative methods to ascertaining whether a payment order is authentic." Id. (emphasis added).
Similarly, in Grabowski v. Bank of Bos. , the court established that Article 4A provides "two paths for loss allocation of payment orders: verification by a security procedure and/or authorization by the customer." 997 F. Supp. 111, 123 (D. Mass. 1997). Notably, when discussing verification pursuant to a security procedure, the court established that a bank could "protect itself from liability for unauthorized transfers by agreeing with the customer on the use of a commercially reasonable security procedure and complying with it and any other agreement it has in place with the customer." Id. (emphasis added).
Accordingly, the Court dismisses all of Harborview's UCC Article 4A claims against Cross River.
B. Common-Law Claims
Cross River contends that because Harborview's negligent misrepresentation, breach of contract, and promissory estoppel claims stem from the disputed wire transfers, Article 4A preempts Harborview's common-law claims. (DE 21 at 29-30.) Harborview responds that given "the nature" of their common-law allegations and "the additional facts and conduct lying outside the scope of Article 4A," Harborview's common-law claims are not preempted. (DE 26 at 25.)
The New Jersey Supreme Court in ADS held that "Article 4A comprehensively governs the rights and remedies of parties affected by funds transfers." ADS , 99 A.3d at 359. Specifically, the Official Comments provide that the Article 4A scheme is intended to be all-encompassing in this area:
Funds transfers involve competing interests ... The rules that emerged [from the statutory drafting] represent a careful and delicate balancing of those interests and are intended to be the exclusive means of determining the rights, duties and liabilities of the affected parties in any situation covered by particular provisions of the Article. Consequently, resort to principles of law or equity outside of Article 4A is not appropriate to create rights, duties and liabilities inconsistent with those stated in this Article.
N.J. Stat. Ann. § 12A:4A-102 cmt. 1. ADS thus held that Article 4A preempted any common law negligence claim arising "from a setting directly addressed by Article 4A." ADS , 99 A.3d at 359 ; see also DeFazio v. Wells Fargo Bank Nat'l Ass'n , No. CV 20-375 (SRC), 2020 WL 1888252, at *3 (D.N.J. Apr. 16, 2020). In ADS , the plaintiff asserted a negligence claim with respect to a funds transfer from one account to another account at the same bank. As to such transfers, the court held, Article 4A provided "the exclusive means of determining the rights, duties and liabilities of the affected parties" ADS , 99 A.3d at 359 (citation and quotation marks omitted). The Court warned that allowing such a negligence claim "would contravene the essential objective of Article 4A: to provide definitive principles that allocate the risks and define the duties of banks effecting electronic transfers on behalf of their customers." ADS , 99 A.3d at 359 (citation and quotation marks omitted).
Guided by the New Jersey Supreme Court's holding in ADS , I hold that Harborview's common-law claims for negligent misrepresentation, promissory estoppel, and breach of contract are preempted by Article 4A. The Complaint's common law claims are predicated on (1) Cross River's alleged acceptance of unauthorized payment orders from Harborview; (2) Cross River's alleged failure to adhere to a commercially reasonable security procedure; and (3) Cross River's actions (or lack thereof) with respect to funds transfers involving Harborview. That is the very subject matter covered by Article 4A.
Count Two (Negligent Misrepresentation) alleges that Cross River made false and negligent representations because "Cross River did not read and follow the information provided by Harborview on the Account Opening Data Entry Form, ... Cross River did not code Harborview's account within the wire room to only process domestic wires, [and] Cross River processed foreign wires even though Harborview specifically stated on the Account Opening Data Entry Form that it only conducts business domestically and that any wires would be domestic." (Compl. at ¶ 117.) Count Three (Breach of Contract) alleges that Cross River breached contractual duties proscribed by the account opening documents, by processing "foreign wires from Harborview's account, thereby breaching the terms of its agreement with Harborview." (Compl. at ¶ 123.) And Count Four (Promissory Estoppel) alleges that Harborview reasonably relied on Cross River's representations that it would maintain "first-rate security policies and procedures," which were breached when Cross River
(f)ailed to follow the multiple written instructions issued by Harborview pertaining to domestic wires ONLY, failed to implement and follow first-rate security measure to prevent ... [the] scheme that occurred ..., failed to timely advise as to fraudulent account activity, failed to timely investigate fraudulent activity, failed to timely recover fraudulent transferred wire fund ... [, and] failed to verify the subject wire requests with two distinct and independent contacts with its client, Harborview.
(Compl. at ¶128.)
As the Court's previous analysis of Sections 202, 203, and 204 demonstrates, Article 4A comprehensively sets forth the parties’ rights and duties as to transfers of funds, including the authorization of payment orders and the effectuation of a payment order pursuant to reasonable security procedures. The wire transfers disputed under Article 4A also form the nucleus of Harborview's common-law claims. Consequently, the Court finds that Harborview's common-law claims are preempted by Article 4A.
At any rate, the initial description of the domestic nature of Harborview's business could not override an actual, specific instruction by Harborview to make an international transfer, which Harborview reconfirmed with Tirado. Indeed, it is hard to conclude that the bank should have known that an international transfer request was not genuine if Harborview's own Account Manager did not.
IV. CONCLUSION
For the reasons set forth above, I will GRANT Defendant Cross River's motion (DE 21) to dismiss the action. An appropriate order follows.