Opinion
21-cv-5966 (MKV)
2023-09-29
Joseph Andrew Matteo, Barnes; Thornburg LLP, New York, NY, for Plaintiff. Edward J. Heath, Robinson; Cole LLP, Hartford, CT, Ian T. Clarke-Fisher, Robinson; Cole LLP, New York, NY, Sandra Marin Lautier, Robinson; Cole, LLP, Stamford, CT, for Defendant.
Joseph Andrew Matteo, Barnes; Thornburg LLP, New York, NY, for Plaintiff. Edward J. Heath, Robinson; Cole LLP, Hartford, CT, Ian T. Clarke-Fisher, Robinson; Cole LLP, New York, NY, Sandra Marin Lautier, Robinson; Cole, LLP, Stamford, CT, for Defendant. OPINION AND ORDER GRANTING DEFENDANT'S MOTION FOR SUMMARY JUDGMENT AND DENYING PLAINTIFF'S MOTION FOR PARTIAL SUMMARY JUDGMENT MARY KAY VYSKOCIL, United States District Judge:
Plaintiff Niram, Inc. ("Niram") brings this action against Sterling National Bank ("Sterling") seeking to recover over $8.5 million in wire transfers that were sent as the result of an online "spoofing" attack. Niram asserts a claim under Article 4-A of New York's Uniform Commercial Code ("Article 4-A" and the "UCC") and common law claims for gross negligence and breach of contract.
Sterling moves for summary judgment on all claims. Niram cross-moves for partial summary judgment on its Article 4-A claim only. For the following reasons, Sterling's Motion for Summary Judgment is GRANTED and Niram's Motion for Partial Summary Judgment is DENIED.
BACKGROUND
The facts are drawn from the evidence cited in the parties' Local Civil Rule 56.1 statements [ECF Nos. 37 ("Def. 56.1"), 49 ("Pl. Counter"), 41 ("Pl. 56.1"), 47 ("Def. Counter")], the declarations submitted in connection with the parties' motions, and the exhibits attached thereto. Unless otherwise noted, if only one party's 56.1 statement or evidence is cited, the other party does not dispute the fact asserted, has not offered admissible evidence to refute the fact, or merely disagrees with the inferences to be drawn from the fact.
This case involves over $8.5 million in wire transfers that were sent as the result of an online "spoofing" fraud. Niram was the target of the fraud, and the wires in question were sent from Niram's account at Sterling.
Niram's and Sterling's Banking Relationship
Niram is a general contracting business based in New Jersey. Def. 56.1 ¶ 1; Pl. Counter ¶ 1; Pl. 56.1 ¶ 1; Def. Counter ¶ 1. Sterling is a national commercial bank that has provided commercial banking services to Niram since 2015. Def. 56.1 ¶¶ 2-3; Pl. Counter ¶¶ 2-3; Pl. 56.1 ¶ 2; Def. Counter ¶ 2.
In November 2020, Niram transferred its accounts at Sterling to Sterling's Commercial Treasury Management Services program and completed documentation to effectuate that transfer. Def. 56.1 ¶ 4; Pl. Counter ¶ 4; Pl. 56.1 ¶¶ 7, 11; Def. Counter ¶¶ 7, 11. One of the transferred accounts was Niram's account ending in 3098 (the "Account"). Def. 56.1 ¶ 6; Pl. Counter ¶ 6; Pl. 56.1 ¶ 8; Def. Counter ¶ 8. As part of the process to set up its access to Treasury Management Services, Niram completed an Online Banking Master Set-Up Form (the "Set-Up Form") and a Commercial Treasury Management Services Application (the "Application"). Def. 56.1 ¶ 5; Pl. Counter ¶ 5; Pl. 56.1 ¶¶ 9, 11; Def. Counter ¶¶ 9, 11. Under the executed Application, Niram was bound by a Commercial Treasury Management Services Agreement (the "Agreement"). Def. 56.1 ¶ 9; Pl. Counter ¶ 9; Pl. 56.1 ¶ 9; Def. Counter ¶ 9; see Declaration of Ian T. Clarke-Fisher ("Clarke-Fisher MSJ Decl.") Exhibit 3 [ECF No. 35-3 ("Agreement")].
On the Set-Up Form, Niram designated three employees as authorized users for the Account (each, an "Authorized User" and together, "Authorized Users"): Tracy Fedorko, Niram's Controller ("Fedorko"); Ana DeCruz, Niram's Accounts Receivable employee ("DeCruz"); and Roman Graure, Niram's President ("Graure"). Def. 56.1 ¶ 7; Pl. Counter ¶ 7; Pl. 56.1 ¶ 12; Def. Counter ¶ 12; see Clarke-Fisher MSJ Decl. Exhibit 1 [ECF No. 35-1 ("Set-Up Form")]. An Authorized User is defined by the Agreement as "a person authorized to give instructions to [Sterling] with respect to Service Transactions in the name of [Niram], subject to verification by any applicable Security Procedures." Agreement § 2.16. A "Security Procedure" is defined as "the applicable security procedure described in the Service Documentation or used by [Sterling] for verifying the authenticity of Entries, requests, or instructions sent to [Sterling] in the name of [Niram]." Agreement § 2.114. "Service Documentation" is defined as the "Agreement, any Application, User Guides, and any set-up forms, onboarding documentation, authorization forms, or other agreements required for [Sterling] to provide a Service to [Niram]." Agreement § 2.116.
DeCruz was terminated from her employment with Niram on March 5, 2021. Pl. 56.1 ¶ 29; Def. Counter ¶ 29. She was replaced by Lyubov Berezny ("Berezny") in early March of 2021. See Clarke-Fisher MSJ Decl. Exhibit 14 [ECF No. 35-14 ("Fedorko Dep.")] at 40:24-41:3. Berezny was given access to DeCruz's Sterling banking platform. Fedorko Dep. 52:8-54:11.
Pursuant to the Set-Up Form, each originally designated Authorized User is permitted to initiate wire transfers and requires one other Authorized User to approve the wires he or she initiates. Set-Up Form 3 (Graure), 6 (DeCruz), 9 (Fedorko); Pl. Counter ¶ 7; Pl. 56.1 ¶¶ 13-14; Def. Counter ¶¶ 13-14. This procedure is recommended by Sterling on the Set-Up Form and referred to as "Dual Authorization." Set-Up Form 3, 6, 9. No Authorized User may unilaterally initiate and approve his or her own wires. Pl. Counter ¶ 7; Pl. 56.1 ¶ 14; Def. Counter ¶ 14. The Set-Up Form also names Fedorko as the Primary Contact to Sterling and an Administrator of the Account. Set-Up Form 1, 8. As Administrator, Fedorko "may provide System access to additional Authorized Users," and if such additional Authorized Users are granted access, "[Niram] thereby authorize[s] [Sterling] to complete requests and transactions initiated by those Authorized Users." Agreement § 4.12
Under the Agreement, Niram "authorizes [Sterling] to follow any and all instructions entered and Service Transactions initiated using applicable Security Procedures . . . ." Agreement § 3.39. Niram further agrees that "the initiation of a Service Transaction using applicable Security Procedures constitutes sufficient authorization for [Sterling] to execute such Service Transaction and [Niram] agrees and intends that the submission of Service Transactions using the Security Procedures shall be considered the same as [Niram's] written signature in authorizing [Sterling] to execute such Service Transaction." Agreement § 3.39. The Agreement further provides that Niram "shall be bound by any and all Service Transactions initiated through the use of such Security Procedures, whether authorized or unauthorized, and by any and all Service Transactions and activity otherwise initiated by Authorized Users, to the fullest extent allowed by law." Agreement § 3.39. In addition, Sterling "shall be entitled to deem any person having knowledge of any Security Procedure to be an Authorized User." Agreement § 3.39. "The Security Procedures are not designed to detect error in the transmission or content of communications or Service Transactions initiated by [Niram], and [Niram] shall bear the sole responsibility for detecting and preventing such error." Agreement § 3.39; see also Def. 56.1 ¶ 21; Pl. Counter ¶ 21.
The Set-Up Form establishes a per-wire limit of $500,000, and a daily wire limit of $750,000. Set-Up Form 1; Def. 56.1 ¶ 28; Pl. Counter ¶ 28; Def. Counter ¶ 15. However, when entering the information provided on the Set-Up Form for the Account, a Sterling employee entered the per-wire limit as $750,000. Def. 56.1 ¶ 29; Pl. Counter ¶ 29; Pl. 56.1 ¶ 19; Def. Counter ¶ 19. The per-wire limit was corrected at the end of April 2021. Pl. 56.1 ¶ 22; Def. Counter ¶ 22. The Set-Up Form notes that the per-wire limit is "provided by" Sterling and for "internal use only." Set-Up Form 1. The Agreement also addresses "Service Limits." Agreement § 3.33. The Agreement provides that Niram "shall abide by and honor the limits or restrictions [Sterling] establish[es]," and that "[a]ny such limits or restrictions are solely for the protection of [Sterling] and its assets . . . ." Agreement § 3.33. Further, in the Agreement, Niram authorizes Sterling to "honor, execute and accept" "each and every payment order" in Niram's name that is initiated by an Authorized User "without limitation as to amount." Agreement § 7.04.
The Fraudulent Transfers
In early 2021, Niram became the victim of a fraudulent scheme executed by an unknown third party who wrongfully obtained access to Graure's email account. Def. 56.1 ¶ 12; Pl. Counter ¶ 12; Pl. 56.1 ¶ 23; Def. Counter ¶ 23. Between March 25 and April 29, 2021, the fraudulent actor sent emails from Graure's email address to Fedorko, directing her to initiate seventeen wire transfers from the Account to two accounts located in Singapore and Hong Kong. Def. 56.1 ¶ 13; Pl. Counter ¶ 13; Pl. 56.1 ¶ 24; Def. Counter ¶ 24. Fedorko initiated each of the wires using Sterling's online e-Treasury platform. Pl. Counter ¶¶ 16-17; Pl. 56.1 ¶ 25; Def. Counter ¶ 25. A Niram employee, either Fedorko or Berezny, approved each wire using DeCruz's credentials. Def. 56.1 ¶ 18; Pl. Counter ¶ 18; Pl. 56.1 ¶ 35; Def. Counter ¶ 35. The wires were then released from Niram's Account at Sterling. Pl. 56.1 ¶ 36; Def. Counter ¶ 36. Sixteen of the wires were completed (the "Transfers"); one was reversed. Def. 56.1 ¶ 14; Pl. Counter ¶ 14. The Transfers totaled $8,571,390. Def. 56.1 ¶ 15; Pl. Counter ¶ 15; Pl. 56.1 ¶ 24; Def. Counter ¶ 24. Ten of the Transfers, totaling $6,109,970, were in amounts over $500,000. Def. 56.1 ¶ 15; Pl. Counter ¶ 15; Pl. 56.1 ¶¶ 24, 48-49; Def. Counter ¶¶ 24, 48-49.
During the period in which the fraud occurred (which commenced after DeCruz had been terminated), on March 31, 2021, a wire for $19,666.53 was initiated by Fedorko and approved using DeCruz's credentials. Def. 56.1 ¶ 24; Pl. Counter ¶ 24; Clarke-Fisher MSJ Decl. Exhibit 7 [ECF No. 35-7]. Niram does not dispute this wire and does not allege that this wire was unauthorized. Def. 56.1 ¶ 25; Pl. Counter ¶ 25. Also during the period in which the fraud occurred, on April 15, 2021, a wire for $600,000 was sent from the Account to Graure's personal account. Def. 56.1 ¶¶ 33-35; Pl. Counter ¶¶ 33-35; Clarke-Fisher MSJ Decl. Exhibit 12 [ECF No. 35-12]. Niram does not dispute this wire and does not allege that this wire was unauthorized. Def. 56.1 ¶ 36; Pl. Counter ¶ 36.
On April 30, 2021, Graure notified Sterling of the fraud and directed Sterling to stop payment on Niram's accounts. Def. 56.1 ¶ 26; Pl. Counter ¶ 26; Pl. 56.1 ¶ 91; Def. Counter ¶ 91. No fraudulent or disputed wires were sent following Graure's notification to Sterling. Def. 56.1 ¶ 27; Pl. Counter ¶ 27. Also on April 30, Graure sent Sterling a list of the Transfers and requested that Sterling reverse them. Pl. 56.1 ¶ 92; Def. Counter ¶ 92. To date, Niram has not recovered the proceeds of any of the challenged Transfers. Pl. 56.1 ¶ 93; Def. Counter ¶ 93.
PROCEDURAL HISTORY
Niram initiated this action by filing the Complaint, raising four claims. Niram asserts one claim for violation of New York's UCC Article 4-A ("Count One") and three common law claims: gross negligence ("Count Two"); breach of contract for unauthorized transfers ("Count Three"); and breach of contract for failure to engage in loss recovery efforts ("Count Four"). [ECF No. 1 ("Compl.")]. Sterling filed an Answer. [ECF No. 21]. The parties completed fact and expert discovery.
Sterling now moves for summary judgment on all of Niram's claims. [ECF Nos. 34, 35, 36 ("Def. MSJ"), 37, 50, 51 ("Def. Reply")]. Niram opposes [ECF Nos. 46 ("Pl. Opp."), 48, 49], and cross-moves for partial summary judgment on its Article 4-A claim only [ECF Nos. 38, 39, 40 ("Pl. MSJ"), 41, 53, 54 ("Pl. Reply")]. Sterling opposes Niram's cross-motion for summary judgment. [ECF Nos. 44, 45 ("Def. Opp."), 47].
LEGAL STANDARD
Summary judgment should be granted only "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a). A dispute is "genuine" if "the evidence is such that a reasonable jury could return a verdict for the nonmoving party." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505,91 L.Ed.2d 202 (1986). A fact is "material" if it "might affect the outcome of the suit under the governing law." Id. The Court's role on a motion for summary judgment is "not to resolve disputed issues of fact but to assess whether there are any factual issues to be tried." Brod v. Omya, Inc., 653 F.3d 156, 164 (2d Cir. 2011) (internal quotation marks omitted).
The moving party bears the initial burden of demonstrating the absence of a dispute. See Celotex Corp. v. Catrett, 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). The Court "may not make credibility determinations or weigh the evidence." Jaegly v. Couch, 439 F.3d 149, 151 (2d Cir. 2006). In ruling on summary judgment, the Court "must resolve all ambiguities and draw all permissible inferences in favor of the non-moving party." Id. If there is evidence in the record that supports a reasonable inference in favor of the opposing party, summary judgment is improper. See Brooklyn Ctr. For Indep. of the Disabled v. Metro. Transp. Auth., 11 F.4th 55, 64 (2d Cir. 2021).
When confronted with cross-motions for summary judgment, "the [C]ourt must evaluate each party's motion on its own merits, taking care in each instance to draw all reasonable inferences against the party whose motion is under consideration." Dish Network Corp. v. Ace American Ins. Co., 21 F.4th 207, 212 (2d Cir. 2021) (internal quotation marks omitted); see also Crawford v. Franklin Credit Mgmt. Corp., 758 F.3d 473, 486-87 (2d Cir. 2014) ("When both sides have moved for summary judgment, the court must apply the [summary judgment] principles to each motion separately. On each motion it must view the evidence in the light most favorable to the party against whom summary judgment is sought.").
DISCUSSION
I. Violation of Article 4-A
Article 4-A "governs the procedures, rights, and liabilities arising out of commercial electronic funds transfers," including wire transfers. Fischer & Mandell, LLP v. Citibank, N.A., 632 F.3d 793, 797 (2d Cir. 2011) (internal quotation marks omitted) (quoting Grain Traders, Inc. v. Citibank, N.A., 160 F.3d 97, 100 (2d Cir. 1998)); see N.Y. U.C.C. § 4-A-102 & cmt. (Article 4-A applies to "funds transfers," which are "also commonly referred to in the commercial community as a . . . wire transfer"). Article 4-A "creates a scheme to set clear rules as to who bears the loss for unauthorized transactions." 123RF LLC v. HSBC Bank USA, N.A., No. 21 CIV. 8519(NRB), 663 F.Supp.3d 391, 400 (S.D.N.Y. Mar. 23, 2023).
Section 4-A-204 of Article 4-A addresses a bank's obligation to refund a customer for a wire transfer issued in the customer's name that was unauthorized. The provision states:
If a receiving bank accepts a payment order issued in the name of its customer as sender which is . . . not authorized and not effective as the order of the customer under Section 4-A-202, . . . the bank shall refund any payment of the
payment order received from the customer to the extent the bank is not entitled to enforce payment . . . .N.Y. U.C.C. § 4-A-204(1). In short, Section 4-A-204 "establishes that a bank must refund a payment it issued if the payment was 'not authorized and not effective as the order of the customer.' " 123RF, 663 F.Supp.3d at 400 (emphasis added) (quoting N.Y. U.C.C. § 4-A-204(1)); see also Essilor Int'l SAS v. J.P. Morgan Chase Bank, N.A., 650 F.Supp.3d 62, 75 (S.D.N.Y. 2023). Thus, "if [a payment] is authorized or if it is effective, there is no refund obligation." Essilor, 650 F.Supp.3d at 75.
A. Whether the Transfers Were "Authorized"
The sole common issue raised in the parties' cross-motions for summary judgment is whether the Transfers were "authorized" or "not authorized" within the meaning of Sections 4-A-202 and 204. If the Transfers were "authorized," Sterling has no refund obligation to Niram under Article 4-A. See id.
Sterling does not move for summary judgment on the issue of whether the Transfers were "effective," correctly noting that "the effectiveness prong . . . only applies if this Court finds that the orders were not authorized." Def. MSJ 9 n.9; Def. Opp. 5 n.3 ("Sterling's Motion is limited to the 'authorization' argument . . . .").
Under Section 4-A-202, a payment order is the "authorized" order of the sender "if [the sender] authorized the order or is otherwise bound by it under the law of agency." N.Y. U.C.C. § 4-A-202(1) (emphasis added); see Essilor, 650 F.Supp.3d at 75 ("A payment order can be 'authorized' in one of two ways."). Article 4-A does not specifically define "authorized." See Def. MSJ 9 n.10.
Sterling argues that the Transfers were authorized because they were initiated by an Authorized User, Fedorko, and dually authenticated by another Niram employee. Def. MSJ 8-14. Niram argues that the Transfers were not authorized because they were not initiated and approved by two different Authorized Users. Pl. MSJ 14-16. Niram additionally argues that it is not bound by the Transfers under the law of agency, because Fedorko and Berezny did not have actual or apparent authority to approve the Transfers or to send payments in excess of $500,000. Pl. MSJ 16-19. Sterling argues in turn that Niram is bound by the Transfers under both actual and apparent authority. Def. Opp. 6-16.
i. Applicable Case Law
Few courts have had occasion to interpret the meaning of "authorized" within Article 4-A. As noted, the statute's definition of an "authorized" payment order is somewhat circular, providing that a payment order "is the authorized order of the person identified as sender if that person authorized the order or is otherwise bound by it under the law of agency." N.Y. U.C.C. § 4-A-202(1) (emphasis added). The term "authorized" itself is not specifically defined. Most courts that have addressed the question on facts analogous to those before this Court have done so in a different procedural posture: on a motion to dismiss. Nonetheless, the Court looks to those decisions for guidance to the extent they set forth a helpful framework for analyzing the question of authorization on the full record presented here.
In Wellton International Express v. Bank of China (Hong Kong), 612 F. Supp. 3d 358 (S.D.N.Y. 2020), the plaintiff received a fraudulent email from a hacker purporting to be the plaintiff's business partner, requesting money owed for services rendered. The plaintiff wired the money to the fraudulent account, and though it attempted to recall the wire upon a verification call from the bank, the transfer was processed by the bank. Id. at 361-62. In granting the defendant bank's motion to dismiss, the court (Oetken, J.) held that plaintiffs could not sustain an Article 4-A claim because "the transfer was unequivocally authorized" within the meaning of Section 4-A-202, as "[p]laintiffs explicitly allege in the complaint that [they] sent the wire transfer." Id. at 364.
In Harborview Capital Partners, LLC v. Cross River Bank, 600 F. Supp. 3d 485 (D.N.J. 2022), the plaintiff's CEO's email account was hacked by a fraudster, who, similarly to the facts established here, instructed the plaintiff's accounting manager to wire funds to bank accounts in Hong Kong. The accounting manager submitted these wires to the defendant bank, which, after confirmation from the accounting manager, processed the transfers. Id. at 487. The plaintiff brought a claim pursuant to Article 4A of New Jersey's UCC, see id. at 488, which defines an "authorized order" identically to New York's Section 4-A-202. See N.J. Stat. Ann. § 12A:4A-202(1).
The defendant bank in Harborview moved to dismiss the Article 4A claim on the grounds that the wire transfers were "authorized" by the plaintiff's agent, its accounting manager, binding plaintiff. Id. at 491. The court agreed, finding that the plaintiff's accounting manager "was indisputably authorized, as Harborview's agent and as authorized signatory on the account, to sign and send the Wire Transfer Forms . . . . [E]ven if she did so because she was misled by a third-party hacker[,]Article 4 provides no cause of action." Id. at 493.
Sterling argues that, as in Harborview and Wellton, the Transfers here were "authorized" because they were initiated by Fedorko, an Authorized User, and dually authenticated by a Niram employee (using the credentials of another Authorized User). Def. MSJ 11. As with the bank in Harborview, Sterling argues, Fedorko's actions bind Niram, and Sterling was "entitled to rely on [her] instructions" consistent with the Agreement. Harborview, 600 F. Supp. 3d at 493; see Def. MSJ 11-12 (citing Agreement §§ 3.39, 3.42(d), 4.03, 4.12).
Sterling further argues that by permitting Berezny to authorize wires using DeCruz's credentials, Fedorko, as Administrator, made Berezny herself an Authorized User pursuant to the Agreement, which provides that "[i]f the Administrator grants access to additional Authorized Users, [Niram] thereby authorize[s] [Sterling] to complete requests and transactions initiated by those Authorized Users." Agreement § 4.12; Def. MSJ 11; see also Agreement § 3.39 (permitting Sterling "to deem any person having knowledge of any Security Procedure to be an Authorized User").
Niram argues that these decisions are distinguishable because there is no indication that either case involved a dual authentication procedure that was not properly followed. Pl. Opp. 6 & n.2; Pl. Reply 2-3. Further, it argues that another decision of this District forecloses Sterling's argument and mandates summary judgment in Niram's favor on the issue of authorization. Pl. Opp. 5; Pl. MSJ 14-16; Pl. Reply 2-3. Niram cites Essilor International SAS v. J.P. Morgan Chase Bank, in which the court (Liman, J.) denied in part JP Morgan's motion to dismiss an Article 4-A claim on the basis that, as alleged, the disputed wire transfers were "not authorized" by the plaintiff banking client. 650 F.Supp.3d at 77.
In Essilor, the plaintiff's employee internally orchestrated a fraud in which the employee (within his authority as a wire initiator) initiated wires, and then misappropriated another authorized employee's credentials to provide the necessary dual authentication for the fraudulent wires. Thus, although from JP Morgan's perspective these transfers were completed in accordance with the required dual authentication procedure (as two different users' credentials approved the wires), the fraudster-employee unilaterally both initiated and approved the wires in violation of the protocol. See id. at 68-69. In moving to dismiss the plaintiff's Article 4-A claim, JP Morgan argued that the plaintiff itself " 'authorized' the wire transfers," within the meaning of Sections 4-A-202 and 204, "even if [the plaintiff's employee] misappropriated his colleague's credentials, because JP Morgan received two approvals for each wire transfer and, as a result, each wire transfer was made pursuant to the agreed upon security procedure." Id. at 77.
The Essilor court declined to dismiss the Article 4-A claim at the pleadings stage on this argument. The court found that the plaintiff's interpretation of "authorized" would render superfluous the second element of a Section 4-A-204 claim, that the payment also be "not effective." Id. at 79. Under Section 4-A-204, "[i]neffective transfers are those in which the bank has not properly executed security procedures." Regatos v. N. Fork Bank, 5 N.Y.3d 395, 401 n.4, 804 N.Y.S.2d 713, 838 N.E.2d 629 (2005). A security feature is "effective" first, if the security procedure is "commercially reasonable," and second, if the bank acted "in good faith" and "in compliance with the security procedure and any [other] written agreement or instruction." Essilor, 650 F.Supp.3d 78 (internal quotation marks omitted) (quoting N.Y. U.C.C. § 4-A-202(2)(a)-(b)). The Essilor court found that to conclude that a transaction was "authorized" by the sender because it was executed in accordance with the required security procedures would render the "effective" prong meaningless: "Because Section 4-A-204(1)(a) requires that a payment order be both not authorized and not effective for the payment order to be refunded, a bank would only need to demonstrate that a security procedure existed and the payment order was issued pursuant to that procedure; it would never need to meet the stricter requirements." Id. (emphasis added). Further, interpreting "authorized" as coextensive with security procedure compliance would render superfluous Section 4-A-203 (which governs liability when a payment is "not authorized" but is "effective"), too, because "[t]here would be no circumstance where a payment order was both 'effective' and unauthorized." Id. Accordingly, "security procedures are only relevant to determining whether or not a payment order is 'effective,' not whether it is authorized." Id. at 81.
There are important differences between Essilor and this case. First, Essilor was decided on a motion to dismiss—not the fulsome record before the Court on these cross-motions for summary judgment. In addition, the facts alleged in Essilor concerned a fraud from within the plaintiff company, orchestrated by one of the plaintiff's own employees. See Def. Reply 3-4. By contrast, the fraud at issue in this case originated externally, and Niram's employees were unaware they were acting adversely to the company, similarly to the plaintiffs in Wellton and Harborview for whom the fraudulent transfers were found "authorized" under Article 4-A. See Pl. 56.1 ¶ 33 ("In asking Berezny to approve the Transfers, Fedorko believed that she was following Graure's instructions."); Def. Counter ¶ 33.
Moreover, although the facts of Essilor might appear at first blush to favor Niram, Niram plainly misstates Essilor's holding. Niram contends that Essilor "establishes that where, as here, the parties have agreed to a dual-authorization process for approving payment orders, a wire is not authorized under Article 4-A unless two different authorized users using their own respective credentials initiate and approve the wire." Pl. Opp. 5; see Pl. MSJ 14 (arguing that Essilor establishes that a payment is authorized "only if two different authorized users initiate and approve the order as provided" in the company's dual-authorization procedure). Not so. Essilor in fact held that security procedures are wholly irrelevant to whether a plaintiff authorized a payment. 650 F.Supp.3d at 78. Indeed, the Essilor court spoke primarily to what an "authorized" payment is not, and says very little about what an authorized payment is—and certainly nothing about what it exclusively is on the facts of this case, as Niram would have the Court find.
But most critically, even if the Court were to accept Essilor's reasoning and find that it applies to this case, Essilor leaves open to Sterling the argument by which it may—and, the Court finds, does—establish that there is no genuine dispute of material fact that the Transfers were "authorized." The Essilor court noted that the defendant's "contention glosses over another interpretation of" "if that person authorized the order" under Section 4-A-202(1):
It applies to natural persons. The definition of "person" under Article 4-A extends to individuals. The law of agency, however, does not apply to individuals. Thus, the clause "if that person authorized the order" accomplishes what "if that person . . . is otherwise bound by [the order] under the laws of agency" cannot; it expands the concept of "authorized" to include wire transfers issued in the name of individuals.Essilor, 650 F.Supp.3d at 83 (cleaned up). On this reading, Essilor is in fact consistent with Sterling's position, which relies on an agency theory of authorization as found, for example, in Harborview. See 600 F. Supp. 3d at 493 ("Because Harborview's agent, employee, and representative sent, signed, and confirmed the wire transfers—even if she did so because she was misled by a third-party hacker—Article 4 provides no cause of action for Harborview." (emphasis added)); Def. MSJ 10-11; Def. Reply 4.
ii. Agency
The relevant question is thus not whether Niram itself "authorized the [Transfers]," but whether the Transfers were authorized because Niram is "bound by [the Transfers] under the law of agency." N.Y. U.C.C. § 4-A-202(1). Here, Fedorko initiated the Transfers in Niram's name as an Authorized User. Each Transfer was then dually authenticated by a Niram employee, either Fedorko or Berezny, using the credentials of DeCruz, another Authorized User. Def. 56.1 ¶ 16-18; Pl. Counter ¶¶ 16-18; Pl. 56.1 ¶¶ 25, 35; Def. Counter ¶¶ 25, 35. As Article 4-A commentary notes, "[t]he issue is one of actual or apparent authority of the person who caused the order to be issued in the name of the customer . . . . If the customer is bound by the order under any of these agency doctrines, subsection [4-A-202(1)] treats the order as authorized and thus the customer is deemed to be the sender of the order." N.Y. U.C.C. § 4-A-203 cmt. 1; see also Essilor, 650 F.Supp.3d at 81. The issue here then is whether Fedorko and Berezny had actual or apparent authority to bind Niram to the Transfers. If they did, the Transfers were the authorized orders of Niram, the sender.
a. Actual Authority
"Under New York law, an agent has actual authority if the principal has granted the agent the power to enter into contracts on the principal's behalf, subject to whatever limitations the principal places on this power, either explicitly or implicitly." Highland Cap. Mgmt. LP v. Schneider, 607 F.3d 322, 327 (2d Cir. 2010) (citing Ford v. Unity Hosp., 32 N.Y.2d 464, 472, 346 N.Y.S.2d 238, 299 N.E.2d 659 (1973)). "Actual authority is created by direct manifestations from the principal to the agent, and the extent of the agent's actual authority is interpreted in the light of all circumstances attending these manifestations, including the customs of business, the subject matter, any formal agreement between the parties, and the facts of which both parties are aware." Peltz v. SHB Commodities, Inc., 115 F.3d 1082, 1088 (2d Cir. 1997) (internal quotation marks omitted).
Niram makes two arguments to dispute actual authority. First, Niram argues that Fedorko could not approve wires that she initiated, and that Berezny could not approve any wires at all because she was not designated as an Authorized User. Pl. MSJ 17-18. Second, Niram argues that no Authorized User was permitted to send wires over $500,000. Pl. MSJ 18-19.
The undisputed facts support that Fedorko, the Niram employee primarily responsible for execution of the Transfers, had actual authority to bind Niram to the Transfers. Niram designated Fedorko as an Authorized User who could initiate wires from the Account. Set-Up Form 9. Fedorko initiated each of the sixteen Transfers. See Pl. Counter ¶¶ 16-17; Pl. 56.1 ¶ 25; Def. Counter ¶ 25. Under the Agreement between Niram and Sterling, an Authorized User is "authorized to give instructions to [Sterling] with respect to Service Transactions in the name of [Niram], subject to verification by any applicable Security Procedures." Agreement § 2.16.
Niram's attempt to seek cover in the contractual language does not persuade the Court that Fedorko did not possess actual authority to bind Niram. "[A]ctual authority is interpreted in the light of all circumstances attending [the principal's] manifestations." Peltz, 115 F.3d at 1088. As an initial matter, the Agreement itself provides that Niram "shall be bound by any and all Service Transactions initiated through the use of . . . Security Procedures, whether authorized or unauthorized, and by any and all Service Transactions and activity otherwise initiated by Authorized Users, to the fullest extent allowed by law." Agreement § 3.39 (emphasis added). Thus, Fedorko's acts as an Authorized User bind Niram regardless of whether she abided by any Security Procedures.
As to Berezny's authority, Niram designated Fedorko as an Administrator of the Account. Set-Up Form 8. As Administrator pursuant to the Agreement, Fedorko had authority to designate additional Authorized Users. Agreement § 4.12. In addition, Fedorko testified that she and Niram provided access to DeCruz's banking credentials to Berezny. See Fedorko Dep. 45-46, 51-53, 62-63. As Niram acknowledged in the Agreement, Sterling (unilaterally) "shall be entitled to deem any person having knowledge of any Security Procedure to be an Authorized User." Agreement § 3.39. Thus, Niram is bound by Fedorko's acts in providing banking access to Berezny, and in turn by Berezny's acts as an additional Authorized User.
Moreover, it is plain from the record that despite any limitations on Fedorko's authority pursuant to the Agreement or other written documentation pertaining the Account, under Niram's "customs of business," Fedorko possessed broad authority to conduct financial transactions on behalf of Niram. Peltz, 115 F.3d at 1088. Fedorko's practice was to "not question [Graure's] directions" nor any of Graure's financial decisions relating to Niram because "[that] was the relationship." Fedorko Dep. 57:6-11. Further, Graure testified that there were no limitations on Fedorko's rights in dealing with Sterling. Clarke-Fisher MSJ Decl. Exhibit 13 [ECF No. 35-13 ("Graure Dep.")] at 14. That Fedorko's actual authority was not circumscribed by the Agreement and its related documents is reinforced by the fact that Niram sent at least one other wire during the relevant period using the same authentication process that Niram challenges with respect to the Transfers (i.e., dual authorization using DeCruz's credentials after DeCruz had been terminated), but this wire is not disputed as illegitimate by Niram. See Def. 56.1 ¶ 24-25; Pl. Counter ¶ 24-25; Pl. Reply 4.
Finally, that the Set-Up form provided a $500,000 per-wire limit does not alter this conclusion. The per-wire limit, as noted on the Set-Up form, was "provided by" Sterling, not Niram, and was for Sterling's "internal use only." Set-Up Form 1. The Agreement supports this interpretation, stating that Sterling provided any limits and that any limits "are solely for the protection of [Sterling]." Agreement § 3.33. Under the Agreement, Niram unambiguously and unqualifiedly authorized Sterling to execute wires in its name initiated by Authorized Users "without limitation as to amount." Agreement § 7.04 (emphasis added). And even if, as Niram argues, Niram somehow intended for the $500,000 limit to be an internal limitation on its employees' authority (which is not supported by the record), the company's business customs flouted that limitation. For example, Graure sent a wire for $600,000 from the Account to his personal account. Def. 56.1 ¶¶ 33-35; Pl. Counter ¶¶ 33-35. Niram does not dispute this wire and does not contend that this wire was unauthorized. Def. 56.1 ¶ 36; Pl. Counter ¶ 36; Pl. Reply 4. Graure testified that when this wire was executed, any $500,000 per-wire limitation was not considered by Niram: "I just said I needed that money to cover my taxes, I assume, and how it got done, it got done." Graure Dep. 72:13-15. As Niram concedes, the $600,000 wire was a "legitimate transaction." Pl. Reply 4; see also Pl. Opp. 11.
Niram's concession that, during the period of the fraud, it sent two "legitimate" wires that bore the same procedural defects that Niram contends render the Transactions "not authorized" underscores the absurdity of its argument. See United States v. Dauray, 215 F.3d 257, 264 (2d Cir. 2000) ("A statute should be interpreted in a way that avoids absurd results."). Under Niram's argument, nothing would prevent a plaintiff from bringing an Article 4-A claim to recover "legitimate" payments on the basis that they were completed by the plaintiff's employees who, although acting at the behest of the plaintiff, disregarded internal safeguards or limitations to execute the transactions in haste. Because there is no dispute that employees of Niram acted within their actual authority to complete the "legitimate transactions," Pl. Reply 4, Niram's employees, including Fedorko and Berezny, necessarily acted within their actual authority in executing the Transfers in the same manner, notwithstanding that they were misled by an external fraudster.
b. Apparent Authority
"Where an agent lacks actual authority, he may nonetheless bind his principal to a contract if the principal has created the appearance of authority, leading the other contracting party to reasonably believe that actual authority exists." Highland Cap., 607 F.3d at 328. Because the Court finds that Niram is bound by the Transactions under a theory of actual authority, the Court does not reach the issue of apparent authority. See GMAC Mortg. Corp. of Pa. v. Weisman, No. 95 CIV. 9869 (JFK), 1998 WL 132791, at *4 (S.D.N.Y. Mar. 23, 1998) (declining to reach the issue of apparent authority on a motion for summary judgment where no genuine issue of material fact was found as to actual authority).
Accordingly, the Court finds that the Transfers were the "authorized order[s]" of Niram because Niram is bound by the Transfers under the law of agency. N.Y. U.C.C. § 4-A-202(1). Thus, there is no genuine dispute of material fact that the Transfers were "authorized" within the meaning of Sections 4-A-202 and 204. Summary judgment in favor of Sterling on this issue is granted.
B. Whether the Transfers Were "Effective"
Because the Court finds that there is no genuine issue of material fact that the Transfers were authorized, it need not reach Niram's argument that the Transfers were "not effective." Pl. MSJ 19-22. To prevail on its Article 4-A claim, Niram must prove that the transfers were both "not authorized" and "not effective." See Essilor, 650 F.Supp.3d at 75. The Court's grant of summary judgment in favor of Sterling on the question of authorization precludes that possibility. See Mirror Worlds Techs., LLC v. Facebook, Inc., 588 F. Supp. 3d 526, 557 (S.D.N.Y. 2022) (declining to reach plaintiff's motion for partial summary judgment where defendant's motion for summary judgment was granted). Because Niram, through the acts of its agents, "authorized the [T]ransfer[s], even erroneously, no cause of action lies." Wellton, 612 F. Supp. 3d at 364.
Accordingly, the Court grants summary judgment in favor of Sterling on Count One.
II. Common Law Claims
Sterling alone moves for summary judgment on Niram's common law claims for gross negligence and breach of contract, arguing that, as a matter of law, these claims are preempted by Article 4-A. Def. MSJ 14-16.
Article 4-A "preclude[s] common law claims when such claims would impose liability inconsistent with the rights and liabilities expressly created by Article 4-A." Grain Traders, 160 F.3d at 103. However, not all common law claims "are per se inconsistent with this regime." Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 89 (2d Cir. 2010); see also 123RF, 663 F.Supp.3d at 401. "Practically speaking, Article 4A controls how electronic funds transfers are conducted and specifies certain rights and duties related to the execution of such transactions . . . . Claims that, for example, are not about the mechanics of how a funds transfer was conducted may fall outside of this regime." Ma, 597 F.3d at 89. To determine whether a claim is preempted by Article 4-A, "the critical inquiry is whether [the statute's] provisions protect against the type of underlying injury or misconduct alleged in a claim." Id. at 89-90.
A. Gross Negligence
Niram's gross negligence claim (Count Two) alleges that "Sterling failed to exercise reasonable skill and care by consummating each of the Fraudulent Transfers without proper authorization and without following the parties' agreed upon security procedures." Compl. ¶ 47.
This claim is preempted by Article 4-A. At bottom, Niram's gross negligence claim "concern[s] the existence of unauthorized transactions and the way in which they occurred." 123RF, 663 F.Supp.3d at 401; see also Banco del Austro, S.A. v. Wells Fargo Bank, N.A., 215 F. Supp. 3d 302, 307 (S.D.N.Y. 2016); 2006 Frank Calandra, Jr. Irrevocable Tr. v. Signature Bank Corp., 816 F. Supp. 2d 222, 236 (S.D.N.Y. 2011), aff'd, 503 F. App'x 51 (2d Cir. 2012).
Niram argues that its gross negligence claim falls outside the scope of Article 4-A in part because it is premised on Sterling's failure to abide by the $500,000 per-wire limit. Pl. Opp. 17-18. As the Court discusses above, there is no genuine issue of material fact that the per-wire limits were set by Sterling for Sterling's sole benefit. See supra Section I.A.ii.a. Niram is thus correct insofar as it argues (for purposes of resisting preemption) that "per-wire limits are unrelated to whether the Transfers were authorized under Article 4-A." Pl. Opp. 17-18. However, the "underlying injury" of Niram's gross negligence claim is that Niram lost money as the result of the allegedly unauthorized Transfers. Ma, 597 F.3d at 89-90; Compl. ¶ 49. Article 4-A provides the exclusive remedy for such an injury. Niram's attempt to impose "[n]egligence liability above and beyond the commands of Section 4-A-202 would be inconsistent with that section" and is thus preempted. Banco del Austro, 215 F. Supp. 3d at 307 (emphasis added).
The Court finds no genuine issue of material fact that Niram's gross negligence claim is preempted by Article 4-A. The Court therefore grants summary judgment in favor of Sterling on Count Two.
B. Breach of Contract - Unauthorized Transfers
Niram's first breach of contract claim (Count Three) alleges that Sterling breached its obligations under the Agreement, specifically Section 7.04, by honoring, executing, and accepting payment orders that were submitted in excess of Authorized Users' level of authority. Compl. ¶ 53. This claim centers on the allegation that Sterling honored payments in excess of the per-wire limit of $500,000. Compl. ¶¶ 54-55.
This claim is preempted by Article 4-A. As an initial matter, as noted above, the Court determines that there is no genuine issue of material fact that the per-wire limits were set by Sterling for Sterling's sole benefit. See supra Sections I.A.ii.a, II.B. Further, as relevant here, the Court determines that there is no genuine issue of material fact that the relevant provision of the contract expressly establishes that Sterling may honor, execute, and accept "each and every payment order" subject to an Authorized User's level of authority "without limitation as to amount." Agreement § 7.04 (emphasis added). Moreover, because this claim focuses on "the existence of unauthorized wire transfers . . . and the mechanics of how those transactions were conducted, [it] fall[s] within the regime of Article[ ] 4-A" and is thus preempted. Calandra, 816 F. Supp. 2d at 236; accord Banco del Austro, 215 F. Supp. 3d at 306; 123RF, 663 F.Supp.3d at 402.
The Court finds no genuine issue of material fact that Niram's breach of contract claim for unauthorized transfers is preempted by Article 4-A. The Court therefore grants summary judgment in favor of Sterling on Count Three.
C. Breach of Contract - Failure to Engage in Loss Recovery Efforts
Niram's second breach of contract claim alleges that Sterling breached the Agreement by failing to engage in "loss recovery efforts." Compl. ¶ 60 (citing Agreement § 3.27). This claim is premised on the Transfers, which are alleged to be unauthorized. Compl. ¶ 60. However, Section 4-A-204 provides the exclusive means by which a bank has a duty to refund a customer for such an unauthorized payment. See Banco del Austro, 215 F. Supp. 3d at 307; Calandra, 816 F. Supp. 2d at 236. This claim is thus preempted, and the Court grants summary judgment in favor of Sterling on Count Four.
Accordingly, the Court grants summary judgment in favor of Sterling on Counts Two, Three, and Four because they are preempted by Article 4-A. See Ma, 597 F.3d at 90 (Where "claims are, at their core, assertions that [plaintiff] did not order or approve any of the disputed electronic transfers of funds from his accounts, we are bound to recognize the rights and duties New York law provides for precisely these circumstances.").
CONCLUSION
For the foregoing reasons, Sterling's Motion for Summary Judgment is GRANTED and Niram's Motion for Partial Summary Judgment is DENIED. Sterling's letter motion requesting oral argument in connection with the Motions for summary judgment [ECF No. 52] is DENIED as moot. Sterling's letter motion to file under seal certain limited exhibits in connection with Niram's Motion for Partial Summary Judgment [ECF No. 55] is GRANTED.