Opinion
No. 20-55862
12-20-2021
Margaretha Natalia WIDJAJA, Plaintiff-Appellant, v. JPMORGAN CHASE BANK, N.A., a national banking association, Defendant-Appellee
Paro Astourian (argued), Astourian & Associates Inc., Pasadena, California, for Plaintiff-Appellant. Karin L. Bohmholdt (argued) and Blakeley S. Oranburg, Greenburg Traurig LLP, Los Angeles, California, for Defendant-Appellee.
Paro Astourian (argued), Astourian & Associates Inc., Pasadena, California, for Plaintiff-Appellant.
Karin L. Bohmholdt (argued) and Blakeley S. Oranburg, Greenburg Traurig LLP, Los Angeles, California, for Defendant-Appellee.
Before: D. Michael Fisher, Paul J. Watford, and Patrick J. Bumatay, Circuit Judges.
The Honorable D. Michael Fisher, United States Circuit Judge for the U.S. Court of Appeals for the Third Circuit, sitting by designation.
WATFORD, Circuit Judge:
To address concerns raised by the increasing prevalence of electronic banking transactions, Congress enacted the Electronic Fund Transfer Act of 1978 (EFTA), 15 U.S.C. § 1693 et seq. Lawmakers viewed such transactions—processed through computer networks without human interaction—as "much more vulnerable to fraud, embezzlement, and unauthorized use than the traditional payment methods." Bank of America v. City and County of San Francisco , 309 F.3d 551, 564 (9th Cir. 2002) (quoting H.R. Rep. No. 95-1315, at 2 (1978)). Consumer groups urged Congress to provide protection from liability for unauthorized transfers, similar to the protection Congress had already afforded for unauthorized credit card charges. See 15 U.S.C. § 1643(a) (imposing a $50 cap on liability for unauthorized credit card use); Lewis M. Taffer, The Making of the Electronic Fund Transfer Act: A Look at Consumer Liability and Error Resolution , 13 U.S.F. L. Rev. 231, 238 (1979). Congress responded in the EFTA by imposing a similar, but not identical, cap on a consumer's liability for unauthorized electronic fund transfers.
The plaintiff in this case, Margaretha Widjaja, alleges that she was the victim of unauthorized electronic fund transfers from her checking account at JPMorgan Chase Bank (Chase). Identity thieves made a series of unauthorized withdrawals that ultimately totaled more than half a million dollars. Chase reimbursed Widjaja for some of those losses, but it has refused to repay $300,000 of the funds stolen from her account. Widjaja sued Chase for violating the EFTA, alleging that the bank has imposed liability on her in excess of what the EFTA allows. The district court dismissed Widjaja's complaint at the pleading stage on the ground that Widjaja's lengthy delay in reporting the unauthorized withdrawals to Chase barred her claims as a matter of law. We conclude that the district court misinterpreted the relevant provision of the EFTA and reverse the dismissal of Widjaja's EFTA claim.
I
According to the complaint, whose allegations we accept as true at this stage of the litigation, Widjaja is a foreign national who held several accounts at Chase, including the checking account at issue here. Although she maintains a residence in California, Widjaja resides primarily outside the United States and spends a significant portion of the year traveling overseas.
Widjaja alleges that, through unknown means, unidentified individuals gained access to her Chase checking account in October 2017 and began making unauthorized withdrawals without her knowledge. The first withdrawal involved a transfer on October 31 of less than two dollars to Union Bank, followed by a much larger transfer of $29,000 to Union Bank on November 2. This second transfer aroused Union Bank's suspicion, which led it to contact Chase's fraud department. The banks jointly determined that the transaction was fraudulent, as the Union Bank customer who received the $29,000 had no relationship with Widjaja. Union Bank accordingly refunded the money to Widjaja's Chase account.
Although Chase learned through this episode that Widjaja's account had been compromised, it did nothing to protect her account from further unauthorized withdrawals. It did not change Widjaja's account number and password or freeze her account. Nor did it inform her that an unauthorized transfer had taken place. Due to this inaction, Widjaja alleges, the same individuals were able to make more than 100 unauthorized withdrawals from her checking account between November 2017 and March 2019.
Widjaja did not report any of the unauthorized withdrawals to Chase until March 2019. She does not dispute that each of the withdrawals appeared on the monthly bank statements Chase sent her. Widjaja alleges that, between November 2017 and March 2019, she was traveling overseas and had "very limited or no" internet access to check her bank statements. When Widjaja returned to California in March 2019, she reviewed her statements and noticed the unauthorized withdrawals. She reported them to Chase and thereafter the withdrawals stopped.
Chase reimbursed Widjaja for some of the unauthorized withdrawals through its internal dispute resolution process. But it has refused to reimburse her for $300,000 of the losses she suffered, citing her failure to report the initial unauthorized withdrawals within 60 days of their appearance on her bank statements, as the EFTA ordinarily requires. See 15 U.S.C. §§ 1693f(a), 1693g(a) ; 12 C.F.R. § 1005.6(b)(3).
Regulation E, which implements the EFTA, was originally promulgated by the Board of Governors of the Federal Reserve System and published in Part 205 of Title 12 of the Code of Federal Regulations. See 12 C.F.R. § 205.1(a). After the Dodd-Frank Act transferred rulemaking authority to the Consumer Financial Protection Bureau, the Bureau republished Regulation E in Part 1005 of Title 12. See Electronic Fund Transfers (Regulation E), 76 Fed. Reg. 81,020 (Dec. 27, 2011) ; 12 C.F.R. § 1005.1(a). The provisions relevant to this case, now found at 12 C.F.R. § 1005.6, are identical to the provisions in 12 C.F.R. § 205.6.
In June 2019, Widjaja filed this action against Chase. After amending her complaint, she asserted four claims: (1) violation of the EFTA or, alternatively, California's EFTA counterpart, Cal. Comm. Code § 11101 et seq. ; (2) breach of contract; (3) breach of the implied covenant of good faith and fair dealing; and (4) negligence. The district court granted Chase's motion to dismiss under Federal Rule of Civil Procedure 12(b)(6). The court agreed with Chase that the EFTA generally requires consumers to report an unauthorized withdrawal within 60 days after the bank sends a monthly statement reflecting the withdrawal. Because it is undisputed that Widjaja failed to report the withdrawals at issue within that time frame, the court held that the EFTA bars her claim as a matter of law. The court therefore dismissed Widjaja's EFTA claim with prejudice, along with her remaining state law claims.
II
This appeal requires us to interpret the EFTA provision limiting a consumer's liability for unauthorized electronic fund transfers, 15 U.S.C. § 1693g. The provision states that in most instances a consumer's liability for an unauthorized transfer (or a series of related unauthorized transfers, see 12 C.F.R. § 1005.6(b) ) may not exceed $50. That baseline cap on liability is subject to two exceptions, however.
The first exception raises the cap to $500 when the unauthorized transfers occur due to the loss or theft of an access device (such as an ATM card) and the consumer fails to notify her bank within two business days of learning that the device has been lost or stolen. 15 U.S.C. § 1693g(a) ; see 12 C.F.R. § 1005.6(b)(2). The second exception—the one relevant here—provides that the cap on liability will be lifted if: (1) an unauthorized transfer appears on the monthly statement banks must send to consumers under 15 U.S.C. § 1693d(c) ; (2) the consumer fails to report the unauthorized transfer to her bank within 60 days after the statement is sent to her; and (3) the bank can establish that unauthorized transfers made after the 60-day period would not have occurred but for the consumer's failure to provide timely notice of the earlier unauthorized transfer. 15 U.S.C. § 1693g(a). In that scenario, the consumer's liability for unauthorized transfers that occur within the 60-day period cannot exceed $50 or $500 (depending on the circumstances), but the consumer faces unlimited liability for unauthorized transfers occurring outside the 60-day period. See 12 C.F.R. § 1005.6(b)(3) ; 12 C.F.R. pt. 1005, Supp. I, 6(b)(3) ¶ 1.
The statutory language creating this second exception reads as follows:
Notwithstanding the [default liability cap], reimbursement need not be made to the consumer for losses the financial institution establishes would not have occurred but for the failure of the consumer to report within sixty days of transmittal of the statement (or in extenuating circumstances such as extended travel or hospitalization, within a reasonable time under the circumstances) any unauthorized electronic fund transfer or account error which appears on the periodic statement provided to the consumer under section 1693d of this title.
15 U.S.C. § 1693g(a) ; see also 12 C.F.R. § 1005.6(b)(3). A neighboring subsection makes clear that the bank bears the burden of proving that "the conditions of liability set forth in subsection (a) have been met." 15 U.S.C. § 1693g(b).
Widjaja does not dispute that she failed to report any of the unauthorized withdrawals to Chase within the 60-day period set by the EFTA. She contends instead that her compliance with the 60-day reporting requirement was excused for two reasons, both of which, we conclude, the district court properly rejected.
First, Widjaja asserts that, during her time abroad, she had "very limited or no access to her banking records and/or to the internet," and that her extended international travel thus constituted "extenuating circumstances" under § 1693g(a). The district court held that this cursory allegation does not plausibly explain how someone with Widjaja's financial means lacked adequate internet access to view her banking records for more than a year. We agree with the district court that Widjaja has not plausibly alleged "extenuating circumstances" excusing her failure to timely report the unauthorized withdrawals.
Second, Widjaja contends that she did not need to report the unauthorized withdrawals to Chase because it was already aware of the initial $29,000 withdrawal in November 2017 by virtue of its communications with Union Bank. The district court properly rejected this argument as well. Section 1693g(a) plainly states that "the consumer" must report an unauthorized withdrawal to her bank within the prescribed 60-day period to avoid facing potentially unlimited liability for subsequent withdrawals occurring after that period. The statute says nothing about a bank receiving notice from third-party sources unaffiliated with the consumer. It is true that a different portion of § 1693g(a) refers to losses that occur "prior to the time the financial institution is notified of, or otherwise becomes aware of , circumstances which lead to the reasonable belief that an unauthorized electronic fund transfer involving the consumer's account has been or may be effected." § 1693g(a) (emphasis added); see also 12 C.F.R. § 1005.6(b)(5)(iii) (notice is deemed "constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer" has taken place). But that language addresses whether the default cap on liability for unauthorized transfers will be $50 or some lesser amount. When the statute addresses the issue relevant here—the circumstances under which the default cap on liability will be lifted—it unambiguously provides that "the consumer" must report an unauthorized transfer to her bank within the 60-day period.
The official staff interpretations of Regulation E state that notice may also be provided by "a person acting on the consumer's behalf." 12 C.F.R. pt. 1005, Supp. I, 6(b)(5) ¶ 2. Widjaja does not contend that Union Bank was acting on her behalf when it notified Chase of the fraudulent transfer in November 2017.
Despite our agreement with the district court on the two points just discussed, we must nonetheless reverse the dismissal of Widjaja's EFTA claim. While the Act requires a consumer to notify her bank of unauthorized transfers within the prescribed 60-day reporting period, a consumer who fails to do so is not automatically liable for all subsequent losses. A consumer may be held liable for unauthorized transfers occurring after the 60-day period only if the bank establishes that those transfers "would not have occurred but for the failure of the consumer" to timely report the earlier unauthorized transfer reflected on her bank statement. 15 U.S.C. § 1693g(a). The district court's analysis overlooked this requirement, and the error was not harmless.
The EFTA authorizes a private right of action against a bank that "fails to comply" with any provision of the Act, including the provision limiting a consumer's liability for unauthorized transfers. § 1693m(a). When, as here, a bank concludes that the EFTA authorizes liability in excess of the default cap, the consumer must allege facts plausibly suggesting that the bank's conclusion is wrong in order to state a claim that the bank has violated § 1693g. That will often prove difficult when the consumer fails to report an unauthorized transfer within the 60-day period and seeks reimbursement for losses suffered as a result of further unauthorized transfers occurring after that period. When notified by a consumer that an unauthorized transfer has taken place, most banks have procedures in place to prevent subsequent unauthorized transfers, such as freezing the consumer's account or changing the account number and password. A consumer must therefore allege facts plausibly suggesting that even if she had reported an unauthorized transfer within the 60-day period, the subsequent unauthorized transfers for which she seeks reimbursement would still have occurred. See Nayab v. Capital One Bank (USA), N.A. , 942 F.3d 480, 495–97 (9th Cir. 2019) (holding in a similar context that the plaintiff must allege facts giving rise to a reasonable inference that a statutorily available affirmative defense does not apply).
We think Widjaja has met her pleading burden here. She alleges that Chase became aware of a security breach that enabled unknown individuals to make an unauthorized withdrawal of $29,000 from her checking account in November 2017. Yet, according to Widjaja's allegations, Chase took no action to protect her account from further unauthorized withdrawals, despite having a strong financial incentive to do so. If Widjaja had notified Chase of the unauthorized withdrawals within the EFTA's 60-day reporting period, Chase itself would have borne liability for all related unauthorized withdrawals, save for the $50 or $500 loss Widjaja would bear. The only outer limit on Chase's liability in that scenario (assuming the thieves acted quickly enough) was the amount of money in Widjaja's checking account—in this instance, at least half a million dollars. And at the time Chase allegedly failed to act in November 2017, it of course had no way of knowing whether Widjaja would fail to report the unauthorized withdrawals within the 60-day period, or how quickly or slowly the thieves would move to drain her account. The EFTA thus gave Chase a strong financial incentive to take immediate corrective action in November 2017, regardless of the source of its notice that fraud was afoot. In these circumstances, to hold Widjaja liable for subsequent losses, Chase will have to explain why its response to notice from Widjaja herself would have been substantially different from its (non)response to the notice it received from Union Bank. At a later stage in the case, Chase may be able to provide such an explanation. But at the pleading stage, Widjaja's allegations plausibly suggest that some sort of failure in the bank's fraud-prevention procedures occurred with respect to her checking account. Put differently, Widjaja's allegations give rise to a reasonable inference that Chase would not have taken action to prevent subsequent losses even if she had reported the initial unauthorized withdrawals within the 60-day period. Her allegations suffice to survive a motion to dismiss.
We reverse the district court's dismissal of Count One, the count alleging a claim under the EFTA or, in the alternative, California's EFTA counterpart.
III
Widjaja also contests the district court's dismissal of her state law claims for breach of contract and breach of the implied covenant of good faith and fair dealing. (She has not challenged the dismissal of her negligence claim.) The district court held that Widjaja's failure to provide notice to Chase within the EFTA's 60-day reporting period foreclosed these state law claims as well. We affirm the district court's dismissal of Widjaja's state law claims, but for different reasons.
As to her breach of contract claim, Widjaja argues that Chase's failure to safeguard her account and to take action in response to the notice from Union Bank violated the Deposit Account Agreement (DAA) that governs the relationship between Chase and its depositors. Widjaja does not cite any specific provision of the DAA that Chase allegedly violated. She points generally to the Privacy Notice appended to the DAA, which states: "To protect your personal information from unauthorized access and use, we use security measures that comply with federal law." The Privacy Notice does not impose any substantive duties on Chase; it merely explains Chase's policies and a consumer's ability to limit the sharing of personal information. Widjaja's breach of contract claim therefore fails.
Widjaja alleges that Chase breached the implied covenant of good faith and fair dealing by failing to act when it became aware that Widjaja's account had been compromised and by abruptly closing Widjaja's accounts after she filed this lawsuit, allegedly in retaliation for her legal action against the bank. While the DAA gives Chase the discretionary power to decline or prevent transactions, Widjaja does not allege that Chase exercised this discretion in bad faith when it failed to take action to prevent the unauthorized withdrawals. And the DAA expressly permitted Chase to close Widjaja's accounts "at any time for any reason or no reason without prior notice." The implied covenant of good faith cannot "prohibit a party from doing that which is expressly permitted by an agreement." Carma Developers (California), Inc. v. Marathon Development California, Inc. , 2 Cal.4th 342, 6 Cal.Rptr.2d 467, 826 P.2d 710, 728 (1992). Thus, Widjaja's claim for breach of the implied covenant of good faith and fair dealing also fails.
AFFIRMED in part, REVERSED in part, and REMANDED. Widjaja shall recover her costs on appeal.