Fourth Circuit Rejects Rehearing in ACH Fraud Suit Alleging Violations of KYC Rules and NACHA Operating Standards

The dispute stems from a 2018 incident in which the company received a spoof email claiming to be from a supplier and directing the company to reroute payments to a new bank account. Relying on the instructions, the company made four ACH transfers to an account at the credit union, identifying the supplier as the beneficiary. However, the funds were deposited into an account belonging to another individual who had also been unknowingly involved in the fraud.

In its original complaint, the plaintiff alleged that the credit union failed to comply with Know Your Customer (KYC) regulations and anti-money laundering (AML) procedures by not verifying the identity or eligibility of the account holder. The complaint also asserted that the credit union violated the NACHA Operating Rules by accepting commercial ACH transfers—coded for business transactions—into a personal account. These claims were framed as failures to implement basic security protocols and to recognize clear mismatches in the payment data.

The panel held that the credit union lacked actual knowledge that the account was being used for fraudulent purposes and therefore could not be held liable under applicable law. In a concurring opinion, however, one judge noted that the record may contain evidence suggesting the credit union obtained actual knowledge of the misdescription before the final two transfers.

Putting It Into Practice: Even though the credit union ultimately avoided liability, the action is a good example of the lengths plaintiffs’ attorneys are going to hold banks liable for fraud related to spoofing. Unfortunately, Regulation E provides no avenue for relief for consumers where they are tricked into transferring money knowingly to another account. And the CFPB’s lawsuit against major banks related to similar conduct, where claims under the CFPA were alleged, was dropped earlier this year.