Citibank is contending with a lawsuit filed by the city of New York that claims it failed to protect accounts from fraudulent takeovers. Whether or not the suit has merit, the New York-based bank will now have to defend itself against one of the most common risks in banking: account takeover.
New York Attorney General Letitia James filed the suit in the Southern District of New York. “The lawsuit alleges that Citi does not implement strong online protections to stop unauthorized account takeovers, misleads account holders about their rights after their accounts are hacked and funds are stolen, and illegally denies reimbursement to victims of fraud,” James’ office said in a press release. “Defendant Citi has not deployed sufficiently robust data security measures to protect consumer financial accounts, respond appropriately to red flags, or limit theft by scam.”
According to the suit, criminals gained access to victims’ accounts through social engineering and phishing, then made large unauthorized wire transfers. Citi’s back-end fraud detection and customer authentication processes allegedly failed to act on red flags such as logins from unrecognized devices, access from new locations, and changes to account usernames and passwords. The suit also says the bank failed to stop funds being moved from multiple accounts into a single account.
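As an added illustration (not code from the article, the complaint or Citi), the Python below scores the red flags the suit lists over a constructed session and holds a wire until a customer confirmation has actually been completed; the thresholds, account names and device identifiers are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data and thresholds (not from the lawsuit or from Citi),
# modelling the red flags the complaint lists: an unrecognized device, a new
# location, credential changes, and funds from several accounts funnelled into
# one destination shortly before a large wire.

@dataclass
class Session:
    device_id: str
    geo: str
    credential_changed: bool  # username or password changed in this session
    transfers: list           # (source_account, destination_account) pairs

def ato_red_flags(known_devices, known_geos, session):
    """Return the names of the account-takeover red flags this session raises."""
    flags = []
    if session.device_id not in known_devices:
        flags.append("unrecognized_device")
    if session.geo not in known_geos:
        flags.append("new_location")
    if session.credential_changed:
        flags.append("credential_change")
    sources_by_dst = {}
    for src, dst in session.transfers:
        sources_by_dst.setdefault(dst, set()).add(src)
    # Several distinct source accounts feeding one destination in one session
    if any(len(srcs) >= 2 for srcs in sources_by_dst.values()):
        flags.append("multi_account_funnel")
    return flags

def wire_decision(flags, amount, customer_confirmed=False,
                  hold_threshold=2, large_wire=10000):
    """Hold the wire pending out-of-band confirmation when flags accumulate.
    The hold is released only by a completed confirmation, so a retried wire
    is not approved merely because the earlier verification call went unanswered."""
    suspicious = len(flags) >= hold_threshold or (amount >= large_wire and bool(flags))
    if suspicious and not customer_confirmed:
        return "hold_for_verification"
    return "approve"

if __name__ == "__main__":
    s = Session("dev-Z", "FL", credential_changed=True,
                transfers=[(f"savings-{i}", "checking") for i in range(3)])
    flags = ato_red_flags({"dev-A"}, {"NY"}, s)
    print(flags, wire_decision(flags, 35000.0))                     # hold
    print(wire_decision(flags, 35000.0, customer_confirmed=True))   # approve
```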
“If gaps in the transaction verification and user authentication methods are in fact deemed by the court to be insufficient, Citi will definitely be on the hook for the losses,” said Javelin Strategy & Research’s Director of Fraud and Security Tracy Kitten. “Security must be ‘reasonable,’ both in what the financial institution expects the consumer to know and do and in the efficacy of the security measures it has in place to detect a possible account takeover or fraudulent transmission of funds.”
In response to the lawsuit, Citibank provided the following statement to PaymentsJournal: “Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible. Banks are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived. However, given the industry-wide surge in wire fraud during the last several years, we’ve taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education. Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats.”
Lack of Follow-Up to Fraud Claims
Once a breach occurred, the suit says, Citi dragged its feet in halting or even investigating the activity. Consumers who contacted the bank to report fraud experienced lengthy delays on the phone—in some cases long enough to allow the criminals to extract more money. James’ office provided the details from one victim:
“She was reviewing her online account and found a message that her account had been suspended and was instructed to call a phone number. She called the number provided and a scammer told her that he would send her Citi codes to verify recent suspicious activity. The scammer then transferred all of the money in the customer’s three savings accounts into her checking account, changed her online passwords, and attempted a $35,000 wire transfer. Citi attempted to verify the wire transfer by calling the customer, but she was working and did not see the call at the time. Less than an hour later, the scammer attempted another $35,000 wire transfer, which Citi approved without ever having made direct contact with the customer. She lost nearly everything she had saved, and Citi refused to reimburse her.”
“The consumer tried to do her due diligence by contacting the bank, and unfortunately appears to have dealt with contact center staff who were not trained or well-versed in fraud response,” said Kitten. “It’s a challenge for FIs, because they don’t want to upset consumers by declining legitimate transactions. But in this case, more friction would have benefitted Citi and the accountholder.”