On March 26, the US Court of Appeals for the Fourth Circuit issued a decision that has important ramifications for banks and credit unions that process millions of Automated Clearing House (ACH) and Electronic Funds Transfer (EFT) transactions daily, some of which are fraudulent or "phishing scams." In Studco Buildings Systems US, LLC v. 1st Advantage Federal Credit Union, No. 23-1148, 2025 WL 907858 (4th Cir. amended Apr. 2, 2025), the Fourth Circuit held that financial institutions typically have no duty to investigate name and account number mismatches — commonly referred to as "misdescription of beneficiary." Instead, they can rely strictly on the account number identified before disbursing the funds received. The financial institution will only face potential liability for the fraudulent transfer if it has "actual knowledge" that the name and the account number do not match the account into which funds are to be deposited.

A Phishing Scam Results in Misdirected Electronic Transfers

A metal fabricator (Studco) was the victim of a phishing scam in which hackers penetrated its email systems. Once inside, the scammers impersonated Studco's metal supplier (Olympic Steel, Inc.) and sent an email with new ACH/EFT payment instructions purporting to be those of Olympic Steel. The instructions designated Olympic’s "new account" at 1st Advantage Credit Union for all future invoice payments. The new account number, however, had no association with Olympic and was controlled by scammers in Africa.

Studco failed to recognize certain red flags in the payment instructions and sent four payments totaling over $550,000. Studco sued 1st Advantage for reimbursement, alleging the credit union negligently "fail[ed] to discover that the scammers had misdescribed the account into which the ACH funds were to be deposited." Studco claimed that 1st Advantage was liable under Virginia's version of UCC § 4A-207 because it completed the transfer of funds to "an account for which the name did not match the account number." Following a bench trial, the district court entered judgment in Studco's favor for $558,868.71, plus attorneys' fees and costs. It found that 1st Advantage "failed to act 'in a commercially reasonable manner or exercise ordinary care'" in posting the transfers to the account in question.

UCC § 4A-207 and Financial Institution Duties and Liability

1st Advantage appealed, and the Fourth Circuit reversed. The Court began by noting that Studco itself failed to spot warning signs in the imposter’s emails: the domain did not match Olympic's email domain; the new account was at a credit union in Virginia, not Ohio (where Olympic was based); and there were multiple grammatical and "non-sensical" errors contained in the imposter's instructions.

The Court then turned to 1st Advantage and whether it had a duty to act on any mismatch between the name on the payment instructions (Olympic) and the account number (a credit union customer with no obvious association to Olympic). It first noted the absence of actual knowledge by the credit union. 1st Advantage used a system known as DataSafe that monitored ACH transfers. The Court observed that the "DataSafe system generated hundreds to thousands of warnings related to mismatched names on a daily basis, but the system did not notify anyone when a warning was generated, nor did 1st Advantage review the reports as a matter of course." The Court further noted that the DataSafe system generated a "warning of the mismatch: 'Tape name does not contain file last name TAYLOR'" which was the name of the credit union's account holder, not Olympic.

The Court then assessed Virginia’s version of § 4A-207(b)(1), Va. Code Ann. § 8.4A-207(b)(1), which says in relevant part: "'If a payment order received by the beneficiary’s bank identifies the beneficiary both by name and by an identifying or bank account number and the name and number identify different persons' and if 'the beneficiary's bank does not know that the name and number refer to different persons,' the beneficiary’s bank 'may rely on the number as the proper identification of the beneficiary of the order.'" The Court further noted that the provision states that "[t]he beneficiary's bank need not determine whether the name and number refer to the same person." Based upon this, the Court concluded that it "protects the beneficiary's bank from any liability when it deposits funds into the account for which a number was provided in the payment order, even if the name does not match, so long as it 'does not know that the name and number refer to different persons.'" [Emphasis added.] Studco argued that constructive knowledge was sufficient or could be imputed to 1st Advantage. The Court disagreed, concluding that "knowledge means actual knowledge, not imputed knowledge or constructive knowledge" and that a "beneficiary's bank has 'no duty to determine whether there is a conflict' between the account number and the name of the beneficiary, and the bank 'may rely on the number as the proper identification of the beneficiary.'"

In the concurring opinion, however, one judge disagreed that there was no evidence of actual knowledge because 1st Advantage may have received actual knowledge of the misdescription when an investigation of a Federal Office of Foreign Assets Control (OFAC) alert led to a review of the transfers at issue. Because the first two (of four) overseas transfers from the infiltrated 1st Advantage account triggered an OFAC alert, 1st Advantage opened an ongoing investigation into the wires, including a review of the member’s account history. Thus, the concurrence noted that a "factfinder could infer that [the officer's] investigation led to a [credit union] employee obtaining actual knowledge of a misdescription between account name and number prior to Studco’s two November deposits."

Lessons Learned Post-Studco

In the age of ubiquitous cyber and other sophisticated scams running throughout the US financial system, the financial services industry surely welcomes this Fourth Circuit decision. The trial court in Studco ruled that 1st Advantage was liable for scam-related ACH transfers in excess of a half-million dollars because 1st Advantage’s core system had triggered a warning regarding the name and account discrepancy, which 1st Advantage did not review or investigate. The fact that 1st Advantage did not undertake to review warnings from its core system appears to have saved 1st Advantage, as the Court concluded that “actual knowledge” of the discrepancy was a prerequisite to liability. There was no proof of actual knowledge in this case.

On April 9, 2025, Studco petitioned the Fourth Circuit for rehearing, and alternatively, rehearing en banc with the full court. Studco argues that the panel erred in holding that there was no actual knowledge, pointing out that "1st Advantage opened the scammer's account and reviewed the account at least 33 times over an approximate 40-day period – each time related to the scammers conducting a suspicious transaction." Studco argues that a full en banc hearing should be permitted because the application of "UCC Article 4A-207 presents a question of exceptional importance."

In the end, Studco stands as a warning to banks and credit unions alike that the more they know about the name mismatch issue for any particular transaction, the more liability they may take on. Banks and credit unions should consult their bank counsel to discuss their ACH and EFT review processes and ensure that their processes do not tip into "actual knowledge" and potential liability for transfers rooted in fraud.