Jon Brodkin - Jan 30, 2024 9:12 pm UTC
Citibank has illegally refused to reimburse scam victims who lost money due partly to Citibank's poor online security practices, New York Attorney General Letitia James alleged in a lawsuit filed today in US District Court for the Southern District of New York.
"The lawsuit alleges that Citi does not implement strong online protections to stop unauthorized account takeovers, misleads account holders about their rights after their accounts are hacked and funds are stolen, and illegally denies reimbursement to victims of fraud," James' office said in a press release.
The AG's office alleged that Citi customers "have lost their life savings, their children's college funds, or even money needed to support their day-to-day lives as a result of Citi's illegal and deceptive acts and practices."
"Defendant Citi has not deployed sufficiently robust data security measures to protect consumer financial accounts, respond appropriately to red flags, or limit theft by scam," the lawsuit said. "Instead, Citi has overpromised and underdelivered on security, reacted ineffectively to fraud alerts, misled consumers, and summarily denied their claims. Citi's illegal and deceptive practices have cost New Yorkers millions."
Describing the case of a New York woman who lost $35,000 to a scammer in July 2022, the AG's press release stated:
She was reviewing her online account and found a message that her account had been suspended and was instructed to call a phone number. She called the number provided and a scammer told her that he would send her Citi codes to verify recent suspicious activity. The scammer then transferred all of the money in the customer's three savings accounts into her checking account, changed her online passwords, and attempted a $35,000 wire transfer.
Citi attempted to verify the wire transfer by calling the customer, but she was working and did not see the call at the time. Less than an hour later, the scammer attempted another $35,000 wire transfer, which Citi approved without ever having made direct contact with the customer. She lost nearly everything she had saved, and Citi refused to reimburse her.
In an October 2021 incident, a customer clicked a link in a scammer's message "but did not provide additional information" and then "called her local branch to report the suspicious activity but was told not to worry about it," the AG's office said.
"Three days later, the customer discovered that a scammer changed her banking password, enrolled in online wire transfers, transferred $70,000 from her savings to her checking account, and then electronically executed a $40,000 wire transfer, none of which was consistent with her past account activity," the AG's office said. "For weeks, the customer continued to contact the bank and submit affidavits, but in the end, she was told that her claim for fraud was denied."
Citi defended its security and refund practices in a statement provided to Ars.
"Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible. Banks are not required to make clients whole when those clients follow criminals' instructions and banks can see no indication the clients are being deceived," the company said.
Citi acknowledged that there has been an "industry-wide surge in wire fraud during the last several years," and said it has "taken proactive steps to safeguard our clients' accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education. Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats."
James' lawsuit argues that Citibank must provide reimbursement under the Electronic Fund Transfer Act (EFTA), a US law passed in 1978. "As with credit cards, so long as consumers promptly alert banks to unauthorized activity, the EFTA limits losses and requires reimbursement of stolen funds. These consumer protections cannot be waived or modified by contract. Under the EFTA, Citi's electronic debits of consumers' accounts are unauthorized and Citi must reimburse all debited amounts," the lawsuit said.
The lawsuit seeks a permanent injunction against Citibank, an accounting of customer losses over the last six years, payment of restitution and damages to harmed consumers, and civil penalties.
Jon Brodkin Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.