Financial institutions are vulnerable to financial loss and reputational damage caused by dishonest customers who use deposit accounts as part of a scheme to defraud others. An all too common fact pattern involves the fraudster convincing his or her victim to deposit a check or wire funds into an account controlled by the wrongdoer. The wrongdoer may mask the scheme by using an account titled in such a way as to give an appearance of legitimacy to the transaction. But when the fraud is eventually discovered, the funds turn up missing and the conman skips town, the victim will look to the financial institution that received the funds to shoulder the loss.
Fortunately, courts across the country have regularly rejected attempts to hold financial institutions responsible for losses created by bad customers. Specifically, courts have declined to find a duty of care owed to non-customers because there is no contractual relationship between the bank and the victim vis-à-vis fraudulent accounts opened by the wrongdoer. Moreover, courts have declined to find a duty of care born from the bank’s internal policies and procedures governing the opening of new accounts.
In Software Design & Application, Ltd. v. Hoefer & Arnett, Inc., 49 Cal. App. 4th 472 (1996), a fraudster was hired as a financial consultant to manage the investments of Software Designs & Application, Ltd. (a Hong Kong company). The fraudster opened brokerage accounts and a bank account in the name of “Software Designs & Application, Ltd.” (a non-existent, domestic limited partnership) by presenting falsified corporate records. The investor’s funds were deposited into the phony account and then promptly disappeared. The victim sued the brokerage company and the bank. The trial court dismissed the claims. The Court of Appeal affirmed, explaining that “the banks’ basic duty of care derives from the contract with their customer” and that “absent extraordinary and specific facts, a bank does not owe a duty of care to a noncustomer.” 49 Cal. App. 4th at 479. The court also held that banks do not owe a duty of care to non-customers to “follow internal procedures and industry standards when opening an account.” Id. at 481-82.
The same result was reached in Eisenberg v. Wachovia Bank, N.A., 301 F.3d 220 (4th Cir. 2002). In that case, the wrongdoer convinced the plaintiff to wire $1,000,000 to Wachovia to be deposited to an account bearing the name “Douglas Walter Reid dba Bear Stearns,” “For further Credit to BEAR STEARNS.” Right on cue, the fraudster ran off with the funds. The plaintiff sued Wachovia, alleging that the bank “negligently allowed Reid to establish and operate a fraudulent bank account and negligently failed to train its employees to detect fraud.” 301 F.3d at 222. Wachovia’s motion to dismiss was granted (on preemption grounds). The Fourth Circuit Court of Appeals reviewed de novo and, although it found that the plaintiff’s claims were not preempted, it nevertheless affirmed the dismissal, finding that the bank did not owe the plaintiff a duty of care. Id. at 225. The court went on to articulate the sound reason behind the rule that banks do not owe a duty of care to non-customers: “extend[ing] a duty of care to strangers like [the plaintiff] would be contrary to the normal understanding of the purpose of a bank account and would expose banks to unlimited liability for unforeseeable frauds.” Id. at 226.
In McCallum v. Rizzo, 1995 WL 1146812 (Mass. Super. Ct. Oct. 13, 1995), the plaintiff was solicited to loan $100,000 to the Paul Tsongas presidential campaign for “exploratory” activities. After the campaign’s chief fundraiser withdrew the funds and used them for his own purposes, the plaintiff sued Andover Bank for negligently allowing the defalcating fundraiser to open an account in the name of “The Tsongas Committee.” In granting summary judgment for Andover, the court concluded, “[t]he mere fact that a bank account can be used in the course of perpetrating a fraud does not mean that banks have a duty to persons other than their own customers. To the contrary, the duty is owed exclusively to the customer, not to the persons with whom the customer has dealings.” McCallum, 1995 WL 1146812, at *2. The court based its holding on “an abundance of precedent from other jurisdictions holding that a bank owes no duty of care to third parties who are not bank customers.” Id.
Building on the groundwork established by cases like Software Design, Eisenberg, and McCallum, courts have made it clear that banks do not owe a duty of care to non-customers with respect to opening “dba” accounts for customers.
In Owens v. Comerica Bank, 229 S.W.3d 544 (Tex. Ct. App. 2007), Davis opened accounts at Comerica in the name of “Charles Dwain Davis d/b/a Birchtree Financial Services.” Id. at 546. Davis represented that the accounts were for a sole proprietorship for which he provided an “assumed name certificate.” Id. He then used the accounts to misappropriate funds that the plaintiffs intended to invest with the real Birchtree Financial Services, Inc. When the fraud was discovered, the plaintiffs sued Comerica for negligently opening the accounts. The trial court granted Comerica’s motion for summary judgment. The Court of Appeals affirmed, holding that “[i]t is, of course, possible that any bank account may be used for a wrongful purpose. But we see nothing in the facts of this case that would lead Comerica to anticipate a danger of injury to another when it opened and maintained the two accounts for Davis. Because there was no foreseeable danger, Comerica owed no duty to the Owens family as a matter of law and the trial court correctly granted summary judgment on this ground.” Id. at 547.
Similarly, in VIP Mortg. Corp. v. Bank of Am., N.A., 769 F. Supp. 2d 20 (D. Mass. 2011), an employee of the plaintiff opened a bank account in the name of “Mark Rhodes dba VIP Mortgage.” The bank employee who opened the account did not request a dba certificate per the bank’s policy. Rhodes then deposited 52 checks—payable to his employer—into his dba account. The court granted the bank’s motion for summary judgment on the plaintiff’s negligence claim, holding that “courts have found that a bank owes no duty of care to third-party non-customers where a dba account was fraudulently created in another’s name and then used for fraudulent purposes.” 769 F. Supp. 2d at 27.
Likewise, in Nat’l Union Fire Ins. Co. of Pittsburgh, PA v. Raczkowski, 764 F.3d 800 (8th Cir. 2014), Mark Henry, an employee of Investment Centers of America, Inc. (“ICA”), opened an account titled “Mark L. Henry d/b/a Investment Centers of America.” Henry deposited $292,000-worth of checks payable to ICA into the account that he later withdrew for his own use. The only identification Henry provided to the bank was his driver’s license. ICA’s insurer sued, alleging that the bank was negligent in opening the account and not confirming that Henry had authority from ICA to open the account. The trial court granted the bank’s motion to dismiss based on the lack of any duty. The Eighth Circuit affirmed. The court recognized that requiring banks to verify a customer’s authority to open a dba account would be burdensome and, ultimately, infeasible: “Although National Union suggests Hometown Bank should have verified with ICA Henry’s authority to use the name, it is no simple matter to identify who exactly holds rights in a name, trademark, or trade name. And, National Union proffers no explanation as to where the asserted duty might end.” 764 F.3d at 805. The court rightly recognized that “the scope of [such a] duty could be particularly burdensome in some cases, and imposing the duty may not even generate the result National Union seeks because small differences, such as name or location difficulties, may prevent a bank’s search from even locating the correct d/b/a entity.” Id. at 805-06.
Not only have courts consistently refused to find a duty of care owed to non-customers with respect to opening dba accounts, but they have also rejected attempts to tether any such duty of care to the “Know Your Customer” and “Customer Identification Program” (“KYC/CIP”) obligations under the Bank Secrecy Act (“BSA”).
In Gilbert Tuscany Lender, LLC v. Wells Fargo Bank, 232 Ariz. 598 (Ariz. Ct. App. 2013), Kennedy opened an account at Wells Fargo in the name of “Sun West Builders” by completing a business account application in which he certified that he was the owner of Sun West Builders. Kennedy then deposited $650,000-worth of checks payable to Sun West Builders into his account. When Kennedy’s embezzlement was discovered, the construction lenders sued Wells Fargo for negligently allowing Kennedy to open the corporate account. The trial court granted Wells Fargo’s motion for summary judgment, which was affirmed on appeal. The court rejected the plaintiff’s argument that the BSA’s “customer identification” requirements created a duty of care, holding the BSA “was not intended to create a duty on the part of banks to third parties such as [the plaintiff]. The Bank Secrecy Act imposes on banks an obligation to the government, not to a remote victim.” 232 Ariz. at 601-02. The court also rejected the argument that the “universal standard practice” in the banking industry to require proof of a corporate entity’s existence when opening a new account creates a duty of care. “[N]o duty was created by Wells Fargo’s failure to comply with its policy to ask for corporate documents before opening a corporate account.” Id. at 603.
Although the case law is well-developed and in most cases should shield financial institutions from the risk of liability created by the wrongdoing of customers who use deposit accounts to defraud others, banks must nevertheless be diligent in screening new customers and reviewing new account applications. First, not all courts will be persuaded by the sound reasoning of the legal authorities discussed herein. Second, financial institutions must still comply with their KYC/CIP obligations. Third, it is not good business to do business with fraudsters. At a minimum, dishonest customers present reputational risk. At worst, they expose the bank to real losses.
To minimize the risk created by customers who want to use phony dba accounts to defraud others, financial institutions should give appropriate attention to their policies and procedures, such as:
Requiring certified copies of corporate formation documents (for example, articles of incorporation, articles of organization and certificate of limited partnership) recorded with the appropriate government agency (for example, the secretary of state);
Requiring certified copies (if available) of dba certificates/fictitious name statements;
Requiring certified copies of certificates of good standing for foreign business entities;
Training employees to be familiar with what genuine copies of these documents look like; and
Verifying business addresses and phone numbers through available search engines.
Adopting appropriate policies and procedures will not eliminate the risk presented by would-be-fraudsters to zero, but they will almost certainly reduce the risk by deterring some bad actors. Adequate policies and procedures, combined with the case law from around the country, should provide a robust defense for any financial institution that gets caught up in schemes perpetrated by bad customers.
For more information regarding minimizing the risk of fraud with dba accounts or responding to claims relating to such fraud, please contact Mark I. Wraight at
miw@severson.com.