Illustration showing person on a large coin that is fragmenting; to demonstrate importance of New York's scams lawsuit against Citibank

The United States has lagged behind other countries regarding scam liability requirements. But a recent lawsuit against a major US bank could open the door to reimbursing scam victims for their losses. Here’s why the scams lawsuit is so significant and what US banks can do to improve their scam prevention efforts and avoid their own legal troubles. 

New York’s AG Takes a Stand Against Scams

The Office of the New York Attorney General filed a lawsuit against Citibank in late January. In the filing, NY Attorney General Letitia James claims that Citi failed to put sufficient controls in place to protect its customers from unauthorized account takeovers.

The lawsuit also claims that Citi did not reimburse clients who had been scammed, even though customer service staff told victims they would get reimbursed. Despite these promises, Citi allegedly made no effort to recover lost funds. James wants Citi to reimburse customers under the Electronic Fund Transfer Act (EFTA).

James added that these losses contributed to serious harm to victims. One victim lost $40,000 after clicking on a suspicious link, resulting in a fraudster changing her bank password and executing a series of wire transfers. Another customer received a message to contact her bank because her account had been suspended. After changing the victim’s online passwords, the scammer pretended to be the bank and authorized $35,000 in wire transfers.

Citi issued a statement claiming it had taken steps to strengthen its security operations and reduce wire transfer fraud. The bank insists that it has followed all wire transfer laws and regulations.

Other US banks are facing lawsuits from scam victims over their scam responses. A Wells Fargo customer is suing the bank after allegedly losing over $150,000, despite alerts from the bank’s fraud system. Meanwhile, a pair of JP Morgan customers filed their own lawsuit after losing thousands in wire transfers. While these legal actions are brought by individuals, the lawsuit against Citi is unique because it was filed by a government entity.

Why the New York Scams Lawsuit is Significant

It’s unusual to see a lawsuit of this magnitude filed against a major US bank. However, it’s not surprising considering the growing threat of scams worldwide. Recent data from the Global Anti-Scams Alliance (GASA) found that US consumers lost an estimated $156 billion to scams last year alone. 

It’s also worth noting that this is not the first significant action against US banks over how they handle reimbursing scam victims. In 2022, Massachusetts Senator Elizabeth Warren released a report accusing the bank-owned payment service Zelle of allowing “rampant” unauthorized fraud and not sufficiently refunding customers who were victims of it. Banks are required to reimburse unauthorized transfers under the EFTA.

Zelle began reimbursing victims of imposter scams specifically last year. In these scams, victims are tricked into sending money to criminals pretending to be bank, government, or legal officials. 

Whether it’s a legal action like the New York scams lawsuit or a legislative inquiry like Sen. Warren’s report, the real goal of these measures is to shine a light on the issue of scam reimbursement and banks’ responses to their customers in times of need. Banks should take these developments as an opportunity to assess their own scam prevention capabilities and scam victim responses.

Time for Banks to Shift Away from Big Tech for Authentication?

Significant legal inquiries tend to spur a familiar response: finger-pointing. 

Undoubtedly, that’s what we’ll see in response to the New York scams lawsuit. Expect to hear plenty of arguments over the roles of tech companies in allowing suspicious emails, text messages, phone calls, or social media posts to reach victims. 

But rather than blame Big Tech and telcos, banks should look at the effectiveness of their scam prevention measures. For example, should banks still use authentication tools like one-time passcodes (OTPs) or phone calls if they are easily compromised?

Case in point, I remember a bank implementing an SMS authentication tool to confirm suspicious transactions. Customers were instructed to call the number on the back of their bank card if they received a suspicious communication. 

Unfortunately, criminals learned about the measure and quickly took advantage. These bad actors could spoof the number, contact the bank’s customers, and convince them to share their OTPs and passwords. The criminals could commit account takeovers and steal customers’ money with this information.

This example demonstrates that a flawed implementation of security measures can increase fraud risks. Banks need to think about how to authenticate their customers effectively without creating openings for fraud.

5 Tips for Banks to Strengthen Scam Prevention

Banks should be concerned about whether they could face their own scam lawsuits. To avoid any reputational damage, they should consider implementing the following measures to improve scam prevention efforts and get ahead of any future scam loss liability shifts.

Autonomy in Authentication

US banks should strive to stop relying on big tech and telecom companies for authentication purposes. This means backing away from methods like SMS, authenticator tools like Google, and OTPs. Instead, invest in more effective and seamless authentication tools that combine passcodes, behavioral biometrics, and device intelligence. These tools can improve security without interfering with legitimate customers’ journeys.

Training and Awareness for Consumers

The best way to prevent scams is to help customers to protect themselves. Banks should create robust and comprehensive training programs to teach customers about common scam tactics and how to verify communications with their bank. 

Implement Bank Authentication Measures

Banks should add an extra layer of security by providing a unique verbal password known only by the customer and the bank itself. That way, if customers get a call or email from someone claiming to be their bank, they can request the password for verification. Steps like this add a level of deterrence for criminals, making it less attractive for scammers to target the bank’s customers.

Leveraging Advanced Analytics & Machine Learning

Banks should leverage advanced analytics like AI and machine learning to identify unusual transaction patterns that could be scams. These technologies can quickly review transaction data and use anomaly detection to uncover suspicious activities effectively. 

Industry-wide Collaboration for Improved Security

Unfortunately, scams are significantly underreported. Unlike the United Kingdom, the US does not have a mandated data-sharing consortium. That’s why the financial services industry needs to come together to collaborate on the industry’s challenges. Banks should reach out to other banks to create a data-sharing framework. This would make a united front in the US that would push the entire financial services industry to develop a resilient system to protect customers from emerging fraud and scam threats. 

Taking measures like these could help banks protect their reputations, avoid legal actions, and demonstrate that they take scam prevention seriously. Banks could also offer a strong market differentiator by guaranteeing reimbursement to scam victims. 

Legal action like the New York AG scams lawsuit is a warning to banks. But it’s also a critical opportunity for financial service organizations to stand out and offer their customers comfort as scams take their toll. In other words, forget the finger-pointing! Take this opportunity to distinguish your bank’s brand by demonstrating your commitment to putting customers first.