top of page

Citibank Faces Legal Action Over Alleged Failure to Protect Customers from Wire Transfer Fraud

Citibank faces legal repercussions as New York Attorney General Letitia James files a lawsuit alleging the bank's failure to protect and reimburse customers who fell victim to fraudulent wire transfers. The lawsuit, filed in the U.S. District Court for the Southern District of New York, contends that Citibank lacked "sufficiently robust data security measures to protect consumer financial accounts, respond appropriately to red flags, or limit theft by scam." Two victims allegedly lost thousands of dollars each when hackers managed to access their accounts and sent fraudulent wire transfers. In one case, Citi completed a fraudulent wire transfer without ever having contacted the victim to confirm it.

Citibank Faces Legal Action Over Alleged Failure to Protect Customers from Wire Transfer Fraud

James alleged that Citi violated the Electronic Fund Transfer Act when it failed to reimburse the customers, similar to when banks reimburse victims of electronic credit or debit card fraud.

Citi also may have violated the SHIELD Act, a New York state law that requires businesses that own or license computerized data to take reasonable safeguards to protect the security, confidentiality, and integrity of the private information of their customers. The law requires companies that possess customer private information to employ "reasonable administrative safeguards to both identify reasonably foreseeable internal and external risks and train and manage employees in its security program," as well as "technical safeguards to detect, prevent, and respond to attacks or system failures."

The lawsuit alleged Citi "failed to adopt appropriate layered security, including [multi-factor authentication], algorithmic monitoring of consumer and account behavior, mechanisms to identify high-risk transactions or anomalous behavior that trigger strengthened procedures, or transaction limitations based on frequency, volume, and repeat activity."


In a press release, James said in addition to its poor online protections, the bank misled its customers about their rights after their accounts were hacked and then illegally denied reimbursement to the victims of fraud.

In December, James led a coalition of state attorneys general in writing letters to the Office of the Comptroller of the Currency (OCC) and Consumer Financial Protection Bureau (CFPB) urging both agencies to ensure that national banks cooperate with investigations by state attorneys general into violations of state law.

In an emailed statement, Citi said banks "are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived."

"However, given the industry-wide surge in wire fraud during the last several years, we’ve taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education," the statement continued. "Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats."

This legal development underscores the increasing scrutiny financial institutions face regarding cybersecurity measures, reflecting a broader trend in the industry. As banks navigate the evolving landscape of digital threats, the outcome of this lawsuit may set a precedent for the level of responsibility financial institutions bear in protecting customers from fraudulent activities, especially in the realm of wire transfers and electronic fund transfers.



bottom of page