NEW YORK BY JAMES v. CITIBANK (2025)

OPINION AND ORDER

The State of New York, by Leticia James, New York Attorney General (“NYAG”), brings this action against Citibank, N.A. (“Citibank”) for alleged violations of the Electronic Funds Transfer Act of 1978 (EFTA), 15 U.S.C. §§ 1963 et seq., and New York state law arising from the theft of consumer funds held in Citibank accounts in connection with wire transfers. Before the Court is Citibank's motion to dismiss the complaint in its entirety. For the reasons that follow, Citibank's motion is granted in part and denied in part.

I. Background

A. Factual Background

The following facts, drawn from NYAG's complaint, are assumed true for the purposes of resolving the motion to dismiss. Fink v. Time Warner Cable, 714 F.3d 739, 740-41 (2d Cir. 2013).¹ Citibank is a large financial institution that offers its customers “online and mobile banking” services. (ECF No. 1 (“Compl.”) ¶ 5.) Customers access Citibank's online and mobile banking platforms “using usernames and passwords, codes, or other security protocols,” and use them to “review account information, deposit checks, and make electronic payments.” (Id.) The use of such services at Citibank and other financial institutions is growing; now, as many as “87% of U.S. adults primarily bank online or on mobile devices.” (Id. ¶ 24-25.) As interest in and access to mobile banking increases, financial institutions have begun “to market and provide electronic payment options directly to consumers, including the ability to seamlessly transfer money among bank accounts online or using mobile devices.” (Id. ¶ 26.)

As electronic payment mechanisms have grown more sophisticated and common, unfortunately so too have efforts by scammers to infiltrate consumers’ bank accounts and steal their money. (Id. ¶ 29-33.) “The FTC reported that in 2022 alone, scammers stole hundreds of millions of dollars from consumers using text messages impersonating banks, delivery services, Amazon, and other common service providers.” (Id. ¶ 34.) Those frauds take a variety of forms. In one type, involving impersonation or “phishing,” “scammers call or send emails or text messages to consumers pretending to be banks or other reputable institutions, such as the government or a well-known business,” in order to “trick consumers into providing personal or security information that can be used to fraudulently infiltrate consumer accounts.” (Id. ¶ 30.) Between 2017 and 2021, phishing scams increased nationally by more than 1000%, resulting in “750,000 complaints and losses of more than one billion dollars in 2021 alone.” (Id. ¶ 31.) Other scams, such as “SIM swaps,” involve scammers obtaining enough personal information about consumers to request new subscriber identity modules, or “SIMs,” from the consumers’ phone companies, activating new phones in the consumers’ names, and then using the phones to impersonate and steal from them. (Id. ¶ 32.) As no one disputes, these frauds have affected Citibank customers. And according to NYAG, “the number of complaints related to [Citibank's] handling of claims for fraudulent wire transfers submitted by consumers to the federal Consumer Financial Protection Bureau nearly tripled from 2020 to 2022.” (Id. ¶ 35.)

This case principally concerns frauds perpetrated using a relatively novel form of online banking: “payment systems [that] provide consumers with electronic access to wire transfer services over the internet or on mobile devices.” (Id. ¶ 26.) According to NYAG, what is often referred to colloquially as a “wire transfer” is actually a complex, multi-step transaction that involves multiple electronic transfers of funds among several different entities. “The simplest and most common form of a wire transfer involves four parties: the sender, who wants to send money; the beneficiary, to whom the sender wants to send money; the receiving bank, a bank that receives an instruction to execute a wire transfer (and where the sender often has a bank account); and the beneficiary bank, a bank at which the beneficiary has a bank account.” (Id. ¶ 46.)

In the first step of an ordinary, authorized wire transfer, a consumer sends a “Payment Order” to a bank “instructing it to pay or cause another bank to pay the beneficiary.” (Id. ¶ 47.) Upon accepting the Payment Order, the first bank “sends a new Payment Order, either directly to the beneficiary bank if both banks participate in a common wire network, or through one or more intermediary banks, in which case each bank accepts the prior Payment Order and issues a new Payment Order.” (Id. ¶ 49.) In a wire transfer, by definition at least one Payment Order is transmitted over a “wire network,” which is a system used by large financial institutions to transfer money quickly by keeping a ledger of transfers and periodically settling balances. (Id. ¶¶ 50-51.) One such wire network is Fedwire, accessible by financial institutions that maintain master accounts with the Federal Reserve. (Id. ¶ 51.) When a bank intends to transfer funds on Fedwire after receiving a Payment Order from a consumer requesting that it do so, “a Federal Reserve bank will debit the [first] bank's master account and credit the [second] bank's master account.” (Id.) Another wire network, the Clearing House Interbank Payments System, or “CHIPS,” works similarly, with member financial institutions settling their debits and credits from wiring money at the end of each day. (Id.) Any CHIPS member bank whose debits exceed its credits after one day sends a Fedwire payment to a CHIPS settlement account, which in turn distributes settlement funds to member banks whose credits exceed their debits. (Id.)

As NYAG alleges, when a financial institution sends money to another financial institution on a wire network like Fedwire or CHIPS, “no money moves” between the consumers that requested or stand to benefit from the wire transfer. (Id. ¶ 53.) Instead, other fund transfers occur ancillary to the transfer on the wire network. In one, “the sender is obligated to pay for the initial Payment Order.” (Id. ¶ 54.) “A sender can pay for a Payment Order in many ways,” such as with cash, check, or a verbal authorization to debit their account when in person, or online through electronic “agreements provid[ing] that consumers’ electronic transfer requests ․ also act as electronic authorizations for [their financial institution] to debit consumers’ bank accounts to pay for the transfers.” (Id. ¶ 55-56.) In another, “the beneficiary bank, upon accepting the final Payment Order, is obligated to pay the beneficiary.” (Id. ¶ 54.) Likewise, banks that are the beneficiaries of wire transfers may pay their accountholders through a variety of means. When everything goes according to plan, wire transfers are a fast and efficient option for consumers to send money through their financial institutions to other consumers and businesses. (Id. ¶ 51-52.)

But like other means of electronic banking, wire transfers are not immune to scams and fraud. As NYAG alleges, “[w]hen scammers infiltrate consumers’ online or mobile banking to initiate fraudulent wire transfers ․ two things occur. First, scammers electronically instruct [Citibank] to send tens of thousands of dollars or more by wire to third-party banks where scammers have set up dummy accounts. Second, scammers electronically instruct [Citibank] to reimburse itself by debiting consumers’ bank accounts.” (Id. ¶ 6.) Frequently, in order to steal more from a customer whose funds are spread across multiple accounts, as well as to evade detection, scammers will initiate a series of intrabank transfers to consolidate a consumer's funds before wiring the total to one of their dummy accounts at another bank. (¶ 94.)

Beyond the unauthorized wire transfers themselves, NYAG alleges that Citibank's security measures permit a vast amount of fraud to go undetected and unmitigated. That begins with the initial fraudulent access to a consumer's account or accounts, which NYAG contends is made easier by Citibank's lack of scrutiny of suspicious account activity and relaxed security protocols as authorized by its customer agreements. (See id. ¶¶ 101-13.) Then, in response to reports of an unauthorized transfer, Citibank “lock[s] consumers’ bank accounts and instruct[s] consumers to visit their local branches,” delaying investigations into the transfers by “hours or days, providing time for scammers to escape with stolen funds ․” (Id. ¶ 59.) Once they arrive at a local branch, customers are told that “before [Citibank] will investigate the fraudulent activity or take any other action, consumers must execute and have notarized a form ‘Affidavit of Unauthorized Online Wire Transfer.’ ” (Id. ¶ 60.) Often, when Citibank denies a claim for reimbursement, it does so using “specific details regarding how scammers infiltrated their online or mobile banking” that Citibank encourages its customers to include in the affidavits. (Id. ¶ 61.) And when Citibank does conduct investigations, they are allegedly “ineffective, pro forma, and not reasonably tailored to mitigate the security failure that led to the unauthorized [electronic fund transfers] and consumer losses.” (Id. ¶ 63.) Sometimes, Citibank investigators do not “even speak directly to complaining consumers” before, after “30 to 60 days,” sending “form letters [that] do not describe the scope of the investigation, what actions [Citibank] took, or what evidence [Citibank] relied upon.” (Id. ¶ 64-65.) Instead, those “form letters merely assert, in one or two sentences, one of a few predetermined grounds for denying claims.” (Id. ¶ 65.)

NYAG also asserts claims arising from Citibank's allegedly misleading statements regarding its security protocols and the contracts it executes with customers to govern the provision of online and mobile banking services. For example, NYAG alleges that Citibank's advertisements make “promises of safe and secure electronic banking experiences,” averring that “security ‘is a priority for Citi with 24/7 fraud detection services and security features to keep your account information protected.’ ” (Id. ¶¶ 82-83.) But when customers sign the online agreement governing the terms of their use of online and mobile banking services, they purportedly agree to specific security protocols that NYAG concludes—in a manner not to be presumed true—are legally insufficient and violative of customers’ statutory rights. (Id. ¶ 84-89.) And to illustrate all of the foregoing allegations, NYAG's complaint details ten Citibank customers who lost money from purportedly unauthorized wire transfers under a variety of circumstances. (See id. ¶¶ 123-262.)

B. Procedural Background

NYAG sued Citibank on January 30, 2024, asserting eight causes of action under federal and state law. (See Compl.) Citibank moved to dismiss the complaint in its entirety on April 2, 2024 (ECF No. 11), and filed an accompanying memorandum (ECF No. 12 (“Mem.”), as well as supporting declarations (ECF No. 13). NYAG opposed the motion on May 17, 2024 (ECF No. 25 (“Opp.”)), and filed accompanying declarations (ECF No. 26). Citibank replied in further support on June 25, 2024 (ECF No. 33 (“Reply”)), along with further declarations (ECF No. 34). Following the conclusion of briefing but before argument, Citibank submitted a letter containing additional authority concerning the first cause of action. (ECF No. 39 (“Supp. Letter”).) Citibank submitted another such letter after argument (ECF No. 47), to which NYAG responded (ECF No. 48). The Court's review of the motion to dismiss and accompanying briefing was aided by amicus submissions from the American Bankers Association, New York Bankers Association, the Bank Policy Institute, and the Clearing House Association, L.L.C (ECF No. 20 (“ABA Amicus”)), as well as by the Consumer Financial Protection Bureau (ECF No. 28 (“CFPB Amicus”)). The Court heard oral argument on the motion on October 8, 2024. (See ECF No. 43 (“Hrg. Tr.”).)

II. Legal Standard

Complaints in federal court must “contain a ‘short and plain statement of the claim showing that the pleader is entitled to relief.’ ” Ashcroft v. Iqbal, 556 U.S. 662, 677-68, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Fed. R. Civ. P. 8(a)(2)). Surviving a motion to dismiss, brought under Federal Rule of Civil Procedure 12(b)(6), for failure to state a claim “does not require ‘detailed factual allegations,’ but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.’ ” Id. at 678, 129 S.Ct. 1937 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. In considering such a motion, the court must “accept all ‘well-pleaded factual allegations’ in the complaint as true,” Lynch v. City of New York, 952 F.3d 67, 74-75 (2d Cir. 2020) (quoting Iqbal, 556 U.S. at 679, 129 S.Ct. 1937), as well as “construe all reasonable inferences that can be drawn from the complaint in the light most favorable to the plaintiff,” id. at 75 (quoting Arar v. Ashcroft, 585 F.3d 559, 567 (2d Cir. 2009) (en banc)). A plaintiff's “[l]egal conclusions,” on the other hand, do not benefit from “the tenet that a court must accept as true all of the allegations contained in a complaint.” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.

III. Discussion

NYAG brings this action pursuant to New York Executive Law Section 63(12), which permits the Attorney General to sue a person or entity “engage[d] in repeated fraudulent or illegal acts” or who “demonstrate[s] persistent fraud or illegality in the carrying on, conducting or transaction of business.” N.Y. Exec. L. § 63(12). Under that provision, “any conduct which violates state or federal law is actionable,” and it “applies to all business activity accompanied by repeated acts of illegality.” Nat'l Coal. on Black Civic Participation v. Wohl, 661 F. Supp. 3d 78, 132 (S.D.N.Y. 2023) (cleaned up). NYAG asserts that Citibank's repeated violations of several substantive federal and state laws give rise to liability under Section 63(12). The Court takes each cause of action in turn.

A. Unauthorized Wire Transfers (Claim I)

NYAG's first cause of action is for violation of the Electronic Funds Transfer Act of 1978 (“EFTA”), 15 U.S.C. §§ 1963 et seq. The EFTA includes the following definition:

[T]he term “electronic fund transfer” means any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. Such term includes, but is not limited to, point-of-sale transfers, automated teller machine transactions, direct deposits or withdrawals of funds, and transfers initiated by telephone.

15 U.S.C. § 1693a(7). The EFTA allocates loss from unauthorized electronic fund transfers (“EFTs”) from consumer accounts, generally capping a consumer's losses so long as the consumer reports an unauthorized transfer within certain statutory time periods. See 15 U.S.C. § 1693g. NYAG alleges that Citibank failed to properly investigate unauthorized EFTs that were made ancillary to transfers on the wire networks, as well as to provisionally credit and ultimately reimburse consumers who were the victims of those EFTs. (Compl. ¶ 271.) Citibank argues that the EFTA does not apply to transfers from a consumer's account made to pay for a wire transfer. (See Mem. at 24-34.)

In significant part, Citibank's argument turns on the meaning of the following, which it calls an “exemption” to the statutory definition of an EFT:

The term ‘electronic fund transfer’ ․ does not include ․ any transfer of funds, other than those processed by automated clearinghouse, made by a financial institution on behalf of a consumer by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer.

15 U.S.C. § 1693a(7)(B).² Because the losses in this case arose from unauthorized Payment Orders requesting wire transfers, Citibank argues that subsection (7)(B) renders the EFTA inapplicable. (Mem. at 25-26.) As demonstrated in the following chart included in the complaint, NYAG acknowledges that the losses in this case arose from unauthorized Payment Orders requesting wire transfers, but argues nevertheless that subsection (7)(B) excludes from the EFTA's coverage only the “transfer” of funds from one financial institution to another along a wire network. (Opp. at 34-38.)

(Compl. ¶ 58.) According to NYAG's interpretation, an initially fraudulent Payment Order causing a debit from a consumer's account may be subject to the EFTA notwithstanding subsection (7)(B). (Id.) That disagreement requires the Court to decide what parts of an electronic payment, initiated by a consumer and facilitated in part by an interbank wire, are regulated by the EFTA. As far as the Court is aware, this is a question of first impression.

1. Statutory Text

“Every exercise in statutory construction must begin with the words of the text.” N.Y. Legal Assistance Grp. v. Bd. of Immigr. Appeals, 987 F.3d 207, 216 (2d Cir. 2021) (quoting Saks v. Franklin Covey Co., 316 F.3d 337, 345 (2d Cir. 2003)). “When resolving a dispute over a statute's meaning, [the court's] principal task is ‘to afford the law's terms their ordinary meaning at the time Congress adopted them.’ ” United States v. Bedi, 15 F.4th 222, 226 (2d Cir. 2021) (quoting Niz-Chavez v. Garland, 593 U.S. 155, 160, 141 S.Ct. 1474, 209 L.Ed.2d 433 (2021)). Where the statute's terms are clear, the court's job is at its end. United States ex rel. Weiner v. Siemens AG, 87 F.4th 157, 161 (2d Cir. 2023). And even where a statute is ambiguous enough to permit the consideration of extraneous evidence, such “materials have a role in statutory interpretation only to the extent they shed a reliable light on the enacting Legislature's understanding of otherwise ambiguous terms.” Exxon Mobil Corp. v. Allapattah Servs., Inc., 545 U.S. 546, 568, 125 S.Ct. 2611, 162 L.Ed.2d 502 (2005). Legislative history, though sometimes informative, can be murky, vulnerable to cherry picking, and unrepresentative of the entire Congress that enacted the statute at issue. Id. at 568-69, 125 S.Ct. 2611. That is why, in all cases, “the authoritative statement is the statutory text, not the legislative history or any other extrinsic material.” Id. at 568, 125 S.Ct. 2611. That is true even in the face of contrary interpretations proffered by regulatory agencies responsible for implementing statutes, for though “[s]uch interpretations ‘constitute a body of experience and informed judgment to which courts ․ may properly resort for guidance,’ ” the court must still “resolve [any statutory ambiguities] by exercising independent legal judgment.” Loper Bright Enters. v. Raimondo, 603 U.S. 369, 144 S. Ct. 2244, 2262, 2266, 219 L.Ed.2d 832 (2024).³

Turning to the statutory text, subsection (7)(B) plainly confines its scope to a “transfer,” a word that is not defined anywhere in the EFTA. The provision then imposes three requirements on such a “transfer”: It must be (1) “made by a financial institution,” (2) “on behalf of a consumer,” (3) “by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer.” (See Hrg. Tr. at 7:7-7:16.)

Begin with the initial scope of subsection (7)(B): a “transfer.” “When a term goes undefined in a statute, [the court is to] give the term its ordinary meaning.” Taniguchi v. Kan Pac. Saipan, Ltd., 566 U.S. 560, 566, 132 S.Ct. 1997, 182 L.Ed.2d 903 (2012). Citibank insists that the ordinary meaning of “transfer” in subsection (7)(B) is the entire end-to-end “wire transfer” referenced in much of its extrinsic evidence. (See, e.g., Hrg. Tr. at 11:5-11:16.) But, of course, subsection (7)(B) does not use the phrase “wire transfer”; it says “transfer.”⁴ Even accepting that a “wire transfer” means one integrated, end-to-end transmission of funds, that does not imply that any other use of the word “transfer” carries the same meaning. To the contrary, if Congress knew that a “wire transfer” was one integrated transaction, the fact that it chose not to use that term in lieu of “transfer” cuts against Citibank's view. Courts are to give meaning to the words Congress used, not those it knew of but forewent. See United States v. Tribunella, 749 F.2d 104, 108-09 (2d Cir. 1984).

Regardless, there is yet better evidence of the term's meaning in subsection (7)(B) itself, particularly the subsection's subsequent use of an almost identical term: “by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions.”⁵ As used in that phrase, “transfers” refers only to the movement of funds within a wire network. Citibank agrees that the clause's use of “a service” refers to the wire networks. (Mem. at 17 (“Although the services are not identified by name, Congress was referring to wire services like Fedwire (operated by the Federal Reserve) and CHIPS (operated by private banks).” (cleaned up).) But as NYAG alleges, the movement of funds within a wire network does not involve consumer funds or a consumer's account, since only banks—using their institutional accounts—have access to those networks. (Opp. at 30.) So subsection (7)(B)’s use of the term “transfers” in that context necessarily suggests a narrower meaning than the one Citibank offers, because a wire “service” does not “transfer” funds from an initial customer to an ultimate payee, but only between banks. “[T]here is a presumption that a given term is used to mean the same thing throughout a statute,” and that presumption is “at its most vigorous when a term is repeated within a given sentence.” Brown v. Gardner, 513 U.S. 115, 118, 115 S.Ct. 552, 130 L.Ed.2d 462 (1994);⁶ see also Cochise Consultancy, Inc. v. United States ex rel. Hunt, 587 U.S. 262, 268, 139 S.Ct. 1507, 203 L.Ed.2d 791 (2019) (“We ․ avoid interpretations that would ‘attribute different meanings to the same phrase.’ ” (quoting Reno v. Bossier Parish Sch. Bd., 528 U.S. 320, 329, 120 S.Ct. 866, 145 L.Ed.2d 845 (2000)); L.S. v. Webloyalty.com, Inc., 954 F.3d 110, 115 (2d Cir. 2020) (invoking this principle of statutory interpretation to define the term “authorization” as used in the EFTA). Applying that strong principle of statutory interpretation here, the Court is inclined to afford the first instance of “transfer” in subsection (7)(B) the definition that is required by the next instance of the term, in the absence of compelling evidence to the contrary.

Moreover, rather than solving any ambiguity in subsection (7)(B)’s use of the term “transfer,” Citibank's proposed interpretation creates its own: If “a wire transfer goes from beginning to end” (Hrg. Tr. at 11:8-11:9), what is the “beginning” and what is the “end”? Here, Citibank would have the Court rely exclusively on extrinsic evidence about the common usage of “wire transfer,” but that does not supply an interpretation that is workable in other contexts, and it would require a court considering whether to apply subsection (7)(B) to invoke decades of industrial practice and academic commentary in order to define a crucial term. If one roommate gives cash to a second roommate to “wire” her rent to their landlord, was the cash payment part of a “wire transfer”? Intuition says “no,” but Citibank's approach cannot explain why. Such unbounded and indeterminate definitions that rely exclusively on extrinsic evidence no more serve the goals of interpreting statutory text than would abandoning the text entirely. Or as the Supreme Court explained in another context, “[i]t strains credulity that Congress would have abandoned [a] predictable, workable framework for the uncertain and complex ․ requirements that a [different] rule would inflict on litigants, their attorneys, administrative agencies, and the courts.” Richlin Sec. Serv. Co. v. Chertoff, 553 U.S. 571, 589, 128 S.Ct. 2007, 170 L.Ed.2d 960 (2008). That principle is especially forceful where, as here, Congress set out a detailed, three-part test for coverage under subsection (7)(B) rather than relying on the broad, extrinsic-evidence-dependent “wire transfer” approach that Citibank offers.

Citibank's other argument against “subdivid[ing]” the term “transfer” is that such an approach renders useless the EFTA's periodic reporting requirements included in 15 U.S.C. § 1693d. (See Mem. at 29-30.) Specifically, Citibank contends that if “transfers” occur any time the legal ownership of money changes, then “transfers”—like those initiated with debit cards at retail stores—would be between the consumer and their financial institution, rather than the “ultimate recipient,” and that reporting them back to consumers would be unhelpful for purposes of identifying fraudulent charges. (Id. at 30.) On this point, NYAG and the CFPB diverge on the proper interpretation of 15 U.S.C. § 1693d. NYAG argues that identifying the financial institution as the ultimate recipient is sufficient to alert consumers of fraud, as is the case when fraud occurs at an ATM (see Opp. at 31-32), though the CFPB argues that financial institutions are nevertheless required to disclose the “ultimate recipient” (see CFPB Amicus at 20). The CFPB's view appears based on its understanding that “under EFTA and Regulation E, an electronic fund transfer generally encompasses the entire movement of funds from a sender to its ultimate recipient,” and that that notwithstanding, “[w]here that movement of funds includes a transfer via a wire service, that bank-to-bank transfer is excluded, but the remainder of the transaction is covered by EFTA and Regulation E.” (Id.)

As a starting matter, recall that the word “transfer” is not defined in the EFTA, and though the Court is inclined to provide that term with a consistent meaning throughout the statute, that principle is less strong where the term is used across not only different sentences, but entirely different statutory sections, such as between 15 U.S.C. §§ 1693a and 1693d. It is not implausible that “transfer” as used in subsection (7)(B) refers to a narrower component of an EFT than does the provision of Section 1693d requiring periodic reporting of recipients to consumers, as the latter provision includes statutory context that may compel a broader interpretation.⁷ Moreover, Section 1693d requires disclosure of “any third party to whom ․ funds are transferred,” 15 U.S.C. § 1693d(a) (emphasis added), suggesting that some transfers may not have third-party recipients at all (such as ATM transactions), or that sometimes there may be multiple recipients who must all be included as part of the EFTA's reporting requirements. And even if Citibank is correct, it cannot escape the fundamental ambiguity raised by its interpretation: Defining the “beginning” and “end” of an overall transfer raises line-drawing problems that the text of the EFTA cannot resolve. At bottom, Citibank's arguments about the periodic reporting requirements—drawn from a different statutory section—do not suggest that subsection (7)(B) must be read to eliminate any component of an overall “wire transfer” from the EFTA's coverage.

Subsection (7)(B)’s three additional requirements constitute more evidence of the meaning of the term “transfer” as used in that provision. Recall that for a “transfer” to fall within subsection (7)(B), it must be (1) “made by a financial institution,” (2) “on behalf of a consumer,” (3) “by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer.” See 15 U.S.C. § 1693(a)(7)(B). Each is instructive.

First, “made by a financial institution.” On its own, “made by” does not carry much meaning, since “made by” could require that the financial institution have initiated the transfer, completed it, or merely participated in it in some way. If it stood on its own, all that phrase would do is exclude from the EFTA's coverage a transfer in which the consumer is not involved at any point. That much is uncontroversial. However, it is noteworthy that Congress chose to write “by a financial institution” rather than “by a consumer,” because if Citibank is correct that Congress was legislating with “consumer wires” in mind, it conspicuously omitted any reference to them. That Congress chose instead to refer to transfers “made by financial institutions,” though on its own not the strongest evidence of the statutory meaning, undercuts much of Citibank's contextual evidence about what Congress thought it was regulating in 1978.

Second, “on behalf of a consumer.” Like “transfer,” that phrase goes undefined in the EFTA, and so the Court's charge is ascertaining its ordinary meaning. Cf. Taniguchi, 566 U.S. at 566, 132 S.Ct. 1997. The ordinary meaning of “on behalf of a consumer,” much like subsection (7)(B)’s first requirement, is that the financial institution must make the transfer for a consumer. NYAG takes the “on behalf of” language to exclude from the EFTA at most only the portion of a wire transfer completed by a bank, rather than that initiated by a consumer. (See Opp. at 30.) Citibank, again relying largely on extrinsic evidence, contends that the entire “consumer wire” contemplated by the statutory language includes the initiation of a Payment Order by a consumer and the corresponding account debit. (See Mem. at 25.) But in reading the provision to simply refer to “consumer wires,” Citibank fails to give meaning to the specific words—“on behalf of”—that Congress chose to employ. See United States v. Balde, 943 F.3d 73, 82 (2d Cir. 2019) (holding that Courts must give meaning to “the language that Congress chose,” rather than similar words with potentially different meanings).

A “survey of the relevant dictionaries” suggests the same result. Taniguchi, 566 U.S. at 566-69, 132 S.Ct. 1997. The Fourth Edition of Black's Law Dictionary, published in 1968 and operative at the time the EFTA was drafted and adopted, defined “behalf” as “[b]enefit, support, deference, or advantage.” Behalf, Black's Law Dictionary (4th ed. 1968). That edition also included an analogous example: “A witness testifies on ‘behalf’ of the party who calls him, notwithstanding his evidence proves to be adverse to that party's case,” id., suggesting, again, that one entity (the witness) performs an action (testifying) for another entity (the party). The 1961 edition of Webster's Third New International Dictionary, Unabridged, also operative at the time of the drafting and enactment of the EFTA, provided slightly more color, defining the prepositional phrases “in behalf of” and “on behalf of” as “in the interest of,” “as the representative of,” or “for the benefit of.” Behalf, Webster's Third New International Dictionary, Unabridged (1961). Like Black's Law, Webster's provided a familiar example: “this letter is written in behalf of my client.” Id. Together, the contemporaneous dictionary evidence suggests that “on behalf of” meant that, for a transfer to be covered by subsection (7)(B), it would have to be conducted by a financial institution for the benefit or in the interests of a consumer. Thus, when a consumer initially requests a wire transfer—or when a third party fraudulently requests such a transfer—that does not fall within subsection (7)(B), since it is an action performed by the consumer, or an unauthorized third party, themselves.

The structure of subsection (7)(B)’s first two requirements further underscores this result. Though, as already discussed, “made by a financial institution” does not suggest all that much on its own, that it is immediately followed by “on behalf of a consumer” implies a critical difference in meaning: The first entity (the financial institution) will execute the transfer, and the second entity (the consumer) will receive the benefit from it. When “interpreting statutes,” courts are to “presume differences in language like this convey differences in meaning.” Henson v. Santander Consumer USA Inc., 582 U.S. 79, 86, 137 S.Ct. 1718, 198 L.Ed.2d 177 (2017).

Third, “by means of a service that transfers funds held at either Federal Reserve banks or other depository institutions and which is not designed primarily to transfer funds on behalf of a consumer.” As already explained, this requirement's use of the word “transfers” in a context that can refer only to a bank-to-bank wire is strong evidence that supports NYAG's interpretation, see supra. But it also works independently to remove from the EFTA's coverage the payment from a consumer to her bank, ancillary to an interbank wire, that NYAG alleges is the source of EFTA liability in this case. That is because NYAG alleges that consumers requesting wire transfers must pay their banks for those transfers, and that they can do that through electronic requests that fall within the EFTA. (See Compl. ¶¶ 54-56.) Importantly, NYAG makes the factual allegation that a transfer of funds occurs between a consumer and her financial institution that is separate from that which occurs “by means of a [wire] service.” (Opp. at 30.) Thus, applying the literal language of subsection (7)(B) to the factual allegations that the Court is required to take as true as this stage, the first “component” of the wire transfer does not satisfy the subsection's third requirement and as a result is not immunized from EFTA liability.

Despite the strong evidence from the text of subsection (7)(B), Citibank argues that the provision would be meaningless if it applied only to an interbank wire, since those wire networks are not accessible by consumers and thus will always fall outside the EFTA. (Mem. at 25-26.) Counsel for Citibank emphasized this at oral argument, contending that “to read [subsection (7)(B)] the way that the [NYAG] would like it to read, it literally makes meaningless this entire exemption.” (Hrg. Tr. at 9:8-9:10.) At the outset, like Citibank's primary argument regarding the text of Section 1693a, this is a weak one, since all it suggests about subsection (7)(B) is that it should apply to something. Citibank musters no arguments from the text about what the subsection should include, relying only on extrinsic evidence that, for reasons discussed later, does not conclusively support Citibank's position.

And notably, Citibank does not argue—nor could it—that subsection (7)(B) is literally superfluous (as if, for example, it contained redundant words or phrases), since, as already discussed, the sentence has meaning that is found nowhere else in the statute. Moreover, the EFTA does not call subsection (7)(B) an “exemption,” which would otherwise imply that it removes from the EFTA's coverage something that was already there. Instead, subsection (7)(B) is preceded by what NYAG calls a “clarification” (Hrg. Tr. at 32:21.)—the phrase “[s]uch term” (referring to “electronic fund transfer”) “does not include ․” Thus, though it may have been substantively unnecessary for Congress to explain what the definition of EFT did and did not include through additional paragraphs, it would not be superfluous to phrase the provision as Congress chose, using clarifying language to ensure that purely interbank wires were beyond the reach of the EFTA. Instead, Citibank is arguing that subsection (7)(B) is functionally unnecessary in light of existing payment mechanisms, in that it removes from the EFTA one method of transferring funds that does not currently exist. That does not aid the Court in ascertaining the meaning of the subsection's text; at best, it provides some evidence of Congress's purpose.

But even taking the surplusage argument on its terms, it is not clear that interpreting subsection (7)(B) to apply to only the interbank portion of a “wire transfer” renders it meaningless. Consider the type of “consumer wire” that Congress would have known about in 1978: a consumer walking into a bank office and requesting that bank to wire money on their behalf. Of course, that oral conversation would not constitute an “electronic fund transfer,” and so, unlike the Payment Orders here, simply falls outside of the EFTA at its threshold. However, Congress may have been concerned that the actual bank-to-bank wire that would follow the in-person conversation would be subject to EFTA liability. After all, the bank-to-bank wire is a “transfer of funds,” “initiated through an electronic terminal,” that “order[s], instruct[s], or authorize[s] a financial institution to ․ debit or credit an account.” 15 U.S.C. § 1693a(7). If Congress wrote subsection (7)(B) to exclude a bank-to-bank wire originally requested in person by a consumer, it would have been acting according to the motives that both parties agree led to subsection (7)(B) in the first place: keeping EFTA liability out of the wire network. (See Mem. at 19; Opp. at 19-20.) Not only would that explain the purpose behind the subsection; it would render it non-superfluous, as well. But even if that is incorrect, and the technical definition of an EFT did not include the bank-to-bank wire resulting in a consumer credit, it would not have been unreasonable for Congress to cover its bases with a potentially unnecessary exemption, as it was legislating amid significant legal and technological uncertainty. See infra § III.A.2.

That is because “sometimes drafters do repeat themselves and do include words that add nothing of substance, either out of a flawed sense of style or to engage in the ill-conceived but lamentably common belt-and-suspenders approach.” United States v. Bronstein, 849 F.3d 1101, 1110 (D.C. Cir. 2017) (brackets omitted) (citing Antonin Scalia & Bryan A. Garner, Reading Law: The Interpretation of Legal Texts 176-77 (2012)). “This is why the surplusage canon of statutory interpretation must be applied with the statutory context in mind.” Id. Here, the statutory context contradicts the inference Citibank seeks to draw from subsection (7)(B)’s potential superfluity. Later in Section 1693a, the same provision of the EFTA that contains the definition of an EFT and subsection (7)(B), the statute defines an “unauthorized electronic fund transfer.” That term includes, in relevant part, “an electronic fund transfer from a consumer's account initiated by a person other than the consumer.” 15 U.S.C. § 1693a(12). And just like in the definition of EFT and subsection (7)(B), the definition of “unauthorized electronic fund transfer” is followed by “the term does not include” and then a string of carve-outs, one of which is “any electronic fund transfer ․ initiated with fraudulent intent by the consumer or any person acting in concert with the consumer.” 15 U.S.C. § 1693a(12)(B). In plain terms, the definition of “unauthorized electronic fund transfer” requires that the transfer be “initiated by a person other than the consumer,” but then excludes transfers “initiated ․ by the consumer.” Evidently, Congress drafted the same section of the EFTA with at least one other instance of the same form of supposed surplusage, suggesting the Court need not select less textually plausible interpretations just to avoid surplusage.

In sum, the plain meaning of subsection (7)(B) does not apply to electronic transfers of funds between consumers and their financial institutions, even when made ancillary to an interbank wire. Even if the Court were faced with strong countervailing extrinsic evidence (which it concludes it is not), that subsection (7)(B)’s text is unambiguous would end the inquiry here.

2. Extrinsic Evidence

Although subsection (7)(B)’s text is straightforward, there are additional lessons to be learned from the history surrounding its enactment, which played out amid a wave of technological advancements in the ways consumers make and receive payments. In 1974, Congress established the National Commission on Electronic Fund Transfers, or “NCEFT.” The NCEFT was tasked with studying EFTs to help Congress “obtain a variety of views on the appropriate public policy toward EFT.” National Commission on Electronic Fund Transfers, EFT and the Public Interest xi (1977) (hereinafter, “NCEFT Report”). The NCEFT “was directed by [ ] Congress to ‘conduct a thorough study and investigation and recommend appropriate administrative action and legislation necessary in connection with the possible development of public or private electronic fund transfer systems.” Id. The NCEFT's final report arrived in October 1977. 1 Donald I. Baker, et al., The Law of Electronic Fund Transfer Systems § 12.03 (2024). “Central to all of the Commission's inquiries [was] a recognition that the consumer's interests are primary in all regulatory, legislative, and policy decisions affecting EFT, and the consumer's interests must be reflected in such decisions.” NCEFT Report at xii. Indeed, the NCEFT considered consumer protection “to be the most critical factor in all its recommendations.” Id. And in creating its recommendations, the NCEFT considered scenarios that underscored its focus on consumer EFTs: a shopper paying for retail goods using a debit card, a bank customer using an ATM to deposit or withdraw cash, an employee who receives their paycheck through direct deposit, and families that pay bills through preauthorized or telephone-initiated debits from their bank accounts. See id. at 1-2.

But as focused as it was on the types of electronic funds transfers that prevailed in the late 1970s, the NCEFT also recognized that in an era of rapid technological change, “[d]epository institutions are likely to continue to implement EFT facilities offering enhanced and broadened services.” Id. at 2. It predicted, correctly, that “[t]he role of computers in money and banking will become increasingly apparent to consumers,” demanding “a coherent policy toward EFT services and systems.” Id. And all of that innovation was occurring against the backdrop of what one State bank supervisor quoted in the NCEFT Report described as “pervasive economic illiteracy,” wherein “consumers [did] not understand the nature of everyday financial transactions as well as their rights and responsibilities in dealings with financial institutions.” Id. at 8 (quoting Richard J. Francis, then-Commissioner of Michigan Financial Institutions).

Following the release of the NCEFT Report, Congress enacted the EFTA. See Baker, supra, at § 12.03. One of the Act's chief objectives was protecting consumers from unauthorized fund transfers on platforms that utilized emerging technologies. See Yuille v. Uphold HQ Inc., 686 F. Supp. 3d 323, 337-38 (S.D.N.Y. 2023). Generally, an EFT is unauthorized when it is “initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit.” 15 U.S.C. § 1693a(12). Under the EFTA, who bears the ultimate loss from an unauthorized EFT—the consumer or the financial institution where the consumer holds an account—depends on when the consumer discovers and notifies the financial institution of the loss. When a consumer notifies a financial institution of an unauthorized EFT within two business days of discovering it, the consumer's loss is capped at $50. 15 U.S.C. § 1693g(a). That loss is capped at $500 when the consumer notifies the financial institution within sixty days, but the cap increases only if the loss “would not have occurred but for the failure of the consumer to report [it] ․ within two business days after the consumer learns of the loss or theft.” Id. And, finally, the consumer's loss is not capped by the EFTA where the consumer fails to notify the financial institution within sixty days of discovery, if the failure to report was the but-for cause of the loss. Id. In each case, the financial institution bears the burden of proof. Id. § 1693g(b). In establishing “three tiers of potential consumer liability for unauthorized transfers” dependent on only the consumer's reporting time, the EFTA “rejected the Commission's recommendation for a rule keyed to specified types of [consumer] negligence.” Baker, supra at § 14.02.

The EFTA was and remains implemented by Regulation E, oversight and rulemaking authority over which was transferred to the newly established Consumer Financial Protection Board, or CFPB, in 2011. Baker, supra, at § 12.04. Now, the CFPB also periodically publishes updated “Official Staff Commentary to Regulation E,” which “provides guidance on specific technical points and examples of the application of what can be complex legal requirements.” Id. The Federal Reserve Board promulgated the first final version of Regulation E in 1979. See 44 Fed. Reg. 18468 (Mar. 28, 1979). In issuing the regulation, the Board explicitly forwent including “a descriptive statement of the scope of electronic fund transfers,” so as to avoid “limit[ing] the development of new EFT services.” Id. at 18469. Indeed, the Board recognized that, “[b]ecause EFT systems are still rapidly evolving, ․ few data are available on existing EFT systems, and ․ the long-run effects of this Act and regulation will have to be measured historically ․” Id. at 18478.

Unlike the EFTA itself, Regulation E placed its provision parallel to subsection (7)(B) under the “exemption” for “Wire transfers,” specifying that Regulation E “does not apply to ․ [a]ny wire transfer of funds for a consumer through the Federal Reserve Communications System or other similar network that is used primarily for transfers between financial institutions or between businesses.” Id. at 18481. But importantly, Regulation E's version of subsection (7)(B)’s specification of a transfer “for a consumer” largely tracked the EFTA's “on behalf of a consumer” language. And the Board's official commentary did the same when explaining the change in language from the interim Regulation E to the final version: “[T]ransfers for consumers by any network similar to Fedwire (that is used primarily for financial institution or business transfers) are exempt.” Id. at 18471 (emphasis added). Regulation E thus preserved the subsection's instruction that, to be immune from EFTA liability, wire transfers needed to be “for” (or “on behalf of”) consumers. It merely simplified the EFTA's technical definition of the wire networks and added the recognizable header “Wire transfers.”⁸

Citibank points to a slew of regulatory guidance promulgated in the years following the EFTA's passage, but none of that guidance demonstrates a contemporaneous understanding of subsection (7)(B) as precluding EFTA coverage for electronic Payment Orders. For example, Citibank cites official guidance from the Federal Reserve in 1981 that clarified that “transfers ‘sent by Fedwire or a similar network’ with electronic ‘instructions for crediting individual consumers’ accounts’ are subject to the wire transfer exception.” (Mem. at 26 (citing Electronic Fund Transfers, 46 Fed. Reg. 46,876, at 46,879 (Sept. 23, 1981)) (emphasis omitted)). Citibank contends that the reference to “instructions for crediting individual consumers’ accounts” would have been relevant only if the transfer was to be conceptualized as between the consumer requesting a Payment Order and the ultimate beneficiary of the payment following the wire transfer and subsequent fulfillment of the payment obligation. (Id.) But that is a strained interpretation of the guidance. As an initial matter, though the Court is to try to give effect to every word in a statute, that principle is not as forceful as applied to regulatory guidance serving as extrinsic evidence of legislative intent, which is far attenuated from the original statutory language. Moreover, it is just as likely, if not more so, that the Federal Reserve included that language to differentiate consumer from non-consumer wire transfers. And finally, that the guidance refers to transfers not initiated by a consumer but “sent by Fedwire or a similar network” suggests a difference from transfers sent by consumers.

Citibank points next to another section of the same guidance that “provides an example of when a series of payments would be considered as separate for EFTA purposes: a ‘company sends funds by Fedwire or a similar network from one financial institution to another, and transfers via ACH are then made from the second institution to the accounts of company employees at still other institutions.’ ” (Id. (citing Electronic Fund Transfers, supra, at 46,879) (emphasis omitted)). Citibank explains that this means “when there is a sequence of payments where one leg of the payment is via one mechanism (e.g., wire) and the next via another (e.g., ACH), the different mechanisms can be regulated differently.” (Id. at 26-27.) But Citibank does not define “mechanism,” and that the Federal Reserve contemplated that the EFTA might apply to individual “legs” of transactions and not others is evidence that may support NYAG's interpretation, rather than Citibank's.

Finally, Citibank points to another Federal Reserve regulation—Regulation J—which was promulgated in 1980 to regulate check payments and interbank wires. In particular, Citibank points to commentary to Subpart B of Regulation J, promulgated in 1990 to incorporate the newly drafted UCC Article 4A,⁹ that explained, “Fedwire funds transfers to or from consumer accounts are exempt from the Electronic Fund Transfer Act and Regulation E.” 55 Fed. Reg. 40,791, 40,804 (Oct. 5, 1990). But as explained, that commentary was not promulgated until 1990, twelve years after the EFTA's enactment. And, importantly, it continued: “A funds transfer from a consumer originator or a funds transfer to a consumer beneficiary could be carried out in part through Fedwire and in part through an automated clearing house or other means that is subject to the Electronic Fund Transfer Act or Regulation E. In these cases, subpart B [of Regulation J] would not govern the portion of the funds transfer that is governed by the [EFTA] or Regulation E.” Id. Far from precluding the EFTA from applying to particular parts of an overall wire transfer, the commentary contemplated that very result.

And though the 1990 version of Regulation J's official commentary contained that evidence, the original version of Regulation J also contained definitions of terms that would suggest a narrower scope of subsection (7)(B) more in line with NYAG's interpretation. For example, though the EFTA did not define “transfer,” the original version of Regulation J came much closer. It defined “Transferee” as “a member bank, a Reserve Bank, or other institution that (1) maintains or, if authorized by the Reserve Bank, uses an account at a Reserve Bank and (2) is designated in a transfer item or request to receive the amount of the item or request.” 45 Fed. Reg. 68,633, 68,638 (Oct. 16, 1980). And it defined “Transferor” as “a member bank, a Reserve Bank, or other institution that maintains or uses an account at a Reserve Bank and that is authorized by that Reserve Bank to send a transfer item or request to it.” (Id.) In other words, it contemplated a “transfer” that occurred solely on the wire network, rather than from ultimate sender to ultimate recipient.

Beyond UCC Article 4A and Regulation J, Citibank cites a variety of guidance and other documents from the mid-1990s to the present that it contends implicitly assumed that electronic Payment Orders requesting wire transfers were exempt from the EFTA by virtue of subsection (7)(B). (See Mem. at 27-29.) Those documents, in addition to exhibiting much of the same imprecision already described in the contemporaneous regulatory history, are simply too attenuated from the passage of the EFTA to be probative of the enacting Congress's intent. The same goes for Citibank's citations to congressional activity revising a portion of the EFTA in 2010, as well as unsuccessful efforts to remove subsection (7)(B) altogether in recent years. (Id. at 28, 31-32.) Those changes, or failures to change, the EFTA occurred over thirty years after its passage, and though they may be modest evidence of the current Congress's interpretation of subsection (7)(B), they are weak indicia of the plain meaning of the text. “Failed legislative proposals are a particularly dangerous ground on which to rest an interpretation of a prior statute,” and more generally, “subsequent history is less illuminating than ․ contemporaneous evidence.” Rapanos v. United States, 547 U.S. 715, 749-50, 126 S.Ct. 2208, 165 L.Ed.2d 159 (2006) (quoting Solid Waste Agency of N. Cook Cnty. v. U.S. Army Corps. of Eng'rs, 531 U.S. 159, 169-70, 121 S.Ct. 675, 148 L.Ed.2d 576 (2001)).

From all this extrinsic evidence, and examining the more recent history with a cautious eye, two principles emerge most clearly. First, the 1978 Congress that enacted the EFTA was almost singularly concerned with consumer protection in the face of rapid technological change in electronic payment mechanisms. See Webloyalty.com, 954 F.3d at 116 (“When Congress enacted EFTA in 1978, it announced ․ that its primary purpose was to protect consumers in the then-novel context of electronic payment systems ․”). Congress was concerned that consumers would not understand the technologies they were using and would be susceptible to sophisticated frauds as a result, and it determined that financial institutions were better positioned to shoulder the risk of those frauds. This comports with a view of the EFTA that covered consumer portions of transactions while forgoing regulation of purely interbank transfers. Legislators in the 1970s would have had no way of anticipating the modern scope of electronic wire transfer requests, but they did know that existing transfers along the wire networks did not directly touch consumer accounts and thus fell outside of their explicit statutory purpose. Modern wire transfers, NYAG alleges, are different. Second, in the decades that followed, the relative infrequency of wire transfers completed on behalf of consumers, and especially those that made use of electronic Payment Orders, may have led some regulators and commentators to assume that all “wire transfers” were exempted from the EFTA by virtue of subsection (7)(B). But none of the extrinsic evidence offered by Citibank manifests reliable evidence of the meaning of subsection (7)(B)’s text, and some of it (like the definitions and commentary in Regulation J) explicitly contemplated transfers that would be regulated only in part by the EFTA. In other words, though the extrinsic evidence is murky at best, it is clear that the statutory purpose of the EFTA was to protect consumers from sophisticated, technological frauds. “Thus, in addition to being at odds with the statutory language, [Citibank's] reading would operate in derogation of the statutory purpose.” Weiner, 87 F.4th at 162.

3. Persuasive Authority

As a final pillar supporting its interpretation of subsection (7)(B), Citibank points to a string of cases from across the country purporting to interpret the provision to exclude transfers like those alleged here. But none considered the precise statutory interpretation question at issue, i.e., the scope of a “transfer” that is excluded from the EFTA because it occurs by means of a wire network.

Begin with Fischer & Mandell LLP v. Citibank, N.A., No. 09-CV-1160, 2009 WL 1767621 (S.D.N.Y. June 22, 2009). In that case, a plaintiff law firm sued Citibank under the EFTA for losses incurred as a result of wire transfers requested by the plaintiff following the deposit of a fraudulent check. 2009 WL 1767621, at *1-2. Citibank moved for summary judgment on the basis of the EFTA's and Regulation E's exclusions of “transfers of funds made through checks and wire transfers.” Id. at *4. Judge Sullivan began by noting that the plaintiff presented “no argument in any of its moving papers as to why Defendant's motion for summary judgment as to the EFTA claim should not be granted, and in fact, decline[d] to address the EFTA claim at all.” Id. Still, the court proceeded through the analysis, finding—after determining that the EFTA did not apply to the law firm's institutional account at all—that as an alternative ground, “Regulation E explicitly excludes from the coverage of the EFTA transfers of funds made through checks and wire transfers.” Id. Because “the initial deposit was through a check, and the subsequent withdrawals were through wire transfers,” the court concluded that the EFTA did not apply. Id. That case carries little weight here. First, the plaintiff did not present NYAG's argument regarding the different components of a wire transfer that individually may incur EFTA liability, and so the court had no opportunity to consider them. Second, it was not necessary for the court to reach subsection (7)(B), since the institutional account was not covered by the EFTA and the wire transfers, apart from the fraudulent check, were not themselves unauthorized. Indeed, the court did not consider the language of subsection (7)(B) at all—relying instead only on the text of Regulation E, which does not control the outcome here. Another of Citibank's cases is similar. See McClellon v. Bank of America, N.A., No. 18-CV-829, 2018 WL 4852628 (W.D. Wash Oct. 5, 2018). There, a pro se plaintiff alleged a violation of Regulation E, rather than the EFTA itself. Id. at *5. The court concluded that “Regulation E does not apply to the wire transfers at issue,” but did not consider the statutory language in subsection (7)(B). Id. at *6. Moreover, the court did not discuss any allegation of an electronic payment order, at issue in this case.

Citibank's next case, Wright v. Citizen's Bank of East Tennessee, is similarly cursory, stating merely that “the funds transfers at issue were made through Fedwire” and “[t]herefore, the EFTA does not apply.” 640 F. App'x at 404 (6th Cir. 2016). But the Sixth Circuit in Wright may not have had the opportunity to consider the particular language of subsection (7)(B), since that case concerned not an unauthorized wire transfer, but the delay of a wire transfer that resulted in a sale of some of the plaintiff's assets to satisfy a financial obligation. Id. at 402. And critically, the plaintiff there went in person to a branch of her financial institution to request the wire transfer, meaning there was no electronic Payment Order of the type that NYAG argues establishes Citibank's EFTA liability here. Id. (“Mrs. Wright told the teller ․ that she wanted to make a wire transfer and handed [her] a sheet of paper containing [the recipient's bank's] wiring instructions.”). Thus Wright, too, is inapposite.¹⁰

Another of Citibank's cases, Stepakoff v. IberiaBank Corp., 637 F. Supp. 3d 1309 (S.D. Fla. 2022), is even less on point. That was a case where the plaintiff requested by telephone a series of wire transfers in order to restrict her mother's access to funds held in a shared account. 637 F. Supp. 3d at 1311. In response, the plaintiff's mother visited a regional branch of the bank seeking to cancel the wire request and withdraw the funds herself. Id. “Faced with inconsistent demands from the two joint account holders, the bank closed the joint checking account and sent a cashier's check” with the funds to the mother's address. Id. The plaintiff sued the bank under the EFTA for failure to make an EFT “in a timely manner” as is required by the statute. Id. at 1312. Importantly, the only disagreement regarding subsection (7)(B) was whether transfers on other wire networks besides Fedwire fell within the provision; no one argued that the subsection might apply to some payment “legs” and not others. See id. at 1312-13. Nor would anyone in that case have had any reason to make such an argument, since there was no electronic payment ancillary to the transfer on the wire network to which EFTA liability would have attached. By contrast, and supportive of NYAG's position, the court considered solely the transfer along the wire network as an “electronic fund transfer” for purposes of the EFTA's “timely manner” requirement. See id. And though the court concluded that subsection (7)(B) ultimately did bar the claim, it relied on McClellon and Fischer & Mandell, two cases already discussed as being unpersuasive as to the dispute here.¹¹

Citibank's final cases, submitted in supplemental letters to the Court following the close of briefing on the motion to dismiss, do no more to advance their interpretation of subsection (7)(B). Nazimuddin v. Wells Fargo Bank N.A., No. 23-CV-4717, 2024 WL 3431347 (S.D. Tex. June 24, 2024), report and recommendation adopted, 2024 WL 3559597 (S.D. Tex. July 25, 2024), aff'd, No. 24-20343, 2025 WL 33471 (5th Cir. Jan 6, 2025), did not confront the instant legal issue—instead confronting whether the wire network used was covered by subsection (7)(B)—and cited Stepakoff, McClellon, and Fischer & Mandell, three cases this Court has already determined to be unpersuasive. Cf. 2024 WL 3431347, at *2.¹² And in the other, Bakhtiari v. Comerica Bank, Inc., No. 24-CV-273, 2024 WL 3405340 (N.D. Cal. July 12, 2024), the plaintiffs did not allege that an electronic Payment Order occurred, instead themselves “characteriz[ing] that they engaged in a ‘wire transfer.’ ” 2024 WL 3405340, at *1. This case, of course, does involve allegations of electronic Payment Orders to which EFTA liability may attach and which NYAG does not call “wire transfers.”

In sum, not one of Citibank's cases explicitly analyzes the issue before the Court: whether an electronic Payment Order may fall within the EFTA even if a subsequent transfer within a wire network does not. This appears to be because plaintiffs in those cases did not allege electronic transfers ancillary to a transfer on a wire network, failed to make the argument NYAG does now, or failed to rebut citations to previous cases in which some combination of those circumstances arose. As a result, the cited cases cannot overcome the plain meaning of subsection (7)(B).

The Court holds that 15 U.S.C. § 1693a(7)(B) does not preclude EFTA liability for a fraudulent Payment Order resulting in a debit from a consumer account in connection with a wire transfer. The Court is not ignorant to the fact that “[t]hose who adopted” the EFTA “might not have anticipated their work would lead to this particular result.” Bostock v. Clayton Cnty., Georgia, 590 U.S. 644, 653, 140 S.Ct. 1731, 207 L.Ed.2d 218 (2020). But “Congress's key drafting choices ․ virtually guaranteed that unexpected applications would emerge over time.” Cf. id. at 680, 140 S.Ct. 1731. And in honoring those choices, “[j]udges are not free to overlook plain statutory commands on the strength of nothing more than suppositions about intentions or guesswork about expectations.” Id. at 683, 140 S.Ct. 1731. Accordingly, Citibank's motion to dismiss the complaint on the basis of subsection (7)(B) is denied.

4. 15 U.S.C. 1693a(7)(D)

Citibank argues in the alternative that “the EFTA's ‘automatic transfer’ exemption” precludes liability in this case. (Mem. at 33.) For that proposition, Citibank does not even bother with the statutory text, proceeding straight to a section of Regulation E that excludes from coverage:

[a]ny transfer of funds under an agreement between a consumer and a financial institution which provides that the institution will initiate individual transfers without a specific request from the consumer ․ [b]etween a consumer's account and an account of the financial institution.13

12 C.F.R. § 1005.3(c)(5). Citibank's contention is that, because a debit from a consumer's account occurs “automatically” upon the request of a wire transfer, that debit falls within this provision. (See Mem. at 33-34.) Setting aside the fact that the regulation does not even use the word “automatic,” subsection 3(c)(5) only excludes transfers that occur “without a specific request from the consumer,” such as recurring payments made pursuant to a preset schedule or to cover an overdraft. Citibank admits that the so-called “automatic” debits at issue here are only “approved when a wire is requested,” clearly taking it out of subsection 3(c)(5)’s ambit. (Cf. Mem. at 33 (emphasis added)).

NYAG also notes correctly that the statutory text undermines Citibank's interpretation. The parallel EFTA provision is phrased to exclude only “transfers between accounts ‘for the purpose of covering an overdraft or maintaining an agreed upon minimum balance.’ ” (Opp. at 39 (quoting 15 U.S.C. § 1693a(7)(D)). Though NYAG admits that Regulation E has since been broadened, it cites the CFPB's official interpretation as specifying that the automatic transfers covered include “debits or credits to consumer accounts for check charges, stop-payment charges, non-sufficient funds (NSF) charges, overdraft charges, provisional credits, error adjustments, and similar items that are initiated automatically on the occurrence of certain events.” 12 C.F.R. § 1005.3, Supp. I, Comment 3(c)(5) (“Official Interpretations”). NYAG argues also that Citibank's reading would lead “to absurd results,” since construing any consumer authorization that triggers a debit from their account to be covered by subsection (7)(D) would cover just about every consumer transaction, as consumers cannot themselves move money in or out of an electronic account, but can only request that that be done. (See Opp. at 40.)

NYAG has the better interpretation of the provision. First, the regulatory language cited by Citibank does not cover the transfers at issue, as Payment Orders are “specific requests” for the transfer of consumer funds. In particular, NYAG alleges that, in requesting wire transfers, consumers enter electronic “agreements provid[ing] that consumers’ electronic transfer requests ․ also act as electronic authorizations for [their financial institution] to debit consumers’ bank accounts to pay for the transfers.” (Compl. ¶ 56.) Second, the plain statutory language does not cover the transfers that NYAG alleges are the basis for liability here, as that language refers only to automatic transfers conducted to cover an overdraft or to maintain an agreed-upon balance. No one here argues that that applies. That statutory language ultimately controls. See Loper Bright, 144 S. Ct. at 2266. Accordingly, 15 U.S.C. § 1693a(7)(D) is no basis upon which to dismiss the first count of the complaint.

B. Unauthorized Intrabank “Consolidation” Transfers (Claim II)

NYAG's second cause of action concerns not the debits from a consumer's account ancillary to a wire transfer, but when scammers “consolidate funds from multiple accounts into one account” in order to steal a larger sum of money without the need for multiple Payment Orders. (Compl. ¶ 277.) NYAG contends that these intrabank transfers, too, are EFTs subject to the EFTA's remedial provisions for unauthorized electronic fund transfers. (Opp. at 40-42.) Citibank disagrees, arguing that because consumers do not lose funds in an intrabank transfer—for example, from their savings account to their checking account—they “receive the benefits” of such transfers, removing them from the EFTA's coverage. (Mem. at 34.)

Recall that for an electronic fund transfer to be “unauthorized,” it must be “from a consumer's account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit ․” 15 U.S.C. § 1693a(12).¹⁴ No one disputes that when a scammer accesses a consumer's bank accounts and consolidates funds among them in order to make those funds easier to steal, those transfers were “initiated by a person other than the consumer without actual authority to initiate such transfer.” Instead, Citibank contends that because a consumer's overall wealth does not change during the consolidation, the intrabank transfers “benefit” the consumer and thus fall outside the definition of “unauthorized electronic fund transfer.” NYAG argues that these intrabank transfers harm consumers in three ways: by (1) enabling larger fraudulent transactions, (2) reducing the number of Payment Orders and thus lessening the ability to detect fraud, and (3) decreasing the proportion of a consumer's funds in interest-bearing savings accounts. (See Opp. at 41-42.)¹⁵

The EFTA does not define “benefit,” and so the Court's primary task is ascertaining that term's ordinary meaning. The Fourth Edition of Black's Law Dictionary defines “benefit” as “[a]dvantage; profit; fruit; privilege; advantage.” Benefit, Black's Law Dictionary (4th ed. 1968). Similarly, the 1961 edition of Webster's Third New International Dictionary defines the term's then-contemporary meaning as “something that guards, aids, or promotes well-being;” an “advantage” or “good”; and “useful aid.” Benefit, Webster's Third New International Dictionary, Unabridged (1961).¹⁶ In other words, a “benefit” improves the position of the recipient in some way.

That definition accords with the admittedly scarce case law on the question. Most on point is Moore v. JPMorgan Chase Bank, N.A., where the district court held that an alleged transfer from a consumer's savings account to her checking account for the purpose of conducting a fraudulent wire transfer constituted an “unauthorized” EFT. No. 22-CV-1849, 2022 WL 16856105, at *1-2 (N.D. Cal. Nov. 10, 2022). Specifically, the court held that “without the unauthorized (and unknown) transfer of money from their savings to their checking account there would not have been sufficient monies in the checking account to fund the unauthorized (and unknown) wire transfers,” and that “[s]uch a consequence is a detriment, not a benefit.” Id. at *1. Other courts have similarly looked past the immediate transfer for consideration of whether the consumer received “no benefit.” For example, in Park v. Webloyalty.com., Inc., the Ninth Circuit held that no “benefit” existed for purposes of 15 U.S.C. § 1693a(12) where a consumer, who had been debited in exchange for a coupon, “was unaware that he had enrolled” in the coupon program and thus could not “get any benefit from the coupons associated with the program.” 685 F. App'x 589, 592 (9th Cir. 2017) (unpublished opinion).

Citibank's only Second Circuit case is not to the contrary. In that case, Aikens v. Portfolio Recovery Assocs., the Second Circuit held that, where a bank debited a consumer to offset a portion of that consumer's credit card debt held by the same bank, the consumer received “the decided benefit of reducing her debt,” and so the transfer was not unauthorized. 716 F. App'x 37, 40 (2d Cir. 2017) (summary order). Importantly—and contrary to Citibank's view that “whether a transaction is ‘unauthorized’ turns on whether the consumer receives ‘no benefit’ from the transfer itself, not whether the consumer suffers some related, downstream loss” (Reply at 30)—the Aikens conception of a “benefit” requires consideration of downstream effects, since the consumer benefited not from the transfer itself, but from its effect on her credit card debt held by the bank. That is true whenever the transfer in question is a debit, as having money deducted from a bank account is always to the detriment to the accountholder unless they receive some other downstream benefit, such as purchasing a good or service, or reducing an existing debt.

Citibank's other case, Becker v. Genesis Financial Services, No. 06-CV-5037, 2007 WL 4190473 (E.D. Wash. Nov. 21, 2007), is admittedly more difficult to square with Moore, Park, and Aikens. In Becker, a consumer held two credit cards from different banks. 2007 WL 4190473, at *2. One of the banks transferred funds to the other bank, crediting the consumer's account at the second bank. Id. The consumer then sought to cast that transfer as an unauthorized EFT and refused to pay for it, but the court rejected that interpretation of the statute, holding that the consumer received a benefit in the form of the credit to the second account. Id. at 12. However, Becker is ultimately not on point, as the transfers there did not result in subsequent fraud (as in Moore) and did not involve a consumer's unawareness of the purported benefit (as in Park). In fact, the transfer in Becker appears to have resulted in no loss to the plaintiff whatsoever, at least until she refused to pay for the transfer and incurred additional debt as a result of that refusal. Both of those cases suggest that what Citibank has alleged here—unauthorized consolidations of consumers’ funds without their knowledge in order to facilitate easier and less detectable fraud—occurred without any “benefit” to the consumer. Accordingly, the Court holds that, at least where a plaintiff alleges that intrabank transfers (1) were initiated by someone other than the consumer without actual authority, (2) were unknown to the consumer, and (3) facilitated a subsequent fraud, the plaintiff has adequately alleged the absence of “benefit” within the meaning of U.S.C. § 1693(a)(12). Citibank's motion to dismiss the second cause of action in the complaint is denied.

C. Terms and Conditions (Claim III)

NYAG's third cause of action concerns the EFTA's requirements for disclosing the “terms and conditions” of EFT services to consumers and corresponding prohibition on terms that purport to waive a consumer's rights under the Act. See 15 U.S.C. §§ 1693c, 1693l. Specifically, NYAG alleges that Citibank failed to disclose the “security protocols” used in its provision of EFT services, in violation of Section 1693c, and also required consumers to sign contracts that waived their EFTA rights, in violation of Section 1693l. (Compl. ¶¶ 283-86.) Citibank moves to dismiss the claim, arguing that the EFTA does not require Citibank to detail its security protocols and that Citibank's customer agreements do not waive any EFTA rights. (Mem. at 35-37.)

1. Disclosure of Security Protocols

The EFTA provides that “[t]he terms and conditions of electronic fund transfers involving a consumer's account shall be disclosed at the time the consumer contracts for an electronic fund transfer service, in accordance with regulations of the Bureau. Such disclosures shall be in readily understandable language ․” 15 U.S.C. § 1693c(a). That provision then lists ten disclosures that must be provided to consumers. See 15 U.S.C. § 1693c(a)(1)-(10). Citibank argues that because that list of required disclosures does not include the “security protocols” used in the operation of an EFT service, such protocols do not need to be disclosed per the EFTA. (Mem. at 35-36.) NYAG does not dispute that the enumerated required disclosures in Section 1693c(a) do not include “security protocols,” but insists instead that once Citibank “chose[ ] to make a disclosure” regarding its security protocols, it did so “using insufficiently understandable terms.” (Opp. at 43.) Without saying so explicitly, NYAG's position depends on a reading of Section 1693c(a) that imposes two requirements: first, a requirement to make enumerated, required disclosures; and second, a requirement that any disclosure—required or not—be made in “readily understandable language.”

NYAG is correct, as an initial matter, that Section 1693c(a) may require certain disclosures to be “in readily understandable language” even if they are not mandatory disclosures, so long as they constitute the “terms and conditions of electronic fund transfers.” That is because the “shall be in readily understandable language” requirement modifies “[s]uch disclosures,” which refers not to the enumerated list of ten items, but to “[t]he terms and conditions.” See 15 U.S.C. § 1693c(a). But NYAG must clear another hurdle: whether the “security protocols” used in operating an EFT service are part of the “terms and conditions of electronic fund transfers.” Here, none of NYAG's papers make any argument about the scope of the phrase “terms and conditions.” To the contrary, Citibank argues that to read such a requirement into the EFTA would require financial institutions to “provide a roadmap for fraudsters” who could use the disclosures to circumvent the security measures. (See Mem. at 36.) On this point, NYAG counters that disclosures would not necessarily have that effect, because all Citibank would have to disclose are the measures it “might” employ beyond requiring a username and password to access an account. (Opp. at 43.) But, again, NYAG cites no support for this limiting principle and further separates its desired rule from the text of Section 1693c(a), which speaks of neither “security protocols” nor the ones that a financial institution “might” employ.

One of the few judicial pronouncements of the meaning of “terms and conditions” as used in Section 1693c(a) came in Virginia is for Movers, LLC v. Apple Fed. Credit Union, 720 F. Supp. 3d 427 (E.D. Va. 2024). There, the court explained that “the phrase ‘terms and conditions’ signifies ‘conditions or stipulations limiting what is proposed to be granted or done.’ ” 720 F. Supp. 3d at 442 (emphasis added) (citing Terms and Conditions, Garner's Dictionary of Legal Usage (3d ed. 2011)). In that case, the court held that a provision in a user agreement for charging overdraft fees on debit card point-of-sale transactions fell within the “terms and conditions” of an electronic fund transfer because it was “an element, prerequisite or limitation of [the] offer to make certain kinds of electronic fund transfers.” Id. at 442-43.

While mindful that the phrase “terms and conditions” might have a different meaning in other contexts,¹⁷ the Court is persuaded by the approach taken in Virginia is for Movers in the context of the EFTA. In order to constitute “terms and conditions” that must be disclosed in “readily understandable language,” the contract term or protocol governing an EFT must be “an element, prerequisite or limitation” on the offer to provide that EFT. Here, NYAG admits that Citibank was not obligated by its terms and conditions to utilize any particular security protocols beyond requiring a username and password. (See Opp. at 44.) NYAG's allegation that Citibank failed to adequately disclose “security protocols” thus falls short, since the disclosures Citibank provided about those protocols are not an “element, prerequisite or limitation” on the provision of the EFT. NYAG does not allege that the contract obligations of either party to an EFT is qualified by the use of particular security protocols.

In sum, the Court holds that 15 U.S.C. § 1693c(a) does not require a financial institution to disclose the “security protocols” governing an electronic fund transfer unless those protocols constitute an “element, prerequisite or limitation” on the offer to transfer. Because that is not the case here, the component of the third cause of action dependent on a violation of 15 U.S.C. § 1693c(a) is dismissed.

2. Waiver of EFTA Rights

In addition to requiring that the terms and conditions of EFTs be disclosed, the EFTA also provides that “[n]o writing or other agreement between a consumer and any other person may contain any provision which constitutes a waiver of any right conferred or cause of action created by this subchapter.” 15 U.S.C. § 1693l. Here, the parties appear to agree on the meaning of Section 1693l: Citibank and its customers may not enter into any agreement waiving any of the customers’ rights under the EFTA. What the parties dispute is whether Citibank's “online terms and conditions,” which NYAG alleges contain several limitations of Citibank's customers’ rights, constitute illegal EFTA waivers. Though Citibank disputes NYAG's characterization of the contracts, the Court is bound to accept as true NYAG's factual allegations. Thus, the question at this stage is merely whether the contract terms specified in NYAG's complaint plausibly operate to waive consumer EFTA rights in violation of Section 1693l.

Typically, courts review alleged violations of the EFTA's anti-waiver position by comparing contract terms to the statute itself to look for inconsistencies. See, e.g., Simone v. M&M Fitness LLC, No. 16-CV-1229, 2017 WL 1318012, at *3 (D. Ariz. April 10, 2017) (“Defendant's Agreement precludes Plaintiff from exercising her right freely and without legal exposure—the very circumstance contemplated by the EFTA's anti-waiver provision.”). That is consistent with the Supreme Court's approach in CompuCredit Corp. v. Greenwood, 565 U.S. 95, 132 S.Ct. 665, 181 L.Ed.2d 586 (2012), which concerned a similar anti-waiver position in the Credit Repair Organization Act (“CROA”). Cf. Miller v. Interstate Auto Grp., Inc., No. 14-CV-116, 2015 WL 1806815, at *5 (W.D. Wis. April 21, 2015) (applying the CompuCredit approach in a case concerning the EFTA's anti-waiver position). In CompuCredit, the Court confronted a CROA mandate that credit repair organizations provide to potential customers a statement that read, “You have a right to sue a credit repair organization that violates the Credit Repair Organization Act.” CompuCredit, 565 U.S. at 98-99, 132 S.Ct. 665. A group of plaintiffs sought to sue such an organization in federal court in spite of an arbitration clause they had signed, arguing that the arbitration clause constituted an illegal waiver of the CROA's “right to sue.” Id. at 96-97, 132 S.Ct. 665. The Court disagreed, holding that though the CROA created a right to the statement indicating the right to sue, it did not itself provide a right to sue that could not be superseded by an arbitration agreement. Id. at 102, 132 S.Ct. 665. CompuCredit’s lesson is that, in applying an anti-waiver provision, courts must carefully compare statutory rights with subsequent agreements to determine whether the agreements violate the statute.

On that score, NYAG makes two specific allegations regarding the online customer agreements, that they: (a) “improperly narrowed the scope of unauthorized EFTs by contractually defining any EFT initiated through online or mobile banking using usernames and passwords as an authorized EFT even if not made with actual authority”; and (b) “altered [Citibank]’s burden of proof by contractually providing that [Citibank] may treat its own internal records and documents as conclusive evidence,” which also “altered the scope of a reasonable investigation by Citi into notices of unauthorized EFTs provided to [Citibank] by consumers.” (Compl. ¶ 286.)¹⁸

a. Narrowing the Definition of an Unauthorized EFT

First, NYAG argues that Citibank's online agreement (“User Agreement”) improperly narrowed the scope of an “unauthorized electronic fund transfer,” thus effectively limiting the types of unauthorized transfers for which consumers have rights under the EFTA. (Opp. at 42.) NYAG does not supply the relevant contract language but alleges instead that “the terms and conditions provide that [Citibank] may treat EFTs made using consumers’ username and password as ‘authorized’ while the EFTA requires persons to have actual authority for authorized EFTs—not just usernames and passwords.” (Compl. ¶ 89.) The actual text, attached by Citibank to its motion to dismiss,¹⁹ contains the following terms:

You authorize Citibank to treat any instruction made on Citi Online with valid Codes as if the instructions had been made in writing and signed by you.

․

Citibank will therefore consider any access to Citi Online through use of valid Codes to be duly authorized, and Citibank will carry out any instruction given regardless of the identity of the individual who is actually accessing the system.

․

When you place an order for a funds transfer (including a wire or cable transfer), Citibank may follow a security procedure established for your protection that may entail a telephone call or other required contact with or from you prior to acting upon your instructions. In certain instances, Citibank may also decline to act upon your instructions.

(ECF No. 46-1 (“User Agreement”) at 2.) The EFTA's definition of an “unauthorized electronic fund transfer” is as follows:

[T]he term “unauthorized electronic fund transfer” means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit, but the term does not include any electronic fund transfer (A) initiated by a person other than the consumer who was furnished with the card, code, or other means of access to such consumer's account by such consumer, unless the consumer has notified the financial institution involved that transfers by such other person are no longer authorized, (B) initiated with fraudulent intent by the consumer or any person acting in concert with the consumer, or (C) which constitutes an error committed by a financial institution.

15 U.S.C. § 1693a(12). By its plain terms, the User Agreement does not change the scope of an “unauthorized electronic fund transfer,” as it does not purport to define that term at all. Instead, the User Agreement purports to establish what Citibank will do when it receives a request for a transfer by a person with a customer's log-in credentials. Though that contract provision may limit Citibank's liability for breach of contract, it does not alter Citibank's responsibilities under the EFTA. That approach accords with CompuCredit, which requires defining the statutory right at issue with precision before determining whether a contract term conflicts with the right and thus violates the statute's anti-waiver rule.

NYAG's only cited authority, Simone v. M&M Fitness, is not to the contrary. There, Judge Tuchi of the District of Arizona held that a customer contract's requirement that a consumer contact their financial institution within a certain time period in order to stop a preauthorized EFT violated the EFTA's anti-waiver provision, because it “create[d] an additional hurdle not contemplated by the EFTA, which does not require that a consumer provide notice to a payee before stopping payment.” Simone, 2017 WL 1318012, at *3. That was problematic because if a consumer “were to stop payment without notifying Defendant—as is her right under the EFTA—she would be susceptible to a breach of contract lawsuit brought by Defendant which could expose her to liquidated damages.” Id. But here, NYAG does not allege that any consumer could be subject to contract liability based on the language of the User Agreement, nor could they be, since it does not impose any obligation on any Citibank customer. Because the quoted language neither limits an EFTA remedy nor imposes on a consumer an additional requirement beyond the EFTA, it does not violate 15 U.S.C. § 1693l.²⁰

b. Alteration of the Burden of Proof and Avoiding a Reasonable Investigation

NYAG alleges next that language in the User Agreement changes the allocation of the burden of proof for allocating liability under the EFTA, thus violating 15 U.S.C. § 1693l. In particular, NYAG refers to the following language:

Unless there is substantial evidence to the contrary, Citibank records will be conclusive regarding any access to, or action taken through, Citi Online.

(User Agreement at 2.) Unlike the first provisions, this language is more ambiguous, since it does not speak of Citibank's internal procedures, but of the conclusiveness of “Citibank records” generally. NYAG argues that that “evidentiary presumption”—a characterization that Citibank does not dispute (see Mem. at 37)—makes it easier to “determine that an error did not occur and deny reimbursement” as well as to decline to conduct investigations into potentially unauthorized EFTs (see Opp. at 43). Because there is a reasonable reading of this contract language that alters the burden of proof to which a consumer is entitled in an EFTA action, see 15 U.S.C. § 1693g(b), the Court holds that NYAG has adequately alleged at this stage that the quoted section of the User Agreement limits a statutory right and thus violates 15 U.S.C. § 1693l.²¹

Because NYAG has alleged that at least one portion of the User Agreement violates the EFTA's anti-waiver provision, the motion to dismiss the third cause of action is denied with respect to the allegation that the User Agreement waives the EFTA's statutory burden of proof.

D. NY UCC Article 4A (Claim IV)

NYAG's fourth cause of action concerns Citibank's alleged violations of UCC Article 4A-204(1)²² in failing to refund fraudulently initiated Payment Orders that Citibank accepted not “in good faith and in compliance with commercially reasonable security procedures” as well as “any instructions of its customers restricting acceptance of payment orders.” (Compl. ¶ 290.) However, as the Court has already decided, the allegedly fraudulent Payment Orders at issue in this case are governed by the EFTA because they do not occur on the wire network and are thus not removed from the EFTA's coverage by virtue of 15 U.S.C. § 1693a(7)(B). And as no one disputes, “Article [4A] does not apply to a funds transfer any part of which is governed by the Electronic Fund Transfer Act of 1978.” NY UCC § 4-A-108 (2023). Indeed, as counsel for NYAG explained at argument, “Section 108 of the UCC provides that if any part of a funds transfer is subject to the EFTA and Reg E, then Article 4A goes away entirely.” (Hrg. Tr. 43:12-43:14.) Accordingly, NYAG's fourth cause of action—arising entirely under Article 4A and concerning Payment Orders held to be subject to the EFTA—must be dismissed. However, because there may be other transfers conducted by Citibank that NYAG could plausibly allege are covered by the UCC, NYAG is granted leave to amend the complaint as to Claim IV.

E. SHIELD Act and General Business Law § 349 (Claim V) and the Federal Red Flags Rule (Claim VI)

NYAG's fifth and sixth causes of action concern New York's SHIELD Act and the federal Red Flags Rule. (Compl. ¶¶ 298-306, 307-16.) Citibank makes several arguments for dismissing both claims, but the Court need reach only one: Both of these claims are either preempted or otherwise barred by the Fair Credit Reporting Act (“FCRA”) and related regulations.

“[T]he FCRA's applicable preemption provisions are somewhat intricate and require consideration of multiple cross-referencing statutory provisions.” Galper v. JP Morgan Chase Bank, N.A., 802 F.3d 437, 444 (2d Cir. 2015). Two provisions are most relevant to the dispute here. First, Section 1681m specifies that it “shall be enforced exclusively under section 1681s of this title by the Federal agencies and officials identified in that section.” 15 U.S.C. § 1681m(h)(8)(B). Second, Section 1681t provides for express preemption of state law:

No requirement or prohibition may be imposed under the laws of any State ․ with respect to the conduct required by the specific provisions of ․subsections (e), (f), and (g) of section 1681m of this title.

15 U.S.C. § 1681t(b)(5)(F). For context, Section 1681m(f), a prohibition on the transfer or sale of debt caused by identity theft, and Section 1681m(g), regulating debt collector communications concerning identity theft, are not at issue in this case. Section 1681m(e), on the other hand, constitutes the “Red Flags Rule” that is the subject of NYAG's sixth cause of action, and permits several federal agencies to prescribe regulations for financial institutions and card issuers to protect consumers from identity theft. See 15 U.S.C. § 1681m(e)(1)(A)-(C). Citibank argues that the FCRA's provisions for exclusive enforcement by federal officials and the preemption of regulation with respect to the conduct required by the Red Flags Rule, see 15 U.S.C. §§ 1681m(h)(8)(B), 1681t(b)(5)(F), bar NYAG from enforcing the Red Flags Rule directly or applying state law to the facts alleged in the fifth and sixth causes of action. (See Mem. at 45-47, 52.) NYAG argues that FCRA preemption is “narrow,” and that it is permitted to enforce the Red Flags Rule directly through Executive Law § 63(12). (See Opp. at 52-54.)

“Congress may preempt (or invalidate) a state law by means of a federal statute.” Galper, 802 F.3d at 443. There are two forms of federal preemption of state laws: express, in which Congress is explicit in its intent to displace state law, or implied, in which “it is clear that Congress intended to occupy the entire regulatory field, where state law stands as an obstacle to the objectives of Congress, or where compliance with both federal and state law is impossible.” Id. This is an express preemption case, as Congress enacted a statutory provision, Section 1681t(b)(5)(F), which purports to prohibit state “requirement[s] or prohibition[s]” in a particular area. “[I]n cases such as this one that involve a claim of express preemption, [the court is to] focus on the plain wording of the statute, which is necessarily the best evidence of the scope of Congress's preemptive intent.” Id. (citing Chamber of Com. of U.S. v. Whiting, 563 U.S. 582, 131 S.Ct. 1968, 179 L.Ed.2d 1031 (2011)). “The structure and purpose of the federal statute [are] also a guide to Congress's intent.” Id. (citing Ingersoll-Rand Co. v. McClendon, 498 U.S. 133, 138, 111 S.Ct. 478, 112 L.Ed.2d 474 (1990)). “[W]hen considering a preemption argument in the context of a motion to dismiss, the factual allegations relevant to preemption must be viewed in the light most favorable to the plaintiff.” Id. at 444.

As the Second Circuit decided in Galper, subsection 1681t(b)(1)(F)—not at issue here—is to be construed “fairly but narrowly, mindful in the appropriate case that ‘each phrase within the provision limits the universe of state action pre-empted by the statute.’ ” Id. at 445 (brackets omitted) (quoting Lorillard Tob. Co. v. Reilly, 533 U.S. 525, 551, 121 S.Ct. 2404, 150 L.Ed.2d 532 (2001)). Interpreting 1681t(b)(5)(F), at this juncture, should proceed no differently. The operative language of both subsections—prohibiting states from regulating “with respect to” conduct required by the FCRA—has been interpreted by the Second Circuit to preempt “only those claims that concern a [regulated entity's] responsibilities.” Id. at 446 (emphasis in original). In Galper, the critical inquiry was whether the state-law claim concerned the “defendant's legal responsibilities as a furnisher of information under the FCRA,” id., as subsection 1681t(b)(1)(F) cross-references Section 1681s-2, which governs a furnisher's reporting to credit reporting agencies. And in that case, the Second Circuit said the answer was “no,” interpreting the plaintiff's allegations at the motion-to-dismiss stage to allege that the defendant was liable for identify theft not because of a failure to comply with their FCRA legal responsibilities, but on a respondeat superior theory stemming from their employees’ conduct. See id. That case is instructive, as it provided the general approach to FCRA preemption and interpreted the critical language “with respect to conduct.” But Galper did not, and could not, answer the present question of the preemptive effects of subsection 1681t(b)(5)(F), which cross-references different provisions of FCRA.²³ The Court addresses the preemption issues raised by the SHIELD Act claim and the Red Flags Rule claim in turn.

1. SHIELD Act

NYAG's fifth cause of action asserts a violation of New York's SHIELD Act. At the outset, in seeking to enforce the SHIELD Act, NYAG does not face a problem under Section 1681m(h)(8)(B), since it is not attempting to enforce federal law directly. But NYAG must still overcome FCRA preemption of any “requirement or prohibition” under state law “with respect to the conduct required by” the Red Flags Rule. 15 U.S.C. § 1681t(b)(5)(F).

This preemption inquiry is one of first impression.²⁴ Galper instructs district courts to begin with the federal laws at issue, in this case, the regulations promulgated according to authority granted by 15 U.S.C. § 1681m(e). The Federal Trade Commission's version of the Red Flags Rule requires financial institutions to “develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” 16 C.F.R. § 681.1(d)(1). Such a Program must contain “reasonable policies and procedures to” identify, detect, and respond appropriately to Red Flags, as well as ensure that the Program is “updated periodically[ ] to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.” Id. § 681.1(d)(2). A “Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.” Id. § 681.1(b)(9). In addition to developing its Program, a financial institution must also “[t]rain staff, as necessary, to effectively implement the Program.” Id. § 681.1(e)(3). The version adopted by the Office of the Comptroller of the Currency, codified at 12 C.F.R. § 41.90, is identical in all material respects. All of these requirements were promulgated by the FTC, pursuant to authority derived from the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), “to prevent identity theft, improve resolution of consumer disputes, improve the accuracy of consumer records, and make improvements in the use of, and consumer access to, credit information.” Am. Bar Ass'n v. F.T.C., 636 F.3d 641, 644 (D.C. Cir. 2011) (quotation marks and brackets omitted); see also Galper, 802 F.3d at 444 (“[T]he FCRA has been subject to multiple amendments, including to impose regulatory requirements in actors other than consumer reporting agencies and ․ to help consumers and businesses combat identity theft.”) Aside from the D.C. Circuit's decision in American Bar Association, which supplies the context of the regulations at issue, no court has reached a merits decision on the FTC's version of the regulation, and no federal court has cited the OCC's version at all.

Now take the SHIELD Act, N.Y. Gen. Bus. L. § 899-bb. (See Compl. ¶¶ 298-306.)²⁵ Section 899-bb(2) requires “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York” to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” Id. § 899-bb(2)(a). Businesses are “deemed to be in compliance” with that requirement if they “implement[ ] a data security program that includes” a variety of components, including “reasonable administrative ․ technical ․ [and] physical safeguards.” Id. § 899-bb(2)(b)(ii)(A)-(C). NYAG alleges a slew of administrative and technical lapses by Citibank, including failure to train employees to adequately decrease the risk of fraud and failure to implement technologies capable of detecting electronic activity in consumer accounts. (See Compl. ¶¶ 303-06.)

NYAG contends that “[t]he SHIELD Act plainly is not preempted ․ as it concerns [Citibank's] illegal failures to safeguard consumer financial information and to adequately train its employees to effectively secure such information, which are wholly distinct from the Red Flag[s] Rule's requirements for identification of potential identify theft and mitigation of related harm.” (Opp. at 53 (citations omitted).) But NYAG's dodge proves Citibank's point. If the SHIELD Act claim concerns “failures to safeguard consumer financial information,” that is precisely within the ambit of the Red Flags Rule, which requires the development of “reasonable policies and procedures” to identify, detect, and respond appropriately to “pattern[s], practice[s], or specific activity that indicates the possible existence of identity theft.” See 16 C.F.R. § 681.1(d)(2)(i)-(iii). And NYAG's second attempt at distinguishing the rules, that the SHIELD Act claim alleges failure to “adequately train ․ employees to effectively secure ․ information,” falls squarely within the Red Flags Rule's requirement that a financial institution must “[t]rain staff, as necessary, to effectively implement the Program.” See id. § 681.1(e)(3). All of that comports with the purposes of the Rule, which include “prevent[ing] identity theft” and “improv[ing] resolution of consumer disputes.” See Am. Bar Ass'n, 636 F.3d at 644. In other words, NYAG had failed to plead “any facts to suggest that these claims concern conduct different from that underlying [its] FCRA claim.” Manes v. JPMorgan Chase Bank, N.A., No. 20-CV-11059, 2022 WL 671631 (S.D.N.Y. Mar. 7, 2022).

Importantly, however, enforcement of the SHIELD Act will not always be preempted by 15 U.S.C. § 1681t(b)(5)(F), 15 U.S.C. § 1681m(e), and the related regulations. That is because those rules apply only to “financial institutions and creditors that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. § 1681s(a)(1).” 16 C.F.R. § 681.1(a). NYAG does not argue here that its SHIELD Act claims concern financial institutions that fall outside the scope of the FCRA and the Red Flags Rule, so the Court does not have the occasion to consider the circumstances in which the SHIELD Act will permit enforcement that is not preempted. Furthermore, other invocations of the SHIELD Act may not run afoul of the Red Flags Rule, such as applications of the law in cases not concerning identity theft.

That aside, NYAG's proposed application of the Shield Act in this case is entirely coextensive with the Red Flags Rule. Accordingly, the Court holds that the fifth cause of action—asserting a violation of the Shield Act—is preempted by FCRA subsection 1681m(b)(5)(F) and must be dismissed.

2. Red Flags Rule

The sixth cause of action, for violation of the Red Flags Rule, is much simpler. In particular NYAG asserts that Citibank's failed to detect and respond to “red flags” in violation of the federal Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 rule (the “Red Flags Rule”), 16 C.F.R. § 681.1 (as adopted by the Federal Trade Commission) & 12 C.F.R. § 41.90 (as adopted by the Office of the Comptroller of the Currency). (See Compl. ¶¶ 307-16.) NYAG does not argue that the fifth cause of action is in any way distinct from the federal Rule. Instead, it appears to argue that it may enforce the federal Rule by virtue of a state law. But recall that FCRA Section 1681m prohibits the enforcement of its terms, which include the delegation of the Red Flags Rule to the FTC and OCC, by any entity other than federal officials. NYAG cannot have it both ways; either it is seeking to enforce the Rule in violation of Section 1681m(h)(8)(B), or it is seeking to enforce an identical version of the Rule encoded in New York's Executive Law in violation of Section 1681t(b)(5)(F). Indeed, NYAG essentially concedes this point, writing in opposition to the motion to dismiss, “OAG is simply enforcing the Red Flag Rule. Executive Law § 63(12) is a regulatory tool that, among other things, gives the OAG ‘standing to redress liability recognized elsewhere in the law.’ ” (Opp. at 53.) Maybe so, but federal law does not permit states to redress liability imposed by regulations enacted pursuant to 15 U.S.C. § 1681m. Accordingly, the Court holds that the sixth cause of action—asserting a violation of the Red Flags Rule—is inconsistent with FCRA and thus must be dismissed.

F. Fraud and Deceptive Acts and Practices (Claims VII and VIII)

NYAG's final two causes of action assert that Citibank committed fraud in violation of New York Executive Law Section 63(12) and violated New York General Business Law Section 349’s prohibition of “deceptive acts and practices in the conduct of any business, trade, or commerce in the state of New York.” (Compl. ¶¶ 317-20, 321-25.)

“New York Executive Law § 63(12) empowers the New York Attorney General to seek injunctive relief and other remedies against persons or entities that ‘engage in repeated fraudulent or illegal acts or otherwise demonstrate persistent fraud or illegality in the carrying on, conducting or transaction of business.’ ” Consumer Fin. Protection Bureau v. RD Leg. Funding, LLC, 332 F. Supp. 3d 729, 769 (S.D.N.Y. 2018), vac'd on other grounds, 828 F. App'x 68 (2d Cir. 2020) (summary order), (quoting N.Y. Exec. L. § 63(12)). As used in that provision, “[t]he word ‘fraud’ or ‘fraudulent’ ․ include[s] any device, scheme or artifice to defraud and any deception, misrepresentation, concealment, suppression, false pretense, false promise or unconscionable contractual provisions.” N.Y. Exec. L. § 63(12). And “[t]he term ‘repeated’ ․ include[s] repetition of any separate and distinct fraudulent or illegal act, or conduct which affects more than one person.” Id. “Thus, while a claim under Section 63(12) may allege fraud and necessitate a showing of knowledge or reliance as an element of the claim, the NYAG may equally assert a cause of action under Section 63(12) that alleges ‘deception’ or some other non-fraudulent conduct that does not include scienter as an element.” RD Leg. Funding, 332 F. Supp. 3d at 769 (citing People v. Am. Motor Club, 179 A.D.2d 277, 582 N.Y.S. 2d 688, 692 (1st Dep't 1992)).

Executive Law Section 63(12) thus offers two strains of liability: “fraud”²⁶ (which encompasses a broader range of deceptive conduct than the common law) as well as “repeated ․ illegal acts.” See Fed. Trade Comm'n v. Roomster Corp., 654 F. Supp. 3d 244, 261 n.11 (S.D.N.Y. 2023) (distinguishing the standard for fraud under Executive law § 63(12) and for deception under N.Y. General Business Law § 349). The former theory entails an independent, substantive violation of Executive Law § 63(12), and the latter theory requires a “predicate violation” of another law. See N.Y. by James v. Sirius XM Radio Inc., 735 F.Supp.3d 272, 277 (S.D.N.Y. 2024). However, “[c]ourts have interpreted this provision to mean that any conduct which violates state or federal law or regulation is actionable under Executive Law § 63(12).” Id. (cleaned up).²⁷ Reading the complaint in the light most favorable to NYAG—as is required at this stage, Galper, 802 F.3d at 443-44—the Court construes Claim VII to plead “fraud” as a substantive violation of Executive Law Section 63(12) and Claim VIII to plead a violation of General Business Law Section 349 as a predicate of Executive Law Section 63(12) liability.

General Business Law Section 349 empowers the New York Attorney General to sue to redress “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state.” N.Y. Gen. Bus. L. Section 349(a). “The statute's reach is broad in order to provide the needed authority to cope with the numerous, ever-changing types of false and deceptive business practices which plague customers in New York State.” Dunham v. Sherwin-Williams Co., 636 F. Supp. 3d 308, 313 (N.D.N.Y. 2022) (cleaned up) (quoting Dimond v. Darden Rests., Inc., No. 13-CV-5244, 2014 WL 3377105, at *4 (S.D.N.Y. July 9, 2014)). Generally, “[t]o establish a violation of Section 349, the plaintiff must prove the defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result.” Id. (quoting Chery v. Conduent Educ. Servs., LLC, 581 F. Supp. 3d 436, 449 (N.D.N.Y. 2022)). To be “materially misleading,” “the allegedly deceptive acts, representations or omissions must be misleading to ‘a reasonable consumer.’ ” Goshen v. Mut. Life Ins. Co. of N.Y., 98 N.Y. 2d 314, 324, 746 N.Y.S.2d 858, 774 N.E.2d 1190 (2002).

As a plaintiff in a Section 349 action, the New York Attorney General need not satisfy the injury requirement. Id. (“Unlike private plaintiffs, the Attorney General may, for example, seek injunctive relief without a showing of injury [under General Business Law § 349].”). Moreover, Citibank does not dispute here that it was engaged in “consumer-oriented conduct” when it advertised to its customers, completed EFTs on their behalf, and responded to reports of unauthorized EFTs. So, for both claims—Executive Law Section 63(12) fraud and general Business Law Section 349 deceptive practices—the dispositive question is whether Citibank deceived its customers. On that score, NYAG alleges eight categories of “fraudulent” (id. ¶ 319) or “deceptive” (id. ¶ 324) “practices in its account administration and handling of unauthorized EFTs and Payment Orders sent electronically” (id. ¶¶ 319, 324).²⁸ Broadly, the practices fall into three groups: (1) representations Citibank allegedly made about the security of specific customer accounts (id. ¶ 319(a), (c)); (2) incorrect, general statements about customers’ EFTA rights in the event of an unauthorized EFT (id. ¶ 319(b)); and (3) actions Citibank took following an unauthorized EFT (id. ¶ 319(d)-(h)).

NYAG adequately alleges that at least some of Citibank's representations constitute fraudulent or deceptive practices that are actionable under Executive Law Section 63(12) and General Business Law Section 349. For example, NYAG alleges that Citibank informed customers that “bank accounts were secure ․ when in fact the bank accounts were not safe from scammers” (id. ¶ 319(c)), and that Citibank falsely “represented in its standard form denials ․ that consumers acted improperly—such as not taking ‘adequate steps to safeguard’ accounts or ‘providing customer account information’ in response to scams—as bases to deny any obligation by Citi to reimburse, which falsely led consumers to believe that their own actions were relevant and deprived them of their legal rights to recover stolen funds” (id. ¶ 319(h)). Moreover, NYAG alleges that Citibank “required consumers who provided notice of unauthorized EFTs to execute affidavits asserting claims for unauthorized wire transfers” and “told customers that no action could be taken” without those affidavits. (Id. ¶ 319(d)-(e).)

Citibank argues that the statement about consumer account security is not actionable, but the Court must reasonably infer from NYAG's allegations anything plausibly giving rise to liability. Here, one reasonable inference is that Citibank made specific representations to specific customers about the security of their accounts when their accounts were the subject of ongoing frauds. That is actionable deception under the applicable statutes. Likewise, though Citibank argues that it included language denying reimbursements because consumers furnished the means of access to their accounts to fraudsters, it is reasonable to infer from NYAG's allegation that Citibank included such language in “standard form denials” incorrectly, and thus deceptively. And finally, NYAG adequately alleges that Citibank deceived customers into believing that obtaining a notarized affidavit was required before Citibank would be obligated to investigate an unauthorized EFT, issue a provisional credit, and reimburse the customer, when Citibank does not dispute that the EFTA imposes no such condition. The Court concludes that those allegations state claims for fraud and deception under Executive Law Section 63(12) and General Business Law Section 349.

However, certain other representations alleged by NYAG do constitute non-actionable ‘puffery’ ” (Mem. at 53-54), including statements made by Citibank regarding the general security of customer accounts or its commitment to the security of customer information and funds. (See Compl. ¶ 319(a)). Puffery constitutes “exaggerated general statements that make no specific claims on which consumers could rely,” and are by their nature not fraudulent or deceptive. Pelman v. McDonald's Corp., 237 F. Supp. 2d 512, 528 n.14 (S.D.N.Y. 2003). No reasonable consumer would expect that a financial institution's general averments to prioritize security connoted a promise to use any particular security protocol or that a customer's account was impenetrable to fraud. See Duran v. Henkel of Am., Inc., 450 F. Supp. 3d 337, 346-47 (S.D.N.Y. 2020) (“Statements that are mere puffery cannot support a claim under GBL §[ ] 349 ․ and thus courts can determine that a statement is puffery as a matter of law.” (quotation marks and brackets omitted)).

In sum, the Court holds that at least two types of Citibank's alleged practices are actionable under Executive Law Section 63(12) and General Business Law Section 349: (1) incorrect statements made to particular customers about the security of their accounts, and (2) incorrect statements made to any customer about their rights under their EFTA or their need to complete affidavits prior to Citibank conducting an investigation or issuing a provisional credit or reimbursement. The Court further holds that statements about Citibank's general commitment to security or the general safety of customer information and funds constitute puffery that cannot sustain claims under Executive Law Section 63(12) and General Business Law Section 349. Accordingly, the motion to dismiss the seventh and eighth causes of action is granted in part and denied in part.

IV. Conclusion

For the foregoing reasons, Defendant's motion to dismiss is GRANTED with respect to Claims IV, V, and VI; GRANTED IN PART with respect to Claims III, VII, and VIII; and DENIED with respect to Claims I and II.

Defendant shall file an answer to the remaining claims within fourteen days after the date of this opinion and order. See Fed. R. Civ. P. 12(a)(4)(A).

SO ORDERED.

FOOTNOTES

1.   As explained more thoroughly infra, NYAG's complaint contains a number of legal conclusions that are not to be presumed true in resolving Citibank's motion. See Starr v. Sony BMG Music Ent., 592 F.3d 314, 321 (2d Cir. 2010).

2.   The parties dispute, at least implicitly, whether 15 U.S.C. § 1693a(7)(B) is an “exemption” or a “clarification” to the statutory definition of “electronic fund transfer.” To avoid any ambiguity, the Court refers to that provision as “subsection (7)(B)” throughout this opinion.

3.   While Loper Bright concerned the deference courts must afford agency interpretations of statutes under the Administrative Procedure Act, the Court expressly invoked “the traditional understanding of the judicial function, under which courts must exercise independent judgment in determining the meaning of statutory provisions.” Loper Bright, 144 S. Ct. at 2262. Of course, that exercise does not preclude affording “due respect for the views of the Executive Branch.” See id. at 2267. But “[w]here Congress has spoken, Congress has spoken; only its judgments matter.” Id. at 2300 (Kagan, J., dissenting).

4.   As discussed infra, Regulation E did refer to the same provision under the header “Wire transfers.”

5.   Though the first usage is “transfer,” and the second usage is “transfers,” that difference in form does not present any reason not to afford the term the same scope throughout subsection (7)(B).

6.   The next instance of “transfer” works similarly, describing the wire networks as those “not designed primarily to transfer funds on behalf of a consumer.” Though less telling than the first instance, again, subsection (7)(B) uses the term “transfer” to carve more narrowly than the end-to-end picture of a wire transfer offered by Citibank, as the term transfer refers to the movement of funds “on behalf of” consumers, rather than initiated by them.

7.   And, as discussed further infra, the statutory context of subsection (7)(B) suggests a relatively narrower meaning of the term “transfer” by referring in particular to the movement of funds within a wire network.

8.   Simplification of technical statutory requirements into more colloquial regulatory phrasing was typical at the time Regulation E was promulgated, and at least one expert foresaw the challenges associated with simplifying the EFTA given its inherent complexity. See David C. Hsia, Legislative History and Proposed Regulatory Implementation of the Electronic Fund Transfer Act, 13 U.S.F. L. Rev. 299, 306-07 (1979) (predicting effects of Executive Order 12044’s direction to agencies to use “simple, easily understood language” in drafting regulations on the “FRB's administrative interpretation of the EFTA”).

9.   It is true that, though UCC Article 4A came later than the EFTA, the 1978 Congress knew of its development. The NCEFT compared its recommendations, which would later form the basis for the EFTA, and the then-existing version of the UCC, which the Commission noted was “concerned with the rights and responsibilities of participants in commercial transactions and was developed to provide uniform standards governing these transactions; hence its development was lengthy, evolutionary, and [reflective of] existing business practices.” NCEFT Report at 15. The NCEFT acknowledged that a project was underway to study whether “to amend the UCC to incorporate EFT transactions”—the effort that would later result in Article 4A—but ultimately “believe[d] that [it was] too long to wait to remove the uncertainty surrounding certain consumer rights and responsibilities in EFT transactions.” Id. at 17.

10.   Citibank cites two other cases that rely on Wright but misinterpret its holding. In Pope v. Wells Fargo Bank, N.A., the fraud occurred in the inducement of a wire transfer that was requested by a consumer in person at a regional branch of their financial institution. No. 23-CV-86, 2023 WL 9604555, at *2 (D. Utah Dec. 27, 2023). And though the Pope report and recommendation does conclude that wire transfers fall outside of the EFTA by virtue of subsection (7)(B), it misstates the holding in Wright to do so, writing incorrectly that “the Sixth Circuit ․ held EFTA did not apply to the plaintiff's instructions regarding a same-day wire transfer that was not performed until the next morning because it involved a wire transfer through Fedwire or similar system.” Id. at *4 (emphasis added). In fact, the Sixth Circuit's analysis did not turn on whether a transaction “involved” a wire transfer, which would be broader than even Citibank's construction of subsection (7)(B). Another of Citibank's cases, Trivedi v. Wells Fargo Bank, N.A. likewise misstates Wright’s holding as precluding EFTA liability any time a “transaction involves a wire transfer.” 609 F. Supp. 3d 628, 633 (N.D. Ill. 2022) (emphasis added). Moreover, in Trivedi, it is unclear whether the payment order request was electronic, id. at 630-31, suggesting that the court did not consider whether any individual component of the transaction could be subject to EFTA liability notwithstanding subsection (7)(B).

11.   The final case cited in Citibank's opposition, Bodley v. Clark, 11-CV-8955, 2012 WL 3042175 (S.D.N.Y. July 23, 2012), cited Fischer & Mandell for the rule about subsection (7)(B) and wire transfers, but does not purport to apply it, resting instead on the conclusion that “debit[ing] [an] account without notification ․ is insufficient to sustain an EFTA claim.” 2012 WL 3042175, at *4. Moreover, the court suggested that EFTA liability would have been inappropriate because the plaintiff's bank accounts may not have been for “personal, family, or household purposes,” as is required by the EFTA; because it was not “initiated through an electronic terminal, telephone, computer, or magnetic tape”; and because the plaintiff failed to join the financial institution itself as the proper defendant in an EFTA action. Id. at 4. That no EFT occurred prevented the court from considering whether the text of subsection (7)(B) would permit liability in a case like the one at bar, and the rest of the defects render the terse statement about Fischer & Mandell pure dictum. Similarly, Bhuya v. Citibank, N.A., No. 22-CV-6006, 2024 WL 3256723 (E.D.N.Y. June 6, 2024), was a report and recommendation concerning the highly deferential review of an arbitration award and did not confront the legal question raised by the complaint and Citibank's motion to dismiss the first count and is therefore unpersuasive.

12.   The Fifth Circuit's recent decision affirming the Southern District of Texas in Nazimuddin, brought to the attention of the Court by Citibank in a supplemental letter filed on January 8, 2025 (see ECF No. 47), as NYAG correctly notes, declined to consider arguments raised in this case and thus does not compel a result different than the one the Court reaches here (see ECF No. 48 (“[T]he Fifth Circuit expressly declined to consider [the CFPB's Statement of Interest in this action], deeming such arguments ‘abandoned.’ ”)).

13.   Note, in addition, that this is another instance of the EFTA describing a “transfer” as occurring between a consumer and their financial institution.

14.   That definition is subject to three limitations that are not here at issue. See 15 U.S.C. § 1693a(12)(A)-(C).

15.   Because the complaint itself makes no allegations regarding any consumer's loss of earned interest, the Court will not consider NYAG's third argument in resolving the motion to dismiss. See Coyle v. Coyle, 153 F. App'x 10, 11-12 (2d Cir. 2005) (summary order) (citing Hayden v. County of Nassau, 180 F.3d 42, 54 (2d Cir. 1999)).

16.   Other, irrelevant definitions of the term are excluded here, such as references to a “benefit” as a paid distribution akin to a social security payment or lottery winning. See Benefit, Webster's Third New International Dictionary, Unabridged (1961). In any event, those definitions would only support the result the Court arrives at here, since they imply that receiving a “benefit” connotes an increase in the recipient's wellbeing.

17.   See, e.g., Ohio Power Co. v. FERC, 744 F.2d 162, 167 (D.C. Cir. 1984) (noting that “terms and conditions” is “frequently used as a term of art”); Peck v. Cingular Wireless, LLC, 535 F.3d 1053, 1057-58 (9th Cir. 2008) (holding that the phrase “other terms and conditions” in the Federal Communications Act encompasses “the method of disclosure” and “how line items are displayed or presented on wireless consumers’ bills”); Sheet Metal Workers, Int'l Ass'n, Loc. Union No. 24 v. Architectural Metal Works, Inc., 259 F.3d 418, 433 (6th Cir. 2001) (Batchelder, J., dissenting) (explaining that “terms and conditions of employment” is a “a specialized term of art in federal labor law”); United Steel, Paper & Forestry v. Sekisui Specialty Chems. Am., LLC, No. 11-CV-43, 2012 WL 692810, at *7 (W.D. Ky. Mar. 1, 2012) (finding “terms and conditions” to be ambiguous as used in an arbitration award).

18.   Though the complaint enumerates the allegations into three categories (see Compl. ¶ 286), NYAG, in opposing the motion to dismiss, combined the second and third allegation into one: that the User Agreement's “evidentiary presumption” altered the burden of proof in allocating loss from an unauthorized EFT and alleviated Citibank of the requirement to conduct a reasonable investigation (see Opp. at 43). It suffices here to treat the allegations as comprising two categories, rather than three.

19.   No one disputes that the text of the User Agreement may be considered in resolving the motion to dismiss. Even if that were not the case, if a plaintiff has failed to attach or incorporate by reference a document “upon which it solely relies and which is integral to the complaint,” the defendant may produce the document in its motion to dismiss for failure to state a claim “because plaintiff should not so easily be allowed to escape the consequences of its own failure.” Cortec Indus., Inc. v. Sum Holding L.P., 949 F.2d 42, 47 (2d Cir. 1991); see also Chambers v. Time Warner, Inc., 282 F.3d 147, 153 (2d Cir. 2002).

20.   While NYAG does not make the argument specifically, the quoted material also does not alleviate Citibank of any EFTA obligation to conduct a reasonable investigation. Though Citibank may make the incorrect decision to deny reimbursement or avoid an investigation based on its internal records, that does not limit the consumer's statutory remedy in the event Citibank fails to satisfy its EFTA obligations. That is distinct from NYAG's allegation that the User Agreement alters the burden of proof in EFTA actions in violation of 15 U.S.C. § 1693l, which is a reasonable reading of the contract and thus inappropriate for dismissal at this stage.

21.   That hypothetical EFTA action might be for failure to provisionally credit an account, reimburse a consumer, or to conduct a reasonable investigation. See 15 U.S.C. §§ 1693f, 1693g. In any such action, that there is a reasonable interpretation of the User Agreement mandating a burden of proof other than that provided by Section 1693g(b) satisfies NYAG's obligation at this stage to plead a plausible violation of Section 1693l’s anti-waiver rule.

22.   Both parties cite the UCC. Of course, the UCC is not the governing law in New York or anywhere; the version adopted by the New York legislature is. That provision, NY UCC § 4-A-204, does not differ in meaningful respect from model code.

23.   In other cases, plaintiffs have argued that their state-law claims are not preempted because “they do not involve information transmitted to any credit reporting agency.” See Prignoli v. Bruczynski, No. 20-CV-907, 2021 WL 4443895, at *9 n.11 (E.D.N.Y. Sept. 28, 2011). NYAG does not advance this argument. But just to avoid confusion, it appears that many of the cases raising that argument concerned other preemption provisions of Section 1681t that do concern, e.g., the “responsibilities of persons who furnish information to consumer reporting agencies.” See 15 U.S.C. § 1681t(b)(1)(F). This case concerns subsection 1681t(5)(F), which contains no similar language, but only the terse statement that prohibits state regulations “with respect to the conduct required by the specific provisions of ․subsections (e), (f), and (g) of section 1681m.” 15 U.S.C. § 1681t(b)(5)(F). This is significant, too, because Galper concerned a different subsection providing for preemption of laws “relating to the responsibilities of persons who furnish information to consumer reporting agencies.” Galper, 802 F.3d at 445. To the extent that other decisions from this District have relied on language from Galper explaining the significance of the “persons who furnish information to consumer reporting agencies” component of the preemption provision it was analyzing, those decisions are not applicable to the issue in this case. Accord Consumer Data Indus. Ass'n v. Frey, 26 F.4th 1, 7 (1st Cir. 2022) (tailoring the FCRA preemption inquiry to the “subject matter regulated” by the provision cross-referenced by the particular subsection of 15 U.S.C. § 1681t invoked by the defendant).

24.   Only one other court appears to have confronted the effects of FCRA's preemption requirements on subsection 1681m(e). In Pasternak v. Trans Union, Judge Jenkins of the Northern District of California rejected an argument that Section 1681t preempted a state-law claim by virtue of overlap with subsection 1681m(e). No. 07-CV-4980, 2008 WL 928840, at *5 (N.D. Cal. Apr. 3, 2008). That case concerned a suit brought by a customer against the bank after the bank sought to collect on credit card debt incurred by a scammer that stole the customer's identity. Id. at *1. Rejecting the bank's preemption defense, the court explained that “subsections [1681m(e) and 1681(m)(f)] do not have a broad enough scope to preempt state regulation of the alleged misconduct,” and in particular that “the regulations prescribed by [subsection 1681m(e)] do not concern a bank's behavior towards a consumer other than reporting information about consumer[s] to [consumer reporting agencies].” Id. If the law at the time of Pasternak was the same as now, its reasoning would be forceful here. But the relevant provisions of the Red Flags Rule were not codified until well after the events giving rise to liability in that case occurred, and it does not appear that the court considered the FTC's new regulations.

25.   That law deems any violation of the SHIELD Act as a violation of General Business Law § 349, as well. See N.Y. Gen. Bus. L. § 899-bb(2)(d).

26.   The question of the appropriate standard of review of NYAG's fraud claim is not discussed by the parties. However, the Court must determine which federal pleading standard applies in order to decide the motion. Though fraud claims are typically subject to heightened requirements in federal court by virtue of Federal Rule of Civil Procedure 9(b), “NYAG's claim under N.Y. Executive Law § 63(12) is ․ not subject to this heightened pleading standard because the underlying conduct is premised on deceptive acts or practices that do not include intent or reliance as an element of those claims.” RD Leg. Funding, 332 F. Supp. 3d at 769.

27.   Though the complaint distinguishes between “fraud” (Claim VII) and “deceptive acts and practices” (Claim VIII), the parties collapse the distinction in briefing the motion to dismiss. (See Mem. at 52-56; Opp. at 54-57.)

28.   For the remainder of this section of the opinion, factual allegations concerning the fraud and deceptive-acts-and-practices claims refer to those in Claim VII. They are identical in all material respects to those in Claim VIII.

J. PAUL OETKEN, District Judge: