Who Bears the Burden for a Fraudulently Intercepted ACH Payment?

Imagine you receive an email from a known creditor containing an invoice for an account payable. The email contains instructions for you to pay the invoice through an accredited clearing house (“ACH”). The email further contains the creditor’s bank account information for depositing the ACH payment. You pay the invoice by depositing the ACH payment as instructed in the email. You later discover the creditor’s email system was hacked and the bank account information provided in the email belonged to third-party hackers. The creditor never received the ACH payment and has not been compensated for the goods or services it provided you. Do you still owe the creditor? The law is still unclear. However, a recent decision on a preliminary motion by a federal judge of the United States District Court for the District of Massachusetts would indicate that, under certain circumstances, the answer may be yes. The decision sheds new light on the obligations of both purchasers and sellers when payment is made through an ACH.

Whether a purchaser is justified or excused from paying a seller due to a fraudulently intercepted ACH payment will ultimately depend on:

• Whether the seller took reasonable steps to secure or maintain its email system;
• Whether the seller knew, or should have known, that its email system had been compromised;
• Whether the purchaser took reasonable steps to verify the bank account information before attempting to pay the seller; and
• Whether the seller knew or should have known that the email and correspondence was fraudulent.

The case involved a breach of contract lawsuit for the sale of eggs. At the beginning of the parties’ contractual relationship, the seller required the purchaser to enter into an ACH Agreement, which provided the terms under which the purchaser would pay the seller for the eggs. The ACH Agreement specified the bank account belonging to the seller and authorized the purchaser to make deposits into that account for payment of the seller’s invoices.

The parties’ contractual relationship was at first uneventful. The seller delivered eggs to the purchaser, and the purchaser paid the seller for the eggs pursuant to the terms of the ACH Agreement. Roughly one-year into the parties’ contractual relationship, however, the purchaser received an email that appeared to be from the seller’s email account stating that the seller’s bank account was changing and that the purchaser would receive new ACH payment instructions. Notably, the correspondence attached to the new ACH payment instructions incorrectly identified the seller’s address, contained at least one additional typographical error, and was not personally addressed or signed.

The purchaser did not require a new ACH Agreement and did not follow up with a telephone call to the seller to verify the bank account in the new ACH payment instructions. For the next three months, the purchaser made nine deposits totaling almost one million dollars into the new bank account, completely unaware that this account was in fact controlled by third-party hackers, not the seller. The purchaser became aware of the fraud only after the seller made demand upon the delinquent account.

When the purchaser failed to cure the delinquent account, the seller sued for breach of contract. In defense, the purchaser argued that its failure to pay the seller was justified.