New York Attorney General (AG) Letitia James has filed a lawsuit against Citibank, alleging the bank failed to do enough to protect and reimburse victims of fraud.
The lawsuit argues that New York customers lost millions of dollars – in some cases their entire life savings – to scammers and hackers because of Citi’s weak security and anti-fraud protections.
It also alleges that Citi does not implement strong online protections to stop unauthorized account takeovers, misleads account holders about their rights after their accounts are hacked and funds are stolen, and illegally denies reimbursement to victims of fraud.
The AG’s Office found that the bank fails to respond to fraudulent activity appropriately and quickly, and it wants the company to pay back defrauded New Yorkers with interest, pay penalties, and adopt enhanced anti-fraud defenses to prevent scammers from stealing consumers’ funds.
“Banks are supposed to be the safest place to keep money, yet Citi’s negligence has allowed scammers to steal millions of dollars from hardworking people,” said James. “Many New Yorkers rely on online banking to pay bills or save for big milestones, and if a bank cannot secure its customers’ accounts, they are failing in their most basic duty. There is no excuse for Citi’s failure to protect and prevent millions of dollars from being stolen from customers’ accounts and my office will not write off illegal behavior from big banks.”
Text scam example
James cites a case in which a Citi customer, in October 2021, received a text message appearing to be from the bank, instructing her to log onto a website or call her local branch. The customer clicked the link in the message and later called her branch to report the activity; when she did, the Citi employee told her not to worry about it.
Within three days, she said, she realized a scammer had changed her banking password, enrolled in online wire transfers, transferred $70,000 from her savings to her checking account, and electronically pushed a $40,000 wire transfer. Such transfers were inconsistent with the customer’s account history, James argued, and should have been a red flag of fraudulent behavior.
The customer stayed in touch with the bank and submitted affidavits, but her fraud claim was ultimately denied, James said.
James asserted that Citi is required by the Electronic Fund Transfer Act to reimburse victims of fraud because the bank makes wire transfers available to consumers online and through mobile banking apps.
Citi responds
“Banks are not required to make customers whole when those customers follow criminals’ instructions and banks can see no indication the customers are being deceived,” Citi said in a statement Tuesday seen by CNBC. The bank said it has “taken proactive steps” to buffer accounts with “leading security protocols, intuitive fraud prevention tools [and] clear insights about the latest scams”.
“Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats,” the bank said.