/security

News and resources on cyber and physical threats to banks and fintechs worldwide.

New York AG sues Citi over lax security and failure to reimburse fraud victims

New York's Attorney General is suing Citibank for failing to protect customers from fraud and scams.

  0 Be the first to comment

New York AG sues Citi over lax security and failure to reimburse fraud victims

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The lawsuit alleges that Citi does not implement strong online protections to stop unauthorized account takeovers, misleads account holders about their rights after their accounts are hacked and funds are stolen, and illegally denies reimbursement to victims of fraud.

The Office of the Attorney General (OAG) claims to have evidence that the bank fails to respond to fraudulent activity appropriately and quickly. As a result of Citi’s lax security, New York customers have lost millions of dollars, and in some instances, their entire lifesavings, to scammers and hackers, says Attorrney General Letitia James.

She is seeking to hold Citi accountable and require the company to pay back defrauded New Yorkers with interest, pay penalties, and adopt enhanced anti-fraud defenses to prevent scammers from stealing consumers’ funds.

“Banks are supposed to be the safest place to keep money, yet Citi’s negligence has allowed scammers to steal millions of dollars from hardworking people,” says James. “Many New Yorkers rely on online banking to pay bills or save for big milestones, and if a bank cannot secure its customers’ accounts, they are failing in their most basic duty. There is no excuse for Citi’s failure to protect and prevent millions of dollars from being stolen from customers’ accounts and my office will not write off illegal behavior from big banks.”

The OAG found that Citi’s systems do not respond effectively to red flags, such as scammers who are using unrecognized devices, are accessing accounts from new locations, or are changing banking passwords or usernames. Additionally, Citi systems do not flag and stop efforts to transfer funds from multiple accounts into a single account and then send tens of thousands of dollars out the door in minutes. Citi also does not automatically initiate investigations or report fraudulent activity to police or law enforcement authorities when consumers first report it to Citi.

In addition, says the OAG, Citi fails to appropriately respond to notifications of fraud by its customers. When victims contact the bank to report fraud, Citi leaves them on lengthy telephone holds, allowing scammers to continue their fraud. Additionally, Citi does not implement sufficient measures to protect consumers from future unauthorized transactions until they visit a local branch and execute special affidavits detailing the scams that led to their losses — information Citi then used to blame consumers and deny their claims.

Attorney General James alleges that because Citi makes wire transfers available to consumers online and through mobile banking apps, it must reimburse victims of fraud under the Electronic Fund Transfer Act (EFTA), similar to when banks reimburse victims of electronic credit or debit card fraud.

Under EFTA, banks such as Citi are required to reimburse their customers for money in their accounts that is lost or stolen through unauthorized electronic payments. The OAG alleges that Citi "illegally exploited" a narrow exception in these laws to deny consumer claims for reimbursement, resulting in millions of dollars in losses for New York consumers.

"Through this lawsuit, Attorney General James is seeking to stop Citi’s deceptive practices and to collect restitution for victims who were denied reimbursement in the last six years, penalties, and disgorgement."

In a statement, Citi says: “Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible. Banks are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived.

"However, given the industry-wide surge in wire fraud during the last several years, we’ve taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education. Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats.”

Sponsored [Impact Study] 2024 Fraud Trends in Banking, Insurance, and Beyond

Comments: (0)

[Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming MandatesFinextra Promoted[Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates