Business account takeover (“ATO”) fraud occurs where a threat actor gains access to a business account on a payments platform (e.g., a payroll or accounts payable tool) or fraudulently creates such an account and engages in unauthorized transactions.¹ Once on the platform, the threat actor typically causes payments or refunds to be made and/or redirected to an account to which he or she has access. Once the funds arrive, they are quickly withdrawn or sent elsewhere, allowing the threat actor to abscond with the proceeds before the business or the platform can effectively claw back the transfers.

The legal trajectory of ATO disputes often turns on two factors:

1. the formation of a legitimate contractual relationship between the “true” business and the platform; and
2. the existence and extent of any security failings that contributed to the fraudulent scheme’s success.

But, even in the best of cases, a business pursuing recovery of funds from a platform for unauthorized activity on its account faces an uphill, if not unwinnable, battle.

Business Identity Theft

In the case of business identity theft, where the true business never had a contractual relationship with the platform (commonly, when an account is opened by a third party impersonating a business without the knowledge and consent of the true business owner), there is little precedent to inform what liability the platform might have to the impersonated business. At times, counsel have argued that the payments platform is liable under a common law claim for negligence or a statutory claim for unfair or deceptive business practices. The problem with those arguments, however, is that there is virtually no authority recognizing the existence of a duty flowing from a payments platform to a non-consumer user of its services. And even if there were, there is no body of precedent establishing what standard of care a platform is obligated to use (beyond performing fundamental Know Your Customer (“KYC”) processes) to validate the true identity of someone purporting to open an account in the name of a particular organization. Pursuing such claims, therefore, encounters the doubly difficult task of garnering legal recognition of a duty to ferret out business impersonators and proving that whatever security safeguards the platform implemented were insufficient to satisfy that duty. And even if those hurdles can be surmounted, the victim then has to grapple with the allocation of fault to the “empty chair” of the third-party threat actor who fraudulently impersonated the business to create the account, not to mention its own potential security lapses that may have contributed to the compromise.

Moreover, where the payments platform handled card payments, the victim and its principal(s) may also find themselves placed on Mastercard’s Member Alert to Control High-Risk Merchants (“MATCH”) list for business identity theft. Although less prone than other MATCH reason codes to prevent reentry in the payment card ecosystem, such a designation can increase the difficulty and expense associated with maintaining or forming new payment-card processor relationships. Disgruntled businesses have likewise threatened claims for defamation or tortious interreference associated with such MATCH placement against the merchant acquirer that submitted their names for inclusion. But those claims, too, face strong headwinds. After all, the information supplied by the platform (or its banking partner) is accurate. Reporting a business to MATCH for identity theft indicates only that, at the time the merchant relationship was terminated, the acquirer had “reason to believe” that the business’ identity had been compromised. Where the business’ identity has been coopted by a threat actor, that statement is entirely accurate. And notifying other would-be acquirers of that incident through a MATCH listing serves to protect the victim from future identity-theft attempts — erecting a higher bar for entry so that only the “true” merchant can transact in the business’ name.

“Hacked” Accounts

Where a legitimate account is instead “hacked,” and an unauthorized actor transacts on a business’ platform account without its consent, the legal landscape is less murky, but often just as unrewarding. A well-drafted payments platform agreement will often have layers of protection insulating the platform from liability due to the acts of unauthorized threat actors. These terms may include:

• Disclaimers of warranties
• Limitations of liability, including outright disclaimers of any liability for account activity undertaken under the user’s login and password
• Obligations imposed on the user to secure its account credentials
• Obligations imposed on the user to review it statements and promptly report unauthorized activity

Although the law varies by state, these contractual protections often prove impenetrable. To be sure, certain states require a certain degree of prominence or conspicuousness for exculpatory provisions to be enforceable, while others limit a party’s ability to disclaim liability for its own negligence or gross negligence. But, outside the realm of unconscionability, the law generally allows businesses the freedom to contract with one another on terms they deem appropriate.² See generally Alghadeer Bakery & Mkt., Inc. v. Worldpay US, Inc., Case No. 1:16-cv-03627, 2018 WL 5016496, at *2-*5 (N.D. Ga. Oct. 16, 2018). Generally speaking, courts have been loath to disregard these legitimate contractual protections in order to facilitate a victim’s recovery from a payments platform (especially one that is likewise a victim of the same criminal actor).

A Path Forward

Notwithstanding the relative lack of exposure for ATO events, payments platforms are not impervious to the escalating trend of unauthorized account activity. Reputational pressure, the possibility of regulatory scrutiny or unrecoverable losses, and a general reluctance to have perceived security failings litigated in court have spurred security enhancements, suspicious activity monitoring, and good-faith attempts at resolving customer disputes involving fraudulent or compromised accounts.

Additional regulatory guidance, akin to CFPB Circular 2022-04 (Insufficient data protection or security for sensitive consumer information), may be beneficial as business platforms attempt to develop cohesive strategies to enhance business account security. But the most effective solution for concerned businesses may be to pursue cyber insurance that covers unauthorized account activity on third-party platforms. The simple reality is that security is always an arms race, and motivated bad actors can frequently overcome even the most robust security protections. It is illogical to assume that intrusions will never occur. Rather, the risk of business ATOs should be mitigated like other forms of property crime risk — with insurance that compensates victims without the necessity of allocating fault among other victimized persons or entities.

[1] Account takeovers of consumer accounts are governed by a more robust statutory and regulatory landscape, including the Fair Credit Billing Act (“FCBA”), 15 U.S.C. § 1601 et seq., and Regulation E, 12 CFR Part 1005 et seq. Consumer protections, however, are beyond the scope of this article.

[2] This freedom of contract is more limited in the context of “payment orders” executed by a bank. See U.C.C. § 4A-202. The definition of a payment order, however, is a narrow one, and courts have been generally reluctant to expand the protections afforded by Article 4A of the U.C.C. outside of the narrow context of payment orders as defined by statute.