
    Frederick P. Ognibene, Plaintiff, v Citibank, N. A., Defendant.
    Civil Court of the City of New York, New York County,
    December 9, 1981
    APPEARANCES OF COUNSEL
    
      Frederick P. Ognibene, plaintiff pro se. Leonard D. Rosen for defendant.
   OPINION OF THE COURT

Mara T. Thorpe, J.

Plaintiff seeks to recover $400 withdrawn from his account at the defendant bank by an unauthorized person using an automated teller machine. The court has concluded that plaintiff was the victim of a scam which defendant has been aware of for some time.

Defendant’s witness, an assistant manager of one of its branches, described how the scam works: A customer enters the automated teller machine (ATM) area for the purpose of using a machine for the transaction of business with the bank. At the time that he enters, a person is using the customer service telephone located between the two automated teller machines and appears to be telling customer service that one of the machines is malfunctioning. This person is the perpetrator of the scam and his conversation with customer service is only simulated. He observes the customer press his personal identification code into one of the two machines. Having learned the code, the perpetrator then tells the customer that customer service has advised him to ask the customer to insert his Citicard into the allegedly malfunctioning machine to check whether it will work with a card other than the perpetrator’s. When a good Samaritan customer accedes to the request, the other machine is activated. The perpetrator then presses a code into the machine, which the customer does not realize is his own code which the perpetrator has just observed. After continuing the simulated conversation on the telephone, the perpetrator advises the customer that customer service has asked if he would try his Citicard in the allegedly malfunctioning machine once more. A second insertion of the card permits cash to be released by the machine, and if the customer does as requested, the thief has effectuated a cash withdrawal from the unwary customer’s account.

Plaintiff testified that on August 16,1981, he went to the ATM area at one of defendant’s branches and activated one of the machines with his Citibank card, pressed in his personal identification code and withdrew $20. While he did this a person who was using the telephone between plaintiff’s machine and the adjoining machine said into the telephone, “I’ll see if his card works in my machine.” Thereupon he asked plaintiff if he could use his card to see if the other machine was working. Plaintiff handed it to him and saw him insert it into the adjoining machine at least two times while stating into the telephone, “Yes, it seems to be working.”

Defendant’s computer records in evidence show that two withdrawals of $200 each from plaintiff’s account were made on August 16, 1981, on the machine adjoining the one plaintiff used for his $20 withdrawal. The two $200 withdrawals were made at 5:42 p.m. and 5:43 p.m., respectively; plaintiff’s own $20 withdrawal was made at 5:41 p.m. At the time, plaintiff was unaware that any withdrawals from his account were being made on the adjoining machine.

The only fair and reasonable inferences to be drawn from all of the evidence are that the person who appeared to be conversing on the telephone observed the plaintiff enter his personal identification code into the machine from which he withdrew $20 and that he entered it into the adjoining machine while simulating a conversation with customer service about that machine’s malfunctioning. It is conceded in the testimony of defendant’s assistant branch manager that it would have been possible for a person who was positioned so as to appear to be speaking on the telephone physically to observe the code being entered into the machine by plaintiff. Although plaintiff is not certain that his card was inserted in the adjoining machine more than twice, the circumstances indicate that it was inserted four times. No issue of fraud by plaintiff or anyone acting in concert with him has been raised' by defendant. Having observed plaintiff’s demeanor, the court found him to be a credible witness and is of the opinion that no such issues exist in this case.

The basic rights, liabilities and responsibilities of the banks which offer electronic money transfer services and the consumers who use them have been established by the Federal legislation contained in section 1693 et seq. of title 15 of the United States Code, commonly called the Electronic Fund Transfer Act (EFT). Although the EFT Act pre-empts State law only to the extent of any inconsistency (US Code, tit 15, § 1693q), to date New York State had not enacted legislation which governs the resolution of the issues herein. Therefore, the EFT Act is applicable.

The EFT Act places various limits on a consumer’s liability for electronic fund transfers from his account if they are “unauthorized”. Insofar as is relevant here, a transfer is “unauthorized” if (1) it is initiated by a person other than the consumer and without actual authority to initiate such transfer, (2) the consumer receives no benefit from it, and (3) the consumer did not furnish such person “with the card, code, or other means of access” to his account. (US Code, tit 15, § 1693a, subd [11].)

In an action involving a consumer’s liability for an electronic fund transfer, such as the one at bar, the burden of going forward to show an “unauthorized” transfer from his account is on the consumer. The EFT Act places upon the bank, however, the burden of proof of any consumer liability for the transfer. (US Code, tit 15, § 1693g, subd [b].) To establish full liability on the part of the consumer, the bank must prove that the transfer was authorized. To be entitled to even the limited liability imposed by the statute on the consumer, the bank must prove that certain conditions of consumer liability, set forth in title 15 (§ 1693g, subd [a]) of the United States Code, have been met and that certain disclosures mandated by title 15 (§ 1693c, subd [a], pars [1], [2]) of the United States Code have been made. (US Code, tit 15, § 1693g, subd [b].)

Plaintiff herein met his burden of going forward. He did not initiate the withdrawals in question, did not authorize the person in the ATM area to make them, and did not benefit from them.

However, defendant’s position is, in essence, that although plaintiff was duped, the bank’s burden of proof on the issue of authorization has been met by plaintiff’s testimony that he permitted his card to be used in the adjoining machine by the other person. The court does not agree.

The EFT Act requires that the consumer have furnished to a person initiating the transfer the “card, code, or other means of access” to his account to be ineligible for the limitations on liability afforded by the act when transfers are “unauthorized”. The evidence establishes that in order to obtain access to an account via an automated teller machine, both the card and the personal identification code must be used. Thus, by merely giving his card to the person initiating the transfer, a consumer does not furnish the “means of access” to his account. To do so, he would have to furnish the personal identification code as well. See 12 CFR 205.2 (a) (1), the regulation promulgated under the EFT Act which defines “access device” as “a card, code or other means of access to [an] * * * account, or any combination thereof” (emphasis added).

The court finds that plaintiff did not furnish his personal identification code to the person initiating the $400 transfer within the meaning of the EFT Act. There is no evidence that he deliberately or even negligently did so. On the contrary, the unauthorized person was able to obtain the code because of defendant’s own negligence. Since the bank had knowledge of the scam and its operational details (including the central role of the customer service telephone), it was negligent in failing to provide plaintiff customer with information sufficient to alert him to the danger when he found himself in the position of a potential victim. Although in June, 1981, after the scam came to defendant’s attention, it posted signs in its ATM areas containing a red circle approximately 2Vz inches in diameter in which is written “Do Not Let Your Citicard Be Used For Any Transaction But Your Own”, the court finds that this printed admonition is not a sufficient security measure since it fails to state the reason why one should not do so. Since a customer of defendant’s electronic fund transfer service must employ both the card and the personal identification code in order to withdraw money from his account, the danger of loaning his card briefly for the purpose of checking the functioning of an adjoining automated teller machine would not be immediately apparent to one who has not divulged his personal identification number and who is unaware that it has been revealed merely by virtue of his own transaction with the machine.

Since the bank established the electronic fund transfer service and has the ability to tighten its security characteristics, the responsibility for the fact that plaintiff’s code, one of the two necessary components of the “access device” or “means of access” to his account, was observed and utilized as it was must rest with the bank.

For the foregoing reasons and in view of the fact that the primary purpose of the EFT Act and the regulation promulgated thereunder is the protection of individual consumers (12 CFR 205.1 [b]), the court concludes that plaintiff did not furnish his code to anyone within the meaning of the act. Accordingly, since the person who obtained it did not have actual authority to initiate the transfer, the transfer qualifies as an “unauthorized” one under title 15 (§ 1693a, subd [11]) of the United States Code and the bank cannot hold plaintiff fully liable for the $400 withdrawal.

To avail itself of the limited liability imposed by the act upon a consumer in the event of an “unauthorized” transfer, the bank must demonstrate (1) that the means of access utilized for the transfer was “accepted” and (2) that the bank has provided a way which the user of the means of access can be identified as the person authorized to use it. (US Code, tit 15, § 1693g, subds [a], [b].) One definition of “accepted” under the act is that the consumer has used the means of access. (US Code, tit 15, § 1693a, subd [1].) Both of the foregoing conditions of liability have been met here since plaintiff used the means of access to his account to withdraw the $20 and had been given a personal identification code.

Additionally, the bank must prove that it disclosed to the consumer his liability for unauthorized electronic fund transfers and certain information pertaining to notification of the bank in the event the consumer believes that an unauthorized transfer has been or may be effected. (US Code, tit 15, § 1693c, subd [a], pars [1], [2]; § 1693g, subd [b].) Defendant did not establish that it made such disclosures to plaintiff. Accordingly, it is not entitled to avail itself of the benefit of the limited liability for unauthorized transfers imposed upon consumers by the act.

For the foregoing reasons, judgment shall be for plaintiff in the sum of $400.  