As businesses across the country begin to reopen in the wake of COVID-19, they should prepare for an anticipated surge of embezzlement schemes by employees — and banks and financial institutions should prepare for a surge of lawsuits. It is important that businesses take action now to protect themselves, and both businesses and financial institutions must understand when the buck does and does not stop with the bank.
The Typical Employee Embezzlement Scheme
Employee embezzlement schemes take many different forms. While the most common form of employee theft involves stealing office supplies, the most damaging form involves bookkeepers or other trusted employees who gain access to their employer’s blank checks, forge the employer’s signature on checks, make payments either directly to themselves or to fictitious payees, and deposit the funds into their own accounts. In many instances, such schemes last many months or even years before the fraud is discovered, resulting in losses ranging from tens of thousands to millions of dollars.
The Association of Certified Fraud Examiners (ACFE) studies occupational fraud and its 2020 global report is enlightening:
The ACFE studied 2,504 cases of occupational fraud across 125 countries totaling $3.6 billion in losses.
The countries with the highest number of reported cases of occupational fraud are the United States and Canada.
While theft of physical assets is the most common type of fraud, it is the least costly. By contrast, while financial statement theft (including check forgery) is the least common, it is the most costly.
The typical occupational fraud case lasts 14 months before detection.
Check forgery and payment tampering fraud is four times higher in small businesses than in larger ones.
The full report can be found here.
The Expected Uptick in Claims as Businesses Reopen Following COVID-19 Lockdowns
In connection with COVID-19 related stay-at-home orders, Americans lost jobs at an unprecedented rate. As of the time of this Alert, it is reported that more than 40 million Americans filed for unemployment following the lockdown orders. For many, the last several months have been a time of extreme financial stress.
In times of economic crisis, there is invariably an uptick in financial fraud as desperation sinks in and people act on poorly considered impulses. While cases of employee embezzlement have always existed, the next six months to a year will likely see a sharp rise in these claims.
What Do Such Cases Look Like?
By the time an employer discovers an embezzlement scheme, there is often little economic utility in pursuing the employee directly, because the employee has spent the money and is judgment-proof. Although a criminal court may order restitution , in most cases the funds are never recovered. Because pursuit of the employee is so often a dead end, employers will look to the only deep pocket they can find – their bank or financial institution.
Both Statutory and Case Law Favor the Banks in Embezzlement Cases
The relationship between a bank and its depositors is that of debtor and creditor, and banks owe no fiduciary duty to their depositors. Contrary to popular belief, a bank is not required to monitor account activity or make inquiries as to how customer funds are spent. Due to the misconception that banks have such a duty, employers often file meritless and costly claims against their banks.
When dealing with a forged check claim, banks typically have two defenses: (1) the customer’s delay in notifying the bank and/or filing a lawsuit, and (2) contributory negligence. In enacting California Code of Civil Procedure Section 340, the legislature sought to bring uniformity to claims involving forged or unauthorized endorsements. This section provides a one-year statute of limitations, triggered from the date that a routine monthly account statement reporting the unauthorized check becomes available to the customer, and acts to bar stale claims regardless of whether or not the bank was negligent in paying the check. It is important to understand that the bank has no burden to demonstrate that the monthly statement was actually received by the customer, or that the customer reviewed it. Because most banks and other financial institutions make monthly statements available online, the limitations period starts to run when the statement is posted online.
This time bar is premised upon the public policy consideration that the employer is always in a better position than its bank to discover bookkeeper fraud simply by properly supervising its employees and exercising its duty to review monthly account statements. Notably, courts have routinely held that employers are not excused from the duty to review monthly account statements even when bookkeepers intercept those monthly statements and “prevent” the employer from reviewing them. Indeed, knowledge that would have been gained from properly reviewing the monthly account statements is imputed to the employer, regardless of the faithless employee’s efforts to conceal them.
Further, California Commercial Code Section 4406 (adopted from Uniform Commercial Code 4-406) provides for claims preclusion. Upon receipt of monthly account statements, Section 4406 requires the customer to report unauthorized activity within a period “not exceeding 30 days.” If the account agreement between the bank and its customer provides for a shorter reporting period (often referred to as a contractual “cut down” provision), such reduced periods will typically be upheld, and courts have upheld cut down provisions limiting the reporting period to as little as 14 days.
The effect of Section 4406’s claim preclusion ties together the issues of timeliness of reporting the loss and contributory negligence. Analogous to the limitations period contained within Code of Civil Procedure Section 340, if the customer does not discover and report an unauthorized transaction to the bank within one year of the monthly statement containing the transactions being made available, the customer is precluded from recovering against the bank without regard to any possible lack of care on the part of the bank. However, a contributory negligence analysis can come into play if reported within less than one year. If the bank demonstrates that (1) the customer failed to timely report the unauthorized checks and (2) such failure contributed to the loss, the customer will be unable to assert a claim against the bank. Conversely, if the customer demonstrates that the bank did not exercise ordinary care in paying the item, the loss is allocated based upon the respective fault of the customer and the bank. This allocation typically favors the bank.
Taking the contributory negligence concept further, in employee embezzlement situations there typically is a single wrongdoer — a bookkeeper or other trusted employee. That person, perhaps emboldened by their employer’s failure to catch the first instance of forgery, will forge a series of checks over an extended period of time. The litigation landscape of such claims was drastically changed by the decision in Espresso Roma Corp. v. Bank of America, 100 Cal.App.4th 525 (2002). The facts typify the routine, long-term embezzlement scheme. Espresso Roma employed a bookkeeper who, starting in late 1997, stole blank checks, learned how to generate company checks on his home computer, forged his employer’s signature, and used those checks to pay his personal bills. The bookkeeper acted to conceal his embezzlement by intercepting the mail and removing the forged checks from the envelopes before delivering the monthly account statements to his employer. Espresso Roma did not discover this scheme until mid-1999 — nearly two years after the embezzlement began, and after the bookkeeper had embezzled more than $330,000.
The court applied the so-called “repeater rule,” codified in Commercial Code Section 4406(d), which provides that if a customer fails to timely report the first unauthorized check forged by a single wrongdoer, the customer is precluded from recovering for any subsequent checks forged by the same wrongdoer.
The customer can attempt to overcome this preclusion by demonstrating that the bank failed to exercise ordinary care in paying the items. To establish ordinary care, banks typically rely on expert testimony. In Espresso Roma, Bank of America’s expert testified that it, along with similarly sized banks in the San Francisco Bay area, are “bulk filers” — meaning that it processes millions of checks per day and does not visually examine every check or verify signatures. Although the bank uses fraud filters, these filters cannot “catch a crooked employee who forges his employer’s checks, which only the employer would know are forged.”
The court held that Bank of America acted with ordinary care and, therefore, the customer’s failure to timely report the first of its bookkeeper’s forgeries barred the customer’s recovery. This was a landmark decision for banks because the repeater rule, coupled with the bulk-filing standards, provides even greater protections to banks than the one-year statute of limitations. Indeed, these defenses are even more relevant today due to the increasing prevalence of digital deposits and other growing uses of technology in everyday banking.
If These Lawsuits Favor Banks, What Can Employers Do to Protect Themselves?
Because bank defenses rely largely on the duty of employers to timely review their monthly statements and report unauthorized transactions, it is incumbent upon businesses to create a system of checks and balances to prevent a faithless employee from covering up their embezzlement efforts. Large corporations have entire teams of people in their finance departments handling accounts payable and accounts receivable and, therefore, are more insulated from such activity. Smaller corporations and other businesses will often hire a single bookkeeper and often provide little to no oversight of their activities. If the faithless bookkeeper conceals or doctors the monthly statements, their embezzlement activity can go undetected for a considerable length of time. Accordingly, best practices include having at least two employees in this role, along with direct review and supervision of their activities. Employers should also consider downloading their monthly statements directly from their bank’s website instead of relying upon the potentially doctored versions handed to them by their bookkeepers.
In conclusion, employers must realize that they, not their banks, are the first line of defense in preventing and detecting employee embezzlement. When these matters result in lawsuits against banks, financial institutions can turn to the defenses and strategies outlined above to help insulate themselves from liability