Opinion
21 Civ. 8519(NRB)
2023-03-23
123RF LLC, Plaintiff, v. HSBC BANK USA, N.A., Defendant.
Evangeline Zimmerman Burbidge, Paul Llewellyn, Tobias George Snyder, Lewis & Llewellyn LLP, San Francisco, CA, Evan Steele Fensterstock, Fensterstock, P.C., New York, NY, for Plaintiff. Jeremy Michael Amar-Dolan, Phillips Lytle LLP, Buffalo, NY, Preston Lee Zarlock, Phillips Lytle LLP, New York, NY, for Defendant.
Evangeline Zimmerman Burbidge, Paul Llewellyn, Tobias George Snyder, Lewis & Llewellyn LLP, San Francisco, CA, Evan Steele Fensterstock, Fensterstock, P.C., New York, NY, for Plaintiff. Jeremy Michael Amar-Dolan, Phillips Lytle LLP, Buffalo, NY, Preston Lee Zarlock, Phillips Lytle LLP, New York, NY, for Defendant.
MEMORANDUM AND ORDER
NAOMI REICE BUCHWALD, UNITED STATES DISTRICT JUDGE
123RF LLC ("123RF" or "plaintiff") alleges that, over the course of almost two years, hundreds of unauthorized Automated Clearing House debits ("unauthorized transactions" or "ACH debits") were made from plaintiff's account, totaling close to $1.5 million. The source and mechanism of these transactions is unclear, as is why it took so long to correct the problem. Nevertheless, plaintiff filed this suit alleging that HSBC Bank USA, N.A ("HSBC" or "defendant"), which manages plaintiff's commercial bank account, should be held responsible. In essence, plaintiff asserts that HSBC should have caught the fraudulent transactions because HSBC should have used proper security procedures, especially since HSBC knew that 123RF did not make ACH debits on the account.
Specifically, the Amended Complaint asserts eight causes of action. See Amended Complaint ("AC"), ECF No. 25. First, it alleges that defendant breached New York Uniform Commercial Code ("N.Y. U.C.C.") § 4-A-204(1) for failing to refund plaintiff for the unauthorized transactions. Next, plaintiff brings claims for negligence and gross negligence, alleging that defendant breached its duty of care by failing to follow certain internal procedures, failing to properly monitor the account, and failing to notify plaintiff. The Amended Complaint then alleges that defendant breached the U.S. Commercial Deposit Account Agreement ("USCDAA") by not following security procedures. In addition, plaintiff asserts common law claims for fraud based on defendant's representations about security procedures, breach of fiduciary duty, and breach of the implied covenant of good faith and fair dealing. Finally, plaintiff brings a statutory claim for violation of New York's General Business Law ("G.B.L.") § 349, as defendant allegedly engaged in deceptive acts.
Defendant now moves to dismiss all of the claims, arguing, first, that all of the claims are time-barred, and second, that the individual claims are either preempted by N.Y. U.C.C. Article 4-A or fail to state a claim. See Def. Mem. of Law in Support of its Motion to Dismiss ("Def. Br."), ECF No. 28.
For the reasons outlined below, the Court finds that claims related to unauthorized transactions posted before October 15, 2020 are time-barred by the contractual limitations provision of the agreement between 123RF and HSBC. Additionally, the Court finds that all of the claims, except the N.Y. U.C.C. § 4-A-204(1) claim, should be dismissed, as they are either preempted by N.Y. U.C.C. Article 4-A or fail to state a claim under Rule 12(b)(6).
BACKGROUND
Unless otherwise noted, the facts considered and recited here for purposes of the instant motion to dismiss are drawn from plaintiff's Amended Complaint and are accepted as true, taking all reasonable inferences in plaintiff's favor. See McCarthy v. Dun & Bradstreet Corp., 482 F.3d 184, 191 (2d Cir. 2007); Gant v. Wallingford Bd. of Educ., 69 F.3d 669, 673 (2d Cir. 1995).
On August 7, 2012, 123RF LLC, which operates an online digital stock agency, opened a commercial bank account with HSBC. AC ¶¶ 12, 15. The account is governed by the USCDAA, which was attached to the Amended Complaint. Id. ¶ 15; see Exhibit A to Amended Complaint, ECF No. 25-1.
According to the Amended Complaint, 123RF LLC is a "subsidiary of Inmagine Lab Pte. Ltd., which together with its affiliates form the 123RF Group." AC ¶ 12. While 123RF LLC is a California limited liability company that is headquartered in Chicago, the larger 123RF Group has offices in 40 countries, with its principal officers in Malaysia. Id. ¶¶ 6, 12-13.
Plaintiff alleges that this bank account was to be used to "collect proceeds and settlements for online credit card sales in the United States, which were then transferred to accounts held by other 123RF Group entities." Id. ¶ 21. These transfers between 123RF Group entities were to be done through direct wire transfers on HSBCnet, not ACH debits, and only after a specific security protocol was followed. Id. While wire transfers are direct transfers between banks, ACH debits are processed through a centralized clearinghouse each day. Id. ¶ 27. It was plaintiff's belief that ACH debits could not be made from its account. Id. ¶ 26.
According to the Amended Complaint, to initiate a wire transfer, an authorized employee would need to log into the HSBCnet portal using a one-time security token generated by a security device. Id. ¶ 23-24. Only employees approved by plaintiff and defendant would receive the security device. Id. ¶ 24. From the HSBCnet portal, the employee would initiate the transfer, which was separately approved by a designated authorizer. Id. ¶ 23.
However, neither the special security process for wire transfers, nor any prohibition of ACH debits were included in the USCDAA. Instead, plaintiff's beliefs about the specific security procedures appear to stem from conversations with employees from HSBC when they visited 123RF Group's office in Malaysia in 2012. Id. ¶ 25. The Amended Complaint alleges that defendant's employees instructed 123RF Group's employees on the security procedure to access the account on the HSBCnet portal and how to initiate and approve account transfers. Id. ¶¶ 25-26. Plaintiff also alleges that, at the time, it understood these procedures to be the "sole means to initiate transfers from the Account" and "at no time did any HSBC employee suggest that any other procedures existed that were capable of initiating debits from the Account, including for ACH debits." Id. ¶ 26. The Amended Complaint does not state the date of this conversation, who specifically made these representations, or to whom the statements were made.
At oral argument, the Court asked the plaintiff's counsel if he was aware of any specific contractual provisions that reflected the precise security procedure or the prohibition of ACH debits, and he acknowledged that was not aware of any written agreement including this information. Oral Argument Transcript ("Oral Argument Tr."), dated Jan. 26, 2023, at 3:5-4:6, ECF No. 33.
Beginning in January or February 2020, a number of ACH debits, each between a few hundred dollars to the low thousands, were made from plaintiff's account to credit card companies. Id. ¶ 32. According to the Amended Complaint, "the transfers began abruptly in high volume out of pattern with prior activity on the Account [and] th[e] recipients of the transfers were distinct from intracompany recipients of plaintiff's legitimate direct wires." Id. ¶ 35. Despite the fact that these ACH debits were, according to plaintiff, obviously fraudulent, plaintiff did not identify these debits until several months later in April 2020. Id. ¶ 32.
Yet, even after identifying the improper transactions, it took plaintiff almost a year to send HSBC a list of the unauthorized transactions. Id. ¶ 54. Plaintiff claims to have tried to contact defendant about these transactions with varying degrees of success during that time. First, upon discovery of the initial transactions in April 2020, plaintiff alleges that it "alerted defendant to the issues and requested [that] defendant conduct its own internal investigation." Id. ¶¶ 36, 42. However, the complaint does not specify who was contacted or the method of communication, nor does it include any record of any such contact. The next attempt to contact defendant was about four months later, when plaintiff's senior finance manager contacted the general HSBC Help Desk line, but once again did not speak to the account manager. Id. ¶ 49. Finally, in November 2020, seven months after plaintiff originally discovered the unauthorized transactions, plaintiff contacted a relationship manager for 123RF Group's Hong Kong account. Id. ¶ 50. Apparently, the relationship manager was transitioning out of the role, and it was not until January 21, 2021 that the plaintiff heard from someone claiming to be the new account manager. Id. ¶¶ 50, 52. It nonetheless took several weeks to confirm this was the correct person. Id. ¶¶ 50, 52, 53. Finally, on March 17, 2021, the Chief Financial Officer at 123RF Group sent the new account manager a spreadsheet identifying the unauthorized debits until that point. Id. ¶ 54.
It appears from the Amended Complaint that plaintiff could not identify the account manager on its own account with HSBC USA. It is unclear why plaintiff could not identify this contact. The only explanation provided at oral argument was that the unauthorized transactions were discovered during the early days of the pandemic. Oral Argument Tr. at 14:12-19.
While plaintiff's delay in getting in contact with someone at HSBC is puzzling, HSBC's actions once alerted are equally puzzling. Although plaintiff claims that it asked HSBC to stop all unauthorized transactions, these transactions continued. Id. ¶55. Defendant did not transfer the account to a new account number or freeze the account. Id. ¶ 57. Instead, starting on March 29, 2021, plaintiff began to receive auto-generated alerts of ACH transactions, which plaintiff's employees were then asked to approve or deny. Id. However, those emails were sent to junior employees. Id. ¶ 58. HSBC did not disable ACH debit functionality, and the unauthorized ACH debits continued. Id. ¶¶ 57-58.
In April 2021, defendant responded to the list of unauthorized transactions sent on March 17, 2021. Id. ¶ 61. At that point, defendant reimbursed plaintiff for $431,821.56 worth of transactions that had occurred during March and April 2021. Id. However, HSBC refused to reimburse the remaining $998,518.54 worth of transactions. Id. In turn, on October 15, 2021, plaintiff filed the present lawsuit. See ECF No. 1. However, even after the case was filed, four additional debits were made on plaintiff's account. AC ¶ 80.
At oral argument, defendant claimed that HSBC simply returned the "money that the bank was able to recover." Oral Argument Tr. at 18:8-17.
II. Procedural History
On October 15, 2021, plaintiff filed its initial complaint, which it then amended on February 14, 2022. See ECF Nos. 1, 25. On March 7, 2022, defendant moved to dismiss the Amended Complaint. See ECF No. 26. Plaintiff filed its opposition to the motion to dismiss on March 28, 2022, ECF No. 30, and defendant responded on April 14, 2022, ECF No. 32. The Court held oral argument on January 26, 2023. ECF No. 33.
LEGAL STANDARD
To survive a motion to dismiss under Rule 12(b)(6), "a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (internal quotation marks and citation omitted). A claim is considered plausible "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. "Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. "[T]he [C]ourt is to accept as true all facts alleged in the complaint," and must "draw all reasonable inferences in favor of the plaintiff." Kassner v. 2nd Avenue Delicatessen Inc., 496 F.3d 229, 237 (2d Cir. 2007). In evaluating a motion to dismiss, the Court can consider documents attached to the complaint. See DiFolco v. MSNBC Cable L.L.C., 622 F.3d 104, 111 (2d Cir. 2010).
DISCUSSION
Defendant's motion to dismiss is layered. At the threshold, defendant argues that all eight claims are time-barred under the contractual limitations provision of the USCDAA. See Def. Br. at 5. However, if the entire suit is not time-barred, defendant then argues that: (1) the common law claims are preempted by UCC Article 4-A; (2) the tort claims are barred by the economic loss doctrine; and (3) the Amended Complaint fails to state a claim for all of the individual causes of action, except breach of N.Y. U.C.C. § 4-A-204(1) and breach of contract.
The Court first addresses the statute of limitations issue and holds that only claims for unauthorized transactions prior to October 15, 2020 are time-barred. Next, the Court addresses whether the common law claims are preempted by N.Y. U.C.C. Article 4-A and finds that the negligence, gross negligence, and breach of contract claims are preempted. And, finally, the Court analyzes whether the Amended Complaint properly states a claim for violation of G.B.L. § 349, breach of fiduciary duty, fraud, and breach of the implied covenant of good faith and fair dealing, finding that none state a claim and should be dismissed.
I. Statute of Limitations
In the first instance, defendant takes the position that the entire suit is barred by the statute of limitations provision within the USCDAA. Def. Br. at 6. Specifically, the defendant relies on § 2.2 of the USCDAA (hereafter, the "Contractual Limitations Provision"), which states:
The Customer agrees to bring any claims or legal action relating to Services in writing within one (1) year of the date the problem occurred . . . . If the problem involves a series of events, the Customer agrees that the date the first event occurred will be the date by
which the period to make any claim or bring any legal action begins to run.USCDAA § 2.2, Exhibit A to the Amended Complaint at 11, ECF No. 25-1.
Defendant asserts that based on this provision, plaintiff was required to have brought this suit within one year of the date of the first unauthorized transaction. Def. Br. at 6. Defendant's argument is two-fold: first, the contract contains a one-year statute of limitations to run from "the date the problem occurred"; and, second, the unauthorized transactions should be viewed as a "series of events" and, thus, the one-year period began to run on the date of the first unauthorized transaction. Def. Br. at 5. The Court agrees that the Contractual Limitations Provision creates a one-year statute of limitations but rejects the argument that all of the unauthorized transactions are part of a "series of events." Therefore, we hold that claims based on unauthorized transactions that occurred prior to October 15, 2020, one year before the date the complaint was filed, are time-barred.
a. The Contractual Limitations Provision Creates a One-Year Statute of Limitations
First, the Contractual Limitations Provision is an enforceable one-year statute of limitations. Under New York Law, parties can shorten statute of limitations by contract. Fleisig v. ED&F Man Capital Mkts., Inc., No. 19-cv-8217, 2021 WL 2678675, at *8 (S.D.N.Y. June 30, 2021); N.Y. C.P.L.R. § 201 (allowing a "shorter time [to be] prescribed by written agreement"). The language of the Contractual Limitations Provision is clear: the customer agreed to initiate a claim or legal action in writing related to the services covered by the USCDAA within one year of when the "problem occurred." USCDAA § 2.2.
Plaintiff does not challenge the plain reading of the Contractual Limitations Provision, but rather argues that the Contractual Limitations Provision is improper because "[d]efendant cannot alter by agreement the one-year statute of repose in Article 4-A." Pl. Mem. of Law in Opposition to Def. Motion Dismiss ("Pl. Br.") at 4, ECF No. 30 (emphasis added). Specifically, plaintiff cites to N.Y. U.C.C. § 4-A-505 ("Section 505") which states:
If a receiving bank has received payment from its customer with respect to a payment order issued in the name of the customer as sender and accepted by the bank, and the customer received notification reasonably identifying the order, the customer is precluded from asserting that the bank is not entitled to retain the payment unless the customer notifies the bank of the customer's objection to the payment within one year after the notification was received by the customer. (emphasis added).
There is no dispute that Section 505 is "in the nature of a statute of repose for objecting to debits made to the customer's account." Official Comment to N.Y. U.C.C. § 4-A-505. The New York Court of Appeals decision in Regatos v. North Fork Bank, 5 N.Y.3d 395, 403, 804 N.Y.S.2d 713, 838 N.E.2d 629 (N.Y. 2005), which held that a bank could not shorten by contract the statute of repose created by Section 505, is consistent.
However, plaintiff is conflating two separate concepts -- the statute of repose and the statute of limitations. "Statutes of repose and statutes of limitations are often confused, though they are distinct." Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 88 n.4 (2d Cir. 2010). Specifically, "[a] statute of limitations creates an affirmative defense where plaintiff failed to bring suit within a specified period of time after his cause of action accrued, often subject to tolling principles." Id. "By contrast, a statute of repose extinguishes a plaintiff's cause of action after the passage of a fixed period of time, usually measured from one of the defendant's acts." Id. (emphasis in original). A statute of repose impacts the substantive right, while a statute of limitations simply defines the time to initiate a court action to seek a remedy. Given this distinction, it is permissible to have a shorter statute of limitations than a statute of repose. See California Pub. Emp. Ret. Sys. v. ANZ Secs., Inc., 582 U.S. 497, 137 S. Ct. 2042, 2049, 198 L.Ed.2d 584 (2017) ("The pairing of a shorter statute of limitations and a longer statute of repose is a common feature of statutory time limits.").
The plaintiff's reliance on Regatos and Section 505 is therefore misplaced. Regatos involved an attempt by the bank to shorten to 15 days the period for the customer to notify the bank of unauthorized transactions or the claim would be extinguished. 5 N.Y.3d at 403, 804 N.Y.S.2d 713, 838 N.E.2d 629. This was an explicit modification of the statute of repose, which set a one-year period to notify the bank of an unauthorized transaction. In altering the notice requirement, the bank tried to modify the substantive right. Here, the Contractual Limitations Provision does not attempt to change the notice that must be given to the bank. Instead, it sets a one-year time period for plaintiff to initiate a legal action. Therefore, the Contractual Limitations Provision is a modification of the statute of limitations, which is not controlled by Regatos. Unlike a statute of repose, statutes of limitation can be modified by contract under New York law. See N.Y. C.P.L.R. § 201. Accordingly, the Court applies the one-year statute of limitations agreed to by the parties in the USCDAA.
At oral argument, plaintiff's counsel attempted to argue that a claim under N.Y. U.C.C. § 4-A-204(1) does not "accrue" until after plaintiff notifies the bank and the bank refuses to issue a refund, and thus applying the one-year Contractual Limitations Provision somehow shortens the statute of repose. See Oral Argument Tr. at 15:9-17:16. The Court does not follow plaintiff's logic. This argument was not outlined in plaintiff's brief, and plaintiff offers no support for it. More importantly, plaintiff fails to recognize that claims accrue at the time of injury, not when a defendant denies the remedy.
b. The Unauthorized Transactions Are Not a "Series of Events"
Having determined that the contractual one-year statute of limitations applies, we must next analyze when the one-year statute of limitations period begins to run. Just as parties can contract to create a shorter statute of limitations, they can also contract as to the commencement of the statute of limitations period. Wechsler v. HSBC Bank USA, N.A., No. 15-cv-5907, 2016 WL 1688012, at *3 (S.D.N.Y. Apr. 26, 2016), aff'd, 674 F. App'x 73 (2d Cir. 2017).
The Contractual Limitations Provision states that a party must bring legal action within one year from the "date the problem occurred." USCDAA § 2.2. Moreover, the provision states that when the problem involves a "series of events," the clock begins on the date of the "first event." Id. Defendant argues that the unauthorized transactions here should be considered a "series of events," and, therefore, the one-year statute of limitations began for all transactions from the date of the first unauthorized transaction in January or February 2020. Def. Br. at 6. A holding to that effect would bar all of plaintiff's claims.
The sole case upon which defendant relies to support its reading of a "series of events" is Wechsler v. HSBC Bank USA, N.A. See 2016 WL 1688012. Wechsler involved a recurring service charge that was charged once a month for the same amount and for the same reason. Id. at *3. However, the unauthorized transactions at issue here are easily distinguishable from those in Wechsler. First, the unauthorized transactions were for different amounts, "rang[ing] from around the low hundreds to the low thousands of dollars." AC ¶ 32. Additionally, the online payments were made to numerous credit card companies. See Exhibit B to the Amended Complaint, ECF No. 25-2 (listing payments to 26 suppliers). Moreover, there is no clear pattern to the timing of the transactions. The charges in early 2020 occurred multiple times per week, AC ¶ 32, and the rate accelerated over time, id. ¶ 51. Even the four charges made after filing the initial complaint do not appear to follow any pattern (i.e., charges were made on September 16, November 12, December 16, and December 21, 2021). Id. ¶ 3. Unlike the clear pattern in Wechsler, here, the only unifying pattern to the charges on 123RF's account is that they were all ACH debits.
While it is true that the Amended Complaint does generally refer to these transactions collectively, the Court is concerned that finding these unauthorized transactions to constitute a "series of events" based solely on the fact that they are all ACH debits would severely alter the balance of responsibilities between banks and customers that is broadly reflected in the U.C.C. Thus, the Court declines to treat the unauthorized transactions as a "series of events," and as a result looks to the date the individual transactions were posted to determine which are barred. Since the complaint was filed on October 15, 2021, any claim related to an unauthorized transaction before October 15, 2020 is barred.
As explained previously, the one-year period commences from the date the unauthorized transaction was posted, not as plaintiff claims, when defendant refused to issue a refund. See supra n.7. Our holding also resolves plaintiff's argument that the contractual limitations period is unreasonable.
II. Preemption
We now turn to defendant's second broad argument, namely, that all the asserted common law claims are preempted by N.Y. U.C.C. § 4-A ("Article 4-A"). Article 4-A "governs the procedures, rights and liabilities arising out of commercial funds transfers." Fischer & Mandell, LLP v. Citibank, N.A., 632 F.3d 793, 797 (2d Cir. 2011) (quoting Grain Traders, Inc. v. Citibank, N.A., 160 F.3d 97, 100 (2d Cir. 1998)). The act creates a scheme to set clear rules as to who bears the loss for unauthorized transactions. Banco del Austro, S.A. v. Wells Fargo Bank, N.A., 215 F. Supp. 3d 302, 306-307 (S.D.N.Y. 2016).
Specifically, N.Y. U.C.C. § 4-A-204 establishes that a bank must refund a payment it issued if the payment was "not authorized and not effective as the order of the customer." N.Y. U.C.C. § 4-A-204. A payment order is effective, even if not authorized by the customer, so long as there is a "commercially reasonable" security procedure in place, and the bank accepted a payment order in good faith and in compliance with the security procedure. N.Y. U.C.C. § 4-A-202(2). Therefore, if the bank follows commercially reasonable security procedures, the loss for an unauthorized transaction falls on the customer.
Article 4-A, however, does not delineate specific security procedures that must be followed. Instead, the security procedures are "established by agreement" between the customer and the bank. Id. § 4-A-201. The security procedures "may require use of algorithms or other codes, identifying words or numbers, encryption, callback procedure, or similar security devices." Id. Ultimately, whether the security procedures are commercially reasonable is a question of law to be decided by the court, and courts are instructed to consider "the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated." Id. § 4-A-202(3).
Because Article 4-A sets forth who bears the loss when an unauthorized transaction is made, the provisions:
represent a careful and delicate balancing of [competing] interests and are intended to be the exclusive means of determining the rights, duties, and liabilities of the affected parties in any situation covered by particular provisions of the Article. Consequently, resort to principles of law or equity out-side of Article 4A is not appropriate to create rights, duties and liabilities inconsistent with those stated in this Article.Official Comment to N.Y. U.C.C. § 4-A-102.
Thus, the Second Circuit has interpreted this language to "preclude common law claims when such claims would impose liability inconsistent with the rights and liabilities expressly created by Article 4-A." Grain Traders, 160 F.3d at 103. However, not all common law claims "are per se inconsistent with this regime." Ma, 597 F.3d at 89. In evaluating whether a claim is preempted "[t]he critical inquiry is whether the provisions protect against the type of underlying injury or misconduct alleged in a claim." Id. at 89-90.
To the extent that the plaintiff's brief suggests it is premature to rule on preemption and that it should be decided at the summary judgment phase, see Pl. Br. at 10, the Court disagrees. Courts in this district have decided that claims were preempted at the motion to dismiss stage. See e.g., Banco del Austro, 215 F. Supp. 3d at 306.
Consistent with these principles, the negligence and gross negligence claims here are preempted by Article 4-A. Courts in this district have found that claims that defendant "violated its duty of care by negligently honoring" unauthorized transfers, "fall[ ] entirely within the coverage of [Article 4-A], which creates a comprehensive risk allocation for unauthorized funds transfers," and are thus preempted. Banco del Austro, 215 F. Supp. 3d at 306-307; see also 2006 Frank Calandra, Jr. Irrevocable Tr. v. Signature Bank Corp., 816 F. Supp. 2d 222, 236 (S.D.N.Y. 2011). The pleading itself indicates that the negligence and gross negligence claims cover the same territory as Article 4-A, because the predicates for the negligence, gross negligence, and breach of Article 4-A claims are the same. Each claim asserts that defendant is liable for failing to "require that transactions be initiated though the HSBCnet portal," failing to "receive authorization," failing to "provide notice that transactions had occurred," failing to "identify suspicious patterns in Account activity," and failing to "make representatives available to receive alerts of unauthorized payments." AC ¶¶ 94, 103, 109. The negligence and gross negligence claims then seek to impose additional obligations on defendant (e.g., defendant failed to "put the account on hold" and failed to "properly monitor the account"). Id. ¶¶ 103, 109. At its core, the negligence and gross negligence claims concern the existence of unauthorized transactions and the way in which they occurred. These are certainly the types of claims that are covered by Article 4-A and thus precluded.
Given our holding that that the negligence and gross negligence claims are precluded, we need not reach the defendant's additional arguments that these claims are barred by the economic loss doctrine and for failure to state a claim.
The same is true for plaintiff's breach of contract claim. Plaintiff alleges that defendant breached its contract with plaintiff by "executing unauthorized ACH debits in contravention of the agreed upon security procedures," as well as failing to provide a proper channel to report these debits or block the transfers. AC ¶ 115. Putting to the side the fact that plaintiff cannot identify the particular contractual provision that was allegedly breached, the breach of contract claim falls entirely within the scheme created by Article 4-A because it is essentially the same claim as the breach of N.Y. U.C.C. 4-A-204 claim. Both claims assert that HSBC did not abide by the agreed-upon security procedures, and therefore HSBC should be liable for the unauthorized transactions. As discussed, "[a]ny common law claims about the existence of unauthorized wire transfers . . . and the mechanics of how those transactions were conducted, fall within the regime of Articles 4-A and 4." 2006 Frank Calandra, Jr., 816 F. Supp. 2d at 236 (holding a similar breach of contract claim was preempted by Article 4-A). This falls squarely within the regime created by UCC §§ 4-A-202, 204 and thus is preempted.
While not raised by defendant, the Amended Complaint does not specify the provisions of the contract that provide for the security procedures plaintiff alleges were not followed. At oral argument, plaintiff's counsel acknowledged that he was not aware of any written document that set out the precise security procedures that plaintiff now claims were breached. Oral Argument Tr. at 3:5-4:9. The only provision cited by plaintiff in the Amended Complaint is that HSBC agreed to "use reasonable efforts to comply with any request made by the Customer to vary or cancel an Instruction." AC ¶ 113. While the Court need not decide whether plaintiff has pled a standalone breach of contract claim, typically "[a] breach of contract claim will be dismissed where a plaintiff fails to allege 'the essential terms of the parties' purported contract, including the specific provisions of the contract upon which liability is predicated.' " Martinez v. Vakko Holding A.S., No. 07-cv-3413, 2008 WL 2876529, at *2 (S.D.N.Y. Jul. 23, 2008) (quoting Highlands Ins. Co. v. PRG Brokerage, Inc., No. 01-cv-2272, 2004 WL 35439, at *8 (S.D.N.Y. Jan. 6, 2004)).
In fact, at oral argument, plaintiff's counsel acknowledged that the breach of contract claim does not "give [plaintiff] anything that the U.C.C. claim does not." Oral Argument Tr. at 36:16-23. Given this and after the Court's ruling on the statute of limitations and the overlap of the claims, there is no substantive consequence to the dismissal of the breach of contract claim as preempted.
The Court does not rule on whether the claims for fraud, breach of fiduciary duty, or breach of the implied covenant of good faith and fair dealing are pre-empted by Article 4-A, because, as discussed below, the complaint clearly fails to state a claim for these causes of action.
III. Failure to State a Claim
Finally, defendant moves to dismiss all of the remaining claims, except the claim for breach of N.Y. U.C.C. § 4-A-204(1), for failure to state a claim under Rule 12(b)(6). Each claim is addressed separately below, and each claim is dismissed.
a. New York General Business Law § 349
Plaintiff's Amended Complaint includes a claim for violation of New York General Business Law ("G.B.L.") § 349. To successfully assert a claim under G.B.L. § 349, "a plaintiff must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice." Koch v. Acker, Merrall & Condit Co., 18 N.Y.3d 940, 941, 944 N.Y.S.2d 452, 967 N.E.2d 675 (N.Y. 2012) (internal quotation marks and citations omitted). "[S]ection 349 is directed at wrongs against the consuming public." Oswego Laborers' Local 214 Pension Fund v. Marine Midland Bank, N.A., 85 N.Y.2d 20, 24, 623 N.Y.S.2d 529, 647 N.E.2d 741 (N.Y. 1995). Of particular significance here, "[p]rivate contract disputes, unique to the parties, for example, would not fall within the ambit of the statute." Id. at 25, 623 N.Y.S.2d 529, 647 N.E.2d 741. Thus, if a plaintiff does not "plead and prove injury to the public generally, [rather than] just to himself, then he cannot benefit from the consumer protection law found in Section 349." Clayton v. Katz, No. 10-cv-5755, 2012 WL 4378035, at *5 (S.D.N.Y. Sept. 25, 2012) (internal quotation marks and citation omitted) (alteration in original).
The case at bar involves a commercial banking contract between two substantial businesses. While plaintiff is correct that the " 'consumer-oriented prong' does not preclude the application of G.B.L. § 349 to disputes between businesses," Pl. Br. 14, typically, business-to-business transactions do not fall under the statute, as "[l]arge businesses are not the small-time individual consumers [G.B.L.] § 349 was intended to protect". Exxonmobil Inter-America, Inc. v. Advanced Inf. Eng'g Servs., Inc., 328 F. Supp. 2d 443, 449 (S.D.N.Y. 2004).
Plaintiff further argues that "this case does not involve a unique private transaction between sophisticated business parties." Pl. Br. at 14. That assertion is without any foundation in the record. The entire premise of plaintiff's suit is that HSBC permitted ACH debits on an account that, unlike most other accounts, was never meant to be used for ACH debits. During oral argument, plaintiff's counsel agreed with the Court that "for most accounts, either commercial or consumer accounts, . . . ACH debits are not unusual" and that "this particular account had an unusual feature that it [did not] permit any ACH debit transactions." Oral Argument Tr. at 9:5-14. Structuring an account that blocks any ACH debit does create a "unique private transaction." Further, all of defendant's alleged "consumer-oriented practices" are actually related to ACH debits, which plaintiff claims were specifically precluded from its account (i.e., "refusing to compensate customers for unauthorized debits, based on alleged hidden terms," "intentionally permitting ACH debits without authorization because an additional fee was not paid," and "duping the consumer into believing their account was secure against unauthorized ACH debits in light of the multi-step security process required via HSBCnet portal"). AC ¶ 118. The only allegations in the Amended Complaint that connect plaintiff's claim to the public are the conclusory statements that plaintiff "understands that other members of the public continue to be subject to these deceptive acts and practices" and that defendant's security protocol "reflects a continuing danger to Plaintiff and the public." AC ¶¶ 3, 118. These statements do not meet plaintiff's burden to plead that the defendant engaged in consumer-oriented practice, which is within the ambit of Section 349, and thus the Court dismisses the claim.
While in its brief, plaintiff argues that it "entered into a standard form agreement with HSBC" to support its claim that G.B.L. § 349 can apply to this business-to-business transaction, Pl. Br. at 14, this is not alleged anywhere in the Amended Complaint.
b. Breach of Fiduciary Duty
Plaintiff's claim for breach of fiduciary duty is dismissed as it is well-settled that there is no fiduciary relationship between a bank and a depositor. See Abhyankar v. JPMorgan Chase, N.A., No. 18-cv-9411, 2020 WL 4001661, at *4 (S.D.N.Y. Jul. 15, 2020) (collecting cases).
The cases cited by plaintiff do not refute that there is no fiduciary relationship here. Every case cited by plaintiff mentions that generally there is no fiduciary duty created by the standard bank-depositor relationship. ADT Operations, Inc. v. Chase Manhattan Bank, N.A., 173 Misc. 2d 959, 963, 662 N.Y.S.2d 190 (N.Y. Sup. Ct. 1997); Mfrs. Hanover Tr. Co. v. Yanakas, 7 F.3d 310, 318 (2d Cir. 1993); P. Chimento Co. v. Banco Popular de Puerto Rico, 208 A.D.2d 385, 386, 617 N.Y.S.2d 157 (1st Dep't 1994); Scott v. Dime Sav. Bank, 886 F. Supp. 1073, 1078 (S.D.N.Y. 1995). A fiduciary relationship only exists when there is something special about the relationship. Chimento, 208 A.D.2d at 386, 617 N.Y.S.2d 157. In only one case cited by the plaintiff did the court even find there was a fiduciary relationship. In that case, the court found that there was a fiduciary relationship because the relationship "went well beyond the usual debtor-creditor relationship," as the bank encouraged the borrower to borrow 20 times more than the plaintiff had wanted to borrow and induced the plaintiff to invest in the banks' affiliate. Scott, 886 F. Supp. at 1078. That fact pattern is readily distinguishable from this case.
c. Fraud
Next, the Amended Complaint asserts a claim for fraud. Specifically, the Amended Complaint alleges that defendant represented in 2012 that the account had security measures in place to protect against unauthorized ACH debits and that plaintiff relied on those representations to contract with HSBC to allow it to manage the account. AC ¶¶ 128, 129.
Claims for fraud must comply with the heightened pleading standard of Rule 9(b). Fed. R. Civ. P. 9(b). To state a claim for fraud with particularity, a plaintiff needs to allege: "(1) precisely what statements were made, (2) the time and place of each such statement, (3) the content of such statements and the manner in which they misled the plaintiff, and (4) what the defendant obtained as a consequence of the fraud." Bingham v. Zolt, 683 F. Supp. 965, 972-973 (S.D.N.Y. 1988) (citation omitted).
Plaintiff argues that the complaint specifically identifies two separate statements that support its claim for fraud. Pl. Br. at 15. First, plaintiff identified in its complaint "specific advertising copy" that was "fraudulent," and, second, it identified "representations made by HSBC USA personnel on-site at [p]laintiff's offices on or around the time [p]laintiff first opened the account, in August 2012, during which the HSBC USA representative made representations regarding security procedures that would be used for the account." Id. at 15. Neither of these allegations are stated with sufficient particularity to meet Rule 9(b)'s standard.
Specifically, the Amended Complaint alleges that defendant represented on its website (www.us.hsbc.com/security/report-fraud) that it "works hard year round to protect [customer] information" and "[w]e stay vigilant, identifying threats and investigating suspicious activity across all your accounts." AC ¶ 19. It also stated, "[i]f we identify that your information has been compromised, we act promptly. We'll contact you directly and take the necessary steps to help safeguard your banking information." Id.
The Amended Complaint states: "When the account was initially set up, an HSBC employee visited 123RF Group's offices in Malaysia to instruct employees on the use of the Security Device and the procedure to access the Account through HSBCnet portal and how to initiate and approve account transfers. 123RF Group and Plaintiff understood these procedures to be the sole means to initiate transfers from the Account, and at no time did any HSBC employee suggest that any other procedures existed that were capable of initiating debits from the Account, including for ACH debits." Id. ¶¶ 25-26.
While plaintiff points to specific advertising copy that is currently found on HSBC's website, plaintiff does not plead when this copy was available, and, more importantly, whether plaintiff even read it prior to signing the contract in 2012. The statements made by HSBC's employees while on-site at plaintiff's office fare no better. The Amended Complaint does not allege precisely what was said, by whom, and to whom. The Court agrees with defendant that this vague allusion is far from the specificity required to meet the heightened pleading standard under Rule 9(b).
Having resolved the 9(b) issue, the Court need not address defendant's second argument that the fraud claim is merely duplicative of the breach of contract claim.
d. Breach of Implied Covenant of Good Faith and Fair Dealing
Finally, defendant argues that the plaintiff fails to state a claim for breach of the implied covenant of good faith and fair dealing. A breach of an implied covenant of good faith and fair dealing claim cannot be maintained if "it is premised on the same conduct that underlies the breach of contract cause of action and is intrinsically tied to the damages allegedly resulting from the breach of contract." MBIA Ins. Corp. v. Merrill Lynch, 81 A.D.3d 419, 420, 916 N.Y.S.2d 54 (1st Dep't 2011) (internal quotation marks and citation omitted). Even if pled in the alternative, claims of breach of implied covenant are dismissed "when the implied covenant and contract claims are based on the same facts." Merryman v. J.P. Morgan Chase Bank, N.A., No. 15-cv-9188, 2016 WL 5477776, at *12 (S.D.N.Y. Sept. 29, 2016).
The plaintiff argues that the claim is not duplicative as "plaintiff alleges that HSBC USA failed to provide a clear mechanism or representatives to whom [p]laintiff could submit notice of the unauthorized transactions and dragged its feet in response to [p]laintiff's outreach." Pl. Br. at 18. However, as defendant points out, the Amended Complaint alleges the same facts in the breach of contract cause of action. The Amended Complaint states: "Defendant breached its contract with plaintiff by . . . failing to provide a proper channel to report unauthorized ACH debits." AC ¶ 115. Given that both the breach of contract claim and the breach of the implied covenant of good faith and fair dealing claims are based on the same facts, the latter is dismissed.
CONCLUSION
Accordingly, for the reasons stated above, the Court dismisses all of the claims in the Amended Complaint, except for the claim for breach of N.Y. U.C.C. § 4A-204(1) related to unauthorized transactions that occurred after October 15, 2020.
SO ORDERED.