By Chris McKibbin and Daniel Silla
In the recent decision of Cachet Financial Services v. Berkley Insurance Company, the United States District Court for the Central District of California found no coverage under a commercial crime policy in respect of several alleged frauds involving a payroll processor.
The decision is instructive for fidelity claims professionals as to the meaning of “alteration” in the Forgery insuring agreement found in commercial crime and financial institutions coverages. The decision also reinforces existing jurisprudence that restricts the Computer Fraud insuring agreement to situations involving “hacking” and unauthorized access, rather than fraudulent misuse of authorized access.
Cachet provides Automated Clearing House (“ACH”) transactions and related payroll services. Employers contract with payroll companies (known as “remarketers”) to facilitate payments made to employees through Cachet’s system. An employer would provide payroll information to its remarketer, which would then create a batch file containing (i) account details for each of the employer, Cachet, and the employees; (ii) the amount to be transferred from the employer’s account into Cachet’s settlement account (the “Settlement Account”); (iii) the amount to be deposited to each employee’s account; and (iv) the payment date.
The remarketer then uploaded its batch file onto Cachet’s server for processing. Cachet’s server confirmed that the batch file balanced (i.e., the amount to be withdrawn from the employer’s account equaled the amounts to be paid to the employees). With that confirmation, Cachet’s system initiated the transfer of funds from the employer’s account to the Settlement Account on the specified date, following which Cachet’s system automatically disbursed funds from the Settlement Account to the employees’ bank accounts.
Cachet contracted with remarketers MyPayrollHR LLC (“MyPayrollHR”) and iGreen Payroll Services Inc. (“iGreen”) to provide ACH services and to route payments from employer customers of MyPayrollHR and iGreen to those customers’ employees. In turn, MyPayrollHR and iGreen were granted access to use Cachet’s system.
Cachet alleged that it sustained some $40 million in losses from three separate schemes involving various forms of fraudulent batch files that were uploaded onto its server. Cachet alleged that MyPayrollHR stole more than $26 million from it through two separate transactions:
- ACH Kiting: Cachet alleged that MyPayrollHR stole approximately $19 million through a scheme commonly referred to as ACH kiting. MyPayrollHR allegedly manipulated Cachet’s batch files’ specifications to make it appear as if the $19 Million was being debited from bank accounts of entities controlled by MyPayrollHR’s principal (the “Originating Accounts”) and paid to the Settlement Account, and that the same amount was then being debited from the Settlement Account and credited to accounts of MyPayrollHR and other entities owned and controlled by MyPayrollHR’s principal (the “Receiving Accounts”). However, no funds were transferred into the Settlement Account because the Originating Accounts were frozen. Nevertheless, the $19 million was debited from the Settlement Account and credited to the Receiving Accounts.
- Fraudulent Destination Account: Cachet alleged that MyPayrollHR created batch files containing manipulated account information, which caused $7 million of employers’ funds to be credited to MyPayrollHR’s account instead of the Settlement Account. MyPayrollHR’s account had already been frozen, which led to the rejection and return of the corresponding debits pulled from the MyPayrollHR account. As the ACH processor, Cachet credited the employees’ accounts $7 million without receiving the $7 million from employers.
Cachet also claimed that iGreen caused it a net loss of over $14 million after iGreen allegedly uploaded non-payroll related batch files to Cachet’s server. The iGreen batch files contained instructions directing Cachet to debit $21,458,361.97 from accounts held by four entities (the “Debited Entities”) at Dime Community Bank (“Dime Bank”) and to credit the Settlement Account. However, the Debited Entities’ bank accounts had insufficient funds when the batch files were uploaded. In accordance with the instructions in the batch file, the Settlement Account was debited $21,458,361.97 and two non-employee accounts were credited with the transferred funds. These funds were then transferred out of Dime Bank and could not be recovered. Dime Bank then rejected and reversed the debits to the Debited Entities’ accounts. Consequently, the Settlement Account was debited $21,458,361.97 but Cachet did not receive any corresponding funds from the Debited Entities’ accounts.
Cachet maintained a primary commercial crime policy with Berkley and follow-form excess coverage with Great American Insurance Group. Cachet contended that its alleged losses were covered by Insuring Agreement A.2.a (Forgery or Alteration) and A.6.a (Computer Fraud). Berkley and Great American (collectively, the “Insurers”) moved to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted (analogous to a rule 21.01(1)(b) motion in Ontario).
The Forgery Coverage
Insuring Agreement A.2.a provided:
[Berkley] will pay for loss resulting directly from “forgery” or alteration of checks, drafts, promissory notes, or similar written promises, orders or directions to pay a sum certain in “money” that are:
(1) Made or drawn by or drawn upon you; or
(2) Made or drawn by one acting as your agent; or that are purported to have been so made or drawn.
The policy defined “forgery” as “the signing of the name of another person or organization with intent to deceive; it does not mean a signature which consists in whole or in part of one’s own name signed with or without authority, in any capacity, for any purpose.”
As there was no signature of any kind – let alone a qualifying “forgery” – the issue became whether the batch files were “altered”. The Insurers pointed out that there was no alteration of the batch files because MyPayrollHR and iGreen entered the files into Cachet’s computer system exactly as they were originally created, and Cachet executed the files’ instructions exactly as they were originally created and submitted. The Court agreed with the Insurers’ position:
… Plaintiff’s allegations in the Complaint as to how its ACH process works belie its assertion that any “alteration” occurred. Plaintiff alleges that remarketers … are responsible for creating the ACH batch files to upload onto Plaintiff’s server. For there to have been an alteration, the Clients must have created a non-fraudulent batch file and then changed the character of those already-created files to effectuate the scheme. Instead, Plaintiff alleges the Clients created the batch files and then submitted those newly-created batch files, albeit containing data that differed from prior batch file submissions.
The Court rejected Cachet’s contention that the alleged fraudulent batch files were “altered” in that they were different from non-fraudulent submissions made for prior pay periods:
That [MyPayrollHR and iGreen] had previously submitted non-fraudulent batch files is beside the point. As counsel for Defendant aptly argued, a batch file cannot have been “altered” solely because it differed from what Plaintiff expected the files should contain. Indeed, as counsel pointed out during oral argument, every batch file submitted by [MyPayrollHR and iGreen] is unique and differs from one another, including the number of employers and employees they have contracted with as clients. Such a broad reading of the Berkley Policy would lead to the absurd result of allowing Plaintiff to seek coverage every time [MyPayrollHR and iGreen] create and upload batch files that differ from one another. … For there to have been an “alteration,” Plaintiff must have alleged that [MyPayrollHR and iGreen] created the batch files that they submitted to perpetrate the fraud and then altered those very same batch files at some point to carry out the scheme. Absent such an allegation, the Court finds it implausible that an alteration occurred.
This was sufficient to dismiss Cachet’s claim under Insuring Agreement A.2.a. The Court noted that there were separate issues as to (a) whether the batch instructions were qualifying instruments under the insuring agreement; and (b) whether they were “made or drawn by or drawn upon” Cachet, but did not reach those issues.
The Computer Fraud Coverage
Insuring Agreement A.6.a provided, in pertinent part:
Loss resulting directly from a fraudulent … Entry of “electronic data” or “computer program” into … any “computer system” owned, leased or operated by you … provided the fraudulent entry … causes…:
(i) “Money”, “securities” or “other property” to be transferred, paid or delivered; or
(ii) Your account at a “financial institution” to be debited or deleted.
The Insurers observed that Cachet authorized MyPayrollHR and iGreen to create and upload batch files onto its server, and pointed out that the entries of data themselves were not fraudulent, although they may have contained inaccurate information. As the Court noted:
Plaintiff argues it never authorized [MyPayrollHR and iGreen] to upload fraudulent batch files. While that may be true, Plaintiff does not dispute that it authorized [them] to upload batch files to initiate the ACH process on Plaintiff’s computer system. See [complaint] (alleging that Plaintiff entered into written agreements with [MyPayrollHR and iGreen] to “use Cachet’s system”)). The fact that the data itself was fraudulent does not negate that [their] “entry” into Plaintiff’s computer system was done pursuant to authorization.
Relying on Universal American (discussed in our January 6, 2015 post on Pestmaster), the Court concluded:
… the Complaint alleges [MyPayrollHR and iGreen] were authorized to conduct business with Plaintiff via uploading ACH batch files onto Plaintiff’s servers — which is exactly what they did. Thus, their “entry” into Plaintiff’s “computer systems” cannot have been “fraudulent.” Whether the “electronic data” or “computer program” that entered Plaintiff’s computer system proved to be fraudulent is irrelevant because the Court interprets subsection A.6.a.(1) to cover only fraudulent “entry” or “change.”
As MyPayrollHR and iGreen were authorized to upload batch files to Cachet’s system, there was no fraudulent entry and Cachet’s claim under Insuring Agreement A.6.a was dismissed.
Cachet Financial Services is instructive as to the meaning of “alteration” in commercial crime and financial institutions coverages. For an alteration to occur, there must first be some form of legitimate qualifying instrument in existence, which is then altered in some material way to effect a fraud. One can think of the analogous example of a materially altered cheque. There must first be a validly issued cheque in existence, which is then altered in some respect (such as changing the payee’s name or the amount) to carry out a fraud. A cheque or other qualifying instrument that is fraudulent at the time it is created is not an altered instrument.
Cachet Financial Services also reinforces the Computer Fraud insuring agreement’s conceptual distinction between fraudulent entries and entries which, although they contain false information, are nevertheless authorized. The Computer Fraud insuring agreement is intended to be limited to unauthorized access and “hacking” situations, and does not extend to fraudulent misuse of authorized access.
Cachet Financial Services v. Berkley Insurance Company, 2023 WL 2558413 (C.D.Cal.)