NY Courts: Who is Liable When Cryptocurrency is Stolen?

One of the great things about the blockchain and cryptocurrency is the fact that it operates outside the commercial banking system. Unfortunately, this means that when cryptocurrency is stolen (or, more accurately, when it is transferred without the consent of the account holder), account holders are often left without any meaningful recourse. Unlike a bank, which can trace the funds, block transfers, or “claw back” fraudulent funds, cryptocurrency exchanges have limited ability to regain fraudulently transferred funds. Moreover, user agreements with exchanges disclaim any liability on the part of the exchange for such fraudulent transfers, put the onus on the customer to protect their account, and require arbitration of any disputes arising from the account.

Whether a cryptocurrency exchange has any liability for a fraudulent transfer under banking regulations depends on whether cryptocurrency is a “fund” under those regulations and the purpose for which the account is created. A pair of conflicting decisions arising from the theft of cryptocurrency from online broker Uphold shows that courts are attempting to navigate the application of new technology to old laws. In one case decided in February 2023, the court held the exchange liable for the fraud, but in a case decided in August 2023, another federal judge found the same exchange not liable under the same statute.

Electronic ‘Funds?’

In 1978, with the rise of “electronic” banking (and its attendant risks), Congress passed the Electronic Fund Transfer Act (“EFTA”), 15 U.S.C. § 1693. One of the purposes of the act and the underlying regulation – Regulation E, 12 C.F.R. § 1005.1 – was to set out the liability of the sender, recipient, account holder and financial institution for the theft or misdirection of “electronic funds transfers.” These included Automated Clearing House (ACH) transactions and wire transfers, and also things like the use of Automated Teller Machine (ATM) withdrawals or transfers. Under the law and regulations, for consumers (non-commercial customers), there was limited liability for unauthorized transfers, depending on whether the consumer provided the bank with notice of the unauthorized transfer. The liability to the consumer under the regulation was nominal—from $25 to $50 at most, but in practice, to encourage the use of ATMs (and reduce overall costs to banks), virtually every bank agreed to reimburse any fraud losses 100%. For more sophisticated commercial customers, Regulation E does not apply. Rather, those transactions are governed by UCC 4A-205, which immunizes financial institutions from liability for processing fraudulent transfers if the financial institution can demonstrate that it used “commercially reasonable” means of security and authentication. Indeed, many commercial account agreements contain language that requires the account holder to stipulate that the bank’s security is “commercially reasonable.”

Cryptocurrency ‘Funds’ Transfer?

Fast forward to the 2020s, and the question is whether these regulations apply to all electronic funds transfers—like cryptocurrencies. If a hacker “steals” cryptocurrency from a broker, a wallet or some other crypto transfer agent or orders the funds transferred to another wallet, is this an electronic “funds” transfer under the 1978 law? If so, the consumer (account holder) is not liable for the fraudulent transfer.

Under the statute, an “electronic funds transfer” means: “[A]ny transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account.” 15 U.S.C. § 1693a(7). Significantly, the statute defines a “financial institution” as “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person who, directly or indirectly, holds an account belonging to a consumer.” 15 U.S.C. § 1693a(9).

So, a crypto exchange holds cryptocurrency in an account (a wallet) on behalf of a customer or consumer. They “transfer” that cryptocurrency from one “account” to another at the direction of the customer. That makes them a “financial institution” and makes the transfer an “electronic funds transfer,” for which the consumer has no liability if the transfer is fraudulent or unauthorized.

That is, if—and this is a big if—cryptocurrency is a “fund” since the statute regulates the “transfer of funds.” If crypto is a commodity (like gold bullion, Dutch tulips in 1640, or Beanie Babies) and not a fund, then logic dictates that the Electronic Funds Transfer Act would not apply. Similarly, if crypto is a security, a commodity future or something other than a “fund,” the EFTA’s regulations might not apply.

In February of this year, a federal district court in New York addressed this very issue. In Rider et al v. Uphold HQ Inc. et al, No. 1:2022cv01602 (S.D.N.Y.)(Document 39, 02/22/23), the court addressed whether cryptocurrency was a “fund” under the EFTA and found that the ordinary dictionary definition of “funds” is a means of exchange that can be used to pay for goods and services. So cryptocurrency is a fund, the exchange “transfers” funds and is, therefore, a “financial institution” liable for the fraudulent transfer.

What’s an Account?

Earlier this month, in Yuille versus Uphold HQ, Dkt No. 22-cv-7453 (LJL) (S.D.N.Y., August 11, 2023), the court faced the same issue—the theft of cryptocurrency from a cryptocurrency wallet and whether or not Regulation E applied and immunized the consumer from liability. Unlike in the Rider case, however, the District Court Judge, Lewis Liman, found that Reg E did not apply—not because cryptocurrency was not a “fund,” but because a crypto wallet was not an “account” under the statute. Or, more accurately, because the crypto wallet was not established as a “consumer” account rather than a non-consumer account. The statute defines an “account” as “a demand deposit, savings deposit, or other asset account . . . established primarily for personal, family, or household purposes,” 15 U.S.C. § 1693a(2); 15 C.F.R. § 1005.2(b)(1).

So, the district court looked to the motives of the cryptocurrency account holder in establishing the account. Thus, the relevant question is whether the account was “established primarily” for profit-making purposes. The court noted that the account holder opened his account “to hold [Bitcoin]”; “to sell and reduce to dollars and transfer dollars to his bank” and “to trade crypto coins like those listed on Uphold.”

The judge found that, because the motive in investing in cryptocurrency was not for “personal, family or household purposes” but for “investment” or for a “profit motive,” the crypto wallet was not an “account” entitled to protection.

Consumer or Investor?

Cryptocurrency is supposed to serve two purposes—to be a medium of exchange to buy goods and services (from groceries to housewares, etc.) and, at the same time, to be an investment vehicle based on the speculative nature of the value of cryptocurrency. If we treat it as a medium of exchange, then losses might be protected under a law designed to protect ATM debit cards. What may be needed, however, is a comprehensive assignment of risk of fraud for unauthorized transfers of cryptocurrency either by statute, regulation or agreement.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
