The Supreme Court’s Broad Interpretation of the Bank Fraud Statute May Provide a Potent Tool in Combatting Cybercrime
The Supreme Court in Shaw v. United States recently held that the federal bank fraud statute does not require that defendants cause, or intend to cause, an actual financial loss to the financial institutions they seek to defraud.1 The Supreme Court’s decision helped resolve a longstanding dispute over whether the bank fraud statute requires that a defendant intend not only to trick a bank into giving money to the defendant, but also to cause the bank to suffer a financial loss. In addition – and perhaps inadvertently – the Supreme Court also confirmed the bank fraud statute’s place among the tools that federal law enforcement can use to tackle cybercrime.
The bank fraud statute criminalizes two different but related patterns of conduct. The first is directed at defendants who knowingly execute a scheme to defraud a financial institution.2 The second is directed at defendants who knowingly execute a scheme to obtain property held by a bank “by means of false or fraudulent pretenses, representations, or promises.”3 While § 1344(1) generally targets fraud committed directly against a bank, § 1344(2) targets fraud committed against third parties, such as retailors and vendors, to obtain bank property.
In 2014, the Supreme Court addressed the scope of the bank fraud statute’s second prong in Loughrin v. United States4 where the defendant used forged bank checks to purchase merchandise from a retailer, which he then immediately returned for cash. The Loughrin Court held that under § 1344(2) the government need only prove that the defendant intended to deceive a third party (here, the retailer) to obtain the bank property, and not the bank itself.
However, historically, in many parts of the country, if prosecutors brought charges under the first prong of the bank fraud statute – i.e., to knowingly execute a scheme to defraud a financial institution – they had to prove not only that the defendant intended to deceive a bank into divulging property in its possession, but also that the defendant intended to cause the bank a financial loss.5 This created a risk that the government might not be able to prove the elements of the offense where the defendant targeted a victim’s bank account for fraud, but where the bank itself did not suffer an actual loss.
II. The Supreme Court Provides Clarity in Shaw
In Shaw, the defendant devised a scheme to take just over $300,000 from a victim’s account at a large U.S. financial institution. Using the victim’s account and identity information, which Shaw obtained from bank statements that he stole from the victim’s mail, Shaw opened email and PayPal accounts in the victim’s name which he used to transfer money out of the victim’s bank account and into accounts that Shaw controlled. Eventually, the transfers were discovered by the victim’s son, who reported them to the financial institution. The financial institution itself suffered no loss, as it was indemnified by PayPal for any funds it was required to return to the victim. The victim himself suffered a loss of $170,000, as the financial institution, pursuant to standard banking practice, did not reimburse stolen funds that were not reported by the victim within 60 days.
On appeal, Shaw argued that he could not be convicted of bank fraud because his intended victim was not a bank – which, in any event, did not lose any money – only the individual bank customer. The Ninth Circuit rejected that argument,6 and the Supreme Court unanimously affirmed, finding that § 1344(1) requires neither a showing that a financial institution suffered actual financial harm nor a showing that the defendant intended to cause such harm to the financial institution. The Supreme Court ruled that a bank has enough of a property interest in the funds it holds on behalf of its customers that “a scheme fraudulently to obtain funds from a bank depositor’s account normally is also a scheme fraudulently to obtain property from a ‘financial institution,’” particularly where, as in this case, the defendant “knew that the bank held the deposits, the funds obtained came from the deposit account, and the defendant misled the bank in order to obtain those funds.” 7
In short, the Shaw Court held that a defendant is liable under § 1344(1) if the defendant intended to trick a bank into divulging funds under its care, custody, and control, regardless of whether the ultimate financial loss is suffered by the bank, the bank’s customer, or some other third party.8 Going forward, prosecutors may freely charge defendants who fraudulently take money from bank accounts without concern for whether the bank suffered a loss or whether the defendant intended the bank to do so.
The greatest impact of the Shaw decision may be to help the government pursue sophisticated cybercriminals and computer hackers who use stolen identity information, such as account numbers, usernames, and passwords, to plunder the bank accounts of businesses and individuals in the United States.9 Historically, such conduct would be prosecuted under the mail and wire fraud statutes,10 the National Stolen Property Act,11 or the access device fraud statute.12 Bringing prosecutions under the bank fraud statute allows the government to seek substantially higher maximum prison terms (30 years) and fines (up to $1,000,000) than for most other federal crimes, as well as a ten-year statute of limitations period. In addition to the deterrence factor, the added limitations period – which is twice as long as for most federal crimes – will allow prosecutors the extra time they may require to work with foreign law enforcement to pursue hackers located overseas.
Thus, while the Supreme Court’s decision in Shaw helped resolve an issue regarding the scope of the bank fraud statute, its most impactful application may be in providing another tool in prosecutors’ arsenal in order to effectively combat cyber thieves.
1 No. 15-5991, 580 U.S. ___ (Dec. 12, 2016), available at https://www.supremecourt.gov/opinions/16pdf/15-5991_8m59.pdf.
2 See 18 U.S.C. § 1344(1).
3 Id. § 1344(2).
4 See 134 S.Ct. 2384 (2014).
5 See, e.g., United States v. Nkansah, 699 F.3d 743,748 (2d Cir. 2012) (“[C]onvictions for bank fraud are limited to situations where ‘the defendant (1) engaged in a course of conduct designed to deceive a federally chartered or insured financial institution into releasing property; and (2) possessed an intent to victimize the institution by exposing it to actual or potential loss.’”) (quoting United States v. Barrett, 178 F.3d 643, 647-48 (2d Cir. 1999)) (emphasis added).
6 See United States v. Shaw, 781 F.3d 1130 (9th Cir. 2015).
7 Shaw, Slip Op. at 3.
8 Despite its ruling, the Supreme Court reversed Shaw’s conviction because the trial court’s jury instructions left it unclear whether the jurors had been adequately instructed as to the defendant’s intent even by the terms of the Court’s holding. Specifically, it was unclear whether the jury had been instructed that they were required to find that the defendant intended merely to deceive the bank (incorrect) or whether they were required to find that the defendant intended to deceive the bank to obtain something of value (correct). The Court remanded that question to the Ninth Circuit for further consideration.
9 Such identity information need not be obtained by physically stealing mail from a victim, as was the case in Shaw. More commonly, computer hackers located anywhere in the world can deploy malware that steals information such as account numbers and online bank login credentials from the computer networks of account holders, banks, or third parties.
10 See 18 U.S.C. §§ 1341 & 1343
11 See 18 U.S.C. §§ 2311, 2314-2315.
12 See 18 U.S.C. §§ 1029.