Jesus Alonso Alvarez Rodriguez, et al v. Branch Banking & Trust Company, et al, No. 21-11763 (11th Cir. 2022)

Annotate this Case
Justia Opinion Summary

Appellants lost over $850,000 when an alleged BB&T employee and a co-conspirator impersonated them, changed their passwords, and transferred the money out of their BB&T bank accounts. Appellants sued BB&T under contract and tort theories. The district court dismissed the tort claims as duplicative of the contract claim, concluding that Appellants’ demand was time-barred because BB&T’s standard bank account contract limited the time to assert a demand from the statutory one-year period to just 30 days. In the alternative, the district court entered summary judgment for BB&T because it concluded the bank had and had followed commercially reasonable security procedures.

The Eleventh Circuit vacated (1) the district court’s order dismissing the complaint and (2) the district court’s order entering summary judgment for BB&T on the remaining counts in the Fourth Amended Complaint, finding, as a matter of law, that Appellants’ claim for statutory repayment is not time-barred.

Download PDF
USCA11 Case: 21-11763 Date Filed: 08/26/2022 Page: 1 of 27 [PUBLISH] In the United States Court of Appeals For the Eleventh Circuit ____________________ No. 21-11763 ____________________ JESUS ALONSO ALVAREZ RODRIGUEZ, ALIXON LOURDES COLOMBO DE ALVAREZ, MARIANA ALVAREZ COLOMBO, INVERSIONES LA MARIANA C.A., ACCD, C.A., ALVAREZ & PARILLI DESPACHO DE ABOGADOS, Plaintiffs-Appellants, versus BRANCH BANKING & TRUST COMPANY, STARCHEM LLC, GUILLERMO GAMBOA, Defendants-Appellees, USCA11 Case: 21-11763 2 Date Filed: 08/26/2022 Page: 2 of 27 Opinion of the Court 21-11763 BANK OF AMERICA CORPORATION, Defendant. ____________________ Appeal from the United States District Court for the Southern District of Florida D.C. Docket No. 1:19-cv-25191-KMM ____________________ Before JORDAN, ROSENBAUM, Circuit Judges, and SCHLESINGER,* District Judge. ROSENBAUM, Circuit Judge: Jesus Alvarez Rodriguez, Alixon Colombo, their daughters, and their companies (the “Appellants”) lost over $850,000 when an alleged BB&T employee and a co-conspirator impersonated them, changed their passwords, and transferred the money out of their BB&T bank accounts. The Appellants sued BB&T and the thieves asserting contract and tort claims as well as a Florida-law statutory demand for * The Honorable Harvey E. Schlesinger, United States District Judge for the Middle District of Florida, sitting by designation. USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 3 of 27 3 repayment. 1 The district court dismissed the tort claims as duplicative of the contract claim. At summary judgment, the district court found for BB&T on the contract claim because none of the duties the Appellants claimed were breached were part of the contract. As to the statutory demand for repayment, the district court concluded that the Appellants’ demand was time-barred because BB&T’s standard bank account contract limited the time to assert a demand from the statutory one-year period to just 30 days. In the alternative, the district court entered summary judgment for BB&T because it concluded the bank had and had followed commercially reasonable security procedures. While this case was on appeal, BB&T produced discovery that, the Appellants say, could make a difference in this case. After a thorough review of the record and with the benefit of oral argument, we vacate both (1) the district court’s order dismissing the Third Amended Complaint and (2) the district court’s order entering summary judgment for BB&T on the remaining counts in the Fourth Amended Complaint. We decide as a matter of law that the Appellants’ claim for statutory repayment is not time-barred. And we remand for further proceedings consistent with this opinion. 1 Florida law generally requires banks to refund customers for fraudulent wire transfers unless the wire transfer is verified as the customer’s. USCA11 Case: 21-11763 4 Date Filed: 08/26/2022 Opinion of the Court Page: 4 of 27 21-11763 I. FACTUAL BACKGROUND AND PROCEDURAL HISTORY Because we are reviewing the district court’s summary-judgment order, we present the evidentiary background in the light most favorable to the Appellants. St. Charles Foods, Inc. v. America’s Favorite Chicken Co., 198 F.3d 815, 819 (11th Cir. 2020). The actual facts may or may not be as set forth in this opinion. A. The Plaintiffs The Appellants are Venezuelan citizens who live in Venezuela. Between 2012 and 2015, they opened personal and commercial bank accounts at a Florida branch of BB&T. The commercial bank accounts were governed by the Commercial Bank Services agreement (“CBSA”). The 2012 version 2 of the CBSA required the Appellants to notify BB&T within 30 days of any unauthorized transaction from the account. It also required that, if the Appellants did not receive a monthly bank statement, they would notify BB&T within 10 days of the regular statement date. In addition, Colombo executed, on behalf of Inversiones—a co-plaintiff and a company owned by the family—a document entitled the 2013 Treasury Management Agreement (the “TMA”). The TMA incorporated the 2012 CBSA. The TMA required the 2 This is the version that was in effect at the time of the events at issue and which the district court analyzed (without objection on appeal) at summary judgment. USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 5 of 27 5 Appellants to examine every bank statement and to notify BB&T of any unauthorized transfers within 30 days of the statement date. As a security measure to prevent unauthorized wire transfers, Inversiones and BB&T agreed to use the “CashManager Online” system. The CMOL system was a security protocol. It (1) required Inversiones to change its password every 30 days; (2) issued Inversiones a physical security token that created a one-time passcode to use to log in, as a type of dual-factor authentication; and (3) sent event notifications to alert Inversiones of “potentially suspicious” activity—like a password change. On July 11, 2016, a BB&T employee named Giancarlo Paredes changed the email account associated with the ten bank accounts from Colombo’s email to a new (fraudulent) email. Within a month, on August 10, an unknown person called BB&T and spoke with BB&T agent Juan Carlos Martinez. Martinez remembered that the caller answered the two security questions— designed to ensure that the caller was the owner of the account— correctly but didn’t recall which questions he asked. The next day, an unknown person (maybe the same, maybe a different person) emailed BB&T from the fraudulent email account and asked to set up a CashManager Online token. Martinez responded with the necessary forms to complete. The next day, the same fraudulent email sent the completed forms back. Martinez forwarded the forms to another BB&T employee, Luis Avina. Avina compared the signatures on the forms to a 2013 Inversiones corporate resolution on file: the signatures USCA11 Case: 21-11763 6 Date Filed: 08/26/2022 Opinion of the Court Page: 6 of 27 21-11763 matched. Avina then sent the forms to another BB&T employee who also confirmed that the signatures matched. Given the correct answers to the security questions and the matching signatures, BB&T sent a CashManager Online token to the Miami address listed on the form. Sometime during July and August 2016, the bank account password was changed, and Colombo could no longer access the bank accounts. Then, between August 2016 and November 2016, about $850,000 was transferred out of Inversiones’s bank account with BB&T to a company called “Starchem LLC.” Before BB&T executed the first wire transfer—for $100,000—BB&T called the phone number newly associated with the account, and the person who answered the phone identified herself as Colombo. So BB&T marked the transfer as non-fraudulent. In the meantime, locked out of their accounts, the Appellants called BB&T from Venezuela “many times” in August, September, and October 2016. But reaching a person was a struggle. They couldn’t leave messages because, in Venezuela, they had to use an operator to call the United States and if BB&T didn’t pick up, the operator would just hang up. They also sent emails but “[it] was very difficult to get a reply to an email.” Finally, in early January 2017, when the Appellants were in Panama, they were able to call BB&T directly, and they left “infinite messages.” 3 By May 3 BB&T’s first record that the transactions were reported as fraudulent is dated May 17, 2017. As we have mentioned, though, at summary judgment, we USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 7 of 27 7 2017, the Appellants had regained access to their bank accounts and discovered the stolen money. B. Procedural History The Appellants sued BB&T4 for a variety of statutory, contract, and tort claims. As for the tort claims, the district court dismissed them as duplicative of the breach-of-contract claim. In the operative pleading, the Fourth Amended Complaint, the Appellants asserted four claims against BB&T. As relevant here, the Appellants claimed that BB&T was required to refund them for the fraudulent wire transfers under Florida Statutes § 670.202. 5 The parties cross-moved for summary judgment. On the statutory repayment claim, BB&T argued that only Inversiones view the evidence in the light most favorable to the non-moving party, here, the Appellants. See B&G Enters., Ltd. v. United States, 220 F.3d 1318, 1322 (11th Cir. 2000). 4 The Appellants also asserted claims against Starchem, LLC, and Starchem’s sole manager, Vincent Gamboa, but dismissed those claims without prejudice before the district court entered final judgment. The Appellants didn’t advance any claims against Giancarlo Paredes, the man who allegedly changed the Appellants’ password. 5 The Fourth Amended Complaint had three other counts. First, the Appellants said that BB&T breached the CBSA and TMA. Second, they asserted that BB&T had violated Regulation J, 12 C.F.R. § 210.25—which governed wire transfers over the Fedwire Funds Service—by allowing the fraudulent wire transfers. And third, the Appellants sought a declaratory judgment that BB&T had breached the contract. USCA11 Case: 21-11763 8 Date Filed: 08/26/2022 Opinion of the Court Page: 8 of 27 21-11763 could state a claim because only its account was impacted. But, BB&T said, Inversiones’s claims were time-barred because the 2013 TMA required Inversiones to notify BB&T about fraudulent transactions within 30 days of the statement date, and Inversiones had failed to do so. On the merits, BB&T argued that it had (1) established commercially reasonable procedures and (2) followed those procedures, so it was not liable for any unauthorized transactions. BB&T contended that only the security procedures listed in the CashManager Online documents could be a predicate for liability. The pre-wire transfer steps, BB&T said, like changing the email, sending the forms, and sending the CashManager Online token were not part of the security procedures. BB&T claimed that the agreed-upon procedures were reasonable and that the Appellants hadn’t explained what the heightened procedures should have been. In support of its summary-judgment motion, BB&T included an expert report on the commercial reasonableness of its procedures. The Appellants responded that they all had standing to sue because the money had gone from the individual accounts to Inversiones’s account and then out to Starchem. As to timing, the Appellants said that the Florida Statutes provided a one-year timeperiod to notify a bank of an unauthorized wire transfer and further provided that the time-period could not be modified by agreement. On the merits, the Appellants contended that because they lived abroad and used the bank accounts only sparingly, BB&T should have designated those accounts as “higher risk” and applied stricter USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 9 of 27 9 anti-fraud controls. Like BB&T, the Appellants also included an expert report in support of their argument—only the Appellants’ expert opined that BB&T’s procedures weren’t commercially reasonable. And, the Appellants said, BB&T hadn’t complied with its own procedures because it failed to require in-person authentication. BB&T moved to strike the Appellants’ expert witness report as a discovery sanction for not disclosing it. It later moved to exclude the expert from testifying at trial. The district court entered summary judgment for BB&T on all four counts. As to the Appellants’ statutory repayment claim, the district court concluded that the one-year period was modifiable and that the parties had modified it. On the merits, the district court decided as a matter of law that BB&T’s procedures were commercially reasonable and that BB&T had followed them in good faith. Therefore, the district court concluded, BB&T wasn’t liable to the Appellants to repay the wire transfers. The district court denied BB&T’s motion to strike the Appellants’ expert witness as moot. The Appellants appealed. C. Post Judgment Motions BB&T moved in this court for an extension of time to file its responsive brief on appeal, explaining that it had found documents relevant to the case. In response, the Appellants moved for relief from the judgment under Rule 60, Fed. R. Civ. P., in the district USCA11 Case: 21-11763 10 Date Filed: 08/26/2022 Opinion of the Court Page: 10 of 27 21-11763 court and asked the district court to order production of the documents. The district court denied the motion without prejudice in the event of a limited remand. II. STANDARD OF REVIEW We review the grant or denial of summary judgment de novo. St. Charles Foods, Inc., 198 F.3d at 819. As we have noted, we must view all evidence and all factual inferences reasonably drawn from the evidence in the light most favorable to the nonmoving party. Id. III. ANALYSIS Ideally, we would resolve all the factual and legal issues in a single appeal to preserve “the historic federal policy against piecemeal appeals.” Sears, Roebuck & Co. v. Mackey, 351 U.S. 427, 438 (1956). But because the late-breaking discovery implicates factual issues related to the contractual, tort, and statutory repayment claims, we resolve only a single legal issue and then vacate and remand the rest of the case to the district court for discovery, repleading, and further litigation. The only issue that we decide is a question of pure law: whether the one-year period to make a demand for a refund of a fraudulent wire transfer under Florida Statutes § 670.202 may be modified by the parties. We hold that the parties may not modify that period by agreement. USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 11 of 27 11 A. The Time to Demand Repayment in § 670.202 May Not Be Modified by Agreement Before we get to the actual arguments, we need to first lay out the statutory framework. Florida adopted portions of the Uniform Commercial Code to “predict risk with certainty, to insure risk with certainty, to adjust operational and security procedures, and to price funds transfer services appropriately.” Corfan Banco Asuncion Paraguay v. Ocean Bank, 715 So. 2d 967, 970 (Fla. Dist. Ct. App. 1998) (citation omitted). In particular, in drafting Article 4A—which governs “funds transfers” and is at issue here—the drafters made “a deliberate decision . . . to write on a clean slate and to treat a funds transfer as a unique method of payment to be governed by unique rules that address the particular issues raised by this method of payment.” FLA. STAT. § 670.102 cmt. “[G]iven the very large amounts of money that are involved in funds transfers,” the drafters wrote, this was particularly important. Id. A “funds transfer” occurs when a bank customer instructs her bank—also known as a “receiving bank” because the bank receives the instruction—to send money to a second person’s bank account. Id. § 670.104. The second bank is the “beneficiary’s bank,” and this direction is called a “payment order.” Id. §§ 670.103, 670.104. If the customer has more money in her bank account than is being transferred, then “payment” occurs—and happens immediately—when the receiving bank “debits” the money from the originator’s account and the beneficiary’s bank “credits” the money to the beneficiary’s account. Id. § 670.403(1)(c) (“If the USCA11 Case: 21-11763 12 Date Filed: 08/26/2022 Opinion of the Court Page: 12 of 27 21-11763 receiving bank debits an account of the sender with the receiving bank, payment occurs when the debit is made to the extent the debit is covered by a withdrawable credit balance in the account.”). When a receiving bank—really, the paying bank—receives a payment order, it must determine whether the payment is “verified.” Id. § 670.204(1). 6 The bank and the customer may agree beforehand to security procedures to verify the authenticity of payment orders. Id. § 670.202(2). If (1) the bank and the customer agree on a security procedure, (2) the security procedure is “commercially reasonable,” and (3) the bank can prove it followed the security procedures in good faith, then payment order is “effective as the order of the customer, whether or not authorized.” Id. The term “commercially reasonable” is one we will return to later in our discussion. If a bank accepts a payment order that isn’t verified, then the bank “shall refund any payment” and “shall pay interest on the refundable amount.” Id. § 670.204(1). There is a penalty for failing to timely report a fraudulent transfer, though: the customer isn’t entitled to the interest if the customer failed to exercise ordinary care and to notify the bank of the fraudulent transfer within a reasonable time that cannot exceed 90 days. Id. Florida provides that 6 A payment order can also be “authorized.” Id. § 670.202(1). “Authorized” payment orders aren’t relevant to this case because the parties don’t dispute on appeal whether the fraudulent email sender was an authorized person on the account. We therefore do not discuss authorized payment orders further. USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 13 of 27 13 a “[r]easonable time” may be fixed by agreement, but—crucially— “the obligation of a receiving bank to refund payment” may not be varied by agreement. Id. § 670.202(2). We realize this is a bit of a slog, but we have just two more provisions to wade through: First, Chapter 670 has a general rule that “the rights and obligations of a party to a funds transfer may be varied by agreement of the affected party.” Id. § 670.501(1). But importantly, that general rule does not apply to “670” sections when “otherwise provided in this chapter.” Id. And second, if a bank receives “payment from its customer with respect to a payment order”—which happens immediately when the customer has more money in his or her account than the outgoing payment order—then “the customer is precluded from asserting that the bank is not entitled to retain the payment unless the customer notifies the bank of the customer's objection to the payment within one year after the notification was received by the customer.” Id. § 670.505 (emphasis added). The comment further explains the one-year rule. “This section is in the nature of a statute of repose . . . . A receiving bank that executes payment orders of a customer may have received payment from the customer by debiting the customer’s account with respect to a payment order that the customer was not required to pay.” Id. cmt. “For example,” the comment explains, “the payment order may not have been authorized or verified pursuant to Section 4A-202 . . . . In either case the receiving bank is obliged to refund the payment to the customer and this obligation USCA11 Case: 21-11763 14 Date Filed: 08/26/2022 Opinion of the Court Page: 14 of 27 21-11763 to refund payment cannot be varied by agreement.” Id. The oneyear statute of repose also applies when “the funds transfer [wasn’t] completed . . . [or] if the receiving bank is not entitled to payment from the customer because the bank erroneously executed a payment order [under Section 303] . . . or [when] the sender of a payment order pays the order and was not obliged to pay all or part of the amount paid [under Section 402(4)].” Id. To recap, Section 670.501 provides that any section in Chapter 670 is modifiable by agreement “except as otherwise provided.” Id. § 670.501. Section 670.204 requires a bank to refund a payment order if it was not verified (unless the bank followed commercially reasonable security procedures in good faith), and this obligation may not be varied by agreement. Id. § 670.204(1). And Section 670.505 provides that a customer may not assert a claim for a refund for a fraudulent transfer after one year after the customer received notice of the transfer. Id. § 670.505. We now turn to the dispute here: is the one-year period in Section 670.505 modifiable by the parties? BB&T argues that it is modifiable and that the parties shortened it to 30 days. So because the Appellants didn’t notify BB&T of the fraudulent wire transfer within 30 days of the last statement in November 2017, BB&T asserts, the Appellants’ claim for statutory repayment is time-barred. For their part, the Appellants respond that the period in Section 670.505 cannot be varied by agreement. So by their assessment, their notification to BB&T (either in January 2017 or May 2017) fell within a year of the last statement containing notice of USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 15 of 27 15 the fraudulent transfer in November 2017 and was therefore timely. We agree with the Appellants. As always with statutory interpretation, we start with the text. 7 GTC Inc. v. Edgar, 967 So. 2d 781, 785 (Fla. 2007). When it comes to Florida’s adoption of the UCC, Florida courts have explained that the commentary is persuasive, but not controlling, authority. United Auto. Ins. Co. v. Rivero Diagnostic Ctr., 327 So. 3d 376, 380 n.2 (Fla. Dist. Ct. App. 2021); See, e.g., Corfan Banco Asuncion Paraguay, 715 So. 2d at 970 (noting that “[a]lthough the commentary to the UCC is not controlling authority, we are persuaded by the expressed intent of the drafters” (internal citations omitted); Allen v. Coates, 661 So. 2d 879, 882 (Fla. Dist. Ct. App. 1995) (“[W]e are guided by the official comments of the Uniform Commercial Code adopted in Florida.”). Finally, under Florida law, “[w]here possible, courts must give full effect to all statutory provisions and construe related statutory provisions in harmony with one 7 As a federal court sitting in diversity jurisdiction, we apply Florida’s substantive law. McMahan v. Toto, 256 F.3d 1120, 1131–32 (11th Cir. 2001) (citing Erie R.R. Co. v. Tompkins, 304 U.S. 64 (1938)). The parties haven’t identified—and we haven’t found—any Florida Supreme Court or intermediate appellate court decisions on this point. So we apply the relevant principles of Florida law as the Florida Supreme Court has explained them. SA Palm Beach, LLC v. Certain Underwriters at Lloyd’s London, 32 F.4th 1347, 1357 (11th Cir. 2022) (“We therefore consider whatever might lend us insight, including relevant state precedents, analogous decisions, considered dicta, scholarly works, and any other reliable data tending convincingly to show how the Florida Supreme Court would decide the issue at hand.”) (citations omitted & alterations adopted). USCA11 Case: 21-11763 16 Date Filed: 08/26/2022 Opinion of the Court Page: 16 of 27 21-11763 another.” Forsythe v. Longboat Key Beach Erosion Control Dist., 604 So. 2d 452, 455 (Fla. 1992). The Appellants have the better reading here for three reasons. First, BB&T’s reading ignores the text of Section 670.204. That section makes an important distinction between (1) a fraudulent transfer and (2) the interest that fraudulent transfer would have accumulated had it not been fraudulently transferred. Under that section, if a customer fails to notify a bank of a fraudulent transfer within “a reasonable time,” the sole penalty is that the customer loses the interest on the refunded payment. Id. § 670.204(1). As the commentary explains, “the bank is not entitled to any recovery from the customer based on negligence for failure to inform the bank. Loss of interest is in the nature of a penalty on the customer designed to provide an incentive for the customer to police its account.” Id. § 670.203 cmt. In other words, Florida made a policy choice about who should bear the risk of a fraudulent transfer: the bank or the account holder. It chose the bank. Indeed, the commentary expressly says so: “There is no intention to impose a duty on the customer that might result in shifting loss from the unauthorized order to the customer.” Id. § 670.203 cmt. That makes sense because banks control the security of their deposits, and they are in the best position to safeguard them. So when banks bear the risk, that motivates them to create and enforce better security for the deposits. But BB&T asks us to allow parties to shift the loss of an unauthorized order to the customer USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 17 of 27 17 during the statutorily determined period. The statute does not support such a reading. After all, if the one-year statutory notice period could be varied, then banks could insist that customers sign contracts that make the time to demand a refund of a fraudulent payment a day (or even less). That would impair the account holder’s right to a refund and defeat Florida’s intent that banks—not account holders— bear the risk of a fraudulent transfer for the first year following the transfer. And there’s no limiting principle in the text for how short banks could make the statutory refund period. Nor was BB&T able to identify one at oral argument. So if banks could modify the oneyear period, there’s no principled way to draw the line as to how short of a refund period is too short. There’s also another problem: Section 670.204 imposes a 90day notification period for an account holder to obtain, in addition to her refund, interest on the fraudulent transfer. To be sure, Florida expressly authorized the shortening of that period from 90 days to a “reasonable” period. But that just proves the point. In other words, even though § 670.204(2) authorizes modification to a “[r]easonable period” of the 90-day period during which the customer is entitled to receive interest as well as a refund, it prohibits any changes to the bank’s obligation “to refund payment as stated in subsection (1).” Fla. Stat. § 670.204(2). And Florida did not authorize modification to a “reasonable” period for the oneyear period to which the 90-day period is directly related. So if BB&T were right, then the parties could modify the 90-day period USCA11 Case: 21-11763 18 Date Filed: 08/26/2022 Opinion of the Court Page: 18 of 27 21-11763 to a “reasonable” shorter period, and they could also modify the one-year period to be “[un]reasonabl[y]” short, because there is no textual requirement that the one-year period be “reasonable.” In fact, that one-year period could be modified to be the same as or even shorter than the “reasonable” refund notice period—because, on their faces and unlike for the 90-day period, the statutes do not limit the changes to the one-year period to “reasonable” ones. That would certainly “impair” the right to refund payment, in violation of § 670.204(2)’s prohibition on doing so. Such a result would also make no sense, given the 90-day/one-year-period structure for both putting the risk of fraudulent transfers on the bank and providing incentives in the form of interest on the fraudulently transferred amount to account holders to timely report fraudulent transfers. For that structure to work, the statutory notice period for receiving a refund must be (at least) longer than the notice period for also getting interest. And it must be meaningfully longer. We are not the first ones to reach this conclusion. The New York Court of Appeals and the Second Circuit also determined that the one-year refund period cannot be modified when it was interpreting New York law (which is identical to Florida’s). As the New York Court of Appeals recognized, “[p]ermitting banks to vary the notice period by agreement would reduce the effectiveness of the statute’s one-year period of repose as an incentive for banks to create and follow security procedures.” Regatos v. North Fork Bank, 838 N.E.2d 629, 633 (N.Y. 2005). “To vary the period of repose would, in effect, impair the customer’s section 4–A–204 (1) right to USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 19 of 27 19 a refund, a modification that section 4–A–204 (2) forbids.” Id. See also Regatos v. North Fork Bank, 431 F.3d 394, 395 (2d Cir. 2005). The second reason the Appellants have the better argument stems from the fact that Section 204 is narrower than Section 505. In Florida, a specific provision generally controls over a broader one. McGregor v. Fowler White Burnett, P.A., 332 So. 3d 481, 491 (Fla. Dist. Ct. App. 2021). Section 204 concerns only unauthorized or unverified wire transfers and a bank’s duty to refund. FLA. STAT. § 670.204. Section 505, on the other hand, provides a statute of repose for objecting to all debits to a customer’s account. Id. § 670.505 cmt. It applies to unauthorized or unverified transfers, see id. § 670.202, to uncompleted funds transfers, and to erroneously executed payment orders, see id. § 670.303. It also applies where the sender of a payment order pays the order but “was not obliged to pay all or part of the amount paid.” Id. § 670.402(d). Because Section 204 is narrower than Section 505, where Section 204 and 505 conflict, Section 204 controls. McGregor, 332 So. 3d at 491. And here, that conflict counsels against allowing the parties to modify the time to demand a refund. Third, the commentary to Section 505 describes it as like a “statute of repose.” FLA. STAT. § 670.505 cmt. Statutes of repose, unlike statutes of limitations, can be referred to as “jurisdictional” and are not subject to waiver or tolling. See Nat’l Auto Serv. Ctrs., Inc. v. F/R 550, LLC, 192 So. 2d 498, 513 (Fla. Dist. Ct. App. 2016) (explaining that statutes of repose “erect an absolute bar to the assertion of the extinguished cause of action that is analogous to a USCA11 Case: 21-11763 20 Date Filed: 08/26/2022 Opinion of the Court Page: 20 of 27 21-11763 jurisdictional statute of nonclaim”); see also John R. Sand & Gravel Co. v. United States, 552 U.S. 130, 133–34 (2008). Given that (1) Section 505 is like a statute of repose, see FLA. STAT. § 670.505 cmt., and therefore jurisdictional and that (2) we do not allow parties to create subject matter jurisdiction by agreement, it would make little sense to allow parties to modify Section 505 by agreement. See Morrison v. Allstate Indem. Co., 228 F.3d 1255, 1261 (11th Cir. 2000) (“[Subject matter jurisdiction] cannot be created by the consent of the parties.”). BB&T makes two arguments against this conclusion—both unpersuasive. First, BB&T argues that the Florida intermediate appellate case Cheese & Grill Restaurant, Inc. v. Wachovia Bank, N.A., 970 So. 2d 372 (Fla. Dist. Ct. App. 2007), shows that Florida courts have permitted variation by agreement of analogous notice periods. We don’t find Cheese & Grill persuasive in this context. In Cheese & Grill, the Third DCA affirmed summary judgment for a bank that had paid fraudulent checks because, under the banking contract, the restaurant had a duty to report bad checks within thirty days. Id. This case isn’t controlling or even persuasive because, as BB&T conceded at oral argument, there are important differences between funds transfers (regulated in Chapter 670) and checks (regulated in Chapter 674). Oral Arg. at 35:14. Indeed, in passing Chapter 670, the commentators pointed out that Florida made “a deliberate decision” to write on a clean slate from its regulation of other instruments because of “the very large amounts of money that are involved in funds transfers.” FLA. STAT. USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 21 of 27 21 § 670.102 cmt. Given the legislature’s “deliberate decision” to “use precise and detailed rules” for funds transfers, we won’t apply a case involving bad checks here, where six-figure wire transfers are at issue. Id. Second, BB&T says that Section 505—the one-year period— doesn’t have any language prohibiting variation by agreement. BB&T’s argument goes like this: Section 501 provides that every provision in Chapter 670 can be varied unless “[e]xcept as otherwise provided.” Id. § 670.501(1). Section 505 has no such limitation. Id. § 670.505. Other provisions, BB&T points out, do. See, e.g., FLA. STAT. §§ 670.202(6), 670.305(6), 670.402(6), 670.403(3). Thus, BB&T concludes, we should interpret Section 505 as not containing a limitation against modification. [Id.] This argument sounds a bit like the negative-implication canon. Cf. A. Scalia and B. Garner, READING LAW: THE INTERPRETATION OF LEGAL TEXTS 107 (2012) (“The expression of one thing implies the exclusion of others.”). It isn’t quite the negative-implication canon because we aren’t considering what is and isn’t expressed in Section 505; rather, we are comparing the expression of a prohibition against modification in some parts of Chapter 670 with its absence in Section 505. BB&T makes a fair argument, but ultimately, we find it unpersuasive for two reasons. First, as we discussed earlier, see supra at 17 and 18, Section 670.204 limits modifications to the 90-day period to receive interest to “reasonable” periods. FLA. STAT. § 670.204(2). But if we applied the negative implication canon to this statute, it would mean that the one-year period to assert a USCA11 Case: 21-11763 22 Date Filed: 08/26/2022 Opinion of the Court Page: 22 of 27 21-11763 claim for a refund could be modified to be unreasonably short— even shorter than the interest period—because there is, after all, no use of the word “reasonable” in Sections 670.501 and 670.505. Id. §§ 670.501; 670.505. As we’ve explained, that can’t be right. Second, even Justice Scalia and Bryan Garner, after all, recognized that “[n]o canon of interpretation is absolute” and “[e]ach may be overcome by the strength of differing principles that point in other directions.” Scalia and Garner, READING LAW at 59. See also id. at 107 (“Virtually all the authorities who discuss the negative-implication canon emphasize that it must be applied with great caution, since its application depends so much on context.”). A principle pointing in a different direction is “the presumption against ineffectiveness.” Id. at 63. The presumption against ineffectiveness provides that “a textually permissible interpretation that furthers rather than obstructs the document’s purpose should be favored.” Id. at 63. Here, BB&T’s interpretation—that the oneyear time-period isn’t an unmodifiable obligation referenced in Section 670.204—would allow banks to eviscerate the protection Section 670.204 creates. See Regatos v. North Fork Bank, 838 N.E.2d at 633 (“To vary the period of repose would, in effect, impair the customer’s section 4–A–204 (1) right to a refund[.]”). The Appellants’ alternate interpretation—the one-year period is an unmodifiable obligation referenced in Section 670.204—is reasonable and furthers the text’s purpose, so we adopt it. See FLA. STAT. § 670.204 cmt. (“There is no intention to impose a duty on the customer that USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Page: 23 of 27 Opinion of the Court 23 might result in shifting loss from the unauthorized order to the customer.”). As the New York Court of Appeals recognized, Article 4A was intended “to promote the finality of banking operations and to give the bank relief from unknown liabilities of potentially infinite duration.” Regatos, 838 N.E. 2d at 403. We will not alter “the statute’s fine-tuned balance between the customer and the bank as to who should bear the burden of unauthorized transfers.” Id. B. Commercially Reasonable Security Procedures Given our conclusion that the one-year period in Section 505 isn’t modifiable by agreement—and there is no dispute that the Appellants gave notice within one year—we would ordinarily next turn to whether BB&T’s security procedures were “commercially reasonable” as defined in Section 670.202. But here, we will wait for further proceedings rather than decide the question. Section 670.202 provides that a bank has a safe harbor from refunding fraudulent wire transfers if the bank and the customer agreed upon “commercially reasonable” security procedures and the bank followed those procedures in good faith. FLA. STAT. § 670.202(2). A security procedure is “established by agreement of a customer and a receiving bank” and does not include a bank’s unilaterally adopted internal processes. Id. § 670.201 & cmt. Whether a security procedure is “commercially reasonable” is “a question of law” to be determined by considering all the following: (1) the circumstances of the customer known to the bank (including the size, type, and frequency of payment orders); (2) alternate USCA11 Case: 21-11763 24 Date Filed: 08/26/2022 Opinion of the Court Page: 24 of 27 21-11763 security procedures offered to the customer; and (3) security procedures in general use by customers and receiving banks similarly situated. Id. The commentary explains that “[a] security procedure is not commercially unreasonable simply because another procedure might have been better or because the judge deciding the question would have opted for a more stringent procedure.” Id. § 670.203 cmt. “Rather it is whether the procedure is reasonable for the particular customer and the particular bank, which is a lower standard.” Id. The commentary continues, “On the other hand, a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable.” Id. For three reasons, we vacate the district court’s conclusion that BB&T’s procedures were commercially reasonable and remand the case for the district court to determine whether the procedures were commercially reasonable and if so, whether there is a genuine issue of material fact that those procedures were followed. First, BB&T has produced additional discovery. We aren’t sure whether these new documents will alter the district court’s conclusion about commercial reasonableness. But the district court should have the first opportunity to rule on the importance of the documents. See Fla. v. Cohen, 887 F.2d 1451, 1455 (11th Cir. 1989) (“[A] remand to the district court for further proceedings is USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 25 of 27 25 necessary because new evidence has been developed that may shift the district court’s assessment of the issue.”). Second, we aren’t sure what the parameters of the security procedures at issue in this case are. The district court held that the security procedure at issue was the use of the token authentication system. But it did not discuss (and exclude or include) other measures Appellants say could be part of the security procedures: event notification, required password changes (both mentioned in the 2013 TMA) as well as security questions, signature authentication, and payment limits. On remand, the district court should explain which procedures are part of what the parties agreed to and which are excluded as the bank’s unilateral internal operations. And third, both sides submitted expert witness reports. In concluding that the security procedures were commercially reasonable, the district court cited to and relied on BB&T’s expert report. But it did not mention the Appellants’ expert report. This could be because the district court wasn’t considering the report. But while BB&T moved to exclude the Appellants’ expert witness as a sanction for non-disclosure, the district court denied the motion as moot. On remand, the district court should explain whether it will consider the Appellants’ expert witness. In addition, the district court should apply the factors laid out by statute to the Appellants in this case—that is, whether the procedures were reasonable as applied to the Appellants—not whether the security procedures are commercially reasonable in the abstract. FLA. STAT. § 670.201 & cmt. (explaining that whether a security procedure is USCA11 Case: 21-11763 26 Date Filed: 08/26/2022 Opinion of the Court Page: 26 of 27 21-11763 commercially reasonable turns on the circumstances of the customer as known to the bank). So while we could decide whether the security procedures were commercially reasonable because it is a question of law, we think it prudent for the district court to do so based on the complete record. IV. CONCLUSION In sum, we hold that the district court erred in concluding that the parties could modify the one-year period to assert a claim for repayment under Section 670.204. As a result, the court erroneously concluded that the Appellants had failed to give timely notice. We REVERSE the district court on this point. 8 And, because BB&T produced new discovery, we VACATE the district court’s orders (1) dismissing the tort claims in the Third Amended Complaint and (2) entering summary judgment against the Appellants on their contractual, statutory, and declaratory judgment claims for relief. Given BB&T’s late production of discovery, on remand, the district court should allow the Appellants to take new discovery based on the recently produced discovery and, if necessary, to replead their claims. 8 We do not decide whether any of the Appellants other than Inversiones had standing to assert a claim for repayment because the new discovery may implicate the district court’s decision on this point and because, as long as Inversiones has standing, we have jurisdiction. USCA11 Case: 21-11763 21-11763 Date Filed: 08/26/2022 Opinion of the Court Page: 27 of 27 27 REVERSED IN PART, VACATED IN PART, AND REMANDED WITH INSTRUCTIONS.9 9 All pending motions are DENIED AS MOOT.
Primary Holding
The Eleventh Circuit held, as a matter of law that Appellants’ claim for statutory repayment were not time-barred, and remanded for further proceedings.

Disclaimer: Justia Annotations is a forum for attorneys to summarize, comment on, and analyze case law published on our site. Justia makes no guarantees or warranties that the annotations are accurate or reflect the current state of law, and no annotation is intended to be, nor should it be construed as, legal advice. Contacting Justia or any attorney through this site, via web form, email, or otherwise, does not create an attorney-client relationship.