Widjaja v. JPMorgan Chase Bank, N.A., No. 20-55862 (9th Cir. 2021)

Annotate this Case
Justia Opinion Summary

Plaintiff filed suit under the Electronic Fund Transfer Act (EFTA) against JPMorgan Chase Bank, alleging that she was the victim of unauthorized electronic fund transfers from her checking account at Chase. Chase reimbursed plaintiff for some of those losses, but refused to repay $300,000 of the funds stolen from her account. The district court dismissed plaintiff's complaint at the pleading stage on the ground that her lengthy delay in reporting the unauthorized withdrawals to Chase barred her claims as a matter of law.

The Ninth Circuit concluded that the district court misinterpreted the relevant provision of the EFTA and reversed the dismissal of plaintiff's EFTA claim. The panel concluded that, under 15 U.S.C. 1693g(a), a consumer may be held liable for unauthorized transfers occurring after the 60-day period only if the bank establishes that those transfers "would not have occurred but for the failure of the consumer" to timely report the earlier unauthorized transfer reflected on her bank statement. In this case, plaintiff met her pleading burden by alleging facts plausibly suggesting that even if she had reported an unauthorized transfer within the 60-day period, the subsequent unauthorized transfers for which she sought reimbursement would still have occurred. The panel affirmed the district court's dismissal of plaintiff's state law claims, concluding that plaintiff's claim for breach of contract failed because a Privacy Notice appended to her Deposit Account Agreement did not impose any substantive duties on Chase. Furthermore, plaintiff's claim for breach of the implied covenant of good faith and fair dealing failed because the Deposit Account Agreement expressly permitted Chase to close plaintiff’s accounts.

Court Description: Electronic Fund Transfer Act. The panel affirmed in part and reversed in part the district court’s dismissal of an action under the Electronic Fund Transfer Act against JPMorgan Chase Bank. Reversing the dismissal of plaintiff’s claim under the EFTA or its California counterpart and remanding, the panel held that, to avoid liability for unauthorized electronic fund transfers, a consumer must report an unauthorized withdrawal within 60 days after a bank sends a monthly statement reflecting the withdrawal. The panel held that plaintiff did not plausibly allege extenuating circumstances excusing her failure to report unauthorized withdrawals, and notice to Chase from a third-party source did not excuse her failure to report. Nonetheless, under 15 U.S.C. § 1693g(a), a consumer may be held liable for unauthorized transfers occurring after the 60-day period only if the bank establishes that those transfers “would not have occurred but for the failure of the consumer” to timely report the earlier unauthorized transfer reflected on her bank statement. The panel held that plaintiff met her pleading burden by alleging facts plausibly suggesting that even if she had reported an unauthorized transfer within the 60-day period, the subsequent unauthorized transfers for which she sought reimbursement would still have occurred. Affirming the dismissal of additional state law claims, the panel held that plaintiff’s claim for breach of contract WIDJAJA V. JPMORGAN CHASE BANK 3 failed because a Privacy Notice appended to her Deposit Account Agreement did not impose any substantive duties on Chase. The panel held that plaintiff’s claim for breach of the implied covenant of good faith and fair dealing failed because the Deposit Account Agreement expressly permitted Chase to close plaintiff’s accounts.
Download PDF
FOR PUBLICATION UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT MARGARETHA NATALIA WIDJAJA, Plaintiff-Appellant, v. JPMORGAN CHASE BANK, N.A., a national banking association, Defendant-Appellee, No. 20-55862 D.C. No. 2:19-cv-07825MWF-AFM OPINION Appeal from the United States District Court for the Central District of California Michael W. Fitzgerald, District Judge, Presiding Argued and Submitted July 6, 2021 Pasadena, California Filed December 20, 2021 Before: D. Michael Fisher, * Paul J. Watford, and Patrick J. Bumatay, Circuit Judges. Opinion by Judge Watford * The Honorable D. Michael Fisher, United States Circuit Judge for the U.S. Court of Appeals for the Third Circuit, sitting by designation. 2 WIDJAJA V. JPMORGAN CHASE BANK SUMMARY ** Electronic Fund Transfer Act The panel affirmed in part and reversed in part the district court’s dismissal of an action under the Electronic Fund Transfer Act against JPMorgan Chase Bank. Reversing the dismissal of plaintiff’s claim under the EFTA or its California counterpart and remanding, the panel held that, to avoid liability for unauthorized electronic fund transfers, a consumer must report an unauthorized withdrawal within 60 days after a bank sends a monthly statement reflecting the withdrawal. The panel held that plaintiff did not plausibly allege extenuating circumstances excusing her failure to report unauthorized withdrawals, and notice to Chase from a third-party source did not excuse her failure to report. Nonetheless, under 15 U.S.C. § 1693g(a), a consumer may be held liable for unauthorized transfers occurring after the 60-day period only if the bank establishes that those transfers “would not have occurred but for the failure of the consumer” to timely report the earlier unauthorized transfer reflected on her bank statement. The panel held that plaintiff met her pleading burden by alleging facts plausibly suggesting that even if she had reported an unauthorized transfer within the 60-day period, the subsequent unauthorized transfers for which she sought reimbursement would still have occurred. Affirming the dismissal of additional state law claims, the panel held that plaintiff’s claim for breach of contract ** This summary constitutes no part of the opinion of the court. It has been prepared by court staff for the convenience of the reader. WIDJAJA V. JPMORGAN CHASE BANK 3 failed because a Privacy Notice appended to her Deposit Account Agreement did not impose any substantive duties on Chase. The panel held that plaintiff’s claim for breach of the implied covenant of good faith and fair dealing failed because the Deposit Account Agreement expressly permitted Chase to close plaintiff’s accounts. COUNSEL Paro Astourian (argued), Astourian & Associates Inc., Pasadena, California, for Plaintiff-Appellant. Karin L. Bohmholdt (argued) and Blakeley S. Oranburg, Greenburg Traurig LLP, Los Angeles, California, for Defendant-Appellee. OPINION WATFORD, Circuit Judge: To address concerns raised by the increasing prevalence of electronic banking transactions, Congress enacted the Electronic Fund Transfer Act of 1978 (EFTA), 15 U.S.C. § 1693 et seq. Lawmakers viewed such transactions— processed through computer networks without human interaction—as “much more vulnerable to fraud, embezzlement, and unauthorized use than the traditional payment methods.” Bank of America v. City and County of San Francisco, 309 F.3d 551, 564 (9th Cir. 2002) (quoting H.R. Rep. No. 95-1315, at 2 (1978)). Consumer groups urged Congress to provide protection from liability for unauthorized transfers, similar to the protection Congress had already afforded for unauthorized credit card charges. 4 WIDJAJA V. JPMORGAN CHASE BANK See 15 U.S.C. § 1643(a) (imposing a $50 cap on liability for unauthorized credit card use); Lewis M. Taffer, The Making of the Electronic Fund Transfer Act: A Look at Consumer Liability and Error Resolution, 13 U.S.F. L. Rev. 231, 238 (1979). Congress responded in the EFTA by imposing a similar, but not identical, cap on a consumer’s liability for unauthorized electronic fund transfers. The plaintiff in this case, Margaretha Widjaja, alleges that she was the victim of unauthorized electronic fund transfers from her checking account at JPMorgan Chase Bank (Chase). Identity thieves made a series of unauthorized withdrawals that ultimately totaled more than half a million dollars. Chase reimbursed Widjaja for some of those losses, but it has refused to repay $300,000 of the funds stolen from her account. Widjaja sued Chase for violating the EFTA, alleging that the bank has imposed liability on her in excess of what the EFTA allows. The district court dismissed Widjaja’s complaint at the pleading stage on the ground that Widjaja’s lengthy delay in reporting the unauthorized withdrawals to Chase barred her claims as a matter of law. We conclude that the district court misinterpreted the relevant provision of the EFTA and reverse the dismissal of Widjaja’s EFTA claim. I According to the complaint, whose allegations we accept as true at this stage of the litigation, Widjaja is a foreign national who held several accounts at Chase, including the checking account at issue here. Although she maintains a residence in California, Widjaja resides primarily outside the United States and spends a significant portion of the year traveling overseas. WIDJAJA V. JPMORGAN CHASE BANK 5 Widjaja alleges that, through unknown means, unidentified individuals gained access to her Chase checking account in October 2017 and began making unauthorized withdrawals without her knowledge. The first withdrawal involved a transfer on October 31 of less than two dollars to Union Bank, followed by a much larger transfer of $29,000 to Union Bank on November 2. This second transfer aroused Union Bank’s suspicion, which led it to contact Chase’s fraud department. The banks jointly determined that the transaction was fraudulent, as the Union Bank customer who received the $29,000 had no relationship with Widjaja. Union Bank accordingly refunded the money to Widjaja’s Chase account. Although Chase learned through this episode that Widjaja’s account had been compromised, it did nothing to protect her account from further unauthorized withdrawals. It did not change Widjaja’s account number and password or freeze her account. Nor did it inform her that an unauthorized transfer had taken place. Due to this inaction, Widjaja alleges, the same individuals were able to make more than 100 unauthorized withdrawals from her checking account between November 2017 and March 2019. Widjaja did not report any of the unauthorized withdrawals to Chase until March 2019. She does not dispute that each of the withdrawals appeared on the monthly bank statements Chase sent her. Widjaja alleges that, between November 2017 and March 2019, she was traveling overseas and had “very limited or no” internet access to check her bank statements. When Widjaja returned to California in March 2019, she reviewed her statements and noticed the unauthorized withdrawals. She reported them to Chase and thereafter the withdrawals stopped. 6 WIDJAJA V. JPMORGAN CHASE BANK Chase reimbursed Widjaja for some of the unauthorized withdrawals through its internal dispute resolution process. But it has refused to reimburse her for $300,000 of the losses she suffered, citing her failure to report the initial unauthorized withdrawals within 60 days of their appearance on her bank statements, as the EFTA ordinarily requires. See 15 U.S.C. §§ 1693f(a), 1693g(a); 12 C.F.R. § 1005.6(b)(3). 1 In June 2019, Widjaja filed this action against Chase. After amending her complaint, she asserted four claims: (1) violation of the EFTA or, alternatively, California’s EFTA counterpart, Cal. Comm. Code § 11101 et seq.; (2) breach of contract; (3) breach of the implied covenant of good faith and fair dealing; and (4) negligence. The district court granted Chase’s motion to dismiss under Federal Rule of Civil Procedure 12(b)(6). The court agreed with Chase that the EFTA generally requires consumers to report an unauthorized withdrawal within 60 days after the bank sends a monthly statement reflecting the withdrawal. Because it is undisputed that Widjaja failed to report the withdrawals at issue within that time frame, the court held that the EFTA bars her claim as a matter of law. The court therefore dismissed Widjaja’s EFTA claim with prejudice, along with her remaining state law claims. 1 Regulation E, which implements the EFTA, was originally promulgated by the Board of Governors of the Federal Reserve System and published in Part 205 of Title 12 of the Code of Federal Regulations. See 12 C.F.R. § 205.1(a). After the Dodd-Frank Act transferred rulemaking authority to the Consumer Financial Protection Bureau, the Bureau republished Regulation E in Part 1005 of Title 12. See Electronic Fund Transfers (Regulation E), 76 Fed. Reg. 81,020 (Dec. 27, 2011); 12 C.F.R. § 1005.1(a). The provisions relevant to this case, now found at 12 C.F.R. § 1005.6, are identical to the provisions in 12 C.F.R. § 205.6. WIDJAJA V. JPMORGAN CHASE BANK 7 II This appeal requires us to interpret the EFTA provision limiting a consumer’s liability for unauthorized electronic fund transfers, 15 U.S.C. § 1693g. The provision states that in most instances a consumer’s liability for an unauthorized transfer (or a series of related unauthorized transfers, see 12 C.F.R. § 1005.6(b)) may not exceed $50. That baseline cap on liability is subject to two exceptions, however. The first exception raises the cap to $500 when the unauthorized transfers occur due to the loss or theft of an access device (such as an ATM card) and the consumer fails to notify her bank within two business days of learning that the device has been lost or stolen. 15 U.S.C. § 1693g(a); see 12 C.F.R. § 1005.6(b)(2). The second exception—the one relevant here—provides that the cap on liability will be lifted if: (1) an unauthorized transfer appears on the monthly statement banks must send to consumers under 15 U.S.C. § 1693d(c); (2) the consumer fails to report the unauthorized transfer to her bank within 60 days after the statement is sent to her; and (3) the bank can establish that unauthorized transfers made after the 60-day period would not have occurred but for the consumer’s failure to provide timely notice of the earlier unauthorized transfer. 15 U.S.C. § 1693g(a). In that scenario, the consumer’s liability for unauthorized transfers that occur within the 60-day period cannot exceed $50 or $500 (depending on the circumstances), but the consumer faces unlimited liability for unauthorized transfers occurring outside the 60-day period. See 12 C.F.R. § 1005.6(b)(3); 12 C.F.R. pt. 1005, Supp. I, 6(b)(3) ¶ 1. 8 WIDJAJA V. JPMORGAN CHASE BANK The statutory language creating this second exception reads as follows: Notwithstanding the [default liability cap], reimbursement need not be made to the consumer for losses the financial institution establishes would not have occurred but for the failure of the consumer to report within sixty days of transmittal of the statement (or in extenuating circumstances such as extended travel or hospitalization, within a reasonable time under the circumstances) any unauthorized electronic fund transfer or account error which appears on the periodic statement provided to the consumer under section 1693d of this title. 15 U.S.C. § 1693g(a); see also 12 C.F.R. § 1005.6(b)(3). A neighboring subsection makes clear that the bank bears the burden of proving that “the conditions of liability set forth in subsection (a) have been met.” 15 U.S.C. § 1693g(b). Widjaja does not dispute that she failed to report any of the unauthorized withdrawals to Chase within the 60-day period set by the EFTA. She contends instead that her compliance with the 60-day reporting requirement was excused for two reasons, both of which, we conclude, the district court properly rejected. First, Widjaja asserts that, during her time abroad, she had “very limited or no access to her banking records and/or to the internet,” and that her extended international travel thus constituted “extenuating circumstances” under § 1693g(a). The district court held that this cursory allegation does not plausibly explain how someone with Widjaja’s financial means lacked adequate internet access to WIDJAJA V. JPMORGAN CHASE BANK 9 view her banking records for more than a year. We agree with the district court that Widjaja has not plausibly alleged “extenuating circumstances” excusing her failure to timely report the unauthorized withdrawals. Second, Widjaja contends that she did not need to report the unauthorized withdrawals to Chase because it was already aware of the initial $29,000 withdrawal in November 2017 by virtue of its communications with Union Bank. The district court properly rejected this argument as well. Section 1693g(a) plainly states that “the consumer” must report an unauthorized withdrawal to her bank within the prescribed 60-day period to avoid facing potentially unlimited liability for subsequent withdrawals occurring after that period. The statute says nothing about a bank receiving notice from third-party sources unaffiliated with the consumer. It is true that a different portion of § 1693g(a) refers to losses that occur “prior to the time the financial institution is notified of, or otherwise becomes aware of, circumstances which lead to the reasonable belief that an unauthorized electronic fund transfer involving the consumer’s account has been or may be effected.” § 1693g(a) (emphasis added); see also 12 C.F.R. § 1005.6(b)(5)(iii) (notice is deemed “constructively given when the institution becomes aware of circumstances leading to the reasonable belief that an unauthorized transfer” has taken place). But that language addresses whether the default cap on liability for unauthorized transfers will be $50 or some lesser amount. When the statute addresses the issue relevant here—the circumstances under which the default cap on liability will be lifted—it 10 WIDJAJA V. JPMORGAN CHASE BANK unambiguously provides that “the consumer” must report an unauthorized transfer to her bank within the 60-day period. 2 Despite our agreement with the district court on the two points just discussed, we must nonetheless reverse the dismissal of Widjaja’s EFTA claim. While the Act requires a consumer to notify her bank of unauthorized transfers within the prescribed 60-day reporting period, a consumer who fails to do so is not automatically liable for all subsequent losses. A consumer may be held liable for unauthorized transfers occurring after the 60-day period only if the bank establishes that those transfers “would not have occurred but for the failure of the consumer” to timely report the earlier unauthorized transfer reflected on her bank statement. 15 U.S.C. § 1693g(a). The district court’s analysis overlooked this requirement, and the error was not harmless. The EFTA authorizes a private right of action against a bank that “fails to comply” with any provision of the Act, including the provision limiting a consumer’s liability for unauthorized transfers. § 1693m(a). When, as here, a bank concludes that the EFTA authorizes liability in excess of the default cap, the consumer must allege facts plausibly suggesting that the bank’s conclusion is wrong in order to state a claim that the bank has violated § 1693g. That will often prove difficult when the consumer fails to report an unauthorized transfer within the 60-day period and seeks reimbursement for losses suffered as a result of further The official staff interpretations of Regulation E state that notice may also be provided by “a person acting on the consumer’s behalf.” 12 C.F.R. pt. 1005, Supp. I, 6(b)(5) ¶ 2. Widjaja does not contend that Union Bank was acting on her behalf when it notified Chase of the fraudulent transfer in November 2017. 2 WIDJAJA V. JPMORGAN CHASE BANK 11 unauthorized transfers occurring after that period. When notified by a consumer that an unauthorized transfer has taken place, most banks have procedures in place to prevent subsequent unauthorized transfers, such as freezing the consumer’s account or changing the account number and password. A consumer must therefore allege facts plausibly suggesting that even if she had reported an unauthorized transfer within the 60-day period, the subsequent unauthorized transfers for which she seeks reimbursement would still have occurred. See Nayab v. Capital One Bank (USA), N.A., 942 F.3d 480, 495–97 (9th Cir. 2019) (holding in a similar context that the plaintiff must allege facts giving rise to a reasonable inference that a statutorily available affirmative defense does not apply). We think Widjaja has met her pleading burden here. She alleges that Chase became aware of a security breach that enabled unknown individuals to make an unauthorized withdrawal of $29,000 from her checking account in November 2017. Yet, according to Widjaja’s allegations, Chase took no action to protect her account from further unauthorized withdrawals, despite having a strong financial incentive to do so. If Widjaja had notified Chase of the unauthorized withdrawals within the EFTA’s 60-day reporting period, Chase itself would have borne liability for all related unauthorized withdrawals, save for the $50 or $500 loss Widjaja would bear. The only outer limit on Chase’s liability in that scenario (assuming the thieves acted quickly enough) was the amount of money in Widjaja’s checking account—in this instance, at least half a million dollars. And at the time Chase allegedly failed to act in November 2017, it of course had no way of knowing whether Widjaja would fail to report the unauthorized withdrawals within the 60-day period, or how quickly or slowly the thieves would move to drain her account. 12 WIDJAJA V. JPMORGAN CHASE BANK The EFTA thus gave Chase a strong financial incentive to take immediate corrective action in November 2017, regardless of the source of its notice that fraud was afoot. In these circumstances, to hold Widjaja liable for subsequent losses, Chase will have to explain why its response to notice from Widjaja herself would have been substantially different from its (non)response to the notice it received from Union Bank. At a later stage in the case, Chase may be able to provide such an explanation. But at the pleading stage, Widjaja’s allegations plausibly suggest that some sort of failure in the bank’s fraud-prevention procedures occurred with respect to her checking account. Put differently, Widjaja’s allegations give rise to a reasonable inference that Chase would not have taken action to prevent subsequent losses even if she had reported the initial unauthorized withdrawals within the 60-day period. Her allegations suffice to survive a motion to dismiss. We reverse the district court’s dismissal of Count One, the count alleging a claim under the EFTA or, in the alternative, California’s EFTA counterpart. III Widjaja also contests the district court’s dismissal of her state law claims for breach of contract and breach of the implied covenant of good faith and fair dealing. (She has not challenged the dismissal of her negligence claim.) The district court held that Widjaja’s failure to provide notice to Chase within the EFTA’s 60-day reporting period foreclosed these state law claims as well. We affirm the district court’s dismissal of Widjaja’s state law claims, but for different reasons. As to her breach of contract claim, Widjaja argues that Chase’s failure to safeguard her account and to take action WIDJAJA V. JPMORGAN CHASE BANK 13 in response to the notice from Union Bank violated the Deposit Account Agreement (DAA) that governs the relationship between Chase and its depositors. Widjaja does not cite any specific provision of the DAA that Chase allegedly violated. She points generally to the Privacy Notice appended to the DAA, which states: “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law.” The Privacy Notice does not impose any substantive duties on Chase; it merely explains Chase’s policies and a consumer’s ability to limit the sharing of personal information. Widjaja’s breach of contract claim therefore fails. Widjaja alleges that Chase breached the implied covenant of good faith and fair dealing by failing to act when it became aware that Widjaja’s account had been compromised and by abruptly closing Widjaja’s accounts after she filed this lawsuit, allegedly in retaliation for her legal action against the bank. While the DAA gives Chase the discretionary power to decline or prevent transactions, Widjaja does not allege that Chase exercised this discretion in bad faith when it failed to take action to prevent the unauthorized withdrawals. And the DAA expressly permitted Chase to close Widjaja’s accounts “at any time for any reason or no reason without prior notice.” The implied covenant of good faith cannot “prohibit a party from doing that which is expressly permitted by an agreement.” Carma Developers (California), Inc. v. Marathon Development California, Inc., 826 P.2d 710, 728 (Cal. 1992). Thus, Widjaja’s claim for breach of the implied covenant of good faith and fair dealing also fails. AFFIRMED in part, REVERSED in part, and REMANDED. Widjaja shall recover her costs on appeal.
Primary Holding
The Ninth Circuit concluded that the district court misinterpreted the relevant provision of the Electronic Fund Transfer Act (EFTA) and reversed the dismissal of plaintiff's EFTA claim; the panel affirmed the district court's dismissal of the state law claims.

Disclaimer: Justia Annotations is a forum for attorneys to summarize, comment on, and analyze case law published on our site. Justia makes no guarantees or warranties that the annotations are accurate or reflect the current state of law, and no annotation is intended to be, nor should it be construed as, legal advice. Contacting Justia or any attorney through this site, via web form, email, or otherwise, does not create an attorney-client relationship.