If ACH sounds like a sneeze, that is unfair to sneezes. The Automated Clearing House network is one of the quiet giants of American commerce, moving payroll, vendor payments, bill payments, and business-to-business transfers at a scale that would make most spreadsheets faint. So when a federal appeals court says a receiving financial institution is not liable for a six-figure ACH fraud loss, people in banking, compliance, treasury, and cybersecurity all sit up a little straighter.
That is exactly what happened in Studco Building Systems US, LLC v. 1st Advantage Federal Credit Union, the case behind the headline “Fourth Circuit Clears Credit Union in ACH Fraud Case.” In a closely watched ruling, the U.S. Court of Appeals for the Fourth Circuit reversed a lower court decision that had held a credit union liable after fraudsters used spoofed vendor-change emails to divert more than $550,000 in ACH payments. The appeals court’s message was crisp: under Uniform Commercial Code Article 4A, a beneficiary bank is not on the hook for a name-and-account mismatch unless it had actual knowledge of that mismatch at the time of payment.
That may sound like a technical legal distinction. It is. It is also a very big deal. The decision reinforces the rule that ACH systems can operate at speed and scale without forcing receiving institutions to manually inspect every name mismatch that pops up in the background. At the same time, it gives businesses a not-so-gentle reminder that changing payment instructions based on an email alone is a terrible way to audition for a fraud loss.
What happened in the case?
A familiar fraud, with a very expensive ending
Studco, a metal fabricator in New York, had a long-standing relationship with supplier Olympic Steel. Like countless businesses, it paid invoices by ACH. Then came the classic trap: an email that appeared to come from the supplier, saying future payments should go to a new bank account. Studco followed the instructions and redirected four ACH payments to an account at 1st Advantage Federal Credit Union in Virginia.
The problem, of course, was that the email was fake. The account number belonged not to Olympic Steel, but to an account controlled by scammers through a credit union customer who appears to have been used as a money mule. By the time the dust settled, more than $558,000 was gone. The scammers were never identified, and Studco ended up paying Olympic again for the invoices, which is the accounting equivalent of stepping on the same rake twice through no real fault of your own.
The lower court said the credit union should have caught it
The district court originally ruled for Studco after a bench trial. Its reasoning leaned heavily on the idea that 1st Advantage had internal systems that generated warnings about mismatches between the named payee and the receiving account holder. The court concluded that if the credit union had used commercially reasonable routines and exercised ordinary care, it would have recognized the problem early enough to stop the fraud. The district judge awarded Studco $558,868.71, plus attorneys’ fees and costs, based on a misdescription claim under Virginia’s version of UCC Section 4A-207 and on a separate bailment theory.
That trial-level ruling alarmed banks, credit unions, and payments lawyers for a simple reason: it seemed to move the liability standard from “did the institution actually know?” to “should the institution have known if it had done more?” In fast-moving payment systems, that is not a tiny adjustment. That is a full-blown change in how operational risk would be assigned.
Why the Fourth Circuit reversed
“Actual knowledge” means actual knowledge
The Fourth Circuit rejected the lower court’s approach and restored the stricter standard embedded in UCC Article 4A. Under Section 4A-207, when a payment order identifies a beneficiary by both name and account number, and those identifiers point to different people, the beneficiary’s bank may rely on the account number unless it knows the name and number refer to different persons.
That word “knows” did the heavy lifting here. The appeals court said knowledge means actual knowledge, not constructive knowledge, not institutional hindsight, and definitely not “you would have known if your routines had been better.” In other words, the court refused to turn internal alerts, scattered facts, or unrealized opportunities to detect fraud into legal knowledge after the fact.
This is the heartbeat of the ruling. The court said 1st Advantage deposited the ACH payments into the exact account number specified in the payment orders. Because there was no evidence that the credit union had actual knowledge of the misdescription at the time of deposit, it could not be held liable under Section 4A-207 just because better monitoring might have led someone to discover the fraud.
Automation won the day
The opinion is also a love letter to operational reality. Not a romantic one, exactly. More like a practical marriage of convenience between law and banking infrastructure. The Fourth Circuit stressed that ACH processing depends on automation. Requiring receiving institutions to investigate every potential mismatch between account name and account number would, in the court’s view, be impractical, expensive, and disruptive to a payment system that handles an enormous volume of transactions.
That logic tracks both the structure of Article 4A and the broader ACH ecosystem. Nacha materials have long reflected that receiving depository financial institutions are permitted to post entries based on account number and are not generally required to perform name matching as part of ordinary receipt and posting. The court’s decision therefore did not come out of nowhere. It aligned with the system’s existing design philosophy: speed, certainty, and reliance on the number, unless the receiving institution truly knows something is wrong.
The bailment argument also failed
Studco also won below on a bailment theory, but that part did not survive appeal either. The Fourth Circuit held that an ACH deposit into a bank account is not a bailment under Virginia law. That makes sense in plain English. A bailment usually involves handing over a specific physical thing for safekeeping and return. ACH funds transfers do not work like checking your coat at a restaurant. They are accounting entries involving fungible funds, not a tagged object waiting patiently by the door.
So the appellate court not only rejected liability under the misdescription provision, it also said the legal theory treating the deposits as a bailment was simply the wrong fit.
The concurrence added an important wrinkle
Judge James Wynn agreed with the outcome but wrote separately, which is where the case gets more interesting than a simple “bank wins, end of story” headline suggests. Wynn agreed that Article 4A requires actual knowledge and that an individual employee would need to possess that knowledge at the relevant time. But he also said the record may have supported an inference that the credit union obtained actual knowledge before the final two deposits.
Why? Because after suspicious outbound wire activity triggered an OFAC-related alert, a compliance manager opened an investigation into the account. Wynn suggested that if someone reviewing the account history had looked at the DataSafe reports, they could have seen warnings showing the ACH entries named Olympic Steel while the account belonged to someone else. In his view, the evidence might have supported actual knowledge for at least part of the timeline.
Still, Wynn concurred in the judgment because he saw another problem for Studco: privity. In his view, the UCC’s remedial structure points the originator first toward its own bank, not directly toward the beneficiary’s bank. That nuance did not control the majority opinion, but it matters because it hints at future arguments in ACH fraud litigation. Translation: the credit union won, but plaintiffs’ lawyers probably did not throw away their briefcases.
Why this ruling matters beyond one credit union
For banks and credit unions
The decision is a significant win for financial institutions that receive ACH payments. It confirms that they can rely on account numbers in high-volume automated processing without being automatically exposed to liability every time a name mismatch exists somewhere in the background. That is a major operational relief.
But this is not a permission slip to ignore fraud risk. A bank that truly acquires actual knowledge of a mismatch, or whose employees review specific alerts tied to suspicious activity, may still face trouble. The ruling protects automated processing; it does not bless institutional blindness once a real human being knows what is happening. Financial institutions would be smart to read this case as both shield and warning: automation is protected, but documented awareness can change the analysis quickly.
In practical terms, the safest takeaway for institutions is not “do less.” It is “be deliberate.” Review what your systems flag, define escalation paths, document investigations, and understand when a suspicious pattern stops being noise and starts becoming knowledge. Compliance teams do not need panic. They do need clean process design.
For businesses that send ACH payments
This case is also a flashing neon sign for accounts payable teams. If a vendor changes payment instructions, verify the change through a known phone number, a secondary contact, or a previously established channel. Not the number in the email. Not the email signature with the suspicious domain. Not the attachment called “new banking details final final v2.” That road leads to misery.
Courts in fraud cases often look hard at who was in the best position to prevent the loss. And in social engineering scams, the sender often has the easiest opportunity to stop the fraud before the money moves. One call to the real vendor may feel old-fashioned, but so does not losing half a million dollars.
The ACH fraud backdrop is getting bigger, not smaller
The legal importance of this case is magnified by the scale of the ACH network and the persistence of business email compromise. Nacha says the ACH Network handled 35.2 billion payments valued at $93 trillion in 2025. The FBI, meanwhile, has described business email compromise as a multibillion-dollar threat and reported more than $2.77 billion in BEC losses in 2024 alone. Over a longer period, the FBI has pegged global exposed losses from BEC schemes above $55 billion.
That combination explains why this decision landed with such force. The ACH system is massive, and BEC fraud is not some quirky corner problem. It is a daily hazard for businesses, banks, and treasury departments. The law has to decide who bears loss when scammers exploit trust, speed, and ordinary payment behavior. The Fourth Circuit chose a framework that favors system efficiency and legal predictability over a negligence-style review of what a receiving institution might have discovered with more scrutiny.
Rehearing was denied, and the ruling stuck
Studco did not quietly shrug and move on. It sought rehearing, and later filed a petition for Supreme Court review. The Fourth Circuit denied rehearing in April 2025. Then, in October 2025, the U.S. Supreme Court denied certiorari. So, at least for now, the Fourth Circuit’s holding stands as an important appellate precedent: no actual knowledge, no liability under this theory.
That does not mean every ACH fraud case will end the same way. Facts matter. Timing matters. Internal reviews matter. Contract terms matter. Different claims can produce different outcomes. But for receiving institutions in name-mismatch cases under UCC 4A-207, this ruling is a clear statement that courts should not casually slide from actual knowledge into “should have known” territory.
Bottom line
The Fourth Circuit’s decision clearing 1st Advantage Federal Credit Union is more than a win for one defendant. It is a strong reaffirmation of how Article 4A allocates risk in ACH fraud cases. The court said the beneficiary bank may rely on the account number, need not independently verify name-and-number consistency, and is not liable unless it had actual knowledge of the mismatch. It also rejected the effort to treat the transfer as a bailment.
For financial institutions, that is a meaningful legal boundary. For businesses, it is a costly reminder that vendor-payment fraud is often stopped before the transfer, not after the lawsuit. And for anyone working in payments law, treasury operations, fraud prevention, or compliance, this case is now required reading. It is the sort of opinion that does not just decide a dispute. It tells an entire industry how the rules will be read when the next spoofed email lands in someone’s inbox pretending to be a trusted supplier.
Experiences from the field: what ACH fraud feels like in real life
In real-world terms, cases like this usually do not begin with a dramatic hacker-movie moment. They begin on a perfectly ordinary Tuesday, with an accounts payable employee trying to clear invoices before lunch. The email looks familiar. The vendor name is right. The tone is believable enough. Maybe the grammar is a little odd, but who has not sent a messy email while racing a deadline? Then the banking instructions change, someone updates the record, and the money moves.
What happens next is painfully consistent across companies. First comes confusion. The real vendor asks where the payment is. Then comes denial. Surely it went out. Then comes dread. The payment did go out, just not where anyone intended. Finance teams scramble through inboxes, ERP logs, bank confirmations, and phone records. Someone says, “Did anybody call to verify the change?” and the room gets very quiet.
For businesses, the experience is not just financial. It is operational and emotional. Treasury teams lose days or weeks untangling what happened. Controllers have to explain the loss to leadership. Legal teams start analyzing contracts, insurance, and recovery options. Cybersecurity gets pulled in because even a simple vendor spoof may point to mailbox compromise, weak email authentication, or both. Meanwhile, the actual supplier still expects to be paid. Fraud has a nasty habit of turning one payment problem into five management problems.
For banks and credit unions, the experience is different but no less intense. Once fraud is reported, operations teams review transaction logs, fraud alerts, account activity, withdrawal timing, and any internal case notes. Compliance teams ask whether suspicious activity monitoring worked the way it was supposed to. Lawyers ask whether the institution merely had data in its systems or whether a real employee actually saw and understood something that could count as actual knowledge. That distinction sounds academic until it becomes the center of a lawsuit worth hundreds of thousands of dollars.
Then there is the documentation problem. In many disputes, institutions are judged not only by what they did, but by what they can prove they did. A clean, well-documented investigation looks very different from “we think someone probably checked that.” In fraud litigation, “probably” is often the least comforting word in the building.
The most common lesson from these experiences is embarrassingly simple: old-school verification still works. A callback to a known number. Dual approval on banking changes. A short cooling-off period before new payment instructions go live. Training employees to treat urgency as a red flag rather than a command. None of those measures are glamorous. None of them will impress anyone at a cocktail party. But they prevent losses, and that is much more useful than being interesting.
So the lived experience behind the headline is this: ACH fraud is rarely about one single failure. It is usually a chain of ordinary assumptions that nobody stopped in time. The Fourth Circuit’s ruling clarifies the legal side of who may bear that loss. The business side is even clearer. Trust, but verify. Preferably before the money leaves.