Rodriguez v. Branch Banking & Trust Co.

• Citation: 46 F.4th 1247
• Decision Date: 26 August 2022
• Docket Number: 21-11763
• Parties: Jesus Alonso Alvarez RODRIGUEZ, Alixon Lourdes Colombo De Alvarez, Mariana Alvarez Colombo, Inversiones La Mariana C.A., ACCD, C.A., Alvarez & Parilli Despacho De Abogados, Plaintiffs-Appellants, v. BRANCH BANKING & TRUST COMPANY, Starchem LLC, Guillermo Gamboa, Defendants-Appellees, Bank of America Corporation, Defendant.
• Court: U.S. Court of Appeals — Eleventh Circuit

46 F.4th 1247

Jesus Alonso Alvarez RODRIGUEZ, Alixon Lourdes Colombo De Alvarez, Mariana Alvarez Colombo, Inversiones La Mariana C.A., ACCD, C.A., Alvarez & Parilli Despacho De Abogados, Plaintiffs-Appellants,
v.
BRANCH BANKING & TRUST COMPANY, Starchem LLC, Guillermo Gamboa, Defendants-Appellees,

Bank of America Corporation, Defendant.

No. 21-11763

United States Court of Appeals, Eleventh Circuit.

Filed: August 26, 2022

Richard Lincoln Richards, Richards Legal Group, Coral Gables, FL, Roberto Villasante, Law Offices of Roberto Villasante, Coral Gables, FL, Maria L. Larrabure, Sanchez Vadillo, LLP, Doral, FL, FOR Plaintiffs-Appellants Jesus Alonso Alvarez Rodriguez, Alixon Lourdes Colombo De Alvarez, Mariana Alvarez Colombo, Inversiones La Mariana C.A., ACCD, C.A., ACCD, C.A.

David Stockton Hendrix, GrayRobinson, PA, Tampa, FL, Veronica Andrea Meza, GrayRobinson, PA, Miami, FL, for Defendant-Appellee.

Guillermo Gamboa, Kissimmee, FL, Pro Se.

Before Jordan, Rosenbaum, Circuit Judges, and Schlesinger,^* District Judge.

Rosenbaum, Circuit Judge:

46 F.4th 1249

Jesus Alvarez Rodriguez, Alixon Colombo, their daughters, and their companies (the "Appellants") lost over $850,000 when an alleged BB&T employee and a co-conspirator impersonated them, changed their passwords, and transferred the money out of their BB&T bank accounts.

The Appellants sued BB&T and the thieves asserting contract and tort claims as well as a Florida-law statutory demand for repayment.¹ The district court dismissed the tort claims as duplicative of the contract claim.

At summary judgment, the district court found for BB&T on the contract claim because none of the duties the Appellants claimed were breached were part of the contract. As to the statutory demand for repayment, the district court concluded that the Appellants’ demand was time-barred because BB&T's standard bank account contract limited the time to assert a demand from the statutory one-year period to just 30 days. In the alternative, the district court entered summary judgment for BB&T because it concluded the bank had and had followed commercially reasonable security procedures.

While this case was on appeal, BB&T produced discovery that, the Appellants say, could make a difference in this case. After a thorough review of the record and with the benefit of oral argument, we vacate both (1) the district court's order dismissing the Third Amended Complaint and (2) the district court's order entering summary judgment for BB&T on the remaining counts in the Fourth Amended Complaint. We decide as a matter of law that the Appellants’ claim for statutory repayment is not time-barred. And we remand for further proceedings consistent with this opinion.

I. FACTUAL BACKGROUND AND PROCEDURAL HISTORY

Because we are reviewing the district court's summary-judgment order, we present the evidentiary background in the light most favorable to the Appellants. St. Charles Foods, Inc. v. America's Favorite Chicken Co. , 198 F.3d 815, 819 (11th Cir. 1999). The actual facts may or may not be as set forth in this opinion.

A. The Plaintiffs

The Appellants are Venezuelan citizens who live in Venezuela. Between 2012 and 2015, they opened personal and commercial bank accounts at a Florida branch of BB&T. The commercial bank accounts were governed by the Commercial Bank Services agreement ("CBSA"). The 2012 version² of the CBSA required the Appellants to notify BB&T within 30 days of any unauthorized transaction from the account. It also required that, if the Appellants did not receive a monthly bank statement,

46 F.4th 1250

they would notify BB&T within 10 days of the regular statement date.

In addition, Colombo executed, on behalf of Inversiones—a co-plaintiff and a company owned by the family—a document entitled the 2013 Treasury Management Agreement (the "TMA"). The TMA incorporated the 2012 CBSA. The TMA required the Appellants to examine every bank statement and to notify BB&T of any unauthorized transfers within 30 days of the statement date.

As a security measure to prevent unauthorized wire transfers, Inversiones and BB&T agreed to use the "CashManager Online" system. The CMOL system was a security protocol. It (1) required Inversiones to change its password every 30 days; (2) issued Inversiones a physical security token that created a one-time passcode to use to log in, as a type of dual-factor authentication; and (3) sent event notifications to alert Inversiones of "potentially suspicious" activity—like a password change.

On July 11, 2016, a BB&T employee named Giancarlo Paredes changed the email account associated with the ten bank accounts from Colombo's email to a new (fraudulent) email. Within a month, on August 10, an unknown person called BB&T and spoke with BB&T agent Juan Carlos Martinez. Martinez remembered that the caller answered the two security questions—designed to ensure that the caller was the owner of the account—correctly but didn't recall which questions he asked. The next day, an unknown person (maybe the same, maybe a different person) emailed BB&T from the fraudulent email account and asked to set up a CashManager Online token. Martinez responded with the necessary forms to complete.

The next day, the same fraudulent email sent the completed forms back. Martinez forwarded the forms to another BB&T employee, Luis Avina. Avina compared the signatures on the forms to a 2013 Inversiones corporate resolution on file: the signatures matched. Avina then sent the forms to another BB&T employee who also confirmed that the signatures matched. Given the correct answers to the security questions and the matching signatures, BB&T sent a CashManager Online token to the Miami address listed on the form. Sometime during July and August 2016, the bank account password was changed, and Colombo could no longer access the bank accounts.

Then, between August 2016 and November 2016, about $850,000 was transferred out of Inversiones's bank account with BB&T to a company called "Starchem LLC." Before BB&T executed the first wire transfer—for $100,000—BB&T called the phone number newly associated with the account, and the person who answered the phone identified herself as Colombo. So BB&T marked the transfer as non-fraudulent.

In the meantime, locked out of their accounts, the Appellants called BB&T from Venezuela "many times" in August, September, and October 2016. But reaching a person was a struggle. They couldn't leave messages because, in Venezuela, they had to use an operator to call the United States and if BB&T didn't pick up, the operator would just hang up. They also sent emails but "[it] was very difficult to get a reply to an email." Finally, in early January 2017, when the Appellants were in Panama, they were able to call BB&T directly, and they left "infinite messages."³

46 F.4th 1251

By May 2017, the Appellants had regained access to their bank accounts and discovered the stolen money.

B. Procedural History

The Appellants sued BB&T⁴ for a variety of statutory, contract, and tort claims. As for the tort claims, the district court dismissed them as duplicative of the breach-of-contract claim.

In the operative pleading, the Fourth Amended Complaint, the Appellants asserted four claims against BB&T. As relevant here, the Appellants claimed that BB&T was required to refund them for the fraudulent wire transfers under Florida Statutes § 670.202.⁵

The parties cross-moved for summary judgment. On the statutory repayment claim, BB&T argued that only Inversiones could state a claim because only its account was impacted. But, BB&T said, Inversiones's claims were time-barred because the 2013 TMA required Inversiones to notify BB&T about fraudulent transactions within 30 days of the statement date, and Inversiones had failed to do so. On the merits, BB&T argued that it had (1) established commercially reasonable procedures and (2) followed those procedures, so it was not liable for any unauthorized transactions. BB&T contended that only the security procedures listed in the CashManager Online documents could be a predicate for liability. The pre-wire transfer steps, BB&T said, like changing the email, sending the forms, and sending the CashManager Online token were not part of the security procedures. BB&T claimed that the agreed-upon procedures were reasonable and that the Appellants hadn't explained what the heightened procedures should have been. In support of its summary-judgment motion, BB&T included an expert report on the commercial reasonableness of its procedures.

The Appellants responded that they all had standing to sue because the money had gone from the individual accounts to Inversiones's account and then out to Starchem. As to timing, the Appellants said that the Florida Statutes provided a one-year time-period to notify a bank of an unauthorized wire transfer and further provided that the time-period could not be modified by agreement. On the merits, the Appellants contended that...