Margaretha Widjaja v. Jpmorgan Chase Bank, N.A. ( 2021 )

                     FOR PUBLICATION
UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT
MARGARETHA NATALIA WIDJAJA,                        No. 20-55862
Plaintiff-Appellant,
D.C. No.
v.                           2:19-cv-07825-
MWF-AFM
JPMORGAN CHASE BANK, N.A., a
national banking association,
Defendant-Appellee,                  OPINION
Appeal from the United States District Court
for the Central District of California
Michael W. Fitzgerald, District Judge, Presiding
Argued and Submitted July 6, 2021
Pasadena, California
Filed December 20, 2021
Before: D. Michael Fisher, * Paul J. Watford, and
Patrick J. Bumatay, Circuit Judges.
Opinion by Judge Watford
*
The Honorable D. Michael Fisher, United States Circuit Judge for
the U.S. Court of Appeals for the Third Circuit, sitting by designation.
2            WIDJAJA V. JPMORGAN CHASE BANK
SUMMARY **
Electronic Fund Transfer Act
The panel affirmed in part and reversed in part the
district court’s dismissal of an action under the Electronic
Fund Transfer Act against JPMorgan Chase Bank.
Reversing the dismissal of plaintiff’s claim under the
EFTA or its California counterpart and remanding, the panel
held that, to avoid liability for unauthorized electronic fund
transfers, a consumer must report an unauthorized
withdrawal within 60 days after a bank sends a monthly
statement reflecting the withdrawal. The panel held that
plaintiff did not plausibly allege extenuating circumstances
excusing her failure to report unauthorized withdrawals, and
notice to Chase from a third-party source did not excuse her
failure to report. Nonetheless, under 15 U.S.C. § 1693g(a),
a consumer may be held liable for unauthorized transfers
occurring after the 60-day period only if the bank establishes
that those transfers “would not have occurred but for the
failure of the consumer” to timely report the earlier
unauthorized transfer reflected on her bank statement. The
panel held that plaintiff met her pleading burden by alleging
facts plausibly suggesting that even if she had reported an
unauthorized transfer within the 60-day period, the
subsequent unauthorized transfers for which she sought
reimbursement would still have occurred.
Affirming the dismissal of additional state law claims,
the panel held that plaintiff’s claim for breach of contract
**
This summary constitutes no part of the opinion of the court. It
has been prepared by court staff for the convenience of the reader.
WIDJAJA V. JPMORGAN CHASE BANK                  3
failed because a Privacy Notice appended to her Deposit
Account Agreement did not impose any substantive duties
on Chase. The panel held that plaintiff’s claim for breach of
the implied covenant of good faith and fair dealing failed
because the Deposit Account Agreement expressly
permitted Chase to close plaintiff’s accounts.
COUNSEL
Paro Astourian (argued), Astourian & Associates Inc.,
Pasadena, California, for Plaintiff-Appellant.
Karin L. Bohmholdt (argued) and Blakeley S. Oranburg,
Greenburg Traurig LLP, Los Angeles, California, for
Defendant-Appellee.
OPINION
WATFORD, Circuit Judge:
To address concerns raised by the increasing prevalence
of electronic banking transactions, Congress enacted the
Electronic Fund Transfer Act of 1978 (EFTA), 

 et seq. Lawmakers viewed such transactions—
processed through computer networks without human
interaction—as “much more vulnerable to fraud,
embezzlement, and unauthorized use than the traditional
payment methods.” Bank of America v. City and County of
San Francisco, 

, 564 (9th Cir. 2002) (quoting
H.R. Rep. No. 95-1315, at 2 (1978)). Consumer groups
urged Congress to provide protection from liability for
unauthorized transfers, similar to the protection Congress
had already afforded for unauthorized credit card charges.
4          WIDJAJA V. JPMORGAN CHASE BANK
See 

(a) (imposing a $50 cap on liability for
unauthorized credit card use); Lewis M. Taffer, The Making
of the Electronic Fund Transfer Act: A Look at Consumer
Liability and Error Resolution, 

, 238
(1979). Congress responded in the EFTA by imposing a
similar, but not identical, cap on a consumer’s liability for
unauthorized electronic fund transfers.
The plaintiff in this case, Margaretha Widjaja, alleges
that she was the victim of unauthorized electronic fund
transfers from her checking account at JPMorgan Chase
Bank (Chase).        Identity thieves made a series of
unauthorized withdrawals that ultimately totaled more than
half a million dollars. Chase reimbursed Widjaja for some
of those losses, but it has refused to repay $300,000 of the
funds stolen from her account. Widjaja sued Chase for
violating the EFTA, alleging that the bank has imposed
liability on her in excess of what the EFTA allows. The
district court dismissed Widjaja’s complaint at the pleading
stage on the ground that Widjaja’s lengthy delay in reporting
the unauthorized withdrawals to Chase barred her claims as
a matter of law. We conclude that the district court
misinterpreted the relevant provision of the EFTA and
reverse the dismissal of Widjaja’s EFTA claim.
I
According to the complaint, whose allegations we accept
as true at this stage of the litigation, Widjaja is a foreign
national who held several accounts at Chase, including the
checking account at issue here. Although she maintains a
residence in California, Widjaja resides primarily outside the
United States and spends a significant portion of the year
traveling overseas.
WIDJAJA V. JPMORGAN CHASE BANK                  5
Widjaja alleges that, through unknown means,
unidentified individuals gained access to her Chase checking
account in October 2017 and began making unauthorized
withdrawals without her knowledge. The first withdrawal
involved a transfer on October 31 of less than two dollars to
Union Bank, followed by a much larger transfer of $29,000
to Union Bank on November 2. This second transfer aroused
Union Bank’s suspicion, which led it to contact Chase’s
fraud department. The banks jointly determined that the
transaction was fraudulent, as the Union Bank customer who
received the $29,000 had no relationship with Widjaja.
Union Bank accordingly refunded the money to Widjaja’s
Chase account.
Although Chase learned through this episode that
Widjaja’s account had been compromised, it did nothing to
protect her account from further unauthorized withdrawals.
It did not change Widjaja’s account number and password or
freeze her account. Nor did it inform her that an
unauthorized transfer had taken place. Due to this inaction,
Widjaja alleges, the same individuals were able to make
more than 100 unauthorized withdrawals from her checking
account between November 2017 and March 2019.
Widjaja did not report any of the unauthorized
withdrawals to Chase until March 2019. She does not
dispute that each of the withdrawals appeared on the
monthly bank statements Chase sent her. Widjaja alleges
that, between November 2017 and March 2019, she was
traveling overseas and had “very limited or no” internet
access to check her bank statements. When Widjaja returned
to California in March 2019, she reviewed her statements
and noticed the unauthorized withdrawals. She reported
them to Chase and thereafter the withdrawals stopped.
6            WIDJAJA V. JPMORGAN CHASE BANK
Chase reimbursed Widjaja for some of the unauthorized
withdrawals through its internal dispute resolution process.
But it has refused to reimburse her for $300,000 of the losses
she suffered, citing her failure to report the initial
unauthorized withdrawals within 60 days of their appearance
on her bank statements, as the EFTA ordinarily requires. See
15 U.S.C. §§ 1693f(a), 1693g(a); 

(b)(3). 1
In June 2019, Widjaja filed this action against Chase.
After amending her complaint, she asserted four claims:
(1) violation of the EFTA or, alternatively, California’s
EFTA counterpart, 

 et seq.;
(2) breach of contract; (3) breach of the implied covenant of
good faith and fair dealing; and (4) negligence. The district
court granted Chase’s motion to dismiss under Federal Rule
of Civil Procedure 12(b)(6). The court agreed with Chase
that the EFTA generally requires consumers to report an
unauthorized withdrawal within 60 days after the bank sends
a monthly statement reflecting the withdrawal. Because it is
undisputed that Widjaja failed to report the withdrawals at
issue within that time frame, the court held that the EFTA
bars her claim as a matter of law. The court therefore
dismissed Widjaja’s EFTA claim with prejudice, along with
her remaining state law claims.
1
Regulation E, which implements the EFTA, was originally
promulgated by the Board of Governors of the Federal Reserve System
and published in Part 205 of Title 12 of the Code of Federal Regulations.
See 

(a). After the Dodd-Frank Act transferred
rulemaking authority to the Consumer Financial Protection Bureau, the
Bureau republished Regulation E in Part 1005 of Title 12. See Electronic
Fund Transfers (Regulation E), 

 (Dec. 27, 2011);

(a). The provisions relevant to this case, now found
at 

, are identical to the provisions in 

.
WIDJAJA V. JPMORGAN CHASE BANK                    7
II
This appeal requires us to interpret the EFTA provision
limiting a consumer’s liability for unauthorized electronic
fund transfers, 15 U.S.C. § 1693g. The provision states that
in most instances a consumer’s liability for an unauthorized
transfer (or a series of related unauthorized transfers, see

(b)) may not exceed $50. That baseline
cap on liability is subject to two exceptions, however.
The first exception raises the cap to $500 when the
unauthorized transfers occur due to the loss or theft of an
access device (such as an ATM card) and the consumer fails
to notify her bank within two business days of learning that
the device has been lost or stolen. 15 U.S.C. § 1693g(a); see

(b)(2). The second exception—the one
relevant here—provides that the cap on liability will be lifted
if: (1) an unauthorized transfer appears on the monthly
statement banks must send to consumers under 15 U.S.C.
§ 1693d(c); (2) the consumer fails to report the unauthorized
transfer to her bank within 60 days after the statement is sent
to her; and (3) the bank can establish that unauthorized
transfers made after the 60-day period would not have
occurred but for the consumer’s failure to provide timely
notice of the earlier unauthorized transfer. 15 U.S.C.
§ 1693g(a). In that scenario, the consumer’s liability for
unauthorized transfers that occur within the 60-day period
cannot exceed $50 or $500 (depending on the
circumstances), but the consumer faces unlimited liability
for unauthorized transfers occurring outside the 60-day
period. See 

(b)(3); 12 C.F.R. pt. 1005,
Supp. I, 6(b)(3) ¶ 1.
8           WIDJAJA V. JPMORGAN CHASE BANK
The statutory language creating this second exception
reads as follows:
Notwithstanding the [default liability cap],
reimbursement need not be made to the
consumer for losses the financial institution
establishes would not have occurred but for
the failure of the consumer to report within
sixty days of transmittal of the statement (or
in extenuating circumstances such as
extended travel or hospitalization, within a
reasonable time under the circumstances) any
unauthorized electronic fund transfer or
account error which appears on the periodic
statement provided to the consumer under
section 1693d of this title.
15 U.S.C. § 1693g(a); see also 

(b)(3). A
neighboring subsection makes clear that the bank bears the
burden of proving that “the conditions of liability set forth in
subsection (a) have been met.” 15 U.S.C. § 1693g(b).
Widjaja does not dispute that she failed to report any of
the unauthorized withdrawals to Chase within the 60-day
period set by the EFTA. She contends instead that her
compliance with the 60-day reporting requirement was
excused for two reasons, both of which, we conclude, the
district court properly rejected.
First, Widjaja asserts that, during her time abroad, she
had “very limited or no access to her banking records and/or
to the internet,” and that her extended international travel
thus constituted “extenuating circumstances” under
§ 1693g(a). The district court held that this cursory
allegation does not plausibly explain how someone with
Widjaja’s financial means lacked adequate internet access to
WIDJAJA V. JPMORGAN CHASE BANK                    9
view her banking records for more than a year. We agree
with the district court that Widjaja has not plausibly alleged
“extenuating circumstances” excusing her failure to timely
report the unauthorized withdrawals.
Second, Widjaja contends that she did not need to report
the unauthorized withdrawals to Chase because it was
already aware of the initial $29,000 withdrawal in November
2017 by virtue of its communications with Union Bank. The
district court properly rejected this argument as well.
Section 1693g(a) plainly states that “the consumer” must
report an unauthorized withdrawal to her bank within the
prescribed 60-day period to avoid facing potentially
unlimited liability for subsequent withdrawals occurring
after that period. The statute says nothing about a bank
receiving notice from third-party sources unaffiliated with
the consumer. It is true that a different portion of § 1693g(a)
refers to losses that occur “prior to the time the financial
institution is notified of, or otherwise becomes aware of,
circumstances which lead to the reasonable belief that an
unauthorized electronic fund transfer involving the
consumer’s account has been or may be effected.”
§ 1693g(a) (emphasis added); see also 

(b)(5)(iii) (notice is deemed “constructively given
when the institution becomes aware of circumstances
leading to the reasonable belief that an unauthorized
transfer” has taken place). But that language addresses
whether the default cap on liability for unauthorized
transfers will be $50 or some lesser amount. When the
statute addresses the issue relevant here—the circumstances
under which the default cap on liability will be lifted—it
10            WIDJAJA V. JPMORGAN CHASE BANK
unambiguously provides that “the consumer” must report an
unauthorized transfer to her bank within the 60-day period. 2
Despite our agreement with the district court on the two
points just discussed, we must nonetheless reverse the
dismissal of Widjaja’s EFTA claim. While the Act requires
a consumer to notify her bank of unauthorized transfers
within the prescribed 60-day reporting period, a consumer
who fails to do so is not automatically liable for all
subsequent losses. A consumer may be held liable for
unauthorized transfers occurring after the 60-day period only
if the bank establishes that those transfers “would not have
occurred but for the failure of the consumer” to timely report
the earlier unauthorized transfer reflected on her bank
statement. 15 U.S.C. § 1693g(a). The district court’s
analysis overlooked this requirement, and the error was not
harmless.
The EFTA authorizes a private right of action against a
bank that “fails to comply” with any provision of the Act,
including the provision limiting a consumer’s liability for
unauthorized transfers. § 1693m(a). When, as here, a bank
concludes that the EFTA authorizes liability in excess of the
default cap, the consumer must allege facts plausibly
suggesting that the bank’s conclusion is wrong in order to
state a claim that the bank has violated § 1693g. That will
often prove difficult when the consumer fails to report an
unauthorized transfer within the 60-day period and seeks
reimbursement for losses suffered as a result of further
2
The official staff interpretations of Regulation E state that notice
may also be provided by “a person acting on the consumer’s behalf.”
12 C.F.R. pt. 1005, Supp. I, 6(b)(5) ¶ 2. Widjaja does not contend that
Union Bank was acting on her behalf when it notified Chase of the
fraudulent transfer in November 2017.
WIDJAJA V. JPMORGAN CHASE BANK                   11
unauthorized transfers occurring after that period. When
notified by a consumer that an unauthorized transfer has
taken place, most banks have procedures in place to prevent
subsequent unauthorized transfers, such as freezing the
consumer’s account or changing the account number and
password. A consumer must therefore allege facts plausibly
suggesting that even if she had reported an unauthorized
transfer within the 60-day period, the subsequent
unauthorized transfers for which she seeks reimbursement
would still have occurred. See Nayab v. Capital One Bank
(USA), N.A., 

, 495–97 (9th Cir. 2019) (holding
in a similar context that the plaintiff must allege facts giving
rise to a reasonable inference that a statutorily available
affirmative defense does not apply).
We think Widjaja has met her pleading burden here. She
alleges that Chase became aware of a security breach that
enabled unknown individuals to make an unauthorized
withdrawal of $29,000 from her checking account in
November 2017. Yet, according to Widjaja’s allegations,
Chase took no action to protect her account from further
unauthorized withdrawals, despite having a strong financial
incentive to do so. If Widjaja had notified Chase of the
unauthorized withdrawals within the EFTA’s 60-day
reporting period, Chase itself would have borne liability for
all related unauthorized withdrawals, save for the $50 or
$500 loss Widjaja would bear. The only outer limit on
Chase’s liability in that scenario (assuming the thieves acted
quickly enough) was the amount of money in Widjaja’s
checking account—in this instance, at least half a million
dollars. And at the time Chase allegedly failed to act in
November 2017, it of course had no way of knowing
whether Widjaja would fail to report the unauthorized
withdrawals within the 60-day period, or how quickly or
slowly the thieves would move to drain her account.
12         WIDJAJA V. JPMORGAN CHASE BANK
The EFTA thus gave Chase a strong financial incentive
to take immediate corrective action in November 2017,
regardless of the source of its notice that fraud was afoot. In
these circumstances, to hold Widjaja liable for subsequent
losses, Chase will have to explain why its response to notice
from Widjaja herself would have been substantially different
from its (non)response to the notice it received from Union
Bank. At a later stage in the case, Chase may be able to
provide such an explanation. But at the pleading stage,
Widjaja’s allegations plausibly suggest that some sort of
failure in the bank’s fraud-prevention procedures occurred
with respect to her checking account. Put differently,
Widjaja’s allegations give rise to a reasonable inference that
Chase would not have taken action to prevent subsequent
losses even if she had reported the initial unauthorized
withdrawals within the 60-day period. Her allegations
suffice to survive a motion to dismiss.
We reverse the district court’s dismissal of Count One,
the count alleging a claim under the EFTA or, in the
alternative, California’s EFTA counterpart.
III
Widjaja also contests the district court’s dismissal of her
state law claims for breach of contract and breach of the
implied covenant of good faith and fair dealing. (She has
not challenged the dismissal of her negligence claim.) The
district court held that Widjaja’s failure to provide notice to
Chase within the EFTA’s 60-day reporting period foreclosed
these state law claims as well. We affirm the district court’s
dismissal of Widjaja’s state law claims, but for different
reasons.
As to her breach of contract claim, Widjaja argues that
Chase’s failure to safeguard her account and to take action
WIDJAJA V. JPMORGAN CHASE BANK                  13
in response to the notice from Union Bank violated the
Deposit Account Agreement (DAA) that governs the
relationship between Chase and its depositors. Widjaja does
not cite any specific provision of the DAA that Chase
allegedly violated. She points generally to the Privacy
Notice appended to the DAA, which states: “To protect your
personal information from unauthorized access and use, we
use security measures that comply with federal law.” The
Privacy Notice does not impose any substantive duties on
Chase; it merely explains Chase’s policies and a consumer’s
ability to limit the sharing of personal information.
Widjaja’s breach of contract claim therefore fails.
Widjaja alleges that Chase breached the implied
covenant of good faith and fair dealing by failing to act when
it became aware that Widjaja’s account had been
compromised and by abruptly closing Widjaja’s accounts
after she filed this lawsuit, allegedly in retaliation for her
legal action against the bank. While the DAA gives Chase
the discretionary power to decline or prevent transactions,
Widjaja does not allege that Chase exercised this discretion
in bad faith when it failed to take action to prevent the
unauthorized withdrawals.          And the DAA expressly
permitted Chase to close Widjaja’s accounts “at any time for
any reason or no reason without prior notice.” The implied
covenant of good faith cannot “prohibit a party from doing
that which is expressly permitted by an agreement.” Carma
Developers (California), Inc. v. Marathon Development
California, Inc., 

, 728 (Cal. 1992). Thus,
Widjaja’s claim for breach of the implied covenant of good
faith and fair dealing also fails.
AFFIRMED in part, REVERSED in part, and
REMANDED.
Widjaja shall recover her costs on appeal.