23
84. Despite these promises, when consumers enroll in online and mobile banking with
Citi, they must agree to Defendant’s adhesive online terms and conditions, which supplant the
direct-contact security procedures in the client manual. These revised security procedures are not
negotiated with consumers and rely primarily on single-factor authentication—consumers’
usernames and passwords—while removing any requirement of direct, personal contact. And
many of the potential security procedures that would typically be expected are made entirely
discretionary depending on Citi’s whims. In particular (emphasis added in bold and italics):
Citi Online has been designed to reduce the possibility of fraud and error by
placing the issuance of a User ID and Passwords (“Codes”) under your control
so that accounts may be accessed only upon entry of valid Codes. You authorize
Citibank to treat any instruction made on Citi Online with valid Codes as if the
instructions had been made in writing and signed by you. Unless there is
substantial evidence to the contrary, Citibank records will be conclusive regarding
any access to, or action taken through, Citi Online. You are responsible for
maintaining the confidentiality of the Codes and you will not allow any person
(including another Citibank customer or your employee) to use the Codes. You
agree to inform Citibank promptly of any discrepancies that you discover. Citibank
will therefore consider any access to Citi Online through use of valid Codes to be
duly authorized, and Citibank will carry out any instruction given regardless of
the identity of the individual who is actually accessing the system. You confirm
the security system and controls are commercially reasonable and appropriate for
you. When you place an order for a funds transfer (including a wire or cable
transfer), Citibank may follow a security procedure established for your protection
that may entail a telephone call or other required contact with you or from you prior
to acting upon your instructions. In certain instances, Citibank may also decline to
act upon your instructions. Citibank may employ other controls to verify your
identity as a condition of granting access including the collection and use of data
that authenticate you or your computer. You agree to these security procedures, and
acknowledge that if contacted, either by telephone or electronically, you will act or
respond in compliance with requests resulting from these security procedures and
will be bound by any resulting transfer or decision not to act upon your instructions
or to deny access to persons purporting to be you.
85. The above security procedures in Citi’s online terms and conditions appear in the
21st paragraph of dense, legalistic text. And depending on how consumers enroll in online or
mobile banking with Citi, they need not scroll past these terms or even open them at all.
Case 1:24-cv-00659 Document 1 Filed 01/30/24 Page 23 of 71