On November 10, 2025, the U.S. District Court for the Northern District of California issued a notable ruling in Little Seeds Children’s Center, Inc. v. Citibank, N.A., granting in part and denying in part Citibank’s motion to dismiss claims brought by bank customers arising from a series of allegedly fraudulent wire transfers totaling over $717,000. The decision offers important guidance for financial institutions regarding the scope of tort liability in contractual banking relationships, the viability of UCC Article 4A claims, and the pleading requirements for data privacy causes of action under California law.
Factual Background
The plaintiffs — Little Seeds Children’s Center, Inc. (“LSCC”), its CEO Mahvash Kamrani, and its CFO Hossein Kamrani — had held bank accounts with Citibank since 1999. For over two decades, Citibank’s standard practice was to contact the plaintiffs by email, text, or phone to confirm any transaction that appeared out of the ordinary. In July 2024, Citibank employees at an Alameda branch persuaded the plaintiffs, over their initial reluctance, to begin using a security key token to authorize transactions remotely. The plaintiffs allege they were told the security key would provide added protections on top of the existing monitoring and phone-call security protocols.
On October 1, 2024, an individual calling himself “Jason B.” used a Citibank phone number to contact the plaintiffs, posing as an employee of Citibank’s fraud department. Under the guise of freezing suspicious wire transfers, Jason B. tricked the plaintiffs into using their security key to authorize the very transfers he had initiated. Nearly twenty wire transfers were completed — many within the span of a single hour — draining $717,293.08 from the plaintiffs’ accounts, with most funds routed to recipients in Florida. The plaintiffs had no history of ever requesting or authorizing wire transfers.
Key Holdings
Negligent Misrepresentation — Dismissed with Leave to Amend. The court applied the California Supreme Court’s recent decision in Rattagan v. Uber Technologies, Inc. (2024), which refined the “independent tort principle” governing tort claims between contracting parties. Under Rattagan, a plaintiff asserting a tort claim in a contractual relationship must show that (1) the defendant violated an independent legal duty and (2) the resulting harm was beyond the reasonable contemplation of the parties when they entered the contract. While the court acknowledged that the plaintiffs may have adequately alleged a violation of an independent duty, it found that the only harm alleged — the loss of stolen funds — was purely economic and fell within the reasonable contemplation of a banking agreement designed to safeguard money. The court noted that the plaintiffs’ arguments about reputational damage and regulatory non-compliance were raised only in their opposition brief and were not alleged in the complaint itself.
Intentional Misrepresentation — Motion Denied. The court found that the plaintiffs satisfied the heightened pleading standard of Federal Rule of Civil Procedure 9(b). The plaintiffs alleged with sufficient particularity that Citibank’s agents at the Alameda branch misrepresented the security token as an additional safeguard, when in reality Citibank silently withdrew its prior account monitoring and phone-call protections once the plaintiffs adopted the token. The court held that the plaintiffs adequately alleged knowledge of falsity, intent to induce reliance, actual reliance, and resulting damage.
UCC Article 4A — Partially Dismissed, Partially Sustained. The court dismissed the plaintiffs’ claims under California Commercial Code sections 11201(b) (conceded typographical error) and 11205 (inapplicable to the facts), both without leave to amend. The claim under section 11202, which defines authorized and effective payment orders but does not itself impose liability, was also dismissed. However, the court sustained the plaintiffs’ claim under section 11204, which requires a bank to refund unauthorized wire transfers that were neither authorized nor verified pursuant to a commercially reasonable security procedure. The court found plausible allegations that Citibank’s security procedures were commercially unreasonable, noting that the bank allowed twelve wire transfers in an hour — draining over $300,000 from accounts that had never before made a wire transfer — without flagging the activity.
California Consumer Privacy Act — Dismissed with Leave to Amend. The court held that the plaintiffs’ CCPA allegations merely restated the statutory elements and did not sufficiently allege that unauthorized access to their personal information resulted from Citibank’s failure to maintain reasonable security procedures. The court noted that the plaintiffs failed to establish a causal connection between any alleged deficiency in Citibank’s security and the fraudster’s access to the plaintiffs’ information.
California Consumer Records Act — Partially Dismissed without Leave to Amend, Partially Dismissed with Leave to Amend. The claim under section 1798.81.5, requiring reasonable security procedures, was dismissed without leave to amend because financial institutions are statutorily exempt from that provision. The claim under section 1798.82(a), requiring breach notification, was dismissed with leave to amend because the plaintiffs did not plead specific facts about whether the unauthorized transfers constituted security breaches or when the bank learned of the breach.
UCL Claim — Dismissed with Leave to Amend. The court found that the plaintiffs’ stated basis for lacking an adequate remedy at law — that damages are not available under the UCL — was legally defective because the relevant inquiry considers the plaintiffs’ other available causes of action. The court also dismissed for lack of Article III standing to seek injunctive relief, as the plaintiffs did not allege their current relationship with Citibank or what specific injunctive relief they sought.
Negligent Hiring — Dismissed with Leave to Amend. The plaintiffs conceded this claim was insufficiently pleaded.
Little Seeds Children’s Center, Inc. v. Citibank, N.A., No. 25-cv-01517-HSG (N.D. Cal. Nov. 10, 2025).
