RealPage was the victim of a phishing scheme that resulted in the diversion of its client funds from the bank account of a third-party payment processer, Stripe Inc. In the ensuing insurance coverage litigation styled RealPage Inc. v. National Union Fire Insurance Company of Pittsburgh, the court ultimately concluded that RealPage was not entitled to coverage for its loss because RealPage did not “hold” the diverted funds and because RealPage did not suffer a direct loss — both of which were required under RealPage’s commercial crime policy.
RealPage provides services for property owners and managers, including the collection of rent and other payments from residents and the transfer of those payments to clients. RealPage contracted with Stripe, a third-party payment processer, to provide software services to enable the processing of the payments. Under this agreement, tenants would log in to their RealPage accounts and initiate a payment to one of RealPage’s clients. RealPage’s website would then provide Stripe with instructions regarding the tenant’s account, the client’s destination account, and the amount of the payment. Upon receipt of these instructions, Stripe would direct Wells Fargo — Stripe’s bank — to process an automated clearing house transaction, pulling the money from the tenant’s account and placing them in Stripe’s Wells Fargo account. Then, Stripe would direct Wells Fargo to complete a separate transfer to pay the funds to the clients in accordance with RealPage’s instructions. Stripe would also conduct another step through Wells Fargo of transferring fees owed to RealPage into RealPage’s account. RealPage had no rights to Stripe’s Wells Fargo account or any of the funds held, was not entitled to withdraw funds from the account, and did not receive interest payments from funds maintained in the account.
In May 2018, threat actors obtained and altered the account credentials of a RealPage employee through a phishing scheme. The bad actors used the credentials to access Stripe’s dashboard and alter RealPage’s fund-disbursement instructions to Stripe, diverting more than $10 million from Stripe’s Wells Fargo account that had not yet been distributed to RealPage’s clients. After discovering the scheme, RealPage directed Stripe to reverse the payments but was unable to recover approximately $6 million. RealPage reimbursed its clients for the lost funds.
RealPage was insured under a commercial crime policy issued by National Union and an excess fidelity and crime policy issued by Beazley, which followed form to the National Union policy. The National Union policy provided insurance for certain covered property, limited to property that RealPage “own[ed] or lease[d]” or that RealPage “h[e]ld for others.”
Two insuring agreements in the National Union policy were also at issue. First, the computer fraud insuring agreement provided:
We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
-
- To a person (other than a “messenger”) outside those “premises”; or
- To a place outside those “premises.”
In addition, the policy’s funds transfer fraud insuring agreement provided:
We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account.”
Finally, the National Union policy contained an indirect loss exclusion that precluded coverage for the following:
Loss that is an indirect result of an “occurrence” covered by this policy including, but not limited to, loss resulting from:
(1) Your inability to realize income that you would have realized had there been no loss of or damage to “money,” “securities” or “other property.”
(2) Payment of damages of any type for which you are legally liable. But, we will pay compensatory damages arising directly from a loss covered under this policy.
(3) Payment of costs, fees or other expenses you incur in establishing either the existence or the amount of loss under this policy.
RealPage provided notice of its alleged loss to National Union, which determined that RealPage was entitled to coverage for the portion of the loss that represented the transaction fees owed to RealPage because RealPage owned those funds. However, National Union denied coverage for the diverted funds that were owed to RealPage’s clients because RealPage did not own or hold those funds, and thus they were not covered property under the policy.
Thereafter, RealPage sued National Union and Beazley in the Northern District of Texas, asserting breach of contract, violations of Texas unfair competition and prompt payment laws, and declaratory relief. All parties moved for summary judgment.
The court first assessed whether the clients’ funds were covered property under the policy. According to the court, because the parties agreed that RealPage did not own or lease the funds, the central issue was whether RealPage “held” the funds despite the use of Stripe as a third-party payment processor. Thus, the court embarked on a plain meaning analysis of the term “hold.” After analyzing several dictionary definitions of the term, the court ultimately determined that the common meaning of “hold” requires possession of property. According to the court, the ability to direct property — without possession — was insufficient to meet the definition of “hold.” The court rejected RealPage’s argument that interpreting “hold” to require possession rendered the term “own” meaningless. Instead, the court found that “own” was distinct from “hold” because “own” encompassed a situation in which the insured rightfully possessed property, such as by legal title.
Applying the unambiguous meaning of “hold” to the phishing scheme, the court ruled that RealPage’s authority to direct the transfer of its clients’ funds did not equate to holding the funds. According to the court, until the funds were diverted to the threat actors, they remained in Stripe’s — not RealPage’s — Wells Fargo account. Because RealPage had no rights to the funds and could not withdraw the funds, and because the funds were commingled with those of other Stripe users, the court found that RealPage did not possess the funds in any manner and thus did not “hold” them, as the National Union policy required. The court was not convinced that RealPage’s possession of the credentials that were used to divert the funds at issue equated to the holding of the funds themselves. It also rejected RealPage’s contention that it held the funds as a bailee, ruling that RealPage was unable to establish a bailment under Texas law because the funds were never actually delivered to RealPage.
In sum, the court ruled that “funds that are maintained in a commingled account in a third party’s name, at a third-party bank, which the insured can direct but not access, are not funds ‘held’ by the insured.” While the court recognized that RealPage may have intended to hold the funds and that the threat actors used RealPage credentials to perpetuate the fraud, it determined that RealPage did not “hold” the funds under the term’s plain meaning, and thus the funds were not covered property under the policy.
In addition to finding that the clients’ funds were not covered property, the court also found that RealPage was not entitled to coverage because it did not suffer a direct loss. The court noted that both the computer fraud and funds transfer fraud insuring agreements, as well as the indirect loss exclusion, incorporated a “resulting directly” requirement, intending to limit coverage to losses sustained by RealPage, not third parties. Because RealPage did not hold the funds, its loss resulted from its decision to reimburse its clients, which the court determined was not a direct loss.
Accordingly, the court granted summary judgment in favor of National Union and Beazley, ruling that RealPage had not met its burden of demonstrating coverage under the policies.