We continue to see an increase in claims against financial institutions for fraudulent electronic payment orders. Typically these claims involve large sums of money wired to overseas banks and quickly collected by unknown individuals. Under U.C.C. Section 4A-204, a bank will be liable for such payment orders unless it falls within one of two exceptions. A bank may shift liability for the fraudulent order to the customer if either (1) the customer is bound to the order under the law of agency, or (2) the bank and the customer agree to a commercially reasonable security procedure and the bank adhered to that procedure in good faith.
The most common issue arising in these situations is whether the bank’s security procedures are commercially reasonable. This standard is constantly evolving in response to the changing nature of the schemes employed by cyber-criminals. The most recent decision discussing this issue, Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879 (8th Cir. June 11, 2014), provides some guidance on the types of security procedures banks should consider offering to their customers at the present time to protect themselves against potential fraudulent wire transfer claims.
In BancorpSouth, a customer argued that its bank had failed to employ a commercially reasonable procedure when it honored a fraudulent request to transfer $440,000 from the company’s account to a bank in the Republic of Cyprus. The customer’s expert cited U.C.C. Section 4A-202 to argue that BancorpSouth should have employed a “transactional analysis” that analyzed every payment order based on its “size, type, and frequency” to identify orders that are outside of the customer’s normal pattern.
The Eighth Circuit, applying Mississippi law, rejected this claim. Section 4A-202(c) does instruct a bank to consider the “size, type, and frequency” of the wire transfers it issues. As the court noted, however, a bank must consider this information only to the extent of determining whether the security procedures it employs are “commercially reasonable” for the type of orders it receives. Section 4A-202 does not mandate that such an individualized analysis must become part of the security procedure itself.
The Eighth Circuit also strongly endorsed the bank’s offering of dual controls as a security procedure. The court noted:
[D]ual control . . . dramatically reduces the possibility of such a breach. With dual control in place, a customer’s account remains secure even if a third party manages to obtain an employee’s password and IP address; to issue a payment order, that third party would have to obtain a second, wholly independent set of identifying information. Phishing scams work because one out of every few thousand recipients of a malicious email will click on a link containing a virus, and the probability that two employees at the same company would fall for the same scam is quite low.
BancorpSouth, p. 23.
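The property the court describes, that a payment order cannot be released on one compromised set of credentials, is easy to see in code. The following is an added illustration, not anything from the opinion or from BancorpSouth’s systems; the users, secrets and order details are constructed, and the two-approver threshold is an assumption of the example. The second approval must come from a different authenticated identity, and each approval is bound to a digest of the order so that altering the amount or beneficiary after the first approval invalidates it.

```python
"""Dual-control release of a payment order (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed credential store for the customer's two authorized employees.
# A production system would hold salted hashes or use hardware tokens; the
# raw secrets here only keep the example self-contained.
CREDENTIALS = {
    "alice": b"constructed-secret-alice",
    "bob": b"constructed-secret-bob",
}

REQUIRED_APPROVALS = 2  # assumption: two independent approvers


@dataclass
class PaymentOrder:
    order_id: str
    amount_cents: int
    beneficiary_bank: str
    # approver -> digest of the order as that approver saw it
    approvals: dict = field(default_factory=dict)

    def digest(self) -> bytes:
        """Canonical hash of the fields an approver is vouching for."""
        canonical = f"{self.order_id}|{self.amount_cents}|{self.beneficiary_bank}"
        return hashlib.sha256(canonical.encode()).digest()


def authenticate(user: str, secret: bytes) -> bool:
    """Constant-time credential check against the constructed store."""
    stored = CREDENTIALS.get(user)
    return stored is not None and hmac.compare_digest(stored, secret)


def approve(order: PaymentOrder, user: str, secret: bytes) -> bool:
    """Record one approval.

    Rejected when the credential is wrong or when this identity has already
    approved: reusing one stolen login cannot supply the second control.
    """
    if not authenticate(user, secret):
        return False
    if user in order.approvals:
        return False
    order.approvals[user] = order.digest()
    return True


def can_release(order: PaymentOrder) -> bool:
    """True only when enough distinct approvers signed off on the current
    contents of the order. Approvals over an earlier version are discarded,
    so a post-approval change to amount or beneficiary forces re-approval."""
    current = order.digest()
    valid = {u for u, d in order.approvals.items() if hmac.compare_digest(d, current)}
    return len(valid) >= REQUIRED_APPROVALS


def single_credential_scenario() -> bool:
    """Attacker holds only alice's secret: the order must not release."""
    order = PaymentOrder("ORD-1", 44_000_000, "EXAMPLE-BANK-CY")
    approve(order, "alice", CREDENTIALS["alice"])
    approve(order, "alice", CREDENTIALS["alice"])      # same identity again
    approve(order, "bob", b"guessed-wrong")             # bad second credential
    return can_release(order)


def dual_control_scenario() -> bool:
    """Two distinct authenticated approvers: the order releases."""
    order = PaymentOrder("ORD-2", 1_500_00, "EXAMPLE-BANK-US")
    approve(order, "alice", CREDENTIALS["alice"])
    approve(order, "bob", CREDENTIALS["bob"])
    return can_release(order)


def tampered_after_first_approval_scenario() -> bool:
    """Beneficiary changed between approvals: alice's approval no longer
    matches the order, so one valid approval remains and release fails."""
    order = PaymentOrder("ORD-3", 1_500_00, "EXAMPLE-BANK-US")
    approve(order, "alice", CREDENTIALS["alice"])
    order.beneficiary_bank = "EXAMPLE-BANK-CY"
    approve(order, "bob", CREDENTIALS["bob"])
    return can_release(order)


if __name__ == "__main__":
    print("single credential releases:", single_credential_scenario())
    print("dual control releases:", dual_control_scenario())
    print("tampered order releases:", tampered_after_first_approval_scenario())
```

The design point is that the second control is independent: it is a second identity with its own credential, checked against the same order contents, not a second prompt to the same session. That is what makes the court’s reasoning about phishing hold, since compromise of one employee yields at most one of the two required approvals.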
BancorpSouth follows three other notable decisions in recent years that provide helpful guidance to financial institutions in this developing area. Braga Filho v. Interaudi Bank, No. 03 Civ. 4795 (S.D.N.Y. April 15, 2008) and Chavez v. Mercantil ComerceBank, N.A., 701 F.3d 896 (11th Cir. 2012) provide guidance as to the type of language financial institutions should incorporate into their customer agreements to make certain that all security procedures they provide are considered in a commercial reasonableness inquiry. Under U.C.C. §7-402, only security procedures agreed to by a customer, or security procedures that the customer declined to use in agreeing to other procedures, may be considered in judging the bank’s reasonableness.
In Filho, the customer signed an agreement that expressly provided that the bank would select the security procedures for accepting wire instructions. The court held that this language was sufficient to indicate the customer agreed to whatever procedures the bank selected. In Chavez, in contrast, the deposit agreement provided that the bank “may use” security procedures other than those specified. The court held that this language was insufficient to make the security procedures part of the agreement under Section 7-402.
In Patco Constr. Co. v. People’s United Bank, 684 F.3d 19 (1st Cir. 2012), the court held that the bank’s security procedures were not commercially reasonable because its primary protection was the use of a challenge question, which it employed on all payment order transactions. The court held that reliance on this procedure alone was not commercially reasonable given the increasing availability of keyloggers or other malware that can capture such information for unauthorized users. The court found that the bank’s procedure actually increased the risk of fraud for its customers who frequently used payment orders, since it increased the chances that the customer’s access information could be intercepted.
Synthesizing the holdings in these four important decisions, there are several steps that banks might consider to avoid being liable for this type of scheme. First, financial institutions should review the language in their agreements to confirm that the customer has agreed to be bound by whatever commercially reasonable security procedure the bank has selected. Otherwise, they run the risk that procedures they actually followed will not be considered by a court in evaluating this issue. Second, banks should consider whether they need to review and adapt their security procedures as new threats come to their attention. Finally, in light of the strong endorsement in BancorpSouth, financial institutions should consider whether to make a dual control security procedure available to their customers if they do not already do so.