Back in the days when “phishing” was just something your spell checker changed back to “fishing,” everyone thought they understood how the risk of loss was apportioned between a bank and its customers if a third party fraudulently obtained money from someone’s deposit account. With few exceptions, the risk of loss was born by someone else besides the bank customer. Fast forward to today when there are so many different ways for bank customers to move money in and out of their accounts besides just a paper check. Several years ago the drafters of the UCC adopted a brand new Article 4A to address the dramatic increase in wire and other electronic transfers between commercial accounts.
Article 4A continues the traditional risk allocation framework in that unless certain exceptions exist, the bank bears the risk of loss for fraudulent transfers from a commercial deposit account. The major exception is where the bank and its customer have agreed upon certain commercially reasonable security procedures. In that instance the risk of loss for fraud will reside with the customer if the bank proves that it accepted a fraudulent payment order (1) in good faith, and (2) in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. Further, if a bank has established security procedures that a customer has declined to use, and the customer instead agrees in writing to be bound by payment orders issued in its name and accepted by the bank in accordance with another security procedure, then the customer will bear the risk of loss from a fraudulent payment order if the declined procedure was commercially reasonable.
A recent decision from the 8th US Circuit Court of Appeals, Choice Escrow and Land Title, LLC v. Bancorp South Bank, applied the provisions of Article 4A to what is becoming a common occurrence today. An employee of Choice clicked on an attachment to an email, which then placed a computer virus on their computer system. Over a period of time the virus gave an unknown third party access to the employee’s username and password and allowed the third party to mimic the computer’s IP address and other characteristics. The thieves wired out $440,000 to an account in the Republic of Cypress. Suffice it to say that when money is fraudulently transferred to an account in the Republic of Cypress, it never comes back. The customer demanded that the bank reimburse it for the loss and the bank refused. The matter ended up in litigation in federal court.
The facts presented at trial showed that the Bank provided Choice with several security measures designed to ensure that Choice’s employees, and only Choice’s employees, would be able to access Choice’s account. The security measures included using IDs and passwords coupled with device authentication software that recorded the IP address of the employee’s computer as well as information about the computer itself—information relating to, for instance, the computer’s operating system, central processing unit, browser, screen, time zone settings, and language settings. Thus, whenever someone acted to initiate a wire, the bank’s security software would verify that the characteristics of that user’s computer were consistent with the information that had been previously recorded about the employee’s computer. If a user attempted to initiate a wire from an unrecognized computer, the user would be prompted to answer “challenge questions” to verify the user’s identity.
The Bank also allowed its customers to place dollar limits on the daily volume of wire transfer activity from their accounts. Choice declined to place daily transfer limits on its account. Finally, the Bank offered its customers a security measure called “dual control.” Under this system, when an employee submitted a payment order, the Bank’s system would not send the order to the bank immediately; rather, the request would create a “pending” payment order. To send a pending payment order to the bank, a second authorized user, using a unique user id and password, would have to log in and separately approve the pending payment order. If a customer declined the use of dual control, the Bank required that customer to sign a waiver acknowledging that it was waiving dual control and that it understood the risks associated with using a single control (i.e., single-user) security system.
Choice declined the use of dual control and signed the requisite waiver. When the phishing attack occurred the computer virus allowed the crooks to mimic the employee’s computer IP address and other characteristics so that the wire order appeared to come from the employee’s computer. That, combined with the ID and password, made it look as though the payment order was legitimate. At trial Choice argued that that a commercially reasonable security procedure must include a process whereby a human being manually reviews every payment order submitted to the bank to ensure that no irregularities exist. The court found no support for Choice’s argument in Article 4A and went on to hold that the procedures put in place by the Bank, including the use of dual control, were commercially reasonable. The court concluded that Choice knew that dual control provided a reliable safeguard against Internet fraud, and Choice explicitly assumed the risks of a lesser procedure notwithstanding the relative ease with which it could have implemented dual control.
KEY TAKEAWAYS: One of the fundamental customer-relations issues for financial institutions is that many commercial customers are still thinking about risk allocation in the context of the old paper check system and haven’t quite got their head around the concept that they might be liable for losses incurred because of internet fraud. In light of the decision in Choice Escrow and Land Title, LLC v. Bancorp South Bank, financial institutions have a number of issues to consider as they seek to minimize risk in this area. For example, when was the last time you read through your deposit, cash management, wire and ACH documentation to see exactly what it says about the use of security procedures and the allocation of risk? Does it discuss specific security procedures, or is it more generic in its references to security procedures? If the security procedures are set out in other documents, are the procedures understandable by customers? Do you have any evidence that the customers have read, much less understood them? Can your customer-facing personnel adequately explain your security procedures? If a customer wants to waive a security procedure, do you have a formal waiver in place?