Article 4A of the UCC Allocates Risk of Loss From Fraudulent Payment Orders in Some Circumstances Ar t icle 4 A of t he Un ifor m Commerc i a l C o de (UC C) gover n s “ f u n d t r a n s f e r,” c o m m o n l y r e f e r r e d to a s w i r e t r a n s f e r. T he UC C at tempt s to ba l a nc e t he c ompet ing interests of t he ba n k s t hat prov ide f u nd t ra nsfer ser v ices , a nd t he commercia l a nd f i na nc i a l orga n i z at ion s t hat u se t he ser v ices. Pa r t of t he ba la nci ng ac t relates to t he r isk t hat a t h i rd pa r t y w i l l stea l a c u stomer’s ident it y a nd issue a f raudu lent pay ment order to t he ba n k . Genera l ly, t he ba n k bea rs t h is r isk . There is, however, a per t inent except ion: “If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer...” [Emphasis added.] RCW 62A.4A-202(b). By defi nition, a “securit y procedure” is a “procedure established by agreement of a customer and a receiving bank for the purpose of... verifying that a payment order... is that of the customer.” [Emphasis added.] (RCW 62A.4A-201) Just having procedures is not enough. A bank must have “commercially reasonable” security procedures. A security procedure is commercially reasonable if: “(i) The security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name, and accepted by the bank in compliance with the security procedure chosen by the customer.” [Emphasis added .] RCW 62A.4A-202(c). In selecting security procedures it offers customers, a bank shou ld consider factors like customers’ anticipated issuance of payment orders, the complexity of the security procedures, and what proven security procedures are used by similarly situated banks and customers. Id. It may not be reasonable for a customer that infrequently submits modest payment orders to have the same security procedures as a customer that transfers millions of dollars daily. Similarly, small banks may find it difficult to conduct manual approval of large volume customers. The exception was tested last year in a case involving a fraudulent wire transfer resulting from a breach of established security measures for transfers. The Eighth Circuit Court of Appeals, in Choice Escrow & Land Title v. BancorpSouth Bank (2014 U.S. App. LEXIS 10817), shifted liability from the bank to the customer for funds fraudulently wired 7 The exception was tested last year in a case involving a fraudulent wire transfer resulting from a breach of established security measures for transfers. f rom t he c ustomer’s accou nt because t he bank showed: (1) it had an agreement with the customer regarding security procedures, (2) its security procedures were commercially reasonable, and (3) it accepted the payment order in compliance with the customer’s written instructions. Washington state is in the Ninth Circuit, which means the Choice Escrow case is not binding, but is very instructive on how to benefit from the UCC exception. The Fac t s : Choice Escrow & La nd Tit le, LLC (“Choice”) maintained a trust account at BancorpSouth Bank (the “Bank ”) to wire funds to sellers upon the closing of real estate transactions. Bank offered its customers the following security procedures: 1. Assigning unique passwords and IDs; 2. I mplem ent i ng a n a ut h ent ic at i on system to verif y the IP address of the computer from which the customer accesses its accounts is registered on the Bank ’s system; 3. Placing dollar limits on the volume of daily wire transfers from customer accounts; and/or 4. A llow ing customers to require two aut hor i z e d u s ers to approve e a c h transfer. The first two procedures were part of the Bank ’s wire procedures, and transfers could not be sent without them. The third and four t h secur it y procedures were optiona l. Choice provided a written waiver declining to participate in the optional security measures. T here a f ter, one of C hoic e’s u nd er w r iters warned Choice of email phishing scams that permit third parties to access accounts. After discussing the threat of phishing emails with the Bank, Choice again provided a written waiver of the optional security procedures. Thereafter, one of Choice’s employees downloaded a v ir u s t hat replic ated Choice’s IP add ress, password a nd ID, render i ng t he authentication systems at the Bank ineffective and resulting in the fraudulent wire transfer of $440,000 to an international account. Choice sued the Ban k to recover t he fraudu lent ly transferred amount. The Trial Decision: The trial court, the U.S. District Court for the District of Missouri, held t hat: 1) t he Ba nk ’s security measures were commercially reasonable; 2) the Bank executed the transfer in accordance with all then-current applicable state and federal statutes and the guidelines issued by the Federal Financial Institutions Examination Council (FFIEC); 3) the Bank executed the transfer in good faith; and, 4) the Bank followed Choice’s written orders. The Appellate Decision: The Court of Appeals upheld the ruling in favor of the Bank that, as a matter of law, Choice’s written waiver of pa r t icipat ion i n t he Ba n k ’s heig htened securit y measures for wire transfers made Choice wholly liable for the amount of the fraudulently transferred funds. The Court’s rationale was that the Bank of fered fou r secur it y procedu res t hat t he Court found to be commercially reasonable. The computer v irus t hat infected Choice’s computer permitted the scammers to by pass Choice’s on ly defenses a ga i nst at tack, t he u nique pa ssword , a nd I D a nd I P add ress. Had Choice accepted t he optiona l security procedures, the transfer could not have been completed. Ensure the Protections of Article 4A Apply to Wire Transfer Arrangements: The Choice Escrow ruling is a reminder that implementation of “commercially reasonable” security policies and procedures in dealing with wire transfers is essential to comply with the law. With increasing hacking, phishing and other threats, now is a good time to revisit this issue and your fund transfer agreement (FTA). Remember to update your FTA’s as the bank implements new or revised — and, of course, commercially reasonable — security procedures to combat new security threats. As noted in t he Choice opinion, Article 4A provides incentive for you to verify that you have policies and procedures, and that you: 1) identif y your security procedures in a way that is clearly disclosed to customers; 2) document each customer’s knowledge of and agreement to your security procedures; and 3) require each customer to provide written waiver of any optiona l security procedures it declines to use. You should know and stay aware of updated FFIEC guidelines applicable to your institution — changes may require you to revise your security procedures in accordance with them. Although this article cannot address all relevant case law, statutes and scenarios, it identifies some core UCC Article 4A issues that can shield you from liability for fraudulent wire transfers. It is essential that you consult an attorney or security expert to ensure your security procedures keep pace with the threats. Jane E. Brown is Counsel to the Fir m at L ane Powell, w he re s h e focuses her practice on representing clients in civil litigation, representing l oc a l g ov e r n men t s and p r i vat e client s from intake through trial. Brown strategically supervises legal projects and case matters with an emphasis in civil litigation, probate, qui tam defense, premises liability and Deceptive Trade Practices Act claims. She can be reached at brownje@lanepowell. com or 206.223.7126.