You're a bank, and you receive a wire instruction from your customer. To make sure it's legit, you use a security protocol to which your customer agreed when it opened its account. At the time, the security protocol made sense given industry standards and the customer's situation. But now, years later, are you required to reassess that security protocol given subsequent developments? That's the question in a pending court case in New York federal court.

By way of background, Uniform Commercial Code Article 4A § 202 says that if a bank honors a customer's wire instruction, and the bank validates the instruction using a security procedure to which the customer has agreed, then the bank is legally in the clear—even if it turns out that the instruction is bogus and sent by some evil hacker. But not just any security procedure will do. The procedure has to be "commercially reasonable."

According to § 202(c) (sometimes cited as § 202(3)): "Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated."

Take note of the emphasized text. That phrase is currently the basis of a discovery dispute in the ongoing cybersecurity lawsuit between Banco del Austro and Wells Fargo. (By way of reminder, Wells Fargo used the SWIFT authentication protocol to validate instructions received from Banco del Austro. Those instructions turned out to be the work of hackers, so Banco del Austro is suing Wells Fargo to recover the amounts that Wells Fargo sent out of Banco del Austro's account. See previous posts here, here, here, here, and here for more.) To prove its case, Banco del Austro wants Wells Fargo to turn over all payment orders that Banco del Austro sent to Wells Fargo using the SWIFT system. As articulated by Banco del Austro, "all SWIFT payment orders concerning the Correspondent Account, [are] relevant to gain an understanding of which, if any, circumstances of BDA’s Correspondent Account were known to Wells Fargo.... [A]ny pattern in the size, type and frequency of orders normally issued by BDA can be used to support BDA’s claims under § 202(3)." In other words, Banco del Austro's transfer history bears on whether Wells Fargo's use of the SWIFT authentication protocol was reasonable.

A lot hinges on whether the court adopts Banco del Austro's interpretation of §202(3). If it does, then it will effectively be deciding that the statutory text "including the size, type, and frequency of payment orders normally issued by the customer to the bank" means the size, type, and frequency of payment orders on an ongoing basis—and not just the size, type, and frequency of payment orders contemplated by the customer and the bank at the outset of their relationship, when they initially agreed to a certain authentication protocol. That's a troubling thought. It suggests that after a bank and its customer have agreed to an authentication protocol, subsequent events may upend that decision, rendering the authentication protocol "commercially [un]reasonable." And that just injects more uncertainty into the worldwide wire transfer system.

Of course, as with most discovery disputes, there may be other theories for why the documents are relevant. Maybe other argument will emerge from subsequent briefing or at a hearing, or even from the court itself. Or perhaps these documents are somehow relevant to Banco del Austro's contract claims, which are separate from its §202(c) contentions, or to allegations that Wells Fargo otherwise didn’t act in good faith. Those theories may justify disclosure of the agreements even if the court doesn't adopt Banco del Austro's view of §202(c).

Postscript: No more than a day after Banco del Austro filed its motion to compel with the court, the court denied the motion. Banco del Austro's motion, totaling 30 pages, didn't obey the judge's rule that motions like this should be four pages or fewer. But the court allowed Banco del Austro to re-file its motion in shorter form, so this dispute is still likely to get teed up for a decision.