A recent lawsuit filed by Charlotte-based Park Sterling Bank against a corporate customer highlights the importance of financial institutions having "commercially reasonable" security procedures in place to avoid losses in connection with cyber-attacks on customer accounts. In the suit, Park Sterling seeks $336,000 from a law firm that was duped into giving its user name and password to fraudsters who were then able to hijack the firm’s account and transfer funds from the account through JPMorgan Chase to an account in Moscow. Park Sterling initially reimbursed the law firm for the loss, but is now suing to recover the funds.

The court will analyze the case under the funds transfer provisions of the Uniform Commercial Code ("UCC") to determine whether the bank’s security procedures were "commercially reasonable" and whether the bank acted in "good faith" in allowing the transfers to be made.

While some court decisions have gone against banks on these issues, a recent case from Missouri was decided in the bank’s favor where the security procedure recommended by the bank included "dual control" (i.e., the approval of two employees, using separate user IDs and passwords, required to initiate payment orders). See Choice Escrow and Land Title, LLC v. Bancorp Bank (W.D. Mo., Case No. 10-03531-CV-S-JTM). The corporate customer in the Bancorp Bank case chose not to use dual control for operational and personnel reasons, and signed a waiver acknowledging the risks inherent in foregoing such dual control. Under the UCC, a security procedure will be deemed commercially reasonable if: (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in the name and accepted by the bank in compliance with the security procedure chosen by the customer. In this case, the court held these conditions had been satisfied.