Criminal schemes to steal consumer and business funds through fraudulent wire transfers are increasing in frequency and sophistication. Funds stolen from small business accounts, for example, total more than $2 billion, according to a recent estimate.1 In response to this trend, courts’ and regulators’ expectations of financial institutions are becoming more demanding. Courts ruled in two recent decisions that banks failed to provide adequate funds transfer security and either were, or could be found, liable for customers’ losses. In another case, a federal court ruled that Article 4A of the Uniform Commercial Code invalidated an indemnification clause that may have protected a bank from liability. Financial institutions must redouble their efforts to enhance the security of their accounts in light of these recent court decisions and increased threats from criminals.
Article 4A and Recent Case Law
All three cases involve Article 4A of the Uniform Commercial Code, which governs funds transfers and has been adopted in most states. Generally speaking, a bank must refund an unauthorized payment order under section 204.2 However, section 202 protects a financial institution from liability for an unauthorized transfer of funds if: (1) the customer and the bank agreed to a security procedure, (2) the security procedure was commercially reasonable, and (3) the bank accepted payment orders in good faith and in compliance with the security procedure and any relevant written agreement or instruction of the customer.3 Section 202 provides that commercial reasonableness is determined by reference to the wishes of the customer, the circumstances of the customer (including size, type, and frequency of payment orders), the security procedures offered to the customer by the bank, and the types of security procedures that are used by similar banks and customers.4 Thus, section 202 does not necessarily require the security procedure at issue to be the best available. Rather, the commercial reasonableness inquiry focuses on whether the procedure is a reasonable one for the particular customer and the particular bank. The meaning of the “commercially reasonable” and “good faith” requirements are continuously changing in response to advances in technology and increasingly sophisticated criminal fraud schemes. The cases discussed below demonstrate how these requirements are evolving.
In Experi‐Metal v. Comerica Bank, criminals accessed Experi‐Metal’s accounts with Comerica Bank after using a phishing email scheme to gain access credentials.5 They made over ninety wire transfers in one day to destinations around the globe totaling over $1.9 million.6 The court found that Comerica and Experi‐Metal agreed to an authentication procedure and that the procedure was commercially reasonable because the contract between the parties contained an express acknowledgment to that effect.7 However, the court found that the bank did not accept payment orders in good faith because it should have recognized the highly unusual account activity and responded to it sooner.8 Accordingly, the bank failed the objective prong of the good faith standard created by the UCC—“the observance of reasonable commercial standards of fair dealing.”9 The court concluded that the following anomalies should have been red flags for the bank: the volume and frequency of payment orders, the $5 million overdraft from what was regularly a zero balance account, Experi‐Metal’s limited prior wire activity, the destinations and beneficiaries of the funds (mostly individuals in Russia and Estonia—areas known for this type of fraudulent activity), and Comerica’s awareness of the existence of such a phishing scheme.10 A better monitoring system could have detected the intrusion earlier and prevented much of the damage.
The First Circuit Court of Appeals reached a similar result in Patco Construction Co. v. People’s United Bank. There, a bank authorized six fraudulent transactions over seven days, totaling $588,851.26.11 Patco made weekly payroll payments through the bank.12 These payments always took place on Friday, they were always initiated from a computer in Patco’s Sanford, Maine office, and the highest payment Patco ever made was $36,634.74.13 Whenever Patco sought to transfer an amount greater than $1, the bank’s security system required the Patco employee to answer three pre‐determined “challenge questions.”14 The bank also employed a risk profiling system that assigned a risk score to every login attempt and transaction based on data, including IP address and geo‐location.15 The bank’s security system flagged each of the fraudulent payments as unusually “high risk” because they were inconsistent with the timing, value, and geographic location of Patco’s regular payment orders.16 The fraudsters were able to access the account by supplying the proper login credentials and answers to challenge questions.17 Remnants of the Zeus/Zbot malware were found on Patco computers, but it was unclear whether the malware was responsible for capturing Patco’s login credentials.18
Patco filed suit alleging a variety of claims, including liability under Article 4A. The district court granted the bank’s motion for summary judgment, concluding that the bank’s security procedures were commercially reasonable. On appeal, the court of appeals ruled that the bank’s security procedures were commercially unreasonable, reversing the trial court on this point.19 Particularly troubling to the court of appeals was the bank’s failure to adopt a variety of security measures endorsed by a guidance document prepared by the Federal Financial Institutions Examination Council (“FFIEC”),20 which was updated in June 2011 in response to a wave of fraudulent funds transfer incidents.21 According to the court, the bank substantially increased the risk of fraud by asking the same three challenge questions at the $1 level, rather than using more questions and requiring them to be answered only for larger transactions. This greatly increased the likelihood that a keylogger would be able to record the answers because they were exposed during every transaction.22 Additionally, the court explained, when the bank received warning from its risk profiling system that fraud was likely occurring, the bank neither monitored the transaction nor gave notice to customers before completing the transaction.23 Due to these “collective failures,” the court held that the bank’s security system was commercially unreasonable.24 The court did not address whether the bank accepted payment orders in good faith and remanded so the district court could address additional issues, including the customer’s responsibility for the fraudulent transfer.
The Experi‐Metal and Patco Construction courts focused on similar factors in their analysis, but it is important to note that Experi‐Metal was decided on the ground that the bank did not accept a particular payment order in good faith. Patco Construction, on the other hand, was decided on the ground that the bank’s overall security procedure was commercially unreasonable. Future decisions may elaborate on this distinction.
A third decision demonstrates that financial institutions should not rely on indemnification clauses to protect themselves against fraudulent funds transfers. In Choice Escrow and Land Title, LLC v. BancorpSouth Bank, Choice Escrow sued its bank under Article 4A, alleging that the bank’s security practices allowed a criminal to steal $440,000 from Choice Escrow through a fraudulent wire transfer.25 The bank filed counterclaims based on indemnity agreements signed by Choice Escrow, through which Choice Escrow agreed to indemnify the bank for any “losses, costs, liabilities, or expenses.”26 Choice Escrow moved for the trial court to dismiss the counterclaims. The trial court granted that motion, reasoning that the counterclaims were inconsistent with Article 4A, and therefore unenforceable.27
Coping with Threats and Recent Case Law Developments
Financial institutions can protect themselves in several ways in light of Experi‐Metal and Patco Construction. They should review their customer agreements to ensure that they contain an express acknowledgment that the institution’s specific authentication measures are commercially reasonable. Under the court’s analysis in Experi‐Metal, this acknowledgment may decrease some exposure to liability, although a bank cannot avail itself of section 202 if it fails to accept a payment order in good faith.28
In light of the weight that the Patco Construction court gave FFIEC guidance, financial institutions also should look to that guidance as a starting point for ensuring adequate security procedures are in place. The FFIEC guidance emphasizes that financial institutions should institute a system of layered security for “high‐risk” transactions,29 which includes electronic transactions involving access to customer information or the movement of funds to third parties.30 At a minimum, a financial institution should have a layered security program that contains the following two elements: (1) processes designed to detect and respond effectively to anomalies related to initial login and initiation of electronic funds transfers; and (2) for business accounts, enhanced controls for system administrators who are allowed to set up or change system configurations, such as setting access privileges.31
The FFIEC guidance explains that authentication methodologies involve three basic “factors”: (1) something the user knows (e.g., password, PIN), (2) something the user has (e.g., ATM card), and (3) something the user is (e.g., biometric characteristic, such as a fingerprint).32 Procedures that rely on more than one of these factors are more difficult to compromise. The guidance recommends multifactor authentication, especially for business customers who perform high‐risk transactions.33
Patco Construction highlights the importance of a multifactor approach. There, the bank relied too heavily on one factor—static login IDs, passwords, and challenge questions (things the user knows).34 Adding another factor, such as a token, to the login process is a highly effective way to improve security. Tokens are physical devices in the user’s possession that provide a cookie or dynamic password so that only the person in possession of the token can log in. These include USB token devices, smart cards, and dynamic password generating tokens.35
Patco Construction also teaches that challenge questions are not always effective. When frequently repeated, they are more likely to be exposed to fraudsters. The FFIEC guidance notes that an Internet search engine is all it takes to answer many challenge questions, such as questions asking for a mother’s maiden name or year of graduation.36 Due to the amount of information available on the Internet, the FFIEC no longer views these basic challenge questions to be an effective risk mitigation technique.37 Sophisticated challenge questions, however, can be part of an effective layered security approach. These questions should not rely on publicly available information. The FFIEC recommends using numerous questions, without exposing all questions during one session. They should include red herring questions that a fraudster would attempt to answer but the intended user would not.38 Financial institutions should also consider requiring complex login user names and passwords that include a mix of letters, numbers, and special characters.
A strong user authentication process is just one of many layers of a robust security system. The case law and FFIEC guidance make clear that financial institutions should also consider implementing behavioral analytics programs in order to recognize and respond to anomalous activity related to the amount, destination, and frequency of funds transfers, among other things. The FFIEC guidance makes clear that financial institutions should periodically review their information security programs and make adjustments as needed in light of changes in technology and threats to information systems. Risk assessments should be updated at least every twelve months, and they should always be updated prior to implementing new electronic financial services.39
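As an added illustration (not code from the article, the FFIEC guidance, or either bank's system), the following Python sketch shows the kind of per-customer anomaly scoring that the Patco Construction risk profiling system produced and that this paragraph calls behavioral analytics: each payment order is compared against the customer's own history for the signals the cases describe (amount above the historical maximum, unusual day of the week, new login location, new destination country or beneficiary, daily order volume) and is held for out-of-band verification when enough signals fire. The history, names, and the hold threshold are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass
class Order:
    day: date
    amount: float
    origin: str        # geo-location of the login that placed the order
    dest_country: str  # beneficiary's country
    beneficiary: str

def build_profile(history):
    """Summarise a customer's past orders: amounts, weekdays, origins, payees."""
    return {
        "max_amount": max(o.amount for o in history),
        "weekdays": {o.day.weekday() for o in history},
        "origins": {o.origin for o in history},
        "countries": {o.dest_country for o in history},
        "payees": {o.beneficiary for o in history},
        "max_per_day": max(Counter(o.day for o in history).values()),
    }

def score_order(order, profile, same_day_count):
    """Count deviations from the profile; same_day_count = orders already seen today."""
    reasons = []
    if order.amount > profile["max_amount"]:
        reasons.append("amount exceeds historical maximum")
    if order.day.weekday() not in profile["weekdays"]:
        reasons.append("unusual day of week")
    if order.origin not in profile["origins"]:
        reasons.append("login from new location")
    if order.dest_country not in profile["countries"]:
        reasons.append("new destination country")
    if order.beneficiary not in profile["payees"]:
        reasons.append("first payment to this beneficiary")
    if same_day_count + 1 > profile["max_per_day"]:
        reasons.append("daily order volume exceeds history")
    return len(reasons), reasons

def decide(order, profile, same_day_count=0, hold_at=2):
    """Hold the order for out-of-band customer verification when enough flags fire."""
    score, reasons = score_order(order, profile, same_day_count)
    return ("HOLD_FOR_VERIFICATION" if score >= hold_at else "RELEASE"), reasons

# Constructed history resembling Patco's pattern: Friday payroll from one office.
HISTORY = [Order(date(2009, 5, d), amt, "Sanford, ME", "US", "Payroll Processor")
           for d, amt in ((1, 31000.0), (8, 36634.74), (15, 29500.0))]
PROFILE = build_profile(HISTORY)
```

A held order is not a rejection: the point the Patco court made is that a high-risk flag should trigger monitoring or customer notice before the transfer completes, which is what the hold represents here.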
Finally, financial institutions that are attempting to avoid developing a robust security system by relying on indemnity agreements should reconsider their strategy. If courts follow the Choice Escrow decision, indemnity agreements will have little, if any, value in this arena. And with courts increasingly siding against banks in funds transfer cases, the Choice Escrow rule may be ripe for adoption. Financial institutions must therefore be proactive in their security efforts, rather than relying on indemnity agreements as a shield when litigation arises.
Financial institutions should ensure that, at the very least, their security programs meet the minimum requirements described by the FFIEC guidance. Keep in mind that, as the FFIEC guidance makes clear, there is not a one‐size‐fits‐all solution to protecting sensitive financial information and safeguarding high‐risk transactions. Nor is any one solution likely to be appropriate over an extended period. Criminal threats and the Article 4A case law are constantly evolving; therefore, financial institutions should ensure that they are well‐versed in these areas in order to protect themselves against financial and reputational harm.