In a recent lawsuit rising from cyber account-takeover fraud, the defending financial institution won summary judgment on two issues of apparent subjective analysis under the Uniform Commercial Code’s Chapter 4A. “The tension in modern society between security and convenience is on full display in this litigation.” Choice Escrow and Land Title, LLC v. BancorpSouth Bank, (U.S.D.C., WD of Missouri; Case No. 10-03531-CV-S-JTM.
The facts were that $440,000.00 was wired from a commercial customer’s account on March 17, 2010. The payment order was initiated on line, after the customer’s computer had been hacked by a fraudster. The funds were wired to New York and then immediately sent on to a bank in the Republic of Cypress. On the day of the wire, the originating bank delivered a faxed confirmation, which was only read the following morning by the commercial customer. Immediate efforts to reverse the single transaction were unsuccessful.
Two issues were addressed by the District Court in granting summary judgment for the bank. First, were the employed security procedures commercially reasonable? Second, did the bank accept the online payment order in good faith and in compliance with the security procedures?
The Court applied the UCC’s “Funds Transfer” provisions, i.e., Chapter 4A. The analysis begins with whether the customer/bank’s contract provided for a commercially reasonable method respecting the authorization of payment orders. As set forth in the expert testimony accepted by the Court, the bank’s nominated security procedures were reasonable, even under the subjective analysis factors suggested in the UCC. Of great significance, the bank’s nominated procedures included a requirement of “Dual Control.” The bank required that one individual at its commercial customer create the payment orders, and that a second individual approve the same prior to instructions be delivered to the bank. However, for operational and personnel reasons, the plaintiff business perceived the dual control requirement as inconvenient.
With the customer’s wishes known, the bank honored its customer’s business interest, but obtained – in writing- the customer’s knowing consent and acknowledgment of the risks consequently presented. Interestingly, a later in time email exchange was proven where the customer once again considered, but ultimately declined, dual control. “There can be little doubt that ‘Dual Control” meets the definition of a security procedure … Thus the first element comes down to whether “Dual Control” was commercially reasonable for [the commercial customer].” The customer, of course, argued that business necessity made the dual control requirement impractical, and therefore not a reasonable part of the security procedure. The Court approached commercial reasonableness as a question of law, “which the Court believes imposes an objective test of reasonableness.” It ruled that dual control was a commercially reasonable element of the bank’s security procedures, and that the customer’s decision to reject that feature “represented more of an inconvenience for [the customer] rather than an impediment.”
Having found that the customer chose an alternative security procedure, i.e., one lacking dual control, as the agreed upon security procedures, the District Court turned to the second issue - Whether the bank accepted the fraudulent wire request in good faith. The modern version of a UCC defines good faith to encompass both subjective and objective elements. Based upon the record created by the parties in the lawsuit, the Court was able to determine that the objective element had been satisfied. Its objective analysis in measure was based upon the FFIEC’s 2005 Guidance, which in dicta the Court noted was “the applicable standards.” (Note: given the timing of the subject transaction, the FFIEC’s Supplement was not considered). As to the subjective element of the UCC definition, the Court noted that no argument had been advanced challenging the bank’s honesty in fact in accepting the online payment order.
“The tension in modern society between security and convenience is on full display in this litigation. [Customer] understandably feels as though it did nothing wrong, but yet is out $440,000.00. [Bank], as well feels as though it has done nothing wrong. In essence, both parties are correct – yet someone must bear the risk of loss. While such a risk generally would lie with the banking institution, the UCC has delineated a particular circumstance where the risk should be shifted to the customer. This case falls within that exception.”
Consequently, the record of the case, including the expert testimony that the fraud would likely not have occurred if dual control had been followed, and the contracting parties’ written acceptance of the risk arising from the customer’s decision not to employ all aspects of the bank’s nominated security procedures, was ultimately determinative in favor of the financial institution.