The Eleventh Circuit recently overturned a district court’s grant of summary judgment in a case concerning whether a bank was liable for a fraudulent wire transfer and whether its security procedures were commercially reasonable.

The case, Chavez v. Mercantil Commercebank, N.A., 2012 WL 5907151 (11th Cir. Nov. 27, 2012), involved a fraudulent payment order that resulted in the transfer of $329,500 from the plaintiff’s account to an account in the Dominican Republic. A person claiming to be the plaintiff provided a payment order at a bank branch. A bank employee confirmed the information on the order, the identification provided by the person and the authenticity of the signature on the order. The customer sued the bank to recover the money. The bank argued that it was protected by the safe harbor provided under Article 4A, which relieves a bank of liability for fraudulent transfers if the bank and customer have agreed to a commercially reasonable security procedure and the bank followed the procedure in good faith.

As part of the account’s Funds Transfer Agreement, the customer had agreed to the security procedures selected in an Annex. The procedure selected required only signature verification for written payment orders delivered in person, and the agreement stated that the security procedure selected would be the “sole security procedure required.” The plaintiff alleged that the security procedure selected was not a commercially reasonable security procedure for verifying authenticity or detecting errors. The district court found the agreed-upon procedure met the statutory definition of a “security procedure,” that the procedure was commercially reasonable and that the bank had complied with it in good faith. The Eleventh Circuit, however, held that the agreed-upon procedure did not constitute a security procedure. The court noted that Article 4A states that a comparison of signatures is not a security procedure in and of itself, and so the “agreed-upon” security procedure was deficient as a matter of law.

Although the bank used other discretionary security procedures, and the Funds Transfer Agreement provided that the bank “may use . . . any other means to verify” payment orders or instructions, the bank had not explicitly included these discretionary security procedures in the definition of “security procedure.” Instead, the appellate court held that the security procedure selected in the Annex was the only “agreed-upon” security procedure because it was described as the “sole security procedure required.” Although the agreement allowed the bank to use other means of validation, the court held the agreement did not properly incorporate these discretionary security procedures, and found the security procedures provided in the Annex could only be changed by written agreement.

The court did indicate that such discretionary security procedures could be incorporated into a properly drafted agreement, stating “the bank could edit the [agreement] to permit it to use commercially reasonable security procedures without providing additional detail about what those procedures are; then it would be free to choose whatever procedures it wanted to verify payment orders, of course mindful that ‘a bank that chooses unreasonable procedures does so at its own peril.’”

The case builds upon previous jurisprudence regarding “commercially reasonable security procedures,” and particularly the Patco decision issued earlier this year. Perhaps the most important take-away is the court’s stance on discretionary security procedures. Although the decision was adverse to the bank, the court’s opinion did allow the possibility of an agreed-upon security procedure which incorporated additional discretionary procedures. The decision highlights the need for financial institutions to review provisions in their funds transfer agreements that concern security procedures, and particularly any reference to discretionary security procedures.

A copy of the opinion can be found here: