In a case decided last month, a federal district court ruled that the Uniform Commercial Code (“UCC”) allows a bank to shift the risk of loss arising from an incident of wire transfer fraud to its customer under certain circumstances. The March 18 decision by the U.S. District Court for the Western District of Missouri came in a dispute between a bank and a commercial customer that lost several hundred thousand dollars when criminals fraudulently initiated a wire transfer from the customer’s deposit account at the bank. The wire transfer was initiated via the internet using a username and password that were assigned to an authorized representative of the bank’s customer and had been obtained by a hacker who remotely accessed the computer of an employee of the customer. The bank had recommended on more than one occasion that its customer allow the bank to implement a dual-control system to authenticate wire transfer requests initiated via the internet on behalf of the customer. The dual-control system would have prevented any wire transfer request that was not separately initiated using two separate usernames and passwords assigned to two different authorized representatives of the customer. The bank’s customer repeatedly declined to allow the bank to implement such a dual-control system to authenticate wire transfer requests. The court held that the dual-control system was a commercially reasonable method of providing security against unauthorized transfers.
Nutter Notes: The decision of the court in Missouri follows a number of recent wire transfer fraud cases that have been decided against banks. Those earlier rulings suggested that customers could be held liable under certain circumstances. In general, the UCC provides that a bank bears the risk of loss for unauthorized wire transfers. However, the UCC provides an exception if the bank can establish that its “security procedure is a commercially reasonable method of providing security against unauthorized payment orders,” and the bank “accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.” Official UCC commentary cited by the court provides that when an informed customer declines a commercially reasonable security procedure and insists on a higher-risk procedure for convenience, the customer has assumed the risk of the failure of the higher-risk security procedure and cannot shift the risk of loss to the bank. According to the court, the experts called to testify in this case agreed that the fraud would not have occurred if a dual-control procedure had been implemented. However, banks should note that after the incident of fraud at issue in this case occurred, the FFIEC issued guidance recommending that banks consider multi-factor authentication procedures and a layered security approach to fraud prevention technologies.