Financial institutions rejoiced last year at the victory won by BancorpSouth Bank in the case brought by its customer, Choice Land Title, LLC, alleging that the Bank must compensate it for $440,000 in fraud losses it suffered arising out of fraudulent wire transfer orders executed by the Bank. (Choice Land Title, LLC v. BancorpSouth Bank, 2013 WL1121339, W.D. Missouri, 2013). The trial court recognized the validity of the financial institution’s defense that it had acted in accordance with commercially reasonable standards, and enforced the indemnification agreement between the customer and the Bank. After being confronted with numerous cases finding in favor of the customers who had been the victims of payment fraud, financial institutions finally had a legal precedent for holding firm on refusing to reimburse customers who suffered payment fraud losses as a result of not following the security procedures offered by their financial institutions.
As expected, however, Choice Title appealed the trial court’s decision, and fortunately, it was not a short-lived victory– the 8th Circuit appellate court upheld the trial court’s decision last month. So more rejoicing, right? Not so fast. The court’s opinion deserves closer scrutiny.
Under UCC Article 4A, a financial institution can shift the risk of fraudulent payment transfers to its customer if the financial institutions and customer have agreed to operate in accordance with a security procedure, the security procedure is a commercially reasonable method of preventing fraud, and the financial institution proves it accepted the payment order in good faith and in compliance with the security procedure.
Thus, BancorpSouth Bank had to prove the security procedures it offered were commercially reasonable, and that the Bank had accepted the payment order in good faith and in compliance with Choice Title’s instructions, in order to shift liability.
First, although Article 4A-201 speaks of security procedures established “by agreement,” in a world of form account agreements and the propensity of courts to consider disparate bargaining power and technological sophistication in their analysis of enforceability, Article 4A is often construed to initially place the burden on the bank to prove that its offered authorization process meets a commercially reasonable security standard. However, the Choice Land Title court gave vitality to the Code’s provision by enforcing the agreement embodied in the Bank’s forms. It clearly held that if a customer declines to use one material part of its bank’s offered security procedures, and agrees in writing to be bound by transactions initiated pursuant to a de facto alternative security procedure, the parties to the account will be deemed “by agreement” to have established the alternative security procedure, enforceable by the courts. The Bank’s documentation was determined to be sufficient to establish, either expressly or implicitly, the customer’s adoption of a security procedure different than what had been proposed by the Bank. Since Choice Title suffered a loss which could have been prevented by the use of the Bank’s offered security procedures, except for the alternative procedures agreed upon, the liability for the loss passed from the Bank to the customer.
Secondly, the court analyzed what makes a security procedure “commercially reasonable.” The Court rejected Choice Title’s argument that the Bank’s originally offered security procedures were not reasonable because they did not involve transactional analysis. The Bank’s security procedures consisted of password protection, daily transfer limits, device authentication, and dual control. In concluding that the security procedures were commercially reasonable, the Court pointed to the fact that the Bank followed the FFIEC’s 2005 Guidance recommendation of the use of multifactor authentication of internet banking transactions, and subsequently responded to increasingly sophisticated Internet fraud methods, by adjusting their security procedures to include dual control. Further, the offered procedures were suitable for Choice Title given the circumstances of the customer’s business known to the Bank. Choice Title chose to use a higher risk procedure because it was convenient and cheaper. In doing so, it assumed the risk of fraud and cannot shift that risk to the Bank. An email exchange between Choice Title and the Bank clearly documented Choice Title’s rejection of the use of dual control.
Finally, because the Bank’s employees had no discretion with respect to the acceptance and execution of the payment orders, and the security procedures were automated, the Bank acted in good faith. The Bank executed a transaction that cleared the Bank’s commercially reasonable security procedures, and the Bank had no independent reason to suspect that the transactions were fraudulent.
The availability of irrefutable evidence that the customer had considered and rejected the dual control security procedure was a key reason the Court reached a conclusion favorable to the Bank. Which begs the question – should financial institutions be making a greater effort to clearly document their customers’ agreement to use specific security procedures? And more importantly, how to document a customer’s election to decline a recommended procedure? Financial institutions can mandate the automated use of certain procedures, as BancorpSouth Bank did. But the use of other procedures, such as dual control, password protection, and dedicated computers for payment orders and online banking transactions, are solely within the control of the customer. Obtaining an express commitment from the customer to use such procedures (“opt-in”), or an express waiver of the use of procedures (“opt-out”), can provide important evidence to support a shift of liability to a customer who has been the victim of payment fraud.