Member Article

Could your institution be at risk of liability for unauthorized wire transfers and Automated Clearing House (“ACH”) credit transfers? Data security breaches continue to garner headlines, and criminals continue to engage in targeted activities to steal millions of dollars in unauthorized funds. Community banks and small financial institutions must heed the warnings of recent cases addressing the issue, as well as the statutory framework of Article 4A of the Uniform Commercial Code (“UCC”), which explains who is responsible for resulting losses.Because criminals are targeting smaller and mid-sized companies, which they believe to have less extensive security protocols than larger companies, community banks that service the small business and middle market must stay aware of these issues. If criminals obtain account access credentials through breaching a small business’s servers, and then use that data to issue payment orders or transfers from the community bank, the financial institution must ensure it is following legally defensible protocols to avoid liability for this unauthorized conduct.Under UCC, Article 4A (“Funds Transfers”), a bank is responsible for unauthorized electronic payment orders on a non-consumer account. UCC § 4A-204. Notwithstanding, the bank may shift the risk of loss to its customers through very specific procedures:

• The bank and customer agree that the bank will verify the authenticity of any transfer pursuant to a “security procedure”;
• The security procedure is “commercially reasonable”; and
• The bank acts in good faith, complies with the agreed-upon security procedure, and follows any written instructions from the customer restricting payment orders. UCC § 4A-202(b).

The safe-harbor largely hinges upon commercial reasonableness, which is discussed in section 202(c), explaining that “commercial reasonableness of a security procedure is a question of law” to be determined by:

1. The wishes of the customer expressed to the bank;
2. The circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank;
3. Alternative security procedures offered to the customer; and
4. Other procedures generally used by customers and receiving banks in similar circumstances. UCC § 4A-202(c).

Another way of proving commercial reasonableness comes into play where the customer wants to use its own security procedure and therefore declines the procedure offered by the bank. UCC § 4A-202(c). Here, the customer must expressly agree in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer. Id.Recent Decisions Regarding Commercially Reasonable Security Procedures

1. Yes, the Bank’s Procedure Was Commercially Reasonable.

In Choice Escrow & Land Title, LLC v. Bankcorp South Bank, 754 F.3d 611 (8th Cir. 2014), an unknown third-party accessed Choice Escrow & Land Title, LLC’s (“Choice Escrow”) accounts at Bankcorp South and stole $440,000 through unauthorized ACH transactions. An employee of Choice Escrow fell prey to a “phishing attack” and clicked on a link in an e-mail message, which resulted in a virus being installed on the employee’s computer that gave an unknown third-party access to the employee’s username and password. The unknown third-party used this information to access Choice Escrow’s online bank account and issue a payment order instructing Bankcorp South to transfer $440,000 from Choice Escrow’s account to a banking institution in the Republic of Cypress. 754 F. 3d at 616. When attempts to recover the funds failed, Choice Escrow sued Bankcorp South for the lost funds. Id.The bank’s security contained four security measures designed to ensure that only the customer’s employees would be able to access the customer’s accounts. First, each employee had a unique ID and password. Second, the system logged each employee’s primary terminal IP address and required authentication questions if the employee attempted to login elsewhere. Third, the bank allowed customers to place dollar limits on the daily volume of wire transfer activity from their accounts. Fourth, the bank offered “dual control,” which required two authorized users to approve every payment order. 754 F. 3d at 613-14.Choice Escrow declined the dollar limit on transactions and the “dual control” feature and signed the requisite waiver with the bank. In analyzing the bank’s security measures, the court determined that the security procedures were “commercially reasonable.” The court examined what similarly situated banks were doing, and it analyzed the Federal Financial Institutions Examination Council guidance from 2005 on various authentication protocols. The court also explained that bypassing “dual control” resulted in Choice Escrow assuming the risks of its decision and limited its ability to shift the loss to the bank.Finally, the court explained that the bank acted in good faith and that the bank acted in accordance with the requests of the customer and the parties’ agreement. Accordingly, Bankcorp South offered a commercially reasonable security procedure, and the bank was not responsible for the unauthorized transaction and resulting $440,000 loss.2. No, the Bank’s Procedure Was Not Commercially Reasonable.The court found that the bank’s security procedures were not commercially reasonable under UCC Article 4A in Patco Construction Co. v. People’s United Bank, 684 F. 3d 197 (1st Cir. 2012). Unauthorized ACH transfers that totaled $588,851 were taken from the construction company’s account with Ocean Bank, which was later acquired by People’s United Bank. When the customer sued the bank to recover its losses, the bank’s security procedures became the focus of the lawsuit.The bank implemented a security system provided by an outside vendor, and the system had several security attributes. Additionally, several features were offered to the bank that it chose not to adopt. The court found flaws in the implementation of the security system and focused on several features in particular. First, if a payment transfer exceeded a dollar threshold, the customer had to answer special security questions. For all of its customers, the bank set the threshold at $1.00, and the court found that consequently, every transfer required answering special security questions. Where a user’s computer was infected with “keyloggers” or other malware that would capture keystrokes, the answers to the security questions would be easy to obtain because the user would be entering the same answers at many points during the day. 684 F. 3d at 210-11.Additionally, the court found that the bank was not monitoring warnings from its software that showed the customer was making uncharacteristic transactions. The bank was not monitoring scores from its warning software and therefore did not stop the payment transfers or notify the customer. 684 F. 3d at 213. The court looked at similarly situated institutions and identified that they were using additional security procedures not implemented at Ocean Bank.Although the United States Court of Appeals for the First Circuit concluded that the Bank’s security procedures were not reasonable, it also said that the customer had responsibilities for implementing certain security procedures. Therefore, the matter was remanded for further finds on this point. Notwithstanding, the case settled for the amount of the loss plus interest before the trial court could address the customer’s conduct.Best PracticesAs is evident from a review of these cases, the determination of commercially reasonableness is the key to determining whether a financial institution or its commercial customer bears the risk of loss under UCC Article 4A.

• The FFIEC guidelines are a standard. Both of the cases discussed above analyzed the FFIEC guidelines as part of an industry standard. The guidelines as amended must be the cornerstone of security standards.

• Shop around and document a decision. Identify what different vendors are offering by way of security standards and protocols and understand what works for one’s institution and customers. Part of the process is assessing what similarly situated institutions are doing, so utilize vendors to help one understand that aspect as well.
• Security procedures can and should vary among customers. Analyze what the transfer habits and patterns are for given customers and work to implement an appropriate solution for that account. One size does not fit all.
• Monitor security software notifications. Do not be the institution, like Ocean Bank, that failed to monitor notifications that it had implemented and paid to receive. The UCC requires that the bank’s employees perform acts required by the security procedure.
• Discuss the process with customers. Banks can assist customers with avoiding cyberattacks and in mitigating risks. Build the partnership with clients, and they can avoid these types of thefts that are costly and problematic for both customers and banks.

As this area of the law develops and as criminals become more sophisticated, it is imperative that community banks and smaller financial institutions implement security procedures that are reasonable for the customer and the institution itself. The process of selecting and implementing the procedures should be thorough and well-documented. Investments on avoiding these issues will pay dividends in happy customers, safe deposits, and improving one’s institution’s capabilities.If you have any questions about this issue, please contact us.