COUNSELOR’S CORNER
By Jane E. Brown, Lane Powell PC
Commercially Reasonable Security Procedures
for Wire Transfers May Avoid Fraud Risk
6
Article 4A of the UCC Allocates Risk of Loss
From Fraudulent Payment Orders in Some
Circumstances
A
a commercially reasonable method of providing
security against unauthorized payment orders,
and (ii) the bank proves that it accepted the
payment order in good faith and in compliance
with the security procedure and any written
agreement or instruction of the customer re­
stricting acceptance of payment orders issued in
the name of the customer...” [Emphasis added.]
RCW 62A.4A-202(b).
“If a bank and its customer have agreed that
the authenticity of payment orders issued to the
bank in the name of the customer as sender will
be verified pursuant to a security procedure, a
payment order received by the receiving bank is
effective as the order of the customer, whether
or not authorized, if (i) the security procedure is
By defi nition, a “securit y procedure” is
a “procedure established by agreement of a
customer and a receiving bank for the purpose
of... verifying that a payment order... is that
of the customer.” [Emphasis added.] (RCW
62A.4A-201) Just having procedures is not
enough. A bank must have “commercially
reasonable” security procedures. A security
procedure is commercially reasonable if: “(i)
The security procedure was chosen by the cus­
tomer after the bank offered, and the customer
refused, a security procedure that was com­
mercially reasonable for that customer, and (ii)
the customer expressly agreed in writing to be
bound by any payment order, whether or not
authorized, issued in its name, and accepted
r t icle 4 A of t he Un ifor m Com­
merc i a l C o de (UC C) gover n s
“ f u n d t r a n s f e r,” c o m m o n l y
r e f e r r e d to a s w i r e t r a n s f e r.
T he UC C at tempt s to ba l a nc e t he c ompet ing interests of t he ba n k s t hat prov ide
f u nd t ra nsfer ser v ices , a nd t he commercia l
a nd f i na nc i a l orga n i z at ion s t hat u se t he
ser v ices. Pa r t of t he ba la nci ng ac t relates
to t he r isk t hat a t h i rd pa r t y w i l l stea l a
c u stomer’s ident it y a nd issue a f raudu lent
pay ment order to t he ba n k . Genera l ly, t he
ba n k bea rs t h is r isk . There is, however, a
per t inent except ion:
www.communitybankers-wa.org
by the bank in compliance with the security
procedure chosen by the customer.” [Emphasis
added.] RCW 62A.4A-202(c).
In selecting security procedures it offers
customers, a bank shou ld consider factors
like customers’ anticipated issuance of pay­
ment orders, the complexity of the security
procedures, and what proven security proce­
dures are used by similarly situated banks and
customers. Id. It may not be reasonable for
a customer that infrequently submits modest
payment orders to have the same security pro­
cedures as a customer that transfers millions
of dollars daily. Similarly, small banks may
find it difficult to conduct manual approval of
large volume customers.
The exception was tested last year in a
case involving a fraudulent wire transfer re­
sulting from a breach of established security
measures for transfers. The Eighth Circuit
Court of Appeals, in Choice Escrow & Land
Title v. BancorpSouth Bank (2014 U.S. App.
LEXIS 10817), shifted liability from the bank
to the customer for funds fraudulently wired
SPRING 2015
The exception was tested last year in a case involving a fraudulent wire transfer resulting from a breach of established security measures for transfers. f rom t he c ustomer’s accou nt because t he
bank showed: (1) it had an agreement with
the customer regarding security procedures,
(2) its security procedures were commercially
reasonable, and (3) it accepted the payment or­
der in compliance with the customer’s written
instructions. Washington state is in the Ninth
Circuit, which means the Choice Escrow case
is not binding, but is very instructive on how
to benefit from the UCC exception.
The Fac t s : Choice Escrow & La nd Tit le,
LLC (“Choice”) maintained a trust account
at BancorpSouth Bank (the “Bank ”) to wire
funds to sellers upon the closing of real estate
transactions. Bank offered its customers the
following security procedures:
1. Assigning unique passwords and IDs;
2. I mplem ent i ng a n a ut h ent ic at i on
system to verif y the IP address of the
computer from which the customer
accesses its accounts is registered on
the Bank ’s system;
3. Placing dollar limits on the volume
of daily wire transfers from customer
accounts; and/or
4. A llow ing customers to require two
aut hor i z e d u s ers to approve e a c h
transfer.
The first two procedures were part of the
Bank ’s wire procedures, and transfers could
not be sent without them. The third and
four t h secur it y procedures were optiona l.
Choice provided a written waiver declining to
participate in the optional security measures.
T here a f ter, one of C hoic e’s u nd er w r iters
warned Choice of email phishing scams that
permit third parties to access accounts. After
discussing the threat of phishing emails with
the Bank, Choice again provided a written
waiver of the optional security procedures.
Thereafter, one of Choice’s employees down­
loaded a v ir u s t hat replic ated Choice’s IP
add ress, password a nd ID, render i ng t he
authentication systems at the Bank ineffective
and resulting in the fraudulent wire transfer of
$440,000 to an international account. Choice
sued the Ban k to recover t he fraudu lent ly
transferred amount.
The Trial Decision: The trial court, the U.S.
District Court for the District of Missouri,
held t hat: 1) t he Ba nk ’s security measures
were commercially reasonable; 2) the Bank
executed the transfer in accordance with all
then-current applicable state and federal stat­
utes and the guidelines issued by the Federal
Financial Institutions Examination Council
(FFIEC); 3) the Bank executed the transfer in
good faith; and, 4) the Bank followed Choice’s
written orders.
The Appellate Decision: The Court of Ap­
peals upheld the ruling in favor of the Bank
that, as a matter of law, Choice’s written waiver
of pa r t icipat ion i n t he Ba n k ’s heig htened
securit y measures for wire transfers made
Choice wholly liable for the amount of the
fraudulently transferred funds.
The Court’s rationale was that the Bank
of fered fou r secur it y procedu res t hat t he
Court found to be commercially reasonable.
The computer v irus t hat infected Choice’s
computer permitted the scammers to by pass
Choice’s on ly defenses a ga i nst at tack, t he
u nique pa ssword , a nd I D a nd I P add ress.
Had Choice accepted t he optiona l security
procedures, the transfer could not have been
completed.
Ensure the Protections of Article 4A Apply
to Wire Transfer Arrangements: The Choice
Escrow ruling is a reminder that implemen­
tation of “commercially reasonable” security
policies and procedures in dealing with wire
transfers is essential to comply with the law.
With increasing hacking, phishing and other
threats, now is a good time to revisit this is­
sue and your fund transfer agreement (FTA).
Remember to update your FTA’s as the bank
implements new or revised — and, of course,
commercially reasonable — security proce­
dures to combat new security threats.
As noted in t he Choice opinion, Article
4A provides incentive for you to verify that
you have policies and procedures, and that
you: 1) identif y your security procedures in
a way that is clearly disclosed to customers; 2)
document each customer’s knowledge of and
agreement to your security procedures; and
3) require each customer to provide written
waiver of any optiona l security procedures
it declines to use. You should know and stay
aware of updated FFIEC guidelines applicable
to your institution — changes may require
you to revise your security procedures in ac­
cordance with them.
Although this article cannot address all
relevant case law, statutes and scenarios, it
identifies some core UCC Article 4A issues
that can shield you from liability for fraudu­
lent wire transfers. It is essential that you con­
sult an attorney or security expert to ensure
your security procedures keep pace with the
threats.
Jane E. Brown is Counsel to the
Fir m at L ane Powell, w he re s h e
focuses her practice on representing
clients in civil litigation, representing
l oc a l g ov e r n men t s and p r i vat e
client s from intake through trial.
Brown strategically supervises legal
projects and case matters with an
emphasis in civil litigation, probate,
qui tam defense, premises liability
and Deceptive Trade Practices Act
claims. She can be reached at brownje@lanepowell.
com or 206.223.7126.
7