Pub. 4 2014 Issue 4

www.azbankers.org

Bank Can Transfer Liability For Fraudulent Payment Orders To Its Customer

By MICHAEL L. WEISSMAN

In a recent 8th Circuit decision,1 the court considered whether a bank’s security procedures for wire transfers were commercially reasonable and whether the bank could transfer liability for a fraudulent payment order to its customer.

Plaintiff Choice Escrow and Land Title LLC provided real estate escrow services. Parties involved in a real estate transfer would designate it to hold money for them in safekeeping in anticipation of a closing. Choice selected a bank to be its depository institution and to make wire transfers pursuant to Choice’s payment orders.

In an effort to avoid the risk of a fraudulent payment order, the bank provided Choice with four protective measures. These were designed to ensure that only Choice’s employees would have access to its deposit account.

First, the bank required each Choice employee designated to issue payment orders to have a unique user ID and password, a system called InView.

Second, the bank used device authentication software called PassMark that, on first use, recorded information about the computer being employed. If a subsequent user tried to access InView using his user ID and password, PassMark had to verify that the characteristics of the computer being employed were consistent with the previously recorded information about the employee’s computer. PassMark had to verify that the InView user accessing InView was using a recognized computer.

Third, the bank permitted its customers to place dollar limits on the daily volume of wire transfer activity through their accounts. Choice declined this option.

Fourth, the bank offered a system of dual control. Under this system, when an InView user submitted a payment order, it did not immediately go to the bank. Instead, a “pending” payment order was created. To actually transmit the payment order, a second authorized user, using a unique user ID and password, would have to log into InView and approve the pending payment order. If a customer decided not to utilize dual control, it was required to sign a waiver. Choice signed a waiver.

Based on the foregoing, Choice’s account at the bank was only protected by (a) the user IDs and passwords of its employees and (b) PassMark. Choice authorized two of its employees to use InView.

Sometime after November 2009, a Choice employee fell victim to a phishing attack in which an unscrupulous person tricks an Internet user into downloading a virus, uses that virus to collect the victim’s user ID and password, and then uses that information to issue a fraudulent payment order transferring funds to overseas banks.

On March 17, 2010, a third party gained access to Choice’s bank account and issued a payment order to the bank directing the transfer of $440,000 to a bank in the Republic of Cyprus. The payment order was executed. That led to a lawsuit by Choice against the bank.

After a careful examination of Article 4A of the Mississippi Uniform Commercial Code, the court concluded that the bank had successfully transferred the risk of loss to Choice. The court pointed out that a bank may transfer the risk of loss due to a fraudulent payment order if: (1) the customer is bound by the payment order under agency law, or (2) the bank and customer agree to a security procedure that is commercially reasonable and the bank establishes that it accepted the payment order in good faith and in compliance with an agreed-upon security procedure.2

Since Choice conceded that the bank complied with the security procedure in accepting and acting upon the March 17 payment order, the only issues were: first, whether the bank’s security procedures were commercially reasonable; second, whether the payment order was accepted in good faith; and third, whether the bank accepted the payment order in compliance with Choice’s written instructions.

When it reviewed the bank’s security procedures, the court found them to be commercially reasonable. To be a “security procedure,” the arrangement must have been established by agreement between a customer and a receiving bank.3 There is, however, an exception to the “established by agreement” requirement. That is, if the bank offers its customer a security procedure that is commercially reasonable and the customer refuses to use that procedure but agrees in writing to be bound by another procedure that the
