Pub. 4 2014 Issue 4

FALL 2014

1 2014 WL 2598764 (th Cir. June 11, 2014).
2 Miss. Code. Ann. § 75-4A-202(b).
3 Miss. Code. Ann. § 75-4A-201.
4 Miss. Code. Ann. § 75-4A-202(c).
5 https://www.ffiec.gov/pdf/authentication-guidance.pdf
6 Miss. Code. Ann. § 75-4A-202.

parties agree upon. 4 If a fraudulent payment order is acted upon under those circumstances, the risk of loss is with the customer.

Taking into account the bank’s offer of password protection, daily transfer limits, PassMark, and dual control, the court ruled that the bank’s security procedures were commercially reasonable. In making that determination, it said the standard is not what the best available procedure is, but rather, whether the procedure was reasonable for a particular customer and bank.

The court expressly rejected Choice’s assertion that a commercially reasonable security procedure had to include a manual review by a human being of every payment order submitted to the bank. The court said: “This attempt to graft a rigid, foreign standard onto the commercial reasonableness inquiry is at odds with essentially all of Article 4A, and we reject it”. This conclusion was backed by testimony from the bank’s Senior Vice President that the bank sends tens of thousands of wire transfers on behalf of its 400,000 customers and that it was impractical to expect that each and every one of them would be manually reviewed.

In determining that the bank was not required to do a manual review of each payment order, the court cited a 2005 Report of the Federal Financial Institutions Examination Council (“FFIEC”) that provided guidance on standards of commercial reasonableness. 5 The 2005 Guidance called for a bank to use at least two factors to protect against fraud. BancorpSouth satisfied this requirement by employing multifactor authentication, i.e., to access InView, a bank customer had to enter the correct password and use a recognized computer.
Nevertheless, the court recognized that what was satisfactory in 2005 would not necessarily deter cybercriminals in the current environment. The court said the bank had responded to new threats by offering dual control that could dramatically reduce the possibility of a security breach. In the view of the court, the bank’s security procedures were consistent with those in general use by customers and banks that were similarly situated.

That was not the end of the story. It was necessary for the court to determine whether the bank’s security procedures were suitable for Choice given “. . . the wishes of the customer expressed to the bank” and “the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank.” 6 The court rejected the notion that the above-quoted statutory language mandated that a bank must use a different security procedure for each customer, saying: “If a bank develops a single effective and versatile security procedure, it is not commercially unreasonable for the bank to use that security procedure for the majority of its customers and depart from the procedure only when necessary.”

The court expressed no doubt whatever that the bank’s security procedures were commercially reasonable. Choice knew dual control was a reasonable safeguard against Internet fraud but elected to assume the risks of a lesser procedure.

There was one more hurdle the bank had to jump over before it absolved itself of liability – it had to establish it accepted the payment order in good faith and that it did not violate Choice’s written instructions. The court said: “. . . to establish that it acted in good faith, BancorpSouth must establish that its employees accepted and executed the March 17 payment order in a way that comported with Choice’s reasonable expectations, as established by commercial standards of fair dealing.” The court noted that the bank had met that burden.
The March 17 payment order was, in the view of the court, not so unusual that it should have attracted attention. The bank offered testimony that the March 17 payment was not the largest one Choice had ever submitted and that Choice’s payment orders followed no general pattern, varying in size from a few thousand dollars to a few hundred thousand dollars. It was true, however, that the memo line of the March 17 payment order contained the words “invoice: equipment” and that this was inconsistent with Choice’s business as a real estate escrow company. But the court did not feel that the two-word description was so suspicious that the bank had not acted in good faith in failing to notice it.

Finally, the court ruled that the bank had accepted the March 17 payment order in compliance with Choice’s instructions, finding no credible evidence to the contrary.

What’s the point?

The decision makes the following points about Article 4A:

1. Article 4A initially places the burden of an error on the transmitting bank.
2. But a transmitting bank may transfer the risk of loss due to a fraudulent payment order if:
   a. the bank’s security procedures are commercially reasonable (but commercially reasonable security procedures do not call for manual inspection of each payment);
   b. the bank offers security procedures (such as dual control) that are more stringent than multifactor authentication but the customer rejects the extra protection; and
   c. the bank accepts the payment order in good faith and in accordance with what it believed were the customer’s directions.
