Big or small, all bank accounts are susceptible to hijacking and fraudulent wire transfers. Banks ordinarily bear the risk of loss for unauthorized wire transfers. Two independent frameworks exist to govern these transfers: the Electronic Fund Transfer Act (“EFTA”) for consumer accounts, and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts.

While the EFTA ordinarily shields consumers from most unauthorized charges as long as they give their bank timely notice, UCC §4A-202 shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and (2) the bank accepted the payment order in good faith and in compliance with that security procedure and with any written agreement or instruction of the customer.

Whether a security procedure is commercially reasonable is a question of law, and courts will consider several factors, including:

  • Customer instructions expressed to the bank
  • The bank’s understanding of the customer’s situation, including the size, type, and frequency of payment orders ordinarily issued
  • Alternative security procedures offered to the customer
  • Security procedures in general use by similarly situated banks and customers.

In addition, a security procedure is deemed commercially reasonable if the customer chose it after refusing a procedure that the bank offered and that was commercially reasonable for the customer’s needs, and the customer expressly agreed in writing to be bound by payment orders issued in compliance with the procedure it chose.

Given the flexibility built into the UCC, judicial scrutiny of bank security procedures has led to divergent outcomes. Some of the leading cases include the following:

  • Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014): The Eighth Circuit affirmed the district court’s finding that the customer bore the risk of loss after a Choice Escrow employee fell victim to a phishing attack, the employee’s computer was infected with malware, and the attackers used the stolen credentials to issue a fraudulent wire transfer from the account.

The Eighth Circuit found the bank’s security procedures adequate, noting that they complied with the Federal Financial Institutions Examination Council (FFIEC) guidance and that the bank had adapted its security measures to the shifting tactics of cyber-criminals. The court rejected Choice Escrow’s argument that a human needed to manually review each wire transaction. Ultimately, the Eighth Circuit characterized the case as one of an informed customer refusing a commercially reasonable security procedure, namely “dual control,” under which two independent authorized users must separately approve a wire request. The court held that a customer who refuses such a procedure assumes the risk that the remaining procedures will fail.

  • Patco Const. Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012): The First Circuit reversed the trial court’s grant of summary judgment to People’s United Bank, holding that the bank’s security procedures were not commercially reasonable and remanding for further proceedings, including on whether Patco’s own conduct bore on the allocation of loss. In this case, the attackers installed malware that captured Patco’s authentication credentials, then used those credentials to correctly answer the bank’s security questions, after which People’s United Bank processed six fraudulent transfers from Patco’s account.

The First Circuit found that the bank’s decision to lower the dollar threshold that triggered the additional security questions to $1 increased the exposure to keystroke loggers, because users now had to type the answers on nearly every transaction. Moreover, even after the bank’s own risk-scoring controls flagged each of the transactions as “high risk” because they were “entirely uncharacteristic” of Patco’s ordinary activity, the bank neither monitored the transfers nor notified the customer. Ultimately, the court concluded that it could not deem the bank’s security procedures commercially reasonable when these collective failures could easily have been remedied.

  • Experi-Metal, Inc. v. Comerica Bank, Case No. 09-14890, 2011 WL 2433383 (E.D. Mich. June 13, 2011): In this unpublished decision, the trial court found that Comerica had not acted in good faith, that is, in observance of reasonable commercial standards of fair dealing, in processing fraudulent wire transfers from Experi-Metal’s accounts. An Experi-Metal employee fell victim to a phishing email and gave his user log-in, password, and secure-token credentials to the attacker. Over the course of several hours, 93 fraudulent wires totaling $1.9 million were executed. The bank began investigating only after a receiving bank alerted Comerica to suspicious transactions benefiting accounts in Moscow.

Following a bench trial, the court found that Comerica had failed to carry its burden, noting (1) the volume and frequency of the wire transfers, including overdrafts totaling $5 million from an account that was normally empty; (2) the limited prior wire activity on Experi-Metal’s accounts; (3) the Russian destinations of the funds; and (4) Comerica’s knowledge of current and prior phishing attempts. Ultimately, the court found that a bank dealing fairly with its customer “would have detected and/or stopped the fraudulent wire activity earlier.”

With attackers persistently seeking unauthorized access to bank accounts, it is foreseeable that banks will contest the allocation of loss with increasing regularity. Given that even the most sophisticated security procedures have inherent weaknesses, banks may seek to stop absorbing losses that greater customer care could have prevented. The current state of the law leaves open many questions about how much security banks are expected to provide, while signaling that customers may be liable for wire fraud where they refuse to adequately protect against unauthorized access.