According to a May 2017 Public Service Announcement by the Federal Bureau of Investigation (“FBI”), cyber-initiated wire fraud is not just on the rise—it is exploding.  Data collected by the Internet Crime Complaint Center (“IC3”) reflects a 2,370% increase in reported fraud losses between January 2015 and December 2016.  Between October 2013 and December 2016 there were 22,292 reported cases of fraud by domestic victims.  The aggregate loss was $1.6 billion.  Victims of this type of fraud include individuals and businesses of all sizes and across all industries.  IC3 data includes fraud that is occurring in all 50 states and 131 countries.  Suffice it to say, cyber-initiate wire fraud is a real and immediate threat to financial institutions and their customers.

Although the perpetrators of cyber-initiated wire fraud employ an arsenal of tools that are constantly evolving, the schemes generally fall into one of two categories.  One type of fraud involves the use of phishing, social engineering, malware and/or hacking to gain access to the victim’s online bank account in order to directly initiate an unauthorized wire transfer with the victim’s financial institution.  The second type of fraud involves the use of email, sent to the victim by the fraudster from a spoofed or hacked account, containing wire instructions with erroneous account information.  For the purposes of this article, wire transfers resulting from the first category of fraud will be referred to as “unauthorized”.  Transfers resulting from the second will be referred to as “authorized”.

With the dramatic rise in cyber-initiated wire fraud, financial institutions will inevitably be confronted with pre-litigation demands and lawsuits from customers relating to authorized and unauthorized transfers.  The focus of this article is on providing an overview of the legal framework applicable to claims brought against financial institutions by customers relating to unauthorized wire transfers.  Further, this article will examine some of the tools financial institutions have made available to combat cyber-initiated wire fraud and how those tools fit within the legal framework.

The Legal Framework: Uniform Commercial Code Article 4A.  Article 4A (also known as Division 11) of the Uniform Commercial Code (“UCC”) sets forth a carefully chosen set of rules that allocate the risk of loss among the participants in “funds transfers” involving “payment orders” (e.g. wire transfers).  The Official Comments to Article 4A reflect that the rules governing wire transfers were written on a “clean slate” using “precise and detailed rules” in order to balance the “competing interests[] of the banks that provide funds transfer services and the commercial and financial organizations that use the services.”  Cal. U. Com. Code § 11102, Official CMT.  The rules described under Article 4A are “intended to be the exclusive means of determining the rights, duties, and liabilities of the affected parties.”  Id.

Under the framework of Article 4A, a “receiving bank” (the bank that receives wire instructions from a sender) ordinarily bears the risk of loss of any unauthorized transfer.  However, the risk of loss is shifted to the customer under two independent circumstances.

First, under UCC Section 11202(a), the customer will bear the loss when the “payment order received … is the authorized order of the person identified as sender if that person authorized the order or is otherwise bound by it under the law of agency.”  Stated differently, if the financial institution received wire instructions from an authorized agent of its customer, then the customer will bear any resulting loss from any wire transfer.  The liability analysis under UCC Section 11202(a) is straightforward: if the individual who provided the wire instructions to the financial institution was authorized to do so—either expressly or under agency law—then the financial institution’s customer will bear any loss that occurs from the transfer.

Second, the customer may bear the loss of any fraudulent wire transfer if under UCC Section 11202(b) the financial institution and its customer have agreed to security procedures designed to protect against the risk of fraud.  Analysis under Section 11202(b) involves two-steps.  First, the financial institution must prove that the agreed upon security procedures are “a commercially reasonable method of providing security against unauthorized payment orders.”  Whether a particular security procedure is commercially reasonable “is a question of law to be determined by considering” the customer’s stated expectations, the customer’s known needs, alternative security procedures offered, and security procedures used by similarly situated banks and customers.  Cal. U. Com. Code § 11202(c).  Second, the financial institution must “prove[] that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”  Cal. U. Com. Code § 11202(b).

In performing the two-step analysis under UCC Section 11202, it is important to keep in mind that “security procedure” is a term of art specifically defined by Article 4A as “a procedure established by agreement of a customer and a receiving bank for the purpose of … verifying that a payment order or communication amending or canceling a payment order is that of the customer.”  Cal. U. Com. Code § 11201.  So security procedures must be agreed to by the financial institution and the customer.  And their purpose, put most simply, is to make sure that the person providing the wire instructions is the bank’s customer and not an imposter.

It should go without saying that the use of a log-in ID and password alone will not be deemed commercially reasonable in most cases.  There are a number of additional security procedures that financial institutions have made available to their customers for the purpose of preventing unauthorized transfers.  And while not dispositive of the “commercially reasonable” inquiry, the availability of the following procedures weigh heavily in favor of the financial institution.

Tokens.  A token is a physical device that is used to authenticate the person initiating a transaction.  A common example of a token is a key fob that generates a unique numeric authentication code at fixed intervals of time.  The use of tokens satisfies one prong of a “multi-factor” authentication process—“[t]he process of using two or more factors to achieve authentication.  Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).”  See https://ithandbook.ffiec.gov/it-booklets/information-security/appendix-b-glossary.aspx.

Tokens (or the lack thereof) played an important role in Patco Const. Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012).  In Patco, the court of appeals reversed a summary judgment order in favor of the defendant-bank, finding that the bank’s security procedures were not commercially reasonable.  In particular, the court faulted the bank’s failure to offer a hardware-based token to its customer.  Although the opinion does not describe in detail the evidence presented by the parties on this issue, the court concluded that by 2009 most “internet banking security had largely moved to hardware-based tokens and other means of generating ‘one-time’ passwords.”  Patco, 684 F.3d at 212.  Therefore, because tokens were “in general use by … receiving banks similarly situated,” the defendant bank’s security procedures fell below what was commercially reasonable.  See Cal. U. Com. Code § 11202(c).

Although the use of tokens (or at least the offering of tokens to customers) may not be sufficient to determine that a financial institution’s security procedures are commercially reasonable, tokens are an important factor for the fact finder to consider.

Dual Control.  “Dual control” is a security procedure whereby one person initiates a wire and another person is required to approve it.  Like tokens, the availability of “dual control” weighs heavily in favor of a finding that a financial institution’s security procedures are commercially reasonable.  In Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the court of appeal agreed with the trial court that “dual control” is a commercially reasonable security procedure.  Id. at 622.  The court succinctly described the advantage of a “dual control” security feature: “[w]ith dual control in place, a customer’s account remains secure even if a third party manages to obtain an employee’s password and IP address; to issue a payment order, that third party would have to obtain a second, wholly independent set of identifying information.”  Choice Escrow, 754 F.3d at 620.  Of course, it is not enough to simply recommend that customers establish internal levels of authority for requesting and approving wire transfers.  As the trial court in Texas Brand Bank v. Luna & Luna, LLP, 2016 WL 3660579 (N.D. Tex. Jan. 29, 2016) explained, “a recommendation [that the customer establishes two levels of authority to request and transmit monetary transfers] does not automatically yield an offer.”  Id. at *3.

In the Choice Escrow case, the bank did not simply recommend that the customer create two levels of control—it offered a specific “dual control” security feature.  Although the customer declined to implement the bank’s “dual control” procedure, that did not result in an adverse finding against the financial institution.  Rather, the court’s 11202 analysis focused on the fact that the bank offered the “dual control” procedure to its customer, that the customer was advised that “dual control” provided a safeguard against fraud, and that the customer thereby assumed the risk of declining the security procedure.

As with tokens, the availability of a “dual control” security feature may not be sufficient to conclude that a financial institution’s security procedures are commercially reasonable.  But making such a procedure available to customers—even if customers decline this additional layer of security—will certainly weigh in favor of the institution in the eyes of the fact finder.

Internal Security Procedures, Fraud Monitoring, and Risk Scoring.  While tokens and “dual control” are relevant to the “commercially reasonable” analysis of a financial institution’s security procedures under Section 11202(c), there is a good argument to be made that the bank’s internal risk scoring processes should be excluded from that analysis.  As discussed above, “security procedure” has a very specific definition—it must be “established by agreement of a customer and [the] bank.”  Proprietary processes that are not expressly incorporated into the agreement with a customer do not fit within Article 4A’s precise definition.  This interpretation of the limited scope of the definition of “security procedure” is supported by the Official Comments to UCC Section 11201.  “The term does not apply to procedures that the receiving bank may follow unilaterally in processing payment orders.”  Cal. U. Com. Code § 11201, Official CMT.  This argument was accepted by the court of appeal in Skyline Intern. Development v. Citibank, 302 Ill. App. 3d 79.  The court held that “the violation of this internal procedure was not a violation of a security procedure since the bank and its customer had not agreed that the authorization of wire transfers would be verified pursuant to Citibank’s security procedures.”  302 Ill. App. 3d at 84-85.

In Experi-Metal, Inc. v. Comerica Bank, 2011 WL 2433383 (E.D. Mich. June 13, 2011), a phishing scheme resulted in more than 90 fraudulent wires.  At trial, the defrauded bank customer argued that the defendant bank “failed to meet industry or commercial standards” because it did not employ “fraud scoring and fraud screening.”  2011 WL 2433383, at *12.  The trial court rejected this argument, finding that the plaintiff failed to prove that “a bank had to provide fraud monitoring with respect to its commercial customers to comport with ‘reasonable commercial standards of fair dealing.’”  Id.  The court’s conclusion, however, was based on deficiencies in the testimony of plaintiff’s expert witness rather than any interpretation of the definition of “security procedure” under Section 11201.

Lastly, the Choice Escrow court rejected the customer’s argument that a commercially reasonable security procedure requires “transactional analysis” of “the size, type, and frequency” of wire transfers processed by the bank.  Choice Escrow, 754 F.3d at 619.  However, the scope of the court’s holding may be somewhat limited by the fact that the “transactional analysis” the customer was advocating for was a manual review by a human being—something the court rejected as being impractical.

Conclusion.  Cyber-initiated wire fraud presents a growing, undeniable threat.  Financial institutions will face claims from customers over unauthorized wires initiated by third-parties.  To be prepared to defend against these inevitable claims, it is essential for financial institutions to understand the legal framework on which those claims will be analyzed.  The Uniform Commercial Code requires that security procedures be “commercially reasonable.”  What is commercially reasonable is not determined by a fixed checklist, but rather by reference to “banks similarly situated.”  Cases like Patco and Choice Escrow help to provide guidance on what security features have been deemed commercially reasonable.

For more information regarding wire fraud and the legal framework relating to such claims, please contact Mark I. Wraight at miw@severson.com or 415-677-5630.

© 2018, Severson & Werson. All rights reserved.