The Fidelity Law Journal · Armen Shahinian, Wolff & Samson PC ... Owen, LLC in Vienna Virginia....

The Fidelity Law Journal published by The Fidelity Law Association Volume XIX, November 2013 Editor-in-Chief Michael Keeley Associate Editors Jeremy T. Brown Adam P. Friedman Jeffrey S. Price Scott L. Schmookler Cite as XIX Fid. L.J. ___ (2013)


WWW.FIDELITYLAW.ORG


THE FIDELITY LAW ASSOCIATION

President Michael Retelle, CUMIS

Vice President Vacant

Secretary Dolores Parr, Zurich

Treasurer Robert Olausen, Insurance Services Office, Inc.

Executive Committee Timothy Markey, CNA Tracey Santor, Travelers Mark Struthers, CUMIS

Michael V. Branley, The Hartford

Advisors Michael Davisson, Sedgwick, Detert, Moran & Arnold CharCretia V. Di Bartolo, Hinshaw & Culbertson LLP

Advisors Emeritus Samuel J. Arena, Jr., Stradley, Ronon, Stevens & Young, LLP

Bernard L. Balkin, Gilliland & Hayes, PC Robert Briganti, Belle Mead Claims Service, Inc.

Michael Keeley, Strasburger & Price, LLP Harvey C. Koch, Montgomery Barnett, LLP

Armen Shahinian, Wolff & Samson PC

The Fidelity Law Journal is published annually. Additional copies may be purchased by writing to: The Fidelity Law Association, c/o Wolff & Samson PC, One Boland Drive, West Orange, New Jersey 07052. The opinions and views expressed in the articles in this Journal are solely of the authors and do not necessarily reflect the views of the Fidelity Law Association or its members, nor of the authors’ firms or companies. Publication should not be deemed an endorsement by the Fidelity Law Association or its members, or the authors’ firms or companies, of any views or positions contained herein. The articles herein are for general informational purposes only. None of the information in the articles constitutes legal advice, nor is it intended to create any attorney-client relationship between the reader and any of the authors. The reader should not act or rely upon the information in this Journal concerning the meaning, interpretation, or effect of any particular contractual language or the resolution of any particular demand, claim, or suit without seeking the advice of your own attorney.

The information in this Journal does not amend, or otherwise affect, the terms, conditions or coverages of any insurance policy or bond issued by any of the authors’ companies or any other insurance company. The information in this Journal is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends upon the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.

Copyright © 2013 Fidelity Law Association. All rights reserved. Printed in the USA. For additional information concerning the Fidelity Law Association or the Journal, please visit our website at http://www.fidelitylaw.org.

Information which is copyrighted by and proprietary to Insurance Services Office, Inc. (“ISO Material”) is included in this publication. Use of the ISO Material is limited to ISO Participating Insurers and their Authorized Representatives. Use by ISO Participating Insurers is limited to use in those jurisdictions for which the insurer has an appropriate participation with ISO. Use of the ISO Material by Authorized Representatives is limited to use solely on behalf of one or more ISO Participating Insurers.


Amy Owen is a founding member of Cochran & Owen, LLC in Vienna, Virginia. Roger Nettie is a Senior Risk Consultant with CUMIS Insurance Society in Madison, Wisconsin. Monica Handa is an associate with Cochran & Owen, LLC in Vienna, Virginia.

FUNDS TRANSFER AND FINANCIAL INSTITUTION BONDS

Amy Sanborn Owen

Roger Nettie

Monica Handa

I. INTRODUCTION

As the banking industry increases the number of vehicles to exchange funds, fidelity insurers may be called upon to insure growing risks from funds transfers. This article reviews how funds transfer losses occur and how they may impact coverage under financial institution bonds. The review focuses on losses to both consumer and commercial bank accounts as a result of fraudulent telephone, fax and electronic funds transfers. This article works through the analysis using two different loss scenarios and the current landscape of legal precedent addressing funds transfer losses. It then recommends best practices for avoiding losses and reviews the practical ramifications of a funds transfer loss in light of typical financial institution bond coverage.

A. Fraud Scenario Involving Consumer Accounts

Sophisticated thieves monitor public databases for real estate transactions and mortgage filings. Focusing on people with million-dollar homes, they identify consumers who recently obtained a home equity line of credit1. After locating a potential victim, the thieves build a profile of information about the victim (including the identity of his/her financial information, his/her credit history, and his/her family history) and use technology to copy the victim’s signature from the publicly filed mortgage.

1 Hereinafter HELOC.

Armed with this information and posing as the victim, the thieves contact the victim’s financial institution and convince it to transfer the available HELOC balance to a checking account. Upon receipt of the funds, the thieves wire transfer the stolen funds to a foreign financial institution. Such wire transfer can be initiated entirely by phone, followed by a faxed wire transfer request containing a copy of the victim’s signature.

Telephone verifications are ineffective because the thieves can, by imitating the victim, change the victim’s phone number or, in recent cases, have the victim’s telephone calls forwarded to a cellphone they control. Financial institutions calling back a legitimate phone number do not realize that the calls have been forwarded to the scammer’s phone.

B. Fraud Scenario Involving Commercial Accounts

An example of fraud on a commercial account involves a financial institution processing payroll files. The customer is provided with online banking access, which they use to submit the biweekly payroll file. The file contains the destination accounts of the individual payees, along with payroll amounts, and is submitted through the automated clearing house2 network.

The customer’s payroll clerk uses her computer to check emails, and clicks on a link in an email sent to her by a friend. Unbeknownst to her, the link installs malware on her computer, which tracks the websites she visits and captures key strokes of information typed on those websites. When she emails the next payroll file to the financial institution, the malware captures her ID, password, and answers to challenge questions used to log into the financial institution’s site. The fraudster creates his own version of a payroll file, using destination accounts of money mules that were recruited to help transfer the funds, and submits a $700,000 payroll file to the financial institution.

2 Hereinafter ACH.


C. Financial Institution Bond Coverage

These frauds succeed because the thieves transfer the stolen funds as soon as the transfer is complete, with only the financial institution and its customer left to determine who should bear the loss. When a financial institution bears the loss in a fraudulent funds transfer transaction, it may be able to file an insurance claim if it complied with the terms of the financial institution bond. There are two common areas of coverage for fraudulent funds transfers, depending on how the transfers occurred and what type of customer account was involved.

Most fraud on consumer accounts occurs through requests received by telephone, fax, or email. In those instances, an insured may attempt to pursue a claim within the Fraudulent Transfer Instructions insuring agreement or a voice initiated or telefacsimile transfer insuring agreement. These coverages, however, impose security requirements as a condition of coverage (such as callback procedures or written funds transfer agreements between the financial institution and its customer).

Fraud on commercial accounts generally involves unauthorized transactions that are entered directly into, and processed automatically through, online banking systems. Faced with a loss, an insured may seek coverage under its computer crime policy. The conditions of coverage and imposition of security procedures vary from policy to policy.

II. FUNDS TRANSFERS AND THE UCC

Promulgated in 1989, Article 4A of the Uniform Commercial Code3 governs the relationships between financial institutions and their customers with respect to electronic funds transfers—and explains who is liable for loss arising from fraudulent funds transfers.4

3 Hereinafter UCC.

4 Patco Constr. Co., Inc. v. People’s United Bank, 684 F.3d 197, 207 (1st Cir. 2012); Paul S. Turner, The UCC Drafting Process and Six Questions About Article 4A: Is There a Need for Revisions to the Uniform Funds Transfers Law?, 28 LOY. L.A. L. REV. 351, 351 (1994). Electronic consumer payments, such as point-of-sale debit card transactions, are governed instead by the Electronic Fund Transfer Act (EFTA). Patco, 684 F.3d at 207 n.7. As the name implies, EFTA only applies to electronic transfers, not to personal presentation of a fraudulent written draft. Vigneri v. U.S. Bank Nat’l Ass’n., 437 F. Supp. 2d 1063 (D. Neb. 2006). The two statutes are mutually exclusive. U.C.C. § 4A-108; Patco, 684 F.3d at 207 n.7. “The drafters of Article 4A felt that a separate framework, apart from the more consumer-focused EFTA, was needed to cover electronic transfers between commercial institutions because of the sheer volume and magnitude of such transfers.” Patco, 684 F.3d at 207 n.7. This paper does not address consumer losses in detail, nor does it reach the new foreign consumer remittance transfer rules issued by the Consumer Finance Protection Board amending Regulation E of the EFTA which go into effect on October 28, 2013.

A. What Is a Funds Transfer?

A “funds transfer” refers to a “series of transactions, beginning with the originator’s payment order, made for the purpose of making payment to the beneficiary of the order.”5 Colloquially known as a “wire transfer,” these transfers “involve a series of events that begins when a ‘sender’ . . . gives an instruction to pay a beneficiary to a ‘receiving bank.’ . . . The receiving bank then transmits the instruction to the beneficiary’s bank. The beneficiary bank credits the beneficiary’s account, and the receiving bank is reimbursed by debiting the sender’s account or otherwise receiving payment from the sender.”6 Financial institutions regularly process wire transfers, and such transfers are governed by Article 4A of the UCC.7

B. Funds Transfers under Section 4A of the UCC

Entitled “Funds Transfer,” Section 4A of the UCC defines the standards of conduct for all parties to a funds transfer. “The rules . . . are transactional, aimed essentially at resolving conflicts created by erroneous instruction or execution of payment orders . . . A major objective is to reduce and control risks that arise in payment systems by defining when and how rights and obligations are incurred and discharged.”8

5 VA. CODE ANN. § 8.4A-104(a) (West 2013).

6 Grabowski v. Bank of Boston, 997 F. Supp. 111, 121 (D. Mass. 1997) (citing MASS. GEN. LAWS ch. 106, §§ 4A-103(a)(1)-(5) and 4A-103(a)(1)(ii)).

7 Id., at n.5.

The drafters of article 4A made ‘a deliberate decision . . . to write on a clean slate and to treat a funds transfer as a unique method of payment to be governed by unique rules that address the particular issues raised by this method of payment. A deliberate decision was also made to use precise and detailed rules to assign responsibility, define behavioral norms, allocate risks and establish limits on liability, rather than to rely on broadly stated, flexible principles. In the drafting of these rules, a critical consideration was that the various parties to funds transfers need to be able to predict risk with certainty, to insure against risk, to adjust operational and security procedures, and to price funds transfer services appropriately. This consideration is particularly important given the very large amounts of money that are involved in funds transfers.’ The drafters’ aim was to achieve national uniformity, speed, efficiency, certainty, and finality in the funds transfer system.9

There are three main categories of errors that occur in funds transfers. First, “[e]rrors may occur during the issuance and acceptance of the payment order—as when a payment order is made for the wrong amount, or identifies the wrong beneficiary, or . . . is untimely cancelled.”10 Second, “[e]rrors may also occur during the execution of the payment order by the receiving bank—as when the originator’s instructions are not followed, or the order is executed late, or is issued in an improper amount, or is not executed at all.”11 Third, “[e]rrors may also stem from payment issues—as in the obligation of the originator to pay the receiving bank, of the beneficiary’s bank to pay the beneficiary, and notification of payment and discharge of duties requirements.”12

8 Sheerbonnet, Ltd. v. American Exp. Bank, Ltd., 951 F. Supp. 403, 412 (S.D.N.Y. 1995).

9 Grabowski, 997 F. Supp. at 120 (internal citations omitted).

10 Sheerbonnet, 951 F. Supp. at 412.

11 Id.

Although all states have adopted Article 4A,13 several states have modified its terms or declined to adopt its revisions. These subtle differences have not yet resulted in obvious distinctions in the interpretation of Article 4A.14

12 Id.

13 ALA. CODE §§ 7-4A-101 to 7-4A-601 (2013); ALASKA STAT. §§ 45.14.101 to 45.14.507 (2013); ARIZ. REV. STAT. ANN. §§ 47-4A101 to 47-4A507 (2012); ARK. CODE ANN. §§ 4-4A-101 to 4-4A-507 (2012); CAL. COM. CODE §§ 11101 to 11507 (2013); COLO. REV. STAT. §§ 4-4.5-101 to 4-4.5-507 (2012); CONN. GEN. STAT. §§ 42a-4A-101 to 42a-4A-507 (2013); DEL. CODE ANN. tit. 6, §§ 4A-101 to 4A-507 (2013); D.C. CODE §§ 28:4A-101 to 28:4A-507 (2012); FLA. STAT. §§ 670.101 to 670.507 (2012); GA. CODE ANN. §§ 11-4A-101 to 11-4A-507 (2012); HAW. REV. STAT. §§ 490:4A-101 to 490:4A-507 (2013); IDAHO CODE ANN. §§ 28-4-601 to 28-4-638 (2012); 810 ILL. COMP. STAT. ANN. §§ 5/4A-101 to 5/4A-507 (2013); IND. CODE §§ 26-1-4.1-101 to 26-1-4.1-507 (2012); IOWA CODE §§ 554.12101 to 554.12507 (2013); KAN. STAT. ANN. §§ 84-4a-101 to 84-4a-507 (2012); KY. REV. STAT. ANN. §§ 355.4A-101 to 355.4A-507 (2012); LA. REV. STAT. ANN. §§ 10:4A-101 to 10:4a-507 (2012); 11 M.R.S. §§ 4-1101 to 4-1507 (2013); MD. COM. LAW CODE ANN. §§ 4A-101 to 4-A-507 (2012); MASS. GEN. LAWS ch. 106, §§ 4A-101 to 4A-507 (2013); MICH. COMP. LAWS SERV. §§ 440.4601 to 44.04957 (2013); MINN. STAT. § 336.4A-101 to 336.4A-507 (2013); MISS. CODE ANN. §§ 75-4A-101 to 75-4A-507 (2012); MO. REV. STAT. §§ 400.4A-101 to 400.4A-507 (2012); MONT. CODE ANN. §§ 30-4A-101 to 30-4A-507 (2012); NEB REV. STAT. (U.C.C.) §§ 4A-101 to 4A-507 (2012); NEV. REV. STAT. §§ 104A.4101 to 104A.4507 (2012); N.H. REV. STAT. ANN. §§ 382-A:4A-101 to 382-A:4A-507 (2013); N.J. STAT. ANN. §§ 12A:4A-101 to 12A:4A-507 (2013); N.M. STAT. §§ 55-4A-101 to 55-4A-507 (2012); N.Y. U.C.C. §§ 4-A-101 to 4-A-507 (2012); N.C. GEN. STAT. §§ 25-4A-101 to 25-4A-507 (2013); N.D. CENT. CODE §§ 41-04.1-01 to 41-04.1-38 (2013); OHIO REV. CODE ANN. §§ 1304.51 to 1304.85 (2013); OKL. ST. tit. 12A, §§ 4A-101 to 4A-507 (2012); OR. REV. STAT. §§ 74A.1010 to 74A.5070 (2011); 13 PA. CONS. STAT. §§ 4A101 to 4A507 (2012); R.I. GEN. LAWS §§ 6A-4.1-101 to 6A-4.1-507 (2012); S.C. CODE ANN. §§ 36-4A-101 to 36-4A-507 (2012); S.D. CODIFIED LAWS §§ 57A-4A-101 to 57A-4A-507 (2013); TENN. CODE ANN. §§ 47-4A-101 to 47-4A-507 (2012); TEX. BUS. & COM. CODE §§ 4A.101 to 4A.507 (2012); UTAH CODE ANN. §§ 70A-4a-101 to 70A-4a-507 (2012); 9A VT. STAT. ANN. §§ 4A-101 to 4A-507 (2012); VA. CODE ANN. §§ 8.4A-101 to 8.4A-507 (2013); WASH. REV. CODE ANN. §§ 62A.4A-101 to 62A.4A-507 (2012); W. VA. CODE §§ 46-4A-101 to 46-4A-507 (2012); WIS. STAT. §§ 410.101 to 410.507 (2012); WYO. STAT. ANN. §§ 34.1-4.A-101 to 34.1-4.A-507 (2012).

C. Common Law Claims Involving Funds Transfers

Although this article focuses on the treatment of fraudulent funds transfers under Article 4A, a financial institution or customer seeking to avoid shouldering a loss caused by an unauthorized wire transfer request is not limited to claims arising under Article 4A. Article 4A is “the exclusive means of determining the rights, duties and liabilities of the affected parties in any situation covered by particular provisions of the Article.”15 It “embodies an intent to restrain common law claims only to the extent that they create rights, duties, and liabilities inconsistent with Article 4A.”16 Therefore, courts have concluded that while Article 4A cannot “be side-stepped when convenient”, “where the provisions do not venture, the claimant need not turn back; he or she may seek other guides, statutory or judicial.”17 Therefore, “the critical inquiry is whether its provisions protect against the type of underlying injury or misconduct alleged in a claim.”18 If not, the common law applies.

III. COURT INTERPRETATION OF ARTICLE 4A WHEN FRAUDULENT TRANSFERS HAVE OCCURRED

While funds transfers are an accepted transfer mechanism and Article 4A has existed for decades, the law interpreting this article is still developing. The landscape of funds transfer law began to take shape in the late 1990’s after individual and business internet access became widespread. Although the more notable recent decisions involve anonymous international fraudsters, some cases address an alternative scheme involving account holders trusting fraudsters and providing confidential account and password information.

14 But see infra Section IV, Subsection D (discussing the definition of “good faith” under Article 4A). Because Article 4A no longer contains a definition of “good faith,” and because several states have deleted this definition, it is possible that courts addressing a financial institution’s obligation to act in good faith could reach divergent decisions.

15 Regions Bank v. Provident Bank, Inc., 345 F.3d 1267, 1274-75 (11th Cir. 2003) (quoting U.C.C. § 4A-102 cmt.) (emphasis in original).

16 Patco, 684 F.3d at 215.

17 Regions Bank, 345 F.3d at 1274-75 (quoting Sheerbonnet, 951 F. Supp. at 408).

18 Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 89-90 (2d Cir. 2010).

A. Grabowski v. Bank of Boston: Financial Institution Required to Identify Unusual Account Activity.

Regardless of which party effectuates the fraud, the terms of a financial institution’s security agreement(s) with its customer are a threshold question for the court when meting out liability in a funds transfer matter. Where no such agreement exists, the financial institution will bear the loss.

In Grabowski v. Bank of Boston,19 the depositors sued the Bank of Boston to recover funds that were withdrawn from the plaintiffs’ bank accounts via wire transfer. The party making the withdrawal, a defendant in the action, had been granted power of attorney over the accounts by each plaintiff under the guise of acting as the plaintiffs’ agent in a group investment. Using that power of attorney, the fraudster entered into security agreements with the bank on behalf of the plaintiffs; however, these security agreements were found invalid because Article 4A did not permit an agent to enter into a security agreement with a bank on behalf of a customer. The bank was therefore found liable for the unauthorized withdrawals because it had no valid security agreement with its customers, the plaintiffs, and because it should have been aware of the unusual activity on the accounts, which dipped below their required minimum balances as a result of the transactions.

B. Experi-Metal, Inc. v. Comerica Bank: Financial Institution’s Duty to Discover and Stop the Loss

In Experi-Metal, Inc. v. Comerica Bank,20 Experi-Metal, Inc.21 sought reimbursement from Comerica for ninety-three fraudulent wire transfers totaling more than $1.9 million, effected over a six and a half hour period. The fraudulent transfers occurred after a phishing22 attack targeted one of EMI’s employees, who unwittingly provided sufficient information to grant the fraudsters access to all of EMI’s business accounts—and to some related personal accounts of EMI employees—at Comerica.

19 997 F. Supp. 111 (D. Mass. 1997).

20 2011 U.S. Dist. LEXIS 62677 (E.D. Mich. Jun. 13, 2011).

21 Hereinafter EMI.

The majority of the payment orders directed funds to accounts in foreign countries. The fraudsters first consolidated funds from multiple EMI business accounts and several EMI employee personal accounts into one centralized account. The transfer requests continued even after the bank was advised of the transfers and after the account was exhausted of its funds. After recovering some of the lost funds, EMI was left with a $560,000 loss.

The court considered several factors to determine which party should bear the loss of this fraudulent activity. These factors include:

the volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders; the $5 million overdraft created by those book transfers in what is regularly a zero balance account; [EMI]’s limited prior wire activity; the destinations and beneficiaries of the funds; and Comerica’s knowledge of prior and the current phishing attempts.23

22 “Phishing” occurs when a scammer sends an email to an individual “falsely claiming to be an established legitimate enterprise.” This misrepresentation requests private information about the recipient, such as passwords, credit card information, and social security or account numbers. The scammer uses this information to commit identity theft. Experi-Metal, 2011 U.S. Dist. LEXIS 62677, at *1-2 n.1. Fraudsters also employ “pharming” and “malware” to obtain sensitive personal information about their victims. Authentication in an Internet Banking Environment, 4 (Oct. 12, 2005), http://www.ffiec.gov/pdf/authentication_guidance.pdf. “Similar in nature to e-mail phishing, pharming seeks to obtain personal information by directing users to spoofed Web sites where their information is captured, usually from a legitimate-looking form.” Id. at 4 n.7. Malware, a portmanteau for “malicious software,” includes programs “designed to capture and forward private information such as ID’s, passwords, account numbers, and PINs.” Id. at 4 n.8. Malware attacks allow “corporate account takeovers,” such as the one in Experi-Metal, where a fraudster gains access to a business account by targeting its employees. Pamela Ryckman, Owners May Not Be Covered When Hackers Wipe Out A Business Bank Account, N.Y. TIMES, (Jun. 13, 2012), http://www.nytimes.com/2012/06/14/business/smallbusiness/protecting-business-accounts-from-hackers.html?pagewanted=all&_r=0.

Even in light of the phishing attack on EMI’s employee (which opened the door for these fraudulent transfer requests), the court concluded that the factors weighed in favor of EMI and that the bank had not dealt fairly with EMI in stopping these transfers. The bank was therefore liable for the full amount not recovered because it did not act in “good faith.”

C. Patco Construction Company, Inc. v. People’s United Bank: Financial Institution Required to Investigate Unusual Transfers

The First Circuit in Patco Construction Company, Inc. v. People’s United Bank24 held a bank liable for a series of fraudulent funds transfers from a commercial bank account. The accountholder sought reimbursement for its loss following six fraudulent withdrawals effected over the course of seven days. Prior to the fraudulent activity, the accountholder’s usual funds transfers followed a distinct pattern as payroll transfers:

[T]hey were always made on Fridays; they were always initiated from one of the computers housed at Patco’s offices in Sanford, Maine; they originated from a single static Internet Protocol (‘IP’) address; and they were accompanied by weekly withdrawals for federal and state tax withholding as well as 401(k) contributions. The highest payroll payment Patco ever made using eBanking was $36,634.74.25

The fraudulent withdrawals instructed payment to several accounts, the holders of which had never before received money from the accountholder. The transfers were initiated on a device and IP address that had not previously been used by the accountholder. The transfer amounts far exceeded any of the accountholder’s previous transfers. The security system software flagged the transactions as “high-risk” but no one at the bank manually reviewed designated transactions. The parties requesting the fraudulent transfers correctly responded to the accountholder’s security questions. Therefore, the bank permitted the transfers to proceed without informing the accountholder of the unusual requests. The transfers totaled nearly $590,000. The court found that the bank’s failure to monitor the suspect transactions and to notify customers of likely fraudulent activity on the accountholder’s accounts fell short of the “commercial reasonableness” standard required by Article 4A of the UCC, which is explored in greater detail below.26

23 Experi-Metal, 2011 U.S. Dist. LEXIS 62677, at *37-38.

24 Patco, 684 F.3d 197.

25 Id. at 200.

D. Choice Escrow and Land Title, LLC v. BancorpSouth Bank: Customer Liability

A Missouri federal court recently shifted liability to a customer, rather than to the financial institution, for a fraudulent transfer in Choice Escrow and Land Title, LLC v. BancorpSouth Bank.27 Choice maintained a trust account with BancorpSouth Bank.28 In 2010, BSB received an online request to transfer $440,000 from Choice’s account to another bank in the United States, with a disclosure that the final destination of the transfer was an account at a bank in Cyprus.

Prior to the incident at the heart of the case, Choice completed more than 250 wire transfers to individuals, companies, and financial institutions. However, Choice’s legitimate funds transfers followed no identifiable pattern with regard to their amounts, recipients, or destinations, and most failed to complete the “Originator Bank Information” field, or memo line, to identify any additional detail as to their purpose.29

After weighing BSB’s security procedure with respect to the fraudulent activity in Choice’s account, the court concluded that Choice had opted for an inferior procedure–even after BSB had offered a procedure that would be considered “commercially reasonable”. Observing that “[t]he tension between modern society and convenience [was] on full display” in the case30, the court ruled that Choice was responsible for the loss.

26 Id. at 204.

27 No. 10-03531-CV-S-JTM, 2013 U.S. Dist. LEXIS 36746 (W.D. Mo. Mar. 18, 2013).

28 Hereinafter BSB.

29 Id. at *17-19.

E. Trends and Themes

Nearing its sixteenth birthday, Grabowski marks the beginning of funds transfer jurisprudence, but stands apart from more recent case law in its facts and its age. Overarching trends in online banking law are more readily apparent from Experi-Metal and Patco, in which the financial institutions were found liable for the loss, and Choice Escrow, where the customer ultimately shouldered the liability. In particular, Choice Escrow provides valuable insight into the security measures and procedures expected of financial institutions seeking to avoid liability for fraudulent wire transfer transactions.

First, the number of wire transfers may impact a court’s interpretation of whether the customer or the financial institution must shoulder the burden. For example, Choice Escrow involved only one fraudulent transfer,31 in contrast to the ninety-three transfers in Experi-Metal32 and six transfers in Patco.33 The financial institution may be able to shield itself from liability where it has less time to catch the mistake because the activity in question occurred on only one day. Courts may also find the financial institution’s conduct is more fairly scrutinized in situations such as Experi-Metal, where Comerica permitted transfers to continue even after it became aware of irregularities in the transactions.34

Second, another salient factor in determining liability may be whether the customer’s business activities have enabled the scheme to succeed. In contrast to the particular transfers at issue in Experi-Metal and Patco, the transfer at issue in Choice Escrow was consistent with the amount and destination of other transfers made by Chase. The final destination of funds in Choice Escrow was known to be a foreign financial institution, which in Experi-Metal had signaled a high risk transaction.35 The variety of Choice Escrow’s previous wire transfer requests seemingly balanced out the foreign final destination of the funds in that case.

30 Id. at *25.

31 Id. at *1.

32 Experi-Metal, Inc. v. Comerica Bank, 2011 U.S. Dist. LEXIS 62677, at *18 (E.D. Mich. Jun. 13, 2011).

33 Patco, 684 F.3d at 199.

34 Experi-Metal, 2011 U.S. Dist. LEXIS 62677 at *20-22.

BSB’s ability to insulate itself from a $440,000 fraudulent loss—when similar losses occurred in Experi-Metal (about $560,000 after recovering some transfers)36 and Patco (about $345,000 after recovery)37—might therefore represent a shift away from the earlier trend of generally allocating fraudulent wire transfer costs to financial institutions. The courts are logically inclined to hold the customer to a higher standard where the customer elects for business reasons not to avail itself of additional security procedures offered by the financial institution to prevent such fraud.38 A financial institution with proper safety measures in place, and which follows such safety measures, may therefore be able to protect itself from liability for an unauthorized commercial funds transfer.

However, without exception, a finding of liability for fraudulent funds transfers has required the courts to review the specific details of each institution-customer relationship before determining who should bear the ultimate loss. The analysis offered by the courts highlights “the importance of good drafting within the contracts that financial institutions execute with their commercial customers,”39 which is explored in more detail below.

35 Id. at *38.

36 Id. at *31.

37 Patco, 684 F.3d at 199.

38 Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 2013 U.S. Dist. LEXIS 36746, at *25-26 (W.D. Mo. Mar. 18, 2013).

39 William T. Repasky, What the Patco and the Experi-Metals Cases Reveal About the Current State of On-Line Banking Law and Operational Risks, FINANCIAL SERVICES BLOG (June 21, 2011), http://fbtbankingresource.com/patco-and-experi-metals-cases-online-banking-law.


IV. WHO BEARS THE BURDEN OF THE FUNDS TRANSFER LOSS?

Section 4A-204, the default provision in Article 4A of the UCC, places the weight of any loss resulting from a fraudulent funds transfer upon the financial institution.40 Liability may shift to the customer, and perhaps back again to the financial institution, depending upon certain factors discussed below.41

A. Are there Commercially Reasonable Security Procedures (CRSPs)?

Security procedures are the most efficient method for financial institutions to avoid liability for fraudulent wire transfers.42 A “security procedure” is one which is “established by agreement of a customer and a receiving bank for the purpose of (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication.” Such a procedure “may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices.”43

If a customer agrees that a financial institution should follow a particular security protocol for funds transfers, and that protocol is still insufficient to prevent fraud, the institution may avoid liability for the fraud. However, the security procedure must be considered “commercially reasonable.” Whether a security procedure is commercially reasonable is a question of law to be decided by the court.44 The court will consider the procedure in light of 1) the wishes of the customer expressed or known to the financial institution; 2) the type, size, and frequency of transfers usually issued by the customer; 3) the alternative security procedures offered to the customer; and 4) the security procedures in use by the financial institution or similar institutions.45

40 Regatos v. North Fork Bank, 2003 U.S. Dist. LEXIS 4272, at *18 (S.D.N.Y. Mar. 19, 2003).

41 “Convenience and security are on a teeter totter . . . It’s difficult to get a balance.” Mary Wisniewski, Court Sides With BancorpSouth Against Wire Transfer Fraud Victim, AMERICAN BANKER, (Apr. 5, 2013), http://www.americanbanker.com/issues/178_66/court-sides-with-bancorpsouth-against-wire-transfer-fraud-victim-1058073-1.html.

42 U.C.C. § 4A-202(b).

43 Choice Escrow, 2013 U.S. Dist. LEXIS 36746, at *6; U.C.C. § 4A-201.

A procedure may be presumed commercially reasonable if the financial institution recommended it to the customer, but the customer declined and chose an alternate security procedure.46 A “commercially reasonable” presumption requires the customer’s written agreement to be bound by any payment order, whether or not authorized, issued in its name and accepted by the financial institution so long as the financial institution complies with that security procedure.47

The “commercially reasonable” designation is meant “to encourage banks to institute reasonable safeguards against fraud but not to make them insurers against fraud.” Financial institutions are not required to choose the best available security procedure. “A security procedure is not commercially unreasonable simply because another procedure might have been better or because the judge deciding the question would have opted for a more stringent procedure.”48 Financial institutions are measured against their peers in this regard: “a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable.”49

44 U.C.C. § 4A-202(c).

45 U.C.C. § 4A-202(c); see also Patco, 684 F.3d at 209; MICH. COMP. LAWS § 440.4701 (noting that “[c]omparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure”).

46 Regatos v. North Fork Bank, 2003 U.S. Dist. LEXIS 4272, at *19 (S.D.N.Y. Mar. 19, 2003).

47 Patco, 684 F.3d at 209.

48 Choice Escrow, 2013 U.S. Dist. LEXIS, at *16-17.

49 Id. at *17; U.C.C. § 4A-203 cmt.


B. Does the Financial Institution Have a Signed Agreement with its Customer?

For a conclusive presumption that a security procedure is reasonable, a customer’s agreement regarding the appropriate security procedure must be in writing and executed by the customer.50 A verbal agreement is insufficient to protect the financial institution in the event of a loss. Furthermore, although in some cases a customer may authorize an agent to act on its behalf in transactions with the financial institution, only the customer may enter into a security procedure agreement with the institution.51

C. Did the Financial Institution Adhere to the Agreement?

The financial institution must follow the security procedure when accepting the fraudulent request in order to avoid liability.52 Perhaps less intuitive is the requirement that the institution must also comply with any other written agreements with its customer when accepting the fraudulent request.53 For example, a written agreement that permits a third party to act on behalf of the customer in its dealings with the financial institution might also bind the institution in a fraudulent transfer situation.54

D. Has the Financial Institution Acted in Good Faith?

The financial institution must accept the fraudulent request in good faith. “The definition for good faith . . . encompasses ‘honesty in fact and the observance of reasonable commercial standards of fair dealing.’”55 It, therefore, imposes a two-part test, which encompasses both objective and subjective elements.

50 See First Nat’l Bank of N. Cal. v. St. Paul Mercury Ins. Co., No. C 11-6631 PJH, 2013 U.S. Dist. LEXIS 1045, at *12 (N.D. Cal. Jan. 3, 2013) (finding that “a generic signature card, read with an account agreement and a section from a bank’s Operating Manual, does not constitute a ‘Written agreement’”).

51 Grabowski, 997 F. Supp. at 120.

52 See, e.g., Choice Escrow, 2013 U.S. Dist. LEXIS 36746, at *19-22 (requiring a financial institution to comply with the customer’s chosen security procedure to avoid liability for a fraudulent transfer).

53 Grabowski, 997 F. Supp. at 123-24.

54 Id.

In addition to honesty in fact, the law considers “whether the conduct of the holder comported with industry or ‘commercial’ standards applicable to the transaction,” and subjectively “whether those standards were reasonable standards intended to result in fair dealing.”56 Each court’s inquiry varies based on the transaction at issue and the parties involved.57 “The ‘honesty in fact’ prong . . . has been referred to as the ‘pure heart and empty head’ standard . . . The issue . . . is whether they acted in ‘observance of reasonable commercial standards of fair dealing.’”58 A fraudulent funds transfer which is accepted in good faith is considered “effective” “because it can be properly verified. Such an order is effective even if it is actually unauthorized, as in the case of a perfect forgery.”59 Only where a payment order is not “effective” does the financial institution’s liability for the transfer come into play.60

The original UCC Article 4A definition of “good faith” is no longer present in the model law.61 The original definition required “honesty in fact and the observance of reasonable commercial standards of fair dealing.”62 Roughly half of the states have deleted this definition from their statutes.63 It is unclear whether a court in these states will continue to rely on the former definition, look to other sections of the UCC for a definition, or adopt a new definition.64 The court in Experi-Metal permitted modification of the “good faith” requirement by agreement of the financial institution and its customer; without a written agreement the statutory “good faith” definition may be ignored.65

Therefore, a court considering fraudulent funds transfers occurring after the statutory definition for “good faith” was deleted could feasibly choose either to rely upon precedent, which uses the now-deleted statutory definition, or to look elsewhere for the “good faith” standard.

55 Choice Escrow, 2013 U.S. Dist. LEXIS 36746, at *20 (quoting MISS. CODE. ANN. § 75-4A-105(a)(6)).

56 Id. at *20 (quoting Maine Family Credit Union v. Sun Life Assurance Co. of Canada, 727 A.2d 335, 343 (Me. 1999)).

57 Id.

58 Experi-Metal, 2011 U.S. Dist. LEXIS 62677, at *30. The “good faith” analysis should not be confused with the test for negligence: “[a]lthough fair dealing is a broad term that must be defined in context, it is clear that it is concerned with the fairness of the conduct rather than the care with which an act is performed. Failure to exercise ordinary care in conducting a transaction is an entirely different concept than failure to deal fairly in conducting the transaction.” Id. at *30-31.

59 Regatos v. North Fork Bank, 2003 U.S. Dist. LEXIS 4272, at *20 (S.D.N.Y. Mar. 19, 2003).

60 Id. at *20-21.

61 It is not clear why UCC Article 4A no longer contains a definition of “good faith.” At the time the court in Choice Escrow and Land Title, LLC v. BancorpSouth Bank issued its holding, Missouri’s UCC no longer contained the statutory definition of “good faith.” The court does not address this discrepancy. However, in Choice the fraudulent activity occurred in March 2010, while the term was not deleted from Missouri’s statutes until July of that same year.

62 See Regions Bank v. Provident Bank, Inc., 345 F.3d 1267, 1274-76 (11th Cir. 2003).

63 The following states no longer include a definition of “good faith” in their UCC statutes: Alaska, Arkansas, California, Connecticut, Delaware, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Minnesota, Mississippi, Nevada, New Hampshire, New Mexico, North Carolina, North Dakota, Oregon, Pennsylvania, South Dakota, Texas, Vermont, Washington, West Virginia. State statutes retaining the definition are as follows: ALA. CODE § 7-4A-105(A)(6); ARIZ. REV. STAT. ANN. § 47-4A105(A)(6); COLO. REV. STAT. § 4-4.5-105(A)(6); D.C. CODE § 28:4A-105(A)(6); FLA. STAT. § 670.105(1)(F); GA. CODE ANN. § 11-4A-105(A)(6); HAW. REV. STAT. § 490:4A-105(A)(6); IDAHO CODE ANN. § 28-4-605(1)(F); 810 ILL. COMP. STAT. § 5/4A-105(A)(6); IND. CODE § 26-1-4.1-105(A)(6); MASS. GEN. LAWS ch. 106, § 4A-105(A)(6); MICH. COMP. LAWS § 440.4605(1)(F); MO. REV. STAT. § 400.4A-105(A)(6); MONT. CODE ANN. § 30-4A-105(1)(F); NEB. REV. STAT. (U.C.C.) § 4A-105(A)(6); N.J. STAT. ANN. § 12A:4A-105(1)(F); N.Y. U.C.C. LAW § 4-A-105(1)(F); OHIO REV. CODE. ANN. § 1304.51(A)(9) (refers to another code section with an identical definition); 12A OKLA. STAT. § 4A-105(A)(6); R.I. GEN. LAWS § 6A-4.1-105(A)(6); S.C. CODE ANN. § 36-4A-105(A)(6); TENN. CODE ANN. § 47-4A-105(A)(6); UTAH CODE ANN. § 70A-4A-105(1)(F); VA. CODE ANN. § 8.4A-10F(A)(6); WIS. STAT. § 410.105(1)(F); WYO. STAT. § 34.1-4.A-105(A)(VI).

64 The court in Experi-Metal notes that the definition of “good faith” then found in U.C.C. § 4A-105(a)(6) also “appears in other articles of the U.C.C.” Experi-Metal, Inc., 2011 U.S. Dist. LEXIS 62677, at *18. At the time Experi-Metal was decided, U.C.C. § 1-201 defined good faith only as requiring “honesty in fact;” it is now identical to the former § 4A-105(a)(6) definition. U.C.C. § 3-103 has also been revised since Experi-Metal, when it mirrored the § 4A-105(a)(6) definition of “good faith,” to no longer define the term. These changes may be an attempt to standardize the definition throughout the UCC.

E. What Was the Origin of the Breach?

The final inquiry concerns the origin of the breach: if the fraudster gained access to the customer’s funds because of an overt act or omission by the financial institution, the financial institution will likely bear liability for the unauthorized transfer. Conversely, a financial institution may shift liability for a fraudulent funds transfer if the customer causes the “breach”.66 A customer may cause the “breach” by authorizing the payment expressly or through a third party, as where the third party is authorized to act by virtue of an agreement with the customer or because of agency law principles.67

Even if the financial institution successfully shifts the loss to the customer, the customer may return liability to the institution if the customer can prove that the customer’s “breach” did not cause the fraudulent order.68 The customer must therefore show that no one entrusted with duties to act for the customer caused the fraudulent transfer to be made, whether directly or indirectly. In addition, if a person obtained information that facilitated the fraud from a source controlled by the customer and without the institution’s authority, the customer will not be able to shift the loss back to the institution.

Thus, there are two separate burdens implicated when determining the existence of a “breach.” To avoid liability, the financial institution must prove that its actions were commercially reasonable, were made in good faith, and complied with the agreed upon security procedure and with any other written agreements with the customer. If the institution carries its burden, the customer has a separate burden to avoid liability. The customer must prove that the transfer was not requested, either directly or indirectly, by a person entrusted to act on behalf of the customer or who obtained information which facilitated the breach from a source controlled by the customer and without the authority of the institution.69

65 Id. at *28. Michigan still retains the definition of “good faith” that has since been deleted from the UCC, as is explained above. MICH. COMP. LAWS § 440.4605(1)(f) (2013).

66 U.C.C. § 4A-202(a).

67 Grabowski v. Bank of Boston, 997 F. Supp. 111, 123-24 (D. Mass. 1997). A financial institution need not adhere to an instruction that violates its written agreement(s) with the customer, even if that instruction is given pursuant to a third party agreement with an agent authorized to act on the customer’s behalf. U.C.C. § 4A-202(b). “For example, the bank and its customer may have agreed that a funds transfer that creates an overdraft will not be accepted, or that the customer may only send funds transfers to certain listed beneficiaries.” Regatos, 2003 U.S. Dist. LEXIS 4272, at *19.

68 U.C.C. § 4A-203.

V. THE CUSTOMER’S OBLIGATION TO TIMELY DISCOVER A FRAUDULENT TRANSFER

Online banking cases place additional burdens on customers to ensure timely detection of fraudulent wire transfer requests.70 For example, “a customer must notify her bank within one year of receiving notice of an unauthorized or erroneous funds transfer, or else she will lose the right to object.”71 This one-year notice period is a statute of repose72 and may not be shortened by agreement of the parties.73 Even if the customer is entitled to reimbursement for the amount wrongly transferred, however, the customer will forfeit interest on the amount wrongly transferred if they fail to notify the financial institution of the unauthorized transfer within a reasonable time after the customer receives notification of the transfer request, not to exceed ninety days.74 These time periods run from the date of receiving notice of the transfer, not from the date of the transfer itself.75 In cases where an individual customer regularly banks online and reviews his balance or transactions, or where an organization has a financial designee who regularly reviews a commercial account, a customer could be charged with reporting a fraudulent transfer within hours or days of the transaction.

69 Choice Escrow and Land Title, LLC, 2013 U.S. Dist. LEXIS 36746, at *4, 6.

70 Patco, 684 F.3d at 214 (1st Cir. 2012). The court in this case left open the question of what obligations a commercial customer may have when a financial institution’s security system is found commercially unreasonable.

71 Regatos, 2003 U.S. Dist. LEXIS 4272, at *23; U.C.C. § 4A-505.

72 “Statutes of repose and statutes of limitations are often confused, though they are distinct. A statute of limitations creates an affirmative defense where plaintiff failed to bring suit within a specified period of time after his cause of action accrued, often subject to tolling principles. . . . By contrast, a statute of repose extinguishes a plaintiff’s cause of action after the passage of a fixed period of time, usually measured from one of the defendant’s acts.” Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 88 n.4 (2d Cir. 2010) (emphasis in original).

73 Regatos, 2003 U.S. Dist. LEXIS 4272, at *23-30.

A. Practical Considerations

Many fraudulent commercial wire transfers follow a similar fact pattern. Commercial losses are typically the result of an online account breach, and the fraudsters generally obtain the necessary information to enable their breach through malware or phishing activity.76 Such fraudulent activity may fall within a financial institution’s electronic crime or computer coverage. However, institutions generally require commercial customers to execute funds transfer agreements to protect the institutions in the event of an unauthorized wire transfer request. These agreements are the basis for much litigation between financial institutions and their commercial customers after fraudulent wire activity.

B. Best Practices Learned from Recent Case Law

Financial institutions should update their security measures regularly to defend against ever-changing and increasingly sophisticated online banking scams.77 No single security measure can effectively prevent fraudulent funds transfers. To maximize protection from fraud, each financial institution must create comprehensive security plans that include multiple layers of protection.78 Recommended procedures to date have included the following:

74 Id. at *21-22; U.C.C. § 4A-204(a).

75 Regatos, 2003 U.S. Dist. LEXIS 4272, at *32-35.

76 By contrast, consumer losses generally arise from fraudulent phone, fax, or email transfer requests, although sometimes fraudsters also use online banking requests or electronic forms—not fully automated transactions—to make their requests. See also Internet Crime Complaint Center, Fraud Alert Involving E-Mail Instructions to Facilitate Wire Transfers Overseas (Jan. 2012), http://www.ic3.gov/media/2012/EmailFraudWireTransferAlert.pdf.

77 See Supplement to Authentication in an Internet Banking Environment 1 (Jun. 28, 2011), http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20%28FFIEC%20Formated%29.pdf (noting that financial institutions face “new and evolving threats to online accounts” and that financial institutions must adjust their security protocols accordingly).

1. Requiring customers accessing online banking to do so using a unique user name and password;

2. Using a “cookie” to identify which computers a customer typically uses for online banking, or implementing challenge questions for suspicious transactions or those over a specified dollar amount;79

3. Utilizing risk profiling tools to analyze data about the location from which a customer logs in; when and how often a customer logs in; what a customer typically does while on the system; the size, type, and frequency of transfer requests typically submitted by the customer; and the customer’s usual IP address;80

4. Implementing a protocol to detect suspicious transfer requests, and manually reviewing such transfers before processing the requests;81

5. Executing written funds transfer agreements with commercial customers, which include a list of authorized users of the account so fraudsters cannot create false profiles to access the account,82 and which include annual—or more frequent—notifications to remind commercial customers to review and update information on customer contacts;

6. Requiring written security agreements to delineate a clear procedure for handling funds transfers and suspected fraudulent transactions (leaving nothing to the discretion of the financial institution), and to include a phone number where the customer may be reached and the maximum dollar amount the customer will permit to be transferred by wire from their account;83

7. Including user-selected pictures on sign-in pages, or requiring physical tokens with changing codes that must be entered to access online banking systems to ward off phishing attempts;84

8. Considering additional review and procedures for wire transfer requests to foreign countries;85 and

9. Reducing reliance on electronic signatures, as this method is not a foolproof method of authentication because the electronic signature is only secure if the authentication process prior to the instrument’s signing is secure, and as most general e-signature tools do not accommodate the high risk of a wire transfer and are therefore not sufficient to prevent fraudulent funds transfer requests.86

78 CUNA Mutual Group, Credit Union Protection 2013 Wire Transfer Webinar Series at 11-13 (on file with author).

79 Patco, 684 F.3d at 202.

80 Id. Financial institutions can also subscribe to the eFraud Network, which compares characteristics of a particular transfer request with known instances of fraud and relays any suspicious correlations.

81 Id.; 2013 Wire Transfer Webinar Series, supra note 78, at 11-13.

82 Patco, 684 F.3d at 202.
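An added illustration, not drawn from the article, the cited cases or any bank's actual system, of how recommendations 2, 3, 4, 6 and 8 in the list above can be layered into a single screening step for a wire request. Every field name, threshold and sample value below is an assumption made for the example.

```python
"""Layered screening of a wire-transfer request (illustrative thresholds)."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from statistics import median
from typing import List, Optional, Set


class Decision(Enum):
    APPROVE = "approve"
    CHALLENGE = "challenge"            # step-up: challenge questions or token code
    MANUAL_REVIEW = "manual_review"    # hold the order and call the customer back
    REJECT = "reject"                  # order violates the written agreement


@dataclass
class CustomerProfile:
    agreed_max_amount: float           # cap from the written security agreement
    callback_phone: str                # number listed in that agreement
    known_devices: Set[str]            # device cookies seen on earlier logins
    usual_networks: List[str]          # CIDR blocks the customer normally uses
    past_amounts: List[float]          # amounts of earlier legitimate wires
    past_countries: Set[str]           # beneficiary countries used before
    usual_daily_transfers: int         # typical number of wires per day


@dataclass
class TransferRequest:
    amount: float
    device_id: Optional[str]
    source_ip: str
    beneficiary_country: str
    transfers_today: int               # wires submitted today, this one included


@dataclass
class ScreeningResult:
    decision: Decision
    reasons: List[str] = field(default_factory=list)
    callback_phone: Optional[str] = None


def screen(profile, req, challenge_amount=50_000.0, home_country="US"):
    # Layer 1: hard limit from the agreement, nothing left to discretion.
    if req.amount > profile.agreed_max_amount:
        return ScreeningResult(Decision.REJECT, ["amount exceeds agreed maximum"])

    # Layer 2: risk profiling against the customer's own history.
    reasons = []
    if req.device_id not in profile.known_devices:
        reasons.append("unrecognized device")
    addr = ip_address(req.source_ip)
    if not any(addr in ip_network(net) for net in profile.usual_networks):
        reasons.append("unusual source network")
    if profile.past_amounts and req.amount > 3 * median(profile.past_amounts):
        reasons.append("amount far above customer's typical wire")
    if (req.beneficiary_country != home_country
            and req.beneficiary_country not in profile.past_countries):
        reasons.append("first transfer to this foreign country")
    if req.transfers_today > 2 * profile.usual_daily_transfers:
        reasons.append("unusual number of transfers today")

    # Layer 3: two or more anomalies -> hold for manual review and callback.
    if len(reasons) >= 2:
        return ScreeningResult(Decision.MANUAL_REVIEW, reasons, profile.callback_phone)
    # A single anomaly, or a large but otherwise normal wire, gets a step-up.
    if reasons or req.amount >= challenge_amount:
        if not reasons:
            reasons.append("amount at or above challenge threshold")
        return ScreeningResult(Decision.CHALLENGE, reasons)
    return ScreeningResult(Decision.APPROVE)


# Constructed sample data (not taken from any case discussed in the article).
PROFILE = CustomerProfile(
    agreed_max_amount=500_000.0,
    callback_phone="+1-555-0100",
    known_devices={"cookie-a1"},
    usual_networks=["203.0.113.0/24"],
    past_amounts=[10_000, 15_000, 20_000, 25_000, 60_000],
    past_countries={"US", "CA"},
    usual_daily_transfers=2,
)
ROUTINE = TransferRequest(12_000, "cookie-a1", "203.0.113.10", "US", 1)
LARGE = TransferRequest(55_000, "cookie-a1", "203.0.113.10", "US", 1)
TAKEOVER = TransferRequest(440_000, None, "198.51.100.7", "XX", 1)
OVER_CAP = TransferRequest(600_000, "cookie-a1", "203.0.113.10", "US", 1)

if __name__ == "__main__":
    for name, r in [("routine", ROUTINE), ("large", LARGE),
                    ("takeover", TAKEOVER), ("over cap", OVER_CAP)]:
        res = screen(PROFILE, r)
        print(f"{name:9} -> {res.decision.value}: {res.reasons}")
```

Recording the reasons alongside each decision gives the institution a record that the agreed procedure was actually followed for a given order.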

C. Best Practices Offered by the FFIEC Guidance for Online Banking

The Federal Financial Institutions Examination Council87 was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions.88 It is composed of and represents the interests of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and State Liaison Committee.89

83 Id. This same advice applies with equal force to consumer agreements.

84 Id.

85 Id.

86 2013 Wire Transfer Webinar Series, supra note 78, at 20.

87 Hereinafter FFIEC.

Courts rely heavily upon guidelines published by the FFIEC when faced with fraudulent wire transfer cases.90 The FFIEC’s guidance documents are therefore considered “required standards of performance” for financial institutions engaging in electronic banking.91 “While the guidance focuses on Internet banking systems, its principles apply to all forms of electronic banking, including telephone banking systems.”92 The cornerstone of this guidance is the requirement and expectation that financial institutions must “safeguard the information of persons who obtain or have obtained a financial product or service to be used primarily for personal, family or household purposes, with whom the institution has a continuing relationship.”93 In addition, the regulations implementing Section 326 of the USA PATRIOT Act, 31 U.S.C. § 5318(l), require financial institutions to “verify the identity of customers opening new accounts.”94

88 Press Release, FFIEC Releases Supplemental Guidance on Internet Banking Authentication, at 2 (Jun. 28, 2011), http://www.ffiec.gov/press/pr062811.htm.

89 Id.

90 See Repasky, supra note 39; Choice Escrow and Land Title, LLC, 2013 U.S. Dist. LEXIS 36746, at *21 (finding that “the standards included in the FFEIC (sic) 2005 Guidelines with regard to security procedures were reasonable standards intended to result in fair dealing”).

91 Repasky, supra note 39. However, the FFIEC’s guidance “does not apply to applications submitted by non-customers . . . customer verification during account origination is a related but separate process from that of authentication.” Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment 3 (Aug. 15, 2006), http://www.ffiec.gov/pdf/authentication_faq.pdf.

92 Id. at 2.

93 Authentication in an Internet Banking Environment, supra note 22, at 2 (citing section 501(b) of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801).

94 Id.


1. 2005 Guidance

The FFIEC issued its most recent guidelines in 2005, replacing the 2001 Guidance on the same topic (“the 2005 Guidance”).95 The 2005 Guidance focuses on “high-risk transactions,” defined as those online banking transactions “involving access to customer information or the movement of funds to other parties.”96 The 2005 Guidance notes that single-factor identification is insufficient for high-risk transactions.97 Instead, multi-factor authentication or layered security measures are appropriate for such online banking activities.98 “Existing authentication methodologies involve three basic ‘factors’: Something the user knows (e.g., password, PIN); [s]omething the user has (e.g., ATM card, smart card); and [s]omething the user is (e.g., biometric characteristic, such as a fingerprint).”99 A simple login screen requiring only a username and password is a single-factor authentication system; an ATM transaction is a multi-factor authentication system.100 A multi-factor approach combining these tools is obviously more effective than using only one authentication factor, and the FFIEC’s guidance effectively mandates multi-factor authentication for online banking.

The 2005 Guidance also identifies out-of-band controls as a useful technique for thwarting fraudulent activity.101 “Out-of-band” controls are those which require “additional steps or actions beyond the technology boundaries of a typical transaction.”102 For example, a phone call-back to verify an online transfer request or an email notification of a transfer request is an out-of-band control. Phone-based challenge questions in response to online transactions are another out-of-band fraud control mechanism.

95 Id. at 1.

96 Id.

97 Id.

98 Id.

99 Id. at 3.

100 Id.

101 Id.

102 Id.; see also Patco, 684 F.3d at 202. However, out-of-band authentication is not foolproof, as email can be hacked, signatures and notary seals can be forged, and phone calls can be rerouted. See 2013 Wire Transfer Webinar Series, supra note 78, at 11-13. Therefore, it is best used as part of a multi-factor authentication test.


Another important takeaway from the 2005 Guidance is the notion that simply attempting to thwart suspicious activity is not enough.103 The 2005 Guidance also recommends that financial institutions monitor suspicious activity and report fraudulent activity to the appropriate authorities as required by the Bank Secrecy Act.104 It is important to share information about potential and actual fraudulent online banking activity with customers as well: the 2005 Guidance notes that “customer awareness is a key defense against fraud and identity theft.”105 For example, financial institutions may wish to provide such information to customers yearly, with updates about new scams and the financial institution’s strategies to thwart unauthorized access to customer accounts.

In addition, the 2005 Guidance contains an appendix of suggested security measures, such as the use of physical tokens and shared secrets like PINs, which are useful components of a larger security plan.106 This appendix explores each method, including by noting the advantages and disadvantages of each measure. A financial institution seeking to comply with the FFIEC’s guidelines would be well advised to refer to this appendix when compiling a multi-factor authentication test.

2. 2011 Supplement

Citing “[t]he continued growth of electronic banking and greater sophistication of the associated threats” since the 2005 Guidance, the FFIEC issued a supplement to its guidelines on June 28, 2011 (“the 2011 Supplement”).107 In a press release, the FFIEC noted that electronic banking threats “have increased risks for financial institutions and their customers,” that both “[c]ustomers and financial institutions have experienced substantial losses from account takeovers,” and that “[e]ffective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions’ electronic agreements and transactions.”108 Expanding upon the 2005 Guidance, the 2011 Supplement notes that it sets forth only “minimum control expectations,” and that financial institutions interested in more robust protection might wish to exceed these expectations in certain circumstances.109

103 Authentication in an Internet Banking Environment, supra note 22, at 5.

104 Id.

105 Authentication in an Internet Banking Environment, supra note 22, at 5-6. The 2011 Supplement, noted below, reiterates this emphasis on customer education. Supplement to Authentication in an Internet Banking Environment, supra note 77.

106 See Authentication in an Internet Banking Environment, supra note 22, at 7-14.

107 See Press Release, supra note 88, at 1.

Recognizing that “virtually every authentication technique can be compromised”, the 2011 Supplement emphasizes a “layered” approach to electronic banking security.110 “Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.”111 For example, layered security may include the following: tracking customer behavior and history, dual authorization through different access devices, out-of-band verification for transactions, limitations on transactional use of an account, maximum limits on the amount or number of daily online transactions, monitoring IP addresses used to access accounts, and customer education measures to avoid fraudulent activity.112

Because fraudsters are resourceful and always seeking new ways to breach a financial institution’s security measures, the FFIEC recommends periodic risk assessments (at least every twelve months), considering “changes in the internal and external threat environment, . . . changes in the customer base adopting electronic banking; changes in the customer functionality offered through electronic banking; and actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.”113

108 Id.

109 Supplement to Authentication in an Internet Banking Environment, supra note 77, at 1.

110 Id. at 2.

111 Id. at 4-5.

112 Id.

Security procedures which were once considered highly effective may lose their power over time as fraudsters develop new ways to infiltrate electronic banking systems. For example, complex device authentication, which is a sophisticated form of the widely-known “cookie” technology, is more effective than simple device identification, which is “no longer . . . an effective risk mitigation technique” standing alone.114

Similarly, challenge questions are most effective when they incorporate “out of wallet” inquiries, which do not seek information that is publicly available, rather than simpler questions about a customer’s high school, familial relationships, or college graduation year.115 FFIEC advocates the use of multiple challenge questions for authentication, without exposing all the questions in one session, as a component of a layered security program.116

The FFIEC considers commercial transactions to be higher risk than their consumer counterparts: While all “electronic transactions involving access to customer information or the movement of funds to other parties” fall within the category of high risk transactions, “not every online transaction poses the same level of risk.”117 Online consumer transactions, for example, fall on the lower end of the high risk spectrum because they involve lower dollar amounts and less frequent transactions than their business counterparts. By contrast, online business transactions require more robust security procedures, such as multifactor authentication in addition to the layered security measures which alone would generally be sufficient for consumer transactions.118

113 Id. at 3. Security experts agree: “There’s no such thing as a perfectly secure system.” Wisniewski, supra note 41.

114 Supplement to Authentication in an Internet Banking Environment, supra note 77, at 6-7.

115 Id.

116 Id.

117 Id. at 3-4.

118 Id.

D. Other Best Practices to Avoid Fraudulent Funds Transfers

Financial institutions must regularly evaluate every aspect of their security protocols for funds transfers and other online banking activities to effectively combat fraudulent activity on commercial accounts.119 For example, financial institutions should carefully consider their options when evaluating vendors offering business online banking systems. Commercial accounts should include dual controls, which prevent transactions from being completed without the approval of multiple employees of that particular business customer. Business banking systems should also allow business customers to assign specific levels of access for the users who will be accessing its account.

As Experi-Metal highlights, financial institutions should share their recommendations for safe online banking practices with their customers and timely warn them of specific threats when appropriate. A commercial customer should be encouraged to use one dedicated computer for all online financial transactions; that computer should not connect wirelessly to the customer’s server, should be protected with a firewall and antivirus software, and should not be used to check email or for any general internet usage whatsoever. In addition, a business banking customer might consider a “bootable operating system,” which is written onto a read-only USB flash drive and offers another option for secure online financial transactions.120 These operating systems should not be affected by the presence of malware on any computer with which the flash drives are used. At a minimum, simple customer-side security solutions, such as real-time antivirus protection, desktop firewalls, use of caution when opening unknown or unsolicited emails, and installing regular security updates to operating systems and applications will also help to ensure the security of a business’s online banking profile.

119 See Elizabeth H. Johnson & Lynn C. Percival IV, Coping with the Threat of Fraudulent Funds Transfers 4-5, Oct. 3, 2012, available at http://www.poynerspruill.com/publications/Pages/Coping-with-the-Threat-of-Fraudulent-Funds-Transfers-.aspx.

120 See Brian Krebs, Online Banking Best Practices for Businesses, KREBS ON SECURITY, http://krebsonsecurity.com/online-banking-best-practices-for-businesses/; Brian Krebs, Banking on a Live CD, KREBS ON SECURITY (Jul. 12, 2012), http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/.

Small institutions should pay particular attention to their security procedures because thieves are increasingly targeting these institutions and their customers: “Smaller banks tend to be a step or two behind their larger peers in security . . . [a]nd small-business customers don’t have as much invested in cybersecurity as a large corporation.”121

VI. FINANCIAL INSTITUTION BONDS

Losses resulting from fraudulent phone and fax requests must be evaluated under the applicable coverage section of a particular Financial Institution Bond to see if the bond’s requirements have been met. Insureds often fail to follow their policy requirements, which results in a denial of claims by insurers. Each case must be addressed under the specific provisions of the bond, but the following cases discuss common issues arising from fraudulent transfer claims.

A. Missouri Bank and Trust Co. of Kansas City v. OneBeacon Insurance Co.: Overlapping Coverage Saved Institution from Denial for not Following Policy

In Missouri Bank and Trust Co. of Kansas City v. OneBeacon Insurance Co.,122 the insured bank sought to recover loss arising from an overseas wire transfer of $196,575 made in reliance upon a fraudulent facsimile request.123 The financial institution bond in that case included an agreement concerning telefacsimile transactions which required adherence to certain protocol when transferring money pursuant to a fax request.124 Missouri Bank sought to recover alternatively under an insuring agreement for a loss resulting from forged “written instructions.”

121 Andrew Dunn, Park Sterling Bank Suing Law Firm After Fraudulent Wire Transfer, THE CHARLOTTE OBSERVER (Apr. 3, 2013), http://www.charlotteobserver.com/2013/04/03/3955834/park-sterling-bank-suing-law-firm.html; see also Ryckman, supra note 22 (noting that “small businesses are especially easy prey because many lack firewalls and monitoring systems”).

122 688 F.3d 943 (8th Cir. 2012).

123 Id. at 945.

124 Id.

Missouri Bank failed to follow its own callback procedure required for fax requests and therefore it could not recover under the telefacsimile insuring agreement.125 Missouri Bank argued that the fax request was also a “written” instruction to transfer funds within the meaning of the forgery insuring agreement.126 OneBeacon countered that the fax did not constitute a written instruction, and that the telefacsimile agreement was the sole applicable coverage. The Eighth Circuit ultimately concluded that the incident might be covered under more than one section of the bond.127 The court held OneBeacon was within its rights to deny coverage to the bank under the telefacsimile/funds transfer section of its bond. However, Missouri Bank was entitled to summary judgment on its breach of contract claim against OneBeacon for its failure to provide coverage under the forgery insuring agreement because the wire transfer request constituted a written instruction.128

B. Universal City Studios Credit Union v. CUMIS Insurance Society, Inc.: No Coverage for Failure to Adhere to Callback Verification Policy Requirements

In Universal City Studios Credit Union v. CUMIS Insurance Soc., Inc.,129 a fraudster called Universal City Studios to request a telephone number change for the affected account.130 The imposter answered several security questions about the accountholder before the information was changed.131 Five days later, the credit union received a facsimile requesting a wire transfer of $243,678.19 from the customer’s account to an account at a bank in Hong Kong.132 Universal City Studios called the telephone number on the account—which had recently been changed by the fraudster—to verify the request.133 The person answering the call again provided correct answers to multiple security questions.134 The accountholder learned of the transfer two weeks later, but the credit union could not recover the transferred funds.135 After CUMIS denied coverage, the credit union sued the insurer.136

125 Id.

126 Id.

127 Id. at 949.

128 Id. at 948. At the time OneBeacon denied coverage, the issue of whether a facsimile was a “written” instruction was undecided. Id. at 949. The court concluded that the fax request did not fall within the definition of an “Electronic Record” within the meaning of the bond at issue. Id. at 947-48. The court concluded that such a record “is essentially data that is stored in an electronic device such as a hard drive or accessible by means of an electronic device on a digital medium such as a CD or DVD. The data can be ‘retrieved’ and viewed without creating a tangible version in a printed document.” Id. Therefore, the forgery section of the bond should properly have applied to the financial institution’s coverage claim. Id. at 948-49.

129 208 Cal. App. 4th 730 (2012).

130 Id. at 735.

131 Id.

A California court concluded that the credit union was not entitled to coverage under its bond for a fraudulent request because the credit union did not follow the policy’s conditions of coverage.137 The funds transfer provision of the bond in question required either callback verification to a secure telephone number, or a signed written agreement between the credit union and the customer providing for some alternative security procedure.138 Because the fraud was perpetrated only five days after the telephone number was changed, the callback did not meet the secure telephone number requirement set forth in the bond.139
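The secure telephone number test that decided this case (the five criteria quoted in note 138) can be applied mechanically before any callback is placed. The following is an added example, not code from the article, the bond, or any institution; the record types, the fallback to an earlier number, and the sample account are assumptions constructed for illustration.

```python
"""Callback-number check built on the five "secure telephone number"
criteria quoted in note 138. Types, names and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple

MIN_DAYS_ON_FILE = 30  # criterion (5): on file at least thirty days before the request


class Origin(Enum):
    """How a number reached the account file (hypothetical bookkeeping field)."""
    ACCOUNT_OPENING = "provided by the customer when the account was opened"          # (1)
    IN_PERSON_WITH_ID = "provided later in person with valid identification"          # (2)
    CONFIRMED_AT_PREVIOUS = "confirmed by contacting the customer at the previous number"  # (3)
    DIRECTORY = "obtained from a public or private telephone directory"               # (4)
    REMOTE_REQUEST = "changed remotely (phone, fax or online request)"  # meets none by itself


@dataclass(frozen=True)
class PhoneRecord:
    number: str
    added_on: date
    origin: Origin


def secure_basis(record: PhoneRecord, request_date: date) -> Optional[str]:
    """Return the criterion that makes this number secure, or None if none applies."""
    if record.origin is not Origin.REMOTE_REQUEST:
        return record.origin.value  # criteria (1) to (4) depend only on provenance
    if (request_date - record.added_on).days >= MIN_DAYS_ON_FILE:
        return f"on file for at least {MIN_DAYS_ON_FILE} days"  # criterion (5)
    return None


def choose_callback(history: List[PhoneRecord],
                    request_date: date) -> Tuple[str, Optional[str], str]:
    """Decide which number may be used to verify a transfer request.

    history is oldest-first; its last entry is the number currently on file.
    Returns (action, number, reason).
    """
    known = [r for r in history if r.added_on <= request_date]
    if not known:
        return ("HOLD", None, "no number on file at the time of the request")
    current = known[-1]
    basis = secure_basis(current, request_date)
    if basis:
        return ("CALL_CURRENT", current.number, basis)
    # Assumption, not bond text: fall back to the newest earlier number that qualifies.
    for record in reversed(known[:-1]):
        basis = secure_basis(record, request_date)
        if basis:
            return ("CALL_PREVIOUS", record.number, basis)
    return ("HOLD", None, "no secure number on file; verify the customer another way")


# Constructed account: number changed by phone five days before a faxed wire request.
OPENED = PhoneRecord("555-0100", date(2010, 1, 4), Origin.ACCOUNT_OPENING)
CHANGED = PhoneRecord("555-0199", date(2013, 3, 1), Origin.REMOTE_REQUEST)

if __name__ == "__main__":
    for when in (date(2013, 3, 6), date(2013, 3, 30), date(2013, 3, 31)):
        print(when, choose_callback([OPENED, CHANGED], when))
```

With the constructed account, a request five days after the remote change is routed to the number given at account opening rather than to the newly substituted one, and the changed number becomes usable only on day thirty.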

The insured argued that the facsimile transfer request met the alternative requirement of a written funds transfer agreement signed by the customer or the customer’s authorized representative and setting forth a commercially reasonable security procedure.140 However, because the transfer instruction was forged, it was not an agreement with the actual customer and therefore could not satisfy this alternative requirement.141 Moreover, the loss did not fall within other sections of the bond, such as forgery coverage, because such coverage excluded a loss from a funds transfer transaction.142 Because the funds transfer exclusion was conspicuous, plain, and clear, it was found to be enforceable.143

132 Id.

133 Id. at 735-36.

134 Id. at 736.

135 Id.

136 Id. at 732, 736.

137 Id. at 739-40.

138 Id. at 733. A secure telephone number was defined as meeting one of the following requirements: (1) provided by the customer when the account was opened; (2) provided at a later date by the customer in person, with valid identification; (3) confirmed as a replacement number by contacting the customer at the previous number; (4) obtained from a public or private telephone directory; or (5) on file for at least thirty days prior to the transfer request. Id. at 734.

139 Id. at 739. CUMIS had specifically warned of this type of fraudulent activity in an executive summary distributed to its insureds in 2006, among other reminders. Id. at 733-34. The summary stated, in pertinent part, “Some of the recent losses involve situations where the perpetrator requests a telephone number change on the member’s account just prior to requesting the transfer, in an attempt to circumvent callback security.” Id. at 734.

VII. ROADBLOCKS TO RESTITUTION OR SUBROGATION FOR ANY LOSS

A. Statistics on Fraudulent Funds Transfers

Fraudsters have been responsible for hundreds of millions of dollars of losses by financial institutions due to unauthorized funds transfers and other online banking fraud over the past several years.144 For example, between 2007 and 2012, credit unions nationally reported more than $25 million in actual losses due to wire transfer fraud and scams.145 The average loss reported by these credit unions in 2012 alone was $175,000, although some of the losses approached $1 million.146 These schemes target all types of financial institutions, and in many cases the fraudsters attempt to transfer much more money than is actually lost before the unauthorized activity is detected and halted.147

140 Id. at 739-40.

141 Id. at 740. The court did not reach the issue of whether the general reference to the insured’s security procedures in the faxed funds transfer agreement would have qualified as setting forth a commercially reasonable security procedure. Id. at 740 n.3.

142 Id. at 741.

143 Id. at 742.

144 Supplement to Authentication in an Internet Banking Environment, supra note 77, at 2.

145 2013 Wire Transfer Webinar Series, supra note 78, at 4.

146 Id.

147 Fraud Alert, supra note 76, at 11.

B. Criminal Enforcement

Considered “the original guardian of the nation’s financial payment systems,” the Secret Service has long been tasked with investigating financial crimes, including access device fraud and computer fraud.148 Access device fraud includes any fraudulent activity involving debit cards, automated teller machine cards, computer passwords, personal identification numbers, and credit or debit account numbers, among other things.149 Computer fraud includes unauthorized access to protected computers, data theft, and distribution of malware.150 The passage of the USA PATRIOT Act in 2001 expanded the Secret Service’s authority and led to the creation of task force networks to investigate electronic and financial crimes.151 These task forces are the primary means of government investigation of fraudulent funds transfers, although some international requests may be subject to additional oversight.

C. Best Practices for Recovery

1. Immediate Detection

Time is of the essence for financial institutions and their customers in detecting, reversing, and prosecuting fraudulent account activity. Timing and diligence are important when dealing with fraudulent account activity.152 Ideally, consumer and business account holders should check their online accounts daily to detect suspicious or unusual activity.153 Because that doesn’t always happen in practice, financial institutions should also diligently monitor transfer requests and unusual account activity to halt fraudulent activity as soon as possible.

148 Criminal Investigations, UNITED STATES SECRET SERVICE, http://www.secretservice.gov/criminal.shtml.

149 Id.; 18 U.S.C. § 1029.

150 Criminal Investigations, supra note 148; 18 U.S.C. § 1030.

151 Criminal Investigations, supra note 148; United States Secret Service Fiscal Year 2011 Annual Report, 39-45, http://www.secretservice.gov/annualreport.shtml. There are also criminal ramifications associated with violations of the EFTA. See 15 U.S.C. § 1693n.

152 Ryckman, supra note 22.

153 Id. (noting that “small businesses are especially easy prey because many lack firewalls and monitoring systems”).

Federal regulations issued by the Consumer Financial Protection Bureau also emphasize the importance of timely action when faced with fraudulent activity.154 For example, a customer’s liability for an unauthorized electronic fund transfer155 is limited if they provide their financial institution with timely notice of the transfer, within two business days of learning of the loss.156 Alternatively, if the consumer does not provide timely notice, an institution may be entitled to recover some of the loss directly from the consumer.157

2. Recourse

Assuming that a financial institution and its customer act quickly to detect and reverse fraudulent wire transfer requests, one way to stop fraudulent activity involves freezing the account in question. However, freezing an account would limit the customer’s ability to legitimately access their funds while the account was frozen, which may not be permissible in all cases. In limited circumstances, a financial institution may also be able to reverse a wire transfer request which is determined to be fraudulent.158 Requests to cancel wire transfers must be transmitted with sufficient time to give “the receiving bank a reasonable opportunity to act on the communication before the bank accepts the payment order.”159 After a payment order is accepted, cancellation is more difficult, as the receiving institution must agree to such cancellation, or a funds-transfer system rule160 must permit the cancellation to occur.161

154 12 C.F.R. § 1005.6. New regulations promulgated by the Consumer Financial Protection Bureau will be implemented on October 28, 2013. Consumer Financial Protection Bureau, Remittance transfer rule (amendment to Regulation E), http://www.consumerfinance.gov/remittances-transfer-rule-amendment-to-regulation-e/.

155 An “unauthorized electronic fund transfer” is defined as “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.” 12 C.F.R. § 1005.2. This does not include transfers initiated: (1) by a person the consumer gave access to the account, unless the financial institution has been notified that such access has been revoked; (2) with fraudulent intent by the consumer or by someone acting with the consumer; or (3) by the institution or its employees. Id.

156 12 C.F.R. § 1005.6(b)(1).

157 12 C.F.R. § 1005.6(b)(2).

158 U.C.C. § 4A-211.

159 U.C.C. § 4A-211(b). Such cancellation is also subject to the requirements of U.C.C. § 4A-211(a).

As noted above, financial institutions are required to abide by applicable provisions of the PATRIOT Act,162 and an institution’s failure to do so may lead to liability for any unauthorized activity resulting from the institution’s failure to adhere to the law. However, there is a common misconception that financial institutions are required to verify a customer’s identity by the PATRIOT Act prior to permitting withdrawal from a customer’s account; this is not true.163

The Patriot Act does require the Treasury Secretary to promulgate regulations that require banks to implement procedures for ‘verifying the identity of any person seeking to open an account to the extent reasonable and practicable’ and for ‘maintaining records of the information used to verify a person's identity, including name, address, and other identifying information.’ 31 U.S.C. § 5318(l)(2)(A), (B) (emphasis added); see also 31 C.F.R. § 103.121(b) (implementing regulations). The statute and implementing regulations, however, stop short of requiring banks to request photo identification from a person simply wishing to make withdrawals from his or her bank account.164

160 See U.C.C. § 4A-501(b).

161 U.C.C. § 4A-211(c). In such circumstances, the sending institution may also be responsible for the expenses of the receiving institution associated with any loss or legal costs associated with reversing the transfer. U.C.C. § 4A-211(f).

162 Hamze v. Bank of Am., No. CV-05-1315-PHX-FJM, 2006 U.S. Dist. LEXIS 45194, *3 (Ariz. Jun. 30, 2006) (“Pursuant to the Financial Action Task Force, an international anti-money laundering organization, the Treasury Department's Financial Crimes Enforcement Network, and the Patriot Act, the Bank has a duty to pay special attention to, among other things, suspicious transactions involving international wire transfers”).

163 See Sanders v. Mich. First Credit Union Tellers, 2010 U.S. Dist. LEXIS 80908, *4 (E.D. Mich. Aug. 10, 2010).

164 Id.; see also Wells v. Craig & Landreth Cars, Inc., 2011 U.S. Dist. LEXIS 43931, *10-11 n.2 (W.D. Ky. Apr. 22, 2011).

Therefore, recovery in these cases is rather limited and depends primarily upon timeliness in detecting fraud and swift action to claw back fraudulent transfers.

VIII. CONCLUSION

As hackers grow more sophisticated, financial institutions must rise to the task of defending against their attacks. The meaning of “commercially reasonable” will undoubtedly evolve to a higher standard over time in response to the increased sophistication of perpetrators of these fraudulent transactions. Financial institutions must stay abreast of technology and of the law to ensure compliance with their obligations under the UCC and under their fidelity bonds.