Pub. 6 2015 Issue 4

www.wvbankers.org 14 West Virginia Banker D ata security breaches continue to gar- ner headlines, and criminals continue to engage in targeted activities to steal millions of dollars in unauthorized funds. Banks and other financial institutions must heed the warnings of recent cases ad- dressing the issue, as well as the statutory framework that explains who is responsi- ble for resulting losses. Under the Uniform Commercial Code (“UCC”), Article 4A (“Funds Transfers”), a bank is responsible for unauthorized electronic payment orders on a non-con- sumer account. But if the bank verifies the payment order using a security procedure, then the transfer is deemed “authorized” by the customer. The bank may shift the risk of loss to its customers through very specific procedures: •The bank and customer agree that the bank will verify the authenticity of any transfer pursuant to a security procedure; •The security procedure is “commer- cially reasonable;” and •The bank acts in good faith, com- plies with the agreed-upon security procedure, and follows any written instructions from the customer restricting payment orders. Shifting risk of loss to the customer largely hinges upon commercial reasonableness, to be determined by: a. The wishes of the customer ex- pressed to the bank; b. The circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the cus- tomer to the bank; c. Alternative security procedures offered to the customer; and d.Other procedures generally used by customers and receiving banks in similar circumstances. If a customer wants to use its own security procedure and declines the procedure offered by the bank, this may also prove commercial reasonableness, but banks should use caution and ensure there is a proper waiver in place. Recent Decisions Regarding Commercially Reasonable Security Procedures 1. Yes, the Bank’s Procedure Was Com- mercially Reasonable. In Choice Escrow & Land Title, LLC v. Bankcorp South Bank, an unknown third-party accessed Choice Escrow & Land Title, LLC’s (“Choice Escrow”) accounts at Bankcorp South and stole $440,000 through unauthorized ACH transactions, the result of a Choice Escrow employee falling prey to a “phishing at- tack.” When attempts to recover the funds failed, Choice Escrow sued Bankcorp South for the lost funds. The bank’s standard security was four parts, including a dollar limit on the daily volume of wire transfer activity from a customer’s account and a “dual control” requiring two authorized users to approve every payment order. Choice Escrow declined the dollar limit on transactions and the “dual control” feature and signed the requisite waiver with the bank. In analyzing the bank’s security measures, the court determined that the security procedures were “commercially reasonable.” The court examined what similarly situated banks were doing, and it analyzed the Federal Financial Institu- tions Examination Council (“FFIEC”) guidance from 2005 on various authenti- cation protocols. The court also explained that bypassing “dual control” resulted in Choice Escrow assuming the risks of its decision and limited its ability to shift the loss to the bank. Finally, the court explained that the bank acted in good faith and that the bank acted in accordance with the requests of the customer and the parties’ agreement. Accordingly, Bankcorp South offered a commercially reasonable security proce- dure, and the bank was not responsible for the unauthorized transaction and resulting $440,000 loss. 2. No, the Bank’s Procedure Was Not Commercially Reasonable. The court found that the bank’s security procedures were not commercially reason- able in Patco Construction Co. v. People’s United Bank. Unauthorized ACH trans- fers totaling $588,851 were taken from the construction company’s account with Ocean Bank, which was later acquired by People’s United Bank. When the custom- er sued the bank to recover its losses, the bank’s security procedures became the focus of the lawsuit. The bank implemented a security system provided by an outside vendor. The court found flaws in the implementation of the UnauthorizedTransfersPresent GrowingRisks for Commercial Accounts By R. Scott Adams, Spillman, Thomas and Battle