On June 11, 2014, the Eighth Circuit Court of Appeals (Court) issued a decision regarding cyber security and who should bear the loss for unauthorized funds transfers. In Choice Escrow & Land Title v. BancorpSouth Bank, 2014 U.S. App. LEXIS 10817, the court of appeals affirmed the U.S. District Court for the District of Missouri’s grant of summary judgment in favor of BancorpSouth Bank, concluding that under Article 4A of the Uniform Commercial Code, BancorpSouth Bank complied with commercially reasonable security measures and was not responsible for Choice Escrow & Land Title’s loss resulting from a fraudulent payment. Additionally, the court of appeals reversed the district court’s dismissal of a counterclaim for attorney’s fees filed by BancorpSouth Bank. The Eighth Circuit’s decision in this case was markedly more favorable to financial institutions than the First Circuit’s decision in Patco Construction Co. v. People’s United Bank, 2012 U.S. App. LEXIS 13617. This case is informative for all banks as the issue of loss allocation for fraudulent payment orders continues to evolve.
Review of the Case
Background on the Parties and the Litigation
Choice Escrow & Land Title (the “Customer”) is a Missouri company that provides real estate escrow services. Choice opened a trust account at BancorpSouth Bank (the “Bank”) that was used to hold funds entrusted to Choice by a buyer of real estate until those funds were wired to the seller at closing.
On March 17, 2010, after an employee of Choice fell victim to a phishing scam, an unknown third party accessed Choice’s online account at BancorpSouth and issued a payment order instructing BancorpSouth to wire $440,000 from Choice’s account to a bank account in the Republic of Cyprus. BancorpSouth accepted and executed the payment order.
Choice sued BancorpSouth for the lost funds in the district court. BancorpSouth filed a counterclaim for attorney’s fees based on an indemnification agreement that it had executed with Choice. The district court granted summary judgment in favor of BancorpSouth after concluding that under the provisions of Article 4A of the Uniform Commercial Code, the risk of loss from the fraudulent payment order was allocated to Choice. Further, the district court dismissed BancorpSouth’s counterclaim after concluding that the indemnification agreement was unenforceable because it conflicted with Article 4A. Choice appealed the decision of the district court.
Security Measures Offered to Choice by the Bank
BancorpSouth offered four security measures designed to ensure that access to its customers’ accounts was available only to each customer’s employees or authorized users. The four security measures included:
- A unique user ID and password
- Device authentication
- Daily dollar limits on the volume of wire transfer activity from a customer’s account
- Dual control requiring a second authorized user to separately approve a pending payment order
Choice declined two of the four security measures. Specifically, (1) Choice did not place daily transfer limits on its account; and (2) Choice declined the use of dual control and signed the requisite waiver of that security feature. In fact, Choice twice declined dual control. In November 2009, an employee of Choice received an e-mail from one of Choice’s underwriters describing a phishing scam that led to transfers of money to overseas banks. The Choice employee forwarded that e-mail to a BancorpSouth employee and asked whether the Bank could stop all foreign wire transfers. In response to the e-mail, a BancorpSouth employee indicated that the Bank was unable to stop just foreign wires but reiterated the Bank’s recommendation of dual control. Choice again declined dual control.
Choice’s Use of Wire Transfers
In order to initiate a wire transfer, Choice’s employees used an online banking platform called InView. Choice authorized two of its employees to use InView, and each of those employees was issued a unique user ID and password. One of those employees would log into InView (through BancorpSouth’s website) using her unique user ID and password. A commonly used device authentication software known as PassMark would then authenticate the device the employee used to access InView by checking the IP address and other specifications of the device. If PassMark did not recognize the device, the employee would be prompted to answer challenge questions. Once the device was recognized or the challenge questions were answered correctly, the employee would gain access to InView and could issue payment orders to BancorpSouth. If Choice had sufficient funds, the payment order would be sent to one of BancorpSouth’s six employees responsible for routing payment orders from Choice, and the payment order would be executed. BancorpSouth would debit the funds from Choice’s account and confirm the transaction by sending a fax to Choice.
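As an added illustration (not the Bank’s InView or PassMark code; every user, device, challenge answer and amount below is constructed), this Python model runs a payment order through the four controls listed above in the order the InView flow describes, so the effect of a customer declining daily limits and dual control can be seen directly.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of the four layered controls the article lists; added
# illustration, not InView or PassMark code. Passwords are kept in clear
# here only to keep the example short.

@dataclass
class CustomerProfile:
    users: Dict[str, str]               # user_id -> password
    known_devices: Set[str]             # device fingerprints the device check recognises
    challenge_answers: Dict[str, str]   # user_id -> expected challenge answer
    daily_limit: Optional[float]        # None: customer declined daily limits
    dual_control: bool                  # False: customer waived dual control
    sent_today: float = 0.0
    pending: Dict[str, "PaymentOrder"] = field(default_factory=dict)

@dataclass
class PaymentOrder:
    order_id: str
    user_id: str
    password: str
    device: str
    amount: float
    challenge_answer: Optional[str] = None

def submit_order(profile: CustomerProfile, order: PaymentOrder) -> str:
    """Run an order through the controls in the order the article describes.
    Returns 'executed', 'pending' or 'rejected:<control>'."""
    if profile.users.get(order.user_id) != order.password:
        return "rejected:credentials"
    if order.device not in profile.known_devices:
        # Unrecognised device: the user must answer the challenge question
        if order.challenge_answer != profile.challenge_answers.get(order.user_id):
            return "rejected:device"
    limit = profile.daily_limit
    if limit is not None and profile.sent_today + order.amount > limit:
        return "rejected:daily_limit"
    if profile.dual_control:
        profile.pending[order.order_id] = order  # hold for a second authorized user
        return "pending"
    profile.sent_today += order.amount
    return "executed"

def approve_order(profile: CustomerProfile, order_id: str, approver: str) -> str:
    """Dual control: a different authorized user must approve a pending order."""
    order = profile.pending.get(order_id)
    if order is None or approver not in profile.users or approver == order.user_id:
        return "rejected:dual_control"
    del profile.pending[order_id]
    profile.sent_today += order.amount
    return "executed"

def choice_like_profile(daily_limit=None, dual_control=False) -> CustomerProfile:
    """Constructed two-user customer; the defaults mirror the declined controls."""
    return CustomerProfile(users={"alice": "pw-a", "bob": "pw-b"},
                           known_devices={"office-pc"},
                           challenge_answers={"alice": "maple", "bob": "oak"},
                           daily_limit=daily_limit, dual_control=dual_control)
```

With the defaults (no daily limit, no dual control) a $440,000 order from an unrecognised device goes straight to execution once the password and challenge answer are known; enabling either declined control changes the outcome.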
Applicable Law and Guidance
Article 4A of the UCC
The rights, duties and liabilities of banks and their commercial customers with respect to electronic funds transfers are governed by Article 4A of the UCC. See Miss. Code Ann. § 75-4A-108. (Consistent with Choice Escrow, reference is made to Mississippi’s codification of Article 4A.) In general, the parties may not vary by agreement any rights and obligations arising under Article 4A.
Under Article 4A, the general rule is that a bank receiving a payment order bears the risk of loss of unauthorized funds transfers. Miss. Code Ann. § 75-4A-204. The bank may, in turn, shift the risk of loss to the customer in one of two ways:
- The bank may show that the payment order was the authorized order of the person identified as the sender if that person indeed authorized the order or is otherwise bound by it under the law of agency, Miss. Code Ann. § 75-4A-202(a), or
- If the bank and its customer have agreed that payment orders will be verified pursuant to a security procedure, the payment order is effective, whether or not authorized if:
- the security procedure is commercially reasonable; and
- the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement. Miss. Code Ann. § 75-4A-202(b).
A “security procedure” is established via the agreement of the bank and customer primarily in order to “verify that the payment order or communication amending or cancelling a payment order is that of the customer.” Miss. Code Ann. § 75-4A-201.
A bank can demonstrate that a security procedure is “commercially reasonable” in one of two ways. First, the standard is not whether the security procedure is the best available, but rather whether “the procedure is reasonable for the particular customer and the particular bank.” Miss. Code Ann. § 75-4A-203, cmt. 4 (emphasis added). Second, a security procedure is deemed to be commercially reasonable if:
- the security procedure was chosen by the customer after the bank offered and the customer refused a security procedure that was commercially reasonable; and
- the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure. Miss. Code Ann. §75-4A-202(c).
In the event that the bank proves that the security procedure was commercially reasonable and that it accepted the payment order in good faith and in compliance with the security procedure, the payment order is effective as an authorized order of the customer. Miss. Code Ann. § 75-4A-202(b)(ii), §75-4A-203(a)(1). If the bank is unable to prove that its security procedures were commercially reasonable, the risk of loss remains with the bank. See Miss. Code Ann. §75-4A-202(b)(1).
Even if the bank demonstrates commercial reasonableness, however, the customer may still shift the risk of loss back to the bank if the customer proves that the order did not result from either an insider fraud (e.g., a current or former employee) or a breach of its physical or electronic security. Miss. Code Ann. §75-4A-203(a)(2). In the event that the court determines that the bank bears the risk of loss, the bank must refund the payment order and must pay interest on the refundable amount. Miss. Code Ann. §75-4A-204(a).
In August of 2001, the agencies of the Federal Financial Institutions Examination Council (FFIEC) first issued guidance titled “Authentication in an Internet Banking Environment.” Available at http://www.ffiec.gov/pdf/pr080801.pdf. That guidance was updated on October 12, 2005. The 2005 Guidance in particular requires that banks should “periodically . . . [a]djust their information security programs in light of relevant changes in technology, the sensitivity of its customer information, and internal or external threats.” Additionally, the 2005 Guidance describes existing authentication methodologies as involving the following factors: (1) something the user knows (e.g., password, PIN), (2) something the user has (e.g., ATM card), and (3) something the user is (e.g., fingerprint). Use of more than one of these methodologies is called “multi-factor authentication,” which presents a more reliable and stronger fraud deterrent than single-factor methods. Accordingly, the 2005 Guidance states:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. . . . Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Choice and BancorpSouth agreed that BancorpSouth complied with its security procedures in accepting the payment order that resulted in a loss for Choice; however, disputes existed as to whether (1) BancorpSouth’s security procedures were commercially reasonable; (2) BancorpSouth accepted the payment order in good faith; and (3) BancorpSouth accepted the payment order in compliance with the customer’s written instructions.
The Bank’s Security Procedures Were Commercially Reasonable
A threshold question was addressed as to whether the Bank’s use of device authentication was a security procedure. Choice argued that it was not, because under Article 4A, a security procedure must be “established by agreement,” and Choice asserted that the Bank did not mention device authentication in any written contract or make any formal offer to use PassMark.
The court, however, concluded that all four security measures were security procedures because there was ample evidence that the parties agreed to implement PassMark, including:
- all BancorpSouth customers were required to sign up for PassMark when they signed up for InView; and
- an Addendum to Business Services Agreement between the parties states that Choice “assumes full responsibility and risk of loss for all transactions made by BancorpSouth . . . in accordance with . . . the procedures set forth in the InView User Manual(s) and Help screens” and the bank posted a digital manual titled “PassMark Login Security” on the InView portal.
Next, the Court turned to the question of whether the security procedures were commercially reasonable. Choice argued that a commercially reasonable security procedure must include manual review by a human being of every payment order. The Court rejected Choice’s argument calling it a “rigid, foreign standard” that is “essentially at odds with” Article 4A. Like the Court in Patco, the Court here analyzed FFIEC Guidance (described above in Section II) to determine whether BancorpSouth’s security procedures were commercially reasonable. In doing so, the Court determined that BancorpSouth’s security procedures complied with the FFIEC guidance by requiring multifactor authentication – including something that the user knows (correct password) and something that the user has (a recognized computer). The Court took note that BancorpSouth additionally offered dual control, which it characterized as an additional security procedure that addresses the increased security threats since the FFIEC guidance was issued in 2005.
Further, Choice contended that a bank must use a different security procedure for each of its customers in order for the security procedure to be suitable for the customer based on its wishes expressed to the bank and the circumstances of the customer known to the bank. The Court was dismissive of Choice’s argument and noted that if a bank were to develop a “single effective and versatile procedure,” it would not be commercially unreasonable for the bank to apply that procedure to all or substantially all of its customers, making changes to the procedure only when necessary.
Thus, the Court concluded that BancorpSouth’s security procedures were commercially reasonable and characterized this as a case where “an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper,” and Choice “voluntarily assumed the risk of failure of the procedure and cannot shift the loss to” BancorpSouth.
The Bank Accepted the Payment Order in Good Faith
To establish that it acted in good faith, BancorpSouth needed to demonstrate that its employees accepted and executed Choice’s payment order in a way that comported with Choice’s reasonable expectations as established by reasonable commercial standards of fair dealing. The Court concluded that BancorpSouth accepted the March 17 payment order in good faith based, in part, on testimony that it was “normal banking practice” for a bank’s employees to route payment orders that are submitted in compliance with security procedures without conducting any further review to determine whether that payment order might be suspicious. Additionally, the Court noted that Choice was well aware that:
- BancorpSouth employees saw a payment order only after it cleared the Bank’s security procedures; and
- the role of BancorpSouth employees was not to check for any irregularities in payment orders, but rather to route payment orders to the correct beneficiaries.
Further, the Court concluded that even if the March 17 payment order had been pulled for further review, it was not so unusual that it would have caused alarm because:
- the Bank provided evidence that it was not the largest payment order ever submitted by the Customer; and
- the Customer’s payment orders varied in size from a few thousand dollars to a few hundred thousand dollars.
Choice argued that a notation on the memo line, which was inconsistent with Choice’s business and past practice, should have been a red flag for BancorpSouth. The Court disagreed, however, that two words on the memo line of the payment order were enough to make the transaction so suspicious that BancorpSouth’s failure to notice it amounts to bad faith. In fact, the Court said, “if BancorpSouth’s employees had to remember the business of each of BancorpSouth’s 400,000 clients to ensure the memo line of each payment order made sense, BancorpSouth would not be in business long.”
The Bank Accepted the Payment Order in Compliance with Customer’s Written Instructions
The only evidence of an instruction to the Bank by the Customer was the November 11, 2009 e-mail from a representative of the Customer asking if it would be possible to stop foreign wire transfers. This e-mail resulted from the Customer’s employee learning of phishing scams from one of the Customer’s underwriters. The Court did not find that this exchange constituted an instruction (rather, it was an inquiry); therefore, the Bank did not violate any instruction made by the Customer.
The district court dismissed a counterclaim filed by BancorpSouth, in which it sought attorney’s fees based on an indemnification provision in its contract with Choice. The district court concluded that the indemnification clause, in which Choice agreed to indemnify and hold harmless BancorpSouth for, among other things, all “damages, losses [and] liabilities,” frustrated Article 4A’s attempts to balance the risk of fraudulent payment orders between a bank and its customer. The Eighth Circuit disagreed with the district court’s analysis, finding that the provision focused on by the district court is not at issue in the Bank’s counterclaim. Rather, the Bank sought attorney’s fees, not damages, stemming from the fraudulent payment order, and no provision in Article 4A allocates attorney’s fees between a bank and its customer in the event of litigation.
Some Takeaways for Banks
The outcome of this case does not change the First Circuit’s decision in Patco, and the lessons learned from Patco remain relevant for all banks. The Eighth Circuit’s decision in Choice Escrow does, however, provide some useful take-away points for banks to think about and be aware of as the issue of loss allocation for fraudulent payment orders continues to evolve:
- Banks should continue to require or offer various security procedure options, such as dual control or authorizations for some or all customer actions, out-of-band verifications of transactions (e.g., call-backs), account limitations that are customer-specific, etc. However, it is important that the communications offering those options, and the customer’s responses, are documented and preserved – particularly any election by the customer to refuse, waive or otherwise opt out of any such options – so that they can be used as evidence to show what options were made available to but not implemented by a customer.
- The bank’s agreements with its commercial customers should invoke and carefully track the requirements of Article 4A of the UCC in order to shift liability to the customer for fraudulent transactions.
- Banks and their commercial customers need to be thoroughly versed in and trained on the importance of security systems and procedures. Both sides need to fully understand how Article 4A of the UCC allocates liability for fraudulent transactions in order to make informed decisions about what steps should be taken when processing high-risk payment orders. If a customer understands that refusing an out-of-band verification option or call-back procedure – or dual control – just because it is inconvenient could result in liability for unauthorized transfers, they may choose otherwise – or they can certainly accept the risk but do so only after being fully informed of the ramifications. The element of surprise has no place in this high-risk space.