
The Business Lawyer

Fall 2022 | Volume 77, Issue 4


Robert Denicola and Stephen Krebs


  • The Payments survey analyzes federal regulatory and Uniform Commercial Code Articles 3, 4, and 4A developments in the payments space.

Federal Regulatory Updates

CFPB Issues Frequently Asked Questions Regarding Regulation E

On June 4, 2021, the Consumer Financial Protection Bureau (CFPB) issued Frequently Asked Questions (FAQs) regarding compliance with the Electronic Fund Transfer Act (EFTA) and Subpart A to Regulation E, which implements provisions of the EFTA related to electronic fund transfers (EFTs). The CFPB subsequently issued updated FAQs on December 13, 2021, which supplement the FAQs issued in June by covering additional topics.

Regulation E (Subpart A) provides a basic framework that establishes the rights, liabilities, and responsibilities of consumers who engage in EFTs and the financial institutions that provide EFT services. Regulation E and the EFTA apply to a variety of consumer electronic payments, such as debit card transactions, automated clearing house (ACH) entries, and person-to-person (P2P) payments, among others.

The FAQs are a CFPB “compliance aid” intended to “present the requirements of existing rules and statutes in a manner that is useful for compliance professionals, other industry stakeholders, and the public.” The FAQs initially issued in June of 2021 focused on issues related to the definition of an unauthorized EFT under Regulation E, as well as related topics regarding a financial institution’s error resolution obligations. In addition to expanding upon those topics, the updated FAQs cover two additional topic areas—transactions and financial institutions.

Among other things, the “Transactions” section of the FAQs confirms that a P2P payment may be an EFT that is covered by Regulation E, including a P2P payment that uses the consumer’s debit card to transfer funds, a “credit-push” payment that transfers funds out of a consumer’s deposit, prepaid, or mobile account, or a debit card “pass through” P2P payment. The “Financial Institutions” section of the FAQs provides information about the definition of covered “financial institutions” under Regulation E by quoting the existing regulatory definition and confirming that certain entities may satisfy that definition, including non-bank P2P payment providers and “a non-bank P2P payment provider [that] initiates a debit card ‘pass-through’ payment from the consumer’s account held by a depository institution to a different person’s account at another institution.” This section also confirms that, where “a consumer uses a non-bank P2P payment provider to initiate a debit card ‘pass-through’ payment from the consumer’s account held by a depository institution, . . . the depository institution [is] considered a financial institution under Regulation E [with error resolution obligations], even though the transfer [is] initiated through the non-bank P2P payment provider.”

The “Error Resolution” segment of the FAQs includes information about the definition of an “error” for purposes of Regulation E, such as an unauthorized EFT or “incorrect EFT to or from the consumer’s account,” and a financial institution’s error resolution investigation obligations once it receives oral or written notice of an error from a consumer. More notably, perhaps, the FAQs highlight important points regarding key provisions of the regulatory text as well as the regulation’s official commentary by emphasizing that less protective private network rules do not change a financial institution’s Regulation E obligations, and that “a financial institution [cannot] require a consumer to file a police report or other documentation as a condition of initiating an error resolution investigation.” In explaining this issue, the CFPB pointed to existing official comments to Regulation E, as well as a 2019 enforcement action and related consent order.

The “Error Resolution: Unauthorized EFTs” section of the FAQs provides guidance on the definition of an unauthorized EFT, including that an EFT from a consumer’s account that is initiated by a fraudster through a non-bank P2P payment provider is considered an unauthorized EFT. Moreover, “when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.” In support of this statement, the CFPB cites the Regulation E commentary, which explains that “[a]n unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.” Among other things, the CFPB also emphasizes that a financial institution is not permitted to consider a consumer’s negligence when determining a consumer’s liability under Regulation E, and that a financial institution’s error resolution obligations begin upon receipt of a notice of error (including an unauthorized EFT) from the consumer. Thus, on the latter point, a financial institution may not require a consumer to first contact the merchant about the potential unauthorized EFT before the financial institution initiates its error resolution investigation.

Computer–Security Incident Notification Rule

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC, and each of the OCC, the Board, and the FDIC, a “federal banking agency”) published on November 23, 2021 a final rule that requires a banking organization supervised by one of the federal banking agencies and its bank service provider, if any, to provide notifications regarding certain computer-security incidents. The rule becomes effective April 1, 2022, with a compliance date of May 1, 2022.

A banking organization covered by the rule is required to notify the applicable federal banking agency “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred,” through one of the notification methods specified in the rule. A “notification incident” is “a computer–security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade” a banking organization’s business operations, activities, processes, business lines, products, or services identified in the rule. A “computer–security incident” is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

When a bank service provider covered by the rule determines that it “has experienced a computer–security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade,” for four or more hours, services covered by the Bank Service Company Act that it provides to banking organizations, the bank service provider must notify (in accordance with the notification methods specified in the rule) each affected banking organization as soon as possible.

In response to comments received on the proposed rulemaking, the federal banking agencies made changes to the final rule, including to narrow and clarify the scope of incidents that require notification and exclude from the scope of the rule (both as banking organizations and as bank service providers) financial market utilities (FMUs) designated as systemically important by the Financial Stability Oversight Council. The final rule explains that designated FMUs (DFMUs) supervised by the Securities and Exchange Commission or the Commodity Futures Trading Commission are subject to incident notification requirements in other federal regulations and that Board-supervised DFMUs are subject to risk-management standards under the Board’s Regulation HH. Also, according to the final rule, the Federal Reserve Bank financial services are subject to separate risk-management standards or incident communication protocols and are not within the scope of the rule.

Proposed Amendments to Regulation J

The Board published on June 11, 2021 proposed amendments to its Regulation J. The Board adopted the amendments, largely as proposed, on June 6, 2022, with an effective date of October 1, 2022. The Board had sought comments on its proposal to (i) make technical corrections to subpart A (which governs the collection of checks and other items by the Federal Reserve Banks), (ii) make technical changes and clarifications to subpart B (which governs funds transfers through the Fedwire® Funds Service), and (iii) add a new subpart C that will provide a set of rules governing funds transfers over the Federal Reserve Banks’ new FedNow℠ Service.

For subpart A, the Board proposed updating cross-references to regulations that are no longer current. For subpart B, the Board proposed making a number of technical changes and clarifications, including to clarify that a sender may not send a payment order to a Federal Reserve Bank that specifies an execution date or payment date that is later than the day on which the payment order is issued, unless the Federal Reserve Bank agrees in writing to follow such instructions. The Board also proposed removing Appendix B to subpart B, through which the 1989 version of U.C.C. Article 4A was incorporated into subpart B; instead, the 2012 version of U.C.C. Article 4A will be incorporated into Regulation J through a new Appendix A to the regulation (not just as an appendix to subpart B only).

With respect to new subpart C, while “[m]any of the concepts embodied in the proposed subpart C are similar to those currently in subpart B,” there are unique provisions that reflect the different nature of the FedNow Service in comparison to the Fedwire Funds Service. These provisions include (i) a provision obligating a beneficiary’s bank to pay the amount of a payment order to the beneficiary of the order “immediately” after it has accepted the payment order (which reflects that the FedNow Service is designed for end-to-end transfers to be completed in seconds), (ii) provisions reflecting that the FedNow Service will permit a participant to settle activity over the FedNow Service in the master account of a correspondent bank (by contrast, the Federal Reserve Banks do not permit the use of correspondent bank master accounts to settle activity over the Fedwire Funds Service); and (iii) a provision stating that all funds transfers over the FedNow Service are governed by proposed subpart C (whether large institutional transfers or consumer transfers), even if a portion of the funds transfer is governed by EFTA (though in the event of an inconsistency between subpart C and EFTA, EFTA will prevail to the extent of the inconsistency).

U.C.C. Article 4A Cases

Misdescription of Beneficiary

Under U.C.C. section 4A-207(b), if a beneficiary’s bank receives a payment order identifying a different beneficiary by name and account number, but the beneficiary’s bank does not know of the discrepancy, it may rely on the number to identify the appropriate beneficiary; “knowledge” means “actual knowledge.”

In Nirav Ingredients, Inc. v. Wells Fargo Bank, N.A., the court considered the standing of the beneficiary identified by name in a payment order to bring a claim against the defendant beneficiary’s bank for making payment to the beneficiary identified by account number in the payment order, which identified a fraudulent bank account. The plaintiff alleged that the defendant knew of the mismatch between the beneficiary’s name and account number in the payment order and that the beneficiary identified by account number did not have rights as beneficiary; as a result, under section 4A-207(b)(2), acceptance could not occur. Instead, the plaintiff argued that the funds should be transferred to it because it was the intended beneficiary. The court held that the plaintiff did not have a right of action under Article 4A as the supposed intended beneficiary of the payment order.

In Golden State Concessions LLC v. Wells Fargo Bank N.A., the district court for the Northern District of California held that plaintiff originator had adequately alleged that defendant, as both originator’s bank and beneficiary’s bank for the payment orders at issue in the case, made a payment to the beneficiary identified by account number even though it had actual knowledge of a discrepancy between the beneficiary’s name and account number. The plaintiff alleged that the account into which the funds were transferred was a business account, and that Wells Fargo confirms that, when a payment is made via payment order to a Wells Fargo business account, the account is maintained by the entity identified as the beneficiary in the payment order. Plaintiff alleged that Wells Fargo’s internal systems had identified the owner of the beneficiary’s account as a different entity than the beneficiary identified by name in the payment order.

The district court for the Central District of California, in Grand Bayman Belize, Ltd. v. Wells Fargo & Co., granted the defendant beneficiary’s bank’s motion for summary judgment under section 4A-207(b). The defendant argued that it processed the payment order at issue based on the beneficiary’s account number, with no human intervention and no actual knowledge of the mismatch. The defendant presented declaration testimony and business records—none of which was challenged—showing that the defendant’s funds transfer system processed the payment order automatically, without human intervention or actual knowledge of the mismatch, within seven seconds of receipt of the payment order. The court concluded that the plaintiff had failed to raise a genuine dispute of fact, even though the log for the payment order had noted a “possible name mismatch,” which the defendant attributed to a missing software application.

Security Procedures

U.C.C. section 4A-204 sets out loss-allocation rules for fraudulent payment orders. Under section 4A-204, a receiving bank may shift the loss of a fraudulent payment order to its customer that sent the order if, under section 4A-202, “the bank proves that it accepted the payment order in good faith and in compliance with . . . [an agreed-upon, commercially reasonable] security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.” The definition of “good faith” has both subjective and objective components: honesty in fact and the observance of reasonable commercial standards of fair dealing.

In Precision Computer Services, Inc. v. Newtown Savings Bank, the Superior Court of Connecticut considered whether the defendant receiving bank accepted a fraudulent payment order in good faith and in compliance with the agreed-upon security procedure in accordance with section 4A-202(b). The security procedure required the customer’s payment orders to be originated by one of three authorized employees of the customer and one of those three authorized employees (though not the same one) to then confirm the payment order request; the defendant was not required to confirm the payment order request on a telephone call with an authorized employee. For the payment order at issue, an imposter sent the payment order instructions via email to the defendant, using an email address that spoofed one of the authorized employees’ email addresses; one of the three authorized employees subsequently confirmed the payment order. The court held that the defendant did not accept the order in compliance with the security procedure because an authorized individual did not originate the payment order.

In dicta, the court further noted that the defendant did not accept the payment order in objective good faith. The court explained that the defendant had effectively used a procedure that included only single-factor authentication: obtaining confirmation of the payment order by an authorized individual via email. In comparison, “contemporary reasonable commercial standards of fair dealing require multifactor authentication.” The court identified how the defendant could have used multifactor authentication to verify the payment order: The defendant could have called the employee that supposedly originated the payment order or required him to answer security questions or provide an identification code.

The district court for the Southern District of Florida, in Alvarez Rodriguez v. Branch Banking & Trust Co., considered, in dicta, whether the defendant receiving bank accepted the payment orders at issue in good faith and in compliance with a commercially reasonable security procedure. The security procedure relied on a two-factor authentication process that required the customer to provide (i) a customer ID, user ID, and password, and (ii) a token to originate payment orders. The court concluded that, because the security procedure complied with the multifactor authentication standards set forth in the Federal Financial Institutions Examination Council’s 2005 Guidance and 2016 Information Technology Handbook, the security procedure was commercially reasonable. The court further noted that the defendant met its burden of showing that it acted in good faith because the two-factor authentication process was completed for all the payment orders at issue, and the plaintiff presented no evidence that defendant failed to act with honesty in fact.

Obligation to Pay

In Levin v. Islamic Republic of Iran, the court analyzed the application of section 4A-402(e) to a funds transfer that was not completed due to the blocking of funds by Wells Fargo Bank, N.A., an intermediary bank in the funds transfer at issue, at the direction of the Office of Foreign Asset Control. In that case, judgment creditors against the Islamic Republic of Iran sought to recover the blocked funds to satisfy their judgment. Their ability to recover under applicable federal law hinged on whether the Republic of Iran had a property interest in the blocked funds.

If the sender of a payment order pays the order but is not obligated to do so, including where the funds transfer was not completed, “the bank receiving payment is obliged [under section 4A-402(d)] to refund payment to the extent the sender was not obliged to pay.” Known as the “money-back guarantee,” this provision reflects the general rule that each party in a funds transfer may only recover payment from the next party in the funds transfer chain. An exception exists under section 4A-402(e):

If . . . an intermediary bank is obliged to refund payment . . . but is unable to do so because [it is] not permitted by applicable law[,] . . . a sender in the funds transfer that executed a payment order in compliance with an instruction . . . to route the funds transfer through that intermediary bank is entitled to receive or retain payment from [the preceding sender]. The first sender in the funds transfer that issued an instruction [to route the funds transfer] through [the] intermediary bank is subrogated to the right of the bank that paid the intermediary bank to refund [from the intermediary bank].

The Levin court first concluded that, under the general principle of section 4A-402, the Republic of Iran, as originator, had no claim to the funds against Wells Fargo since it had not received the payment order directly from the Republic of Iran; the Republic of Iran, as the originator, had sent its payment order to the originator’s bank, which in turn sent a payment order to Wells Fargo. The court subsequently concluded that the Republic of Iran also had no claim to the funds against Wells Fargo through the subrogation provision in section 4A-402(e), on the grounds that the bank in the chain that sent the payment order to Wells Fargo had chosen to use a different intermediary bank than the one requested by the Republic of Iran. Thus, the sender did not execute a payment order in compliance with an instruction to use that intermediary bank, and the originator was not subrogated to the sender’s right to a refund from the intermediary bank.

The district court for the Eastern District of Virginia, in Blue Flame Medical LLC v. Chain Bridge Bank, N.A., considered when a beneficiary’s bank may cancel an accepted payment order, and the impact of cancellation on a beneficiary’s bank obligation to pay under section 4A-404. When a beneficiary’s bank accepts a payment order in accordance with section 4A-209, the bank is obliged to pay the amount of the order to the beneficiary under section 4A-404(a), other than when the accepted payment order is subsequently cancelled under section 4A-211(e) (in which case, no person has any right or obligation based on the acceptance). If the beneficiary’s bank refuses to pay after demand by the beneficiary and notice of particular circumstances that will give rise to consequential damages due to nonpayment, the beneficiary may recover damages that result from the refusal to pay.

In Blue Flame, defendant beneficiary’s bank had accepted a payment order by crediting the funds to plaintiff’s account. Because of concerns about the business transaction underlying the funds transfer, JPMorgan Chase Bank, N.A. (JP Morgan), which had sent the payment order to the defendant, requested cancellation of the payment order. Beneficiary’s bank agreed to cancel the payment order and returned the funds to JPMorgan. The court noted that, in order for the defendant to cancel an accepted payment order, it must have agreed to the cancellation, and the cancellation must have been made to correct one of three mistakes specified in section 4A-211(c)(2): the payment order was a duplicate order, the payment order orders payment to a beneficiary not entitled to receive payment from the originator, or the payment order orders payment in an amount greater than the beneficiary was entitled to receive from the originator. The court found that, while the defendant agreed to cancel the payment order, there was no mistake that met the requirements of section 4A-211(c)(2); it rejected the defendant’s argument that there was a mistake because the originator had originated the funds transfer after being misled about the nature of the beneficiary’s business. As a result, the defendant could not avoid its obligation to pay under section 4A-404(a). Notwithstanding that, the court granted the defendant’s summary judgment motion because the plaintiff could not prove that it sustained any damage from the defendant’s return of the funds to JPMorgan.

Statute of Repose

The court, in Alvarez Rodriguez, considered the ability of parties to contractually shorten the one-year statute of repose in section 4A-505. Under section 4A-505, if “a receiving bank has received payment from its customer” for the customer’s payment order, “and the customer received notification reasonably identifying the order, the customer is precluded” from disputing payment for the order “unless the customer notifies the bank of . . . [its] objection to the payment within one year” after the customer received the notification. The one-year limit may be contractually modified by parties to a funds transfer under section 4A-501(a).

The customer and receiving bank, in Alvarez Rodriguez, agreed that the customer shall notify the receiving bank within thirty days of “any errors, discrepancies, or fraudulent transactions.” Citing other decisions, the court held that the thirty-day period was enforceable, and that it applied to and barred customer’s section 4A-204 claims as untimely.

Displacement of Common Law

U.C.C. Article 4A is intended to be “the exclusive means of determining the rights, duties and liabilities of the affected parties in any situation covered by particular provisions of the Article,” and “resort to principles of law or equity outside of Article 4A is not appropriate to create rights, duties and liabilities inconsistent with those stated in [Article 4A].” In 2021, a number of courts considered Article 4A’s displacement of inconsistent common law claims.

In Clayton v. Dollar Bank, the district court for the Western District of Pennsylvania considered whether the Board’s Regulation J completely preempted the plaintiff’s state law negligence claim such that the case was removable to federal court under the complete preemption doctrine. The complete preemption doctrine applies when a federal cause of action completely displaces a state law cause of action in a complaint such that the state law claim effectively is converted into a federal law claim and thus is removable to federal court; the court must assess whether Congress, in enacting the enabling statute, intended for the regulation to preempt completely state law and create a federal law cause of action. The plaintiff alleged that the defendant was negligent in protecting her from a fraudulent scheme and violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law through misleading advertising claims regarding keeping client information safe. The court held that there was no evidence that Congress, in enacting the Federal Reserve Act, intended for Regulation J to preempt completely the state law claims asserted in the case. The court determined that it would remand to the state court on the grounds that the relevant provisions of the Federal Reserve Act and Regulation J do not create a federal law private right of action.

U.C.C. Articles 3 and 4 Cases

Employer’s Responsibility for Fraudulent Checks

Two recent cases explore the operation of U.C.C. sections 3-405 and 3-406 as they relate to an employer’s responsibility for certain fraudulent checks. Section 3-405 addresses liability where an employer entrusts an employee with responsibility for a check, the employee fraudulently indorses the employer’s check in the name of the person to whom it is payable, and the employer’s bank pays the check. Under such circumstances, the employer is generally liable for the amount of the check unless the employer’s bank acted negligently in paying it. The policy underlying this provision is that an employer is in a better position to avoid the loss through its hiring processes and selection of employees, ability to supervise them, and use of other methods to prevent fraud involving checks payable to, or issued by, the employer. Under U.C.C. section 3-406, which applies more broadly, “[a] person whose [negligence] substantially contributes to an alteration of an instrument or . . . a forged signature on an instrument is precluded from asserting the alteration or forgery against a person who, in good faith, pays the instrument or takes it for value or collection.” This provision acts as a defense to liability for a person that accepted the fraudulent check in good faith. If the “person asserting the preclusion [e.g., a bank that paid the fraudulent check] fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to [the] loss,” a comparative negligence scheme allocates the loss “between the person precluded and the person asserting the preclusion according to the extent to which the failure of each to exercise ordinary care contributed to the loss.”

In Severin Mobile Towing, Inc. v. JP Morgan Chase Bank, N.A., the Court of Appeal of California reversed a trial court decision and held that JP Morgan was not entitled to summary judgment under U.C.C. section 3-405 because the bank had failed to establish that the employee of Severin Mobile Towing, Inc. (Severin) had endorsed the checks in the towing company’s name. In addition, the bank was not entitled to summary judgment under U.C.C. section 3-406 because, on the record before it, the court could not say “as a matter of law that a family-owned business ‘fail[ed] to exercise ordinary care’ in supervising its long-time, trusted employee, who was intentionally stealing checks and misfiling corresponding invoices.”

A Severin employee misappropriated 211 checks (totaling $156,805.30 in associated funds) made payable to “USA Towing”—the plaintiff’s “doing business as” name—endorsed them with what appeared to be the employee’s own name or initials, and deposited them into the employee’s personal account at JP Morgan. These checks were deposited at the bank’s ATMs and were not subject to “human review.” When the plaintiff discovered the fraud, it sued the bank for negligence and conversion under the U.C.C. and for violating California’s unfair competition law. The bank moved for summary judgment on all of the plaintiff’s claims, arguing that the plaintiff’s claims as to 34 of the 211 checks were time barred by the statute of limitations and the others were barred by defenses under sections 3-405 and 3-406 of the U.C.C. due to the plaintiff’s alleged negligence in supervising its employee.

In its analysis, the court explained that “(generally speaking) … [section 3-405 of the U.C.C.] shields a bank from liability for accepting a check made out to an employer if an employee ‘fraudulently indorse[d]’ the check by signing it in a manner ‘purporting to be that of the employer’ … and the bank exercised ‘ordinary care’ in accepting the check ‘in good faith.’” In granting the bank’s motion for summary judgment, the trial court accepted the bank’s argument—supported by an expert witness—that its automated deposit procedures met the ordinary care standard. JP Morgan emphasized the definition of “ordinary care” set forth in section 3-103 of the U.C.C., “which, in certain circumstances, allows banks to accept checks ‘by automated means’ without ‘examin[ing]’ them.” The trial court did not reach the issues raised by the claims involving U.C.C. section 3-406 and entered judgment for the bank.

On appeal, Severin argued that the bank had not established that Severin’s employee fraudulently indorsed the checks at issue “in a manner ‘purporting to be that of [his] employer’” as required under section 3-405(a)(2). The appellate court agreed that, because the employee “endorsed the checks with what appears to be his own name or initials, rather than the name Severin or USA Towing,” no fraudulent indorsement under section 3-405 had occurred. Thus, because there was no fraudulent endorsement and section 3-405 of the U.C.C. did not apply, the U.C.C. provision allocating liability to the employer did not govern. In rejecting the trial court’s decision to grant summary judgment in favor of the bank, the appellate court explained:

We agree with section 3405’s risk-shifting policy as it relates to fraudulent indorsements. In that context, in which an employee’s endorsement “purport[s] to be that of the” employer or its payee, the employer is better situated than the bank to prevent or detect fraud—all the bank sees is a seemingly proper endorsement by the payee. But in the context presented here, in which an employee endorsed checks made payable to his employer in a name that does not appear on its face to be that of the employer, the bank is equally well-suited to detect the apparent mismatch and there is no need to shift the risk of loss to the employer.

As previously noted, section 3-406 provides a defense to liability for paying a fraudulent check where the victim’s negligence substantially contributed to the fraud, and the person paying the check did so in good faith. JP Morgan introduced evidence that Severin failed to exercise ordinary care because, for example, the employee at issue had greater control over the process of receiving check payments than other managers. Severin introduced contrary evidence demonstrating, among other things, that the employee was “a trusted employee and Severin’s first hire[,]” that “a subsequent background check . . . came back clean,” and that Severin had other controls. Ultimately, the appellate court determined that it “cannot say as a matter of law that a family-owned business ‘fail[ed] to exercise ordinary care’ in supervising its long-time, trusted employee, who was intentionally stealing checks and misfiling corresponding invoices.” Thus, JP Morgan was not entitled to summary judgment under section 3-406 of the U.C.C.

In contrast, in Dog Bites Back, LLC v. JPMorgan Chase Bank, N.A., JP Morgan was successful in its motion to dismiss under U.C.C. sections 3-405 and 3-406. The U.S. District Court for the District of Nevada evaluated JP Morgan’s motion to dismiss in response to the plaintiff’s complaint that the bank had failed to exercise ordinary care under these provisions, among other claims, when the bank accepted fraudulent checks that had been forged by an employee of the plaintiff, Dog Bites Back, LLC (Dog Bites Back).

Between June 18, 2019 and March 24, 2020, Dog Bites Back’s accounting manager forged forty-three checks, totaling approximately $142,457.35, that were drawn on Dog Bites Back’s business checking account at JP Morgan. Upon discovery, Dog Bites Back notified JP Morgan and sought reimbursement for the misappropriated funds, but the bank denied the request. Dog Bites Back then brought claims under sections 3-405 and 3-406, among others, based on the bank’s alleged negligence.

In its examination of the plaintiff’s claims, the court noted that, in Nevada, “there are two [U.C.C.] provisions that create causes of action by an employer against a depositary bank to recover instruments fraudulently endorsed by an employee” and explained the operation of U.C.C. sections 3-405 and 3-406. Ultimately, the court highlighted a key takeaway: “Both statutes impose liability if a person fails to exercise ordinary care.”

The court then cited the definition of “ordinary care” set forth in section 3-103 of the U.C.C., which, as discussed in Severin, permits banks in certain circumstances to accept checks “by automated means” without examining them, provided “the failure to examine does not violate its prescribed procedures and its procedures do not vary unreasonably from general banking usage not disapproved by this Article or Article 4.” The court pointed out, however, that Dog Bites Back “does not allege how JPMorgan’s failure to compare the signatures on the forty-three . . . checks violated the non-alleged policies, or even general banking usage” as required for a violation of the ordinary care standard defined in section 3-103. Describing such failure as fatal, the court thus granted JP Morgan’s motion to dismiss Dog Bites Back’s claims under both sections 3-405 and 3-406.

Stop Payment Orders

In Harpeth Financial Services LLC v. Pinson, the Court of Appeals of Tennessee evaluated issues relating to a drawer’s ability to stop payment of a check, as well as holder-in-due-course status, which grants the holder special rights to enforce an instrument. The case involved a $3,000 check payable to “Jim Tinson Elec Ser” that Jimmy Clay Pinson, Jr. cashed at Harpeth Financial Services, LLC (Harpeth), a non-bank check-cashing company. Prior to cashing the check, Harpeth reached out to the drawer (Flora E. Morris) to confirm the check and payee. The check was later returned by the paying bank due to the drawer’s stop payment order. Harpeth sued both Mr. Pinson and Ms. Morris. However, Mr. Pinson was not served and was not a party to the case. Harpeth alleged that Ms. Morris fraudulently stopped payment on her check after confirming the check to Harpeth under a Tennessee “bad check” law that provides certain remedies to the holder of a check when the check’s maker establishes a stop payment order with fraudulent intent.

Ms. Morris claimed that she had hired a man named Jim Tinson to perform electrical work and wrote the check to “Jim Tinson Elec Ser,” but that he did not show up and that, believing she had been defrauded, she stopped payment on the check two days before Mr. Pinson cashed it. Harpeth’s claims were dismissed at the trial court level, and on appeal, Harpeth argued that it was a holder in due course and thus, even if Ms. Morris had the right to stop payment on the check, she remained liable on the instrument to the holder in due course. Ms. Morris argued that Harpeth was not a holder in due course because it had not accepted the check “in good faith,” a requirement for holder-in-due-course status under the U.C.C. Among other things, she cited facts that she claimed conclusively established Harpeth’s lack of good faith, including that: “[t]he number [Harpeth’s] customer provided [for Harpeth to contact Ms. Morris] was not the number of [Ms. Morris] and had never been her number[,]” “[Harpeth] claims to have verified [Ms. Morris’s] social security number and date of birth but never wrote it in their file and admitted that they had no way to know [Ms. Morris’s] actual social security number and date of birth to ascertain if it was even accurate[,]” and “[Harpeth] was on notice that their own customer had a bad check history with them on prior occasions.”

However, the court determined that additional findings were necessary to evaluate whether Harpeth was a holder in due course, including with respect to whether the check was properly indorsed and Harpeth had taken it in good faith, and remanded to the lower court. The court also dismissed Harpeth’s claims under the “bad check law” because stopping payment on a check after Mr. Pinson failed to perform services that Ms. Morris had paid for with a check was not fraudulent. Thus, the court held that Harpeth did not “establish that Ms. Morris fraudulently stopped payment on the check or allowed the check to be dishonored due to insufficient funds.”

Altered vs. Counterfeit Checks

Under the U.C.C., the depositary bank generally bears the loss for an alteration (e.g., a change to the terms of a check), while the paying bank generally bears the loss for a forged drawer’s signature. This is because a paying bank may not pay a check that is not properly payable, and a presenting bank warrants that a check it presents is not altered. With respect to an unauthorized drawer’s signature, a presenting bank warrants to the paying bank only that it has no knowledge of an unauthorized drawer’s signature. This fundamental principle of check fraud loss allocation between banks is based on the longstanding rule from the seminal decision in Price v. Neal. It reflects the policy view that the paying bank is in the best position to assess the validity of a drawer’s signature to determine whether it is the authorized signature of the drawer, while the depositary bank is in the best position to review the check at the time of deposit to determine if the item has been altered.

In Provident Savings Bank, F.S.B. v. Focus Bank, the U.S. District Court for the Eastern District of Missouri highlighted this important distinction between an altered check and a counterfeit check under the law, as well as important rules related to the required timeline for returning a check. The court evaluated which of two banks was liable for a fraudulent check, the depositary/presenting bank, Provident Savings Bank (Provident Bank), or the paying bank, Focus Bank. A customer of Provident Bank (Charlene Baillie) deposited in her account a check from Medlin Equipment Company (Medlin, the purported drawer), drawn on Focus Bank, for $150,520.00 that was payable to Baillie Client Trust Account. Provident Bank presented the check to Focus Bank for payment and Focus Bank paid it. After the check had been paid, Medlin notified Focus Bank that the check was not authorized. Focus Bank then returned the check. Three days later, Provident Bank submitted an adjustment claim (“Claim of Late Return”) through the Federal Reserve’s check adjustments service, resulting in a credit to Provident Bank’s account and a debit to Focus Bank’s account. This adjustment claim was based on Focus Bank’s return of the item outside the U.C.C. return timing requirements, which require the paying bank to pay or return the item by midnight of the banking day following the banking day of presentment (“midnight deadline”). Focus Bank contested this adjustment by indicating the check was “altered or fictitious” and included an “Affidavit of Alteration” claiming that the check was a “fraudulent item” and contained a “forged signature.” The Federal Reserve then credited Focus Bank’s account and debited Provident Bank’s account. Provident Bank subsequently brought claims against Focus Bank for strict liability under U.C.C. section 4-302 for failing to return the check by the U.C.C. “midnight deadline,” breach of warranty under Regulation CC by which a returning bank warrants compliance with the midnight deadline, and common law negligence. Provident Bank argued that it was entitled to summary judgment on its strict liability claim regarding compliance with the midnight deadline “because it is undisputed that Focus Bank, the payor bank, paid the Check and did not return it or send notice of dishonor until long after the midnight deadline, and instead returned the Check through the Federal Reserve at a later date, stamped as Altered/Fictitious.” While the U.C.C. does generally provide for strict liability for non-compliance with the midnight deadline, an exception exists when there is a breach of a presentment warranty.

As an affirmative defense, Focus Bank pleaded “that Provident Bank breached one or more of its presentment warranties.” In particular, Focus Bank alleged that Provident Bank had breached the presentment warranties in U.C.C. section 4-208(a)(3) (“that it did not have knowledge the signature of the purported drawer on the check was unauthorized”) and section 4-208(a)(2) (“that the check had not been altered”). Focus Bank relied on an expert witness to support its argument that the check was “altered” by alleging that:

[T]he Check was created by (i) making a digital image of a genuine, original check drawn on Medlin’s account at Focus Bank and signed by Mr. Parris, then (ii) digitally altering the captured image to create an altered version of the digital image by changing the payee, the amount, the check number, and the date while leaving every other element of the digital image unchanged, and finally (iii) printing the Check on commercially available check stock.

However, the court did not agree. Referencing the definition of “alteration” under the U.C.C., the court illustrated the core distinction between altered and counterfeit checks and related allocation of liability. Quoting prior decisions on the issue, the court explained that “[a]n altered check is an original, genuine check that has undergone a physical change, modification, or effacement of some sort,” whereas a “forged or counterfeit check replaces the genuine check, such as where fraudsters use ‘sophisticated copying technology to produce a copy that was identical in every respect to the original check (including the authorized signature by [the purported payor]) except for an undetectable change of the payee’s name.’” The court held that Provident Bank was entitled to summary judgment on Focus Bank’s affirmative defense that it breached its presentment warranty that the check had not been altered because “Focus Bank does not cite any case to support the proposition that a digitally altered copy of a genuine check, modified and then printed on commercially available check stock, is an ‘alteration’ under the [U.C.C.]”

Notably, because the original paper check at issue in Provident Savings Bank was available for inspection, the Regulation CC presumption of alteration did not apply here. The Federal Reserve amended Regulation CC in 2018 to establish an evidentiary presumption of alteration, which became effective on January 1, 2019. In issuing the rule, the Federal Reserve explained that: “Courts have reached opposite conclusions as to whether a paid, but fraudulent, check should be presumed to be altered or forged in the absence of evidence (such as the original check).” The rule is intended to “address situations where there is a dispute as to whether a check has been altered or was issued with an unauthorized signature, and the original paper check is not available for inspection.” In explaining the rule’s rationale, the Federal Reserve stated that this evidentiary presumption “was intended to create a uniform starting point that recognized the operational realities of check fraud in the absence of evidence.”

The views expressed in this survey do not necessarily reflect the views of the Federal Reserve Bank of New York or any other component of the Federal Reserve System, nor the views of The Clearing House Payments Company.