Gone are the days when paper checks were used as the dominant means for making payments from accounts. The number of checks written has so rapidly declined that the Federal Reserve Bank now operates only one clearing location for paper checks, in Cleveland, down from 45 locations. Press Release, Fed. Reserve System, Fin. Servs. Policy Comm., Federal Reserve Banks Complete Check Processing Infrastructure Changes (Mar. 2, 2010). The majority of Americans, consumers and businesses alike, prefer the ease and convenience of electronic banking. In fact, as of 2013, 51 percent of United States adults and 61 percent of Internet users bank online. Susannah Fox, 51% of U.S. Adults Bank Online(Pew Research Ctr. Aug. 7, 2013). This reflects the modern reality that banking is increasingly becoming an electronic endeavor.
All exchanges of payment, including electronic payments, depend on the concepts of “good faith” and “commercial reasonableness.” These concepts, however, were first memorialized into law when physical paper checks were actually carted across the country between financial institutions. Thus, the age-old idea of good faith presents unique concerns in the modern world of high-speed electronic payment orders. Debate and exploration of the role of good faith in the evolving electronic banking world has been the subject of several important recent federal court decisions. The cases of Experi-Metal, Inc. v. Comerica Bank, No. 09-14890, 2011 WL 2433383 (E.D. Mich. June 13, 2011), and Choice Escrow & Land Title, LLC. v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), offer valuable exploration of the contours of good faith in the context of electronic payment orders; in particular, the potential for conflict between the general definition of good faith under the Uniform Commercial Code (UCC) and its specific use in UCC section 4A-202.
UCC Section 4A-202 In the world of commercial electronic payment orders, the main rules of the legal road are found in Article 4A of the UCC. Payments that are covered by Article 4A are “overwhelmingly between businesses or financial institutions” as opposed to individual, consumer-related payment orders, which are covered by the Electronic Funds Transfer Act. The focus of Article 4A is on commercial fund transfers, or “payment order[s],” which may be oral, written, or electronic, and instruct one bank to pay another bank on behalf of a sender. See UCC § 4A-103(a)(1). Article 4A seeks to use “precise and detailed rules to assign responsibility, define behavioral norms, allocate risks, and establish limits on liability in order to allow parties to predict and insure against risk with greater certainty.” Patco Const. Co., Inc. v. People’s United Bank, 684 F.3d 197, 207 (1st Cir. 2012). This balanced system of risk allocation, particularly UCC section 4A-202, includes as one of its key elements the concept of good faith.
Generally, a bank receiving a payment order bears the risk of unauthorized or fraudulent activity with respect to that payment. See U.C.C. § 4A-204. However, UCC section 4A-202 provides two ways that the bank can shift the risk of loss to the commercial customer. First, under UCC section 4A-202(a), the bank may show that the payment order was authorized by the sender, either in fact or under the laws of agency. Second, a bank may shift the loss to the customer under UCC section 4A-202(b) under a concept often called “authorization by process.” Here the UCC provides:
If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faithand in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.
U.C.C. § 4A-202(b) (emphasis added).
In summary, after establishing that its security procedure is commercially reasonable, the financial institution must also prove it “accepted the payment order in good faith.”
Defining Good Faith in the Context of Electronic Payment Orders Good faith is defined elsewhere in the UCC as “honesty in fact and the observance of reasonable commercial standards of fair dealing.” See U.C.C. § 1-201(20). This definition has both a subjective element, honesty in fact, and an objective element—the observance of reasonable commercial standards of fair dealing. Choice Escrow, 754 F.3d at 622. The subjective, “honesty in fact” prong is often characterized as the “pure heart, empty head” standard. See Margaret L. Moses, “The New Definition of Good Faith in Revised Article 1,” 35 UCC L.J. 47 (2002). In comparison, the objective prong of the definition mandates the observance of reasonable commercial standards of fair dealing. This element of the definition is “concerned with fairness of the conduct rather than the care with which the act is performed.” See U.C.C. § 1-201 cmt. 20.
Legal friction is created when this general UCC definition is layered on the specific directive found in Article 4A. As noted, UCC section 4A-202(b) already contains the objective prong of the good-faith inquiry. The loss-shifting rules cannot be invoked until the bank has proven as a matter of law that its account contract employed “a commercially reasonable method of providing security.” See U.C.C. § 4A-202(b). Yet, the customer must then be given what some commentators suggest is a second bite at the same apple because UCC section 4-A-202(b) also requires the bank to prove it accepted the payment order in good faith as it is defined in the full Article 1 definition of the term.
As the UCC’s drafters elected to do in Article 5, one could argue that only the “subjective” element of the definition of good faith should be employed in section 4A-202(b)’s second phase because the “objective” element had already been addressed when the commercial reasonableness of the security procedures was evaluated. But this is not the present state of the law. Instead, contrary to the UCC’s prime directives of bringing certainty to commercial actors operating within its realm, difficulty in analysis has resulted in disparate legal conclusions. This difficulty is evident in the Experi-Metal, Inc., and Choice Escrow cases.
Experi-Metal, Inc., involved a small metal fabricating company that contracted with Comerica to establish online banking services that enabled Experi-Metal’s customers to send payment orders or receive incoming fund transfers from Comerica’s online accounts. Experi-Metal, Inc., 2011 WL 2433383, at *2. Pursuant to the contract, certain Experi-Metal employees were designated as “users” of the system, were given secure tokens to access the system, and were authorized to initiate wire transfers on behalf of the company. Id. at *3. As a result of a phishing email sent to the company, criminal hackers obtained the personal credentials and authenticating information for one of the authorized users. Id. at *7. In a matter of seven hours, the hackers initiated 93 fraudulent payment orders totaling $1,901,269.00, of which Comerica was able to recover all but $561,399.00. Id. at *7, *9.
In determining responsibility for the loss, the district court first found that the Experi-Metal employee whose credentials were stolen was authorized to make the transaction and that Comerica complied with the account agreement with Experi-Metal when it accepted the fraudulent payment orders. Id. at *11. The court next turned to whether the bank had accepted the fraudulent payment orders in good faith under UCC section 4A-202(b). Because there was no evidence in the record suggesting that the bank’s employees acted dishonestly and in violation of the subjective, “honesty in fact” prong of good faith, the court focused exclusively on the issue of whether the bank acted in “observance of reasonable commercial standards of fair dealing”—the objective prong of the good-faith inquiry. The court adopted the Maine Supreme Court’s approach to this analysis and considered two factors: (1) whether the conduct of the holder comported with industry or “commercial standards” applicable to the transaction, and (2) whether those standards were reasonable standards intended to result in fair dealing. Id. at *12.
The court concluded that Comerica had failed to meet its burden on the objective prong of good faith because it failed to present evidence from which the court “could determine what the ‘reasonable commercial standards of fair dealing’ are for a bank responding to a phishing incident such as the one at issue and thus whether Comerica acted in observance of those standards.” Id. at *13.
Dictum in the case suggests that great weight was placed on the case’s unique facts, including the unusual volume and frequency of the subject payment orders, the $5 million overdraft created by the book transfers in what is normally a zero balance account, Experi-Metal’s prior limited wire activity, the foreign receivers of the funds, and Comerica’s general knowledge of phishing scams. Id. at *14. Therefore, despite the fact that Comerica had complied with its established commercially reasonable security procedures, it failed to prove that it accepted the payment in good faith because it could not show that any bank, anywhere, acting in a commercially reasonable manner would not have detected the phishing scheme earlier and stopped the fraudulent wire activity. Id.
Compare the broad approach of the Experi-Metal court with the more narrow approach of the Choice Escrow court with respect to the issue of good faith under UCC section 4A-202(b). In Choice Escrow, a real estate escrow service sued BancorpSouth Bank, claiming that $440,000 was stolen from its account when a hacker accessed Choice’s online account at BancorpSouth and initiated wire transfers to another account in the Republic of Cypress. Choice Escrow, 754 F.3d at 613. BancorpSouth offered four security measures to Choice to protect its escrow account. Id. at 614. Choice availed itself of only two: (1) the requirement that each Choice employee register a unique user ID and password, and (2) device authentication software that catalogued information about the computer and IP addresses and ensured that only verified computers accessed the accounts. BancorpSouth had also offered available dollar amount limits on the daily volume of wire transfers from the account and also a “dual control” system in which one authorized employee would receive a payment order that would remain pending until a second authorized employee approved the order. However, Choice declined to use these options as part of its security procedures. Id. at 615. Electronic payment orders authorized under these security procedures would be received by BancorpSouth, whose employees would then automatically carry out the payment orders.
As to the UCC section 4A-202 issue of whether BancorpSouth accepted the fraudulent payment orders in good faith, the Choice Escrow court appeared to focus on the narrow issue of whether BancorpSouth acts were commercially reasonable in those aspects of the transfer that were left to the bank’s discretion. Choice Escrow, 754 F.3d at 623. The court struggled to clarify the seemingly duplicative nature of the UCC section 4A-202(b) inquiry into the commercial reasonableness of a bank’s security procedures and the objective prong of good faith. It stated that “while the commercial reasonableness inquiry concerns the adequacy of a bank’s security procedures, the objective good-faith inquiry concerns a bank’s acceptance of payment orders in accordance with those security procedures.” Moreover, the court found that technical compliance with a security procedure is not enough to demonstrate commercial reasonableness; rather, a bank must show that it abided by its security procedures in a way that reflected the parties’ reasonable expectations of those procedures. In those instances where a bank’s security procedures are automated and are agreed upon by the parties, they will generally operate in a manner that is consistent with the customer’s reasonable expectations so long as the procedures do not vary from general banking usage. In other words, they will be commercially reasonable. It is interesting that the court rejected the Maine Supreme Court’s approach in Experi-Metal to define the objective commercial reasonableness prong of good faith, noting that this standard was criticized as conflating fair dealing with due care and its use in the context of Article 4A would “distort the balance of rights and obligations that Article 4A attempts to strike between the bank and its institutional customer.”
Applying this more narrow approach, the court went on to find that BancorpSouth acted in good faith when it accepted the fraudulent payment orders that cleared the bank’s commercially reasonable security procedures and were then later routed to the appropriate beneficiaries without any additional review regarding the authenticity of the orders. Id. at 623. Of particular importance was Choice’s knowledge of the lack of discretion given to BancorpSouth’s employees to review payment orders that cleared the security mechanisms and “the role of those employees not to check for any irregularities but to route these payment orders to the correct beneficiaries.” Thus, Choice got the service it reasonably expected it would receive from the bank and that it had contracted for.
The court in Choice Escrow seemed to narrow the inquiry under the objective, reasonable commercial standards of the fair dealing prong of good faith as used in the context of UCC section 4A-202(b). Under the Choice Escrow standard, the good-faith inquiry is limited to the aspects of the wire transaction where a bank’s employees exercise discretion, rather than a consideration of whether the bank’s overall response to a certain event was consistent with industry or commercial standards. Moreover, Choice Escrow shifts the focus of the good-faith inquiry away from generic, national industry standards and back to the reasonable expectations of the parties regarding the security measures in place for their electronic banking transactions.
Conclusion With the rise of electronic banking, the concept of good faith under UCC section 4A-202 is sure to be tested again. Courts will continue to wrestle with this concept, as banks increasingly interact with their customers through electronic means and these interactions will continue to be the target of cyber criminals. Courts must also not lose sight of business expectations when construing Article 4A. Electronic payment orders are favored precisely because of their relative automation and speed. For example, Choice Escrow’s business of closing real estate transactions, and the closing parties’ own expectations, require near immediate disbursal of funds from one account to another. A definition of good faith that obligates financial institutions to scrutinize a customer’s past history of payments to subjectively judge whether this payment may be unlike any others would appear to run contrary to the very expectations of the commercial actors. After the disparate results seen in Experi-Metal, Inc., and Choice Escrow, financial institutions and their account holders prudently may assume that this remains an unsettled area of legal risk. Doubtless, additional work is required before one may predict with confidence what good faith truly looks like under UCC section 4A-202 for electronic and Internet banking.
Keywords: litigation, business torts, good faith, online banking, Uniform Commercial Code