On March 12, 2016, the Washington Post reported that a nearly $1 billion cyber theft was blocked at the last minute by a bank employee who noticed a typo in the wire instructions at a foreign bank. According to the Post, but for the crooks misspelling the name of the purported recipient, a charitable foundation, as a “fandation,” the Federal Reserve Bank of New York would have sent approximately $870 million of assets to a phony account after already transmitting $80 million.
As my aunt would have said, “We should all be so lucky.” Since March this story has evolved to be part of a hack involving the SWIFT international bank messaging network. Michael Corkery, Once Again, Thieves Enter Swift Financial Network and Steal, N.Y. Times, May 12, 2016. As news comes in, discomfort grows for both banks and their corporate and institutional clients.
I have published research (How Safe Are Institutional Assets in a Custodial Bank’s Insolvency?, 68 Bus. Law. 103 (2013) (“Bank Custody”)) on whether a client can recover its assets after a custodial bank’s insolvency. Although one hopes the risk of bank insolvency is relatively remote, hacking attacks are a fact of life. As hacking techniques evolve, antihacking vendors release new software to overcome them, and the game of cat and mouse continues.
Where does this leave corporate banking clients? Who bears the loss if a hacker raids their accounts?
This article summarizes the relevant law and the practical challenges for commercial and institutional clients and concludes with items the client might consider in order to improve the likelihood of recovery. Although the law seeks a balance between the competing interests of bank and client, the client may face an uphill road to recovery.
This article does not address rights of consumers, which are covered under different law (the Electronic Fund Transfer Act, 15 U.S.C. § 1693 et seq.).
This area of law is relatively new and is intended to evolve with technology. What this means is that there are guiding principles but not absolute clarity.
A first principle is that, as noted, the law seeks a level playing field between the bank and the commercial or institutional client. The bank has the burden to prove that its security procedure was “commercially reasonable” and that it acted in “good faith,” or that the client overruled a commercially reasonable procedure of the bank’s for one of its own. If the bank meets this burden, then the client may still shift the risk of loss to the bank if the client can prove it had nothing to do with the hack.
Thus, the law does not impose liability simply on who was hacked – the bank or the client. If the bank can show it acted reasonably and in good faith, however, then the client will be liable unless it can show lack of culpability. This presents the very real question of whether current technology always is capable of “proving a negative” – that is, that the client was not hacked.
Second, the courts seem inconsistent in their “commercial reasonableness” analysis, nor is there a national standard of commercial reasonableness. Courts are permitted to be more forgiving of a local bank’s procedures than those of a major financial institution, even though the local bank may have less sophisticated tools. This may draw more clients to big banks, especially clients who do not have internal teams to monitor cash movements in real time.
Third, although the law’s focus is on electronic transfers, it also covers oral instructions. In my experience, banks continue to require broad authority to accept oral instructions regardless of client objections. The risk of loss from phony phone orders is a ticking time bomb and, in this case, the law seems to place the risk of liability on the bank.
The Recommendations section that follows offers ideas to corporate and institutional clients and their counsel looking for ways to increase the likelihood that the bank will bear the risk of loss from a cyber theft. Ultimately, though, the question is whether technology exists – and is readily available to not just the wealthiest companies – to enable a client to prove it was not responsible for the hack.
I note that this article does not address the state of law covering liability for cyber attacks at nonbanks, fintech, and other new financial intermediation platforms. This may soon become an even bigger subject than the focus here, and indeed blockchain or other developing technologies may eventually circumvent the risks discussed here.
Article 4A of the Uniform Commercial Code (UCC), first adopted in 1989, seeks to balance the rights and obligations of banks and commercial clients (referred to in the law as “customers”) arising from “payment orders,” which include oral, written, and electronic transfers. U.C.C. §§ 4A-103(a)(1), 4A-105(b)(3). It is considered the exclusive source of rights and remedies, although parties may agree to supplement the terms so long as they are not inconsistent with underlying principles. U.C.C. § 4A-202(f); Patco Const. Co. v. People’s United Bank, 684 F.3d 197, 214 (1st Cir. 2012). The UCC or its federal analog governs payment orders at all U.S. banks.
Although the law seeks to balance competing interests, article 4A initially imposes risk of loss on the bank unless: (a) the bank’s security procedure was “commercially reasonable” or the client rejected a commercially reasonable procedure; and (b) the bank accepted the payment order in “good faith” and in compliance with the security procedure and any written agreement or instruction of the client restricting acceptance of payment orders issued in the client’s name. If a bank has been commercially reasonable and acted in good faith, or even if the client directed the bank to run a faulty security procedure, article 4A nonetheless relieves the client of responsibility if it can show that the instruction came neither from an authorized representative, nor by way of a source controlled by the client. U.C.C. § 4A-202(b) and (c).
Thus, client culpability is irrelevant as a direct matter. Ultimately, however, the burden will fall back on the client and liability will ensue if, for example, an employee accepted a phishing attack that led to the hack, or the client cannot prove otherwise.
In sum, absent proof of the client’s innocence, the key questions under article 4A will be the commercial reasonableness of the bank’s security procedure, its good faith in processing the fraudulent payment orders, and whether the client demanded weaker protocols.
Under section 4A-202(c), “commercial reasonableness” is a question of law to be determined by considering the customer’s wishes and its circumstances, including the standard size, type, and frequency of its banking transactions. As recognized in the leading Patco case, commercial reasonableness is an evolving standard that should reflect market conditions and standard practices, including consideration of industry guidance, such as that published in 2005 by the Federal Financial Institutions Examination Council (FFIEC). http://www.ffiec.gov/pdf/authentication_guidance.pdf. The FFIEC guidelines recommend consideration of one or more of the following three factors:
- something the user knows, like a password or PIN;
- something the user has, like an ATM card or smart card; and
- something the user is, like a person with a unique fingerprint or biometric characteristic.
The FFIEC guidelines endorse periodic adjustment of bank security procedures in light of technological advances, the sensitivity of customer information, and known threats. “Out-of-band” protocols, such as callback verification, are also encouraged. The case law frequently cites the FFIEC guidelines.
Article 4A does not impose a best practice or even one set of standards on all banks. As stated in Patco, the “commercially reasonable” analysis does not ask whether the bank has in place the best procedure, but whether the procedure is “reasonable for the particular customer and the particular bank” or whether it satisfies “prevailing standards of good banking practice applicable to the particular bank.” In this context, Patco and the other leading cases cite section 4A-202(c) to recognize that practices found deficient at a large financial institution could be deemed reasonable at a local bank.
The facts-and-circumstances nature of the commercial reasonableness test is shown by the disparate outcomes in the two leading cases.
In Patco, the First Circuit held that a community bank’s security procedure was not commercially reasonable because the bank had the capacity but failed to monitor or report the fraudulent transactions as high risks based on the bank’s risk-scoring metric. The court remanded for further consideration. Here, the client was a small business in property development and construction that used the bank’s web-based platform mainly for weekly payroll.
Two years later in Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the Eighth Circuit upheld the commercial reasonableness of the security procedure of a regional bank despite the bank lacking any of the risk measures cited in Patco and having no means to monitor or report offshore wires. In that case, the bank wired $440,000 to an account in Cyprus. Ironically, the client earlier had asked the bank to block all offshore transfers. The client was a real estate escrow company and, unlike the Patco client, routinely wired funds.
So a small bank in Patco had insufficient procedures, whereas those of a regional bank in Choice were fine despite lacking not only the procedures of the Patco bank but even the ability to put a control on offshore transfers, which would seem to be a simple and obvious measure to have in place. Clearly, then, the Choice decision is hard to mesh with Patco. What led to the opposite result regarding “commercial reasonableness”?
Client Rejection of Bank Security Procedure
Here is where Choice can teach a lesson to all companies and institutions. To reach the legal issue of whether a client rejected the bank’s procedure, a court must first determine that the bank’s procedure was commercially reasonable. If it is not commercially reasonable, then the law looks no further; the client’s decision to take a less safe option is irrelevant, as is the client’s responsibility, if any, for the hack.
Rejection by bank clients of a commercially reasonable procedure can be unforgiving under article 4A. The client’s desire to save costs or simplify usage may be irrelevant. In Choice, the court dismissed the client’s argument that it was so small that a dual-control procedure would be a hardship. The Choice court not only questioned the client’s election to keep a single approval procedure, but also noted that an employee of the client had accepted a rather obvious phishing request that probably led to the hack.
Can the fact that the client was foolhardy or foolish rebalance the equities toward the bank outside the four corners of the written law? The Choice court clearly seemed unhappy with the client, noting that the wire should not have “raised eyebrows” (even though it was intended for an account in Cyprus) and, in dictum, without citation, that phishing scams are successful only in “one out of every few thousand recipients.” Perhaps the lesson here is simply that, putting aside client blame, the bank offered a customer a commercially reasonable procedure and the customer rejected it. However, the disparity remains between the stronger procedure rejected by Patco and the weaker one approved in Choice. It is also true that a real estate escrow company, as in Choice, is expected to send out wires of large amounts to sellers who may be located anywhere, even though the customer specifically asked not to remit offshore wires. In addition, perhaps the claims made by Choice Escrow on appeal were poorly pled, as it may appear.
There is enough in Choice to call attention to all clients of the potential risk if they reject the bank’s proposed procedure. Even if it means leaving the bank to find more palatable terms elsewhere, the client accepts all risk of staying at its current bank if something goes wrong later.
If the bank’s procedure is commercially reasonable under section 4A-202(b), the bank still must act in good faith in order to shift the risk of loss back to the client. Case law defines “good faith” as: (i) honesty in fact (what has been called a “pure heart and empty head” standard, see Experi-Metal, Inc. v. Comerica Bank, 2011 WL 2433383, slip op. at 11 (E.D. Mich. 2011)), which requires a fairly straightforward factual review; and (ii) “reasonable commercial standards of fair dealing,” which not only is more subjective but, as noted in Choice, seems similar to the commercial reasonableness standard.
It has followed that courts have evaluated fair dealing consistently with their finding of commercial reasonableness. This was so in Choice, and in Experi-Metal, after concluding that the bank’s security procedure was not commercially reasonable, the court found that the bank failed to show it had acted in good faith by carrying out the fraudulent payment order. The court cited several factors, including the client’s limited prior wire activity, the volume and frequency of the false payment orders, the destinations of the orders, and the bank’s awareness of then-current phishing attempts. Again, the good-faith analysis was consistent with the commercial reasonableness analysis.
Unless there is a question of actual honesty on the part of the bank, the good-faith test may simply be a reiteration of a “commercial reasonableness” analysis.
Even if the bank can show its procedure was commercially reasonable and it had acted in good faith, or even if it shows the client demanded a weaker procedure, the client can escape liability if it can prove that the payment order was not caused directly or indirectly by someone either: (i) with authority to act on behalf of the client with respect to payment orders or the security procedure; or (ii) who obtained access to the client’s facilities or otherwise obtained access without authority of the bank, regardless of how and whether the client was at fault. U.C.C. §§ 4A-105(a)(7), 4A-203(a).
Although article 4A is intended to keep current with the technology, the official comments to article 4A-203 seem to assume that a client’s lack of fault will be fairly easy to establish because each cyber attack on a bank will lead to internal and criminal investigations, the results of which the client can use if they prove the bank was responsible.
I do not know whether the official comments are correct that every cyber-originated bank theft will prompt an investigation, or that each investigation will be fair and thorough. However, based on my discussions with computer scientists, I am not certain that today’s more sophisticated hacks will leave a “fingerprint” proving where they originated; if they do, whether current technology can adduce it; and if it can, whether that technology is generally available, inexpensive, and easily usable. Even if there is free and simple technology that does this, however, which again is unclear, what happens if the client’s forensics show up with nothing? Does the absence of evidence of a hack prove it did not happen? What if the bank and the company each run the most cutting-edge tests and each shows nothing?
In this respect, article 4A may not account for the increasing sophistication of hackers or the technological and evidentiary challenges facing a client who was not at fault. At the very least, a company or institution is prudent if it can significantly limit employees who may initiate a payment order to a small and responsible group who will be credible witnesses and impose callbacks and other additional controls.
In addition to the tests above, there are other factors for banking clients to consider, especially in terms of documentation, oral instructions, and the extent to which article 4A extinguishes other claims against the bank.
What is the parties’ “written agreement”? Do client instructions matter? What about bank updates? As part of the article 4A analysis, under section 4A-202(b), the relevant “security procedure” encompasses the parties’ “written agreement,” which includes any “written instruction of the customer restricting acceptance of payment orders issued in the name of the customer” so long as the bank has received and has reasonable opportunity to act on it. The law does not similarly embrace a unilateral amendment or announcement by the bank, and so courts have found them not to be binding without client acceptance in writing or by course of conduct. See Chavez v. Mercantil Commercebank, 701 F.3d 896, 903 (11th Cir. 2012).
The official comments explain that the written-agreement requirement is there not to give the bank the means to restrict culpability or customize an acceptable security procedure, but rather to allow the customer to impose additional restrictions. U.C.C. Art. 4A-203, Cmt. 3. Hence the different treatment for unilateral action by the client versus that by the bank.
However, to date the courts have seemed uncomfortable with the asymmetry here. So in Choice, the client had explicitly asked the bank to bar foreign wires, yet the court found that that was an “inquiry” and not an instruction or direction. Given that a key element of commercial reasonableness under article 4A is addressing “the wishes of the customer,” the court’s parsing of the request as an “inquiry” suggests that other courts may interpret the law narrowly.
This underscores that the case law is still evolving and that clients may have a difficult time convincing a court that a bank is bound by a client instruction that the bank did not accept or cannot follow. In fairness, this may be a hard position for a bank to find itself in. In this situation, I would advise a client to go to a new bank that can accommodate its needs rather than rely on the rule finding that a client’s unilateral instruction or other action is binding on the bank under article 4A.
What is the “written agreement” specifically? In my experience, a commercial or institutional client’s overall agreement with a bank has many parts. In addition to the main agreement, often called the custody agreement, typically there are various addenda that include the website access agreement; the form of client authorization list; possibly a securities lending agreement (although less common after 2008); an FX rider; and perhaps other documents, along with updates the bank may circulate from time to time. In addition, the bank’s draft of the overall agreement typically will include a number of terms to be negotiated, including exculpatory provisions to benefit the bank, such as ones excluding recovery of punitive damages or damages in excess of, for example, one year of fees, and indemnification provisions requiring the client to pay the bank’s costs of litigating suits relating to the client’s account, including possibly lawsuits brought against the bank by the client itself. Note that sometimes one document may contain language restricting or expanding rights or duties from another document.
As noted above, courts will not incorporate updates or riders issued from time to time by the bank as part of the client’s written agreement unless the client accepted them. The common practice of automated group mailings of amendments likely will be valid if the bank can show the client received the information and failed to object or terminate the contract. The cases are replete with clients disputing receipt of updates. This raises a question of fact whether the updated terms are part of the “written agreement.” See Patco, 684 F.3d at 214.
Here the client is at a disadvantage. Given that federal regulators encourage banks to adopt uniform agreements, as noted in Bank Custody, the bank should be accustomed to mass mailings, whereas clients may not be attuned to them. In addition, although the bank would certainly keep a record of sending the notice to the client’s e-mail address, will the client’s hard drive or other storage facilities be robust enough to later recover evidence to show the client failed to open the e-mail, or that it got trapped in a spam filter? As with the question whether technology can prove a client’s blamelessness for the hack, the client may be hard-pressed to “prove a negative,” namely, that it never opened or read the communication. Given that there can be no evidence to prove a nonevent, the issue likely would be one of credibility for the trier of fact. Chelan County, Wash. v. Bank of America Corp., 2015 WL 4129937 (E.D. Wash. 2015), slip op. at 16.
To address this risk and others, I have advised clients to confirm periodically with the bank the full set of documents that the bank has on record for the client. The client should not only review all updates but ask the bank to fill in missing exhibits, delete outdated documents (which sometimes can still be there), and ensure that the bank has the client’s current list of authorized representatives and the client’s standing instructions and requisites for approvals, especially of money transfers.
Oral instructions. Recently, a leading custodial bank told my client, a billion-dollar institution, that it could not accept language banning acceptance of oral instructions. The bank explained that there are times it must track down someone by phone to approve proxy instructions if no one had responded by the deadline. Although this seemed a reasonable request for proxies or even all noncash transactions, the bank required broader language to accept oral instructions in all instances and be exculpated if it failed to validate the oral instructions in writing. The bank said that this was in all its institutional agreements.
Naturally this language is alarming to any banking client. As risky as written instructions may be, the risks of oral instructions are manifestly greater. This is magnified further by the fact that many bank custody agreements impose low standards (or in this example, no standards) on the bank for adducing the genuine identity of the people purporting to represent the client by phone.
What is the outcome of a bank’s broad authority to accept oral instructions? Assuming it is clear that the authority was sought by the bank and not the client, the key questions will be whether this is a “security procedure” and whether it is commercially reasonable. Under section 4A-201 and the attendant case law, a “security procedure” must be identified as such, and if the overall agreement is silent, then section 4A-204 deems the risk of loss to reside with the bank. So unless the bank can show the existence of a valid security procedure and that this practice is reasonable, the client should be protected here.
My concern is the reasonableness peg. If many large banks still insist on accepting oral instructions, could doing so be “commercially reasonable”? I urge my clients to ban oral instructions. If a bank insists, however, I seek to ring-fence the authority as narrowly as possible to require at least dual approvals by written or electronic action prior to any movement of cash or assets.
As noted, the bank in my client’s situation sought exculpation for its transfers under oral instructions. Does exculpation survive under article 4A?
Do contractual claims survive an article 4A litigation? As explained in Bank Custody, the custody agreement must have certain provisions to adequately protect the client. Among them is a fiduciary level of duty. On the other hand, as noted, banks typically insert provisions to limit their liability and cover their indemnification.
Given that article 4A is deemed the “exclusive” source of rights and remedies in a cyber theft, several cases have addressed whether article 4A supervenes client claims for breach of contract or of fiduciary duty, or bank exculpation or indemnification claims.
As stated in Patco and confirmed in Choice and Wright v. Citizen’s Bank of East Tennessee, __ F.3d __, 2016 WL 97673 (6th Cir. 2016), article 4A precludes other claims only to the extent that they “create rights, duties, and liabilities inconsistent with Article 4A.” Therefore, claims may be made under contractual duties that impose a higher standard than article 4A or from common law remedies for injuries or misconduct not addressed in article 4A. As such, Patco reversed the district court’s dismissal of the client’s claims for breach of contract and breach of fiduciary duty. Although it admitted it was a “closer question,” the court affirmed dismissal of negligence claims based on the jurisprudence of negligence. The Sixth Circuit drew a similar conclusion in Wright.
Thus, case law would support claims that a bank is in breach of an obligation to prevent fraud or of the requisite fiduciary duty.
On the other hand, bank exculpation and limits on recovery would seem to be blocked. Patco did not address the bank’s argument to this effect or its disclaimer of liability under the bank’s website access agreement. In remaining silent on this question while approving the client’s prosecution of the breach claims, however, Patco can be read to hold contractual exculpation to be inconsistent with article 4A.
Similarly, Choice held that bank indemnification claims were barred by article 4A. The court ordered the client to pay the bank’s attorney fees, however, even though the right to recover fees came from the contract’s indemnity provision. The provision stated that the client will “indemnify and hold [the bank] harmless from any and all … costs and expenses, including reasonable attorney’s fees.” As I read it, the award of fees here seems closer to that of an indemnity award than the court acknowledged.
Although I think it unlikely that a court will honor a bank’s exculpatory provisions in a cyber theft case, the case law may not yet be so strong as to mandate this outcome, especially if a court believes that the client was more at fault than the bank.
Note that banks have not pressed force majeure as a contractual defense. It will be interesting to see whether this happens and how a court responds. Force majeure does not seem to be consistent with the principles of article 4A.
Conclusions from the case law. There does not yet seem to be a clear principle for evaluating the central question under article 4A: the commercial reasonableness of a bank’s security procedure. The security procedure in Choice seemed significantly less robust than those in Patco and Experi-Metal, for example, yet Choice is the only one that found them to be commercially reasonable. As the newest case, the Choice court clearly had the capacity to contrast those controls with those described in the earlier cases. Client culpability is not a factor under article 4A, but I suspect it played a part in the decision in Choice and, thus, cannot be ignored when a client contemplates action against the bank for losses arising from a hack.
Following the recommendations in Bank Custody, commercial and institutional clients can take positions to protect against risk of loss from cyber theft, including the following:
First, article 4A’s client protections fly out the window if the client insists on a separate security procedure when the one offered by the bank is “commercially reasonable.” If the client cannot afford the bank’s procedure, or otherwise wants to lower the standards, it should stop and find a bank whose plan comports with its needs. Otherwise, if something goes wrong, the bank, seeing it is not at risk, may be uninterested in discussing a settlement to avoid litigation.
Second, on the flip side, a client should leave a bank that cannot offer the protection it requires. Choice Escrow stayed with its bank even though the bank could do nothing to address the client’s request to block wires to offshore accounts. If a bank cannot address the client’s needs, the client should seek another bank.
Third, although available technology may not help prove a client’s lack of responsibility, it makes sense to permit only a small group of highly professional employees to have wire authority. Likewise, using dual or triple controls with out-of-band controls and imposing other fortifications is appropriate, both as a business matter and to help the effort to prove lack of responsibility for the hack. These practices should defray any effort by the bank to paint the client as a negligent or improvident partner. Clients should also have an effective compliance manual and engage in regular internal training. For more ideas, see Patco Owner on Fraud Settlement, (Nov. 29, 2012), http://www.bankinfosecurity.com/interviews/patco-i-1726/op-1. Given that IT forensics may never be manageable, the client should at least be able to show that old-fashioned means of theft – an office break-in or a crooked employee – are not a factor.
Next, clients should resist the bank’s insistence on accepting oral instructions of any kind. If any are permitted, they should be limited to noncash activities such as proxy voting. In addition, as discussed in Bank Custody, the client should ensure that the contract satisfies legal requirements for validity and enforceability, and knows what its “agreement” consists of. The client should go back periodically to ratify all relevant documents and exhibits and update and confirm current authorizations. In sum, the contract process can aid a bank’s defense of liability. A client should make sure there are no surprises that could limit article 4A remedies or enforceability.
Last, insurance can ease risk of loss and experts can assist in selecting and negotiating cyber security coverage. Many plans have exceptions that can obliterate coverage for mistakes made by employees or offer less protection than meets the eye. In addition, policy limits on cyber insurance for institutional accounts may come nowhere near the total loss suffered in an attack on the company’s bank account. Bank insurance should be examined too.
When I first studied the question of bank custody law a few years ago, I was disturbed to discover that many bank custody contracts failed to address legal requirements enabling institutional investors to protect their assets in the event of the bank’s insolvency. This remains an important issue and must be addressed in contract negotiation. Even more urgently, however, clients should review their cyber security rights and their security procedures to increase their chances of recovery of losses from bank cyber theft.