Author: Nathan Danielson
(As seen in the April 2013 issue of the Indiana Bankers Association Hoosier Banker)
A growing number of businesses are experiencing security breaches resulting in unauthorized access to passwords, user names and other sensitive information. Sometimes, these breaches result in the initiation of fraudulent wire transfers, which can put the business’s deposit banks at risk. Indiana banking institutions should acquaint themselves with how these breaches typically occur, the body of law relating to unauthorized wire transfers, and what can be done to try to avoid liability for losses.
In most instances, a security breach results from a third party computer hacker “phishing” for information, utilizing malware, or otherwise gaining unauthorized access to a bank customer’s computer system. Upon obtaining access and discovering private user identification and password information, the hacker then initiates a wire transfer request, which is payable to an account at another bank. After the funds are transferred, they usually are wired immediately to a foreign bank by a waiting accomplice. The impacted business frequently learns of the fraud after the funds are irretrievable and then informs its deposit bank that the transfer was not authorized. Assuming the funds have been debited from the customer’s account, what happens next? Is the deposit bank liable?
Article 4A of the Uniform Commercial Code provides a comprehensive body of law relating to wire transfers, including how losses resulting from fraudulent wire transfers are apportioned between a customer and its bank. Article 4A has been adopted by Indiana and nearly all other jurisdictions, and banks should become familiar with its provisions. The scope of Article 4A is broad, but some types of transfers are excluded, including consumer transactions governed by other federal laws.
The general rule under Article 4A is that bank customers will be bound by an authorized payment order under the law of agency; however, a bank must refund any payment transferred, plus interest, with respect to an unauthorized payment order. This refund obligation cannot be varied by agreement, except with regard to what constitutes a reasonable time in relation to interest to be paid by the bank. Thus, since fraudulent wire transfers are by definition unauthorized, the general rule is that the risk of loss is on the bank.
There are two exceptions to the general rule. First, if a customer does not object within one (1) year after receiving notice of the debit associated with the transfer, the bank may avoid liability. Second, and more importantly for banks looking to protect themselves, a customer will be bound to an unauthorized payment order if:
(a) the bank and customer have agreed that payment orders will be verified pursuant to a security procedure;
(b) the security procedure is commercially reasonable; and
(c) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure (as well as any written agreement or instructions of the customer).
A “security procedure” is established by an agreement with a customer and is intended to verify that a payment order is authentic and to detect errors in its content. Some examples are passwords, encryption, use of algorithms, and specified callback procedures. Generally, the commercial reasonableness of a security procedure is a question of law for the court. Among other things, the court will consider the customer’s expressed wishes, the customer’s circumstances, alternatives offered by the bank, and procedures used by similarly situated parties in evaluating commercial reasonableness.
On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) released a supplement to its 2005 guidance regarding Authentication in an Internet Banking Environment. This supplement describes updated supervisory expectations regarding authentication, security and other controls given the current online environment, including the increasing danger of fraudulent online activity. Banks should give these 2011 guidelines a thorough review as they are likely to be utilized by courts in the future when considering whether a bank’s security procedures are commercially reasonable.
By way of example, in one recent case involving a phishing episode that resulted in unauthorized wire transfers totaling over $500,000, the bank was held liable based on a determination that its security procedures were not commercially reasonable for, among other reasons, an improper implementation of challenge questions and a failure to utilize additional protections associated with out-of-pattern transactions. The court’s analysis gave attention to the FFIEC guidelines.
Moreover, simply having commercially reasonable security procedures in place is not enough on its own. A bank must be certain to comply in good faith with its own security procedures. Courts have held banks liable when they have failed to meet this burden.
Banks should work within the confines of Article 4A and the FFIEC guidelines to implement security procedures and take steps to reduce the risks associated with fraudulent wire transfers. Strategies to consider include:
• Conducting regular risk assessments of bank procedures and systems
• Requiring dual control to initiate payments
• Utilizing “layered security” procedures
• Reviewing the effectiveness and appropriate use of challenge questions
• Using multi-factor and multi-channel authentication procedures
• Creating an alert system to raise a flag for out-of-pattern activity
• Providing for a method to confirm out-of-pattern payments
• Establishing and monitoring exposure limits
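As an added illustration (not from the article or any bank’s system), the following Python sketch turns several of the strategies above into a single pre-release check on a payment order: dual control, an agreed exposure limit, and an out-of-pattern flag on unusual amounts or destinations that routes the order to confirmation instead of release. The customer profile, thresholds and sample orders are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple


@dataclass
class PaymentOrder:
    customer: str
    amount: float
    beneficiary_country: str
    initiated_by: str
    approved_by: Optional[str] = None  # second, independent approver (dual control)


@dataclass
class CustomerProfile:
    daily_limit: float           # exposure limit agreed with the customer
    usual_countries: Set[str]    # destinations seen in the customer's history
    recent_amounts: List[float]  # prior order amounts (constructed sample data)
    sent_today: float = 0.0      # amount already released today


def evaluate_order(order: PaymentOrder, profile: CustomerProfile) -> Tuple[str, List[str]]:
    """Return (decision, flags). Decision is 'release', 'hold-for-confirmation' or 'reject'."""
    flags = []
    # Dual control: a second approver who is not the initiator must sign off.
    if not order.approved_by or order.approved_by == order.initiated_by:
        flags.append("dual-control")
    # Exposure limit: cumulative daily releases may not exceed the agreed ceiling.
    if profile.sent_today + order.amount > profile.daily_limit:
        flags.append("exposure-limit")
    # Out-of-pattern destination: a country never used before is unusual.
    if order.beneficiary_country not in profile.usual_countries:
        flags.append("unusual-destination")
    # Out-of-pattern amount: more than three standard deviations above history.
    if profile.recent_amounts:
        sd = pstdev(profile.recent_amounts) or 1.0
        if order.amount > mean(profile.recent_amounts) + 3 * sd:
            flags.append("out-of-pattern-amount")
    if "dual-control" in flags:
        return "reject", flags            # cannot proceed without a second approver
    if flags:
        return "hold-for-confirmation", flags  # confirm through a separate channel
    return "release", flags


# Constructed example profile: a mid-size business with a $25,000 daily limit.
ACME = CustomerProfile(25000.0, {"US"}, [4200, 5100, 3900, 4800, 4600])
```

Orders with no flags are released, unusual ones are held for an out-of-band confirmation, and an order missing a second approver is rejected outright.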
In addition to these internal steps, banks should educate their customers. By sharing information about the dangers associated with security breaches and unauthorized wire transfers, a bank may strengthen its customer relationships and protect itself in the process. Customers might be encouraged to adopt their own protective measures, including:
• Requiring dual control to initiate payments
• Maintaining updated hardware and antivirus and anti-malware software
• Providing training to appropriate employees regarding security measures
• Specifying a particular computer to be utilized to initiate payment orders
• Implementing a strategy to keep tight control of security information
In a world increasingly reliant on online commerce, it is only to be expected that new risks and dangers will arise. Taking appropriate steps to anticipate and avoid liabilities is essential, and in the world of wire transfers, this means understanding and implementing security procedures consistent with Article 4A and the FFIEC guidelines.