Back in the days when “phishing” was just something your spell checker changed back to “fishing,” everyone thought they understood how the risk of loss was apportioned between a bank and its customers if a third party fraudulently obtained money from someone’s deposit account. With few exceptions, the risk of loss was born by someone else besides the bank customer. Fast forward to today when there are so many different ways for bank customers to move money in and out of their accounts besides just a paper check.  Several years ago the drafters of the UCC adopted a brand new Article 4A to address the dramatic increase in wire and other electronic transfers between commercial accounts.

Article 4A continues the traditional risk allocation framework in that unless certain exceptions exist, the bank bears the risk of loss for fraudulent transfers from a commercial deposit account. The major exception is where the bank and its customer have agreed upon certain commercially reasonable security procedures. In that instance the risk of loss for fraud will reside with the customer if the bank proves that it accepted a fraudulent payment order (1) in good faith, and (2) in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. Further, if a bank has established security procedures that a customer has declined to use, and the customer instead agrees in writing to be bound by payment orders issued in its name and accepted by the bank in accordance with another security procedure, then the customer will bear the risk of loss from a fraudulent payment order if the declined procedure was commercially reasonable.

A recent decision from the 8th US Circuit Court of Appeals,  Choice Escrow and Land Title, LLC v. Bancorp South Bank,  applied the provisions of Article 4A to what is becoming a common occurrence today. An employee of Choice clicked on an attachment to an email, which then placed a computer virus on their computer system. Over a period of time the virus gave an unknown third party access to the employee’s username and password and allowed the third party to mimic the computer’s IP address and other characteristics. The thieves wired out $440,000 to an account in the Republic of Cyprus. Suffice it to say that when money is fraudulently transferred to an account in the Republic of Cyprus, it never comes back. The customer demanded that the bank reimburse it for the loss and the bank refused. The matter ended up in litigation in federal court.

Read More