Fraudulent wire transfers initiated by sophisticated cyber criminals pose a significant risk to businesses and financial institutions. Technologically savvy fraudsters can steal confidential information through a variety of mechanisms, including malicious software installed on an unwitting victim's computer through the use of so-called email "phishing" scams. The end result is that faceless and far-flung criminals can mimic a local bank customer's computerized identity, causing significant loss to customers and/or their banks. By way of example, the Federal Bureau of Investigation issued a Fraud Alert in April 2011 reporting a series of twenty instances in which online banking credentials of small-to-medium sized business were used to initiate fraudulent wire transfers in the amount of approximately $20 million, sending funds from U.S. account holders to accounts held in various port cities near the China-Russia border. The total loss suffered is this series of frauds amounted to $11 million incurred over a thirteen-month time period.
This article provides a brief overview of the risk-allocation provisions relative to fraudulent wire transfers that are set forth in the Uniform Commercial Code's Article 4A as adopted in Massachusetts ("Article 4A"). See Mass. G.L. c. 106, ' 4A-101, et seq.
I. 'Authorized' And 'Effective' Payment Orders
A. 'Authorized' Payment Orders
For purposes of Article 4A, a wire transfer payment order is the "authorized" order of the bank's customer (the "sender") if "such person authorized the order or is otherwise bound by it under the law of agency." See Mass. G.L. c. 106, ' 4A-202(a). Thus, "authorized," for purposes of Article 4A, has two components: (i) authorized in fact, and/or (ii) authorized pursuant to common law principles of agency.
B. 'Effective' Payment Orders
A wire transfer order is "effective," even if it is not "authorized," if:
i. The bank and its customer have agreed that authenticity of a wire transfer order issued in the name of the customer will be verified pursuant to a security procedure, and
ii. The security procedure is a "commercially reasonable method of providing security against an unauthorized payment order," and
iii. The bank proves that it accepted the payment order in good faith and in compliance with both (a) the security procedure, and (b) any written agreement or instruction of the customer restricting acceptance of a wire transfer order.
See G.L. c. 106, ' 4A-202(b).
C. 'Commercially Reasonable' Security Procedures
Notably, an unauthorized wire transfer order is not "effective" if the security procedure agreed-upon by the bank and the customer is not a "commercially reasonable" method of guarding against wire transfer fraud. See id. "Commercial reasonableness" is question of law under Article 4A. See G.L. c. 106, ' 4A-202(c). Although the outer boundaries of what constitutes "commercial reasonableness" will expand and contract as the technologies available to fraudsters and financial institutions evolve, Article 4A provides some guidance regarding how a court should determine whether a security procedure is "commercially reasonable." Specifically, courts must consider:
- The wishes of the customer as expressed to the bank;
- The circumstances of the customer known to the bank, including the size, type, and frequency of wire transfers it normally performs;
- Alternative security procedures that were offered to the customer; and
- The security procedures in use at the relevant time by similarly-situated banks and customers.
See G.L. c. 106, ' 4A-202(c).
Additionally, Article 4A provides that a security procedure will be deemed to be "commercially reasonable" if:
(i) the customer chose the procedure after refusing a security procedure offered by the bank that was commercially reasonable for that customer; and
(ii) the customer expressly agreed in writing to be bound by a wire transfer payment order issued in its name and accepted by the bank in compliance with the customer's chosen security procedure.
See G.L. c. 106, ' 4A-202(c).
II. Risk Allocation
As between a financial institution and its customer, losses from fraudulent wire transfers will be allocated in the following ways under Article 4A:
A. Orders that Are Neither 'Authorized' Nor 'Effective'
If a wire transfer order is not authorized and is not effective, the bank will suffer the loss and must refund the transferred funds to its customer with interest calculated from the date the bank received the customer's funds in satisfaction of the payment order. See G.L. c. 106, ' 4A-204(a).
B. Orders that Are 'Authorized'
If a wire transfer order is "authorized" by the customer, the customer will bear the loss and the bank will have no obligation to repay the amount of the transfer to the customer. See id.
C. Orders that Are Not 'Authorized' But Are 'Effective'
If a wire transfer order is "effective," the customer will bear the loss associated with the transfer unless:
i. The bank has entered an express written agreement requiring it to bear the loss, or
ii. The customer proves that the wire transfer was not initiated by a person who:
(a) was entrusted at any time with duties to act for the customer with respect to initiating wire transfers or wire transfer security procedures, or
(b) obtained access to the transmitting facilities of the customer, or
(c) obtained, from a source controlled by the customer and without authority of the customer's bank, information (including an access device or computer software) facilitating breach of the security procedure, regardless of how the information was obtained or whether the customer was at fault.
See G.L. c. 106, ' 4A-203(a).
Generally speaking, if a fraudulent wire transfer order is "effective," the customer will bear any loss associated with the wire transfer unless the customer can prove that the wire transfer order was not placed by a person with access to the customer's confidential security information, and was not caused by a breach of the customer's security. Effectively, Article 4A presumes that if the customer can prove that its own security systems were not compromised or accessed by an internal wrongdoer, there must have been a security breach at the bank. In the latter circumstance, the bank will be burdened with the loss.