Sal Scanio’s recent article, Interbank Liability for Fraudulent Transfers via SWIFT: Banco del Austro, S.A. v. Wells Fargo Bank, N.A., 36 BANKING & FIN. SERVICES POL’Y REP. 8 (DEC. 2017), analyzes one such case of fraudulent transfers via SWIFT to illustrate the framework for allocating liability between banks.  In Banco Del Austro, S.A. v. Wells Fargo Bank, N.A., No. 1:16-CV-00628 (S.D.N.Y. filed Jan. 20, 2016), an Ecuadorian bank’s computer system was infiltrated by cybercriminals who were able to steal the login credentials of a bank employee, logon to the bank’s SWIFT terminal, and cause at least 13 unauthorized transfers via SWIFT by re-issuing cancelled or rejected transactions that remained in the bank’s SWIFT outbox and altering the amounts, beneficiary, beneficiary bank, and destination.  Between January 12 and January 21, 2015, a dozen SWIFT messages were sent from Banco Del Austro to its correspondent bank in New York, Wells Fargo Bank, N.A. that enabled fraudulent transfers totaling $12,172,762.  Banco Del Austro alleged that these transfers were unusual, suspect, or anomalous because they were inconsistent with the bank’s normal activity in its correspondent account at Wells Fargo. Banco Del Austro brought suit against Wells Fargo, asserting causes of action for violations of Uniform Commercial Code (UCC) Article 4A and common law claims of negligence and breach of contract.  The article discusses the development of this litigation and analyzes the legal theories of liability as applied to this case of SWIFT cybercrime.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.

Sal’s presentation focused on the legal regime for allocating liability for unauthorized fund transfers, including wire transfers, ACH transactions, and SWIFT transfers.  He discussed several key and recent cases under UCC Article 4A that have grappled with the breadth of the “security procedure” defense, applied the UCC test for determining whether a bank’s procedures are “commercially reasonable,” and addressed circumstances where banks were considered to have or have not acted in “good faith.”  He covered applicable regulatory guidelines issued by the Federal Financial Institutions Examination Council and the New York State Department of Financial Services, including recent developments on reporting cybercrime.

Sal’s presentation also addressed the continuing trend in the payment card arena in which fraud liability is shifting from issuers to acquirer/merchants under card network rules and recent suits brought by issuing banks against merchants for data breaches.   (For an overview of the evolving payment card system and developing loss allocation, see Sal Scanio’s prior article, Payment Card Fraud, Data Breaches and Emerging Payment Technologies, XXI Fidelity L.J. 59 (2015)).

Finally, Sal outlined a number of practical measures that can be taken by financial institutions to reduce their legal and compliance risk.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.

The bank received a $440,000 wire request purportedly from the customer, an escrow company, for transfer to a beneficiary’s account in the Republic of Cyprus.  The request, received over the Internet using the customer’s login and password, was authenticated via a secure ID token downloaded on the customer’s computer to show it had been initiated from its registered IP address. The customer, a common malware target as an escrow company, had been attacked and its purported request was unauthorized.

Significantly, in establishing online banking services, the customer had declined the use of “Dual Control,” as offered by the bank, requiring two users using separate logins and passwords to process wire transfers, as well as daily limits on wire transfer activity.  Subsequently, the customer inquired whether foreign wire transfers could be blocked to avoid fraudulent wires.  The bank advised that it was unable to stop just foreign wires, recommending again dual control which the customer still declined.

On appeal as in the district court, the customer argued that the security procedures offered were not commercially reasonable because none involved transactional analysis whereby wire transfers are subject to individual fraud review.  The Eighth Circuit disagreed, affirming thatit would be impracticable for the bank to review every outgoing wire and that there was no genuine question of fact whether the bank was required to use transactional analysis as a matter of reasonable commercial procedures.  The Eighth Circuit concluded that the security procedures offered were commercially reasonable for that customer, observing:

[T]his appears to be a case where “an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper[,]” in which case “the customer has voluntarily assumed the risk of failure of the procedure and cannot shift the loss to the bank.”

Id. at *26-27 (quoting UCC § 4A-203 cmt. 4).

Turning to whether the bank had proved it accepted the payment order in good faith under UCC § 4A-202(b), the Eighth Circuit described the good faith test as follows:

[W]hile there may be some evidentiary overlap between the commercial reasonableness of a bank’s security procedures and its compliance with reasonable commercial standards of fair dealing, we do not believe that the two inquiries are coextensive. While the commercial reasonableness inquiry concerns the adequacy of a bank’s security procedures, the objective good faith inquiry concerns a bank’s acceptance of payment orders in accordance with those security procedures. In other words, technical compliance with a security procedure is not enough under Article 4A; instead . . . the bank must abide by its procedures in a way that reflects the parties’ reasonable expectations as to how those procedures will operate.

[T]he focus of our good faith inquiry is on the aspects of wire transfer that are left to the bank’s discretion. . . .Where, as here, a bank’s security procedures do not depend on the judgment or discretion of its employees, the scope of the good-faith inquiry under Article 4A is correspondingly narrow. . . . [T]o establish that it acted in good faith, [the bank] must establish that its employees accepted and executed the . . . payment order in a way that comported with [the customer’s] reasonable expectations, as established by reasonable commercial standards of fair dealing.

Id. at *29-31.  The court concluded that the bank met its burden because: (1) the customer was aware that the only time the bank’s employees saw the payment order was after the wire had cleared its security procedures, (2) the customer was also aware that the employees’ role was to route payment orders, not to check for irregularities, (3) the “payment order was not so unusual that it should have raised eyebrows,” as the amount was not unusual for the customer, and (4) the bank was under no obligation to review the memo line of the payment order.  Id. at *32-33.  The Eighth Circuit contrasted this case with Experi-Metal, Inc. v. Comerica Bank, 2011 U.S. Dist. LEXIS 62677 (E.D. Mich. June 13, 2011), where the district court found a lack of good faith by the bank in allowing, inter alia, $5 million in overdrafts from an account that had a zero balance.

Finally, the Eighth Circuit addressed the bank’s counterclaim for attorney’s fees based on an indemnification provision in the customer agreement.  The district court had found that the indemnification provision conflicted with Article 4A, and dismissed the counterclaim.  The Eighth Circuit reversed:

[The bank’s] counterclaim seeks attorney’s fees, not damages stemming from the fraudulent payment order, and Article 4A contains no provision allocating attorney’s fees between the bank and its customer in the event of litigation.  Although awarding attorney’s fees to a bank under an indemnification agreement might reduce a customer’s overall recovery against that bank, it would do so for reasons extrinsic to Article 4A’s attempts to balance the risk of loss due to a fraudulent payment order. We thus conclude that the portion of the indemnification provision relating to attorney’s fees is not inconsistent with Article 4A and that [the bank] may seek attorney’s fees from [the customer] under this provision.

Id. at *38-39. Plainly, a bank’s ability to obtain attorney’s fees upon prevailing in customer claims under Article 4A may become a significant factor in the resolution of such claims.

Choice Escrow represents another decision illustrating the importance of bank customer agreements in allocating losses for unauthorized electronic funds transfers.  See Salvatore Scanio and Robert W. Ludwig, Surging, Swift and Liable? Cybercrime and Electronic Payments Fraud Involving Commercial Bank: Who Bears the Loss?, 16 J. of Internet L. 3 (April 2013). 

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605, or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

In Clemente Bros. Contracting Corp. v. Aprile Hafner-Milazzo, 2014 N.Y. LEXIS 1003 (N.Y. May 8, 2014), the New York Court of Appeals recently addressed whether a customer agreement reducing the UCC’s one-year notice period to 14 days was enforceable.  (Although New York has not adopted Revised UCC Article 4 (1990), the provisions applicable here are substantially similar.)  In a split 5-2 decision, the court held that a bank may cut-down the one-year notice by agreement as long as the modification is not manifestly unreasonable.  Specifically, the court held that the 14-day period was enforceable in cases where the customer is “a corporate entity that either is financially sophisticated or has the resources to acquire professional guidance.”  Id. at *17.  In this case, the court noted that the customer had numerous employees, regularly moved hundreds of thousands of dollars in and out of its accounts, had the resources to make an informed decision about opening an account at its bank and to monitor its accounts once a month within 14 days of each statement, and critically, had executed a corporate resolution containing the 14-day notice provision.  Id. at *16-17.  In dicta, the court observed that a 14-day period could be manifestly unreasonable for unsophisticated customers, small family businesses, or consumers, in which cases a 30- or 60-day period may be appropriate.  Id. at *17.

One other court has upheld a 14-day notice period, Borowski v. Firstar Bank Milwaukee, N.A., 579 N.W.2d 247, 251 (Wis. App. 1998), though commentators have suggested such a short period is manifestly unreasonable because it can serve effectively to enable a bank to escape liability as an outright disclaimer.  Several other courts, however, have enforced 60-day notice periods.  See, e.g., Peters v. Riggs Nat’l Bank, N.A., 942 A.2d 1163, 1168 (D.C. 2008); National Title Ins. Corp. Agency v. First Union Nat’l Bank, 559 S.E.2d 668, 672 (Va. 2002); American Airlines Employees FCU v. Martin, 29 S.W.3d 86, 96 (Tex. 2000).

While the New York decision provides authority for varying the UCC’s one-year notice provision to as little as 14 days for many commercial customers, the case is also a reminder that a one-size-fits-all approach may not be appropriate, with longer reporting periods potentially required for other types of customers.  Indeed, in 2001 the Uniform Law Commissioners circulated a draft amendment to section 4-406 that would have made any shortening of the one-year period to less than 90 days unenforceable against a consumer.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605, or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.