In Jetcrete, the parties entered into an agreement for the purchase of trucks, with plaintiff seeking to buy $518,124 of trucks from defendant dealer. Like a typical email scheme, the dealer sent wire instructions to the buyer, the dealer’s email was then hacked, and new wire instructions were sent by the cybercriminal to the buyer.

The plaintiff argued that the seller “was in the best position to avoid the loss by employing reasonable security measures to prevent the hack of [its] email[.]” The seller contended “it took reasonable security steps by hiring an IT consultant[,] installing Symantec virus scanner software on its system, and hosting its email server at Intermedia,” and that plaintiff “was in the best position to avoid the loss by simply calling [it] to verify the wiring instructions.” Id. at *8-9.

In resolving the dispute, the court adopted plaintiff’s argument that because the contract involved the sale of goods resolution should be governed by the Uniform Commercial Code, and looked by analogy to UCC § 3-404, which provides in part:

(a) If an impostor . . . induces the issuer of an instrument to issue the instrument to the impostor, . . . by impersonating the payee of the instrument or a person authorized to act for the payee, an endorsement of the instrument by any person in the name of the payee is effective as the endorsement of the payee in favor of a person who, in good faith, pays the instrument or takes it for value or for collection.

. . . .

(d). With respect to an instrument to which subsection (a) . . . applies, if a person paying the instrument or taking it for value or for collection fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.

UCC § 3-404 (emphasis added).

While UCC Articles 3 and 4 governing negotiable instruments provide a comparative negligence loss-allocation regime, UCC Article 4A governing electronic funds transfers does not, but rather a strict liability regime. See, e.g., Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 795 Fed. Appx. 741, 744, n.4 (11^th Cir. 2019) (quoting UCC § 4A-207, cmt. 2 and contrasting the Articles 3 and 4 approach, citing Salvatore Scanio & Robert W. Ludwig, Contracting Out of the Uniform Commercial Code: Reducing Bank Liability by Shortening the One-Year Notice Period for Reporting Check Fraud, 33:11 Banking & Fin. Servs. Policy Report 15, 17 n.8 (Nov. 2014)). UCC Article 4A was inapplicable because it applies to the parties to funds transfers; the email hacked business which did not receive the funds was never a party to a funds transfer.

The Jetcrete court concluded: “The hack of [the seller’s] email account created the scenario for the loss. But [plaintiff] was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone. Thus, even under an analysis based on [UCC § 3-404, plaintiff] should suffer the loss.” Jetcrete, at *12.

Even though the UCC did not apply directly to this cybertheft dispute, the court’s application of its loss allocation principles demonstrates the UCC’s continued importance in resolving commercial payment disputes involving fraud.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Unless a customer objects to a fraudulent funds transfer within one year, its claims against the bank are subject to UCC Article 4A’s one-year statute of repose. See UCC § 4A-505 cmt.  UCC § 4A-505 provides:

If a receiving bank has received payment from its customer with respect to a payment order issued in the name of the customer as sender and accepted by the bank, and the customer received notification reasonably identifying the order, the customer is precluded from asserting that the bank is not entitled to retain the payment unless the customer notifies the bank of the customer’s objection to the payment within one year after the notification was received by the customer.

As a statute of repose, section 4A-505 does not provide an “affirmative defense . . . often subject to tolling principles,” but “extinguishes a plaintiff’s cause of action after the passage of a fixed period of time,” here, one year. Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 88 n.4 (2d Cir. 2010).

In Cardino, the bank attempted to cut down Article 4A’s one-year notice period to 60 days. Relying on Regatos v. N. Fork Bank, 838 N.E.2d 629 (N.Y. 2005), the court reasoned that because “Banks are liable under article 4-A of the UCC for improper funds transfers . . . and UCC [§ 4A-204(b)] provides ‘the obligation of a receiving bank to refund payment . . . may not otherwise be varied by agreement,’ . . . shortening the one-year period effectively would vary the bank’s obligation to refund payment[.]” Cardino, at *7. Therefore, the bank could not shorten the one-year period in any way. Id. at *8.

In contrast, courts generally permit the one-year notice rule in UCC Article 4 covering unauthorized checks and other items, UCC § 4-406(f), to be cut down by contract to as little as 14 days in some cases. See Salvatore Scanio & Robert W. Ludwig, Contracting Out of the Uniform Commercial Code: Reducing Bank Liability by Shortening the One-Year Notice Period for Reporting Check Fraud, 33 Banking & Fin. Servs. Policy Report 15 (Nov. 2014).

This case is an important reminder for customers and banks alike to consider whether particular cut-down provisions in bank-customer agreements are enforceable in the event of a dispute.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.