Managing the Risk of Unauthorized Payments from Business Bank Accounts
by Kenneth Benton, Senior Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia
Unauthorized electronic payments from business bank accounts are a growing concern for banks, businesses, and the general public. Criminals are using a variety of techniques, such as phishing e-mails and malware, to take control of business accounts to initiate payments to an accomplice or a foreign account. According to the 2015 survey of the Association for Financial Professionals, 27 percent of respondent organizations were affected by wire transfer fraud (a nearly 100 percent increase from the 2014 survey), and 10 percent were affected by automated clearing house (ACH) credit fraud (fraud involving an ACH payment order initiated by the person sending the payment).1
For example, in June 2012, a law firm with a real estate escrow account had its computer system compromised and its banking credentials stolen, which resulted in $1.66 million in unauthorized wire transfers.2 Similarly, in 2009, a Michigan corporation was subject to a phishing scheme that resulted in $560,000 in unauthorized wire transfers from its bank account.3 And in April 2011, the Federal Bureau of Investigation (FBI) issued an alert about the growing number of unauthorized wire transfers to China, in which small and medium-sized businesses suffered total losses of $11 million in 20 separate incidents.4 This problem is also reflected in the increased number of Suspicious Activity Reports filed by financial institutions for “account takeovers,” in which an unauthorized person takes control of a customer’s account.5
These headlines undermine the public’s confidence in the payment system. They also raise a critical question for banks and their business6 customers: When funds are stolen from a bank account of a business customer through an unauthorized payment order, who bears the loss? For unauthorized wire transfers and ACH credit transfers, Article 4A of the Uniform Commercial Code (UCC) provides the legal framework for determining who is responsible for any resulting losses.7 This article examines the relevant provisions of Article 4A, reviews two recent federal appeals court decisions interpreting these provisions in the context of funds stolen through unauthorized wire transfers and ACH credit transfers, and discusses sound practices to mitigate this risk in light of the UCC’s requirements and these court cases.
Impact on Community Banks
Account takeovers are an important issue for community banks because criminals are increasingly targeting small and mid-sized companies, which are believed to have less-sophisticated security systems than larger companies.8 These companies, in turn, often bank with community banks.9 According to Symantec, the software security firm, 50 percent of all “spear-phishing” attacks (in which the criminal sends an e-mail with a malware attachment or malicious links that appears to be from an individual or business known to the recipient) targeted businesses with 2,500 or fewer employees in 2011, and by 2013, this number had increased to 61 percent of all attacks.10 By infiltrating a business’s computer system, the criminal can obtain the log-in credentials to the business bank accounts and initiate unauthorized payment orders. Thus, it is important for community banks to understand the requirements of Article 4A of the UCC that come into play when a dispute arises between a bank and its business customers because of unauthorized wire transfers or ACH credit transfers, as well as ways to address the risks arising from unauthorized transfers.
UCC Article 4A
By default, Section 4A-204(a) provides that a bank is responsible for any unauthorized electronic payment orders on a nonconsumer account. However, Section 4A-202(b) permits a bank to shift the risk of loss to its customer if the following conditions are met:
- The bank and its customer agree that the bank will authenticate any payment orders on the account under an agreed-upon security procedure.
- The security procedure is “commercially reasonable.”
- The bank complied with the procedure, acted in good faith, and implemented the customer’s written instructions (if any) restricting payment.
Because these requirements focus heavily on a bank’s use of a “commercially reasonable” security procedure, the definition of this term is critical. Article 4A provides two ways for a bank to establish that its security procedure is commercially reasonable. First, under Section 4A-202(c), a bank can show that its procedure took into account:
- the wishes of the customer expressed to the bank;
- the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank;
- alternative security procedures offered to the customer; and
- the procedures in general use by customers and receiving banks similarly situated.11
The UCC includes Official Comments for clarification. According to Comment 4 to Section 4A-203, which discusses the factors listed in Section 4A-202(c), the meaning of “commercially reasonable” is flexible and depends on the particular circumstances of the bank and its customer. For example, a customer transmitting a large number of high-dollar payment orders may reasonably expect state-of-the-art security procedures, while a customer with a small number of transactions or low-dollar transactions may have different expectations. Similarly, “it is reasonable to require large money center banks to make available state-of-the-art security procedures. On the other hand, the same requirement may not be reasonable for a small country bank.”12 The comment also notes that the “standard is not whether the security procedure is the best available. Rather it is whether the procedure is reasonable for the particular customer and the particular bank, which is a lower standard. On the other hand, a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable.”
The second way to establish that a procedure is commercially reasonable applies when a customer declines a security procedure offered by a bank because the customer wants to use its own security procedure. If the customer agrees in writing to be bound by any payment order, whether or not authorized, that is issued in its name and accepted by the bank that complies with the customer’s chosen security procedure, the procedure is deemed commercially reasonable, provided that the procedure offered by the bank that the customer declined satisfied the commercially reasonable requirements set forth previously.13
Recent Court Cases Interpreting Commercially Reasonable Security Procedures
Two recent federal appellate court decisions examined different aspects of Article 4A’s requirements and help to clarify the steps financial institutions must undertake to avoid responsibility for losses incurred by their customers.14
Case One: Bank’s Security Procedure Is Not Commercially Reasonable
In Patco Construction Co. v. People’s United Bank,15 unauthorized ACH credit transfers totaling $588,851 were taken from PATCO Construction Company’s account with Ocean Bank, a mid-sized bank later acquired by People’s United Bank. PATCO was able to recover $243,406, leaving a net loss of $345,444. PATCO sued the bank to recover its loss. The crucial issue on appeal was whether the bank’s security system was commercially reasonable as defined in the UCC.
The court found flaws in the way the bank implemented its security system. First, if a transaction exceeded a specified dollar threshold, the customer had to answer challenge-response questions (for example, “What is your mother’s maiden name?”). The bank set that threshold at one dollar for all of its customers, so every transfer triggered the challenge questions. Asking the questions on every transaction, which for PATCO included every payroll transfer, substantially increased the risk that key-logging malware on a customer’s computer (malware that records the user’s keystrokes and transmits them over the Internet) would capture the answers, at which point the questions no longer distinguished the customer from the attacker.
Second, the bank failed to monitor the warnings from its security software. The software generated a score for every ACH transaction based on certain risk factors. The security system flagged the unauthorized transactions as very high risk. However, because the bank did not monitor the risk scores, it did not notify PATCO or try to stop the transactions pending verification.
Finally, the court noted that key-logging malware was an industry concern when the transactions occurred and that many Internet banking security systems were using hardware tokens as an additional security measure, which the Federal Financial Institutions Examination Council (FFIEC) had recommended as a useful part of a multifactor authentication scheme.16 Other banks performed manual reviews or customer verification for high-risk transactions. Ocean Bank used none of these measures and thus did not satisfy the UCC requirement to consider the procedures in general use by similarly situated customers and banks.
In light of these problems, the First Circuit concluded that Ocean Bank’s security procedures were not commercially reasonable. However, the court noted that PATCO also had responsibilities for implementing security procedures, so the court sent the case back to the trial judge to determine if PATCO bore any responsibility for the unauthorized transactions. But after the First Circuit issued its opinion, the bank settled the case for the amount of the loss ($345,444) plus interest.17
Case Two: Bank’s Security Procedure Is Commercially Reasonable
The second case, Choice Escrow & Land Title, LLC v. BancorpSouth Bank,18 concerned the responsibility between BancorpSouth Bank and its business customer, Choice Escrow & Land Title, for $440,000 in unauthorized ACH transactions. An employee at Choice clicked on a link in a phishing e-mail that allowed malware to be installed on a network computer. As a result, hackers were able to issue a fraudulent payment order for $440,000 that was sent to a foreign country. Choice sued the bank to recover the $440,000.
The bank’s security system offered four security features: (1) user ID and password requirement; (2) registration of an authorized user’s Internet protocol (IP) address and computer information when the user first registered; (3) the customer’s ability to place dollar limits on transactions; and (4) dual control, which required that every payment order request by an authorized user be approved by a second authorized user. If a customer declined the dual-control feature, the bank had the customer sign a waiver acknowledging it understood the risks of a single-control security system.
Choice declined the dollar limit on transactions and the dual-control feature and signed the waiver. Thus, the security procedure for Choice’s ACH transactions consisted of a user ID and password and verification of IP address and computer information. Choice had also asked the bank whether its system had the capability to limit ACH transfers to foreign banks because of a concern about phishing scams. The bank responded that it was not possible, but that Choice could mitigate the risk of unauthorized ACH transactions if it implemented dual control, which Choice declined. The court reviewed the bank’s security procedure and determined it was commercially reasonable. For the requirement that a security procedure must be one in general use by similarly situated customers and banks, the court focused on the FFIEC’s 2005 guidance. The guidance states that most modern authentication is multifactor and that “single-factor authentication, as the only control mechanism, [is] inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”19
The court also noted that the FFIEC guidance states that threats change over time and that banks must “[a]djust, as appropriate, their information security program[s] in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information.” The court noted the bank offered the dual-control option in response to increased security threats, which the court said was a reasonable response to the threat of phishing scams and thus was consistent with the FFIEC guidance.
The court next considered the requirement that a bank’s security procedures must be suitable for the customer in light of “the wishes of the customer expressed to the bank” and “the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank.”20
Choice argued that the dual-control option failed to take into account Choice’s circumstances because dual-control verification of every wire transfer was not feasible for Choice because of its small staff. But the court found that dual control was feasible for Choice: Choice’s ACH transfers usually did not require immediate processing, so if an ACH request was received on a day when the dual-control employee was unavailable, that employee could approve it the next day without adverse consequence. When Choice declined the dual-control option, the court noted that it assumed the risks of this decision under the UCC, which states that when “an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper,” the customer assumes “the risk of failure of the procedure and cannot shift the loss to the bank.”21
The court concluded that the bank’s security procedures of password protection, daily transfer limits, device authentication, and dual control were commercially reasonable for the bank’s customer.
Section 4A-202(b)(ii) imposes one final requirement for transferring liability to the customer: The bank must have “accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.” The court distilled this to mean that “the bank must abide by its [security] procedures in a way that reflects the parties’ reasonable expectations as to how those procedures will operate.”
The court noted that Choice was aware that when a payment order was approved through the agreed-upon security procedure, the bank employee’s role was not to look for irregularities but to send the payment. The bank provided testimony that this was common practice in the industry. The bank thus satisfied the final requirement.
After considering this whole analysis, the Eighth Circuit upheld the lower court ruling that the bank’s security procedure was commercially reasonable, and the bank was, therefore, not responsible for the unauthorized transactions.
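The controls the two opinions turn on (a registered-device check, a customer dollar limit, dual control, and a per-transaction risk score that must actually be acted on) are easy to state but easy to wire up badly. The Python below is an added illustration of how such a check fits together; it is not code from either bank, from the court records, or from this article. The scoring factors, weights, threshold, customer profiles and payment orders are all constructed for the example, and the “Choice-like” and “Patco-like” profiles only echo the facts recited above.

```python
"""Illustrative payment-order authorization check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Customer:
    name: str
    # (source IP, device fingerprint) pairs enrolled when the user first registered
    registered_devices: FrozenSet[Tuple[str, str]]
    daily_limit: Optional[int]          # dollars; None means the customer declined a limit
    dual_control: bool                  # False means the customer signed the single-control waiver
    usual_destinations: FrozenSet[str]  # country codes seen in normal payment history
    usual_max_amount: int               # largest amount in normal payment history


@dataclass(frozen=True)
class PaymentOrder:
    order_id: str
    initiated_by: str
    approved_by: Optional[str]  # second authorized user, when dual control is in force
    ip: str
    device: str
    amount: int
    dest_country: str
    hour_utc: int


HOLD_THRESHOLD = 70  # assumed value; at or above it the order waits for a human


def risk_score(order: PaymentOrder, customer: Customer) -> int:
    """Per-transaction score, 0-100, of the kind the Patco opinion describes.
    The factors and weights are assumptions made for this example."""
    score = 0
    if (order.ip, order.device) not in customer.registered_devices:
        score += 40  # login from a device the customer never enrolled
    if order.dest_country not in customer.usual_destinations:
        score += 30  # first payment to this country
    if order.amount > customer.usual_max_amount:
        score += 20  # larger than anything in the customer's history
    if not 6 <= order.hour_utc <= 20:
        score += 10  # outside the customer's business hours
    return min(score, 100)


def authorize(order: PaymentOrder, customer: Customer,
              staff_monitor_alerts: bool = True) -> Tuple[str, List[str]]:
    """Return ("ACCEPT" | "REJECT" | "HOLD", reasons).
    staff_monitor_alerts=False reproduces the Patco failure: the score is
    computed and attached to the order, but nobody acts on it."""
    if customer.daily_limit is not None and order.amount > customer.daily_limit:
        return "REJECT", [f"amount {order.amount} exceeds customer limit {customer.daily_limit}"]
    if customer.dual_control and (order.approved_by is None
                                  or order.approved_by == order.initiated_by):
        return "REJECT", ["dual control: a second authorized user must approve"]
    score = risk_score(order, customer)
    reasons = [f"risk score {score}"]
    if score >= HOLD_THRESHOLD:
        reasons.append("high risk: verify with the customer out of band before release")
        if staff_monitor_alerts:
            return "HOLD", reasons
        reasons.append("alert generated but unmonitored; order released anyway")
    return "ACCEPT", reasons


# Constructed profiles that echo the two cases; none of these values come from the record.
OFFICE_DEVICE = ("203.0.113.10", "fp-office-1")
CHOICE_LIKE = Customer("Choice-like escrow company", frozenset({OFFICE_DEVICE}),
                       daily_limit=None, dual_control=False,
                       usual_destinations=frozenset({"US"}), usual_max_amount=150_000)
DUAL_CONTROL = Customer("Same company, dual control accepted", frozenset({OFFICE_DEVICE}),
                        daily_limit=None, dual_control=True,
                        usual_destinations=frozenset({"US"}), usual_max_amount=150_000)
PATCO_LIKE = Customer("Patco-like contractor", frozenset({("198.51.100.7", "fp-payroll-pc")}),
                      daily_limit=None, dual_control=False,
                      usual_destinations=frozenset({"US"}), usual_max_amount=60_000)

# "XX" stands in for the foreign destination; the article names no country.
FROM_INFECTED_OFFICE_PC = PaymentOrder("o-1", "alice", None, *OFFICE_DEVICE,
                                       amount=440_000, dest_country="XX", hour_utc=14)
SAME_ORDER_APPROVED = PaymentOrder("o-1", "alice", "carol", *OFFICE_DEVICE,
                                   amount=440_000, dest_country="XX", hour_utc=14)
FROM_ATTACKER_HOST = PaymentOrder("o-2", "bob", None, "192.0.2.44", "fp-unknown",
                                  amount=90_000, dest_country="US", hour_utc=3)


def demo() -> Dict[str, str]:
    """Run the constructed orders through the check and return the decisions."""
    return {
        "choice_single_control": authorize(FROM_INFECTED_OFFICE_PC, CHOICE_LIKE)[0],
        "choice_dual_unapproved": authorize(FROM_INFECTED_OFFICE_PC, DUAL_CONTROL)[0],
        "choice_dual_approved": authorize(SAME_ORDER_APPROVED, DUAL_CONTROL)[0],
        "patco_monitored": authorize(FROM_ATTACKER_HOST, PATCO_LIKE)[0],
        "patco_unmonitored": authorize(FROM_ATTACKER_HOST, PATCO_LIKE,
                                       staff_monitor_alerts=False)[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24s} {decision}")
```

Two things worth noticing in the output. The order sent from the customer’s own malware-infected office PC passes the device check and, with no dollar limit and no dual control, is accepted on a score of 50; only the dual-control variant stops it, which is the trade-off Choice declined. The order from an unenrolled host scores 70 and is held when staff act on the alert, but with `staff_monitor_alerts=False` the same score is merely recorded and the order goes out, which is the gap the Patco court faulted.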
Sound Practices in Light of Patco and Choice
These two cases help clarify the meaning of a commercially reasonable security procedure under the UCC for purposes of determining whether a bank or its commercial customer bears the risk of loss for unauthorized wire transfers and ACH credit transfers. Several themes that are relevant for community banks emerge from these opinions:
- Understand and compare security procedures offered by different vendors and document the rationale for the procedure selected. The UCC requires that a commercially reasonable security procedure be “in general use by customers and receiving banks similarly situated.” The commentary also states that “a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable.” Therefore, it is important for banks to discuss with security vendors the procedures other similarly situated banks are using for comparable customer situations. In PATCO, the court noted that Ocean Bank’s peers were using tokens and one-time passwords, but Ocean Bank had not implemented either.
- Use security procedures that meet the FFIEC guidelines. Both the PATCO and Choice cases establish that compliance with the FFIEC guidelines, including supplements, is crucial because these guidelines are viewed by the courts as part of the industry security standard. The FFIEC guidelines state that “financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security and other controls as appropriate in response to identified attacks.” As a corollary, a bank is expected to monitor changes to the FFIEC guidance and respond accordingly. For example, the 2011 guidance states that financial institutions should adopt “layered security programs” that detect and respond to suspicious activity and include enhanced controls for system administrators, who have authority to change computer system configurations.
- Have staff monitor and respond to security software notifications. It is not enough to have security software that identifies risks; it is important that staff continuously monitor security alerts from the software and respond appropriately. In PATCO, the software identified high-risk transactions, but the bank was not monitoring this information when the security breaches occurred. The UCC commentary for Section 4A-203 confirms the importance of this by stating: “If the fraud was not detected because the bank’s employee did not perform the acts required by the security procedure, the bank has not complied [with the security procedure].”
- Be aware that security should not be “one-size-fits-all.” The security procedure should take into account “the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank.” A customer who makes five wire transfers of less than $5,000 per year, for example, requires a different security procedure than a customer making thousands of wire transfers every year, in large amounts, and to many foreign countries.
- Proactively discuss security issues and best practices with customers. Many unauthorized transaction cases begin when a bank customer’s employee opens a phishing or malware e-mail that lets criminals obtain the log-in credentials used to perform unauthorized transactions. In particular, spear phishing e-mails often target key employees who have access to accounts. Banks should be proactive with their customers in discussing ways to mitigate this risk. For example, a bank could recommend that the customer initiate electronic transfers only from a dedicated computer that is not used for e-mail or general web browsing, which reduces its exposure to phishing messages, malicious attachments, and web pages that serve malware.22 Banks could also encourage customers to conduct regular cybersecurity training to reduce the risk of an employee falling victim to a phishing or malware e-mail attack, and to use antiphishing software to help detect and block phishing e-mails.
Cybersecurity breaches are on the rise, and lawsuits seeking reimbursement for the resulting losses are rising, too. In the event of a legal dispute over responsibility for unauthorized wire transfers and ACH credit transfers for a business bank account, courts will look to Article 4A of the UCC to determine who bears the loss based primarily on whether a bank has implemented a commercially reasonable security procedure. The standard under the UCC is not whether the security procedure is the best available; rather it is whether the procedure is reasonable for the particular customer and the particular bank.
Of course, no bank wants to be in litigation with its customers. Thus, banks should proactively discuss with their business customers ways to appropriately identify, measure, monitor, and control cybersecurity risks, taking into account the particular risks and circumstances of the customer’s operations. This will help banks to prevent unauthorized payments from occurring, reduce losses, retain satisfied customers, and increase public confidence in payment systems.
- 1 Association for Financial Professionals, 2015 AFP Payments Fraud and Control Survey: Report of Survey Results, 2015. Bethesda, MD: Association for Financial Professionals, available at http://ow.ly/MIraf.
- 2 See Brian Krebs, “$1.66M in Limbo After FBI Seizes Funds from Cyberheist,” Krebs on Security, September 14, 2014, available at http://krebsonsecurity.com/tag/luna-luna-llp/. Actually, $1.75 million in transfers were made, and the bank was able to recover $89,651, leaving a net loss of $1.66 million. The bank is currently in litigation with the law firm over responsibility for the losses. Texas Brand Bank v. Luna & Luna, LLP (Case No. 3:14-1134, N.D. Tex. 2014), available at http://ow.ly/NTVqy.
- 3 See Experi-Metal, Inc. v. Comerica Bank, 2011 WL 2433383 (E.D. Mich. 2011), available at http://ow.ly/MRdsC. The initial amount of unauthorized wire transfers was $1,901,269, but the bank was able to reverse some of the transfers.
- 4 FBI, Financial Services Information Sharing and Analysis Center, and Internet Crime Complaint Center, “Fraud Alert Involving Unauthorized Wire Transfers to China,” April 26, 2011, available at www.ic3.gov/media/2011/chinawiretransferfraudalert.pdf.
- 5 Suspicious Activity Reports for account takeovers are discussed in the U.S. Department of the Treasury, Financial Crimes Enforcement Network, “Account Takeover Activity,” Advisory FIN-2011-A016, December 19, 2011, available at http://ow.ly/MIyUU. Additional information on the incidence of payment fraud is available on the website of the Association for Financial Professionals, which publishes an annual survey of its members, at www.afponline.org/fraud/.
- 6 For consumer bank accounts, the Electronic Fund Transfer Act (EFTA), as implemented by Regulation E, determines who is responsible for unauthorized transactions. See 15 U.S.C. 1693g, available at http://ow.ly/MQDXX, and 12 CFR 1005.6, available at http://ow.ly/MQE9N.
- 7 Article 4A does not apply to an ACH debit transfer, which is initiated by the person receiving the transfer instead of the person sending it. See Official Comment 4 to UCC Section 4A-104, available at http://ow.ly/MQG4s. ACH debit transfers are governed by the rules of the National Automated Clearing House Association. Keppler v. RBS Citizens N.A., 2014 WL 2892352 (D. Mass. 2014) (discussing different rules that apply to ACH credit transfers and debit transfers).
- 8 Geoffrey Fowler and Ben Worthen, “Hackers Shift Attacks to Small Firms,” Wall Street Journal, July 21, 2011.
- 9 Allen N. Berger, William Goulding, and Tara Rice, “Do Small Businesses Still Prefer Community Banks?” Board of Governors of the Federal Reserve System, International Finance Discussion Papers 1096, December 2013, available at www.federalreserve.gov/pubs/ifdp/2013/1096/ifdp1096.pdf.
- 10 Symantec Corporation, Internet Security Threat Report 2014, vol. 19, April 2014, available at http://ow.ly/MRfQO.
- 11 These requirements appear in UCC Section 4A-202(c).
- 12 Official Comment 4 to UCC Section 4A-203.
- 13 UCC Section 4A-202(c).
- 14 Decisions of federal appeals courts are binding on the federal courts in their jurisdiction. The First Circuit encompasses Massachusetts, Maine, New Hampshire, Rhode Island, and Puerto Rico, whereas the Eighth Circuit encompasses Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota, and South Dakota. For banks operating in other states, these decisions are persuasive but not binding authority.
- 15 Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012), available at http://ow.ly/MQNCG.
- 16 FFIEC, “Authentication in an Internet Banking Environment,” 2005, available at http://www.ffiec.gov/pdf/authentication_guidance.pdf. In 2011, the FFIEC published supplemental authentication guidance to update the member agencies’ expectations “regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.”
- 17 Tracy Kitten, “PATCO Settlement: What It Means,” Bank Info Security, December 24, 2012, available at http://ow.ly/MQQ9U.
- 18 Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014).
- 19 FFIEC guidance, p. 4.
- 20 Section 4A-202(c).
- 21 Section 4A-203, Comment 4.
- 22 For other examples of ways to mitigate cybersecurity risk, see the March 12, 2010, Cyber Security Advisory, “Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks,” of the National Council of Information Sharing and Analysis Centers at http://ow.ly/NTVK8. In addition, the Texas Bankers Electronic Crimes Task Force, working with other agencies, published “Best Practices: Reducing the Risks of Corporate Account Takeovers” in 2011, which is available at http://ow.ly/NTVMw.