How one determines the “commercial reasonableness” of a security procedure based on Article 4A of the Uniform Commercial Code (UCC) has been a focus of recent court cases. Financial institutions should review these cases to ensure they are offering adequate security measures to their business customers, because an increasing number of customers who experience CATO fraud are seeking judicial relief for their losses.
Experi-Metal, Inc. v. Comerica Bank
In the Experi-Metal case, a customer lost approximately $561,000 through fraudulent wire transfers executed using stolen online banking credentials. The U.S. District Court for the Eastern District of Michigan found the bank liable for the losses and determined that it should have detected and stopped the fraudulent transfers earlier than it did. While the court found the existing security procedures were commercially reasonable as defined by the UCC, it also found that the bank failed to prove that it accepted the payment orders in “good faith,” defined as “reasonable standards of fair dealing.” The court's reasoning was that the bank failed to monitor the customer’s funds transfer activity and compare it to the customer’s previous funds transfer history to identify the fraudulent transfers in a timely fashion.
Patco Construction Company, Inc. v. People’s United Bank d/b/a Ocean Bank
In the Patco case, a customer lost approximately $345 million due to six fraudulent ACH transfers. The federal district court ruled in favor of the bank on summary judgment, finding its security procedures commercially reasonable. However, the U.S. Circuit Court of Appeals for the 1st Circuit reversed the decision. While the bank had implemented an anomaly monitoring system to review outgoing funds transfers, it failed to monitor and alert Patco to these unusually high-risk transactions. Had the bank been adequately monitoring the customer’s activity, the fraudulent transfers would have been detected.
Choice Escrow and Land Title, LLC, v. BancorpSouth Bank
In the Choice Escrow case, a customer was the victim of a phishing attack resulting in the fraudulent transmission of a $440 million wire transfer. The federal district court found the bank accepted the wire transfer in good faith and in compliance with its security procedures, which included a user ID, password, and device cookie for authentication to the online banking account. The bank also offered the option of requiring dual control — where one person inputs the funds transfer and another verifies and sends it to the bank. Choice Escrow did not implement the dual control option, because it usually did not have two authorized employees in the office at the same time to perform the dual control duties. The court found that if the customer had implemented dual control, the fraudulent wire transfer would not have been transmitted; therefore, the customer bears the loss. The ruling was appealed to the U.S. Circuit Court of Appeals for the 8th Circuit, which concurred with the district court’s decision.