Bank Held Liable For Wire Transfer Losses in Phishing Scam
June 27, 2011
In one of the first published decisions regarding responsibility for wire transfer losses arising from phishing, a federal district court in Michigan ruled in favor of a company against Comerica Bank after the company’s controller divulged account access information in response to an email message. Wire transfers are subject to the Uniform Commercial Code, and Michigan’s version of the Code is similar to California’s. The central question before the court was whether the bank acted in good faith in carrying out the disputed payment orders. The applicable section of the UCC in California is Commercial Code Section 11202(b):
If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.
Good faith is defined as “honesty in fact and the observance of reasonable commercial standards of fair dealing.” Commercial Code Section 1201(b)(20). The definition consists of two parts: the subjective “honesty in fact” standard which pertains to a person’s intent, and the more objective standard that considers what other banks do in similar circumstances as necessary to help ensure fairness.
On the morning of January 21, 2009, Comerica Bank became aware that phishing emails had been sent to its customers by third parties trying to lure them into divulging sensitive account information. The next day, at 6:48 a.m., the controller at Experi-Metal Inc., a Comerica customer, received and responded to one of these email messages, believing it to have been sent by Comerica. He replied to the message and included all of the information necessary for the criminal to initiate wire transfer payment orders. Between 7:30 a.m. and 2:02 p.m. that day, ninety-three fraudulent payment orders totaling $1,901,269.00 were executed using the controller’s user information. The majority of the orders were directed to accounts at banks in Russia and Estonia. To carry out the fraud from the customer’s sweep account, one of the accounts from which wire transfers were authorized to originate, the criminal first transferred funds from Experi-Metal’s other accounts into the sweep account. Some of the wired funds created overdrafts, which the bank covered.
At approximately 11:30 a.m., an investigation analyst at the bank was alerted by telephone by its correspondent bank, JPMorgan Chase, regarding six suspicious wire transfers. Staff at Comerica immediately investigated, then contacted the president of Experi-Metal and confirmed that the company had authorized no payment orders that day. The bank then attempted to recall all of the processed wires and stop further activity. Its efforts were only partially effective: some orders initiated after the bank disabled Experi-Metal’s user identifications still went through, because disabling the identifications did not prevent a user already logged onto the system from continuing to initiate transfers. Eventually, Comerica recovered all but $561,399 of the fraudulent transfers. A few months later Experi-Metal filed an action against Comerica seeking to hold it liable for the unrecovered amount.
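The detail that orders kept flowing after the user identifications were disabled is a familiar session-management failure: blocking future logins does nothing to a session the attacker already holds. The following is an added illustration, not code from the bulletin or from any bank's system; the class, method names and token scheme are constructed. It contrasts a login-time-only check with a design that both revokes live sessions on disable and re-checks the user's status on every request.

```python
"""Added example: disabling a user ID versus ending the attacker's live session.

`SessionStore` models an online-banking session table. With
`per_request_status_check=False` and `revoke_on_disable=False` it behaves like
a system that only consults the disabled list at login time: a session opened
before the disable keeps working. Enabling both switches closes that gap.
All names and data here are constructed for illustration.
"""
import secrets


class SessionStore:
    def __init__(self, revoke_on_disable: bool, per_request_status_check: bool):
        self.revoke_on_disable = revoke_on_disable
        self.per_request_status_check = per_request_status_check
        self.disabled_users = set()
        self.sessions = {}  # session token -> user id

    def login(self, user_id: str):
        """Issue a session token unless the user has been disabled."""
        if user_id in self.disabled_users:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def disable_user(self, user_id: str) -> int:
        """Block future logins; optionally tear down every live session too.
        Returns the number of sessions revoked."""
        self.disabled_users.add(user_id)
        if not self.revoke_on_disable:
            return 0
        stale = [t for t, u in self.sessions.items() if u == user_id]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def submit_order(self, token: str) -> str:
        """Accept a payment order only for a valid session of an enabled user."""
        user = self.sessions.get(token)
        if user is None:
            return "REJECTED: no valid session"
        # Defense in depth: even if revocation missed a session, a per-request
        # status check stops a disabled user from issuing further orders.
        if self.per_request_status_check and user in self.disabled_users:
            return "REJECTED: user disabled"
        return f"ACCEPTED for {user}"


def scenario(revoke_on_disable: bool, per_request_status_check: bool) -> str:
    """Attacker logs in with stolen credentials, the bank then disables the
    user ID, and the attacker tries one more order on the existing session."""
    store = SessionStore(revoke_on_disable, per_request_status_check)
    token = store.login("controller")          # session opened before detection
    store.disable_user("controller")           # bank reacts to the alert
    assert store.login("controller") is None   # new logins are blocked either way
    return store.submit_order(token)           # what happens to the live session?


if __name__ == "__main__":
    print("login-time check only :", scenario(False, False))
    print("revoke live sessions  :", scenario(True, False))
    print("per-request check only:", scenario(False, True))
```

The first scenario reproduces the gap described above: the order is accepted even though the user ID is disabled. Either of the other two closes it; a production system should do both, since revocation can miss sessions held on other channels or nodes.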
The court first determined that Comerica and the customer, Experi-Metal, had agreed that the authenticity of payment orders would be verified pursuant to a security procedure, and that the bank’s security procedure was commercially reasonable. (The bank had adopted an authentication procedure using secure token technology.) It also determined that the controller was authorized to initiate transfers for the company. The court then turned to the question of good faith.
As is the rule in California, the bank in this case bore the burden of demonstrating that it acted in good faith in allowing the transfers (see the rule quoted above). The court found no evidence of dishonesty by the bank’s staff: they had no knowledge that the orders were fraudulent, and they reacted reasonably promptly once they became aware of the scam. Still, the court held that the bank could not prove that it acted in good faith, because the bank failed to demonstrate that it observed reasonable commercial standards of fair dealing.
In effect, this analysis erects a second threshold on the question of commercial reasonableness. After all, the court had already determined that the bank and the customer had agreed to use security procedures and that the procedures were commercially reasonable. The court explained that the objective prong of the good faith test requires that the bank’s actions were also fair to its customer. The bank’s key deficiency, according to the court, was its failure to articulate what those standards were with respect specifically to responding to a phishing incident.
Experi-Metal had offered expert testimony suggesting that the bank’s fraud monitoring procedures fell short of industry standards because the bank did not use fraud scoring and fraud screening monitoring programs. With such a program the bank could have recognized that the amount, frequency, and destination of the fraudulent orders were entirely inconsistent with Experi-Metal’s previous wire activity. However, the court decided not to accept the company’s expert testimony because the witness did not convincingly state the extent to which other banks deployed such tools. Nevertheless, as discussed below, the court ultimately held the bank responsible for failing to perform the kind of real-time analysis that could only be done by employing such analytical tools.
Comerica Bank also offered an expert witness who testified that its staff reacted within a reasonable time after being alerted of the unauthorized transfers by JPMorgan Chase. But the court questioned the witness’s qualification to address phishing incidents specifically. What appeared to trouble the court the most was that, while the bank enforced its own security procedures as to authenticating a user, contacting the customer, de-authorizing access, etc., the bank nevertheless carried out the highly out-of-range orders (for this customer) without engaging in any heightened scrutiny. For example, the bank allowed overdrafts totaling $5 million from a single account that usually had a zero balance, and the ten unauthorized transactions that caused overdrafts were entered consecutively within minutes of each other during a single online session. The company’s prior overdraft activity had been minimal. Moreover, the bank had become aware just the day before that its customers had been the target of phishing messages and the transfers were directed to suspicious destinations.
The court’s sentiment was summed up in the concluding section of its opinion: “This trier of fact [the judge] is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.” In practice, it would be very difficult for a bank to conduct this level of analysis (comparing current transactions with historical transactions) in real time without employing the kind of monitoring software that the plaintiff’s expert suggested was the industry standard, and which the court had ostensibly rejected. The lesson from this case is that banks should enhance their monitoring activities in order to avoid taking losses for fraudulent wire transfers.
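The monitoring the court had in mind is a per-order comparison against the customer's own history on amount, destination, overdraft exposure and velocity. The block below is an added example of such a screen, not the bulletin's content and not any vendor's or bank's product; the profile fields, thresholds, scoring weights and the sample order stream are all constructed for illustration, and a real deployment would derive the profile from the customer's actual wire history and tune the weights to its own false-positive budget.

```python
"""Added example: a minimal real-time screen for outbound wire payment orders.

Each order is scored against a constructed customer profile on the signals the
opinion singled out: amount out of range for this customer, a destination
country the customer has never wired to, an order that would overdraw the
originating account, and a burst of orders in a short window. Orders at or
above `hold_threshold` are held for manual review before release.
Everything here (names, thresholds, data) is constructed, not a real system.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class WireOrder:
    ts: datetime
    amount: float
    dest_country: str
    balance_before: float      # originating account balance before this order


@dataclass
class CustomerProfile:
    historical_max_amount: float   # largest wire the customer has ever sent
    known_dest_countries: set      # countries seen in prior wire activity


@dataclass
class WireScreen:
    profile: CustomerProfile
    velocity_window: timedelta = timedelta(hours=1)
    max_orders_per_window: int = 5
    hold_threshold: int = 3
    recent: deque = field(default_factory=deque)   # timestamps inside the window

    def score(self, order: WireOrder):
        """Return (score, reasons) for one order, updating the velocity window."""
        score, reasons = 0, []
        if order.amount > self.profile.historical_max_amount:
            score += 2
            reasons.append("amount exceeds customer's historical maximum")
        if order.dest_country not in self.profile.known_dest_countries:
            score += 2
            reasons.append(f"new destination country {order.dest_country}")
        if order.amount > order.balance_before:
            score += 2
            reasons.append("order would overdraw originating account")
        # Drop timestamps that fell out of the window, then count this order.
        while self.recent and order.ts - self.recent[0] > self.velocity_window:
            self.recent.popleft()
        self.recent.append(order.ts)
        if len(self.recent) > self.max_orders_per_window:
            score += 1
            reasons.append("order velocity above window limit")
        return score, reasons

    def decide(self, order: WireOrder):
        """Return ('HOLD' | 'RELEASE', score, reasons)."""
        score, reasons = self.score(order)
        return ("HOLD" if score >= self.hold_threshold else "RELEASE"), score, reasons


def run_sample():
    """Run a constructed order stream through the screen; returns (action, score) pairs."""
    profile = CustomerProfile(historical_max_amount=50_000.0,
                              known_dest_countries={"US", "CA"})
    screen = WireScreen(profile)
    t0 = datetime(2024, 1, 1, 7, 30)          # constructed base time
    stream = [
        WireOrder(t0, 12_000.0, "US", 100_000.0),                       # routine
        WireOrder(t0 + timedelta(minutes=2), 250_000.0, "RU", 0.0),     # out of range
        WireOrder(t0 + timedelta(minutes=4), 180_000.0, "EE", 0.0),     # out of range
        WireOrder(t0 + timedelta(minutes=5), 30_000.0, "US", 100_000.0),   # routine
        WireOrder(t0 + timedelta(minutes=6), 5_000.0, "US", 100_000.0),    # routine
        WireOrder(t0 + timedelta(minutes=7), 5_000.0, "US", 100_000.0),    # 6th in window
    ]
    return [(action, score) for action, score, _ in (screen.decide(o) for o in stream)]


if __name__ == "__main__":
    for i, (action, score) in enumerate(run_sample(), 1):
        print(f"order {i}: {action} (score {score})")
```

Velocity alone carries weight 1 here, so a burst of otherwise ordinary orders is noted but not held; the combination of an unprecedented amount, a never-seen destination and an overdraft from a zero-balance account scores well above the threshold on the first such order, which is the point the court made about the pattern in this case.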
Absent from the court’s analysis is a discussion of how the company controller’s falling for a phishing expedition should affect the allocation of loss. If the case had been decided under principles of negligence and the controller’s actions were deemed to fall below the applicable standard of care, then principles of contributory negligence would reduce the bank’s liability. But the UCC is intended to be construed as an almost exclusive body of authority as to matters that it clearly addresses.
In the seminal California case that also, incidentally, involved Comerica Bank (Zengen v. Comerica Bank), the California Supreme Court rejected negligence claims against the bank for allowing unauthorized wire transfers initiated by a customer’s dishonest employee. The court ruled that the matter at issue had to be decided under the UCC alone because the matter (whether the customer had timely notified the bank of the unauthorized transfer) fell squarely within Section 11204 of the Commercial Code. Generally, strict adherence to the UCC favors banks by excluding such actions as contract, negligence, and common law claims, and by providing a road map for compliance. This case suggests that Commercial Code Section 11202(b) places a significant and specific burden on banks: first to state what the standards are, and then to prove that they conformed to those standards.
The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice. Please consult with your counsel for more detailed information applicable to your institution.
© This CBA Regulatory Compliance Bulletin is copyrighted by the California Bankers Association, and may not be reproduced or distributed without the prior written consent of CBA.