Posted On: December 9, 2009 by David Johnson

JM Test Systems v. Capital One: The Legal Decision-Tree for Determining the Party Liable for an Unauthorized Funds Transfer

As reported by Brian Krebs of the Washington Post, electronic calibration systems firm JM Test Systems, which is based in Baton Rouge, Louisiana, has just filed a complaint against its bank, Capital One, to recover two unauthorized wire transfers amounting to some $97,000. See JM Test Systems, Inc. v. Capital One Bank, N.A., 19th Judicial Dist., Parish of East Baton Rouge No. 585172D. As reported by Krebs and stated in the complaint, the unauthorized transfers appear to have been initiated by hackers. The funds were ultimately transferred to "Alpha-Bank Moscow." Eastern Europe is the destination of choice for funds from hacked bank accounts.

This complaint involves just one of dozens of cases that Krebs has unearthed in the past year in which a small business has lost a significant sum of money through wire transfer fraud. While some businesses have filed lawsuits against their banks in an attempt to recover the stolen funds, according to Krebs, many small businesses have been leery of going after their banks.

So can a business expect its bank to cover its losses from hacker wire transfer fraud? The answer is "sometimes." The result in an individual case is largely determined by rules found in an obscure section of the Uniform Commercial Code -- Article 4A. Here is a synopsis of the key rules:

Rule 1 -- Insider fraud: If the person who initiated the transfer was authorized under agency law to initiate the transfer, then the customer is generally liable for the unauthorized transfers. UCC § 4A-202. In other words, if an unauthorized transfer results from an act of embezzlement by a person otherwise authorized to act on behalf of the company, the customer, not the bank, will generally be liable.

Rules 2-4 -- Outsider fraud: If the person who initiated the transfer was not an agent of the corporation, then the following rules apply:

Rule 2: The bank is not liable for a fraudulent transfer if the following four conditions are met: (i) the bank and its customer have agreed to verify the authenticity of transfers by security procedures; (ii) the bank instituted a commercially reasonable method of providing security against unauthorized transfers; (iii) the bank complied with these security procedures for the transfers in question; and (iv) none of the exceptions to this rule apply. UCC § 4A-202(b).

What constitutes commercially reasonable security procedures will depend on the customer account involved. According to the UCC, "A customer that transmits very large numbers of payment orders in very large numbers may desire and reasonably expect to be provided with state of the art procedures that provide maximum security." While smaller customer accounts may not need this level of security, according to the UCC, "a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable." For further information on what constitutes commercially reasonable security procedures, see our post on the Shames-Yeakel case and the FFIEC's 2006 Report on Authentication in an Internet Banking Environment.

If the bank fails to satisfy any of these four conditions, then it is liable for fraudulent transfers initiated by outsiders (e.g., hackers).

Rule 3: Even if the bank has complied with Rule 2, it is still liable if it has entered into a contract with its customer agreeing to take on liability for unauthorized transfers. UCC § 4A-203(a)(1).

Rule 4: Even if the bank has complied with Rule 2, it is still liable if the customer proves that the fraudulent transfer was not caused by one of the customer's agents, or by a person who obtained information that facilitated the security breach from the customer. UCC § 4A-203(a)(2).

What this means is that the bank's liability can turn on the specific method used by the hacker to get into the customer's account. For example, if the hacker used an SQL injection attack against the bank and obtained the customer's log-in data from the bank's systems, then a court would be likely to find the bank liable. On the other hand, if a hacker used a phishing scam and obtained the relevant access information by spoofing the customer, a court could well find that the bank is not liable for the loss. Of course, if the bank's security system is so lax that it makes it easy for hackers to phish for customer access information, a court could conclude that the bank had not implemented commercially reasonable security procedures, thus rendering it liable regardless of the hacker's breach method.

So far, I have seen no clear information on the method used by the hackers to obtain access to JM's bank accounts. In its complaint, JM does allege that Capital One's online security procedures are not commercially reasonable. However, the complaint also reports that Capital One insists that its security measures were "great" and "perfect."

Moving on to another issue, many bank wire transfer agreements require customers to review their account statements and report any unauthorized transfers, sometimes by the close of business on the day on which the transfer occurred. Some agreements also disclaim any liability for unauthorized transfers if disclosure is not made immediately. However, these attempts to limit bank liability may not be authorized by the UCC.

Rule 5: UCC § 4A-204 requires a bank to refund any unauthorized transfer to a customer for which the bank is liable under Rules 1-4, above. A customer is not entitled to payment of interest on that transfer if it fails to exercise due care and fails to notify the bank within a reasonable time, not exceeding 90 days, after it receives notification of the unauthorized transfer. UCC § 4A-204.

If a customer fails to provide notice within the 90-day period, the sole effect is that the customer loses the right to demand interest on its money. The UCC expressly provides that "the bank is not entitled to any recovery from the customer on account of a failure by the customer to give notification . . . ." While a bank can modify the time in which a customer is required to give it notification of a fraudulent transfer, the UCC expressly provides that it cannot change its obligation to refund the wire transfer itself. UCC § 4A-204(b).

The issue of notification may not be critical to the JM case. According to the complaint, JM notified Capital One of the fraudulent transfers within hours after each occurred.

Given the fact-intensive nature of the rules governing electronic funds transfers, it is too early to tell whether JM or Capital One will have to bear the $97,000 in losses JM suffered. We will watch this case and provide further reports as it develops. One more note: the rules provided in UCC Article 4A apply only to electronic transfers from business accounts. They do not apply to wire transfers from consumer deposit accounts, which are governed by the EFTA. See 15 U.S.C. § 1693.

David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.