Wire Fraud. Who Bears the Risk?


By: Allison S. Hyatt
Wire fraud has been on the rise in recent years. Finding out that escrow funds were mistakenly wired into the wrong hands is every broker, banker, consumer or escrow agent’s worst nightmare. Article 4A of the Uniform Commercial Code governs wire transfers and the unique issues raised by this method of payment commonly used in commercial transactions. The purpose of Article 4A was to define precise and detailed rules to assign responsibility, allocate risks, and establish limits on liability with respect to the complex claims that may result when a wire transfer goes awry. Critical consideration was given to each party’s need to predict risk with certainty, insure that risk, adjust operational and security procedures, and price wire transfer services appropriately, especially given the substantial amounts of money commonly involved in these transactions.
One of the liabilities balanced by Article 4A is the risk that a third party will steal a customer’s identity and issue a fraudulent payment order to the bank. Usually the bank bears the risk for unauthorized wire transfers. However, in a real estate transaction, whether the bank, broker, or escrow agent employed commercially reasonable security procedures in the transaction may shift this liability. For instance, as the Eighth Circuit found in Choice Escrow & Land Title, LLC v. BancorpSouth Bank, if a bank’s security procedures are commercially reasonable and it complies with those procedures along with its customer’s wiring instructions, the loss of funds resulting from an unauthorized wire transfer will fall on the customer if the bank is found to have accepted the fraudulent payment order in good faith. 754 F.3d 611, 625 (8th Cir. 2014).
In Choice Escrow, an employee of the escrow company fell prey to a phishing scam, causing the company to contract a computer virus that led to a series of fraudulent transactions. 754 F.3d at 615. Choice Escrow maintained a trust account with BancorpSouth. The bank received a request for a wire transfer of $440,000.00 from Choice Escrow’s trust account via the bank’s internet wire transfer system. Because the request was made using Choice’s User ID and Password, the bank approved the fraudulent transfer request even though the account lacked sufficient funds to cover the transfer. Id. at 616.
In its analysis, the Eighth Circuit evaluated BancorpSouth’s security procedures, which provided its customers with four different security measures. Choice Escrow had declined two of these measures. 754 F.3d at 617-622. Looking to a recommendation report published by the Federal Financial Institutions Examination Council (FFIEC), the court found that BancorpSouth’s security procedures complied with the FFIEC’s guidance. In addition, the bank had expanded its security procedures to address security threats that arose after the report was issued. Taking these factors into consideration, the court found that BancorpSouth’s security procedures were commercially reasonable. Id.
Next, the court analyzed whether BancorpSouth acted in good faith, finding that “[w]here, as here, a bank’s security procedures do not depend on the judgment or discretion of its employees, the scope of the good-faith inquiry under Article 4A is correspondingly narrow.” 754 F.3d at 623. The court reasoned that because the bank had promptly executed a payment order that had cleared the bank’s commercially reasonable security procedures and the bank had no independent reason to suspect the order was fraudulent, the bank met its burden of establishing it had acted in good faith. Id. at 624. Thus, Choice Escrow was left liable for its customer’s loss. The fact that the escrow company had declined two of the security procedures offered by the bank appears to have been a significant factor in the court’s reasoning.
The lesson to glean from the Choice Escrow opinion is that, to protect against liability, escrow companies, brokers, and other parties involved in commercial transactions should all continually assess the commercial reasonableness of their security measures, which may include: 1) the use of email accounts that require additional forms of authentication; 2) the use of digital signatures for messages; 3) the use of encryption to communicate with clients; and 4) the frequency of password changes, among others. In addition, if a breach occurs resulting in an unauthorized wire transfer, courts will likely evaluate the reasonableness of the company’s wiring procedures, including steps taken to review wiring instructions to verify their authenticity. Strict adherence to commercially reasonable security measures is key.
If you have any questions or would like additional information, please contact Allison S. Hyatt at [email protected] or (916) 472-3302.