Setting a Precedent | By Laura Alix
A bank does not bear responsibility for making whole a commercial customer that lost more than $400,000 to a phishing scam, because the customer declined the bank’s “commercially reasonable” security measures, according to a recent appellate court decision that some Boston attorneys say could set a precedent for the industry as a whole.
Furthermore, the Eighth Circuit Court of Appeals also ruled that Tupelo, Miss.-based BancorpSouth Bank may seek attorneys’ fees from the commercial customer in question, Missouri-based Choice Escrow and Land Title.
The decision turned on Article 4A of the Uniform Commercial Code (UCC), which governs funds transfers. Under Article 4A, a bank would ordinarily bear the risk of loss when an unauthorized transfer occurs, except when the bank has offered a “commercially reasonable” security measure or when it can prove that it accepted the payment order in good faith and “in compliance with the security procedure and any written agreement or instruction of the customer.”
In this case, the appeals court decided that BancorpSouth’s security measures were commercially reasonable and that Choice Escrow should bear liability for the loss because it rejected those security measures.
“I think it’s a very measured opinion that shows that the justices understand the banking system and the business side for banks in a way that I think strikes a fair balance, which is what the legislature was trying to do in Article 4A,” said Brenda Sharton, a litigation partner at Goodwin Procter and chair of the firm’s business litigation practice. “I think this recognizes that balance in a way that shows some business acumen on the part of the justices.”
Fool Me Once …
At the root of the case was a phishing scam that befell one of Choice Escrow’s employees and infected their computer with a virus. That virus gave an unscrupulous third party access to that employee’s username and password and, additionally, allowed the thief to mimic that user’s IP address, effectively fooling the bank’s device authentication software.
That’s how a hacker was able to conduct a fraudulent wire transfer of $440,000 from Choice Escrow’s account to a bank account in Cypress. Choice Escrow sued BancorpSouth for the loss of funds, and BancorpSouth counterclaimed for its attorney’s fees.
BancorpSouth offered Choice Escrow a dual control security measure, in which any payment order submitted through the bank’s online account platform would have to be approved by a second authorized user with a unique username and password before the bank would make the payment.
Choice Escrow declined the use of dual control – not just once, but twice. First, Choice declined the measure when it first opened its trust account with BancorpSouth, and then again in November 2009, when one of the company’s underwriters alerted a Choice executive to the threat of a phishing scam and said executive wrote the bank asking whether it could limit wires to foreign banks.
BancorpSouth couldn’t stop wire transfers only to foreign banks, a banker wrote back, but perhaps Choice might like to implement dual control now?
The Choice executive declined, saying it would be “really tough unless we all shared passwords.”
In March 2010, scammers targeted a Choice employee and made off with the cash.
A Two-Way Street
The case bears some similarities to a previous appellate court case, PATCO Construction Co. vs. People’s United Bank, in which a Maine-based construction company brought a suit against Bridgeport, Conn.-based People’s United Bank after it lost more than $500,000 in a series of fraudulent ACH transactions.
Choice Escrow vs. BancorpSouth is “an important case because it is a second Circuit Court of Appeals opining on facts that are similar to the First Circuit case, but coming to a different – and in my opinion, correct – conclusion,” said Lynne Barr, partner at Goodwin Procter and chair of the firm’s banking and consumer financial services practices. “The efficient operation of the payments system is dependent on certain compromises among the party and recognition of the fact that security measures that are appropriate for one bank and its customers may not necessarily be appropriate for another.”
In the PATCO case, while a lower court initially ruled in favor of the bank, the First Circuit court overturned the summary judgment and remanded it back to a lower court. The case settled shortly thereafter.
Other cases, certainly, have dealt with Article 4A of the UCC, but many settle well before reaching the circuit court of appeals. That may be in some measure because the money in question wasn’t worth the attorneys’ fees to bring the case very far, but it may also be that bankers are unwilling to potentially set a negative precedent for their industry, said Sharton, who represented People’s United in the First Circuit case, but declined to comment on the particulars of that case.
The Choice Escrow case applies only to commercial customers, of course, but it establishes an important precedent: Customer security is a two-way street.■
Laura Alix is a staff writer for The Warren Group, publisher of Banking New York. She may be reached at email@example.com.