Bank Prevails Over Customer in Third Party Hacking Case
Back in August of 2012, we wrote about a case where the court found a “very close call” between two distinct interpretations of the Fund Transfer Act. In that case, counterclaims by a bank against a commercial customer were dismissed where hackers accessed the customer’s account and drained it of over $400,000. In the original action, filed in 2010, Choice Escrow and Land Title, LLC (“Choice”) brought suit against BankcorpSouth Bank (“BSB”), alleging that BSB failed to provide commercially reasonable security by having only password protection on Choice’s account. Choice alleged that this allowed hackers who had obtained its username and password to make a $440,000 wire transfer to an entity in Cyprus on March 17, 2010. Choice demanded damages and recovery of losses related to the attack under the “Fund Transfers Act” (the “Act”) provisions of the Uniform Commercial Code (“UCC”).
The counterclaims dismissed in the 2012 ruling were based on the fact that certain indemnity obligations in agreements between the parties could be viewed to be in conflict with the Act, where those indemnity agreements could require Choice to pay to BSB the very same amounts that BSB would owe to Choice under the Act. In finding for Choice, the court stated that “the Funds Transfer Act does displace the types of indemnity agreement being relied upon by BankcorpSouth in support of its counterclaims. As such, the Court dismisses such claims.”
In August, we wrote that the “decision has interesting implications from a data protection perspective. Although financial institutions may negotiate broad indemnity obligations from their customers, those indemnities may not protect the financial institutions in cases where the intent of other applicable law…would be thwarted. For example, where applicable law requires security procedures (e.g., UCC 4A-201) and such procedures might include the recommendation of at least two-factor authentication (e.g., the FFIEC’s guidance on authentication from 2011), a financial institution cannot seek indemnity from its customer as a result of a breach of the system due to a failure in the authentication method used, where such authentication method conflicts with the applicable law.”
Even in light of the above reasoning, a March 18, 2013 ruling by the Missouri U.S. District Court found for BSB on a summary judgment motion. The court actually did focus on applicable law but went beyond simply looking at whether the security was appropriate. The court factored in additional actions by the parties as analyzed under the UCC as codified in Missouri. First, the court analyzed the default rule that “the risk of loss for unauthorized transfers lies with the bank.” Second, it looked at the exception to the default rule, which will relieve the bank of liability. Specifically, the Missouri UCC states that if a bank and its customer agree on the security procedures associated with a payment order, any such orders will be accepted by the bank “whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer” (emphasis added).
In this case, BSB produced evidence showing that it typically required its customers to use “dual control” with their system for transmitting funds. Importantly, when BSB first offered the use of dual control with Choice’s account, Choice declined. BSB went further, requiring Choice to sign a memo stating that Choice and its related entities “understand the additional risks we assume by waiving [BSB’s] requirement to utilize Dual Control for outgoing wires. By signing below we understand that although InView can restrict the account from which wires are sent and the amount related to said wire, InView CANNOT restrict to where the wire is sent. Since we wish to waive Dual Control anyone who has a User ID and Password or obtains access to a user ID and Password can wire funds to any other financial institution without restriction by [BSB] or the InView system. We understand that this can occur if our password is stolen. Further if funds are fraudulently wired out in this manner there is a substantial probability that we will be unable to retrieve our funds or recover losses.” When offered a second time, Choice turned down dual control yet again.
In its analysis, the court looked to the official commentary to the UCC. On the matter of security procedures, the court noted that “[s]ometimes an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper. In that case…the customer has voluntarily assumed the risk of failure of the procedure and cannot shift the loss to the bank.”
Although Choice was able to get counterclaims against it dismissed back in August, they could not convince the court on the merits that the bank should be responsible for the loss they suffered due to the outsider attack. Had the circumstances been different, e.g., if there wasn’t clear evidence that the customer accepted the risk, perhaps the court would have found differently. In this case, however, the bank had in place commercially reasonable (though arguably higher risk) security, in the form of single control access. They also had contractual agreement with the customer on that higher risk form of authentication. As a result, they (Choice) cannot transfer liability to the bank.