Reducing the Bank’s Liability for Internet and Electronic Fraud Losses

Internet and electronic fraud losses are increasing drastically for financial institutions.  Although the fraudster has ultimate liability for the fraud loss, the fraudster rarely can be found so the liability for the fraud loss generally is shifted to the bank.  This article explains how the bank can reduce its liability for Internet and electronic fraud losses with respect to commercial accounts if the bank utilizes reasonable security procedures and a properly drafted agreement with its customer.

The bank’s legal liability varies depending on whether the fraud was committed against a consumer account versus a commercial account.  If it is a consumer account, the Electronic Fund Transfer Act and Regulation E limit the consumer’s liability to a maximum amount of $50 provided the consumer promptly reports the fraudulent activity, making the bank liable for the remainder of the fraud loss to the consumer.  On the other hand, if it is a commercial account, the Uniform Commercial Code Article 4A (“UCC 4A”) generally permits the bank to shift the liability for fraud loss to the commercial customer if the following four requirements are satisfied: (1) the bank has adopted commercially reasonable security procedures; (2) the bank and the customer have agreed to use these security procedures to verify the authenticity of the customer’s payment orders; (3) the bank has in fact employed these security procedures; and (4) the bank has acted in good faith and in compliance with any written instruction from the customer.  Conversely, if the bank does not satisfy all of these four requirements, the bank generally will be liable for the entire fraud loss.

  1. Commercially Reasonable Security Procedures – The looming question is:  What are considered “commercially reasonable security procedures”?  UCC 4A defines security procedures as procedures established by an agreement of a customer and its bank for the purpose of verifying that the payment order is that of the customer and for detecting errors in the transmission or content of the payment order.  The commercial reasonableness of the security procedures is a question of law to be determined by the particular circumstances including the wishes of the customer expressed to the bank, the customer’s situation known to the bank (such as the size, type and frequency of payment orders normally issued by the customer), any alternative security procedures that were offered to the customer, and the security procedures in general use by customers and banks similarly situated.  Fortunately for banks, the commercial reasonableness standard is not whether the security procedure is the best available, but rather whether the security procedure is reasonable for the particular customer and bank.
  2. Bank and Customer Agreed to Use Specific Security Procedures – The second requirement to be able to shift liability to the commercial customer is that the bank and the customer have agreed to use specific security procedures.  Notice that there must be an agreement between the bank and its customer.  This is a strong impetus for a bank to enter into a security procedures agreement with its customer because, if a bank has followed the security procedure set up between the customer and the bank, the risk of Internet and electronic fraud losses generally can be shifted to the commercial customer.  Conversely, if there is no security procedures agreement with its customer, the bank generally will be liable for the entire loss.  It is wise for the bank to include in its customer agreement a statement whereby the customer acknowledges and agrees that the security procedures used by the bank are commercially reasonable.  Other relevant provisions to include in the customer agreement are: (1) the customer acknowledges there may be other security procedures that are more state-of-the-art but the bank’s existing security procedures are reasonable for the customer’s particular situation; and (2) the customer agrees to be bound by any payment order that is accepted by the bank in compliance with these security procedures whether or not the payment order was actually authorized by the customer.
  3. Bank Complied with Security Procedures – The third requirement is that the bank must have actually complied with the bank’s security procedures.  If the bank did not comply with its own security procedures, the bank arguably should be held liable for the loss.  The obvious legal principle is that the bank must do what it has contractually agreed to do.
  4. Bank Acted in Good Faith – The fourth and final requirement to shift liability to the commercial customer is that the bank must have acted in good faith.  Equitable principles will not permit the bank to shift the loss to its customer if the bank did not act in good faith.

To summarize this article, it is possible to reduce a bank’s liability for Internet and electronic fraud losses on commercial customer accounts by adhering to the four specific requirements discussed above.  Utilizing commercially reasonable security procedures together with a properly drafted customer agreement generally will permit the bank to shift these fraud losses to its commercial customers.

The article originally appeared in the May 2013 edition of BankNews.