Posted on 02/19/2018 at 12:00 AM by John Lande
A recent case from Delaware confirms that businesses, not their banks, are responsible for fraud that businesses’ employees commit. In Continental Finance Co. v. TD Bank, the Delaware Supreme Court considered whether TD Bank was liable to Continental Finance (“Continental”) for fraudulent transfers that a Continental employee made electronically from Continental’s account at TD Bank. Continental filed a lawsuit against TD Bank claiming that TD Bank was negligent for allowing Continental’s employee to fraudulently transfer funds from Continental’s account.
The Delaware Supreme Court affirmed the district court’s dismissal of Continental’s negligence lawsuit for two reasons. First, the contract between Continental and TD Bank limited TD Bank’s liability to gross negligence and willful misconduct. In this case there was no evidence that TD Bank had deviated from its normal procedure for funds transfers. The problem, from Continental’s view, was not that TD Bank had failed to follow its procedures, but that TD Bank had responded to the instructions of a Continental employee who was acting without proper authority. This was not gross negligence or willful misconduct.
Second, the Delaware Supreme Court concluded that Continental’s negligence claim was superseded by Delaware statutes that establish liability rules between banks and their depositors. Electronic funds transfers in Delaware, just like in Iowa, are governed by the Uniform Commercial Code (“UCC”). Under the UCC, banks are obligated to verify that payment requests that come from their depositors are authentic. If a bank and depositor agree to use a commercially reasonable security procedure to verify that electronic funds transfer requests are coming from the depositor, and not a third party, then the bank is not liable for an unauthorized transfer. Under the UCC, banks are not required to make sure that the particular employee making the transfer has internal authorization as long as the bank correctly follows the security procedure. If an employee authenticates the transfer by using the correct login credentials, and otherwise meets the bank’s security procedures, then the bank has met its legal obligations. Since TD Bank appears to have followed all procedures correctly, TD Bank was not responsible for Continental’s employee’s unauthorized transfers.
Organizations, regardless of their size, cannot outsource their responsibility to supervise employees to their banks. Organizations should carefully consider who they trust with important financial information. For the same reason that organizations shouldn’t leave the keys to the front door hanging in the lock, organizations also need to carefully protect access to the company checkbook and online banking login credentials. If an organization fails to properly secure its financial information then the only one responsible for a loss could be the organization.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande