Posted on 04/04/2018 at 12:51 PM by John Lande
A recent case from southern Florida provides an excellent summary of the rules that apply when fraudsters compromise a bank customer’s email account and use that access to initiate unauthorized wire transfers. Capten Trading Ltd. v. Banco Santander International began when fraudsters hacked into Capten Trading, Ltd.’s (“Capten’s”) email account. Fraudsters used that access to send emails to initiate a series of wire transfers out of Capten’s account at Banco Santander (“Santander”). After the unauthorized transfers were uncovered, and wire transfers reversed, Capten’s accounts lost approximately $190,000 to fraudsters. Capten filed a lawsuit against Santander to recover the stolen funds.
Capten alleged that Santander breached its deposit account agreement with Capten, acted negligently, and breached a fiduciary duty to Capten. Santander countered by arguing that it performed its obligations under its deposit account agreement with Capten, and that under Article 12 of the Uniform Commercial Code (“UCC”) the bank was not liable.
Santander’s argument relied on the special rules that govern liability for unauthorized wire transfers in UCC Article 12. This blog has previously covered the nuts and bolts of liability for unauthorized wire transfers. Under UCC Article 12, banks are permitted to rely on a wire transfer request from a depositor if (1) the depositor and bank have agreed to authenticate the wire transfer request using a commercially reasonable security procedure, and (2) the bank accepts the request in good faith. If the bank authenticates the wire transfer request according to its agreement with the depositor, then the wire transfer is effective as against the depositor, even if it later turns out the depositor did not actually authorize the transfer.
These rules can come as a surprise to many business owners because of their experiences as consumers. When an individual loses a debit or credit card for their personal or family accounts, banks will generally reimburse those consumers because of federal banking regulation E. Regulation E generally requires banks to reimburse consumers for unauthorized transfers from their accounts primarily for personal or household expenses. Regulation E does not apply to non-consumer accounts, such as accounts for businesses and even local governments. Instead, UCC Article 12 determines responsibility for unauthorized transfers.
The Court in Capten v. Santander ruled that Capten’s lawsuit was covered by UCC Article 12. As a result, the Court had to determine whether Capten and Santander agreed to use a commercially reasonable security procedure to verify any emailed wire transfer request. Under the agreement between Santander and Capten, Santander agreed to verify any emailed wire transfer request by combining a PIN number with values on a “Code Card” that generated a unique transaction identification number. That transaction identification number had to be included in any email requesting a wire transfer. Santander agreed to verify the authenticity of any wire transfer by mathematically verifying the transaction code. The fraudsters in this case sent properly verified transaction codes for all of the wire transfers.
The Court ruled that the security procedure was commercially reasonable, and that Santander acted in good faith when it approved the wires. The Court also ruled that Santander did not owe Capten any fiduciary duty, nor was Santander negligent when it approved the wires with the properly authenticated code.
UCC Article 12 intends that banks and depositors will tailor security procedures for the particular characteristics of the bank and depositor. This means that even though the Court ruled the security procedure in this case was commercially reasonable, it doesn’t mean that it would be in every case. Depositors should carefully review the terms of any wire transfer, or cash management agreement that governs wire and ACH transfers. This case could have also turned out very differently for Santander if Santander had not entered into a written agreement with Capten. Without a written agreement, if Santander had initiated the wire transfer it could have been liable to Capten.
This case has lessons for depositors and banks. Depositors need to be sure they don’t rely on consumer protection rules in their business and professional lives. Banks need to make sure their agreements with depositors for ACH and wire transfers protect the bank in the event a depositor’s email is compromised.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande