Posted on 01/02/2019 at 11:00 AM by John Lande
With cyberattacks and data breaches now a routine part of life, banks and depositors need to make sure they secure funds from unauthorized wire transfers. In the recent case Essgeekay Corp. v. TD Bank, TD Bank may be liable for unauthorized wire transfers from a business depositor’s account because TD Bank failed to follow the account’s security procedure.
Essgeekay Corp. d/b/a American Prescription Surgical Center (“Plaintiff”) sued TD Bank after unauthorized wires totaling more than $176,000 were initiated via TD Bank’s online portal. The transfers were initiated using login credentials for one of Plaintiff’s employees. Plaintiff claimed the transfers were initiated by fraudsters, and TD Bank was liable for the loss because it failed to stop the transfers.
Each month, one of Plaintiff’s employees initiated five to six wire transfers to pay the wholesalers. TD Bank and Plaintiff agreed to use a security procedure to verify that all wire transfer requests were in fact from Plaintiff. To initiate a transfer, one of Plaintiff’s employees, named Vajinepalli, logged into TD Bank’s online portal with a username and password. If he logged in from an unfamiliar computer, TD Bank would lock the account and require Vajinepalli to call the bank and answer a security question.
In June 2016, Vajinepalli logged in and noticed three wire transfers to banks in California, Oklahoma, and Texas. He had never initiated wire transfers to any of these states in the past. According to the account, these transfers were not initiated by Vajinepalli, but by another employee named Dave. Dave had never initiated wire transfers through his login before these three transfers. Dave attempted to log in to cancel the transfers, but his account was locked.
Plaintiff claims that TD Bank never tried to contact Dave to inform him of a login attempt from an unfamiliar computer, or to request that Dave answer a challenge question. TD Bank claimed it tried to contact Dave, but refused to provide him the contact information it used to reach out to him.
Plaintiff sued TD Bank, claiming that TD Bank failed to follow the agreed-upon security procedure for verifying wire transfers. TD Bank filed a motion to dismiss the lawsuit. The court denied TD Bank’s request.
In reaching its conclusion, the court first looked at the applicable law. Liability for unauthorized wire transfers is governed by the Uniform Commercial Code (“UCC”). Under the UCC, banks are liable for unauthorized transfers from non-consumer accounts unless the bank and depositor agree to use a commercially reasonable security procedure to verify wire transfer requests before they are sent. If the bank and depositor agree to such a procedure, and the bank sends a wire after following that procedure, then the depositor is liable for the loss. However, the bank only avoids liability if it accepts the payment order in good faith. In other words, in order for a bank to avoid liability, it must (1) agree with the depositor to verify wire transfer requests with a commercially reasonable security procedure, and (2) follow that procedure in good faith.
In this case, the court concluded TD Bank’s security procedure was commercially reasonable. The court found that TD Bank’s procedure followed FFIEC guidance to use multi-factor authentication. In this case, the procedure used two factors. First, TD Bank required usernames and logins, which are something the user knows. Second, the procedure locked out access from unfamiliar computers, which is something the user has, i.e. a familiar computer.
However, TD Bank also had to follow the procedure and accept the payment order in good faith. Good faith requires the bank to accept the request in a way that reflects the parties’ reasonable expectations as to how the procedure will work, consistent with reasonable commercial standards of fair dealing. The court concluded that TD Bank may not have followed its procedure in good faith, as demonstrated by its decision to try to contact Dave to confirm the transfers and then to transfer the funds anyway. The court also concluded there were questions about whether TD Bank followed its security procedure. The case will now proceed to discovery, where the bank will have to demonstrate that it did comply with the security procedure and that it acted in good faith.
TD Bank will point to the written terms of its wire transfer agreement to define its obligations regarding the security procedure. However, a bank can inadvertently create an agreement with its depositors if a bank routinely calls depositors before authorizing a transfer, or routinely declines transfers from new computers. The UCC only requires that banks and depositors “agree” on a security procedure, which does not have to be in writing. If TD Bank routinely locked accounts from unknown computers and failed to do so in the case of the transfers from Dave’s login, then TD Bank could be liable for the loss.
Banks should continually review their wire transfer security procedures to make sure employees are following them, and not adding new parts to the written policy. Banks also need to review and update their policies to make sure they are commercially reasonable. As the UCC and FFIEC have made clear, what is commercially reasonable today may not be so in the future.