Banks are tasked by the Uniform Commercial Code (the UCC, in Article 4A, which governs funds transfers) with using “commercially reasonable” security procedures when processing funds transfers. This responsibility is constantly evolving as bank fraud becomes more sophisticated and as banks and courts respond to attacks. The UCC allows a bank to enforce payment of an unauthorized transfer against its customer if the bank meets three requirements:
- The bank and the customer agree that the funds transfer will be verified pursuant to a security procedure,
- The bank’s security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and
- The bank proves that it accepted the payment order in good faith and in compliance with the security procedure.
Courts have focused on the “commercially reasonable” standard when deciding whether the bank or the customer bears the risk of loss. Just like the tactics of fraudulent bad actors, the legal standard of what is considered “commercially reasonable” will evolve over time.
Banks should stay ahead of the courts by implementing the following six steps to ensure that their security procedures are commercially reasonable:
(1) Review and Document Current Security Procedures.
Before a bank can determine whether its security procedures are commercially reasonable, it has to know what its procedures are, which may be harder to pin down than it sounds. An institution must first identify the products it offers that require security procedures. The major areas typically include access to:
- Internet Banking Service
- Wire Transfer Service, and
- Origination of ACH Entries
This documentation process ensures that a bank has identified exactly what its procedures are before it attempts to determine whether those procedures are commercially reasonable. The documentation should be updated whenever the procedures change.
(2) Document Transaction Monitoring.
While one court has held that transaction monitoring is not itself a security procedure, another court held that a bank’s failure to review transactions flagged by its monitoring system was a basis for ruling that the bank’s security procedure was not commercially reasonable. Therefore, an institution should document the systems it uses to monitor transactions, the action required when a system flags a transaction, and the person or department responsible for reviewing each system report. Monitoring that generates alerts nobody reviews is worse than no monitoring, because the bank has created a record showing it was on notice and did nothing.
(3) Compare security procedures with FFIEC Guidance.
Several courts have held that the FFIEC Guidance on Authentication in an Internet Banking Environment is the security procedure that a financial institution must follow. Right or wrong, these courts have treated the FFIEC Guidance as the "commercially reasonable" security procedure. Therefore, after documenting its security procedures, a bank should compare them to the procedures contained in the Guidance to ensure they are in line with it. For example, the Guidance requires a bank to use multifactor authentication when authenticating access to high-risk information or when initiating transfers. Multifactor means factors from at least two different categories (something the customer knows, something the customer has, something the customer is). So if a bank’s security procedures only require a user ID, a password, and answers to challenge questions, they would not meet the Guidance: the user ID merely identifies the customer, and the password and challenge questions are both "something you know," so only one factor category is present. Institutions should have their operations managers work through a step-by-step analysis of the Guidance requirements and then compare their procedures to the Guidance to ensure they meet the basic requirements.
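The following is an added example, not code from the article or from the FFIEC, showing how a reviewer can check whether a documented login or transfer procedure is actually multifactor. It classifies each credential by the factor category it provides and counts distinct categories rather than credentials. The credential names and the sample procedures are assumptions made for illustration.

```python
# Added example (not from the article): decide whether a documented
# authentication procedure is multifactor by counting distinct factor
# categories, not the number of prompts the customer sees.
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping from credential types a bank might document to the
# factor category each one actually provides. A user ID identifies the
# customer but proves nothing, so it contributes no factor at all.
CREDENTIAL_FACTOR = {
    "user_id": None,
    "password": Factor.KNOWLEDGE,
    "challenge_questions": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "hardware_token_otp": Factor.POSSESSION,
    "app_push_approval": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def factor_categories(credentials):
    """Return the set of distinct factor categories covered by a credential list."""
    categories = set()
    for cred in credentials:
        if cred not in CREDENTIAL_FACTOR:
            # An undocumented credential type cannot be assessed; fail loudly
            # rather than silently counting it as a factor.
            raise ValueError(f"unknown credential type: {cred}")
        factor = CREDENTIAL_FACTOR[cred]
        if factor is not None:
            categories.add(factor)
    return categories


def is_multifactor(credentials):
    """True only when at least two different factor categories are present."""
    return len(factor_categories(credentials)) >= 2


def review_procedures(procedures):
    """Map each documented procedure name to a pass/fail verdict string."""
    return {
        name: "meets MFA" if is_multifactor(creds) else "NOT multifactor"
        for name, creds in procedures.items()
    }


# Constructed sample procedures a bank might have written down.
SAMPLE_PROCEDURES = {
    "internet_banking_login": ["user_id", "password", "challenge_questions"],
    "wire_initiation": ["user_id", "password", "hardware_token_otp"],
    "mobile_ach_release": ["user_id", "fingerprint", "app_push_approval"],
}

if __name__ == "__main__":
    for name, verdict in review_procedures(SAMPLE_PROCEDURES).items():
        print(f"{name}: {verdict}")
```

The three-credential login in the sample fails because the password and the challenge questions sit in the same category; adding a second prompt of the same kind does not add a factor. The wire initiation passes because the token supplies a possession factor alongside the password.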
(4) Compare Security Procedures with Other Financial Institutions.
Most financial institutions are willing to share non-competitive information, especially when both belong to a user group sponsored by the same processor. Once a bank has documented its security procedures, it can compare them to those of similarly situated financial institutions. This is particularly effective because courts compare a bank’s procedures to those generally used in the industry when determining whether its security procedures are commercially reasonable.
(5) Compare Security Procedures to Case Law.
Several courts have issued opinions on whether a financial institution’s security procedures were commercially reasonable. While a court’s holding is not binding in every jurisdiction, judges in other jurisdictions may still rely on these decisions. At a minimum, the factual circumstances in these cases provide examples of what banks should avoid or focus on. For example, at least two courts have held that Dual Control is a commercially reasonable security procedure. Dual Control is a procedure that requires one employee of the customer to initiate a transaction, such as a wire transfer, and a second, different employee to verify and release it. Several of these cases can be found with a simple Internet search.
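The following is an added example, not code from the article or from any bank's system, showing the separation-of-duties check that makes Dual Control meaningful: the releasing employee must be a different person from the initiator, must hold release authority, must confirm the same beneficiary and amount that were initiated, and cannot release the same order twice. The employee records, entitlements and order details are constructed sample data.

```python
# Added example (not from the article): a minimal Dual Control release
# check for a wire transfer. The employee names, entitlements, account
# numbers and amounts are assumed sample data.
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


class DualControlError(Exception):
    """Raised when a release attempt violates the dual-control procedure."""


@dataclass(frozen=True)
class Employee:
    user_id: str
    can_initiate: bool
    can_release: bool


@dataclass
class WireOrder:
    order_id: str
    beneficiary_account: str
    amount_cents: int
    initiated_by: str
    fingerprint: str              # digest of the details as initiated
    released_by: Optional[str] = None


def order_fingerprint(beneficiary_account, amount_cents):
    """Stable digest of the details the second employee must re-confirm."""
    payload = json.dumps(
        {"beneficiary": beneficiary_account, "amount": amount_cents},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def initiate(employee, order_id, beneficiary_account, amount_cents):
    """First employee enters the wire. Returns an unreleased order."""
    if not employee.can_initiate:
        raise DualControlError(f"{employee.user_id} may not initiate wires")
    if amount_cents <= 0:
        raise DualControlError("amount must be positive")
    return WireOrder(
        order_id=order_id,
        beneficiary_account=beneficiary_account,
        amount_cents=amount_cents,
        initiated_by=employee.user_id,
        fingerprint=order_fingerprint(beneficiary_account, amount_cents),
    )


def release(employee, order, confirmed_beneficiary, confirmed_amount_cents):
    """Second employee verifies and releases. Enforces every dual-control rule."""
    if not employee.can_release:
        raise DualControlError(f"{employee.user_id} may not release wires")
    if employee.user_id == order.initiated_by:
        # The core of Dual Control: the initiator can never be the releaser.
        raise DualControlError("initiator cannot release their own order")
    if order.released_by is not None:
        raise DualControlError(f"order {order.order_id} already released")
    # The releaser re-enters what they see; if an attacker altered the order
    # between initiation and release, the digests no longer match.
    if order_fingerprint(confirmed_beneficiary, confirmed_amount_cents) != order.fingerprint:
        raise DualControlError("confirmed details do not match initiated order")
    order.released_by = employee.user_id
    return order


def run_sample():
    """Walk a constructed order through initiation and release; returns the order."""
    alice = Employee("alice", can_initiate=True, can_release=True)
    bob = Employee("bob", can_initiate=False, can_release=True)
    order = initiate(alice, "W-1001", "123456789", 250_000_00)
    return release(bob, order, "123456789", 250_000_00)


if __name__ == "__main__":
    done = run_sample()
    print(f"{done.order_id} initiated by {done.initiated_by}, released by {done.released_by}")
```

Note that Alice holds release authority in the sample, yet still cannot release the wire she initiated; Dual Control is about two people, not two entitlements held by one person. Requiring the releaser to re-enter the beneficiary and amount, rather than just clicking "approve" on whatever the screen shows, is what lets the second review catch an order that was modified after the first employee entered it.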
(6) Review Agreements for Proper Language.
The UCC provides that a security procedure is a matter of agreement between the financial institution and the customer. Therefore, the customer and the financial institution must agree that transactions will be authenticated in accordance with the security procedures. This can be accomplished through the various contracts between the financial institution and the customer. The primary agreements that should contain the proper language are the Internet Banking Agreement, the Wire Transfer Agreement, and the ACH Origination Agreement. Other agreements may be necessary, depending on the products and services the bank offers.
The major topics that should be included in the agreements are:
- The customer and the bank agree that transactions will be initiated in accordance with certain procedures,
- The customer agrees that the security procedures are commercially reasonable, and
- The customer agrees to be bound by transactions initiated in accordance with the security procedures even if the transaction was not initiated or authorized by the customer.
If a financial institution is going to allow the customer to decline any of its security procedures, the agreement should provide that when the bank offers a security procedure and the customer rejects it, the customer agrees that the procedure the customer selected instead is commercially reasonable. The specific security procedures should either be included in an attachment to the agreement or referenced in another document or site that contains them. The customer’s rejection of the bank’s security procedure should be in writing and signed by the customer, so that the bank can later prove both the offer and the refusal.