Uniform Commercial Code Article 4A | Electronic Banking
Brian Krebs is publicizing many chilling stories of cybertheft, where small-to-medium enterprises lose money from their online accounts maintained at regional banks. Lawsuits abound.
In good part, the electronic funds transfer (EFT) relationship between a bank and its business (commercial) customer is governed by Uniform Commercial Code Article 4A. What are the rules when an unidentified computer thief wires money out of a businesses account? This chart summarizes what Article 4A says on the topic.
Following is an article I published in 1993, where I argued that UCC 4A properly balanced the interests of banks and their business customers. I’ve edited the only slightly from what I wrote in 1993.
The rash of stories that Krebs is publicizing is unprecedented in the 20-some-odd-year history of UCC 4A. In light of this rash, I am re-evaluating what I wrote in 1993. Notice that the hypothetical case I discussed below involved $5 million, whereas the cases Krebs exposes involve only tens or hundreds of thousands of dollars. The corporate victims of today's heist are less able to acquire expertise in IT security.
I’m not finished with my re-evaluation, but here's what I wrote . . .
UCC 4A's Delicate Balance
Hypothetical Question: Suppose a precocious 17-year-old uses her PC to send an electronic payment order to bank, relieves a corporate bank of $5 million, and vanishes with the cash. Neither the bank nor the corporate customer knows who committed the crime or how. Who should eat the loss . . .
This was the single toughest question the drafters of Uniform Commercial Code (UCC) Article 4A had to answer. This the “interloper fraud” case. 4A calls the 17-year-old an “interloper.”
One might argue — from either a banking or corporate perspective — that the drafters have produced the wrong response. But I disagree, regardless of which side thinks Article 4A is wrong. The default terms found in 4A are eminently fair on the question of who bears the loss. Article 4A says that sometimes the bank will bear the kind of loss inflicted by our nefarious 17-year-old, and sometimes the customer will. Distinguishing which of those two results will apply in any particular case can be a complex task, as explained below.
The default terms of Article 4A are indicative of the overall balance contained in this new statute, which resulted from vigorous negotiation on the parts of both corporate and banking interests. Section 4A-202(a) states that the customer bears the loss if the bank can prove that the customer actually authorized the payment order received by the bank. Fair enough, but in our example nobody knows who perpetrated the fraud, so it is not possible to establish that the order was authorized.
That leads us to Section 4A-202(b), which provides that the customer bears the loss if the bank proves that:
1. it properly verified the payment order with a security procedure agreed to by the customer (A security procedure is the use of devices such as passwords and cryptographic codes to show the authenticity of a message.);
2. the security procedure is "commercially reasonable”;
3. it acted in compliance with any written instructions from the customer restricting the acceptance of payment orders that purport to come from the customer; and
4. it acted in good faith.
Section 4A-105(a)(6) defines "good faith" as "honesty in fact and the observance of reasonable commercial standards of fair dealing." Honesty and fairness necessarily imply the use of internal controls by the bank to prevent stealing by employees and third parties and to protect the secrets of the customer's security procedure. (Later in this post I explore in more detail the evidence the bank must produce to prove good faith.)
To successfully march in court through the four steps listed above, the bank must have meticulous records and maintain stringent controls over those records to prevent tampering. It must observe strict secrecy about security procedures and maintain robust checks and balances to prevent breaches on the part of its support staff, its computer consultants and vendors, and anyone else who might have access to its transmission facilities. Otherwise, the bank will have difficulty proving that (a) it received a message instructing it to do what it did; (b) it properly followed each and every aspect of the relevant security procedure; and (c) it acted in good faith.
As we consider our hypothetical question, let us put to one side the questions whether the bank's security procedures were commercially reasonable and whether the customer gave the bank any instructions restricting the acceptance of payment orders. Let's assume that the bank has succeeded in satisfying the four requirements of §4A-202(b). (It is possible - although by no means easy - for a bank with a well-managed funds-transfer operation to meet those requirements.)
At this point, the corporate customer's prospects look grim. Unless the customer can prove something that will be difficult to prove, Article 4A will allocate the loss to the customer. Section 4A-203 provides that the loss is shifted back to the bank only if the customer can prove that the payment order in question was not caused by a person who:
1. was entrusted by the customer to deal with its payment orders or security procedures;
2. used the customer's communication facilities; or
3. obtained from the customer information facilitating the breach of the security procedure.
Only a customer with meticulous records, stringent controls over those records, robust checks and balances among relevant staff members and vendors, and strong controls over transmissions facilities will successfully pass through §4A-203's gauntlet. (Notice the rough similarity between the customer's burden and the bank's burden under §4A-202.) Most customers will not be able to pass, although in theory those with well-managed operations will.
Ultimately, if both parties have acted flawlessly - and can prove it - the bank is left with the loss. (Note that if the interloper who committed the crime is discovered and both parties have acted without fault, it is still the bank that is left with the loss.)
Both Sides Are Left Unhappy
Banking interests are unhappy with the rules of §4A-203 because when both parties have acted impeccably, the bank must bear the full loss. Conversely, corporate customers are unhappy with some of 4A's rules because customers can be exposed to huge potential losses when they are completely innocent.
In my view, however, on this issue Article 4A reaches a fair result. It reflects a compromise that allocates incentives, and therefore the losses, in a reasonable way. ( Just because this result is fair, it should not preclude a bank and a knowledgeable customer from agreeing by contract to a different result.)
Bank Must Make Allegations
Sections 4A-202 and 4A-203 create a presumption that the risk of loss caused by an interloper rests with the bank. That is fair. For a dispute over an unauthorized payment order to arise, the bank must first allege that something actually happened -- that the bank received a payment order purporting to come from the customer.
Unless the bank can support that allegation with records and other evidence showing that it received the order and that there was some significant reason to believe the order really came from the customer, then the bank should carry the loss. (Otherwise, the bank's employees could easily steal from the bank's customers.)
Given that it is fair to require the bank first to make a substantial allegation, the next question is, how substantial? Section 4A-202(b) says that if the allegation is supported by proof of commercially reasonable security and good faith, the allegation is substantial enough. In other words, by demonstrating in this way that the order has come from the customer, the bank has carried its initial burden of proof and has tossed the risk of loss to the customer.
Whether a security procedure is "commercially reasonable" is a tricky issue. Under Section 4A-202(c), it is a question that must take into account all of the circumstances, including the wishes expressed by the customer, the size and frequency of payment orders from the customer, and the general practices used within the banking industry. Thus, commercial reasonableness is -- as it should be -- a flexible, evolving concept. Given how technology changes, what is commercially reasonable today may not be in the year 2015.
Security Incentive for Bank
The burden of proof allocated to the bank gives it strong incentive to assess and reassess constantly the commercial reasonableness of the security of the communications between the bank and its customers. The burden of proof induces the bank to be always vigilant and to keep up with the changes occurring in general banking industry practices and technology, the customer’s banking habits, and the sophistication of criminal methods. The bank should have this incentive: It is in a much better position to assess these matters than are its corporate customers.
Security Incentive for Customer
If the bank does succeed in carrying its initial burden of proof, the customer runs a serious risk of bearing the loss. Although customers may not like this risk, it yields a good byproduct: It motivates customers to watch their bank accounts carefully and to place controls over those accounts and continually reassess and update those controls.
The customer has substantial controls at its disposal. Section 4A-202 and its Official Comment give the customer the unilateral power to place written restrictions on payment orders that the bank may accept. The customer can send to the bank a letter directing that the bank may not accept payment orders from the customer for, say,
1. amounts in excess of $1 million from account #1234 or in excess of $500,000 from account #6789;
2. payment to any party other than five identified trading partners; or
3. payment orders received at any time other than between noon and 4:00 p.m. on Mondays and Fridays.
Customers Can Place Restrictions on Bank
Article 4A places no limits to the restrictions business customers can place over their payment orders to the bank. Thus, customers have incentive to be creative — to spread funds among multiple accounts (and among multiple banks), to limit the amount of funds in any particular account, and to adopt patterns of business that make it very difficult for a criminal to do substantial damage. This incentive is good for the funds transfer business. It motivates the customer to choreograph its cash management practices so as to minimize risk.
In sum, neither banks nor customers are completely happy with 4A's allocation of liability in the event of interloper fraud. But the allocation reflects a sensible compromise in a situation that is inherently unhappy.
Proving Electronic Funds Transfer (EFT) Records
Uniform Commercial Code Article 4A gives a bank powerful incentive to have good internal controls over its funds transfer operations. If the bank does not have good controls, it will not be able to prove its records and will more likely bear the loss for a funds transfer fraud.
Until this point I have argued that Article 4A divides the risk of loss for interloper fraud fairly between banks and corporate customers.
Part of my argument has been that the bank bears a “weighty" or substantial burden of proof under §4A-202(b) -- one that is roughly similar to the burden of proof the customer bears under §4A-203( a).
Is Bank's Burden Easy?
Some lawyers have argued that in an interloper fraud case it should be relatively easy for the bank to meet its burden of proof under §4A-202(b), whereas the customer bears a weighty burden under §4A-203(a). The rationale of that argument is that the bank essentially needs to prove only "commercially reasonable security" (which, by itself, may not be so hard to prove) to carry its burden.
That argument, however, does not take into account what will actually happen in the litigation that follows an interloper fraud involving millions of dollars.
Consider what will happen at a jury trial: Bank alleges its computers received the relevant payment order and charged it against Customer's account. Customer declares, however, that it was in no way involved with this alleged order. Customer angrily assumes the posture that Bank or its employees may very well be trying to steal from Customer.
Bank now must bring forth enough evidence to prove that (a) Bank received a payment order and verified it with a security procedure; (b) the procedure was commercially reasonable; (c) Bank complied with any written restrictions issued by Customer; (d) Bank was "honest in fact"; and (e) Bank observed "reasonable commercial standards of fair dealing." Section 4A-202(b) says one of the things the bank must prove is that it acted in good faith, and §4A-105(6) defines "good faith" with two prongs: honesty in fact, and the observance of reasonable commercial standards of fair dealing.
With the exception of item (b), each of the elements Bank must prove is a jury question. (Official Comment 4 to §4A-203 says, "[w]hether the receiving bank complied with the [security] procedure is a question of fact.") Jury questions are difficult contests of fact.
Bank Must Proof Negative Proposition
Another way of looking at this is that, to a large degree, Bank must prove to the jury a negative proposition - that neither Bank nor its employees is responsible.
Here's my reasoning:
First, to prove that Bank received a payment order and verified it, Bank must prove it had good internal control. If it did not have good control, then Bank's records showing the existence of a payment order and verification of that order could have been fabricated by Bank's employees. The employees have incentive to fabricate the records because that would help them steal. (Official Comment 3 to §4A-203: "The bank is responsible for the acts of . . . employees" who process funds transfers.)
Second, to prove that Bank was "honest in fact" and in observance of "reasonable commercial standards of fair dealing," Bank must prove that it had adequate controls to prevent this fraud from originating from inside Bank. How can Bank be "honest" or "fair" if its management has reason to believe that its employees have good opportunity to steal? Management knows its employees have incentive to steal; the only way management can know that employees are not stealing is to have adequate internal controls.
When you boil it down, for Bank to prove that it did what was required, it must show that it had the internal controls to prevent this fraud from being an inside job. Hence, Bank must deliver roughly the same evidence that it would deliver if it had to prove that the fraud was probably not caused, directly or indirectly, by a relevant bank employee or someone gaining pertinent information from a source controlled by Bank.
Result: Bank's burden under §4A-202(b) is roughly equal to Customer's burden under §4A-203(a). Bank's burden is no lighter than Customer's.
To present the problem in concrete terms, below I sketch out what I perceive as the bank's burden in a hypothetical jury trial.
Let's assume Bank used as its "security procedure" an authentication process that includes a "commercially reasonable" cryptographic method. Bank installed the process with the aid of a well-known security consultant.
At trial the evidence brought forward by Bank must prove dozens, maybe hundreds, of discrete facts. For every aspect of each fact, Customer's counsel will probe, cross-examine, raise doubts, and, to the extent possible, present contradictory evidence. Full presentation of the evidence could take several days or even weeks.
In all respects, underlying the jury's review of Bank's performance is the assumption that Bank's employees had tremendous incentive to have committed or assisted this fraud. Thus, what might appear to be a minor breach of daily internal control procedures in a normal commercial environment can appear here to be a serious problem.
Much of the evidence Bank would like to bring forward (such as testimony from the bank's management and employees - whether delivered directly or through the filter of an independent investigator like the FBI) will be effective only if the source of that information is credible. But Customer's counsel will regularly remind the jury that every person at Bank is suspect and potentially lying in one way or another.
Questions at Trial
Consider in detail some of the questions that must be answered as Bank embarks on the unenviable task of presenting its complex case.
1. Did Bank implement and regularly reexamine an adequate system of internal controls?
2. Is this system of controls, and Bank’s daily compliance with this system, sufficiently documented?
3. Are all relevant aspects of this system always followed in each and every respect? (Note that, given the natural frailties of both individuals and organizations, a customer lawyer worth his salt will at least be able to raise a question in the jury's mind as to whether Bank's system, and the observation of that system, were impeccable. Documentation of a thorough system of internal control in a sophisticated funds transfer operation could easily occupy several volumes of an operations manual.)
4. At the moment in question, did Bank receive a payment order in the alleged form, containing the alleged data, through the alleged channel of communication?
5. Did Bank's facilities immediately record this payment order without alteration? Has it been possible for anyone (or any group of people) to alter the records since then?
6. Are each and every one of Bank's relevant employees screened and periodically rescreened, trained and periodically retrained, and adequately supervised? This inquiry could easily concern 20 or more employees, including all managers, clerks, accountants, programmers, technicians, and auditors who ever had access to any relevant information or computers.
7. Did Bank sufficiently screen its security consultant? Is the person who conducted the screening trustworthy and competent? Did Bank, as a result of its screening process, find anything about the security consultant that did or should have raised doubts?
8. Do outside auditors review the funds transfer operation regularly enough? Are the auditors competent and adequately screened to prevent them from committing fraud? Have auditors ever issued a report raising any questions about controls and security for this operation? Have those questions been satisfactorily addressed since they were raised? (I'll wager that it is very difficult, if not impossible, for a funds transfer operation to consistently obtain an absolutely squeaky clean report from outside auditors.)
9. Is it sufficiently difficult for someone outside Bank to gain access to the relevant computers and information inside Bank? Does Bank regularly hire outside security penetration test teams to probe Bank's security? Have the results been reassuring?
10. Is it adequately difficult for someone inside Bank to uncover Customer's authentication data? Are there adequate controls and audit trails to catch anyone who does uncover it?
11. If two or more of the right people were to collude (and at least one of them was inside Bank), could this fraud have been committed? Did Bank have sufficient internal controls to prevent one or more Bank employees from successfully colluding with Customer employees?
Recognize that answers to most of these questions will never be black and white. The installation and application of internal controls always reflect a long series of judgment calls.
At the end of the day, if Customer's counsel has performed well, the jury has at least some basis for doubt on several points. In a matter as complex as this, it is necessarily true that some Bank witnesses will not appear as perfectly credible as Bank would wish. Some internal control procedures will surely appear weak.
Result: The jury questions as to whether Bank actually received the payment order from an outside source and acted in good faith will be tough to answer.
Comments welcome. This topic keeps me humble; I have much to learn.
Update 2011: Neil Spears sent me this email: "I have followed your blog off and on for a couple of years now. In light of the Maine district court's decision that username/password authentication was sufficient to satisfy 4A, http://www.bankinfosecurity.com/articles.php?art_id=3705&pg=1 I looked up your thoughts on the topic and found this article [the blog post above]. I did not, however, find the results of your re-evaluation. Do you still feel 4A is balanced in an online context? Are we not placing too great of a burden on the business customer?
Thank you for your time.
Spears Technology Law, LLC.
My reply: I am rethinking the conclusion I reached in 1993 (the post above). UCC 4A sets an all-or-nothing standard. Either the bank is liable for all of the fraud, or it is liable for none of the fraud. Yet, often in these interloper fraud cases each party (bank and commercial customer) made some mistakes and should have done better. I feel UCC 4A needs to be reviewed. A better standard may be to split the loss between the parties according to the degree of negligence by each party.
Mr. Wright teaches cyber security law at the SANS Institute.