
OFFICIAL PUBLICATION OF THE INDIANA BANKERS ASSOCIATION

Vol 109 2025 No. 4

Compliance Connection: Phishing and Fraudulent Wire Transfers: Who Bears the Loss?

Question: A customer was recently the victim of a phishing fraud where they were convinced by a caller claiming to be with our bank to log in to a webpage and provide their access credentials – the fraudster then initiated a large wire transfer to a foreign account. The customer wants the bank to reimburse them for the loss. Who bears the loss of a fraudulent wire transfer under these circumstances?

Answer: As a general rule, the customer bears the loss under these circumstances unless the bank fails to employ commercially reasonable security procedures to prevent the loss. However, responsibility for a fraud loss under these circumstances can be argued to transfer to the bank depending on the kind of security procedures you employ to prevent fraud and the language in your account agreements assigning responsibility for any transactions made using the customer’s access credentials.

The bank must be able to prove the customer authorized the payment order, and that its security procedures were “commercially reasonable.” Indiana Code provides that a payment order received by a bank is the authorized order of the identified sender if that person authorized the order or is bound by it under the law of agency.[1] Even if the order was not authorized, the identified sender will still be bound by the payment order if the customer agreed to a security procedure that verified the payment order, so long as: (1) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (2) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders in the name of the customer.[2]

Commercial reasonableness of a security procedure is determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.[3] A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in a record to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the bank’s obligations under the security procedure chosen by the customer.[4]

While every fraud claim is fact-sensitive, ensuring your account agreements have strong language assigning liability for transactions made using the customer’s access credentials and acknowledging that the bank’s security procedures are commercially reasonable will typically ensure the customer remains responsible for a loss incurred as a result of phishing and initiation of a fraudulent wire transfer.

This information is provided for general education purposes and is not intended to be legal advice. Please consult legal counsel for specific guidance as to how this information applies to your institution’s circumstances or situation.

FOOTNOTES

  1. Ind. Code § 26-1-4.1-202(a)
  2. Ind. Code § 26-1-4.1-202(b)
  3. Ind. Code § 26-1-4.1-202(c)
  4. Ind. Code § 26-1-4.1-202(c)

Brett Ashton, Partner, Krieg DeVault LLP

Brett is chair of Krieg DeVault’s Financial Institutions Practice. He counsels a wide array of financial institutions on complex bank acquisitions, litigation defense and avoidance strategies, strategic planning, new product development, negotiation and defense of regulatory enforcement actions, and general regulatory compliance issues.

Krieg DeVault LLP is a Diamond Associate Member of the Indiana Bankers Association.
