Pub. 3 2014 Issue 1

l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s 14 customer’s same computer. Any wire or ACH request needs to be carefully confirmed. In some cultures and countries, stealing from America or Western Europe has become an acceptable and lucrative way of life. Whole communities of crooks operating in multiple foreign countries, as well as the U.S., are specializing in different aspects of breaking into customer’s computers. These crooks have become very skilled at monitoring for financial activity, obtaining customer credentials, and even becoming experts in piggybacking on a customer’s computer to send additional fraudulent transfer requests while the customer is sending legitimate requests. Others specialize in moving the transferred money around the world so that most of it ends up with the crooks without being traceable. The crooks are putting much time and effort into stealing from bank customers. Even the largest banks can’t keep up with the ever increasingly sophisticated and constantly changing ways crooks are targeting bank customers. Is the only solution to stop doing wire transfers? In October 2013, one of the largest banks in the U.S. sent notices to most of it’s business customers indicating the bank would no longer do any international wires for the customer. There was much speculation in the national press about why this mega-bank was no longer doing wire transfers. Then news articles appeared indicating that the mega-bank still allowed international wires, but only for qualifying customers that established a certain type of account. I have no inside information about that bank so I am only speculating. However, it is my educated guess that the bank was probably absorbing so many losses in international wire transfers that it decided to stop doing international transfers unless the customer agreed to be responsible if the wire fraud was caused by someone who obtained security information from the customer or sent the transfer instructions through the customer’s computer. In accordance with the Uniform Commercial Code 4A-202, a bank can put good language in its customer agreements that prevent the customer from holding the bank liable when the bank followed specified security procedures provided the customer agrees in the agreement that the bank will not be liable and provided the security procedures are commercially reasonable. The courts ultimately determine whether the procedures the bank uses are commercially reasonable. Sometimes the courts take into consideration things like whether the bank established parameters regarding the size and frequency of the transactions for the particular customer. So an agreement that requires the customer to set the size and the frequency of ACH or wire transfer transactions places the bank in a better position to show the court that the procedures were commercially reasonable. The bank can also offer very strong security procedures such as requiring a written physical document be received by the bank prior to any wire transfer or ACH transfer being finalized. Customers sometimes desire, due to cost or convenience, to select a less strong security procedure than the strongest security procedure the bank offers. If a business customer chooses less secure procedures after a bank offered a strong commercially reasonable security procedure, which the customer declined, an agreement between the bank and the customer can provide protection for the bank so the bank will not be responsible for loss when the bank followed the customer’s chosen security procedures. Bank’s should have their attorneys draft a well-written agreement that follows UCC 4A-202 requirements. The fact is that the bank has no way of knowing if the customer allowed his computer system or other information to be compromised thus allowing a crook to send valid looking requests to the bank to ACH or wire funds from the customers accounts. As long as the customer can hold the bank liable for any fraudulent (or even alleged fraudulent) transaction, the customer has little incentive to make certain he secures his business with good controls and good computer protection. Banks should stop doing wire transfers for business customers until the bank and the customer have entered into an agreement that discloses the specific security procedures, allows the customer to establish the parameters for transfers and which agreement prevents the customer from holding the bank responsible when the bank follows the security procedures selected by the business customer. Prevention of losses is the only reasonable solution. Safeguards on the business customers end of the transaction are necessary to prevent these losses. Bank customers need to understand the high risk of wire transfer fraud through electronic communication. For business customer’s that want that convenience and are willing to accept the risk when a bank follows the disclosed security procedures, banks can still offer this service based on electronic communication, provided the bank has a good agreement with its business customer and the bank always follows the security procedures. A non-business individual consumer is protected by other laws. These laws can prevent the consumer from agreeing not to hold the bank liable for a fraudulent ACH or wire transactions regardless of the acts of the consumer. Many banks require non-business customers to be physically present in the bank and physically sign in ink any request for a large ACH or wire transfer request. For business customers that are unwilling to accept the risk when the customer’s credentials or computer is compromised, and for all consumer accounts, banks should never rely solely on electronic communications to authorize large ACH or wire transfers. For more information, please give us a call at (785) 228-0000. continued frompage 12