A federal court has sided with a Mississippi bank in a lingering dispute with a customer over financial losses linked to an account takeover incident dating back to March 2010. That means the bank will not have to cover the cost of the loss or pay damages.
On March 18, in a summary judgment filed in a U.S. District Court in Missouri, a magistrate judge favored BancorpSouth in its legal dispute with Choice Escrow Land Title LLC over a $440,000 loss that resulted from fraudulent wire transfers.
In his ruling, Judge John Maughmer points to Choice Escrow's decision to decline BancorpSouth's offers for dual or two-person authorization on wires. That refusal, the judge determined, relieves the bank of responsibility for the losses that later resulted.
"On two different occasions, Choice was offered the opportunity to employ 'dual control' as part of its utilization of BSB's [BancorpSouth's] InView system and Choice refused the option on both occasions," the judgment states. "There can be little doubt that 'dual control' meets the definition of a security procedure."
Maughmer, however, acknowledges in his ruling that cases involving disputes over ACH and wire fraud have been increasingly heated, and while both banks and commercial customers may believe they have taken adequate steps to protect themselves, courts must base decisions on the letter of the law and contractual agreements.
"The tension in modern society between security and convenience is on full display in this litigation," Maughmer states in his summary judgment. "Choice understandably feels as though it did nothing wrong, but yet is out $440,000. BSB [BancorpSouth], as well, feels as though it has done nothing wrong. In essence, both parties are correct - yet someone must bear the risk of loss."
Long Legal Battle
Choice sued BancorpSouth in November 2010 to recover the losses, which resulted from a fraudulent transfer approved by the bank and wired to an overseas account in Cyprus. Since then, the two parties have been in a back-and-forth legal dispute, with each suing the other over the losses.
In August 2012, a district court in Missouri dismissed BancorpSouth's counterclaim that sought to have Choice held liable for losses, damages and legal costs in the case.
Choice executives declined to comment on whether they planned to appeal the latest ruling in favor of BancorpSouth.
Uniform Commercial Code
The court's decision is supported by a provision within the Uniform Commercial Code's Article 4A that governs how financial institutions should handle incidents of wire-transfer fraud. The court notes that if a bank offers security procedures that a commercial customer refuses, then according to that UCC provision, the customer is liable.
"The experts in this case agree that the fraud would not likely have occurred if Choice had utilized the 'dual control'" offered by the bank, the judgment states. "It elected not to ... twice."
Dan Mitchell, the attorney who represented PATCO Construction Inc. in its federal appeal of another fraud-related case, says the Choice ruling marks the first time a court has based its decision involving an ACH/wire fraud dispute on that UCC liability provision.
But Mitchell also says the reason the provision is not often referenced is because it's not typical for a commercial customer to refuse a security feature offered by a bank. "Most clients take the procedure when it's offered," he says.
David Navetta, co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee, offers an analysis of why the bank won a favorable ruling. "It came down to this: The bank customer turned down 'dual control,'" he says. "Under UCC 4A-202(c), if a bank offers a commercially reasonable security procedure and that offer is turned down by the customer, and the customer agrees in writing to be bound by payment orders, even if they didn't authorize them, then the customer bears the risk of loss."
That UCC provision makes the bank's argument rather cut-and-dry, Navetta says. The bank's diligence in documenting its repeated offers to Choice for the use of dual controls also made a difference here, he adds.
"Basically, the bank was smart, and had good lawyers," Navetta says. "They set up a procedure that provided a commercially reasonable security choice, documented the customer turning it down, and got the customer's acknowledgment that they were responsible for wire transfers initiated in their name. They studied the procedure in the UCC and applied it, and that allowed them to prevail."
Still, Mitchell says the Choice ruling, like many involving disputes over account takeover fraud, leaves some questions unanswered. Choice, he adds, could have a legitimate argument on appeal, based on facts presented and argued that were not included in the final judgment.
"One thing the summary judgment establishes is that a dual control is commercially reasonable," Mitchell says. "But the court does not really say much in its ruling about why they think it's commercially reasonable. The court just says its relying on the experts. I'm sure in this case there were some detailed depositions with the experts on the dual controls that could be argued further."
The court's description of dual controls also meeting requirements for multifactor authentication is puzzling, too, he says. "I think it's multilayered, but I don't think it's a multifactor," Mitchell says. "It's all based on something the user knows. It's not based on a token or a card or something like that. So I question that, and the court's reason for this being considered commercially reasonable is not very detailed."
Other Recent Cases
Choice Escrow is just one of several notable cases involved fraudulent ACH and wire transfers. In July 2012, PATCO successfully convinced a federal appellate court to reverse a lower court's decision that favored the former Ocean Bank, now People's United Bank, in its dispute.
The43-page ruling described the bank's security procedures as "commercially unreasonable," stating the bank should have detected and stopped the fraudulent transactions that drained more than $500,000 from PATCO's commercial account in 2009. The ruling stated that Ocean Bank actually increased the Maine-based construction company's fraud risk by relying on what the court calls a "one-size-fits-all" approach to monitoring and authenticating high-dollar transactions.
In June 2011, a Michigan district court ruled that Comerica Bank was responsible for the more than $560,000 Experi-Metal Inc. lost in 2009, after fraudulent wires totaling more than $1.9 million were authorized by the bank and transferred from EMI's account.
In the 27-page bench opinion, the court found that Comerica should have detected and stopped the fraudulent transfers based on EMI's previous transaction history. In particular, the court noted that the bank's account monitoring and fraud-detection systems should have raised a flag when $5 million in overdraft charges accumulated as a result of the fraudulent wires, given that EMI's account typically had a zero balance.
"A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," the court wrote. "Comerica fails to present evidence from which this Court could find otherwise."
And in June 2012, Village View Escrow settled with Professional Business Bank for an undisclosed amount over account takeover losses that in March 2010 cost Village View nearly $400,000. Attorneys representing Village View, however, said the settlement included full recovery of the funds lost to fraud as well as interest paid to the bank.
In their complaint against Professional Business Bank, Village View's attorneys turned to Article 4A of the Uniform Commercial Code. The attorneys argued the case based on UCC standards for California, where Village View is based. But they also referenced case law from other jurisdictions, as well as unpublished cases.
The attorneys said case-law decisions handed down in the PATCO and EMI cases likely convinced the bank to settle.