A recent Eighth Circuit Court of Appeals decision in favor of BancSouth bodes well for financial institutions that understand their obligations under UCC Article 4A and take those obligations seriously. Unlike consumer customers, who are pretty much protected against unauthorized funds transfers by Regulation E if they examine their monthly bank statements and promptly inform their banks of any unauthorized transactions, business customers whose bank accounts are compromised by cybercrooks have much less protection. As the 8th Circuit points out, the inquiry in such instances is focused on whether the bank and customer had agreed upon commercially reasonable security procedures that the bank would use to determine whether or not a purported funds transfer was authorized by the customer and, if so, whether or not the bank employed those security procedures in good faith. If the bank meets that two-pronged test, the business customer is stuck with liability for any unauthorized transfer.
The controversy usually arises when an employee of the business customer has fallen for a "phishing" scheme, clicking on a link in an email that causes malware to be downloaded that allows the crooks to learn the user name and password that the employee uses to log in to the bank's online banking system. In the BancSouth case, that apparently occurred. However, regardless of how access to the password and user name was obtained, the focus of the court was, as it should have been, whether the agreed-upon security procedures used by the bank were commercially reasonable and employed by the bank in good faith. In this instance, the court (and the trial court) found that they were.
While the customer's attorneys argued that the use of a user name and password was "one-factor authentication" that is contrary to FFIEC guidance advising that "multi-factor authentication" processes should be used, the court countered that argument by finding that the bank offered "dual controls" for wire transfers (separate persons must authorize the initial funds transfer request and the confirmation of that transfer order), and that the customer opted not to use such a procedure on the grounds that it was "inconvenient." More cautious banks not only offer dual controls, they require them unless the customer signs a separate agreement or waiver under which it indemnifies the bank from any claims, loss, or liability arising out of unauthorized transfers from the account under a single-control authorization process. BancSouth had such a waiver and the customer signed it.
BancSouth's online banking agreement also contained an indemnification provision that is common in online banking agreements in one form or another, pursuant to which the customer agreed to indemnify and hold the bank harmless from claims, losses, liabilities, costs and expenses, including reasonable attorneys' fees, arising out of the bank's provision of services, as long as the bank fulfilled its obligations. The appellate court ruled that this provision provided a sufficient basis for the bank to pursue a claim against its customer for payment of attorneys' fees, and overturned the trial court's denial of a counterclaim by the bank for such fees. Again, well-drafted online banking agreements ought to contain a similar provision.
Dan Mitchell, an attorney who has been involved in other high-profile litigation on this subject, and another commenter, had some cogent observations on the implications of this decision.
Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. Bancorp South had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover the costs from the escrow firm.
"The bank had asserted a counterclaim that the customer should pay the bank’s legal fees," said Mitchell, who battled similar claims in which Patco — a Maine construction firm — successfully sued its bank over a $588,000 cyberheist. "There’s no other federal circuit court case other than Patco that has gotten up to that level. The appeals court said the bank can now pursue its legal fees against the customer. And that may end up being the important part of this opinion in the long run if [plaintiffs are] looking at not only have to pay their lawyers to pursue a loss but also those of the bank."
Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said the appeals court decision means that indemnification is now the ‘law of the land’ in the 8th Circuit.
Castagnoli said she expects two results from this decision: that banks which don’t already have these clauses in their online banking agreements will add them; and that cyberheist victims will think more cautiously about bringing a lawsuit.
"This is the first time a court has ruled on fee shifting, and that will certainly have a chilling effect on litigation," Castagnoli said.
The opinion contains other nuances that are worth considering. The linked article from Brian Krebs' excellent blog contains a link to the opinion.