Posts

Banks may be liable for negligent transfer of hacked accounts

This column was originally published in The Journal Record on March 9, 2020.


Justin G. Bates is a litigation attorney who represents individuals and both privately-held and public companies in a wide range of civil litigation matters.

By Justin G. Bates, Phillips Murrah Attorney

When asked by a reporter why he robs banks, notorious criminal “Slick Willie” Sutton replied, “Because that’s where the money is.” While banks still have the money, the nature of the crime has evolved with technology. Today’s modern bank robber is often armed with nothing more than a mouse and keyboard, and the preferred tools and techniques of their trade are phishing and malware.

Hackers infiltrate businesses and individuals alike, typically using “social engineering” tactics to gain trust and access to an employee’s email account, to cite a common example, and re-route money from the rightful owner’s bank account to their own. While there are stiff penalties for a criminal caught in the act, it may come as a surprise that a bank that authorizes a wire transfer to a hacker’s account could be liable to the rightful owner.

Article 4A of the Uniform Commercial Code was enacted in response to the growth of electronic funds transfers and the crime that evolved in its wake. Under Article 4A, a bank is liable to a customer for the full amount of a negligently processed wire received by a hacker, including interest.

In the most basic terms, a bank is liable to its customer for a negligent wire transfer when (1) the customer did not authorize the transfer and (2) the transfer cannot be enforced against the customer because either (a) the transfer was not authorized by an employee of the customer or (b) a third party (outside hacker) initiated the transfer. At first glance, this may seem to be a slam-dunk trigger for liability to an aggrieved customer. But banks can take proper steps to insulate themselves from any liability under Article 4A.

To avoid liability, the bank must first prove three things: First, that it and the customer had an “agreed security procedure,” which are steps put in place, to which both the bank and customer agree by contract, to verify that a payment order or communication is between the bank and the customer. This is most commonly accomplished in the customer and bank’s initial account agreement.

Second, the bank must prove that it complied with the agreed security procedure and that such procedure is “commercially reasonable.” In other words, the procedures are to be in line with that which someone familiar with the industry would regard as sufficient and realistic. Examples of what constitutes “commercially reasonable” are explored below.

Finally, the bank must prove that it not only followed the security procedure, but that it initiated the wire transfer in “good faith.” In other words, the bank must prove that it acted with honesty in fact and observance of reasonable commercial standards of fair dealing.

So how does a bank best avoid liability?

In practice, cases under Article 4A often hinge on whether the bank’s security procedure is commercially reasonable. In order to meet this threshold, a bank is expected to have better than single-factor identification. The wire transfer should require the customer to input at least two of the following: (1) something the customer knows, such as a password; (2) something the customer has, such as an IP address; or (3) something the customer is, such as a fingerprint or voice scan.

With cybercrime on the rise, it is crucial for any bank to both protect its customers and insulate itself from potential liability. Requiring multi-factor identification is no guarantee for a bank to avoid liability under Section 4A, but it is one relatively easy way for a bank to better protect itself and its customers.

Justin G. Bates is a civil litigation attorney at the law firm of Phillips Murrah in Oklahoma City.

SQ 788 also opens path for new medical marijuana businesses

In this article, Director Jason M. Kreth discusses requirements and allowances for medical marijuana distributors and businesses since Oklahoma voters approved State Question 788.

Jason M. Kreth

Jason M. Kreth is a Director and a commercial litigator who represents financial institutions, handling matters such as foreclosures, bankruptcy and lender liability litigation. He also represents clients in a range of real property disputes.

Q: What type of new business opportunities exist now that SQ 788 has passed?

A: The approval of SQ 788 enacted a series of new statutes that take effect July 26. Aside from provisions related to the acquisition of a medical marijuana license for individual use, the statutes also provide a framework for the approval of new medical marijuana businesses. These businesses are: retailers or dispensaries of medical marijuana; commercial growers of medical marijuana; processors of medical marijuana into concentrated, edible or other forms; and medical marijuana researchers. In addition, the Oklahoma State Department of Health has published its draft proposed Medical Marijuana Control Program regulations which, if implemented in their current form, would provide for the licensure of laboratories to test and approve various medical marijuana products. However, both the statutes implemented by SQ 788 and the regulations proposed by Department of Health are still subject to change.

Q: What are the main requirements that must be met in order to obtain a license as a dispensary, commercial grower, processor or researcher?

A: In each case, an individual or entity wishing to obtain a license to operate as a dispensary, commercial grower, or processor, must submit an application to the Oklahoma State Department of Health along with a $2,500 fee. The application must establish that the applicant: is 25 or older; is an Oklahoma resident, in the case of entities, that all members, managers and board members are Oklahoma residents and that no more than 25 percent of its ownership is out-of-state; is registered to conduct business in Oklahoma; and isn’t incarcerated and doesn’t have either a nonviolent felony conviction in the last two years or any other felony conviction in the last five years. In addition, the Department of Health’s proposed regulations also would require submission of a criminal background screening as well as proof of a $50,000 bond made payable to the Oklahoma State Department of Health.

Q: Where can these new medical marijuana businesses operate?

A: Virtually any location as other businesses. The only direct exception is a dispensary can’t operate within 1,000 feet of a school. To ensure this freedom to operate these businesses, the statutes specifically prohibit a city or municipality from restricting zoning for the purpose of preventing the opening of medical marijuana establishments, and landlords are prevented from refusing to execute a lease with such businesses unless, by doing so, they would lose a licensing or monetary benefit under federal law. However, the proposed regulations of the Department of Health would create several practical limitations on where these businesses could be located. For instance, a dispensary may not be housed in the same location as a physician who can prescribe medical marijuana and the location where medical marijuana may be grown or processed is subject to more exacting security and privacy standards than those of a simple dispensary, which may limit the options for potential locations.

Q: When can these businesses obtain their licenses?

A: The statutes set an ambitious timetable of applications being made available within 30 days of the passage of SQ 788 and the establishment of a regulatory office for processing these applications within 60 days of passage. Furthermore, the statutes require that all applications must be processed within two weeks. However, these timetables are subject to alteration by the legislature and may be extended.

 

Published: 7/3/18; by Paula Burkes
Original article: https://newsok.com/article/5600093/sq-788-also-opens-path-for-new-medical-marijuana-businesses

LIBOR phase out means some mortgage, business loans need updating

Some mortgage, business loans may need updating with looming LIBOR bank rate phaseout.

Kendra M. Norman represents individuals and businesses in a broad range of transactional matters.

Q: What is LIBOR?

A: The London Interbank Offered Rate (LIBOR) is the daily calculation of an average of estimated interest rates that a panel of around 20 banks calculate they’d be charged to borrow from other banks. LIBOR serves as the primary reference interest rate that’s overwhelmingly used by lenders to set their own interest rates including mortgage and student loan lenders, as well as credit card companies. It’s been used since 1986 for this purpose. LIBOR hasn’t been without its scandals, and in 2012, media outlets began to allege that LIBOR was being manipulated by the very banks that set the rate, leading to fines levied against financial institutions and prison sentences for individuals involved in the rate manipulation as well as regulatory backlash. The Financial Conduct Authority is the regulatory agency for LIBOR, and on July 27, in an apparent effort to replace rather than reform LIBOR, Chief Executive Andrew Bailey announced the recommendation that LIBOR phaseout at the end of 2021 due to a lack of confidence in the calculation as well as unwillingness among banks to use it.

Q: What’s the future of LIBOR and how could it affect consumers?

A: LIBOR has been used pervasively as a benchmark rate for loans for over 30 years. Most consumers have at least one agreement in effect that references LIBOR, whether it be a mortgage or business loan. Many of these contracts are long-term and won’t expire before 2021 when LIBOR will be phased out. Some of these loan contracts based upon LIBOR contain a fallback provision and reference an equivalent or alternative interest rate to be used in place of LIBOR, laying the foundation for those instruments to be governed by LIBOR’s eventual successor. However, lenders and borrowers should review existing loan documents, especially those continuing after 2021, to ascertain whether they’re LIBOR-based loans and then whether they reference an alternative rate in the event that LIBOR is no longer published. Those documents without fallback provisions or an alternative rate should be amended and updated so that they reference a substitute or new rate to avoid legal uncertainty once LIBOR is replaced.

Q: What will replace LIBOR?

A: LIBOR’s administrator will continue to produce LIBOR until 2021 and possibly after that time if banks continue to contribute to the benchmark rate, so there’s still time to figure out what will replace LIBOR, but there’s currently no go-to replacement. Lenders and borrowers should consider use of fallback provisions and flexible amendment provisions due to the unavailability of LIBOR in the future.

From NewsOK / by Paula Burkes
Published: November 16, 2017
Click to see Kendra M. Norman’s attorney profile