Posts

Banks may be liable for negligent transfer of hacked accounts

This column was originally published in The Journal Record on March 9, 2020.


Justin G. Bates is a litigation attorney who represents individuals and both privately-held and public companies in a wide range of civil litigation matters.

By Justin G. Bates, Phillips Murrah Attorney

When asked by a reporter why he robs banks, notorious criminal “Slick Willie” Sutton replied, “Because that’s where the money is.” While banks still have the money, the nature of the crime has evolved with technology. Today’s modern bank robber is often armed with nothing more than a mouse and keyboard, and the preferred tools and techniques of their trade are phishing and malware.

Hackers infiltrate businesses and individuals alike, typically using “social engineering” tactics to gain trust and access to an employee’s email account, to cite a common example, and re-route money from the rightful owner’s bank account to their own. While there are stiff penalties for a criminal caught in the act, it may come as a surprise that a bank that authorizes a wire transfer to a hacker’s account could be liable to the rightful owner.

Article 4A of the Uniform Commercial Code was enacted in response to the growth of electronic funds transfers and the crime that evolved in its wake. Under Article 4A, a bank is liable to a customer for the full amount of a negligently processed wire received by a hacker, including interest.

In the most basic terms, a bank is liable to its customer for a negligent wire transfer when (1) the customer did not authorize the transfer and (2) the transfer cannot be enforced against the customer because either (a) the transfer was not authorized by an employee of the customer or (b) a third party (outside hacker) initiated the transfer. At first glance, this may seem to be a slam-dunk trigger for liability to an aggrieved customer. But banks can take proper steps to insulate themselves from any liability under Article 4A.

To avoid liability, the bank must first prove three things: First, that it and the customer had an “agreed security procedure,” which are steps put in place, to which both the bank and customer agree by contract, to verify that a payment order or communication is between the bank and the customer. This is most commonly accomplished in the customer and bank’s initial account agreement.

Second, the bank must prove that it complied with the agreed security procedure and that such procedure is “commercially reasonable.” In other words, the procedures are to be in line with that which someone familiar with the industry would regard as sufficient and realistic. Examples of what constitutes “commercially reasonable” are explored below.

Finally, the bank must prove that it not only followed the security procedure, but that it initiated the wire transfer in “good faith.” In other words, the bank must prove that it acted with honesty in fact and observance of reasonable commercial standards of fair dealing.

So how does a bank best avoid liability?

In practice, cases under Article 4A often hinge on whether the bank’s security procedure is commercially reasonable. In order to meet this threshold, a bank is expected to have better than single-factor identification. The wire transfer should require the customer to input at least two of the following: (1) something the customer knows, such as a password; (2) something the customer has, such as an IP address; or (3) something the customer is, such as a fingerprint or voice scan.

With cybercrime on the rise, it is crucial for any bank to both protect its customers and insulate itself from potential liability. Requiring multi-factor identification is no guarantee for a bank to avoid liability under Section 4A, but it is one relatively easy way for a bank to better protect itself and its customers.

Justin G. Bates is a civil litigation attorney at the law firm of Phillips Murrah in Oklahoma City.

Phillips Murrah welcomes three new attorneys to legal team

Phillips Murrah is proud to welcome Justin G. Bates, Kara K. Laster, and Phoebe B. Mitchell to our Firm.

Phillips Murrah welcomed Justin and Phoebe to the Firm’s Litigation Practice Group as associate attorneys. Each represents individuals and both privately-held and public companies in a wide range of civil litigation matters.

Justin attended the University of Oklahoma College of Law where he earned American Jurisprudence Awards for Civil Procedure II and Torts. He served as a member of the American Indian Law Review and was a member of the Phi Delta Phi Legal Honor Society. Justin also had the privilege of arguing in the final rounds of both the 2017 1L moot court competition and the 2018 Calvert Competition before an esteemed panel of Oklahoma justices.

Justin was born and raised in the metro area, where he currently lives. In his free time, he enjoys traveling, watching college football, discussing what could have been for the Oklahoma City Thunder, and spending time with friends and family.

Phoebe attended the University of Oklahoma College of Law where she earned the American Jurisprudence award for Civil Procedure II and was on the Dean’s Honor Roll. She served as the Research Editor and Candidate Mentor on the Oklahoma Law Review and was a member of the Phi Delta Phi Legal Honor Society. Phoebe also served as a mentor on the Dean’s Leadership Council, was selected as a Dean’s Leadership Fellow, and was selected to serve on the Academic Appeals Board.

While in law school, Phoebe had the opportunity to clerk as a judicial intern for the Honorable Judge Rob Hudson of the Oklahoma Court of Criminal Appeals.

Phoebe was born and raised in Oklahoma City and received a Bachelor’s Degree from Vanderbilt University in Nashville, Tennessee. She enjoys Thunder basketball, OU football and cheering on her Vanderbilt Commodores in her spare time.

Kara has joined Phillips Murrah’s Transactional Practice Group as an associate attorney where she represents individuals and businesses in a broad range of transactional matters.

Kara was part of the dual degree program at the University of Oklahoma College of Law and Price College of Business, achieving both her J.D. and M.B.A. During her third and fourth years of school, Kara worked as a Graduate Assistant for the Editor-in-Chief of the Southern Law Journal and business law professor at both the undergraduate and graduate levels. She was a member of the Phi Delta Phi Legal Honor Society, received the Elkouri Scholarship, and graduated with honors.

Kara was born and raised in Shawnee, Oklahoma, and now lives in Oklahoma City. In her free time, she enjoys traveling, snow skiing, spending time at the lake with friends and family, and attending OSU sporting events.