332 QUARTERLY REPORT

Funds Transfers under UCC Article 4A: What is a Commercially Reasonable Security System?

By Stuart R. Hene

Stuart R. Hene graduated from Oklahoma City University School of Law and was admitted to the State Bar of Texas in 2009. He is an associate attorney with Flowers Davis, P.L.L.C., in Tyler, Texas where he handles mostly oil and gas and insurance defense matters. However, Mr. Hene has a varied practice involving other areas of business law, oil & gas law, personal injury defense and insurance law. He is a member of: the State Bar of Texas; the Oil, Gas, and Energy Resource Law Section of the State Bar of Texas; the American Bar Association (ABA); the ABA Section of Environment, Energy, and Resources; the ABA Young Lawyers Division; the Smith County Bar Association; and the Tyler Young Lawyers Association. Mr. Hene serves on the Board of Directors for the Smith County Young Lawyers Association; and on “The Bridge Campaign” for St. Paul’s Children Foundation. Stuart completed his undergraduate studies at Baylor University in Waco, Texas where he earned a Bachelor of Arts in Political Science. After graduating from Baylor, he worked in Austin for State Representative Rob Eissler and then later as a campaign consultant for political campaigns in East Texas. He then attended Oklahoma City University School of Law where he received his Juris Doctor and a Certificate in Business Law—Financial Services and Commercial Law Concentration in May 2009. During law school, Mr. Hene was: President of his class in 2006–2007; a member of the Texas Legal Society; a member of the ABA Law Student Division, where he served as Lt. Governor of Legislative Affairs for the Tenth Circuit from 2007–2008; and a member of the Energy Law Society and the Federalist Society, serving as President of the latter from 2007–2009.

[Ed. note: The Oklahoma Bar Association (OBA) Financial Institutions and Commercial Law Section, through its Legislative Review Subcommittee, reviews prospective legislation in Oklahoma to assess and better assure its fit into other, related Oklahoma law. The Section also participates in writing, in conjunction with the OBA Uniform Laws Committee, reports on new legislation and “Oklahoma Comments” for publication in the Oklahoma Statutes Annotated, once the legislation passes, to explain the impact of the bill on Oklahoma law and cases. See, e.g., Fred H. Miller & Alvin C. Harrell, The Work of the Oklahoma Bar Uniform Laws Committee: Oklahoma Enacts UCC Article 3 and 4 and 4A Amendments, 63 Consumer Fin. L.Q. Rep. 29 (2009). The members of the Section are among Oklahoma’s top specialists in the field. To encourage new, and younger, members, the Section also sponsors a writing contest for law students at Oklahoma law schools. This article is derived from a paper that won the writing contest. It is presented as a result of the work of the Section.]

I. Introduction

Suppose you are the owner of a multimillion dollar construction company and you want to obtain a new fleet of construction equipment vehicles. The sales price and other terms of the sales contract have been duly negotiated. Financing has been arranged (as needed), and now it is time for the sale to be completed. This means it is time to transmit the payment for the vehicles and equipment. At that moment the buyer and seller face a choice among alternative payment systems. The seller wants to receive the equivalent of cash, but obviously coin and currency are not practical in these circumstances. Instead, a transfer of funds between two bank accounts and probably two different banks will be needed. Among the basic alternatives are: (1) the use of a negotiable instrument governed by Uniform Commercial Code (UCC) Articles 3 and 4; or (2) a funds transfer governed by UCC Article 4A. Today, the option chosen is increasingly likely to be the latter. This article analyzes the security system needs that should be considered in order to ensure a safe and non-fraudulent transfer of the funds from one bank to another under Article 4A.

Article 4A funds transfers may be originated in numerous ways; e.g., a telephone call, a facsimile (FAX) message, or an internet transfer.1 Many of these transfers are now originated over the internet, and at the core of this information infrastructure is cyberspace:2

Cyberspace is [the] nervous system--the control system of our country. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow our critical infrastructures to work. Thus, the healthy functioning of cyberspace is essential to our economy and our national security.3

Because of the vast reliance on cyberspace for commerce in modern society, security in the transmission of financial information is a critical legal issue.4 In many cases, “all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology.”5 Electronic communication of such information is also essential to the functioning of electronic payment systems.

1. See UCC Article 4A § 4A-103(a)(1), and id. § 4A-104, Official Comments 5 and 6. Section numbers cited herein reference UCC Article 4A unless otherwise noted.
2. See Executive Branch of the U.S. Government, The National Strategy to Secure Cyberspace 6 (2003), available at http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf.
3. Id. at vii.

A payment system “is a system that is used to transfer value from one person to another in order to pay for goods, services, real estate, or other desired items. A functioning payment system is a necessary component of economic development,”6 as well as individual transactions. A primary example of a modern, functioning electronic payment system is the Article 4A funds transfer. Such transfers can be used for multiple purposes and are commonly relied on in commercial transactions. “A funds transfer should not be confused with a ‘money transfer.’ [That is] where currency is exchanged from one person to another. Instead, a funds transfer is the transfer of bank credit.”7 During a funds transfer, each bank must make decisions with regard to a series of events within a short period of time. Issues that each bank must consider include: whether the payment is an authentic order; whether there are any errors in the payment order; and whether the bank should accept or reject the payment order.8 To originate a funds transfer, an instruction from the originator, called a payment order, is given to a bank.9 The payment order will call for the bank to transfer funds to a beneficiary.10 The funds transfer is complete when the beneficiary’s account receives a deposit representing the payment order from the beneficiary’s bank.11 More specifically,

[F]unds transfers are “credit transfers” that work by “pushing” funds from the bank account of an originator for credit to a beneficiary. They differ from “debit transfers,” such as checks, which authorize a payee or holder to “pull” funds from the drawer’s account by presenting the check for payment or furnishing other evidence of authority to cause an account to be debited.12

The Article 4A funds transfer system has made it faster and easier for individuals and companies to quickly and safely transfer large dollar amounts to a beneficiary’s account. However, a funds transfer still poses multiple potential risks to the parties involved in a payment transaction. These risks include, but are not limited to: a credit risk; a risk of electronic failures during the transactions; a risk that mistakes could be made during the transactions; the risk of costs exceeding the efficiency of the transactions; and a fraud risk.13 This article focuses on the latter risk--the risk of fraudulent transfers.

A risk of fraud can arise when a “purported payor does not actually have the right to push value from the account in a particular transaction or where the payee does not actually have the right to pull value from the debit account.”14 For example:

If recovery is unavailable for some reason against the wrongdoer, then one of the parties to the payment transaction will bear that risk, even if that party acted innocently and with all due care. The risk of this type of fraud could rest on the payee, the payee’s bank, the purported payor, or the payor bank.15

The risk of a fraudulent transfer remains one of the greatest risks for parties engaged in payment transactions. In an effort to address the risks of unauthorized access and use, various laws and regulations have been enacted or issued.16 However, “[m]any transactions in which the payor’s instruction to its bank is made through some mechanism other than a check are governed by UCC Article 4A, or [related] funds-transfer system rules.”17

II. EFTA and the UCC

A. Scope of the EFTA

The Electronic Fund Transfer Act of 1978 (EFTA)18 governs electronic funds transfers to or from a consumer account.19 The EFTA is implemented by Regulation E, as promulgated by the Federal Reserve Board (FRB).20 The FRB also prepares and updates an Official Staff Commentary to Regulation E (the Commentary).21 This Commentary provides essential guidance on application of the complex requirements set forth in the EFTA.22 Specifically, the EFTA defines an electronic fund transfer as:

any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. Such term includes, but is not limited to, point-of-sale transfers, automated teller machine transactions, direct deposits or withdrawals of funds, and transfers initiated by telephone.23

Because such transfers are excluded from Article 4A,24 this EFTA definition is important to the scope of Article 4A. There are two principal requirements in this definition of electronic fund transfer, as specified in the EFTA, regarding an authorized electronic funds transfer.25 “First, the transaction must debit or credit an ‘account.’ Second, there must be a transfer of funds initiated by the specified electronic means.”26 This may sound similar to the Article 4A concept of a “payment order,” as defined at section 4A-103. However, the EFTA is essentially limited to “retail” funds transfers by consumers.27

The EFTA defines an unauthorized electronic fund transfer as “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit….”28 However, this definition of an unauthorized electronic funds transfer does not include: (1) transfers initiated by the consumer with fraudulent intent or any person acting together with the consumer; (2) a transfer initiated by anyone who was given any means of access to the consumer’s account; or (3) a transfer in which there occurred an error on behalf of the bank.29

So, what happens under the EFTA if a fraudulent transfer does occur? In such a case, the burden of proof lies with the bank to prove that the electronic fund transfer was either authorized by the consumer or, if unauthorized, meets the requirements for consumer liability.30 If it was unauthorized, the bank will be liable for a failure to follow the terms and conditions of the account in regards to the electronic funds transfer.31

4. See THOMAS J. SMEDINGHOFF, THE EMERGING LAW OF DATA SECURITY: A FOCUS ON THE KEY LEGAL TRENDS, at 13, 19 (PLI Patents, Copyrights, Trademarks, and Literary Property, Course Handbook Series No. 14648, 2008).
5. Id.
6. Steven L. Harris, Reimagining Payment Systems: Allocation of Risk for Unauthorized Payment Inception, 83 Chi.-Kent L. Rev. 561, 561-62 (2008).
7. THOMAS C. BAXTER, JR. & STEPHANIE A. HELLER, THE ABCS OF THE UCC ARTICLE 4A: FUNDS TRANSFERS 1 (1997). Compare discussion of “debit” and “credit” transfers in UCC Article 4, § 4A-104, Official Comment 4.
8. Baxter & Heller, supra note 7, at 7. See also, e.g., UCC Article 4A Part 2 (“Issue and Acceptance of Payment Order”).
9. See §§ 4A-103(a)(1) and 4A-104(a), and Official Comments thereto.
10. See §§ 4A-103(a)(2) and 4A-104(c) and (d), and Official Comments thereto.
11. See supra notes 9 and 10; §§ 4A-103(a)(3) and 4A-105(a)(1)(3). See also Working Group on Electronic Financial Services, American Bar Association, Model Funds Transfer Services Agreement and Commentary 2-3 (1994) [Model Agreement].
12. See Model Agreement, supra note 11, at 4.
13. Harris, supra note 6, at 565-66.
14. Id. at 566.
15. Id. at 566-67.
16. For example, Article 4A § 4A-108 recognizes and defers to the federal Electronic Fund Transfer Act, Pub. L. No. 95-630, 92 Stat. 3728 (codified at 15 U.S.C. §§ 1693 et seq.) “as amended from time to time,” for “retail” electronic funds transfers. Thus, retail or “point of sale” electronic fund transfers are governed by federal law, not Article 4A, as noted below.
17. Harris, supra note 6, at 564.
18. See supra note 16.
19. Id.
20. See, e.g., DONALD L. BAKER & ROLAND E. BRANDEL, THE LAW OF ELECTRONIC FUND TRANSFER SYSTEMS 12-23 (1988) (describing Regulation E, 12 CFR pt. 205 (1986)); Jeffrey P. Taft, An Overview of the Electronic Fund Transfer Act and Regulation E and Their Application to E-Commerce, 57 Consumer Fin. L.Q. Rep. 205 (2003). A full description of the EFTA and Regulation E is beyond the scope of this article. The reader is referred to these sources for that purpose.
21. See supra note 20.

B. Scope of Article 4A

In comparison with the EFTA (which is limited largely to error resolution and the allocation of liability for losses), UCC Article 4A governs the basic elements of an electronic fund transfer.
However, as noted, Article 4A does not apply to a “retail” funds transfer that is governed by the EFTA.32 In contrast, Article 4A governs: (1) FedWire; (2) CHIPS; (3) SWIFT; or (4) telex; and (5) book transfers, which are simply transfers of credit across a single bank’s books from one account to another.33 Thus, a fundamental distinction is that “retail” EFTA transactions are governed by private (e.g., contractual) funds transfer rules and the EFTA dispute resolution rules, while Article 4A governs both the basic transactional elements and the error or fraud resolution issues in a “wholesale” Article 4A funds transfer (while being supplemented to some extent by contractual and private rules).

As suggested above, Article 4A funds transfer transactions are commonly referred to as a “wire transfer” or a “wholesale funds transfer.”34 “The term ‘wholesale’ distinguishes the Article 4A funds transfer from a [‘retail’] consumer electronic funds transfer governed by Regulation E and the EFTA.”35 Article 4A defines the basic elements of a funds transfer, as a series of offsetting transactions which begins with an originator’s payment order and concludes with payment to the beneficiary of that order.36

C. Addressing Fraud Risk

All payment systems have to contend with the risk of fraud, which in the case of commercial payment orders under Article 4A can be for very large amounts. Addressing this problem is critical to the usefulness of the Article 4A payment system.37 Therefore, in an effort to address and curtail fraudulent transfers, Article 4A includes a carefully-crafted commercially reasonable security procedure provision.38 Article 4A requires a payment order to be authorized in order for the funds transfer to take place.39 “A payment order received by the receiving bank is the authorized order of the person identified as the sender if that person authorized the order or is otherwise bound by it under the law of agency.”40 Thus, a funds transfer will be effective whether or not the order is authorized if the originator is obligated under the rules governing vicarious or apparent authority. Often this will depend on whether the originator’s bank and the originator have agreed on verification security procedures.41 “[T]he security procedure [must be] a commercially reasonable method of providing security against unauthorized payment orders, and…the bank [must prove] that it accepted the payment order in good faith and in compliance with the security procedure.”42 A security procedure is established by agreement between the customer and the bank, in order to verify that a payment order is properly placed and is that customer’s payment order, and to detect errors in transmissions of payment orders.43 A crucial point is the commercial reasonableness of the security procedure.

22. See Baker & Brandel, supra note 20, at 12-23 and 12-24.
23. 15 U.S.C. § 1693a(6).
24. See supra note 16.
25. See Baker & Brandel, supra note 20, at 12-25.
26. Id.
27. Id.; EFTA, 15 U.S.C. § 1693a(2), (6).
28. 15 U.S.C. § 1693a(11).
29. Id.
30. See id. § 1693g(b).
31. See id. § 1693h(a); supra note 20.
32. See supra note 16; Baxter & Heller, supra note 7, at 5.
33. Baxter & Heller, supra note 7, at 6 (FedWire transfers are covered by reason of the incorporation of Article 4A in FRB Regulation J. See 12 CFR pt. 210, Subpart B; 12 CFR § 210.25(b). “CHIPS” and “SWIFT” refer to other funds transfer systems.).
34. Baxter & Heller, supra note 7, at 2.
35. Id.
36. See § 4A-104(a); supra notes 1 and 9.
37. See, e.g., FREDRICK H. MILLER, THE LAWYER’S GUIDE TO MODERN PAYMENT METHODS: ACH, CREDIT, DEBIT, AND MORE 19 (2007).
38. See §§ 4A-201, 4A-202.
39. See §§ 4A-103(a)(1), 4A-202, and 4A-203; UCC Article 4A Prefatory Note.
40. See § 4A-202(a).
41. See § 4A-202(b).

D. Commercial Reasonableness

Commercial reasonableness is a question of law. There are several factors in determining whether a security procedure is commercially reasonable. Article 4A specifies certain factors that a court is to consider, namely whether:

(i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.44

Along with these two factors, a court may consider: whether the wishes of the customer were expressed to the bank; whether the circumstances of the customer were known to the bank, “including the size, type, and frequency of payment orders normally issued by the customer to the bank;” whether alternative security procedures were offered to the customer; and the security procedures in use by other banks in similar situations.45 The foundational rule is that a bank is liable for any unauthorized payment it makes. However, it is the customer and not the bank who is liable for the loss if a commercially reasonable security system, agreed to by the customer, was in place, and the bank complied with it. Also, the customer is liable if the customer fails to notify the bank within one year of a fraudulent or erroneous electronic funds transaction.46 However, the bank can be liable for the loss if it agrees in writing to be liable for part of the loss or if the bank and customer agreed to a security procedure that was not commercially reasonable.47 In addition, “if the customer is able to establish that an unauthorized but effective order was not attributable to any responsible person entrusted to act for the customer or any access obtained from the customer’s side,”48 then the bank will be liable for the loss.
These limits on the customer’s liability reflect a basic tenet that the bank is obligated to take reasonable steps to guard against fraud, critical risks, and security threats.49 Article 4A does not establish the specific parameters of a security procedure that will be accepted among the courts, recognizing that this is a matter for the development of commercial practice. However, Article 4A does state that “[a] security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices.”50 However, just because a bank uses one of these permissive approaches does not mean that a court will find that the bank had a commercially reasonable security system in place, or that another bank was unreasonable in using another approach. A commercially reasonable security procedure could utilize all of the elements, a portion of the elements, or entirely different techniques than those described in section 4A-201.51 In order to facilitate the development of commercial practice, Article 4A leaves courts to consider, as a question of law, whether the procedures in place in a given case constitute a reasonable security procedure as adapted to the specific situation.52

III. The Courts’ Determinations of Commercially Reasonable Standards

A. Introduction

Reflecting this flexibility, the courts have not specified a single standard for determining whether a security system is commercially reasonable. In one instance a court may employ a specific set of factors; in another instance, the same court may recognize a different approach. Also, commercially reasonable security procedures may employ variations of different techniques in different combinations.
One thing that is clear, however, is that determining whether a security system is commercially reasonable is a question of law.53 Therefore, the courts must review each scenario on a case-by-case basis to determine if the security procedure in question is commercially reasonable in that context, and the other requirements for a recovery have been met.54 For example, in Covina 2000 Ventures Corp. v. Merrill Lynch, Pierce, Fenner & Smith, Inc.,55 the court applied Article 4A’s foundational rule, which states that a bank will bear the loss of any unauthorized funds transfer.56 The court noted that the rule is subject to an “exception when the bank and the customer agree on a ‘security procedure’ to ensure that payment orders received by the bank are authorized.”57 In Covina, Mr. Ma opened a corporate account at Merrill Lynch for two different companies.58 One of these companies was Covina 2000 Ventures Corporation. Between the months of June 2002 and April 2004, $9 million was transferred out of these accounts.59 Merrill Lynch and Mr. Ma did not have an agreement referring to the security procedure necessary to authenticate a funds transfer.60 Twenty-one of the letters of authorization for the wire transfers contained a notation indicating confirmation from Mr. Ma and twenty-four of these authorizations also contained an apparent signature by Mr. Ma.61

In Covina, Merrill Lynch (the bank) did not argue the issue of a commercially reasonable security procedure because the bank argued that the customer (the plaintiffs) was liable for the funds transfer on agency grounds. The bank also argued that the suit was brought more than four years after the fraudulent transfers occurred, contrary to the one-year requirement.62 The Covina court decided the case based on the latter requirement, i.e., that a customer of a bank cannot bring a claim for a fraudulent Article 4A transfer after one year.63 Thus, Covina does little to define what constitutes a reasonable security procedure. On this issue, the court merely stated: “[O]nly when a commercially reasonable security procedure is in place (or has been offered to the customer) may the bank disclaim its liability for unauthorized transfers.”64

B. The Regatos Case

In Regatos v. North Fork Bank,65 the court took a further step in articulating what constitutes a commercially reasonable security system. In Regatos, the plaintiff (Mr. Regatos) had opened an account with the Commercial Bank of New York (the bank). When Mr. Regatos opened this account he signed an Account Information form. This agreement stated that Mr. Regatos was allowed to make wire transfers out of his account via payment orders, transmitted from his home in Brazil.66 There was a specific procedure to be followed each time by the bank and Mr. Regatos to ensure valid transfers. First, Mr. Regatos would sign a payment order which would be faxed to the bank.67 Next, a confirmatory phone call would either be placed by Mr. Regatos to Ms. Abadi, a bank employee, or to Mr. Regatos from Ms. Abadi.68 After the confirmation of the amount, Ms. Abadi would FAX the payment order to New York where signature confirmation would take place by comparing the payment order and the signature on record.69 However, this security procedure lacked a password or algorithm element of identification.70 During the spring of 2001, two funds transfers were initiated from Mr. Regatos’ account, both of which Mr. Regatos claimed he did not authorize or initiate.71

The Regatos court applied the foundational rule of Article 4A, as in Covina: That is, foundationally, “the bank will bear the loss of any unauthorized funds transfer.”72 However, the Regatos court noted that an exception to this rule is triggered when the bank and the customer agree to a security procedure that is commercially reasonable:73

A payment order accepted in good faith pursuant to a commercially reasonable security procedure is said to be “effective” as the order of the customer because it can be properly verified. Such an order is effective even if it is actually unauthorized, as in the case of a perfect forgery. But where a payment order is not effective—or where a payment order is unauthorized and there is no security procedure in place the bank has an invariable duty to refund the lost funds.74

Therefore, the Regatos court noted that it had to decide whether there was a commercially reasonable security procedure in effect. For every funds transfer, the bank and Mr. Regatos adhered to the same procedure.75 The court “[found] the security procedure followed by the Sao Paulo office, coupled with the signature comparison done at the New York office, to be commercially reasonable.”76 The court specifically concluded that, although comparison of a signature alone is not sufficient, with the other elements coupled to this procedure it was acceptable.77 The three-step process of a signed order, confirmatory phone call, and signature comparison was sufficient to constitute a commercially reasonable security procedure.78 Although the three-step procedure lacked recorded conversations and passwords or algorithms, the confirmatory phone call to or from the same preidentified bank representative ensured a commercially reasonable procedure.79

42. Id.
43. See § 4A-201.
44. See § 4A-202(c).
45. Id.
46. See Miller, supra note 37, at 20 (citing § 4A-505).
47. Id. (citing § 4A-203).
48. Id.
49. Id.
50. See § 4A-201.
51. See § 4A-203, Official Comments 3 and 4.
52. See §§ 4A-201 - 4A-203, and Official Comments thereto.
53. See § 4A-203, Official Comment 4.
54. See, e.g., id., and discussion below.
55. Covina 2000 Ventures Corp. v. Merrill Lynch, Pierce, Fenner & Smith, Inc., No. 06 Civ. 15497(DLC), 2008 WL 1821738 at *6 (S.D.N.Y. 2008) (citing N.Y. UCC §§ 4A-202(2), 4A-204(1)).
56. Id. at *1 (see also UCC Article 4 § 4-203, Official Comment 1, and Article 4 Prefatory Note).
57. Id.
58. See id.
59. See id.
60. See id.
61. See id.
62. See § 4A-505.
63. Covina, 2008 WL 1821738, at *7.
64. Id. at *6 (quoting Regatos, 5 N.Y.3d at 403, discussed infra).
65. See Regatos v. North Fork Bank, 257 F. Supp.2d 632, 635 (S.D.N.Y. 2003).
66. See id. at 636.
67. Id.
68. Id.
69. Id.
70. Id.
71. Id.
72. Id. at 640 (citing N.Y. UCC §§ 4-A-202(1), 4-A-204(1)). See also supra note 56.
73. See Regatos, 257 F. Supp.2d at 636.
74. Id. at 641 (citing N.Y. UCC §§ 4A-202(2), 4A-203).
75. See id. at 646.
76. Id. (citing N.Y. UCC § 4A-201).
77. See id.
78. Id.
79. Id.

C. The Braga Case

Applying the standards articulated in Regatos, the court in Braga Filho v. Interaudi Bank80 set forth an additional example of commercial reasonableness. In Braga Filho, the plaintiff (Braga) opened an account at the Interaudi Bank in New York City (the bank) while visiting New York on a trip from his home in Brazil.
When the account was opened, Braga signed a Telecommunications Authorization agreement (the agreement).81 The agreement provided “that the Bank was authorized ‘to accept and immediately act upon instructions from [the customer] via telephone, telegram, telefacsimile, untested telex, electronic mail, or any other means of telecommunications.’”82 The agreement also provided “that the Bank would ‘select security procedures for accepting instructions that are commercially reasonable for [the bank].’”83 The security procedures that the bank would adhere to were printed on an internal document not available to the bank’s customers, entitled “Funds Transfer Policy and Procedures.”84 This document contained instructions and procedures to which the bank’s staff was supposed to adhere. For all funds transfer requests (i.e., payment orders), the bank would verify the customer’s signature on file with the signature on the payment order, confirm that the account contained sufficient funds, obtain approval from an account officer, and then forward the payment order to the bank’s Paying and Receiving Department.85 In addition, for requests made by email or fax, there were special guidelines. These guidelines stated that the customer had to be called before the request would be forwarded to the Paying and Receiving Department; the customer had to answer security questions when contacted, and the confirmation contact call was to be recorded.86

Two years after the account was opened, nearly one million dollars was transferred out of the account, unbeknownst to the plaintiff/customer (Braga). These funds transfers were based on payment orders in the form of fax requests, and Braga later claimed there was no confirmation telephone call for verification.87 Braga contacted the bank upon realizing that the money was no longer in his account.
The woman with whom he spoke at the bank informed Braga that she had spoken with Braga several times and therefore knew that he was not Braga (even though he was Braga).88 Braga then brought an action to recover the funds from the fraudulent transfer.

The court noted “that when a customer has agreed to a bank’s security procedure, the customer will bear the risk of loss if the security procedure was ‘commercially reasonable’ and if the bank followed that procedure.”89 The court then conducted an analysis based on that set forth in Regatos. The Braga court focused on the fact that the parties agreed to a three-part security procedure which consisted of a signed order, confirmation phone call, and a signature comparison.90 The court again noted that a signature comparison alone is not sufficient to establish commercial reasonableness.91 However, because the signature comparison was coupled with the other two elements, the Braga court found the procedure in that case to be commercially reasonable.92 In applying the holding from Regatos, the Braga court reasoned that:

[b]y signing the Telecommunications Authorization, an “explicit agreement,” [the] plaintiffs agreed to the Bank’s security procedures, so long as they are found to be commercially reasonable.
It does not matter that [the] plaintiffs did not know what the Bank’s security procedures were because [Article 4A] of the New York UCC compels banks to use commercially reasonable procedures.93

The Braga court then noted that the bank’s procedures in that case required a three-step process to be followed regarding any funds transfer request.94 In addition to the mandatory signature comparison, the three-step procedure included a confirmatory telephone call, an answer to security questions, and a recording of the confirmatory phone call.95 This security procedure was similar to that upheld in Regatos.96 However, in Regatos, the confirmatory phone call had to be placed with a previously identified bank agent every time.97 On the other hand, “in Regatos, there were no challenge questions and no telephone logs [or recordings] as there were here.”98 Thus, although there was a difference as compared to the procedure in Regatos, the security challenge questions and the phone recordings in Braga offset the lack of a confirmatory telephone call to or from a previously identified bank agent.99 In the court’s words, “the required challenge questions and telephone logs [compensated] for the loss of the voice-recognition procedure used in Regatos.”100 So, the confirmation telephone call, an answer to security questions during that confirmatory phone call, and a recording of the confirmatory phone call constituted a valid and commercially reasonable security procedure.

80. Braga Filho v. Interaudi Bank, No. 03 Civ. 4795(SAS), 2008 WL 1752693 at *1 (S.D.N.Y. 2008).
81. See id.
82. Id. (quoting the Telecommunications Authorization).
83. Id.
84. See id.
85. See id.
86. See id. at *2.
87. See id. at *3.
88. See id.
89. Id. (citing N.Y. UCC § 4A-202(2)).
90. See id.
91. See id. (citing N.Y. UCC § 4A-201).
92. See id.
93. Id. at *4 (quoting Regatos, 257 F.Supp.2d at 646) (citing N.Y. UCC § 4A-201, Official Comment: “The definition of security procedure limits the term to a procedure ‘established by agreement of a customer and a receiving bank.’ The term does not apply to procedures that the receiving bank may follow unilaterally in processing payment orders.”).
94. See id. at *4.
95. See id.
96. See id. at *5.
97. See id.
98. Id.
99. See id.

orders, or non-orders. Because the telexes received were not the telexes sent by the banks, Centre-Point argued that a lack of a commercially reasonable security procedure existed in the transaction and was responsible for the loss.

The Centre-Point court, applying Article 4A, adopted a two-part inquiry. The first part of the inquiry was whether the particular security procedure was commercially reasonable, and the second part of the inquiry was whether AEBL complied with the procedure.109 In applying this two-part inquiry, the court adopted a more definitive standard than those applied in Covina, Regatos and Braga.110 When determining whether or not a security system is commercially reasonable, the Centre-Point court held that: “[t]he standard is not whether the security procedure is the best available.
Rather, it is whether the procedure is reasonable for the particular customer and the particular bank, which is a lower standard.”111 ˇor example, if both parties agreed on a procedure designed to eliminate fraud and adopted a security system to protect each party’s interests, it is likely to be commercially reasonable.112 Therefore, “[a] security procedure is not [going to be] commercially unreasonable simply because another procedure might have been better or because the judge deciding the question would have opted for a more stringent procedure.”113 ˇurthermore, to answer the question of commercial reasonableness, the court said it would analyze security procedures in place in similar situations between similar parties.114 Critiquing the system used by AEBL with the standard adopted, the Centre-Point court determined that the telex test key code was a commercially reasonable security system. 115 Centre-Point admitted that it never objected to the security procedure in place, and Centre-Point also admitted that all banks in Nigeria used essentially the same security procedure.116 In addressing the second part of the inquiry as set forth by the court, AEBL also confirmed that all test key codes received were tested properly and confirmed. Therefore, because AEBL received a valid test code, even though the codes were not legitimate, AEBL sufficiently complied with the security procedure agreed upon by both parties. Because the test key code was commonly used by all similar banks in the area and there was valid compliance, the court found “that the telegraphic test key [met] the ‘commercially reasonable’ standard required by the statute.”117 109. See id. at *4. 115. See id. 104. See id. 110. Covina, Regatos, and Braga are discussed supra at Parts III.B., C., and D., respectively. 116. See id. 105. Id. 111. Id. (see also UCC § 4A-203, Official Comment 4). 106. See id. 112. Id. 107. See id. 113. Id. 119. Grabowski v. Bank of Boston, 997 ˇ.Supp. 111, 115 (D. Mass. 
1997). 108. See id. 114. See id. at. *5. 120. See id. D. The Centre-Point Case In Centre-Point Merchant Bank LTD v. American Express Bank LTD,101 the court adopted a more specific two-part analysis in determining whether the bank’s actions and procedures were commercially reasonable. Centre-Point, a Nigerian Bank, and American Express Bank LTD (AEBL), entered into a banking relationship. The two banks communicated by telex and used a telegraphic key code to conduct all transactions.102 ˇour years after the account was opened, CentrePoint telexed AEBL to debit a large sum from the account and invest that sum in a fixed deposit.103 The following day, AEBL replied via telex advising on the interest rate; however, Centre-Point never received this telex.104 “Instead, [Centre-Point] received an altered telex confirming that AEBL had followed its instructions and debited the account.”105 At the same time, AEBL received a cancellation telex from Centre-Point.106 AEBL then implemented the security procedure and applied the test key code, and this indicated that the key code was valid.107 Unbeknownst to any of the parties involved, a Centre-Point employee had altered the telexes that each bank received. 108 Therefore, neither bank was aware of the fraudulent payment E. The Grabowski Case In contrast to the Regatos, Braga, and Centre-Point cases,118 Grabowski v. Bank of Boston119 illustrates an instance in which a commercially reasonable security system was not present. In Grabowski, the plaintiffs entered into various agreements with the Kinder Company (Kinder), which operated an investment program for buying and selling prime commercial debt instruments and securities. 
Kinder proposed that the plaintiffs open the accounts at the Bank of Boston (the Bank) and execute powers of attorney granting Epstein, the principal for Kinder, control over the accounts.120 “Kinder’s agents told the plaintiffs [that] this power of attorney would protect their funds and the account would hold cash and securities, 100. Id. 101. Centre-Point Merchant Bank LTD v. American Express Bank LTD, No. 95 Civ. 5000 LMM, 2000 WL 1772874 at *1 (S.D.N.Y 2000). 102. See id. 103. See id. 117. Id. 118. Discussed above at Parts III.C., D., and E., respectively. QUARTERLY REPORT which the Bank would authenticate.”121 ˇunds were eventually transferred into the accounts and, simultaneously, Epstein directed the bank to execute funds transfers from these accounts.122 While directing the Bank to withdraw funds from the accounts, Epstein failed to replace “the funds with an equivalent amount of prime bank instruments or invoices,”123 as the agreement between the plaintiffs and Kinder required. Defending the commercial reasonableness of its security procedure, the Bank argued that it was not liable for the funds transfers. Although the court found that the Bank was not liable (because the transfers were authorized), the court also determined that there was no commercially reasonable security procedure in place. 
Article 4A eliminates the liability of a bank if the customer and the bank have agreed to a security procedure for verifying the authenticity of any transfers.124 The Grabowski court concluded that: “[t]he Commercial Deposit Account Resolution [Account Resolution] relied on by the Bank here is not an enforceable modification of the loss allocation scheme set forth in Article 4A.” 125 The Account Resolution was not an enforceable modification because it contained only “a general modification of liability under Article 4A without an accompanying commercially reasonable security procedure.”126 No security procedures, such as verification callbacks, recordings of the call, or secure passwords existed in the Commercial Deposit Account Resolution.127 Instead, the Account Resolution provided only an indemnity provision.128 Therefore, “because the Account Resolution [purports 121. Id. to be] a modification of the baseline loss allocation scheme of [A]rticle 4A and not an agreement on a security procedure, the general indemnity provision relating to unauthorized payment orders is unenforceable under…[A]rticle 4A.”129 The Grabowski case makes clear that an indemnity provision in a deposit account agreement, alone, will not suffice to establish a commercially reasonable security procedure. In the final analysis, an agreement between the bank and the customer needs to be reached, regarding not only an indemnification provision but a commercially reasonable security procedure as well. At a minimum, features like the procedures upheld in Regatos and Braga should be considered. IV. A. So Exactly What is Commercially Reasonable? 
Introduction As noted, there is no precise definition or rule that lays out specific requirements for a commercially reasonable security procedure.130 On one hand, a commercially reasonable security procedure might include several procedures lumped together to create a commercially reasonable system.131 On the other hand, a commercially reasonable security procedure could consist of one specific procedure that is considered commercially adequate.132 However, there is a growing trend concerning certain practices and techniques that seem to be developing as an industry standard and custom for what constitutes a commercially reasonable security procedure. Many businesses, in addition to banks, are operating online banking and funds transfers systems, effectively operating the business in cyberspace, and are implementing security procedures for these transactions. 339 B. Wheatman Recommendations Many of these companies, including banks and other financial institutions, are adopting innovative procedures and policies to ensure that they are complying with the requirements for a commercially reasonable security procedure. ˇor instance, Vic Wheatman with the Gartner Company, a provider of market research covering the information technology industry, has explained eight steps that he believes are needed to define a commercially reasonable security system. ˇirst, “[o]rganizations need to examine the status of commercially available computer technology and, specifically, information security technology.”133 In this stage, banks and other financial institutions need to be made aware of the fact that there are different systems to protect different types of information. Of course, the larger and more complex the financial institution, the more extensive and complex the system needed. 
Secondly, “[o]rganizations always need to assess the affordability of security technologies, procedures and techniques.”134 Because larger and more complex financial institutions will need larger and more complex systems, these systems will cost considerably more than smaller systems. Small institutions and small businesses need to carefully weigh the costs against the potential loss from fraudulent transfers and hackings before expanding into areas of operation that will require implementing the most expensive security system.

Third, “[g]iven the growing list of failures in systems, the likelihood of a technological security failure should be considered fairly high.”135 Technology is not perfect and is always subject to glitches and malfunctions. Therefore, backup systems and manual systems need to be in place to ensure the authenticity and validity of transfers and to decrease the chances of fraudulent transfers occurring.

122. See id. at 117.
123. Id.
124. See id. at 120 (and UCC Article 4A §§ 4A-201, 4A-202, and 4A-203).
125. Id.
126. Id.
127. See id.
128. See id. at 116.
129. Id. at 120.
130. See supra Part II.D.
131. Id.; see also supra Parts III.B.-E.
132. Id.
133. Vic Wheatman, Management Update: Eight Steps Needed to Define Reasonable Security, June 8, 2005, available at http://www.solutions-me.com/DataiNesletters/CWP%20%20Gartner_8Steps _ To _ Security.pdf (last visited Feb. 2, 2009).
134. Id.
135. Id.

Fourth, an institution must consider the harm that can result from a security failure.136 The potential harm to consider has at least two fronts. One is the potential harm to a customer whose private information could be leaked on the internet or who could be the victim of a fraudulent transfer.137 The other potential harm is the risk to the bank in a situation where there is a breach or fraudulent transfer. The financial institution could be subject to liability for the amount of the transfer or for penalties assessed on it by a court or a state or federal government.138

Fifth, financial institutions and companies need to anticipate security threats.139 Obviously the internet is not always a safe environment. Hackers are always trying to get into secure systems. Furthermore, dishonest employees must be kept at bay and not tempted to steal personal information or induce fraudulent transfers.

Sixth, “[r]easonable security in the absence of widely accepted standards is difficult.”140 There isn’t a single security system that is the best or is the most commercially reasonable security system in all contexts. Different procedures, systems, and techniques may work differently in different situations. A key solution is to look to the industry custom or at what other financial institutions in the market are using as their commercially reasonable security procedure.

Seventh, an organization should look at the best practices on the market.141 “An organization should at least do what its peers are doing.”142

Finally, Wheatman recommends that a financial institution or company implement routine audits.143 Security systems and technology are always changing. As noted, hackers are always finding ways around current security systems. Furthermore, new systems are being developed each day. “Self-assessment is a useful information-gathering technique that can help determine the degree to which a chosen standard is being met….”144 Wheatman emphasizes that having the right managerial procedures in place makes it more likely that a commercially reasonable security system will be implemented and maintained.

C. Password Systems

Currently, the most commonly used security system for online transactions requires a complex password containing more than six keys and at least one number.
As noted below, however, over the past few years at least two major internet sites have been compromised, revealing all related passwords. Although neither of the sites involved commercial transactions, many other sites are following their lead in changing their password requirements.

In 2007, the social networking site of Myspace was compromised. This “hacking” revealed 30,000 passwords and usernames.145 More recently, the site of phpbb.com was compromised revealing 20,000 passwords.146 Following the hacking of this site, a study of the type of passwords chosen was conducted by Robert Graham.147 Graham determined that the common approach, as to how people choose their password, is to use an ordinary, easily identified password if there were no password requirements. Among the leading choices were people’s first names, patterns on the keyboard, or variations of the word “password.”148

Using a password that matches the user’s first name constitutes zero security protection. A password in the form of the user’s first name is just the username typed a second time. The user’s name appears on the screen and the hacker doesn’t even have to guess. Similarly, people’s choices of patterns on the keyboard often provide zero security protection. Common choices for keyboard sequences include: “1234,” “qwerty,” or “asdf.”149 Again, this takes the probability of having a safe password out of the equation. A hacker can easily access any personal or financial information if a user employs a password of this sort. Therefore, “[t]he widely-deployed use[s] of user ID/password protection schemes are no longer considered adequate protection for online information. Though user ID/PIN/password are still the most common solution for online authentication, there is significant interest in replacing passwords with more robust multifactor authentication.”150

D. Other Procedural Safeguards

Although the use of user identification (ID), personal identification numbers (PIN’s), and similar passwords is commercially reasonable under UCC Article 4A,151 there is a trend toward adoption of more secure methods of commercially reasonable security procedures in the banking industry, at least for large or sophisticated transactions. For example, it has been recommended, in the use of a call-back procedure to verify authentication, that three different employees be used, in order to reduce the opportunities for fraud.152 “One…employee receives the information and prepares the transfer instructions; [o]ne…employee validates (determines that the information exists) and verifies (tests the truthfulness or accuracy of the information); and [o]ne…employee sends the transfer order.”153 Obviously, when more eyes are used to ensure authenticity, it is harder for an invalid transfer or fraudulent intent to go unnoticed.

But, importantly, no matter how many employees are involved, the receiving employee must verify the identity of the customer to ensure the authenticity of the customer placing the order transfer.154 The receiving employee should confirm the bank account number, PIN, and signature of the customer with the payment order being received. Also, the receiving employee, when documenting the payment order, should verify additional security information such as Social Security number, driver’s license number, signature comparison, photo comparison, and/or notarized statements.155 The bank will have a better chance of ensuring a valid funds transfer for each additional security check or authentication implemented.

Next, the verification employee should institute the security safeguard of a call-back.156 In this call-back, the verification employee double-checks important information with the customer placing the payment order. The verification employee will ask questions regarding the amount of the funds transfer, the destination of the transfer, the security code provided by the bank to the customer placing the order, and/or the destination account number.

Finally, the third employee, the sending employee, will verify all of the documentation filled out by the previous two employees and then will execute the payment order.157 In this system, instead of one employee or one pair of eyes implementing the entire security procedure, there are three different employees verifying various aspects of the customer’s security information and payment order before the order is accepted and executed.158 Although this process might be time-consuming, and not suitable for every type of transaction, the liability risks of the bank should be reduced.

136. See id.
137. See id.
138. See id.
139. See id.
140. Id.
141. See id.
142. Id.
143. See id.
144. Id.
145. See PHPBB Password Analysis, http://www.darkreading.com/blog/archives/2009/02/phpbb---’password.html (Feb. 6, 2009, 17:56).
146. See id.
147. See id.
148. See id.
149. Id.
150. http://www.umacha.org/pdf/webbriefcommerciaI041007.pdf.
151. See supra Parts II.D. and III.B.-E.
152. See Dana Turner, Funds Transfer Developing Commercially Reasonable Security Procedures For Your Bank, Part J, July 23, 2001, available at http://www.bankersonline.com/security/funds.html (last visited Feb. 2, 2009).

E. Encryption

The use of encryption or encoding in user authentication ensures extra security in the funds transfer. Encryption “protects data from unauthorized disclosure [and] is a process in which the data is ‘scrambled or coded’ before it passes through the network.”159 This process uses a series of mathematical formulas and steps to transform sensitive data into a secured, encrypted form. Many banks have now adopted the American National Standards Institute (ANSI) and the International Standards Organization (ISO) standards of encryption.
The “American National Standards Institute sets standards for the banking industry [and the] International Standards Organization…sets international standards.”160 The standards set by these institutions include various types of data encryption protections. For example, a bank could use data encryption, user authentication, message authentication, or key management secret.161 Large banks and financial institutions commonly use the ANSI X9.17 standard which consists of the key management secret.162 “With the rapid adoption of…[these] systems by many banks across the U.S., a standard for commercially reasonable security is emerging.”163 The adoption of data encryption, in addition to other security procedures commonly in place, decreases the likelihood of a fraudulent funds transfer taking place. Therefore, some large banks and other institutions are implementing data encryption systems in addition to the use of passwords, user names, and PINs.

F. Summary: Procedural Safeguards

Nothing is fail-safe; however, the more procedures the bank implements, the greater the likelihood the security procedure will be considered commercially reasonable. Security call-back procedures, recorded calls, multiple employees screening the funds transfer request and payment order, password/PIN/user name, and data encryption, in some combination coupled together, will greatly increase the odds of the security procedure satisfying the commercial reasonableness requirement of UCC Article 4A, compared to any such feature standing alone. It should be emphasized again, however, that the law does not require any specific procedure or feature in a given context.

V. Conclusion

Because a commercially reasonable security procedure can employ one or more of several different types of security techniques, it is best to craft a commercially reasonable security procedure “that corresponds to commonly accepted commercial practices among commonly situated Originators conducting similar types of transactions.”164 Therefore, other things being equal in a specific instance, the bank or other company should employ security procedures that are equivalent to what other similarly-situated financial institutions or companies are doing.165 In addition, although the use of a password, PIN, or user name is still the most common form of cyberspace security, other, multifactor authentication systems are increasingly being utilized in sophisticated transactions.166 These systems may include the use of a verification of customer identity by various means, including the use of a customer computer, customer voice or fingerprint verification, and customer geo-location verification.167

It should be emphasized again that the laws governing commercially reasonable security procedures can only be used as guidelines.168 Commercially reasonable security procedures have not been specifically limited or defined in the law. This is an appropriate approach because:

[f]irst, prescribing solutions for all cases is impossible, since the circumstances are so varied that no law could begin to anticipate them all. Second, [information technology] changes so fast that what is an adequate solution today could be antiquated in just a year or two. Furthermore, because the threat environment is changing, any definition of “good enough” is only temporary. Specificity has deliberately been left out of most regulations to accommodate such factors.169

Thus, a standard for determining exactly what constitutes a commercially reasonable security procedure has not been clearly established by the courts or the industry. However, most financial institutions and other companies take reasonable measures to protect themselves and their customers against fraudulent funds transfers. “Banks literally spend hundreds of thousands of dollars on their security systems, and as between [the customer] and the bank, it is almost always the case that it was the customer’s system which was hacked….”170 A good strategy entails balancing the costs generated by alternative security procedures against the intensity of the security needed.171 In determining an appropriate approach, one should endeavor to ensure that the security procedure meets the prevailing banking standards and industry customs. If the security procedure meets prevailing industry standards, the system will have a greater chance of being held to comply with the commercially reasonable requirements of UCC Article 4A.

153. Id.
154. See id.
155. See id.
156. See id.
157. See id.
158. See definitions of this Article 4A terminology at UCC §§ 4A-104, 4A-105, 4A-209, and 4A-301.
159. Douglas Kozlay, The Importance of Security Standards, available at http://www.firstvpn.comlpapers/ire/Standards.pdf (last visited Feb. 2, 2009).
160. Id.
161. See id.
162. See id.
163. Id.
164. http:www.umacha.org; Wheatman, supra note 133; Turner, supra note 152.
165. See id.
166. See id.
167. See id.
168. See, e.g., Wheatman, supra note 133.
169. Id.
170. William G. Compton, Fraudulent Wire Transfers: The Russian Connection, August 28, 2008, available at http: www.andrewskurth.comlpressroom-clientalerts-30.htm (last visited Feb. 2, 2009).
171. LARY LAWRENCE, AN INTRODUCTION TO PAYMENT SYSTEMS 454 (1997) (citing UCC § 4A-203, Official Comment 4).

Clarifications to Interim Rule… (Continued from page 403)

implementation of changes in an index value.13 The foregoing disclosure must be in a format substantially similar to Model Clause H-4(I) in Appendix H of Regulation Z and must be placed in a box directly beneath the associated required table.14 Model Clause H-4(I) reads as follows:

[Introductory Rate Notice

You have a discounted introductory rate of ___% that ends after (period). In the (period in sequence), even if market rates do not change, this rate will increase to ___%.]

D. Disclosures for Negative Amortization Mortgages

With respect to a negative amortization mortgage,15 the creditor must disclose the following items:

• the interest rate at consummation and, if it will adjust after consummation, the length of time until it will adjust, and the label “introductory” or “intro”;
• the maximum interest rate that could apply when the consumer must begin making fully amortizing payments under the terms of the legal obligation;
• if the minimum required payment will increase before the consumer must begin making fully amortizing payments, the maximum interest rate that could apply at the time of the first payment increase and the date the increase is scheduled to occur; and
• if a second increase in the minimum required payment may occur before the consumer must begin making fully amortizing payments, the maximum interest rate that could apply at the time of the second payment increase and the date the increase is scheduled to occur.

The Commentary notes that the creditor must assume that interest rates rise as quickly as possible after consummation, in accordance with any interest rate caps under the legal obligation. For (Continued on page 330)

13. For example, if the contract specifies that rate changes are based on the index value in effect 45 days before the change date, creditors may use any index value in effect during the 45 days before consummation (or any earlier date of disclosure) in calculating the fully-indexed rate to be disclosed.
14. Presumably, the associated required table would be Table H4(F).
15. The term “negative amortization” means payment of periodic payments that will result in an increase in the principal balance under the terms of the legal obligation and that the term “negative amortization loan” means a loan, other than a reverse mortgage subject to Regulation Z § 226.33, 12 CFR § 226.33, that provides for a minimum periodic payment that covers only a portion of the accrued interest, resulting in negative amortization. The September Interim Rule previously stated that the term “negative amortization” would mean payment of periodic payments that will result in an increase in the principal balance under the terms of the legal obligation and that the term “negative amortization loan” would mean a loan that permits payments resulting in negative amortization, other than a reverse mortgage.