On September 30, 2014, the Alabama Supreme Court issued an important decision regarding which financial institution will bear the burden of a check encoding error under the check-encoding warranty found in Alabama’s U.C.C. Article 4.  According to the Alabama Supreme Court, this case is truly a case of first impression as there are no reported cases from “any jurisdiction in the United States applying [the check encoding warranty in] UCC § 4-209.” 

In Troy Bank & Trust Co. v. The Citizens Bank, No. 1130040 (Ala. Sept. 30, 2014), the Alabama Supreme Court held that the check encoding warranty in Ala. Code § 7-4-209 shifted liability for a $99,000 encoding error from the payor bank, which it held became liable for the full amount of the check when it paid the under-encoded amount, to the depositary bank, which was responsible for encoding the amount of the check.  One of Troy Bank’s customers issued a check to a third-party in the amount of $100,000.  That third-party deposited the check into its account at Citizens Bank.  Being the depositary bank, Citizens Bank was responsible for encoding the check with certain information, including the amount of the check, using special magnetic ink.  Encoding is done manually by bank employees using special encoding machines.  Once a check is encoded, the magnetic ink can be read and processed electronically by other parties.   Here, Citizens Bank accidentally under-encoded the check at issue for $1,000, instead of $100,000, and presented the check to Troy Bank through the Federal Reserve Board for payment.  At the time Citizens Bank initially presented the check to Troy Bank, its customer’s account contained sufficient funds to cover the full amount of the check.  However, because of the encoding error, Troy Bank only paid Citizens Bank $1,000.  Citizens Bank discovered the mistake a month later and sent an adjustment notice through the Federal Reserve Bank for the remaining $99,000.  At the time the Federal Reserve Bank transferred the remaining $99,000 from Troy Bank to Citizens Bank, however, the Troy Bank customer’s account no longer had sufficient funds to pay the full amount of the check. 

Troy Bank sued Citizens Bank, claiming that the check encoding warranty in Ala. Code § 7-4-209 protected it from any damage resulting from Citizens Bank’s encoding error.  The check encoding warranty provides, among other things, that “[a] person who encodes information on or with respect to an item after issue warrants to any subsequent collecting bank and to the payor bank or other payor that the information is correctly encoded.”  Citizens Bank argued that Troy Bank had failed to mitigate its damages because it did not send written notice of dishonor or nonpayment of the adjustment notice before the midnight deadline in Ala. Code § 7-4-301.  The trial court agreed and granted summary judgment for Citizens Bank.  Troy Bank appealed.

The Alabama Supreme Court reversed, agreeing with Troy Bank that the encoding warranty shifted liability for the encoding error to Citizens Bank.  According to the Court, Troy Bank became liable for the full face amount of the check when it paid the under-encoded amount of the check pursuant the final payment rule in Ala. Code § 7-4-215 and did not dishonor the check by the midnight deadline set forth in Ala. Code § 7-4-301. Citizens Bank’s encoding error caused Troy Bank to incur damage based on the insufficient funds in the debited account at the time the $99,000 adjustment notice was paid.  As the Alabama Supreme Court noted, “had Citizens Bank properly encoded the check there would have been no damage” because the customer had sufficient funds at the time the check was initially presented to Troy Bank for payment.  The Court also rejected Citizens failure to mitigate argument, holding that Troy Bank’s payment of the adjustment notice from the Federal Reserve Bank was inconsequential because Troy Bank became liable for the full face amount of the check when it paid the under-encoded amount.    

We continue to see an increase in claims against financial institutions for fraudulent electronic payment orders.  Typically these claims involve large sums of money wired to overseas banks and quickly collected by unknown individuals.  Under U.C.C. Section 4A-204, a bank will be liable for such payment orders unless it falls within one of two exceptions.  A bank may shift liability for the fraudulent order to the customer if either (1) the customer is bound to the order under the law of agency, or (2) the bank and the customer agree to a commercially reasonable security procedure and the bank adhered to that procedure in good faith.

The most common issue arising in these situations is whether the bank’s security procedures are commercially reasonable.  This standard is constantly evolving in response to the changing nature of the schemes employed by cyber-criminals.  The most recent decision to discussing this issue, Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879 (8th Cir. June 11, 2014) (see opinion here), provides some guidance to the types of security procedures banks should consider offering to their customers at the present time to protect themselves against potential fraudulent wire transfer claims.

In BancorpSouth, a customer argued that its bank had failed to employ a commercially reasonable procedure when it honored a fraudulent request to transfer $440,000 from the company’s account to a bank in the Republic of Cypress.  The customer’s expert cited to U.C.C. Section 4A-202 to argue that BancorpSouth should have employed a “transactional analysis” that analyzed every payment order based on their “size, type, and frequency” to identify orders that are outside of the customer’s normal pattern.

The Eighth Circuit, applying Mississippi law, rejected this claim.  Section 4A-202(c) does instruct a bank to consider the “size, type, and frequency” of the wire transfers it issues.  As the court noted, however, a bank must consider this information only to the extent of determining whether the security procedures it employs are “commercially reasonable” for the type of orders it receives.  Section 4A-202 does not mandate that such an individualized analysis must become part of the security procedure itself.

The Eighth Circuit also strongly endorsed the bank’s offering of dual controls as a security procedure.  The court noted:

[D]ual control . . . dramatically reduces the possibility of such a breach.  With dual control in place, a customer’s account remains secure even if a third party manages to obtain an employee’s password and IP address; to issue a payment order, that third party would have to obtain a second, wholly independent set of identifying information.  Phishing scams work because one out of every few thousand recipients of a malicious email will clink on a link containing a virus, and the probability that two employees at the same company would fall for the same scam is quite low.

BancorpSouth, p. 23.

BancorpSouth follows three other notable decisions in recent years that provide helpful guidance to financial institutions in this developing area.  Braga Filho v. Interaudi Bank, No. 03 Civ. 4795 (S.D.N.Y. April 15, 2008) and Chavez v. Mercantil ComerceBank, N.A., 701 F.3d 896 (11th Cir. 2012) provide guidance as to the type of language financial institutions should incorporate into their customer agreements to make certain that all security procedures it provides are considered in a commercial reasonableness inquiry.  Under U.C.C. §7-402, only security procedures agreed to by a customer or security procedures that the customer declined to use in agreeing to other procedures may be considered in judging the bank’s reasonableness.

In Filho, the customer signed an agreement that expressly provided that the bank would select the security procedures for accepting wire instructions.  The court held that this language was sufficient to indicate the customer agreed to whatever procedures the bank selected  In Chavez, in contrast, the deposit agreement provided that the bank “may use” other security procedures other than those specified.  The court held that this language was insufficient to make the security procedures part of the agreement under Section 7-402.

In Patco Constr. Co. v. People’s United Bank, 684 F.3d 19 (1st Cir. 2012), the court held that the bank’s security procedures were not commercially reasonable because its primary protection was the use of a challenge question, which it employed on all payment order transactions.  The court held that reliance on this procedure alone was not commercially reasonable given the increasing availability of keyloggers or other malware that can capture such information for unauthorized users.  The court found that the bank’s procedure actually increased the risk of fraud for its customers who frequently used payment orders, since it increased the chances that the customer’s access information could be intercepted.

Synthesizing the holdings in these four important decisions, there are several steps that banks might consider to avoid being liable for this type of scheme.  First, financial institutions should review the language in their agreements to confirm that the customer has agreed to be bound by whatever commercially reasonable security procedure the bank has selected.  Otherwise, it will run the risk that procedures it actually followed will not be considered by a court in evaluating this issue.  Second, banks should consider whether they need to review and adapt their security procedures as new threats come to their attention.  Finally, in light of the strong endorsement in BancorpSouth, financial institutions should consider whether to make a dual control security procedure available to their customers if they do not already.

In recent years, a number of courts have held that the National Bank Act, 12 U.S.C. 21, et seq., (“NBA”), preempts application of state consumer protection laws against national banks where the state law “significantly impaired” the purpose of the federal act or its implementing regulations.  In Baptista v. J.P. Morgan Chase Bank, N.A., 640 F.3d 1194 (11th. Cir. 2011), for example, the 11th Circuit held that Florida’s “par value” statute, which prohibits a bank from charging a fee for cashing a check drawn on a depositor’s account, could not be enforced against nationally chartered banks because it conflicted with a federal regulation allowing national banks to charge customers “non-interest charges and fees, including deposit account service charges.”

The 11th Circuit has now concluded that this same preemption standard governs the application of host-state consumer protection statutes to out-of-state state-chartered banks.  In Pereira v. Regions Bank, Case No. 13-10458 (May 30, 2014), see attached opinion, plaintiffs asserted a putative class action against an Alabama bank based on the same Florida “par value” fee statute at issue in Baptista.  The district court held that the statute was preempted as to out-of-state state banks to the same extent as national banks, and the 11th Circuit affirmed.

The Court’s decision was based on subsection 12 U.S.C. §1831a(j) of the NBA, entitled “Activities of branches of out-of-state banks.”  It provides:

The laws of a host State. . .  shall apply to an branch in the host State of an out-of-State State bank to the same extent as such State laws apply to a branch in the host State of an out-of-State national bank.  To the extent host State law is inapplicable to a branch of an out-of-state State bank in such host State pursuant to the preceding sentence, home State law shall apply to such branch.

12 U.S.C. §1831a(j)(1). The 11th Circuit held that the plain language of the statute compelled this conclusion, giving little credence to plaintiffs’ attempt to distinguish Section 1831a(j) based on the use of the term “apply.”  It also cited to the legislative history of the provision, noting that when it was amended in 1997, members of Congress expressly stated that the goal was to change how states regulate out-of-state banks so that they were treated like out-of-state national banks instead of in-state state banks.

The Pereira decision helps ensure that out-of-state state banks are not at a disadvantage when competing against national banks in a host state.  When an out-of-state state bank is sued for alleged violation of host state consumer protection or fair lending statutes, bank counsel should carefully review NBA and its implementing regulations, to see whether that statute in question would materially interfere with the powers granted to national banks under those provisions.  Likewise, plaintiffs counsel should be mindful of this holding before challenging an out-of-state state bank based on host-state consumer statutes.