With hackers on the loose, and wire transfers as a place for them to gain unauthorized access to bank accounts, it is no wonder that when it comes to potentially intercepted wires, customers and banks are playing hot potato with who to blame. Typically, banks bear the risk of loss for unauthorized wire transfers. The Electronic Fund Transfer Act (“EFTA”) for consumer accounts and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts, are two entities that govern these transfers. Both have opposing interests considering that the EFTA attempts to shield customers from paying unauthorized charges whereas the UCC has a framework in place that protects the banks and shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and, (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.

Due to the flexibility of the UCC and the fact that “commercial reasonability” is a question of law, some factors that pertain to it have been interpreted differently by the judicial system. These interpretations have established divergent norms. Some factors that courts look to in their decision making are the customer’s instructions to the bank, the bank’s understanding of the customer’s situation, alternative security procedures offered to the customer, and security procedures in general that are typical of the industry.

With these criterions, courts have been able to judge bank security procedures and assess whether their efforts were adequate. For example, the Eighth Circuit found that where a customer refuses commercially reasonable security procedures such as “dual control,” which requires two independent authorized users to approve the wire transfer, the customer, in effect, assumed the risk of failure. The bank’s procedure was considered adequate because they had the security measures in place in order to protect against cyberattacks. Conversely, in a case heard in the First Circuit, Comerica was found to have failed to satisfy its burden because it did not discover that unusual activity was happening with multiple accounts when a bank dealing fairly with a customer “would have detected and/or stopped the fraudulent wire activity earlier.” The court notes some of the factors that led to this decision such as: the volume and frequency of the wire transfers when there had previously been very low activity, the fact that the destinations of the funds were in Russia, and that Comerica had knowledge of current and prior phishing attempts.

Even the most sophisticated security systems—typically found in banks—are vulnerable to hacking. With the divergence of opinions within the law about who should bear the risk when something goes wrong, customers and banks alike should make sure to take the proper precautions while making transactions of any sort.