Flow Chart Skyline

The Talent Challenge

A broad theme for NeuGroups in 2018 has been talent: fostering, cultivating, recognizing and most importantly, retaining it.

Lightbulb Skyline

ERP Specialist Broadens Its Horizons

Rebranded as Serrala Services, e5 sees the cloud opening up options for treasury.

iTreasurer logo 2016

Subscribe Now

Today is over. Subscribe to iTreasurer and
get ahead of the problems you will face tomorrow.

Risk Management

Who Pays for Fake SWIFT Transfers?

Share |
February 16, 2018

The answer isn’t clear after Wells Fargo, Banco del Austro settle dispute

Cyber crime smallIf a customer sends instructions to a bank to wire money back to the customer or to a vendor and those instructions turn out to be fake, who pays? The answer isn’t clear and now that two litigants in a recent case have settled a dispute over who is responsible for a fraudulent payment, it’s likely going to remain so.

The case involves an allegation by Banco del Austro of Ecuador that Wells Fargo should be liable for authorizing the transfer of $12 million in a fraudulent wire transfer in 2015. Wells has argued that according to the Uniform Commercial Code (UCC) 4A it was “commercially reasonable” to rely on SWIFT messaging, the global go-to bank-to-bank wire transfer agency, to honor the wire request. Therefore, they were not responsible.

However, Banco del Austro, citing another part of UCC 4A, says the transfer request was “unreasonable” because the payment – its size, type – was outside the norms of what the bank has asked of Wells in the past; thus, Wells is responsible.

Under the current law, they’re both right in a sense. Peter Jaffe, of the law firm Freshfields Bruckhaus Deringer LLP, says that according to the UCC’s sections on wire transfers, “if the victim previously agreed that its bank could use a particular security procedure, and if the bank actually applied that procedure in good faith, then the bank is generally off the hook—tough luck for the victim. But if the victim can show that the security procedures are commercially unreasonable, then the loss goes back to the bank. And banks generally can’t contract their way out of this.”

But now that the case has been settled and for now sealed, the winner of this dispute will never be known. “Which means no answer anytime soon to everyone's burning question: who pays for wire transfer hacks?” writes Mr. Jaffe. Going forward, “how will courts interpret UCC Article 4A, which generally governs bank-to-bank wire transfers? What responsibility does a victim bear for its own cybersecurity? What kinds of anti-fraud measures do banks need before honoring wire instructions? How and when are those determined? What if a correspondent banking contract contains indemnification clauses?”

For its part, following this cyber heist and one involving the central bank of Bangladesh, SWIFT in 2016 mandated that users of its systems must comply its new program of requiring higher levels of security. SWIFT created a set of “core security standards and an associated assurance framework for its customers,” which will require customers “to demonstrate their compliance annually against the specified controls set out in the assurance framework.” Any customer that does not comply will be shut out of the network.

Although there is a cost to compliance, Freshfields Bruckhaus Deringer says that cost is ultimately cheaper than “being shut out of the worldwide financial system.”

comments powered by Disqus