If a customer sends instructions to a bank to wire money back to the customer or to a vendor, and those instructions turn out to be fake, who pays? The answer isn’t clear, and now that the two litigants in a recent case have settled their dispute over who is responsible for a fraudulent payment, it is likely to remain so.
The case involves an allegation by Banco del Austro of Ecuador that Wells Fargo should be liable for executing a fraudulent $12 million wire transfer in 2015. Wells argued that under Article 4A of the Uniform Commercial Code (UCC) it was “commercially reasonable” to rely on messages received over SWIFT, the interbank financial messaging network (SWIFT carries the payment instructions between banks; it does not itself move the funds), when honoring the wire request, and that it was therefore not responsible.
However, Banco del Austro, citing another part of UCC 4A, argued that honoring the request was “unreasonable” because the payment, in both its size and its type, fell outside the norms of what the bank had asked of Wells in the past; thus, Wells is responsible.
Under the current law, they’re both right in a sense. Peter Jaffe, of the law firm Freshfields Bruckhaus Deringer LLP, says that according to the UCC’s sections on wire transfers, “if the victim previously agreed that its bank could use a particular security procedure, and if the bank actually applied that procedure in good faith, then the bank is generally off the hook—tough luck for the victim. But if the victim can show that the security procedures are commercially unreasonable, then the loss goes back to the bank. And banks generally can’t contract their way out of this.”
But now that the case has been settled and for now sealed, the winner of this dispute will never be known. “Which means no answer anytime soon to everyone’s burning question: who pays for wire transfer hacks?” writes Mr. Jaffe. Going forward, “how will courts interpret UCC Article 4A, which generally governs bank-to-bank wire transfers? What responsibility does a victim bear for its own cybersecurity? What kinds of anti-fraud measures do banks need before honoring wire instructions? How and when are those determined? What if a correspondent banking contract contains indemnification clauses?”
For its part, following this cyber heist and the one involving the central bank of Bangladesh, SWIFT in 2016 mandated that users of its network comply with a new program requiring higher levels of security. SWIFT created a set of “core security standards and an associated assurance framework for its customers,” which will require customers “to demonstrate their compliance annually against the specified controls set out in the assurance framework.” Any customer that does not comply will be shut out of the network.
Although there is a cost to compliance, Freshfields Bruckhaus Deringer says that cost is ultimately cheaper than “being shut out of the worldwide financial system.”