1. Some person will always be identified as the sender of a payment order. Acceptance of the order by the receiving bank is based on a belief by the bank that the order was authorized by the person identified as the sender. If the receiving bank is the beneficiary's bank, acceptance means that the receiving bank is obliged to pay the beneficiary. If the receiving bank is not the beneficiary's bank, acceptance means that the receiving bank has executed the sender's order and is obliged to pay the bank that accepted the order issued in execution of the sender's order. In either case the receiving bank may suffer a loss unless it is entitled to enforce payment of the payment order that it accepted. If the person identified as the sender of the order refuses to pay on the ground that the order was not authorized by that person, what are the rights of the receiving bank? In the absence of a statute or agreement that specifically addresses the issue, the question usually will be resolved by the law of agency. In some cases, the law of agency works well. For example, suppose the receiving bank executes a payment order given by means of a letter apparently written by a corporation that is a customer of the bank and apparently signed by an officer of the corporation. If the receiving bank acts solely on the basis of the letter, the corporation is not bound as the sender of the payment order unless the signature was that of the officer and the officer was authorized to act for the corporation in the issuance of payment orders, or some other agency doctrine such as apparent authority or estoppel causes the corporation to be bound. Estoppel can be illustrated by the following example. Suppose P is aware that A, who is unauthorized to act for P, has fraudulently misrepresented to T that A is authorized to act for P. T believes A and is about to rely on the misrepresentation. If P does not notify T of the true facts although P could easily do so, P may be estopped from denying A's lack of authority. A similar result could follow if the failure to notify T is the result of negligence rather than a deliberate decision. Restatement, Second, Agency, section 8B. Other equitable principles such as subrogation or restitution might also allow a receiving bank to recover with respect to an unauthorized payment order that it accepted. In Gatoil (U.S.A.), Inc. v. Forest Hill State Bank, 1 U.C.C. Rep. Serv. 2d 171 (D.Md. 1986), a joint venturer not authorized to order payments from the account of the joint venture, ordered a funds transfer from the account. The transfer paid a bona fide debt of the joint venture. Although the transfer was unauthorized the court refused to require recredit of the account because the joint venture suffered no loss. The result can be rationalized on the basis of subrogation of the receiving bank to the right of the beneficiary of the funds transfer to receive the payment from the joint venture.
But in most cases these legal principles give the receiving bank very little protection in the case of an authorized payment order. Cases like those just discussed are not typical of the way that most payment orders are transmitted and accepted, and such cases are likely to become even less common. Given the large amount of the typical payment order, a prudent receiving bank will be unwilling to accept a payment order unless it has assurance that the order is what it purports to be. This assurance is normally provided by security procedures described in section 4A-201.
In a very large percentage of cases covered by article 4A, transmission of the payment order is made electronically. The receiving bank may be required to act on the basis of a message that appears on a computer screen. Common law concepts of authority of agent to bind principal are not helpful. There is no way of determining the identity or the authority of the person who caused the message to be sent. The receiving bank is not relying on the authority of any particular person to act for the purported sender. The case is not comparable to payment of a check by the drawee bank on the basis of a signature that is forged. Rather, the receiving bank relies on a security procedure pursuant to which the authenticity of the message can be "tested" by various devices which are designed to provide certainty that the message is that of the sender identified in the payment order. In the wire transfer business the concept of "authorized" is different from that found in agency law. In that business a payment order is treated as the order of the person in whose name it is issued if it is properly tested pursuant to a security procedure and the order passes the test.
Section 4A-202 reflects the reality of the wire transfer business. A person in whose name a payment order is issued is considered to be the sender of the order if the order is "authorized" as stated in subsection (a) or if the order is "verified" pursuant to a security procedure in compliance with subsection (b). If subsection (b) does not apply, the question of whether the customer is responsible for the order is determined by the law of agency. The issue is one of actual or apparent authority of the person who caused the order to be issued in the name of the customer. In some cases the law of agency might allow the customer to be bound by an unauthorized order if conduct of the customer can be used to find an estoppel against the customer to deny that the order was unauthorized. If the customer is bound by the order under any of these agency doctrines, subsection (a) treats the order as authorized and thus the customer is deemed to be the sender of the order. In most cases, however, subsection (b) will apply. In that event there is no need to make an agency law analysis to determine authority. Under section 4A-202, the issue of liability of the purported sender of the payment order will be determined by agency law only if the receiving bank did not comply with subsection (b).
2. The scope of section 4A-202 can be illustrated by the following cases. Case #1. A payment order purporting to be that of Customer is received by Receiving Bank but the order was fraudulently transmitted by a person who had no authority to act for Customer. Case #2. An authentic payment order was sent by Customer, but before the order was received by Receiving Bank the order was fraudulently altered by an unauthorized person to change the beneficiary. Case #3. An authentic payment order was received by Receiving Bank, but before the order was executed by Receiving Bank a person who had no authority to act for Customer fraudulently sent a communication purporting to amend the order by changing the beneficiary. In each case Receiving Bank acted on the fraudulent communication by accepting the payment order. These cases are all essentially similar and they are treated identically by section 4A-202. In each case Receiving Bank acted on a communication that it thought was authorized by Customer when in fact the communication was fraudulent. No distinction is made between Case #1 in which Customer took no part at all in the transaction and Case #2 and Case #3 in which an authentic order was fraudulently altered or amended by an unauthorized person. If subsection (b) does not apply, each case is governed by subsection (a). If there are no additional facts on which an estoppel might be found, Customer is not responsible in Case #1 for the fraudulently issued payment order, in Case #2 for the fraudulent alteration, or in Case #3 for the fraudulent amendment. Thus, in each case Customer is not liable to pay the order and Receiving Bank takes the loss. The only remedy of Receiving Bank is to seek recovery from the person who received payment as beneficiary of the fraudulent order. If there was verification in compliance with subsection (b), Customer will take the loss unless section 4A-203 applies.
3. Subsection (b) of section 4A-202 is based on the assumption that losses due to fraudulent payment orders can best be avoided by the use of commercially reasonable security procedures, and that the use of such procedures should be encouraged. The subsection is designed to protect both the customer and the receiving bank. A receiving bank needs to be able to rely on objective criteria to determine whether it can safely act on a payment order. Employees of the bank can be trained to "test" a payment order according to the various steps specified in the security procedure. The bank is responsible for the acts of these employees. Subsection (b)(ii) requires the bank to prove that it accepted the payment order in good faith and "in compliance with the security procedure". If the fraud was not detected because the bank's employee did not perform the acts required by the security procedure, the bank has not complied. Subsection (b)(ii) also requires the bank to prove that it complied with any agreement or instruction that restricts acceptance of payment orders issued in the name of the customer. A customer may want to protect itself by imposing limitations on acceptance of payment orders by the bank. For example, the customer may prohibit the bank from accepting a payment order that is not payable from an authorized account, that exceeds the credit balance in specified accounts of the customer, or that exceeds some other amount. Another limitation may relate to the beneficiary. The customer may provide the bank with a list of authorized beneficiaries and prohibit acceptance of any payment order to a beneficiary not appearing on the list. Such limitations may be incorporated into the security procedure itself or they may be covered by a separate agreement or instruction. In either case, the bank must comply with the limitations if the conditions stated in subsection (b) are met. Normally limitations on acceptance would be incorporated into an agreement between the customer and the receiving bank, but in some cases the instruction might be unilaterally given by the customer. If standing instructions or an agreement state limitations on the ability of the receiving bank to act, provision must be made for later modification of the limitations. Normally this would be done by an agreement that specifies particular procedures to be followed. Thus, subsection (b) states that the receiving bank is not required to follow an instruction that violates a written agreement. The receiving bank is not bound by an instruction unless it has adequate notice of it. Subsections (25), (26), and (27) of section 1-201 apply.
Subsection (b)(i) assures that the interests of the customer will be protected by providing an incentive to a bank to make available to the customer a security procedure that is commercially reasonable. If a commercially reasonable security procedure is not made available to the customer, subsection (b) does not apply. The result is that subsection (a) applies and the bank acts at its peril in accepting a payment order that may be unauthorized. Prudent banking practice may require that security procedures be utilized in virtually all cases except for those in which personal contact between the customer and the bank eliminates the possibility of an unauthorized order. The burden of making available commercially reasonable security procedures is imposed on receiving banks because they generally determine what security procedures can be used and are in the best position to evaluate the efficacy of procedures offered to customers to combat fraud. The burden on the customer is to supervise its employees to assure compliance with the security procedure and to safeguard confidential security information and access to transmitting facilities so that the security procedure cannot be breached.
4. The principal issue that is likely to arise in litigation involving subsection (b) is whether the security procedure in effect when a fraudulent payment order was accepted was commercially reasonable. The concept of what is commercially reasonable in a given case is flexible. Verification entails labor and equipment costs that can vary greatly depending upon the degree of security that is sought. A customer that transmits very large numbers of payment orders in very large amounts may desire and may reasonably expect to be provided with state-of-the-art procedures that provide maximum security. But the expense involved may make use of a state-of-the-art procedure infeasible for a customer that normally transmits payment orders infrequently or in relatively low amounts. Another variable is the type of receiving bank. It is reasonable to require large money-center banks to make available state-of-the-art security procedures. On the other hand, the same requirement may not be reasonable for a small country bank. A receiving bank might have several security procedures that are designed to meet the varying needs of different customers. The type of payment order is another variable. For example, in a wholesale wire transfer, each payment order is normally transmitted electronically and individually. A testing procedure will be individually applied to each payment order. In funds transfers to be made by means of an automated clearinghouse many payment orders are incorporated into an electronic device such as a magnetic tape that is physically delivered. Testing of the individual payment orders is not feasible. Thus, a different kind of security procedure must be adopted to take into account the different mode of transmission.
The issue of whether a particular security procedure is commercially reasonable is a question of law. Whether the receiving bank complied with the procedure is a question of fact. It is appropriate to make the finding concerning commercial reasonability a matter of law because security procedures are likely to be standardized in the banking industry and a question of law standard leads to more predictability concerning the level of security that a bank must offer to its customers. The purpose of subsection (b) is to encourage banks to institute reasonable safeguards against fraud but not to make them insurers against fraud. A security procedure is not commercially unreasonable simply because another procedure might have been better or because the judge deciding the question would have opted for a more stringent procedure. The standard is not whether the security procedure is the best available. Rather it is whether the procedure is reasonable for the particular customer and the particular bank, which is a lower standard. On the other hand, a security procedure that fails to meet prevailing standards of good banking practice applicable to the particular bank should not be held to be commercially reasonable. Subsection (c) states factors to be considered by the judge in making the determination of commercial reasonableness. Sometimes an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper. In that case, under the last sentence of subsection (c), the customer has voluntarily assumed the risk of failure of the procedure and cannot shift the loss to the bank. But this result follows only if the customer expressly agrees in writing to assume that risk. It is implicit in the last sentence of subsection (c) that a bank that accedes to the wishes of its customer in this regard is not acting in bad faith by so doing so long as the customer is made aware of the risk. In all cases, however, a receiving bank cannot get the benefit of subsection (b) unless it has made available to the customer a security procedure that is commercially reasonable and suitable for use by that customer. In most cases, the mutual interest of bank and customer to protect against fraud should lead to agreement to a security procedure which is commercially reasonable.
5. The effect of section 4A-202(b) is to place the risk of loss on the customer if an unauthorized payment order is accepted by the receiving bank after verification by the bank in compliance with a commercially reasonable security procedure. An exception to this result is provided by section 4A-203(a)(2). The customer may avoid the loss resulting from such a payment order if the customer can prove that the fraud was not committed by a person described in that subsection. Breach of a commercially reasonable security procedure requires that the person committing the fraud have knowledge of how the procedure works and knowledge of codes, identifying devices, and the like. That person may also need access to transmitting facilities through an access device or other software in order to breach the security procedure. This confidential information must be obtained either from a source controlled by the customer or from a source controlled by the receiving bank. If the customer can prove that the person committing the fraud did not obtain the confidential information from an agent or former agent of the customer or from a source controlled by the customer, the loss is shifted to the bank. "Prove" is defined in section 4A-105(a)(7). Because of bank regulation requirements, in this kind of case there will always be a criminal investigation as well as an internal investigation of the bank to determine the probable explanation for the breach of security. Because a funds-transfer fraud usually will involve a very large amount of money, both the criminal investigation and the internal investigation are likely to be thorough. In some cases there may be an investigation by bank examiners as well. Frequently, these investigations will develop evidence of who is at fault and the cause of the loss. The customer will have access to evidence developed in these investigations and that evidence can be used by the customer in meeting its burden of proof.
6. The effect of section 4A-202(b) may also be changed by an agreement meeting the requirements of section 4A-203(a)(1). Some customers may be unwilling to take all or part of the risk of loss with respect to unauthorized payment orders even if all of the requirements of section 4A-202(b) are met. By virtue of section 4A-203(a)(1), a receiving bank may assume all of the risk of loss with respect to unauthorized payment orders or the customer and bank may agree that losses from unauthorized payment orders are to be divided as provided in the agreement.
7. In a large majority of cases the sender of a payment order is a bank. In many cases in which there is a bank sender, both the sender and the receiving bank will be members of a funds-transfer system over which the payment order is transmitted. Since section 4A-202(f) does not prohibit a funds-transfer system rule from varying rights and obligations under section 4A-202, a rule of the funds-transfer system can determine how loss due to an unauthorized payment order from a participating bank to another participating bank is to be allocated. A funds-transfer system rule, however, cannot change the rights of a customer that is not a participating bank. Section 4A-501(b). Section 4A-202(f) also prevents variation by agreement except to the extent stated.