The United States has a fractured payments regulatory system. Your rights, if something goes wrong, differ depending upon the method of payment. Most of these rights belong to individual consumers. However, in the world of funds transfers, there is at least one way for a business to protect itself when something goes wrong.
A funds transfer is simply a way by which money in one person’s bank account gets to another person’s account, through a series of messages (payment orders) sent between one or more banks directing debits and credits from the accounts each holds with the other, until the funds can be credited to the ultimate recipient’s account.
But what if a funds transfer is fraudulent, and the business has not in fact authorized the transfer? News stories abound of companies’ computer systems being hacked and fraudsters sending unauthorized transfers. Usually, in setting up a business bank account to and from which transfers will be credited and debited, the business provides to the bank a list of persons authorized to direct a transfer from the business account and the method by which the payment orders will be sent (e.g., by telephone or electronically). But the fraudster can find that list of authorized persons and impersonate one of them in ordering funds to be sent. The funds may be sent to one bank initially, but the fraudster can keep transferring the funds to different banks in such a manner as to make the ultimate recipient difficult, or perhaps impossible, to determine.
Article 4A of the Uniform Commercial Code covers funds transfers for businesses, setting out the various responsibilities of those involved in the entire funds transfer process.
So what can a business do to protect itself? It can set up a predetermined verification security procedure between the business and its bank for any payment orders sent to the bank purporting to be from an authorized person at the business to transfer funds, or an order to amend or cancel such a transfer. A security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices. A procedure where the bank only compares a signature on a payment order with an authorized specimen signature of the customer is not itself a sufficient security procedure.
While Article 4A-202 is written in such a way as to highlight protection of the bank where the business account is located, it can provide protection for the business as well. In relevant part, it states:
(2) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (a) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (b) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer, or if notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.
What is commercially reasonable? Article 4A-202 further provides that:
(3) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.
If there is a written, agreed-upon security procedure in place, it will determine the liabilities of the bank v. the customer. A robust written security procedure can protect both parties. Without a security procedure, setting the responsibilities of the parties could require protracted discussion and additional analysis, such as analyzing the transaction under the US law of agency.
What should a business keep in mind in establishing a security procedure?
The business first needs to review and perhaps revise its own internal procedures:
- Analyze your current funds transfer flow: Usual method of payment; how many transfers are sent per month; are there some which are regularly sent to the same person, such as a vendor; what is the usual amount of the transfers sent.
- Evaluate your current internal funds transfer procedure: Who prepares the payment order, and what documentation should be prepared to accompany, internally, the request for a payment order (for example, an invoice for payment to a vendor); who is authorized to approve the payment order to the bank; who in the business is authorized to send the payment order to the bank. There should be written policies and procedures setting out people’s roles and responsibilities. Needless to say, these functions should not be the job of only one person; segregation of duties is important when it comes to a business’s cash flow.
- Consider the exception process for a payment order to be sent to the bank that varies from the usual funds transfer traffic: Is it in an amount significantly higher than usual? Is a new vendor being added? Is the usual method of transmitting the payment order changed? Is an invoice out of the ordinary in the timing of payment? Consider appointing someone outside the usual funds transfer approval chain to approve the exception in writing.
When the business has analyzed its own internal policies and procedures and determined them to be sufficient, it is time to speak to the bank:
- The business must enter into an agreement in writing with the bank, establishing a security procedure for the purpose of (1) verifying that the business is the party contacting the bank to issue, amend or cancel a payment order, or (2) detecting error in the transmission or the content of the payment order or communication.
- The security procedure should include the persons at the business and the bank who are authorized to amend or alter the written security procedures.
- Once the business discusses proposed security procedures with the appropriate people at the bank, there should be an internal discussion with appropriate officers within the business, including risk management, to determine the suitability and practicality of a proposed procedure recommended by the bank.
- The business should designate the specified positions that may verify the business’s payment order under the security procedure with the bank (“verifier”). Neither the preparer nor the approver should be the verifier on a payment order that he or she prepared or approved.
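The internal controls from the two lists above (segregation of duties, exception triggers, an independent verifier), written as a check that runs before a payment order is released to the bank. This is an added example, not part of the original article; the field names, the 3x-median reading of "significantly higher", treating the verifier as part of the chain, and the sample orders are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed baseline: past transfer amounts per known beneficiary.
HISTORY = {"Acme Supply": [1200.0, 1350.0, 1280.0]}
AGREED_CHANNEL = "electronic"   # method agreed with the bank (assumed value)
AMOUNT_FACTOR = 3.0             # assumed meaning of "significantly higher"


@dataclass(frozen=True)
class PaymentOrder:
    preparer: str
    approver: str
    verifier: str
    beneficiary: str
    amount: float
    channel: str
    exception_approver: Optional[str] = None  # written sign-off, if any


def review(order, history=HISTORY):
    """Return findings that block release; an empty list means the order may go."""
    findings = []
    chain = {order.preparer, order.approver, order.verifier}
    # Segregation of duties: three distinct people per order.
    if order.preparer == order.approver:
        findings.append("duties: preparer also approved the order")
    if order.verifier in (order.preparer, order.approver):
        findings.append("duties: verifier prepared or approved the order")

    # Exception triggers: deviations from the usual transfer traffic.
    reasons = []
    past = history.get(order.beneficiary)
    if past is None:
        reasons.append("new vendor")
    elif order.amount > AMOUNT_FACTOR * median(past):
        reasons.append("amount above usual")
    if order.channel != AGREED_CHANNEL:
        reasons.append("transmission method changed")

    # An exception needs sign-off from someone outside this order's chain.
    if reasons and (order.exception_approver is None
                    or order.exception_approver in chain):
        findings.append("exception lacks outside approval: " + ", ".join(reasons))
    return findings


# Constructed orders: a routine payment, and an impersonation-style request.
routine = PaymentOrder("ana", "ben", "cho", "Acme Supply", 1300.0, "electronic")
suspect = PaymentOrder("ana", "ben", "ben", "Nova Trading", 48000.0, "telephone")
```

Timing of an invoice, the fourth exception trigger in the list, is not modeled here.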
The business should maintain at the bank a current list of firm personnel who are authorized to transfer funds on behalf of the firm and the authorized verifiers, and consider reviewing the list quarterly. If an authorized person leaves the business, the business should immediately contact the bank and withdraw that person’s name from the list of authorized persons and provide a new list of authorized persons to the bank. Whenever changes need to be made, a new list of authorized persons should be provided to the bank and the previous list returned and destroyed in order to prevent any confusion.
Businesses should also have arrangements with their vendors that identify the people responsible for dealing with each other, along with verification procedures on both sides if contact information (or other information that could lead to diversion of a transfer) changes.
Will such a security procedure offer complete protection from a fraudster determined to access your funds? No, but it should make it harder for the fraudster to succeed.