By: Scott P. Fisher
The use of wire transfers for payment on construction projects is a common occurrence across these United States, and their use is increasing each year, primarily due to their ease of use and the immediate delivery of funds to the payee’s account. However, a wire transfer’s convenience and speed make it particularly vulnerable to “social engineering,” which, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. All too often, this use of social engineering results in the fraudulent transfer of funds to an unintended recipient.
We’ve all been sent emails from the Nigerian prince claiming to be in need of assistance in moving funds out of the country and, in return, the sender is willing to compensate the receiver in some fashion, such as ten percent (10%) of the value transferred. Believe it or not, these emails work, at least some of the time. We wouldn’t continue to receive them if they didn’t. This example is social engineering at its core. In the context of construction payment schemes, it doesn’t take a wild imagination to believe a so-called “hacker” could gain access to an employee’s email account, discuss payment terms with a payor (whether a general contractor, subcontractor, escrow agent, etc.) and convince them to wire transfer funds to a foreign or unintended account. These funds are then transferred again, likely offshore, never to be seen again.
This scenario raises the question of who is responsible for the loss: the payor, the payee or the financial institution that handled the transfer? The Uniform Commercial Code (“UCC”) Article 4A sets forth a carefully chosen set of rules that allocate risk of loss among the participants in “funds transfers” involving payment orders (e.g. wire transfers). The Official Comments to Article 4A note that the rules were written to balance the “competing interests” of the banks that provide funds transfer services and the commercial and financial organizations that use those services. Under Article 4A, the “receiving bank,” the institution that receives an order to transfer funds, ordinarily bears the risk of loss of any unauthorized transfer. However, this risk of loss is shifted in two circumstances.
First, under Section 202(a), if the financial institution received instructions from an authorized agent of its customer, then the customer will bear any resulting loss. In essence, if the customer (or customer’s authorized agent) provides the bank wiring instructions and the bank follows those instructions, the risk of loss is on the customer even if the instructions were in error. As an example, a hacker could infiltrate the email account of a payee-subcontractor and request that the payor-general contractor wire payment funds to a fraudulent account. The general contractor then instructs the bank to wire such funds to the fraudulent account unbeknownst to the subcontractor. In this instance, the bank would have no liability under Section 202(a). This would make sense as the bank was simply following the instructions of the general contractor customer.
The other exception to a bank’s risk of loss is under Section 202(b), wherein the customer bears the risk of loss if the bank and its customer have agreed to “commercially reasonable” security procedures and the bank, in turn, follows those commercially reasonable security procedures. Whether a particular security procedure is commercially reasonable is a question of law to be determined by considering the customer’s stated expectations, the customer’s known needs, alternative security procedures and security procedures used by similarly situated banks and customers. In this instance, a hacker infiltrates the payor-general contractor and initiates payment to a fraudulent account. If the bank follows its procedures and those procedures are deemed to be commercially reasonable, then the risk of loss is upon the customer, not the bank. Such was the case in Envision Healthcare, Inc. v. Federal Deposit Insurance Corp., et al., 2014 WL 6819991. In Envision, Envision was a customer of First Chicago Bank & Trust. Envision claimed that a computer hacker stole the log-in information for one of Envision’s employees and used that employee’s ID and password to access the bank’s online banking system. The hacker then issued a wire transfer order in the employee’s name, authorizing payment to an unknown account, which the bank then processed. Envision sued the bank and, ultimately, lost because the bank was able to show that it had commercially reasonable security procedures in place and followed those procedures.
While the bank’s liability is governed by the UCC, the liability between the payor and the payee is governed by common law contract and tort theories. In Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 2018 WL 6181643, Don Hinds agreed to purchase twenty vehicles from Beau Townsend for about $736,000. When it came time to close the transaction, Beau Townsend’s employee asked, via email, that Don Hinds wire the funds to an out-of-state bank. Don Hinds agreed, wired the money and picked up the vehicles. However, it was not Beau Townsend’s employee who sent the wiring instructions. A hacker had infiltrated the email account of the Beau Townsend employee and sent Don Hinds the fraudulent instructions. Don Hinds had actually wired the funds to the hacker, who drained the account, never to be heard from again. When Beau Townsend demanded return of the vehicles (or payment of the funds), Don Hinds refused. Although the Sixth Circuit Court of Appeals did not decide who was right due to certain procedural issues not relevant here, the Court did identify a framework for how to determine who bears the risk of loss. Ultimately, the Court stated that the risk of loss is on the person in the best position to avoid misfortune. Beau Townsend should have had a more secure email server and Don Hinds should have recognized the suspicious nature of the email: changing the wire instructions to send the money to an out-of-state bank.
With the above in mind, what can parties to a wire transaction do to better protect themselves against losses? First, as Beau Townsend suggests, be aware of grammar, spelling and word usage in emails when you receive wire instructions. In the context of construction, the hackers are unlikely to understand particular trade usage, whether because they are not in the construction industry or because they are often, but not always, from foreign countries. Second, a simple phone call to confirm the payment instructions can go a long way toward limiting your liability. Or consider a dual control policy where one person in the company originates the wire transfer request with a call back to another person within the company. Finally, have a working relationship with your counterpart. Relying on email communications exclusively to transact wire transfers only invites these problems.
While no one strategy is failsafe, the more procedures you implement as a party to wire transfers, the better protected you will be.