In a new decision in an ongoing account takeover case involving fraudulent ACH transactions, the district court, after denying cross-motions for summary judgment, ruled that should the bank lose at trial, it could set off any damages with defense costs. Federal Ins. Co. v. Benchmark Bank, 2020 U.S. Dist. LEXIS 23315, *32 (S.D. Ohio Feb. 11, 2020).
Previously, the court dismissed all non-UCC Article 4A counts, including breach of contract and violation of federal banking statutes. Federal Ins. Co. v. Benchmark Bank, 2018 U.S. Dist. LEXIS 11152 (S.D. Ohio Jan. 24, 2018). Addressing the contract claim, the court found the account holders were not parties to any relevant electronic banking agreement with the bank; rather, the agreements were between their related entity and the bank. Id. at *13-15. Apparently not raised in that earlier decision was the settled rule that in the absence of an applicable agreement identifying an agreed security procedure, the bank would bear strict liability for any unauthorized payments. See UCC §§ 4A-202(b), 4A-204(a).
Now on summary judgment, the court concluded the bank’s security procedures were commercially reasonable as a matter of law under UCC § 4A-202(b), though it did not use common multifactor authentication (i.e., the use of two of: something the user knows, something the user has, and something the user is). 2020 U.S. Dist. LEXIS 23315, at *32. The court held nonetheless that the bank’s use of “layered security by utilizing unique usernames and passwords, security challenge questions triggered by a risk algorithm, account lockout after three unsuccessful login attempts, IP blacklisting, and dual authorization” satisfied banking agency guidelines, relying primarily on dual authorization. Id. at *25-29.
In considering Article 4A’s good faith requirement, the court initially indicated the bank “acted according to the reasonable expectations of the parties,” where the customer understood it was “not checking whether a receiving entity had a relationship to or prior history” with the customer, “whether a recipient’s name was of Eastern European origin, or where an originating IP address was located,” because the ACH agreement provided the “purpose of the security procedures in place was ‘for verification of authenticity and not to detect an error in the transmission or content of an Entry.’” Id. at *34-35. The court nowhere took into account customary industry practices in considering whether the bank should have applied fraud detection to the transactions, including if the customer previously sent transfers to such recipients. The court concluded, however, there were genuine issues of material fact on whether the bank accepted the transfers in good faith and in compliance the ACH agreement and customer instructions, noting numerous transfers exceeded the agreement’s $50,000 limit per ACH transfer, and a dispute over whether the customer’s employee had authority to conduct transactions on certain accounts. Id. at *36-40.
In a remarkable coda, the court upheld the bank’s setoff defense for attorney’s fees based on an indemnification provision in the customer agreement. The court concluded that indemnification was not inconsistent with UCC Article 4A, allowing the bank to set off its attorneys’ fees and costs against a plaintiff’s damages claims, 2020 U.S. Dist. LEXIS 23315, at *46-49, misciting Choice Escrow and Land Title, LLC v. BankcorpSouth Bank, 754 F.3d 611, 625 (8th Cir. 2014), where the bank was the prevailing party. In contrast, Benchmark Bank sought to invoke the provision even if it were found to be the responsible, non-prevailing party. The court’s holding adopting that notion is inconsistent with the objectives of UCC Article 4A, if not the contractual indemnification language irtself, which the court did not construe. Apparently no motion for reconsideration was filed, and shortly after the decision issued, the case settled.
For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.