Wire fraud litigation: Understanding the loss allocation rules for Article 4A

The fact patterns are familiar: A fraudster spoofs a trusted vendor and sends a fraudulent invoice to a business with wiring instructions to an account controlled by the fraudster. Or the “boss” emails an employee requesting an urgent wire transfer.

Although some schemes rely on sophisticated technological tools, in my experience representing banks, low-tech tactics like social engineering, impersonation and forged documents are just as common — and just as effective.

Occasionally the ruse succeeds, and a business authorizes a wire transfer, only to discover later that the funds, and the fraudster, have vanished. When that happens, the business often turns to its bank, seeking reimbursement.

Who bears the loss? In many states, allocation of losses resulting from wire transfer fraud is governed not by familiar common law concepts such as negligence, fault or even fairness, but rather by the predefined loss allocation rules of Article 4A of the Uniform Commercial Code.

Article 4A governs the procedures, rights and liabilities arising from certain kinds of electronic funds transfers, most commonly wire transfers. Concluding that existing law did not adequately address such transfers, the drafters created Article 4A as a comprehensive framework governing the wire transfer process and defining the rights and obligations of every participant — from the person who orders the wire to the ultimate beneficiary, and every financial institution in between.

Given the enormous volume and speed of modern funds transfers, the drafters sought to achieve uniformity, clarity and predictability sufficient to allow participants to allocate and insure against risk with confidence.

In short, Article 4A was designed not to determine who was more careful in any particular transaction, but to determine in advance who would bear the loss.

Article 4A is therefore not a negligence regime. It is a statutory framework for allocating risk. Under the statute, a bank receiving a payment order ordinarily bears the risk of loss only if the order was not authorized by its customer. But in many fraud schemes, the payment order does originate with the customer.

Setting aside rarer instances of sophisticated hacking, wire transfer fraud is usually just a modern variation of the classic confidence game, in which a fraudster leverages the victim’s trust to induce a transfer of funds. In those circumstances, the payment order is not “unauthorized” within the meaning of Article 4A — even if the customer was deceived into initiating the transfer. If the wire transfer was authorized, the bank has no obligation to refund the funds. Thus, where a customer authorizes a payment order, even if the customer was fraudulently induced to do so, the statutory scheme typically places the loss on the customer.

Even if a payment order is not authorized, it may still be treated as effective under G.L.c. 106, § 4A-202(b), if the bank accepted the order in good faith and in compliance with a “commercially reasonable” security procedure. If those conditions are satisfied, then the payment order is deemed authorized, and the loss generally remains with the customer.

Whether a security procedure is commercially reasonable is a question of law that turns on factors such as the customer’s sophistication, the size and nature of its business, and the characteristics of its typical payment orders.

Article 4A also permits banks and their customers to modify certain loss-allocation rules by agreement. For example, if a bank offers a commercially reasonable security procedure but the customer rejects it in favor of a less secure alternative, a payment order verified under that agreed procedure will be deemed authorized if the bank executes it in good faith. See § 4A-202(b).

Conversely, a bank may agree by contract to limit its ability to charge the customer’s account for fraudulent transfers, in which case the customer’s liability cannot exceed the agreed limit. See § 4A-203(a)(1).

Under § 4A-203(a)(2), a customer can still try to shift liability back to a bank that satisfied the commercially reasonable security procedure requirement, but the customer’s burden is substantial. The customer must prove not only that the payment order was issued as a result of fraud, but that the compromise enabling the fraud was not attributable to anyone within its control structure. This includes misuse of authority, credential sharing, or weaknesses in the customer’s own security environment.

As a practical matter, that burden often shifts the litigation focus to technical and forensic questions concerning the customer’s cybersecurity practices and internal controls.

Article 4A not only establishes a loss-allocation framework, it intentionally displaces competing legal theories. Because the statute reflects what the drafters described in their accompanying comments as a “careful and delicate balancing” of competing interests, it was intended to serve as the “exclusive means of determining the rights, duties, and liabilities of the affected parties” in any situation falling within Article 4A’s purview.

Common law claims related to a bank’s execution of a wire transfer, therefore, are unlikely to survive.

For litigants, the practical implication is clear: Reframing an Article 4A dispute through common law concepts will rarely alter the outcome when the alleged misconduct arises from the execution of the transfer itself.

To victims of wire transfer fraud, the results of Article 4A’s loss-allocation regime can appear harsh. But those outcomes reflect a legislative judgment designed to promote uniformity, certainty and efficiency in commercial payments systems. They also reflect the drafters’ determination that customers are often in a better position than banks to prevent losses caused by confidence-based fraud.

For commercial litigators, the implications are significant. Claims arising from induced wire transfer fraud require more than showing that the fraud was foreseeable or that the bank might have acted differently.

Instead, successful claims typically turn on whether the bank deviated from agreed security procedures or relied on procedures that were not commercially reasonable. Absent those defects, Article 4A sharply narrows the path to recovery.

In short, Article 4A was designed not to determine who was more careful in any particular transaction, but to determine in advance who would bear the loss.

Matthew A. Kane is Smith Kane’s managing partner and a member of the Boston firm’s management team. He represents banks, financial institutions, businesses and individuals as a member of the firm’s business litigation practice.