Article courtesy of Kevin P. Braun of Morgan, Lewis & Bockius LLP
Connecticut Superior Court finds bank liable under Article 4A of the UCC for processing a fraudulent wire transfer request from email address impersonating a customer’s authorized representative due to bank’s failure to comply in good faith with its existing security protocols.
Precision Computer Servs., Inc. v. Newtown Sav. Bank, No. AANCV186029468S, 2021 WL 5370456 (Conn. Super. Ct. Oct. 26, 2021)
In March 2017, the defendant, Newtown Savings Bank, a Connecticut bank (the “Bank”) entered into a written Wire Transfer Agreement (the “Agreement”) with Precision Computer Services, Inc. (the “Company”), a customer of the Bank. The Agreement was executed by Michael FitzSimons and Irene FitzSimons, co-owners of the Company, and Ryan Storms, then-assistant vice president and branch manager of the Bank. The Agreement provided that the Bank was “authorized to debit the account or accounts designated by [the Company] for payment of transfer requests,” id. at *1, including the transfer of funds from any account to a third party. Pursuant to the Agreement, there were no restrictions or limitations on the amounts that may be transferred or the location of the beneficiary. The Agreement named three individuals authorized to issue payment orders pursuant to the Agreement: Michael FitzSimons, Irene FitzSimons and Jennifer Atkinson. The Agreement also listed the same three individuals as authorized to confirm payment requests. To confirm a transfer request, the Bank may call any authorized individual, other than the one that originated the request.
On June 14, 2017, Storms received an email from “firstname.lastname@example.org”, impersonating Michael FitzSimons, on which Atkinson was copied, attaching an invoice from a Hungarian company for $67,560 for advisory and legal services, asking Storms to process the attached wire request. Atkinson responded to the email confirming that she would have Storms initiate the wire, noting that Michael FitzSimons would need to authorize as well. The person purporting to be Michael FitzSimons responded to the email directing Storm to initiate the wire and to call Atkinson with any questions. The Bank then processed the fraudulent wire transfer request for the full amount. Michael FitzSimon’s actual email address is “email@example.com”. The fraudster misled Storms and Atkinson by replacing the letter “g” with the letter “q” in the fraudulent email address.
The Company sued the Bank and ultimately moved for summary judgment as to the Bank’s liability under Article 4A of the UCC, which governs wire transfers. The Bank responded with a cross-motion for summary judgment.
The Superior Court of Connecticut noted that Connecticut has adopted Article 4A of the UCC which provides that “a bank receiving a payment order ordinarily bears the risk of loss of any unauthorized funds transfer”, id. at *6, but a bank may shift that risk by providing commercially reasonable security procedures and by applying such procedures in good faith and a commercially reasonable manner. The Court determined that the Bank had not sufficiently shifted such risk, noting that the Bank violated its own security procedure by processing a payment that did not originate from an authorized individual and did not comply in good faith with the existing security protocol. The Court highlighted Storm’s failure to call Michael FitzSimons to verify the request and reliance on Atkinson’s confirmation alone to process the request, the conspicuousness of the swapped letter in the fraudulent email address, the Bank’s lack of security programs that would have detected the fraudulent domain, the prevalence of multifactor authentication and these types of scams in the industry, and the Bank’s monitoring of industry advisories relating to identifying scams swapping letters in email addresses and directing transfers to foreign countries. Therefore, the Court granted the Company’s motion for summary judgment and denied the Bank’s cross-motion for summary judgment.