As technology evolves, many banks forget to take advantage of a 30-year-old UCC provision that protects them when they accept remote customer directions to send. In a commercial context (this law doesn’t apply to Regulation E transfers involving consumers), if a bank creates a commercially reasonable security procedure and requires the customer to follow that procedure in order to remotely authorize a transaction, and the customer agrees to the procedure, the risk of an unauthorized direction to pay money rests with the depositor. An excellent example is the ability of a customer to remotely authorize a wire transfer. If a bank requires customers to input an RSA token for double factor authentication to authorize a wire transfer, then when the RSA generator is not locked up and the bookkeeper uses it to embezzle money, the depositor bears the loss. Contrast this with the bookkeeper who steals a check and forges the signature. In most cases, that loss is on the bank.

Today’s Takeaway? This protection is effective only if the bank and its customer agree that the authenticity of payment orders will be verified pursuant to a specific security procedure. Check all of your wire transfer agreements, Internet banking agreements and similar agreements to make sure that they include an express agreement accepting your security procedures. Include an affirmative statement by the customer that the security procedures are a commercially reasonable method of providing security against unauthorized transactions.