Destination: BLJAug2004

08/25/2004 Buffalo Law Journal: For Banks, proving compliance with UCC rules is tricky

For Banks, proving compliance with UCC rules is tricky

Prior to 1989, the law lacked any comprehensive framework setting forth the rights and obligations arising from wire transfers. After 1989 and with the promulgation of Article 4-A of the Uniform Commercial Code that void was filled. As consumers move away from the brick and mortar securities associated with banks and feel more comfortable banking either on line or by other rapidly expending technology, there are new risks that should be considered and old risks that should not forgotten. Wire transfers, for example, are becoming more pervasive in the banking industry due to the desire for immediacy in transactions. In an age of increasing identity theft, the risks associated with wire transfers, which pertains to a single transfer of funds among and between financial institutions, require that banks and individual revisit what basic and necessary precautions should be taken to minimize risk and increase the benefits associated with wire transfers of funds.

Regatos v. North Fork Bank, (257 F. Supp. 2d 632 (S.D.N.Y. 2003)), decided in March, 2003, reviews fundamental issues concerning Article 4-A and issues that may arise in the international transfer of funds. In Regatos, Mr. Tomaz Mendes Regatos, a Brazilian citizen, had an account with a Brazilian branch of the New Commercial Bank of New York ("Bank"). Pursuant to their account agreement, the Bank was required to send Mr. Regatos’ bank statements unless Mr. Regatos directed otherwise. Mr. Regatos, who signed each page of the account agreement, was required (consistent with the language of section 4-406(1)) to:

exercise reasonable care and promptness in examining [bank] statements and items to discover any irregularity including, but not limited to, any unauthorized signature or alteration and . . . notify the Bank promptly in writing of any such discovery, and in no event more than fifteen (15) calendar days subsequent to the time that such statement and items were first mailed or available to the depositor.

(257 F. Supp.2d at 632). The account agreement further provided that if Mr. Regatos "authorized the Bank to hold his correspondence, this section shall apply as if [he had] received such statements on the date shown on the statement." (Id.). The court found that Mr. Regatos’ account was in fact a "hold mail" account, authorizing the Bank to hold his correspondence.

Pursuant to the account agreement, Mr. Regatos was permitted to make wire transfers out of his New York account from his Brazilian home without ever having to dealing directly with the New York office. To wire funds, Mr. Regatos would first sign a payment order, then fax that order to the Bank’s Brazilian office, and finally telephone a representative of the Brazilian office confirming that his payment order was duly received. If Mr. Regatos did not immediately place a telephone call with the representative of the Brazilian office, the representative would call Mr. Regatos on his cell phone. No password or algorithm was implemented to effectuate any wire transfer. After receiving verbal confirmation, the Brazilian office would fax the payment order to its New York office, where the payment order was processed by comparing the faxed signature on the payment order with the signature of Mr. Regatos on file with the Bank. Apparently, Mr. Regatos’ signature was only on file with the New York branch.

On August 9, 2001, after having received, in hand, the bank statements for the first time, Mr. Regatos alerted the Bank of two wire transfers out of his account totaling $600,000.00 that were not authorized. When the Bank refused to recredit Mr. Regatos’ account for $600,000.00, he sued.

The Bank filed a summary judgment motion arguing that Mr. Regatos was estopped from asserting the transfers were unauthorized because he failed to object within 15 days of the issuance of the account statement. The Bank’s lawyers argued that Article 4-A, governing commercial fund transfers, should apply, while Mr. Regatos’ lawyers argued that the Electronic Funds Transfer Act of 1978, (15 USC § 1693 et seq.) governing consumer fund transfers, should apply.

Therefore, the threshold question became the scope of Article 4-A. Although 4-A-108 excludes consumer transactions governed by the EFTA (part of the Consumer Credit Protection Act as amended), the district court found that Article 4-A applied to Mr. Regatos’ funds transfers. Article 4-A applies to "funds transferred defined in Section 4-A-104." (UCC § 4-A-104). Section 4-A-108 excludes "a funds transfer any part of which is govern by the Electronic Fund Transfer Act. . . ." (UCC § 4-A-108). Unlike EFTA transfers, an Article 4-A "funds transfer" can be initiated either orally or by written payment order. The Regatos Court properly applied Article 4-A.

Another important aspect of Article 4-A considered in Regatos is Article 4-A’s statute of repose. Under section 4-A-505, a customer is precluded from contesting an unauthorized transfer from the customer’s account "unless the customer notifies the bank of the customer’s objection to the payment within one year after the notification was received by the customer." (UCC § 4-A-505). In Regatos, the parties significantly shortened the "one year period" to 15 days. At issue was whether the parties can vary section 4-A-505 by agreement.

In general, section 4-A-501(1) states that "the rights and obligations of a party to a funds transfer may be varied by agreement of the affected party." Consequently, Article 4-A expressly incorporates the freedom to contract, which is found at common law and encouraged by section 1-102(3). Certain provisions in Article 4-A, however, cannot be varied by agreement. For example, the authentication provisions of Article 4-A specifically provide that the parties are not permitted to vary by agreement. As illustrated by Regatos, significantly shortening the one-year deadline of 4-A-505 will effectively carve out the customer’s rights under Article 4-A. While the customer’s rights to authentication cannot be varied expressly, such rights can be restricted by implication when varying Section 4-A-505.

In Regatos, the district court, applying Article 4-A, ruled that Mr. Regatos’ objection was timely, but employed a questionable rationale. While concluding that the one-year statute of repose for unauthorized transfer cannot be shortened by agreement, the court ruled that only "rights and obligations" can be varied under section 4-A-501(1), leaving inalterable the statute of repose as neither a right nor obligation.

Thankfully, the district court offered an alternative rationale for its decisions. The court stated that

[a]lthough I have held that the one year notice provision of section 4-A-505 may not be varied by agreement, even if it were variable, a fifteen day notice provision is demonstrably unreasonable and effectively guts the invariable rights of the customer under section 4-A-202 and 4-A-204. This is especially true in light of the fact that Regatos’ account statements were held by the Bank and only provided to him upon request.

(257 F. Supp.2d at 645). While such practical thinking may favor bank customers, it impinges on the protections the Bank sought by agreement.

Section 4-A-505 contemplates that "the customer received notification," which the court found to require "actual notice," a material distinction because Mr. Regatos had received only constructive (not actual) notice.

Another critical issue raised in Regatos was whether there was a commercially reasonable security procedure in place. Section 4-A-201 provides that "[c]omparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure." There was a security procedure in Regatos because more than just a comparison of a signature was required. The court recognized three elements to the security procedure: "a signed order, a confirmatory phone call (always between Regatos and the [Bank], and a signature comparison."

The governing law at issue in Regatos provided that a customer is obligated to pay for a payment order that is executed provided the customer authorized the payment order. Article 4-A further provides that the customer is obligated to pay a payment order if the customer and bank previously agreed upon a commercially reasonable security procedure to verify the authenticity of the payment order, and the Bank "proves that it accepted the payment order in good faith and in compliance with the security procedure."

Surprisingly in this age of increasing identity theft, the district court found the existence of an agreed upon and commercially reasonable security procedure despite the absence of passwords or the like. The court stated that "the use of a confirmatory phone call to the same [bank] representative, who presumably could recognize Regatos’ voice, sufficiently ensured that payment orders faxed by Regatos were in fact authorized by him." (257 F. Supp. 2d at 645).

After Regatos, banks should be more inclined to follow section 4-A-202(3) which provides that:

[a] security procedure is deemed to be commercially reasonable if (a) the security procedure chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (b) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.

(257 F. Supp. 2d at 645). Banks should, nevertheless, memorialize agreements with their customers for security procedures that the bank can uniformly document, and prove at trial, if necessary.

After the Bank’s summary judgment motion was denied because the district court found that there were material issues of fact as to whether the Bank complied with its own security procedures, the case proceeded to trial. At trial, a jury found that the Bank failed to prove that it accepted the payment order in good faith and in compliance with its own security procedures. Having been unable to prove that it made the telephone call to Regatos, the Bank should have chosen a security procedure on which it could easily prove its own compliance. Ultimately, Regatos’ account was recredited the $600,000.00 based upon Article 4-A despite the fact that Regatos commenced this action taking the position that Article 4-A did not apply. The case is now on appeal.