A federal district court in New Jersey recently dismissed a complaint against a bank filed by a commercial customer duped by a business email compromise incident. The case involved four wire transfers totaling $1.4 million. The court found that even though the customer was tricked by a fraudster into initiating the transfers, the wires were authorized by the customer’s account manager, who approved and confirmed the transactions. The court concluded that the question of whether the bank complied with commercially reasonable security procedures under Uniform Commercial Code Section 4A-202(2) is not reached if the transfers are authorized.

In Harborview Capital Partners, LLC v. Cross River Bank, the email account of the CEO of Harborview was hacked. The fraudster, purporting to be the CEO, emailed Harborview’s account manager, instructing her to initiate four wires to various accounts at a financial institution in Hong Kong. The account manager complied, and upon receipt of each wire transfer order, the bank contacted the account manager to confirm the details of the transaction.

After the fraud was uncovered, Harborview sued the bank, asserting that the bank accepted unauthorized wire transfer orders and failed to maintain and/or adhere to commercially reasonable security procedures, and seeking to hold the bank liable for the payment of the transfers under the UCC. Harborview further alleged that the bank knew that Harborview did not engage in international business, and claimed that after the first wire transfer failed, the bank should have investigated the reason why. Harborview alleged that had the bank done so, the fraud would have been discovered.

Parsing through the language of Article 4A, the court found that the UCC “provides that a payment order sent by a sender’s representative is authorized and binding ‘if that person authorized the order or is otherwise bound by it under the laws of agency.’” Even though Harborview was tricked into authorizing the transfers by a hacker, the orders were still authorized by the account manager. The court noted that Harborview’s claims might have survived a motion to dismiss if the bank was not entitled to rely on instructions from the account manager, but “[n]o such contention is made here.” The court concluded that “[b]ecause Harborview’s agent, employee, and representative sent, signed, and confirmed the wire transfers — even if she did so because she was misled by a third-party hacker — Article 4 provides no cause of action for Harborview.”

In reaching this conclusion, the district court examined two out-of-jurisdiction opinions, addressing what constitutes an “authorized order” under Article 4A of the UCC — Wellton Int’l Express v. Bank of China (Hong Kong) and Berry v. Regions Bank. In both cases, the courts found that the customer had authorized the funds transfer and dismissed the Article 4A-202 UCC claims. Like the plaintiffs in Wellton and Berry, even though Harborview was tricked into authorizing the transfers, “the disputed wire transfers were undoubtedly authorized by Harborview.”

Although Harborview urged the court to consider whether the bank had commercially reasonable security procedures under UCC Section 4A-202(2), the court concluded that it could not reach the question because the transfers were authorized. The court found that the predicate inquiry under UCC Section 4A-202(1) is whether the transfer was authorized. If authorized, the inquiry under Section 4A-202 ends. The court found that Section 202(2) “posits a second scenario under which the bank may safely execute a transfer order, even if it turns out to have not been actually authorized by the customer. Under 202(2), even if the transfer was not actually authorized by the customer, the bank may escape liability if it verified the transfer according to commercially reasonable procedures upon which the parties had agreed to beforehand.” The court further found that Harborview’s common law claims were preempted by Article 4A, finding that the allegations that the bank accepted unauthorized payment orders, did not adhere to commercially reasonable security procedures, and failed to take certain actions with respect to funds transfers constituted “the very subject matter covered by Article 4A.”

The facts here are common — especially in business email compromise situations involving a bank and its customer. The decision will be helpful to banks facing claims from customers alleging that the bank failed to verify transfers pursuant to commercially reasonable procedures. Rather than merging Sections 202(1) and 202(2) and evaluating compliance with both, the court did a good job of carefully reviewing relevant caselaw and parsing through the UCC to make clear that the statute entails a two-part inquiry where a customer brings a claim against its own bank for originating a wire transfer induced fraudulently by business email compromise. As the court noted, “whether a payment order is authorized is a threshold inquiry; if the order was authorized in fact by the person who is the designated signatory for the customer, the outcome does not thereafter depend on whether the bank also verified the payment order pursuant to commercially reasonable procedures.” Where the bank does nothing more than execute the wire transfer at the direction of an authorized representative of the customer, there is no liability for failing to detect the fraud pursuant to commercially reasonable procedures.

The Harborview decision should be in the arsenal and cited along with Wellton and Berry when the bank originating the fraudulently induced wire moves to dismiss claims brought under UCC Section 4A-202. The case should not proceed to discovery into the commercial reasonableness of the bank’s security procedures where the facts alleged make clear that the customer, although duped by a hacker via business email compromise, in fact authorized the wire transaction.