(L to R) Lee Teichner and Kevin C. Paule of Holland & Knight. (Photo: Courtesy Photo)

In the 2002 film, "Catch Me if You Can," Leonardo DiCaprio stars as a conman who commits check fraud across the United States entering banks, posing as a pilot, lawyer and doctor, to dupe unsuspecting victims out of millions of dollars. In today's world, real life fraudsters have a new con—defrauding customers of financial institutions using technical schemes from remote locations to initiate wire transfers to anonymous and far away bank accounts, with the wired money typically never to be seen by its rightful owners again.

With the increase of the internet and online banking, hackers have devised ways to access people's personal information, and to send emails to banks or others, posing as the true bank account holders, making wire transfer requests from what appears to be the customer's or other legitimate email addresses. The scheme does not even require the fraudster to set foot inside the bank (or to even set foot inside the United States). Thus, rather than wearing a disguise, modern fraudsters disguise themselves as the true bank account holders or as other legitimate recipients of funds, by transmitting electronic communications to initiate the wire transfers. When the scheme is eventually uncovered, it is too late, and the money has vanished to some far away country and into the fraudsters' pockets.

Fortunately for financial institutions acting in good faith on what are or what appear to be valid requests for wire transfers, Florida statutory safe harbor provisions exist to shield the financial institutions from liability stemming from making the wire transfers.

Florida, along with many other states, has codified the Uniform Commercial Code for Funds Transfers. Specifically, Article 4A of the UCC: Funds Transfers has been codified at Florida Statute Section 670.202. This statute states that "If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."

Stated differently, if a bank or other financial institution receives a wire transfer request that is, or appears to be, an authorized wire transfer request by the account holder, including a wire transfer request that has been sent from the email address on file for the account holder, but the request ultimately turns out not to have been authorized, or is even a fraudulent wire transfer request, the bank or financial institution is immune from liability if the security procedures in place were commercially reasonable and the bank followed those procedures.

According to this statute, a procedure is commercially reasonable if: the procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer; and the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, that was issued in the customer's name and accepted by the bank in compliance with the security procedure chosen by the customer.

Thus, when a bank customer wishes to establish a protocol for wire transfers, including a protocol or procedure that permits the customer to authorize wire transfers electronically, the bank should set forth the protocol in writing that the bank will follow, and have the customer acknowledge that the customer accepts this procedure as commercially reasonable, and is forgoing other, potentially more reliable security protocols. Customers may prefer the convenience of being able to initiate and request wire transfers via email, but in doing so, the customers should be aware that there are more reliable (and more secure) procedures, but that they have accepted the bank foregoing such additional procedures for the customer's own desired convenience.

In Florida, causes of action based on unauthorized wire transfers are limited to those brought under Article 4A of the UCC. Florida courts have regularly held that Florida Statute Section 670.202 provides the exclusive remedy and standard of care for addressing claims stemming from unauthorized wire transfers, and that common law causes of action such as claims for negligence and breach of contract are not allowed. See List Industries v. Wells Fargo Bank, No. 17-cv-61204, 2018 WL 4334876, at *5 (S.D. Fla. Sept. 11, 2018) (stating that Article 4A (and Fla. Stat. Section 670.202) preempts common law negligence claims predicated on a bank's purported lack of care in handling wire transfer requests); Capten Trading v. Banco Santander International, No. 17-20264, 2018 WL 1558272, at *4 (S.D. Fla. Mar. 29, 2018).

In one case outside of Florida, Choice Escrow and Land Title v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the court affirmed summary judgment for the bank and found that the security procedures in place by the bank were commercially reasonable because, among other things, the procedures comported with the bank customer's reasonable expectations. The Choice Escrow court noted that the good faith requirement imposed on bank's by Article 4A does not require "a process whereby a human being manually reviews every payment order submitted to the bank to ensure that no irregularities exist."

In conclusion, banks and other financial institutions may be deemed immune from liability for wire transfers—even those where the bank's customer did not authorize the wire transfer— where the bank or financial institution has in place security procedures that are commercially reasonable, and agreed upon between the customer as commercially reasonable, and the bank followed such procedures in good faith, even if the wire transfer request turns out to be a fraud from a con man, computer hacker sitting in his bunker anonymously, somewhere across the world.

Lee P. Teichner and Kevin Paule are litigation attorneys in Holland & Knight's Miami office. Both attorneys, as part of their practice, represent banking and financial institutions in litigation  matters in Florida courts.