Like some of my posts, this one examines an opinion issued in a civil lawsuit rather than one issued in a criminal case. The civil suit, though, involves what I think are interesting issues involving computer security.
We’ll start with the facts. This, according to the opinion, is how the case arose:
In September of 2002, [Roger] Chavez opened a bank account at [Mercantil Commercebank's, N.A.] (`Mercantil’). His account was subject to a Funds Transfer Agreement (`FTA’) that implemented one of three security procedures. . . . [He] chose the first option contained within Annex 1 of the FTA, which requires the Bank only to verify the signature of written payment orders when delivered in person. Mercantil states that it also utilized additional security procedures for processing payment orders by following steps set forth in the Customer Services Manual (`CSM’), including a requirement to verify account and balance information, the existence of an FTA, and identification.
On February 4, 2008, Chavez, a resident of Venezuela, flew to Miami to visit the Bank's Doral branch because he had not been receiving his monthly bank statements and because he wanted to make a large cash deposit into the account. On February 5, 2008, Chavez returned to make another small cash deposit. On February 6, 2008, [he] returned his rental car to the rental car facility at the Miami airport at 6:40 AM, and then departed on a flight to Caracas, Venezuela.
On February 7, 2008, the Bank wire transferred $329,500 from Chavez's account to the account of a beneficiary in the Dominican Republic. This transfer was made pursuant to a payment order (`subject payment order’) dated February 6, 2008, that bore Chavez's signature and was delivered in person by a man purporting to be Chavez. No video footage inside or outside of the bank was available because the security cameras were either broken or their recordings were taped over.
The subject payment order was processed by Mercantil's employee Rossana Gutierrez, who was a `greeter’ that occasionally assumed the responsibilities of a Customer Service Representative (`CSR’). In processing the order, Gutierrez confirmed all the information on the subject payment order; the identity of the customer by requesting an identification document, e.g. a passport or Cedula; the sufficiency of funds by checking the account balance; the existence of an FTA; and the authenticity of the signature. Gutierrez then obtained written approval from two officers, Talia Pina and Lolita Peroza, that, in accordance with their habit and practice, took extra steps to verify the authenticity of the Payment Order and ensure that Gutierrez had completed her duties. Following this approval, Mercantil completed the order and transferred funds to a beneficiary in the Dominican Republic.
Chavez v. Mercantil Commercebank, N.A., 2011 WL 5285713 (U.S. District Court for the Southern District of Florida 2011). (According to Chavez’s complaint, Mercantil “is a national banking association doing business in Miami-Dade County, Florida.” Amended Complaint, Chavez v. Mercantil Commercebank, N.A., 2010 WL 4896668.
While he was in Venezuela “[o]n or about April 14, 2008,” Chavez “checked his account online and claims this is when he first learned that his balance was considerably lower than expected.” Chavez v. Mercantil Commercebank, N.A., supra. He contacted the bank, was told that $329,500 had been wire transferred from his account and, when his “demand that the funds be returned by the bank failed,” filed “this suit in order to retrieve the funds.” Chavez v. Mercantil Commercebank, N.A., supra.
Mercantil responded by filing a motion for summary judgment which, as Wikipedia notes, “is a judgment entered by a court for one party and against another summarily, i.e., without a” trial on the merits. As Wikipedia also explains, in the U.S. a judge can issue summary judgment for the moving party if he/she finds that “there are no disputed issues of `material’ requiring a trial to resolve” and “in applying the law to the undisputed facts, one party is clearly entitled to judgment.”
The legal issues involved in the motion for summary judgment concerned the security procedures implemented by the FTA. The first arose under Florida Statutes § 670.201, which “requires that a `security procedure’ be established by agreement of the customer and the bank.” Chavez argued that “Mercantil's security procedures do not fit within § 670.201’s definition of `security procedure’” and Mercantil of course argued the opposite. Chavez v. Mercantil Commercebank, N.A., supra. The judge agreed with Mercantil:
[§ 670.201] was satisfied when the parties, in their FTA, unambiguously assented to implement the security procedures in Annex 1 of the FTA, requiring all written payment orders to be signed and delivered by an authorized representative `in person or by mail, or by facsimile transmission.’ If the payment order was delivered by mail or fax, Mercantil would be required to complete a follow-up phone call for the purpose of verifying the authorized representative's identity.
In addition to these agreed-upon procedures, clause (iii) of the FTA permitted the bank to, `at its option,’ use other security procedures in addition to those selected by the client that would permit it to verify any payment order or related instruction. . . . [T]his means that, although Annex 1 of the FTA between Mercantil and Chavez did not explicitly state that a procedure for I.D. verification would be implemented, the use of this procedure was agreed upon according to clause (iii) of the FTA.
Chavez v. Mercantil Commercebank, N.A., supra.
The judge therefore found that “the security procedures at issue . . . were established by agreement between the customer and the bank for the purpose of verifying a payment order pursuant to § 670.201.” Chavez v. Mercantil Commercebank, N.A., supra. And he noted that Chavez’s claim that Mercantil’s security procedures did not fit within
§ 670.201’s definition of `security procedure’ fails. The Advisory Committee Notes of the statute explain that the requirement of `algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar devices’ is clearly only contemplated in instances where the fund transfer is not requested in person. Indeed, we have not identified, nor has [Chavez] cited, a single case where algorithms or encryptions were ever required by a customer that stood directly in front of the bank's employee and could simply provide identification.
Chavez v. Mercantil Commercebank, N.A., supra.
This meant the judge then had to decide if there was any factual dispute as to a second issue: “whether these security procedures are commercially reasonable for verifying payment orders delivered in person.” Chavez v. Mercantil Commercebank, N.A., supra. Florida Statutes § 670.202(3) states that the
commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank; the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank; alternative security procedures offered to the customer; and security procedures in general use by customers and receiving banks similarly situated.
As the opinion notes, the statute also
sets out the following factors to be analyzed when determining whether a security procedure is commercially reasonable:
the wishes of the customer expressed to the bank; the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank; alternative security procedures offered to the customer; and security procedures in general use by customers and receiving banks similarly situated.
Chavez v. Mercantil Commercebank, N.A., supra.
The judge began the process of analyzing this issue by noting that “the commercial reasonableness of security procedures used for in person wire transfers is largely one of first impression”, which meant he could not relay on case law for guidance. Chavez v. Mercantil Commercebank, N.A., supra. He therefore bean his opinion by pointing out that comment made by the drafters of the Uniform Commercial Code, which influenced the Florida Statutes, makes it clear that the primary purpose of the security procedures
is to `authenticate’ payment orders, i.e. to verify that the identity of the anonymous person on the other side of an electronic transmission is in fact the person who is authorized to make transfers to and from the account. Fla. Stat. § 670.201 Cmt. 1 (2011). A secondary purpose is to protect against erroneous or mistaken transfers, e.g. transfers that overdraft an account or multiple transmissions of the same payment order. For purposes of deciding [this case], this court should look only at the security procedures that go to establishing the authenticity of a payment order because this order was not a mistake; rather it was fraudulently filed by either Chavez or some other party purporting to be Chavez.
Chavez v. Mercantil Commercebank, N.A., supra.
The judge explained that he was not required to consider the procedures verifying
(i) that the payment order had all the necessary information, (iv) that the customer had an FTA on file, or (v) that the account balance was sufficient to cover the payment order. These `security procedures’ are essentially safeguards against mistaken or erroneous transfers and not measures that authenticate payment orders by verifying a customer's identity. Similarly, [this Court does not need to] consider the (vi) security procedure that requires two officers to verify that procedures (i-v) were taken by the customer service representative because, if the steps taken by the customer service representative were not commercially reasonable in the first place, the officers would simply be `rubber-stamping’ unsatisfactory procedures. Indeed, the officers sitting behind closed doors had no way of verifying the identity of the person purporting to be Chavez that day by simply reviewing the paperwork completed and submitted by their customer service representative.
The security procedures implemented by Mercantil that are meant to protect against the type of fraudulent transfers that Fla. Stat. § 670.202 is designed to prevent include (ii) an identification (`I.D.’) check and (iii) a signature comparison. Therefore, these are the two security procedures this Court must find to be commercially reasonable. Both protect against fraudulent transfers as opposed to mistaken or erroneous transfers. It is clear that signature comparison is an approved security procedure under § 670.202 because the statute states `[c]omparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure.’ (emphasis added). If signature comparison was not an approved procedure, the statute would have plainly said so and would not have bothered to make this distinction.
Chavez v. Mercantil Commercebank, N.A., supra.
He found that “the final and most difficult question” was “ whether a request for a form of identification” to verify a customer’s identity “is a commercially reasonable security procedure that, when combined with a signature comparison, satisfies the requirements of § 670.202(2).” Chavez v. Mercantil Commercebank, N.A., supra. “Logically, it would seem there can be no better safeguard against the fraudulent submission of payment orders than by requiring the customer to present an I.D. that has the customer's picture on it and a name that matches both the name entered on the payment order and the name on the customer's account.” Chavez v. Mercantil Commercebank, N.A., supra.
He noted, though, that in “today’s technological world,” the creation of false identification
might be too easy. For example, . . . an impersonator could have copied [Chavez’s] identification while superimposing or replacing a picture of the impersonator over the [his] picture. . . . If a recording or copy of [his] I.D. was kept in the bank's computer system, the customer sales representative would easily be able to detect this type of fraud because the picture that was superimposed onto the legitimate . . . identification could be checked against the picture on file instead, for example, of having the customer service representative ensure that the names match up in all three places.
But because the statute does not require banks to keep a copy of a customer's I.D. on file, and because verifying a customer's identity by checking the customer's I.D. is commercially reasonable, outside of the single example discussed above, a reasonable juror could not find that a signature comparison combined with a request for a form of I.D. is not a commercially reasonable way of protecting the customer from fraudulent transfers, when the customer submits the payment order in person. This finding is further supported by the unrebutted opinion of Ms. McGuire, Mercantil's expert, who states that Mercantil's security procedures are the prevailing standards in banking. . . .’ See § 670.202(3) (commercial reasonableness is to be determined by considering, inter alia, the `security procedures in general use by customers and receiving banks similarly situated’).
Chavez v. Mercantil Commercebank, N.A., supra.
Finally, the judge pointed out that the bank offered “two alternative security procedures,” which would have “offered a higher level of security” but he rejected them. Chavez v. Mercantil Commercebank, N.A., supra. He therefore ended his opinion by holding that because there was
no genuine issue of fact or law that Mercantil's security procedures were within § 670.201's definition of `security procedure,’ commercially reasonable, and complied with in `good faith’. . . . the Court has no choice but to grant Mercantil's Motion for Summary Judgment in full.
Chavez v. Mercantil Commercebank, N.A., supra.
No comments:
Post a Comment