Article 4A of the Uniform Commercial Code does not govern debit transactions or consumer transactions, but understanding Article 4A is crucial to understanding electronic transfers.
Why? Article 4A, which has been around for more than 40 years, is likely to receive increased attention since ACH utilization of same-day delivery of funds may create additional exposure for financial institutions since it reduces the time which historically has allowed many financial institutions to correct erroneous transfers or to catch unauthorized transfers caused by hacking or other systematic issues.
The allocation of liability under Article 4A is likely be an important factor in determining how ACH transfers are priced and ultimately may determine whether same-day delivery of good funds through ACH transfers expands into the space currently filled by wire transfers.
Financial institutions providing same-day delivery of good funds via ACH transfers more than ever will need to be vigilant to ensure that their systems protect their customers, are commercially reasonable and, most important, follow strictly the protocols the financial institution has agreed to with its customer. A deficiency in any of the three will result in unnecessary liability to the financial institution. Security protocols written prior to the advent of same-day delivery of funds through ACH transfers need to be revisited to determine their commercial reasonableness in today’s environment.
While an ACH transfer may seem similar to a wire transfer, the automation involved in an ACH transaction distinguishes it from a wire transfer. Electronic transfer of funds through an ACH transaction historically involved information being sent in a batch, which then was sent to the clearing house. Banks received their ACH transactions at one time, and processed those as a single transaction in a batch. The result of the batch methodology was that the process was bulky but automated, giving precedence to the bulk over individualized transactions.
Intuitively, one might predict that transfers through ACH would be quicker than wire transfers because of the automation. Instead, wire transfers, generally, have provided quicker delivery of good funds. Such transfers typically have involved transfers where both the initiating bank and receiving bank provide individualized service. Because of the individualized service in verifying the information from the initiating bank and on the receiving bank’s part, wire transfers historically have been viewed as more secure, and have generally been viewed as the vehicle of choice for transfers involving large transfers where same-day delivery of funds is important.
A 2017 rule issued by the National Automated Clearing House Association modified the ACH network to allow processing of ACH three times daily instead of just once. The process times are at 8:30 a.m., 1:00 p.m. and 5:00 p.m. (Eastern time). This means that for an ACH transaction, a transfer started by 1:00 p.m. Eastern Time can result in same-day delivery of good funds. Whether the availability of same-day delivery will mean ACH transfers will replace wire transfers remains to be seen.
Currently, National Automated Clearing House Association rules limit same-day ACH transfers to $25,000 or less per transaction, but discussion is underway to increase the amount to $100,000. If the cap is removed on same-day delivery of ACH transfers, it seems likely that financial institutions will face increased pressure to replace wire transfers with ACH transfers if same-day delivery services can be accomplished without materially increasing the exposure of the financial institution.
Both wire transfers and ACH transfers (for nonconsumer, nondebit transactions) are governed by Article 4A of the UCC. If same-day delivery of ACH transfers becomes more of the norm, one of the historical safeguards of the ACH system will be eliminated, namely the delayed delivery of good funds, which allowed many financial institutions time to correct erroneous transfers or to catch unauthorized transfers caused by hacking or other systematic issues.
So, how does Article 4A of the UCC allocate the liabilities for unauthorized electronic payment orders on a nonconsumer account? Section 4A-204(a) provides the basic framework that a bank is responsible for any such unauthorized electronic payment order. The risk of loss may be shifted back to the customer if the bank can establish that: 1) the bank and the customer agreed to a security procedure by which the authenticity of the payment order is verified; 2) the security procedure is commercially reasonable for protecting against unauthorized payments; and 3) the bank can prove it accepted the payment order in good faith and in compliance with the security procedure and any agreement with the customer restricting payment.
What is commercially reasonable is a flexible standard after considering "the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank … alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated."
The Comments to Official Text to Article 4A make clear that the technology and testing required to be commercially reasonable may differ from large money-center banks to small country banks. Simply stated, one shoe is not expected fit all sizes. Specifically, the Comments acknowledge that the individualized testing that takes place with a wire transfer may not feasible with respect to a transfer made by means of automated clearing house where many payment orders are incorporated into an electronic device such as a magnetic tape that is physically delivered. In such situations, the Comments suggest that a different kind of security procedure must be adopted to take into account the different mode of transmission.
In practice, customers and banks have developed security procedures that typically do not distinguish between modes of transmission. Instead, banks have developed security procedures that apply to ACH as well as wire transfers. In the cases where the payment was made but was not authorized, banks have attempted to shift the burden of the loss to the customer by showing that the bank offered a commercially reasonable security procedure which was rejected and waived by the customer, resulting in the customer being responsible for the unauthorized transaction.