Submitted, March 11, 2014
Appeal from United States District Court for the Western District of Missouri - Springfield.
For Choice Escrow and Land Title, LLC, Plaintiff - Appellant: Leland L. Gannaway, GANNAWAY & CUMMINGS, Springfield, MO; Bruce McCurry, Jeff McCurry, CHANEY & MCCURRY, Springfield, MO.
For BancorpSouth Bank, Defendant - Appellee: Richard B. Maltby, Rodney H. Nichols, John Edmund Price, CARNAHAN & EVANS, Springfield, MO.
Before WOLLMAN, MURPHY, and GRUENDER, Circuit Judges.
WOLLMAN, Circuit Judge.
Internet fraudsters stole $440,000 from a bank account that Choice Escrow and Land Title, LLC (Choice), maintained at BancorpSouth Bank (BancorpSouth). Choice sued BancorpSouth for the lost funds, and BancorpSouth counterclaimed for attorney's fees. The questions presented in this case are thus (1) who should bear the loss of the funds from Choice's account, and (2) who should pay BancorpSouth's attorney's fees. The district court, interpreting Article 4A of the Uniform Commercial Code (U.C.C.), held that Choice should bear the loss of the funds from its account and that BancorpSouth should pay its own attorney's fees. We affirm the district court's loss-of-funds ruling, reverse its dismissal of BancorpSouth's counterclaim, and remand for further proceedings.
This litigation began after an unknown third party accessed Choice's online bank account at BancorpSouth and instructed BancorpSouth to "wire" a large sum of money from Choice's account to a bank account in the Republic of Cypress. To wire money is to transfer it electronically, so named because it was once done via telegram. In a typical wire transfer, a bank's customer transmits instructions to the bank to transfer money from the customer's account to the account of a beneficiary; these instructions are called a payment order. Because the customer is not physically present at the bank, the bank uses security procedures, such as passwords and electronic tokens, to verify that the person sending the payment order is actually the customer. In this case, we confront what happens when those security procedures fail.
Choice is a Missouri company that provides real estate escrow services. When parties to a real estate transaction need a third party to hold money in escrow until closing, they give it to Choice for safekeeping. In 2009, Choice opened a trust account at BancorpSouth for this purpose: when a buyer entrusted funds to Choice, Choice deposited the funds in its account at BancorpSouth and then wired the money to the seller at closing. Choice's employees performed these tasks over the Internet using an online banking platform called InView. BancorpSouth provided Choice with four security measures designed to ensure that Choice's employees, and only Choice's employees, would be able to access Choice's account.
First, BancorpSouth required each InView user to register a unique user id and password. Whenever an employee of one of BancorpSouth's institutional customers wished to access the customer's online bank account, the employee would be prompted to enter this information. Without it, access to the account was impossible.
Second, BancorpSouth installed device authentication software called PassMark. When a customer's employee first registered for InView, PassMark recorded the IP address of the employee's computer as well as information about the computer itself--information relating to, for instance, the computer's operating system, central processing unit, browser, screen, time zone settings, and language settings. Whenever any subsequent user attempted to access InView using that employee's user id and password, PassMark verified that the characteristics of that user's computer were consistent with the information PassMark had recorded about the employee's computer. In this way, PassMark verified that each InView user was accessing InView from a recognized computer. If a user attempted to access InView from an unrecognized computer, the user would be prompted to answer "challenge questions" to verify the user's identity. If the user answered these questions correctly, the new computer would be added to the list of recognized computers, and the user would be able to access InView.
Third, BancorpSouth allowed its customers to place dollar limits on the daily volume of wire transfer activity from their accounts. For instance, a customer could limit the daily volume of wire transfers to $10,000 per day, in which case any attempt to transfer more than $10,000 in a single day would be automatically denied. Choice declined to place daily transfer limits on its account.
Fourth, BancorpSouth offered its customers a security measure called "dual control." Under this system, when an InView user submitted a payment order, InView would not send the order to the bank immediately; rather, the request would create a "pending" payment order that would appear in a separate queue in InView. To send a pending payment order to the bank, a second authorized user, using a unique user id and password, would have to log in to InView and separately approve the pending payment order. If a customer declined the use of dual control, BancorpSouth required that customer to sign a waiver acknowledging that it was waiving dual control and that it understood the risks associated with using a single-control (i.e., single-user) security system.
Choice declined the use of dual control and signed the requisite waiver. Thus, Choice's account at BancorpSouth was protected only by (1) the user id's and passwords of its employees, and (2) PassMark. Choice authorized two of its employees, Cara Thulin and Brooke Black, to use InView, and it issued each employee a unique user id and password for this purpose.
With these security measures in place, Choice could issue a payment order by taking the following steps: First, either Thulin or Black would access BancorpSouth's website and log in to InView using her user id and password. Second, PassMark would verify that Thulin or Black was accessing InView from a recognized computer by checking the IP address and other specifications of the computer. If the user was accessing InView from an unrecognized computer, she would be prompted to answer challenge questions.
Once the user cleared PassMark, either by using a recognized computer or by correctly answering the challenge questions, she would gain access to Choice's bank account via InView. From there, the user could issue payment orders to BancorpSouth and, as long as Choice had enough funds in its account, those orders would be sent to one of six BancorpSouth employees responsible for routing Choice's payment orders. That employee would then execute the payment order based on the information contained therein, and BancorpSouth would debit the funds from Choice's account and send Choice a fax confirmation of the wire transfer.
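The four measures and the submission steps described above can be modeled as a small decision flow. The following is an added illustration, not part of the opinion and not BancorpSouth's or InView's code; the class and function names, user ids, passwords, and fingerprint strings are all constructed for the sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    users: dict                    # user id -> password (constructed sample values)
    known_devices: set             # device fingerprints recorded at enrollment
    dual_control: bool = False     # optional measure; off when waived
    daily_limit: Optional[float] = None   # optional measure; None when declined
    sent_today: float = 0.0
    pending: list = field(default_factory=list)

def _login(acct, user, password, device):
    """Measures 1 and 2: credentials, then device recognition."""
    if acct.users.get(user) != password:
        return "denied: bad credentials"
    if device not in acct.known_devices:
        return "challenge: unrecognized device"
    return None

def submit(acct, user, password, device, amount):
    """Submit a payment order and return its status."""
    err = _login(acct, user, password, device)
    if err:
        return err
    if acct.daily_limit is not None and acct.sent_today + amount > acct.daily_limit:
        return "denied: daily limit"
    if acct.dual_control:
        acct.pending.append({"by": user, "amount": amount})
        return "pending: awaiting second approver"
    acct.sent_today += amount
    return "released"

def approve(acct, user, password, device, index=0):
    """Second user releases a pending order; the initiator cannot self-approve."""
    err = _login(acct, user, password, device)
    if err:
        return err
    if acct.pending[index]["by"] == user:
        return "denied: approver must differ from initiator"
    acct.sent_today += acct.pending.pop(index)["amount"]
    return "released"

def make(**opts):
    """Constructed two-user account with one enrolled workstation."""
    return Account({"user_a": "pw-a", "user_b": "pw-b"}, {"fp-office-1"}, **opts)
```

With only the first two measures enabled, `submit` releases an order to any session that presents one valid login from a recognized device; with `dual_control` or `daily_limit` set, release depends on a second user's login or on the configured cap.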
In November 2009, Choice received an e-mail from one of its underwriters describing a "phishing" scam in which an unscrupulous person tricks an unsuspecting Internet user into downloading a computer virus, uses the virus to collect the victim's user id's and passwords, and then uses that information to issue fraudulent payment orders to the victim's bank, transferring money from the victim's account to overseas banks beyond the reach of U.S. authorities. Jim Payne, the Director of Business Development at Choice, forwarded the e-mail to BancorpSouth on November 11, 2009, with the following note:
Please read the email forwarded from one of our underwriters. They suggest a plan of action that included limiting wires to foreign banks. Can we implement this and to what extent would our liability be if fraudulent wire transfers were to occur?
Ashley Kester of BancorpSouth responded two days later:
Hi Jim, sorry to just now be responding. I had to do some research to find out if this was possible. We are unable to stop just foreign wires, the solution is dual control. We always recommend dual control on wires. We discussed this when we setup InView and you decided to waive the dual control. Would you like to consider adding it now? This is the best solution, that way if someone in the company is compromised then the hacker would not be able to initiate a wire with just the one user's information.
After Kester described the mechanics of dual control to Payne, Payne e-mailed Kester once again declining the use of dual control:
Actually I don't think that would be a good procedure for us--lots of times Paige [Payne] is here by herself and that would be really tough unless we all shared pass words.
Sometime after this exchange, a Choice employee fell prey to a phishing attack and contracted a computer virus. This virus gave an unknown third party access to the employee's username and password and allowed the third party to mimic the computer's IP address and other characteristics, rendering InView's password prompts and PassMark's device authentication procedures ineffectual. On March 17, 2010, this third party accessed Choice's online bank account and issued a payment order instructing BancorpSouth to transfer $440,000 from Choice's account to a banking institution in the Republic of Cypress. BancorpSouth accepted and executed the payment order. After attempts to recover the funds failed, Choice sued BancorpSouth for the lost funds, and BancorpSouth counterclaimed for attorney's fees based on an indemnification agreement that it had executed with Choice.
The district court granted summary judgment to BancorpSouth after concluding that Article 4A of the U.C.C. allocated the risk of loss from the fraudulent payment order to Choice. The court then dismissed BancorpSouth's counterclaim for attorney's fees on the pleadings after concluding that the indemnification agreement at issue conflicted with the provisions of Article 4A and was thus unenforceable.
We review the district court's grant of summary judgment to BancorpSouth de novo, viewing the evidence in the light most favorable to Choice. Hill v. Walker, 737 F.3d 1209, 1216 (8th Cir. 2013). Summary judgment is appropriate when there is "no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(a). The parties agree that Article 4A, which ...