IBA Compliance Connection

Your go to source for compliance!

Can we accept an electronic signature for a wire transfer request made by a business?

by

admin

Disclaimer: The Electronic Commerce Security Act (ECSA) was repealed and replaced with the Uniform Electronic Transaction Act (UETA), effective June 25, 2021. Please note that this change may affect the continued accuracy of this guidance as it pertains to the ECSA.

Yes, we believe you may accept an electronic signature on a wire transfer request if you follow a commercially reasonable security procedure to verify the electronic signature and the request. However, you may be subjecting your bank to heightened risk when accepting wire transfer requests in this manner.

Article 4A of the Uniform Commercial Code (UCC), which generally governs non-consumer electronic funds transfers, requires that banks may avoid liability for fraudulent transfers if they follow a security procedure agreed to by its customer to authenticate the customer’s payment orders— provided two conditions are met. First, the security procedure must be “a commercially reasonable method of providing security against unauthorized payment orders.” Second, the bank must prove that “it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.” Consequently, we recommend reviewing the security procedures agreed to by your customers before accepting electronic signatures on their wire transfer requests.

Regarding electronic signatures, both Illinois and federal law generally provide that an electronic signature may not be denied legal effect, validity, or enforceability solely because it is in electronic form.

The Illinois Electronic Commerce Security Act (ECSA) also provides that an electronic signature will be considered to be a “secure electronic signature” subject to a rebuttable presumption that it is authentic if “through the use of a qualified security procedure, it can be verified that an electronic signature is the signature of a specific person.” The ECSA outlines several requirements for a “qualified security procedure,” outlined in the resources below, and the procedure must be either agreed to by the parties or certified by the Secretary of State, if your bank wishes to take advantage of the ECSA’s presumption of authenticity.

Additionally, we note that FinCEN has issued an advisory on “e-mail compromise fraud” schemes in which criminals misappropriate funds by deceiving financial institutions and their customers into conducting wire transfers. According to the advisory, banks should use a multi-faceted transaction verification process to guard against this type of fraud, such as verifying “the authenticity of suspicious e-mailed transaction payment instructions by using multiple means of communication or by contacting others authorized to conduct the transactions.”

For resources related to our guidance, please see:

  • Illinois UCC, 810 ILCS 5/4A-202(b) (“If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.”)
  • Illinois UCC, 810 ILCS 5/4A-201 (“‘Security procedure’ means a procedure established by agreement of a customer and a receiving bank for the purpose of (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication. A security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices. Comparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure.”)
  • UCC § 5/4A-201 cmt. 1 (“A large percentage of payment orders and communications amending or cancelling payment orders are transmitted electronically and it is standard practice to use security procedures that are designed to assure the authenticity of the message. . . . Security procedures might also apply to communications that are transmitted by telephone or in writing. Section 4A-201 defines these security procedures. The definition of security procedure limits the term to a procedure ‘established by agreement of a customer and a receiving bank.’ The term does not apply to procedures that the receiving bank may follow unilaterally in processing payment orders. The question of whether loss that may result from the transmission of a spurious or erroneous payment order will be borne by the receiving bank or the sender or purported sender is affected by whether a security procedure was or was not in effect and whether there was or was not compliance with the procedure.”)
  • Illinois UCC, 810 ILCS 5/4A-202(c) (“Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated. A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.”)
  • Electronic Signatures in Global and National Commerce (ESIGN) Act, 15 USC 7001(a)(1) (“A signature, contract, or other record . . . may not be denied legal effect, validity, or enforceability solely because it is in electronic form.”)
  • Illinois Electronic Commerce Security Act, 5 ILCS 175/5-110 (“Information, records, and signatures shall not be denied legal effect, validity, or enforceability solely on the grounds that they are in electronic form.”)
  • Electronic Commerce Security Act, 5 ILCS 175/5-120(a) (“Where a rule of law requires a signature, or provides for certain consequences if a document is not signed, an electronic signature satisfies that rule of law.”)
  • Electronic Commerce Security Act, 5 ILCS 175/10-110(a) (“If, through the use of a qualified security procedure, it can be verified that an electronic signature is the signature of a specific person, then such electronic signature shall be considered to be a secure electronic signature at the time of verification, if the relying party establishes that the qualified security procedure was: (1) commercially reasonable under the circumstances; (2) applied by the relying party in a trustworthy manner; and (3) reasonably and in good faith relied upon by the relying party.”)
  • Electronic Commerce Security Act, 5 ILCS 175/10-115(a) (“The commercial reasonableness of a security procedure is a question of law to be determined in light of the purposes of the procedure and the commercial circumstances at the time the procedure was used, including the nature of the transaction, sophistication of the parties, volume of similar transactions engaged in by either or both of the parties, availability of alternatives offered to but rejected by either of the parties, cost of alternative procedures, and procedures in general use for similar types of transactions.”)
  • Electronic Commerce Security Act, 5 ILCS 175/10-110(b) (“A qualified security procedure for purposes of this Section is a security procedure for identifying a person that is:

(1) previously agreed to by the parties; or

(2) certified by the Secretary of State in accordance with Section 10-135 as being capable of creating, in a trustworthy manner, an electronic signature that:

  • (A) is unique to the signer within the context in which it is used;
  • (B) can be used to objectively identify the person signing the electronic record;
  • (C) was reliably created by such identified person, (e.g., because some aspect of the procedure involves the use of a signature device or other means or method that is under the sole control of such person), and that cannot be readily duplicated or compromised; and
  • (D) is created, and is linked to the electronic record to which it relates, in a manner such that if the record or the signature is intentionally or unintentionally changed after signing the electronic signature is invalidated.”)
  • Electronic Commerce Security Act, 5 ILCS 175/10-115(b) (“Whether reliance on a security procedure was reasonable and in good faith is to be determined in light of all the circumstances known to the relying party at the time of the reliance, having due regard to:

(1) the information that the relying party knew or should have known of at the time of reliance that would suggest that reliance was or was not reasonable;

(2) the value or importance of the electronic record, if known;

(3) any course of dealing between the relying party and the purported sender and the available indicia of reliability or unreliability apart from the security procedure;

(4) any usage of trade, particularly trade conducted by trustworthy systems or other computer-based means; and

(5) whether the verification was performed with the assistance of an independent third party.”)

  • FinCEN, Advisory to Financial Institutions on E-Mail Compromise Fraud Schemes (September 6, 2016) (“The Financial Crimes Enforcement Network (FinCEN) is issuing this advisory to help financial institutions guard against a growing number of e-mail fraud schemes in which criminals misappropriate funds by deceiving financial institutions and their customers into conducting wire transfers. . . . E-mail Compromise Fraud: Schemes in which criminals compromise the e-mail accounts of victims to send fraudulent wire transfer instructions to financial institutions in order to misappropriate funds. The main types of e-mail compromise fraud include: Business E-mail Compromise (BEC): Targets a financial institution’s commercial customers. E-mail Account Compromise (EAC): Targets a victim’s personal accounts.”)
  • FinCEN, Advisory to Financial Institutions on E-Mail Compromise Fraud Schemes (September 6, 2016) (“A multi-faceted transaction verification process can help financial institutions guard against BEC and EAC fraud. For instance, financial institutions may verify the authenticity of suspicious e-mailed transaction payment instructions by using multiple means of communication or by contacting others authorized to conduct the transactions. The success of BEC and EAC schemes depends on criminals prompting financial institutions to execute seemingly legitimate but unauthorized transactions. Such transactions are often irrevocable, which renders financial institutions and their customers unable to cancel payment or recall the funds. Identifying fraudulent transaction payment instructions before payments are issued is therefore essential to preventing and reducing unauthorized transactions.”)