On June 13, 2011, the United States District Court for the Eastern District of Michigan in Experi-Metal, Inc. v. Comerica Bank, No. 09-14890 (E.D. Mich. June 13, 2011) held Comerica Bank liable for unrecovered funds fraudulently transferred from Experi-Metal’s accounts via the bank’s online wire transfer service. The court found that the bank did not carry its burden of proving that it had acted in “good faith” (as required under UCC Article 4A) in accepting and processing the fraudulent payment orders submitted to the bank, even though the fraudulent transfers were initiated using valid customer credentials.
The fraudulent payment orders at issue were the result of a phishing-related fraud perpetrated on a corporate customer of the bank. As a result of the phishing attack, the fraudster obtained the customer credentials necessary to initiate wire transfers from the customer’s accounts. During a six hour period following the fraudster’s receipt of the customer’s credentials, the fraudster initiated ninety-three fraudulent payment orders transferring more than $1.9 million. Although the Court accepted that the bank’s employees had acted honestly and without knowledge of the fraud when processing the transfers, the Court nevertheless held that the bank had not proven that its employee’s acted in accordance with reasonable commercial standards of fair dealing in processing the fraudulent transactions – a necessary element of proving “good faith.”