We regularly work with financial institutions to navigate the challenges of implementing, maintaining, and using security procedures for commercial customers’ use of treasury management services. Security procedures are an integral part of the relationship between the financial institution and its commercial customers. Financial institutions offer (and frequently require) commercial customers to use the institution’s security procedures, which are agreed to be commercially reasonable, to originate payment orders (e.g., wire transfers and ACH Entries) from the customers’ accounts.

Issues often arise when one or more of a customer’s authorized users is not able to use his standard security procedures to access a financial institution’s physical or electronic payments systems to either originate or confirm a payment order. Due to the COVID-19 outbreak and concern over the implementation of preventative measures, including more companies asking or requiring employees to work remotely, financial institutions should consider which customers may need to update, amend or supplement the ways that its customers can make payments, whether this be through adding authorized users or implementing alternative methods to send payment orders.

Use of the Primary Security Procedures Working Remotely

Most commercial customers use a financial institution’s online system to originate and confirm payment orders, using the institution’s most sophisticated security procedures offered and available, including a dual authorization requirement (collectively, the “Primary Security Procedure”). Financial institutions require customers to use and agree upon the fact that these Primary Security Procedures are commercially reasonable for the customer’s payments needs in order to reduce unauthorized transfer risk and liability. With recent precautions taken in the workplace due to COVID-19, many employers are having people work remotely, and therefore Banks should verify with their customers that their authorized users have proper access to the online system if the user is working remotely.

There are several variables to consider:

  • Will the user have the same access to the customer’s systems (including the user’s company phone/fax number and email account) and servers (including SWIFT terminals) if working remotely?
  • Will the financial institution’s system reject instructions or deny access if a customer is using a different computer than the designated office desktop?
  • Does the customer’s remote system have the current operating system and software needed to run the applications on the bank’s system?
  • Also, the customer may want to consider adding authorized users in the event of the illness of those currently authorized, making them unable to carry out their respective assignments.

Financial institutions could offer to test the customer’s contingency plans for using the Primary Security Procedures before it becomes necessary.

Alternative Security Procedures

Many customers will require the use of an alternative security procedure if authorized users are either not available or unable to access the financial institution’s system remotely. Customers may ask that the bank accept an email, fax or simply a verbal instruction from the customer over the phone (an “Alternative Procedure”). If necessary, the financial institution should work to establish this Alternative Procedure if the institution already uses phone or other methods as a standard alternative for customers. The institution should also remember to obtain any necessary waivers from customers when establishing this Alternative Procedure. A waiver must be obtained from the customer if the customer will no longer be using the Primary Security Procedure, whether this means that the customer is (i) waiving the use of a Primary Security Procedure to originate or confirm a payment order, or (ii) waiving the use of Dual Authorization (i.e., one user originates a payment order and a second user confirms the payment order). Without a properly executed waiver by the customer, the financial institution assumes the risk of an unauthorized transfer even it was submitted using the Alternative Procedure.

While we are all concerned and making appropriate preparations for personal and family safety, business contingency plans should also consider the ability to make payments to suppliers and employees as needed. We encourage financial institutions to contact their customers to determine whether the Primary Security Procedure will work if the customer is working outside the office, and, where necessary, properly establish an Alternative Procedure where the Primary Security Procedure may not be an option.

For more information regarding this article, please contact Scott Fryzel, Lindsay Henry and Lauren Quigley.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Scott R. Fryzel Scott R. Fryzel

Scott Fryzel is a member of the firm’s Financial Industry Group. He represents national and state-chartered banks, foreign banks, credit unions, fintech companies and other financial institutions in a broad array of issues from core banking services to innovative financial products and alternative…

Scott Fryzel is a member of the firm’s Financial Industry Group. He represents national and state-chartered banks, foreign banks, credit unions, fintech companies and other financial institutions in a broad array of issues from core banking services to innovative financial products and alternative delivery channels. Mr. Fryzel is distinguished in the industry for specializing in fintech initiatives such as loan programs and payment processing, treasury management services, regulatory, outsourcing, vendor and client services agreements, and trade services transactions and processing. He advises clients on regulatory compliance with respect to institutional and policy matters, including guidance on issues for directors and senior officers, and the consumer regulations of the CFPB, OCC, FDIC, and the Federal Reserve. He regularly drafts agreements for commercial and consumer deposit products, card programs, and structured deposits as well as outsourcing projects and white-label programs.

Photo of Lindsay S. Henry Lindsay S. Henry

Lindsay Henry is a senior counsel in Dykema’s Financial Industry Group. Her experience includes counseling state and national banks, fintech companies and a variety of other financial institutions and financial services providers on regulatory issues and compliance, consumer credit transactions, deposit products, bank…

Lindsay Henry is a senior counsel in Dykema’s Financial Industry Group. Her experience includes counseling state and national banks, fintech companies and a variety of other financial institutions and financial services providers on regulatory issues and compliance, consumer credit transactions, deposit products, bank mergers and acquisitions, licensing, regulatory applications, technology contracting, payment processing, fair lending and privacy matters, digital banking, mortgage lending and servicing, stored value products and marketplace lending arrangements.

Photo of Lauren E. Quigley Lauren E. Quigley

Lauren Quigley is a senior counsel in Dykema’s Chicago office. Lauren represents financial institutions (including banks, credit unions, and fintech companies) in a variety of commercial and consumer services and products, including consumer loans and deposit products, payment products and services, online banking…

Lauren Quigley is a senior counsel in Dykema’s Chicago office. Lauren represents financial institutions (including banks, credit unions, and fintech companies) in a variety of commercial and consumer services and products, including consumer loans and deposit products, payment products and services, online banking and electronic delivery channels and the legal and regulatory compliance requirements for those services.

Lauren works with clients to draft and structure consumer loan deposit documentation and disclosures, including compliance with applicable regulations (Regulation E, ESIGN compliance, NACHA Operating Rules and Guidelines, Regulation Z). Lauren has experience reviewing and drafting policies and procedures related to payment processing and various card and account products.