We regularly work with financial institutions to navigate the challenges of implementing, maintaining, and using security procedures for commercial customers’ use of treasury management services. Security procedures are an integral part of the relationship between the financial institution and its commercial customers. Financial institutions offer (and frequently require) commercial customers to use the institution’s security procedures, which are agreed to be commercially reasonable, to originate payment orders (e.g., wire transfers and ACH Entries) from the customers’ accounts.
Issues often arise when one or more of a customer’s authorized users is not able to use his standard security procedures to access a financial institution’s physical or electronic payments systems to either originate or confirm a payment order. Due to the COVID-19 outbreak and concern over the implementation of preventative measures, including more companies asking or requiring employees to work remotely, financial institutions should consider which customers may need to update, amend or supplement the ways that its customers can make payments, whether this be through adding authorized users or implementing alternative methods to send payment orders.
Use of the Primary Security Procedures Working Remotely
Most commercial customers use a financial institution’s online system to originate and confirm payment orders, using the institution’s most sophisticated security procedures offered and available, including a dual authorization requirement (collectively, the “Primary Security Procedure”). Financial institutions require customers to use and agree upon the fact that these Primary Security Procedures are commercially reasonable for the customer’s payments needs in order to reduce unauthorized transfer risk and liability. With recent precautions taken in the workplace due to COVID-19, many employers are having people work remotely, and therefore Banks should verify with their customers that their authorized users have proper access to the online system if the user is working remotely.
There are several variables to consider:
- Will the user have the same access to the customer’s systems (including the user’s company phone/fax number and email account) and servers (including SWIFT terminals) if working remotely?
- Will the financial institution’s system reject instructions or deny access if a customer is using a different computer than the designated office desktop?
- Does the customer’s remote system have the current operating system and software needed to run the applications on the bank’s system?
- Also, the customer may want to consider adding authorized users in the event of the illness of those currently authorized, making them unable to carry out their respective assignments.
Financial institutions could offer to test the customer’s contingency plans for using the Primary Security Procedures before it becomes necessary.
Alternative Security Procedures
Many customers will require the use of an alternative security procedure if authorized users are either not available or unable to access the financial institution’s system remotely. Customers may ask that the bank accept an email, fax or simply a verbal instruction from the customer over the phone (an “Alternative Procedure”). If necessary, the financial institution should work to establish this Alternative Procedure if the institution already uses phone or other methods as a standard alternative for customers. The institution should also remember to obtain any necessary waivers from customers when establishing this Alternative Procedure. A waiver must be obtained from the customer if the customer will no longer be using the Primary Security Procedure, whether this means that the customer is (i) waiving the use of a Primary Security Procedure to originate or confirm a payment order, or (ii) waiving the use of Dual Authorization (i.e., one user originates a payment order and a second user confirms the payment order). Without a properly executed waiver by the customer, the financial institution assumes the risk of an unauthorized transfer even it was submitted using the Alternative Procedure.
While we are all concerned and making appropriate preparations for personal and family safety, business contingency plans should also consider the ability to make payments to suppliers and employees as needed. We encourage financial institutions to contact their customers to determine whether the Primary Security Procedure will work if the customer is working outside the office, and, where necessary, properly establish an Alternative Procedure where the Primary Security Procedure may not be an option.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.