To unpack this a bit: Returning readers will recall that last year, a hacker broke into Banco del Austro's computers. Once inside, the hacker sent bogus messages instructing the NY Fed to give away Banco del Austro's money, and the NY Fed honored what it thought was its customer's instructions. Now the two banks are fighting over who bears the loss.
Banco del Austro invoked the familiar rule that banks generally have to reimburse customers when they're duped into giving away the customers' money. That’s the usual law of wire transfers, embodied in UCC article 4-A. Wells Fargo's main defense is that Banco del Austro had already agreed that Wells Fargo should use a particular protocol to ensure that instructions are legit, so Banco del Austro can't turn around to argue that Wells Fargo should have done something else. (I discuss that argument in this blog post and this animation.) But another argument is that Banco del Austro also agreed to indemnify Wells Fargo for any losses resulting from Banco del Austro's failings. Wells Fargo alleges that Banco del Austro's losses arise from its own sub-par cybersecurity defenses, so even if Wells Fargo has to compensate Banco del Austro, Banco del Austro has to indemnify Wells Fargo and send the money straight back. The elephant-in-the-room question was whether this indemnification provision runs headlong into the part of UCC article 4-A that says you can’t agree to disregard UCC article 4-A.
So to return to my original point: Banco del Austro has now responded to Wells Fargo’s arguments and, to absolutely no one’s surprise, it contends that “Wells Fargo’s [argument] is barred because the allocation of loss set forth in Section 4-A-202, as adopted by the State of New York, may not be varied by contract.”
Of course, the judge already decided that he can't decide the case until there's been full discovery of the facts. So unless the parties find a way of getting this particular question before the court sooner (which doesn't strike me as completely implausible, since the question is basically one of law), we've got a long ways before we get clarity on how this aspect of UCC article 4-A works.
Previous posts in this series:
- Who pays for SWIFT hacks? No answer yet, but another question... (18 Nov. 2016)
- SDNY's Kaplan denies Wells Fargo's motion to dismiss in SWIFT hack case (19 Oct. 2016)
- What lawyers need to know about SWIFT hacks... in five minutes, max (11 Oct. 2016)
- NY Fed and Bangladesh Bank patching things up (pun intended) (29 July 2016)
- Who pays for SWIFT hacks? (3 June 2016)