Your encrypted email isn't protecting you. Your callback verifications aren't either.
And when the next fraudulent wire transfer goes through, the legal question won't be whether fraud occurred. It will be whether your organization is liable for using security procedures that courts no longer consider adequate.
Most finance professionals believe their wire transfer security is solid. Everyone in the industry does it this way. Your bank seems satisfied. But here's the problem: the legal standard for "commercially reasonable" security has evolved, and for most organizations, their procedures haven't.
What seemed reasonable five years ago isn't cutting it anymore. And the legal framework that determines who pays when fraud hits, UCC Article 4A, has a built-in evolution mechanism that's putting traditional security procedures on shaky ground.
The $16.6 Billion Question
Let's start with context. According to the FBI's 2024 Internet Crime Report, total losses from cybercrime hit $16.6 billion last year. That's up from $12.5 billion in 2023, a 33% jump in a single year.
Business email compromise (BEC) sits at the heart of this surge. These attacks accounted for $2.8 billion in losses in 2024 alone, making it the second-costliest type of cybercrime reported. And that's just what gets reported.
The scary part? These aren't sophisticated technical hacks. They're social engineering attacks that exploit the exact verification methods we've been using for decades.
Understanding UCC Article 4A
For business wire transfers, UCC Article 4A is the code that helps courts determine where liability sits between banks and their customers. The concept is straightforward:
Under §4A-202, if a bank and customer agree to use a "commercially reasonable" security procedure to verify payment orders, and the bank follows that procedure in good faith, the bank may avoid liability.
The customer may absorb the loss.
But there's a critical catch in the fine print. The security procedure has to actually be commercially reasonable. Not just agreed upon. Not just traditional. Actually effective at detecting unauthorized transfers under current threat conditions.
And here's where it gets interesting: "commercially reasonable" is a legal question, not a business one. Courts decide it. And courts have been evolving their interpretation as the threat landscape changes.
What Makes a Security Procedure "Commercially Reasonable"?
According to §4A-202(c), courts may consider several factors:
- The circumstances of the customer known to the bank
- The size, type, and frequency of payment orders
- Alternative security procedures offered to the customer
- Security procedures in general use by similarly situated banks and customers
That last one is crucial. "Commercially reasonable" isn't static. It evolves with industry practices, known threats, and available technology.
Think about it this way: in 1990, requiring a written signature might have been commercially reasonable. In 2010, encrypted email seemed cutting-edge. But in 2025, with BEC attacks up and AI-generated phishing emails becoming the norm, are yesterday's controls still reasonable?
Courts are increasingly saying no.
When Traditional Controls Fail: The Case Law
The Patco Construction v. People's United Bank decision from the First Circuit changed how we think about commercial reasonableness. The bank used challenge questions ("What's your mother's maiden name?") to verify high-value transfers. Sounds familiar, right?
The court found this wasn't commercially reasonable. Here's why:
The questions were predictable. Answers were easily researched. The bank ignored recommendations from its own security vendor to use additional authentication methods. And critically, the Federal Financial Institutions Examination Council (FFIEC) guidance had already warned about these exact weaknesses.
The bank lost. The customer recovered its funds.
In Choice Escrow v. BancorpSouth Bank, the outcome flipped, but not for the reasons you might think. The bank won because it had offered a stronger dual-control option, and the customer declined it in favor of a less secure but more convenient method.
The pattern is clear: when stronger alternatives exist and are feasible, sticking with weaker traditional methods becomes harder to defend.
The Problem with Email and Callbacks
Let's be direct about what encrypted email and callbacks actually do (and don't do).
Encrypted email:
- ✓ Protects message content during transmission
- ✗ Doesn't verify the sender's identity
- ✗ Doesn't validate bank account ownership
- ✗ Can't detect compromised accounts
- ✗ Won't prevent impersonation
Callback verification:
- ✓ Confirms you spoke to someone
- ✗ Doesn't verify that person's identity
- ✗ Doesn't validate account control
- ✗ Can't detect phone number spoofing
- ✗ Fails against sophisticated impersonation (including AI deepfakes)
Here's the fundamental flaw: both methods assume the person with access to the communication channel is who they claim to be. But that's exactly what modern BEC attacks compromise.
When an attacker controls the email account, encryption only protects their fraudulent instructions. And when they can mimic the target's voice, or when nobody on the verifying side actually knows that voice, callbacks offer false comfort while the fraud goes through.
Regulators know this. The FBI has repeatedly warned that email isn't a secure channel and that callbacks rely on manipulable human behavior. The FFIEC guidance emphasizes layered controls that verify identity, not just channel access.
Real-World Consequences in 2025
This isn't theoretical. These cases are happening right now.
In November 2025, a Utah public financing district sued its paying agent, alleging it should have known that wire instructions from hackers were fraudulent. In March 2025, White Lake Township, Michigan lost funds when an unauthorized individual misdirected infrastructure bond proceeds.
These weren't technical breaches. These were transaction security failures, the exact scenario UCC Article 4A addresses.
And the municipal finance sector isn't alone. In August 2024, carbon manufacturer Orion S.A. lost $60 million to a BEC attack. Johnson County Schools in Tennessee lost $3.36 million to fraudulent banking detail changes. A Massachusetts workers' union was tricked out of $6.4 million by attackers posing as their investment manager.
The pattern repeats across industries: trusted communication channels, traditional verification methods, and millions in irreversible losses.
What "Commercially Reasonable" Could Mean Today
So what does meet the standard in 2025?
Based on regulatory guidance, case law, and the evolving threat landscape, truly commercially reasonable security procedures may need to include:
Identity Verification
Not voice recognition or email account access. Actual identity proofing using multi-factor authentication that verifies who someone is, not just what credentials they hold.
Account Validation
Proof that the recipient actually owns and controls the destination account. Methods like micro-deposits or instant verification that confirm the person receiving funds can access that account.
Comprehensive Audit Trails
Complete, timestamped verification records showing exactly what procedures were followed. Documentation that proves compliance if a dispute arises.
Appropriate Transaction Controls
Risk-based workflows that match security rigor to transaction size and risk. Higher-value or unusual transactions require stronger verification.
Notice what's not on this list: callbacks to numbers the sender provided. Encrypted emails to addresses that might be compromised. Challenge questions with answers found on social media.
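To make those four controls concrete, here is an added example (not code from this article or from Basefund) of a risk-tiered verification policy that produces a timestamped audit record per payment order and discards evidence sourced from the instruction itself, such as a callback to the number the sender provided. The tier threshold, evidence kinds and source labels are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Verification:
    kind: str    # "identity_mfa", "account_ownership" or "callback"
    source: str  # where the contact/account data used for the check came from

@dataclass
class PaymentOrder:
    order_id: str
    amount: int                # whole currency units
    beneficiary_changed: bool  # new or altered destination account
    verifications: list        # Verification records attached by staff

HIGH_VALUE = 25_000  # hypothetical tier threshold, a constructed value
# Evidence sourced from the instruction itself is not independent and is discarded.
UNTRUSTED_SOURCES = {"request_email", "request_phone"}

def required_checks(order):
    """Account validation always; identity proofing for high-risk orders."""
    required = {"account_ownership"}
    if order.amount >= HIGH_VALUE or order.beneficiary_changed:
        required.add("identity_mfa")
    return required

def evaluate(order, now=None):
    """Return a timestamped audit record; approved only if every required check has independent evidence."""
    now = now or datetime.now(timezone.utc)
    independent = {v.kind for v in order.verifications if v.source not in UNTRUSTED_SOURCES}
    discarded = [f"{v.kind} via {v.source}" for v in order.verifications if v.source in UNTRUSTED_SOURCES]
    required = required_checks(order)
    missing = required - independent
    return {
        "order_id": order.order_id,
        "timestamp": now.isoformat(),
        "required": sorted(required),
        "satisfied": sorted(required & independent),
        "discarded": discarded,
        "missing": sorted(missing),
        "approved": not missing,
    }

# Constructed sample: a high-value order to a changed account, "verified" only by a
# callback to the number in the change request plus a real ownership check.
SAMPLE_ORDER = PaymentOrder("PO-1001", 250_000, True, [
    Verification("callback", "request_phone"),
    Verification("account_ownership", "vendor_master_file"),
])
```

Running `evaluate(SAMPLE_ORDER)` rejects the order with `identity_mfa` missing and the callback listed under `discarded`, which is the audit entry you would want on file if the transfer were later disputed.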
Courts have held that once an organization knows its security procedures are ineffective, continuing to use them becomes even harder to defend. When you know that stronger, feasible alternatives exist—when you've read articles like this one, seen the FBI warnings, reviewed the regulatory guidance—can you still claim your traditional methods are commercially reasonable?
Moving Forward: A Question of Standards, Not Technology
The uncomfortable truth is that the regulatory framework already demands better:
- UCC Article 4A defines what's required.
- The FFIEC provides guidance on implementation.
- Court decisions clarify when traditional methods fall short.
We haven't lacked standards. We've lacked the will to implement them.
Your bank may accept encrypted email and callbacks. Your insurance might cover losses. But when litigation starts and courts examine whether your security procedures met the UCC Article 4A standard, the question won't be what your peers were doing. It will be what you knew was possible, and what you chose to do.
Basefund provides a modern alternative to historical money movement protections. With built-in ID verification, bank account validation, and integrated transaction insurance, it supports your efforts to maintain commercially reasonable protection.
The information in this article is for educational purposes only and does not constitute legal advice. Organizations should consult with legal counsel regarding their specific security procedures and liability exposure under UCC Article 4A.