Roger Chavez is a customer of Mercantil Commercebank, N.A. ("the bank"). This case involves an allegedly fraudulent payment order that resulted in the bank's transfer of $329,500 from his account to someone in the Dominican Republic. Chavez sued the bank to recover the $329,500. In response to Chavez's complaint, the bank asserted, inter alia, an affirmative defense premised upon Fla. Stat. § 670.202(2), which relieves a bank of liability for fraudulent payment orders in certain situations. The district court granted the bank's motion for summary judgment and denied Chavez's motion for partial summary judgment on this defense. Chavez appeals.
Generally speaking, under Florida's version of the Uniform Commercial Code ("UCC"), if a bank and its customer agree upon a "security procedure," as that phrase is defined by Fla. Stat. § 670.201, and the procedure is commercially reasonable, a bank is absolved of liability for a fraudulent transfer of the customer's funds if the bank, when processing an order to transfer the customer's funds, follows the security procedure in good faith. See FLA. STAT. §§ 670.201 & 670.202(2). We conclude that the parties' agreed-upon security procedure does not satisfy § 670.201 and consequently § 670.202(2) does not apply. Accordingly, we reverse.
In September 2002, Chavez, a resident of Venezuela, opened an account with the bank, which is located in Miami, Florida. Chavez contends that when he opened his account, the bank created and maintained an electronic file that had a copy of his passport and that included his address and phone number.
Chavez's account was subject to the bank's funds transfer agreement ("FTA"). Relevant to the current dispute is § 5 of the FTA, which details the security procedure for the account. In general, a security procedure is a procedure that the bank uses when processing payment orders in order to verify the authenticity of the order and to detect any errors in their transmission or content. FLA. STAT. § 670.201. Section 5 of the FTA provides in pertinent part:
As indicated above, § 5(i) incorporates by reference a document entitled Annex 1, which lists three different options for security procedures that the bank will use when processing a customer's payment orders. Depending on the option, customers can select one option and at most two options.
Chavez selected only the first option, "Written Payment Orders." It provides:
For Chavez's account, he was the only authorized representative. Thus, for written payment orders delivered in person, Chavez had to sign the payment order.
On February 4, 2008, Chavez flew to Miami and visited the bank's Doral branch. He inquired about why he had not been receiving monthly statements, and he made a large cash deposit. The next day, he returned and made a smaller cash deposit. On February 6, he returned his rental car to the Miami airport around 6:40 a.m. and flew back to Venezuela.
On February 6, someone purporting to be Chavez went to the Doral branch with a written payment order for $329,500. Chavez contends that he had already departed for Venezuela at the time the payment order was delivered to the bank. The order was processed by bank employee Rossana Gutierrez, who was a greeter at the bank, but she occasionally performed the responsibilities of a customer service representative, the type of employee who would typically process a payment order.
According to the district court, Gutierrez confirmed (1) the information on the payment order, (2) the customer's identity via an identification document provided by the customer, (3) the sufficiency of funds in the account, (4) the existence of an FTA for the account, and (5) the authenticity of the signature on the payment order. She then obtained written approval from two branch officers, Talia Pina and Lolita Peroza, who then performed additional steps
The bank's security cameras were not working on the day the payment order was delivered, and Gutierrez did not make a copy of the ID she was shown. As a result, the identity of the person allegedly impersonating Chavez cannot be determined. The bank does not concede that the person presenting the payment order was not in fact Chavez or someone acting on his behalf.
On April 14, 2008, over two months after the payment order was processed, Chavez checked his account online from Venezuela. He claims that this is when he first learned that his balance was considerably lower than expected. He called the bank and allegedly learned for the first time of the February 7 payment order and transfer of the $329,500.
On August 6, 2010, Chavez filed this action against the bank in state court, seeking to recover the $329,500 transferred from his account. The bank timely removed the action to the U.S. District Court for the Southern District of Florida.
The bank filed a motion for summary judgment in which it argued that its third affirmative defense, premised upon the safe-harbor provision in § 202, shifted the risk of loss to Chavez. Chavez filed a motion for partial summary judgment in which he contended that the bank's safe-harbor defense failed as a matter of law.
The district court entered an order granting the bank's motion and denying Chavez's. The district court ruled that the safe-harbor provision in § 202(2) shifted the risk of loss from the bank to Chavez because the parties' agreed-upon security procedure satisfied the statutory definition of a "security procedure" contained in § 201, the bank's security procedure was commercially reasonable, and the bank complied with its security procedure in good faith.
We review de novo a district court's rulings on cross-motions for summary judgment, Owen v. I.C. Sys., Inc., 629 F.3d 1263, 1270 (11th Cir.2011), and the facts are viewed in the light most favorable to the non-moving party on each motion, Am. Bankers Ins. Grp. v. United States, 408 F.3d 1328, 1331 (11th Cir.2005). Summary judgment is appropriate when "there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." FED. R. CIV. P. 56(a).
We divide our discussion into three parts. We begin with a brief overview of Article 4A of the UCC, which has been adopted in Florida. We then address the safe-harbor defense and what the bank must show to shift the risk of loss from the bank to Chavez. Lastly, we address what the parties' agreed-upon security procedure actually was and whether that procedure satisfied § 201.
As this case involves a payment order, Article 4A of the UCC applies. Given the oftentimes confusing nature of UCC provisions and case law applying them, we give a brief overview of the article.
Article 4A, as adopted in Florida, "governs a specialized method of payment referred to in the Article as a funds transfer
The statutes at issue here are Fla. Stat. §§ 670.201 & 670.202. Section 201 defines "security procedure." Section 202 addresses when a bank can shift the risk of loss to the customer, i.e., the safe-harbor provision.
Ordinarily, the bank receiving a payment order bears the risk of loss of any unauthorized funds transfer. FLA. STAT. § 670.204. However, pursuant to § 202 the bank may shift the risk of loss to the customer by showing one of two things: (1) the "payment order received ... is the authorized order of the person identified as sender if that person authorized the order or is otherwise bound by it under the law of agency," id. § 670.202(1), or (2) the parties agreed to a security procedure that is commercially reasonable and that the bank followed in good faith, id. § 670.202(2).
Section 202(1) is not before us, as the bank did not rely upon it when filing its motion for summary judgment. The bank moved for summary judgment pursuant to only § 202(2), which provides in pertinent part,
Thus, § 202(2) imposes three requirements: (1) the bank and the customer must have agreed on a security procedure for verifying payment orders; (2) the agreed-upon security procedure must be a "commercially reasonable method of providing security against unauthorized payment orders"; and (3) the bank must have accepted the payment order in good faith and in compliance with the security procedure and any relevant written agreement or customer instruction. With respect to the first requirement, the agreed-upon security procedure must satisfy the definition of that term in § 201. With respect to the second requirement, the commercial reasonableness of a security procedure is a question of law for the court. Id. § 670.202(3).
The bank based its third affirmative defense on § 202(2), asserting that the parties' agreed-upon security procedure was commercially reasonable, it accepted the payment order in good faith, and consequently the safe-harbor provision shifted the risk of loss to Chavez. The district court agreed and granted the bank summary judgment based on this defense.
As stated above, the first element of § 202(2) requires the bank to show that it and Chavez agreed upon a security procedure and that the procedure satisfies the definition of that term in § 201. Consequently, this is where we begin our analysis. It is undisputed that the parties agreed to a security procedure for verifying payment orders. However, the parties
Chavez contends that the district court misinterpreted the FTA and the security procedure identified therein. He asserts that § 5 of the FTA "expressly provides that the sole agreed security procedure is set forth in Annex 1 and shall remain exclusively so unless and until amended by a writing signed by the bank and made a part of the contract." Chavez argues that no such writing exists, and as a result the security procedure is limited to the annex option selected by Chavez, i.e., a written payment order signed and delivered by an authorized representative.
The bank responds that Chavez misconstrues the FTA by ignoring § 5(iii), which provides in part, "At its option, the Bank may use, in addition to the Security Procedure selected by the Client, any other means to verify any Payment Order or related instruction." The bank contends that this language allows it to add additional procedures — which it actually used — and which, when coupled with the security procedure set forth in the annex, combine to provide for a security procedure that satisfies §§ 201 & 202. In other words, the bank asserts that the agreed-upon security procedure included both the procedure in the annex and the "other means" referenced in § 5(iii).
The district court accepted the bank's position, citing Filho v. Interaudi Bank, No. 03 Civ. 4795(SAS), 2008 WL 1752693, at *4 (S.D.N.Y. Apr. 16, 2008), and held that the agreed-upon security procedure was (1) the procedure in the annex and (2) certain procedures (but not all) the bank, at its option, used when it processed a payment order.
Section 201 defines a security procedure as a "procedure established by agreement of a customer and a receiving bank for the purpose of: (1) Verifying that a payment order or communication amending or canceling a payment order is that of the customer; or (2) Detecting error in the transmission or the content of the payment order or communication." Thus, the security procedure must be one established by agreement of the parties. To determine what Chavez and the bank agreed to, we turn to the FTA and the annex.
Section 5(i) of the FTA provides, "The parties shall comply with the security procedure selected on Annex 1 to the Agreement (the `Security Procedure')." Thus, the FTA makes the phrase "Security Procedure" a defined term, and through Chavez's selection of option one on the annex, limits its meaning to a written payment order delivered and signed by an authorized representative. The remainder of § 5 refers solely to "the Security Procedure," which further shows that the parties consistently used the limited term in its defined sense. In addition, § 5(ii) states that "the use of the Security Procedure in the manner set forth in this Agreement shall be the sole security procedure required with respect to any Order." (Emphasis added.) This unambiguous language shows that the parties agreed upon only the security procedure selected by Chavez in the annex.
The district court's holding that the parties agreed in § 5(iii) that the bank could use other procedures, in addition to the one selected by Chavez, to satisfy § 201 was error. Section 5(iii) provides that the bank "may use ... any other means to verify any Payment Order or related instruction."
As discussed above, §§ 5(i) & (ii) of the FTA explicitly limit the agreed-upon security procedure to the procedure selected by Chavez. Section 5(iii) does not change that. It provides that the bank "may use, in addition to the Security Procedure selected by the Client, any other means" to verify payment orders. This language does not show that the "any other means" is a security procedure. In fact, it shows just the opposite, as § 5(iii) intentionally sets "any other means" apart from the defined "Security Procedure." In addition, the bank — which drafted the FTA and therefore will have any ambiguities construed against it — defined "the Security Procedure" in § 5(i) and chose not to include within that definition the language in § 5(iii). Consequently, "any other means" is not synonymous with "additional security procedures agreed upon by the parties," as the district court held.
Filho, upon which the district court relied, is inapposite. There, the plaintiffs signed an agreement that explicitly provided that their bank would "select security procedures for accepting instructions that are commercially reasonable," 2008 WL 1752693, at *4, and the court understandably held that in so doing the plaintiffs had agreed that they would be bound by whatever commercially reasonable security procedure the bank selected. The court reasoned that as long as the selected procedure was commercially reasonable, the plaintiffs could not complain about what the bank selected. What was important was that the agreement, signed by the plaintiffs, explicitly granted to the bank the right to select the security procedure.
Section 5(iii) does not do this. Its language that the bank may use "any other means to verify any Payment Order" does not constitute an agreement by Chavez that the bank had the power, at its sole discretion, to select any security procedure as long as the procedure was commercially reasonable. It appears that the bank drafted § 5(iii) to enable but not require it to use other means when processing payment orders, and Chavez could not be heard to complain if the bank failed to employ those additional security procedures — because the parties never agreed that the bank would use such additional security procedures.
The procedure for adding or changing "the Security Procedure" further supports
The bank contends that § 5(ii) applies only to changes to the annex, not to the additional security procedures it could add through § 5(iii). However, even assuming that § 5(iii) actually allows the bank to add additional security procedures, § 5(ii) does not contain any language that supports the limitation the bank proposes. Quite plainly, § 5(ii) provides that it applies to additional and different procedures, and there is nothing therein to suggest that this language excludes the procedures in § 5(iii). In fact, there is nothing in the FTA that exempts § 5(iii) from the amendment process; consequently, if we were to accept the bank's contention that Chavez agreed that the bank could add additional security procedures through § 5(iii) without having to comply with § 5(ii), we would have to negate the amendment process entirely. This is contrary to the basic rules of contract construction.
The official comment to § 201 also shows that the parties did not agree in § 5(iii) that the bank could at its sole discretion use additional security procedures. The comment explains that the "definition of security procedure limits the term to a procedure `established by agreement of a customer and a receiving bank.' The term does not apply to procedures that the receiving bank may follow unilaterally in processing payment orders." Section 5(iii)'s language that the bank may use "any other means to verify any Payment Order" is akin to the procedures a bank follows in processing payment orders, not procedures established by agreement, as required by § 201. And, adopting this interpretation gives effect to both the amendment process in § 5(ii) and the language in § 5(iii).
In sum, the parties did not agree in § 5(iii) that the bank could add additional procedures at its discretion; consequently, the only agreed-upon security procedure is the one Chavez selected in the annex. The district court erroneously concluded that the security procedure agreed to by the parties included the procedure selected by Chavez in the annex and the other procedures the bank purportedly added through § 5(iii). However, this conclusion does not end our analysis of whether the bank has satisfied the first element of § 202(2). We must next determine whether the agreed-upon procedure satisfies the definition of "security procedure" in § 201.
The security procedure selected by Chavez requires only that payment orders delivered in person be in writing and delivered and signed by Chavez. Chavez asserts that this procedure does not satisfy § 201's definition of a security procedure because § 201 explicitly disavows the adequacy of the parties' agreed-upon security procedure. We agree.
Section 201 states that "[c]omparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure." Consequently, the parties' agreed-upon procedure must have at least this and one other step in order to qualify as a § 201 "security procedure."
Here, the agreed-upon security procedure does not even require a signature comparison. In fact, the security procedure
For the foregoing reasons, we hold that the bank and Chavez did not have an agreed-upon security procedure as that term is defined in § 201. Consequently, § 202(2) does not apply to this case, and the bank was not entitled to summary judgment on its affirmative defense premised thereon. The district court's order granting the bank summary judgment and denying Chavez summary judgment is
PRYOR, Circuit Judge, dissenting:
I respectfully dissent. The majority opinion concludes that Chavez and Mercantil Commercebank agreed only to the security procedure defined in section 5(i) of the Funds Transfer Agreement and that section 5(iii) of the Agreement, which permits the Bank also to use "any other means" to verify payment orders, is not part of the parties' agreed upon security procedure. Majority Opinion at 901-02. But that conclusion reflects a strained reading of the Agreement and related provisions of Florida law. Because the Agreement encompassed both the required and discretionary security procedures, which together here were commercially reasonable, and the Bank acted in good faith when it accepted the payment order, I would affirm the judgment in favor of the Bank.
Under Florida law, Chavez bears the risk of loss for the allegedly fraudulent payment order if he agreed to a commercially reasonable security procedure, and the Bank relied on that procedure in good faith when it accepted the payment order. Florida law defines a "security procedure" in relevant part as "a procedure established by agreement of a customer and a receiving bank for the purpose of ... [v]erifying that a payment order or communication amending or canceling a payment order is that of the customer." Fla. Stat. § 670.201. The "security procedure" under Florida law is not limited to what the parties expressly define as the "security procedure," but incorporates all procedures agreed upon by the parties to serve that purpose.
These parties agreed to two procedures for verifying the authenticity of payment orders. Section 5(i) provides that "[t]he parties shall comply with the security procedure selected on Annex 1 to this Agreement." And Section 5(iii) provides that "[a]t its option, the Bank may use, in addition to the Security Procedure selected by the Client, any other means to verify any Payment Order or related instruction." These provisions, when read together, establish that Chavez agreed to the use of
The majority contends that "any other means" is not synonymous with "additional security procedures agreed upon by the parties" because the Agreement had already defined "Security Procedure" in a more limited manner, Majority Opinion at 901-02, but that argument both misreads the Agreement and Florida law. Section 5(iii) provides that, "[a]t its option, the Bank may use, in addition to the Security Procedure selected by the Client, any other means to verify any Payment Order or related instruction." Section 5(iii) reflects that the Bank must use the security procedure selected by the customer in Annex 1 and that the Bank, at its option, may also employ additional security procedures. The use of the words "in addition" and "any other means" clarify that the additional means envisioned are additional security procedures, as does the location of this provision in section 5, which is titled "Security Procedure." And Florida law defines "Security Procedure" in section 670.201 in language that tracks the text of section 5(iii) of the Agreement. Section 670.201 defines a security procedure as "a procedure established by agreement ... for the purpose of ... [v]erifying ... a payment order," Fla. Stat. § 670.201, and section 5(iii) permits the Bank to use "any other means to verify any Payment Order."
The majority also misreads section 5(ii) of the Agreement. Section 5(ii) provides, in relevant part, that "unless and until any additional or different procedures are specified in a writing that is signed by the Bank and made a part of this Agreement, the use of the Security Procedure in the manner set forth in this Agreement shall be the sole security procedure required with respect to any Order." According to the majority, this language "shows that the parties agreed upon only the security procedure selected by Chavez in the annex." Majority Opinion at 901. But the majority reaches this conclusion by relying on the word "sole" at the expense of the rest of the provision. See id. The text clarifies that the security procedure selected in Annex 1 was the "sole security procedure required with respect to any Order." But that provision does not undermine the discretionary authority granted to the Bank in section 5(iii) to adopt additional security procedures to verify payment orders. When section 5(ii) is read in the light of section 5(iii), the meaning of the Agreement is evident. Chavez could not require the Bank to adopt "any other means" under the Agreement, but he could also not object to the adoption by the Bank of any other means because he had agreed to that exercise of discretion by the Bank. Contrary to the majority's suggestion, see id. at 903, the amendment process is still meaningful under this reading because Chavez could not gain greater rights to security under the Agreement without the consent of the Bank.
The majority attempts to distinguish Filho v. Interaudi Bank, No. 03 Civ. 4795(SAS), 2008 WL 1752693 (S.D.N.Y. Apr. 16, 2008), on the ground that the agreement in that case "explicitly granted to the bank the right to select the security procedure," Majority Opinion at 902, but the Agreement in this appeal too explicitly granted the bank the right to select an additional security procedure. The only difference between this case and Filho is that the Agreement in this case also established a minimum level of security selected by Chavez that the Bank had to provide to him. The creation of that minimum baseline of security does not override the additional grant of authority to the Bank to use additional means to verify the authenticity
Although section 5(iii) of the Agreement allowed the Bank to adopt additional security procedures, those procedures had to be commercially reasonable for Chavez to bear the risk of loss under section 202. The Bank performed several security procedures to determine the authenticity of the allegedly fraudulent order: the Bank employee checked the presenter's identification, compared the signature on the written order to the signature on file, verified the accuracy of the account number provided on the order, reviewed the availability of sufficient funds to process the requested order, and confirmed that Chavez had a funds transfer agreement in place for the account.
The security procedures adopted by the Bank for payment orders on Chavez's account were commercially reasonable. The Florida statute instructs us to consider several factors to determine commercial reasonableness:
Fla. Stat. § 670.202(3). All of these factors weigh in favor of a finding of commercial reasonableness. The Bank complied with Chavez's requested security procedure and adopted additional procedures for Chavez's protection. Chavez had certified in the Agreement that "the Security Procedure is sufficient to protect the interests of the Client in light of the Client's needs, and no special circumstances exist with respect to the Client that would require any other security procedure." The Bank offered, and Chavez rejected, two different security procedures that would have utilized individual passcodes and test keys. And an expert for the Bank presented undisputed testimony that the security procedures used by the Bank satisfied the prevailing standards in the banking industry.
The final requirement for the application of the safe harbor provision of section 202 is that the Bank acted in good faith and in compliance with the agreed-upon security procedures when it accepted the payment order. See Fla. Stat. § 670.202(2). The district court held that "Mercantil acted in good faith in accepting and processing the subject payment order." Chavez did not challenge this holding on appeal. Chavez waived any argument that the Bank did not act in good faith and in compliance with its security procedures when it accepted the order. See United States v. Nealy, 232 F.3d 825, 830 (11th Cir.2000).
For the foregoing reasons, I respectfully dissent. I would affirm the judgment in favor of the Bank.
