Unauthorized Payment Transactions and Who Should Bear the Losses
29 Pages Posted: 22 Mar 2019
Date Written: April 1, 2008
This article is concerned with how losses should be allocated between account holders that are implicated in payment systems and the financial institutions that participate in those payment systems by acting as intermediaries between account holders. It does not consider how losses should be allocated among the various financial institutions. (It is, of course, possible that a financial institution may be the account holder.) Although such an approach is often seen as one focusing on the concerns of individual consumers, the account holders that are discussed in this article are not limited to individual consumers. At times, of course, the nature of the account holder is relevant and, at those points, this article will distinguish between the types of account holders. When a distinction is important, this article will refer to individual and small business account holders as "small account holders."
This article examines how an unauthorized transaction can be prevented and what this suggests about who should bear the loss of such a transaction. In doing so, this article looks at two moments at which an unauthorized payment transaction might be prevented: before the first unauthorized transaction, and after the first unauthorized transaction. An authorized transaction, of course, can be converted, while it is being executed, to an unauthorized one. The classic example is the check that is stolen after it is completed by the account holder by some third party who alters the payee or amount payable. But this article will focus only on the period before the first unauthorized transaction is executed and the period after it is executed.
As many commentators have pointed out, the rules involving payment systems show a wide range of divergent approaches. In the period before a transaction is executed, some payment systems take the possible negligence of an account holder into account in allocating losses for unauthorized payment transactions. The checking system is the classic case. In contrast, the Truth-in-Lending Act (TILA) and the Electronic Fund Transfer Act (EFTA) both ignore the negligence of an account holder prior to the unauthorized transaction.
Article 4A of the Uniform Commercial Code, dealing with wire transfers, adopts a third approach. It includes a strict liability standard for the account holder if the receiving bank has created a commercially reasonable security procedure pursuant to which the transaction is executed.
Professor Gillette focused on the discrepancy between Articles 3 and 4 on the one hand, and the TILA and the EFTA on the other, and concluded that, based on this discrepancy, "[t]he law of payments, therefore, contains a puzzle. Why should regulations that govern functionally equivalent payment devices--checks and cards-vary in both form and substance?” He analyzed three possible explanations: a public choice explanation, a historical explanation, and a third explanation that "identifies discrete differences in the characteristics of checks and cards, and examines whether those characteristics justify the differences in the form and substance of legal regulation.” Professor Gillette's conclusion was that "[e]ach of the proffered explanations - public choice, inertia, and selection of an optimal degree of precision - fails to provide a complete understanding of how the current system evolved.”
This article asks a question that is implied in Professor Gillette's earlier article but that is not directly addressed or answered. Given the discrepancy between the negligence concepts embedded in the checking system, the rejection of these concepts in the TILA and the EFTA (at least in the pre-unauthorized payment transaction context), and the strict liability approach of Article 4A, should we be considering the adoption of one of these approaches for all payment systems?
Subsequent to the unauthorized transaction, most payment systems (other than credit cards) rely upon the account holder reporting the unauthorized transaction to the financial institution at which the account is held. If the account holder acts promptly, the loss from the first and subsequent unauthorized transactions falls, either by operation of law or contract, upon the other system participants. Who bears the final loss as between these participants is also governed by a web of statutory and contract provisions. If the account holder delays, various levels of loss, depending upon the amount of delay, the type of loss, and the particular payment system, are allocated to the account holder. Finally, all payment systems in which small account holders normally participate (other than credit cards) have some version of a statement rule that either limits or cuts off any recovery of unauthorized losses after some extended period of time. And even the credit card system is beginning to acquire a version of the statement rule through case law.
As prior commentators on unauthorized payment transactions have thought about allocation of losses for unauthorized transactions, they have always come back to the concept that any loss-allocation rule should provide incentives to the party best able to prevent the unauthorized payment transaction at the lowest cost. "Where multiple parties (i.e., either customers or financial institutions) could take such precautions [against loss], regulations should, therefore, place the obligation on the party who can avoid the loss at the lowest cost.”
Professors Cooter and Rubin answer, based on the application of the three economic principles of loss spreading, loss reduction, and loss imposition, that "[w]hen an invalid instrument is paid ... the principles favor strict liability for the financial institution if it alone can reduce the loss. But if both parties can take precaution, and thus reduce the loss, the principles suggest strict and divided liability, with a relatively low limit on the consumer portion.” By "strict," Professors Cooter and Rubin meant that there should be no place for negligence principles in allocating losses. In their view, "the great majority of payment losses" should be strictly allocated between both consumers and financial institutions, not solely to financial institutions-an approach that they labeled “complex.”
Professor Mann, writing almost two decades after Professors Cooter and Rubin and almost one decade after Professor Gillette, has suggested that who bears the risk of unauthorized transactions "often should be resolved based on the nature of the underlying technology." In Professor Mann's view, losses are in fact imposed "almost complete[ly]" on system operators because of "an implicit premise that losses in technology-driven systems are most effectively reduced by technological and system-design initiatives that are exclusively within the control of the system operator.” He still saw a need to motivate the account holder to take precautions:
The premise of those rules [allocating losses to system operators] is that even a complete allocation of loss to the network operator will leave the consumer a sufficient incentive to attend to contract provisions that resolve the legal questions summarized above. That could be true because of the hassle of reversing unauthorized charges, because of doubts that financial institutions readily will fulfill their obligations in such a situation, or even because of ignorance of the legal protections for unauthorized transactions.
While Professor Mann's overall summary is true as to unauthorized transactions that could not be prevented by an account holder's due diligence in examining statements (with the notable exceptions of checks, presumably not one of the modern payment systems he is discussing, and Article 4A wire transfers), it is not true of unauthorized transactions that could be prevented by an account holder's paying attention to her account and its associated statements.
In addition, the different rules underlying checks and credit cards have allowed the courts to engage in some creative lawyering. Negligence has begun to migrate from the bank statement rule in Article 4 of the U.C.C. to the TILA, particularly in the Second Circuit.
This article examines five of the most common payment systems - checks, debit cards, ACH debits, wire transfers, and credit cards-and their general rules for allocating losses prior to and after execution of a payment transaction. The final section of this article considers recent developments in society and technology, notably the problems of Internet security and identity theft. This article asks whether the divergent approaches taken to the problem of unauthorized payment transactions should be unified. This article concludes by advocating, at least for small account holders, an approach based upon principles developed from the credit card system, even though these principles were not implicit in the minds of the drafters of the TILA.
The first step in the analysis is to briefly consider what the loss allocation rules are for each of the five payment systems for pre- and post-transaction activities. This discussion is not meant to be exhaustive, but rather to highlight the differences in approach between the different payment systems.
Suggested Citation: Suggested Citation