UCC HOT TOPICS: SECURED
LENDING AND PAYMENT SYSTEMS
Barkley Clark
Stinson Morrison Hecker LLP
2011 LBA Bank Counsel Conference
December 15, 2011
The Ritz Carlton, New Orleans
HOT TOPIC #1: OVERDRAFTS AND POSTING ORDER
Background of Recent Reform
*The growth of automated overdraft programs beginning in the late 1990s
*The related movement to high-to-low debit posting (particularly for big banks)
*The heavy use of vendors in this area
*Increasing number of overdrafts arising from debit cards and ATMs
*Use of a single bucket for debits on a given day
*A big boost to fee income
*2005 Joint Guidance of the bank regulators focuses on safety and soundness, legal risks,
and best practices
*2008 FDIC empirical study of automated overdraft programs identifies problems: the
$40 cup of coffee at Starbucks
Opt-In Amendments to Reg. E (2009)
*Numerous bills introduced in Congress, but never enacted:
*Requiring the consumer to "opt-in" to any program
*Requiring the bank to give advance "warning" on the ATM or POS screen
*Treating overdraft fees as finance charges subject to TILA
*Outlawing HTL debit posting
*Requiring that overdraft fees be "proportional" to the debits that trigger them
*Limiting the number of overdraft fees imposed on any one day
*FRB amends Reg. E to prohibit a bank from assessing an overdraft fee for paying ATM
or debit card transactions that overdraw a customer's account, unless the customer consents. (12
CFR § 205.17)
*Checks and ACH debits are excluded
*No limits on overdraft fees if the consumer has opted-in
*The surprisingly strong opt-in numbers show strong consumer interest in the
automated overdraft product
*Fee income probably cut by 35%, but still well over $20 billion nationwide
FDIC Guidance (2010)
*Effective July 1, 2011
*Applies to all banks for which the FDIC is the primary federal regulator
*Overdraft programs will be reviewed at each exam from now on
*The FDIC Guidance goes way beyond opt-in
*Requires board of director involvement
*Biggest compliance challenge: monitoring overdraft programs for "excessive or
chronic" customer use
*If customer overdraws his or her account more than six times where a fee is charged in a
rolling 12-month period, the bank is obligated to undertake "meaningful and effective" follow-up
action, including contacting the customer to discuss less costly alternatives
*Instituting "appropriate daily limits" on fees: norms used by banks today are 3-10
transactions per day or $100-$300 daily limit on fees
*Other compliance requirements include better disclosure of terms and conditions of
overdraft programs and greater consistency in a bank's application of waivers of overdraft fees
*The proposed OCC Guidance generally follows the lead of the FDIC
Posting Order
*The movement toward commingling checks and electronic transactions into a single
bucket, then posting everything HTL
*At first, the order of posting was considered a bank prerogative, protected by the UCC
(at least for checks), case law, and federal preemption
*In recent years, we have witnessed massive (and increasingly successful) attacks on
HTL posting as a deceptive practice
*In Gutierrez v. Wells Fargo Bank, N.A., 2010 WL 3155934, 730 F.Supp. 2d (N.D. Cal.
2010), a California federal district court hit Wells Fargo with a $203 million penalty for its HTL
posting of debit cards
*The multi-district class action litigation in Florida: In re Checking Account Overdraft
Litigation, 694 F. Supp.2d 1302, 71 UCC Rep.2d 431 (S.D. Fla. 2010)
*The new FDIC Guidance on overdrafts requires banks to "review check-clearing
procedures to ensure they operate in a manner that avoids maximizing customer overdrafts and
related fees through the clearing order."
*Examples of "appropriate" procedures include clearing items in the order received or by
check number
*With a stroke of the regulatory pen, the language seems to outlaw HTL debit posting
*The OCC appears to be following suit in its proposed Guidance for national banks,
where it includes as a "practice of concern" any "payment processing intended to maximize
overdrafts and related fees"
Will the New Consumer Financial Protection Bureau Have the Last Say?
[For more information, see newsletter story, p. 22]
HOT TOPIC #2: CORPORATE ACCOUNT TAKEOVER
How It Happens
*Hacker's use of malware to steal business customer's online credentials
*Leads to outgoing ACH or wire transfers
Who Bears the Loss under the UCC?
*Bank must refund any unauthorized payment order (UCC 4A-204)
*Exception: one-year reporting window (UCC 4A-505), with possibility of contractual
cutdown; Regatos v. North Fork Bank, 2005 WL 2664712, 57 UCC Rep. 2d 791 (N.Y.
2005)(contractual cutdown of the statutory one-year deadline not allowed)
*Exception: Use of "commercially reasonable security procedure" to verify authenticity
of payment order, and bank good faith (UCC 4A-203)
*Security procedure must be established by agreement
*Examples are algorithms, codes, passwords, encryption, callback procedures, etc.
*By itself, signature comparison is not a security procedure
*Commercial reasonableness is a question of law, based on customer wishes expressed to
bank; customer's circumstances known to bank such as expected size, type and frequency;
alternative offered to customer; and security procedures used by similarly situated parties
*Two conflicting judicial decisions: Compare Experi-Metal, Inc. v. Comerica Bank, 2011
WL 2433383, 74 UCC Rep. 2d 899 (E.D. Mich. 2011)(although bank's use of ID passwords
coupled with "secure token technology" was commercially reasonable dual-factor authentication,
bank was in "bad faith" by allowing out-of-pattern outgoing wires), with Patco Construction Co.,
Inc. v. People's United Bank d/b/a Ocean Bank, 2011 WL 2174507 (D. Maine 2011)(bank's two-
factor authentication process was commercially reasonable even though not perfect; no challenge
of bank's good faith).
Best Bank Practices (According to NACHA)
*Use multi-factor and multi-channel authentication
*Require payments to be initiated under dual control
*Enable out-of-bank confirmation of payment initiation or for certain types of payments
*Provide out-of-bank or "red flag" alerts
*Establish and monitor exposure limits
Best Customer Practices (According to NACHA)
*Initiate payments under dual control
*Use robust and up-to-date anti-virus and security software and other mechanisms
*Use a dedicated, non-networked computer to initiate payments
*Monitor and reconcile accounts on a daily basis
*Use routine and "red flag" reporting
*Banks must educate their customers
Updated FFIEC Guidance
*June 2011 Guidance supplements original 2005 Guidance
*Authentication is broad—not just at login, but also watch for out-of-pattern outgoing
payments
*Requires a system of layered security
*Requires periodic risk assessments and adjustments to authentication controls
*Recommends multi-factor authentication for business customers
*Emphasizes fraud detection/monitoring and evaluates certain authentication methods
*Exams to begin in January 2012
[For more information, see newsletter stories, pp. 29 and 36]
HOT TOPIC #3: CONSUMER ARBITRATION AGREEMENTS
A Plague of Consumer Class Actions Against Banks
*Examples include high-to-low debit posting, check-cashing fees, and failure to post
notice of fees on ATM machines as required by Reg. E
Recent Supreme Court Decision
*AT&T Mobility LLC v. Concepcion, 131 Sup. Ct. 1740 (2011), 2011 WL 1561956 (class
action waivers are enforceable under the Federal Arbitration Act, which preempts California's
judicial rule that such waivers are unconscionable as a matter of state contract law)
*Cell phone contracts promised that phones would be "without charge" for the two-year
term of the service agreement. However, AT&T charged $30.22 sales tax on the hardware. The
service agreement included a mandatory arbitration clause/class action waiver.
*Lower courts had found that the class action waiver was both "procedurally" and
"substantively" unconscionable under California contract law.
*Language, purpose and history of the FAA mandates federal preemption of California
contract law. Justice Scalia emphasizes that California's unconscionability rule interferes with
arbitration and thus conflicts with the FAA. Court blasts class arbitration as undercutting the
informality and smaller expense of arbitration.
*Strong language in the decision supporting the enforceability of form contracts in
consumer transactions.
*In most recent chapter of multi-district litigation in Florida dealing with high-to-low
debit posting, trial court finds unconscionability in addition to the class action waiver, thereby
sidestepping the Supreme Court decision. The court focuses on fee-shifting provision and banks'
right of setoff. The court rejects the renewed motions of BB&T, M&T, Regions and SunTrust to
compel arbitration. In re Checking Account Overdraft Litigation, __ Fed. 2d__, 2011 WL
4454913 (S.D. Fla. 2011).
*Federal Consumer Financial Protection Bureau will have the final say on consumer
arbitration clauses, based on the mandate of Section 1028 of Dodd-Frank.
[For more information, see newsletter story, p. 40]
HOT TOPIC #4: DOES YOUR DEPOSIT AGREEMENT INCLUDE THESE
IMPORTANT PROVISIONS?
Check Legends
*The deposit agreement should contain a provision that allows the bank to ignore
information on the check other than what is found in the MICR line.
*This should help the bank avoid liability in situations where the check contains a
legend such as "Not Valid if Drawn for More than $500". Such a check is not properly payable
under UCC 4-401, subject to freedom of contract under UCC 4-103.
Digital Deposits as "Items"
*Increasing significance of remote deposit capture
*Need to make it clear, by contract, that a digital image of a check sent to the
bank by its customer for deposit is considered an "item" under the UCC.
*Otherwise, it is open to question as to whether such a deposit would carry a
warranty protecting the bank against forged endorsements or material alterations.
No Sight Review of Drawer Signatures
*The deposit agreement should make it clear why the bank does not sight-review drawer
signatures.
*The use of amount thresholds
Attorney's Fees
Arbitration Clauses/Class Action Waivers
Cutdown of Reporting Deadlines, from one year under UCC 4-406 to 30 days, as authorized by
cases like Peak v. Tuscaloosa Commerce Bank, 707 So.2d 59, 36 UCC Rep.2d 1116 (La. Ct.
App. 1997).
Overdrafts and Posting Order: Need to make disclosures regarding automated overdraft
programs, in line with 2005 Interagency Joint Guidance and 2010 FDIC Guidance
Overdrafts in Joint Accounts: the deposit agreement should clarify that the bank can pursue
either joint account holder for an overdraft, even if one of them did not sign the check that
created the overdraft or otherwise benefitted from the payment. Contractual modification of
UCC 4-401.
Enhancing the Bank's Right of Charge-back by allowing the bank to exercise that right even
if the check has been returned after the payor bank's midnight deadline. In Lema v. Bank of
America, N.A., 826 A.2d 504, 50 UCC Rep. 2d 955 (Md. Ct. App. 2003), the court gave effect to
a contractual reversal of the rule found in UCC 4-214.
Consensual Security Interest
State-of-the-Art Defense
*In a significant decision from Minnesota, a company that had been offered a positive-
pay product by its bank but rejected the offer was liable when the bank later paid a big check
with an altered payee that would have been caught by a positive-pay fraud filter. Cincinnati Ins.
Co. v. Wachovia Bank, N.A., 2010 WL 2777478, 72 UCC Rep.2d 744 (D. Minn. 2010).
*The bank won the case because of language contained in the deposit agreement that
shifted the risk of fraud loss to the customer in such a situation.
HOT TOPIC #5: THE 2010 AMENDMENTS TO ARTICLE 9: FOUR
REASONS TO ADOPT ALTERNATIVE A FOR INDIVIDUAL DEBTOR
NAMES
Current Status of the 2010 Amendments
The Problem of Individual Debtor Names
*Amendment spurred by cases like Peoples Bank v. Bryan Brothers Cattle Co., 504 F.3d
549, 64 UCC Rep.2d 113 (5th Cir. 2004)(Fifth Circuit upholds a filer's use of debtor's nickname
(Louie Dickerson) rather than his legal name (Brooks L. Dickerson))
*In amendment to UCC 9-503, legislators have choice between Alternative A (the
debtor's name on a financing statement is sufficient "only if" it is the name reflected on the
debtor's driver's license) and Alternative B (the debtor's driver's license name is sufficient, i.e. a
"safe harbor" to protect against the trustee in bankruptcy, but other variations of the name may
also be sufficient)
Reason #1 to support Alternative A: It gives more certainty to filers and searchers. Banks
need certainty as to priority, not just perfection. A typical scenario
Reason #2: The only-if approach is consistent with the UCC rules governing entity debtors,
which have worked well over the years.
Reason #3: The drafters of the 2010 amendments have eliminated most of the problems that
raised concern about relying on a driver's license name
*No current driver's license
*Two driver's licenses
*Expired license
*The secured creditor will continue to have a second bite at the apple, i.e. the old name is
okay if it would be found by a search under the new name, using the filing office's standard
search logic
*Problems with filing office incompatibility because of character sets, field lengths, etc.
Reason #4: Those who deal with secured lending on a daily basis strongly support Alternative
A. The Texas experience. This is not a consumer protection issue, nor a big-bank v. small-bank
issue. The need for uniformity.
[For more information, see newsletter story, p. 45]
HOT TOPIC #6: NEW YORK BANKRUPTCY COURT UPHOLDS
SECURITY INTEREST IN FCC LICENSE
The FCC Prohibition Against Assignment of a Broadcast License
*The anti-assignment rule is codified at 47 U.S.C. § 310(d)
*The policy behind the rule: regulatory protection of the public airwaves
*What about a security interest in an FCC broadcast license, which would be a "general
intangible"?
The New York Case
*In re TerreStar Networks, Inc., 457 B.R. 254, 2011 WL 3654543 (Bankr. S.D.N.Y.
2011)
*Broad security agreement language:
[Such] security interest does not include at any time any FCC
license to the extent (but only to the extent) that at such time the
Collateral Agent may not validly possess a security interest
directly in the FCC License pursuant to applicable federal law,
including the Communications Act of 1934…but such security
interest does include at all times all proceeds of the FCC Licenses,
and the right to receive all monies, consideration and proceeds
derived or in connection with the sale, assignment, transfer, or
other disposition of the FCC licenses…
*Proper UCC filing
*Sprint, an unsecured creditor of the bankrupt licensee to the tune of $104 million,
challenges the noteholders' security interest in the FCC license.
*A perfected security interest exists in the "economic value" of the FCC license, even
though not in the license itself.
*The "public piece"/"private piece" distinction
*New York court rejects recent decision from Colorado, In re Tracy Broadcasting Corp.,
438 B.R. 323 (D. Colo. 2010)(since debtor didn't have rights in FCC license itself, it could not
grant an enforceable pre-petition security interest under UCC 9-203; because no lien could be
placed on the license itself, the security interest in the proceeds could only arise post-petition,
which violated Section 552 of the Bankruptcy Code).
*The Colorado decision is inconsistent with present FCC decisions on the point; these
decisions recognize the public/private distinction.
[For more information, see newsletter story, p. 48]
HOT TOPIC #7: WILL A SECURITY INTEREST IN A TAX REFUND
STAND UP IN BANKRUPTCY?
The Florida Case
*In re Tousa, Inc., 406 B.R. 421 (Bankr. S.D. Fla. 2009)
*Article 9 covers tax refunds as "general intangibles"
*Florida homebuilder paid $220 million in federal income taxes in "go and blow" 2005
and 2006. The bottom drops out in 2007, resulting in a net operating loss of $643 million.
Debtor files Chapter 11 on January 29, 2008. Biggest intangible asset of the estate is a $207
million tax refund for the net operating loss. Secured lenders, with two syndicated term loans
totaling $500 million, claim priority to the tax refund over the claims of unsecured creditors.
Lenders had properly filed a financing statement describing the collateral as "all general
intangibles, now owned or hereafter acquired by Debtor."
*The preference attack mounted by the unsecured creditors, based on the theory that the
debtor could not "acquire rights" in the tax refund for 2007 until the end of its 2007 taxable year,
which was December 31, 2007. Until that time, the debtor's right to the refund remained
contingent and the banks' security interest could not attach. Since December 21, 2007 was
within 90 days of the bankruptcy filing, the transfer was voidable as a preference under Section
547(e)(3) of the Bankruptcy Code (transfer can't occur until the debtor has "acquired rights in
the property transferred"). To the same effect is In re TMCI Electronics, 279 B.R. 552 (Bankr.
N.D. Calif. 1999).
*The Florida court bought the unsecured creditors' argument, though there is a good
argument to the contrary, based on the idea that, from the time the secured creditors filed their
financing statement against general intangibles, no lien creditor could have gained priority over
them. Moreover, in Segal v. Rochelle, 382 U.S. 375 (1966), the Supreme Court held that an
operating loss carryback refund claim constituted "property of the estate" as of the time of the
bankruptcy petition, even though the petition was filed before the end of the taxable year and the
debtor didn't yet have any right to the tax refund.
[For more information, see newsletter story, p. 52]
HOT TOPIC #8: ALABAMA COURT RULES THAT "TRAC"
EQUIPMENT LEASE IS NOT A DISGUISED SECURED TRANSACTION
Is the Transaction a "True Lease" or a Disguised Secured Transaction?
*The distinction is important because it determines whether the lessor has a duty to file a
UCC financing statement, and whether a debtor-in-possession can exercise cramdown against the
lessor.
*TRAC provisions in equipment leases: If the sale of the equipment to a third party at the
end of the lease term generates less than the estimated residual value of the equipment (as
determined at the inception of the lease), the lessee is required to pay the lessor the deficiency as
a "rental adjustment"; if the sale generates more than the estimated residual value, the lessor is
required to pay the surplus to the lessee.
*The recent Alabama case: In re HB Logistics, LLC, __ B.R. __, 2011 WL 4625198
(Bankr. N.D. Ala. 2011), where the court refuses to re-characterize an equipment lease as a
disguised security interest.
The Debtor's Argument
*The TRAC feature shifts all the economic risk and reward of "owning" the equipment
from the lessor to the lessee.
*Analogy to nominal purchase options under UCC 1-203
The Lessor's Argument
*The Alabama TRAC statute is controlling. That statute provides that, notwithstanding
any other provision of law, a transaction does not create a sale or security interest "merely
because the transaction provides that the rental price is permitted or required to be adjusted under
the agreement either upward or downward by reference to the amount realized upon sale or other
disposition of the motor vehicle."
*An earlier Alabama case rejects the argument that lessee "equity" justifies re-
characterization: Sharer v. Creative Leasing, Inc., 612 So.2d 1191, 21 UCC Rep.2d 865 (Ala.
1993)(transaction was a true lease because there was no nominal purchase option and because
the lessee's 'reward and risk' at the end of the lease term is not a form of "equity").
*A re-characterization is not required by the factors listed in UCC 1-203.
A Profusion of TRAC Statutes
*49 out of the 50 states now have TRAC statutes. Most of these statutes date from the
early 1990s.
*The Louisiana statute is found at LRS, § 9-3317. This statute, which dates from 1985,
does not seem to prohibit re-characterization in the same way the Alabama statute does. There
are apparently no cases construing the Louisiana statute.
[For more information, see newsletter story, p. 56]
HOT TOPIC #9: PREEMPTION
A Sampling of Recent Preemption Cases
*Baptista v. JP Morgan Chase Bank, N.A., 640 F.3d 1194, 2011 WL 1772657 (11th Cir.
2011) (Eleventh Circuit upholds check-cashing fee that is unlawful under Florida "par
settlement" law. Court relies primarily upon 12 CFR § 7.4002, which gives national banks great
latitude in charging customers for "non-interest charges and fees, including deposit account
service fees.") Contra: Gutierrez v. Wells Fargo Bank, N.A., 2010 WL 3155934 (N.D. Cal.
2010)(when it shifted from LTH to HTL posting, Wells Fargo didn't consider the four factors
listed in the OCC regulation).
*Aguayo v. U.S. Bank, 653 F.3d 912, 2011 WL 3250465 (9th Cir. 2011)(state laws
requiring special post-repo notice prior to a foreclosure sale are not preempted by OCC
regulations because "savings clause" found at 12 CFR § 7.4008(e) saves state law dealing with
"debt collection"). Contra: Epps v. JPMorgan Chase Bank N.A., 2010 WL 4809130 (D. Md.
2010)(special Maryland statute imposing post-repo notice requirement that goes beyond what is
required by Article 9 of the UCC is preempted by 12 CFR § 7.4008(d); this case is currently
before the Fourth Circuit, which should be ruling soon).
[For more information, see newsletter story, p. 61]
HOT TOPIC #10: NEGATIVE EQUITY
What is the Negative Equity Litigation All About?
*Negative equity in the setting of vehicle financing
*The fighting issue: Is negative equity a "purchase-money obligation" under Article 9?
*If it is not, that slice of the debt is subject to cramdown in a Chapter 13 bankruptcy
How the Courts Have Ruled Over the Last Five Years
*Eight courts of appeals have protected negative equity, while the Ninth Circuit recently
held that it was not a "purchase-money obligation", but unprotected "antecedent debt". The
Supreme Court denied review of the Ninth Circuit case, presumably on the ground that the issue
was one of state law (the UCC) rather than federal law. The First and Third Circuits have not yet
ruled on the issue.
*In the Fifth Circuit, negative equity is protected from cramdown: In re Dale, 582 F.3d
568 (5th Cir. 2009).
THE FOLLOWING MATERIALS CONSIST OF
STORIES FROM CLARKS' SECURED TRANSACTIONS
MONTHLY, AND CLARKS' BANK DEPOSITS AND
PAYMENTS MONTHLY, MONTHLY NEWSLETTERS
PUBLISHED BY A. S. PRATT AND REPRODUCED
HERE WITH THE PERMISSION OF THE PUBLISHER
OVERDRAFTS AND POSTING ORDER: WHERE ARE WE NOW
AND HOW DID WE GET THERE?
Over the past several years, this newsletter has reported on the enormous changes that have taken
place in the world of overdraft banking and the related issue of posting order. Now that the OCC
is poised to issue its final "Guidance" on these topics, it seems a good time to take stock. The
bottom line is that overdraft banking as a consumer financial product has been greatly curtailed,
fee income has been severely limited, and high-to-low posting seems dead.
The pre-2005 landscape. In the beginning, overdrafts were frowned upon, though they
were allowed on an ad hoc basis, within the discretion of a bank officer. Banks recognized that
overdrafts are a form of short-term unsecured credit. Often banks tried to steer their customers
to alternative products such as linked transfer accounts and formal lines of credit governed by
Truth in Lending.
Then, in the late 1990s, banks began to implement automated overdraft programs using
standardized procedures with an underwriting matrix to determine whether a particular overdraft
qualified for payment. In this way, bank officer discretion and ad hoc treatment were eliminated.
Automated overdraft programs emerged as a new financial services product. These initiatives
were often described as "overdraft protection" programs. This was an area where third-party
vendors were very active in offering software. With overdraft fees of $30 and higher, these
programs became a source of huge fee income.
At the same time, the movement from paper checks to electronic payments was
proceeding apace. Consumer use of debit cards and ATM machines was exploding. Banks began
to include in their automated programs not only overdrafts from paper check transactions, but
also overdrafts from point-of-sale debit card purchases and ATM withdrawals. From a consumer
protection perspective, overdraft fees began to emerge as a bigger problem because of the
disproportionate size of the fee compared with the size of the point-of-sale purchase. Anecdotes
began to circulate about $40 cups of coffee at Starbucks--$5 for the coffee and $35 for the debit
card overdraft fee.
One of the most important features of automated overdraft programs, particularly for
larger banks, was a movement to aggregate different types of debits (checks, ATM withdrawals,
debit cards, ACH and online transactions) into a single bucket on a daily basis, then order the
debits on a high-to-low basis. That shift in posting order had the effect of maximizing overdraft
fees because larger debits would put the account into an overdraft position earlier, though each
smaller overdraft would be subject to the same fee amount on an item-by-item basis.
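The effect of posting order on the fee count, as an added example that is not part of the original newsletter story. The opening balance, the debit list, the $35 per-item fee and the rule that fees are assessed only after the day's posting are assumptions made for illustration; `max_fees` is a hypothetical parameter modelling a daily cap on the number of fees.

```python
from decimal import Decimal

FEE = Decimal("35")  # assumed per-item overdraft fee (constructed value)

# Constructed sample day, listed in the order the bank received the items.
OPENING_BALANCE = Decimal("500")
DEBITS = [
    ("debit card", Decimal("20")),
    ("check (rent)", Decimal("450")),
    ("debit card (coffee)", Decimal("5")),
    ("check", Decimal("66")),
    ("ATM", Decimal("60")),
]

# The three posting orders being compared, applied to one commingled bucket.
ORDERINGS = {
    "as_received": lambda items: list(items),
    "low_to_high": lambda items: sorted(items, key=lambda d: d[1]),
    "high_to_low": lambda items: sorted(items, key=lambda d: d[1], reverse=True),
}


def post_day(opening, debits, order, fee=FEE, max_fees=None):
    """Post one day's bucket of debits; return (fee_count, total_fees, fee_items).

    Assumptions: the automated program pays every item, one fee attaches to
    each item that posts while the balance is below zero, and fees are
    assessed after posting so they do not themselves trigger further fees.
    """
    balance = opening
    fee_items = []
    for label, amount in ORDERINGS[order](debits):
        balance -= amount
        capped = max_fees is not None and len(fee_items) >= max_fees
        if balance < 0 and not capped:
            fee_items.append(label)
    return len(fee_items), fee * len(fee_items), fee_items


def compare(opening=OPENING_BALANCE, debits=DEBITS, max_fees=None):
    """Fee count and fee total for each posting order on the same debits."""
    return {
        name: post_day(opening, debits, name, max_fees=max_fees)[:2]
        for name in ORDERINGS
    }


if __name__ == "__main__":
    for name, (count, total) in compare().items():
        print(f"{name:12s} fees={count} total=${total}")
    capped = compare(max_fees=3)["high_to_low"]
    print(f"high_to_low with a 3-fee daily cap: fees={capped[0]} total=${capped[1]}")
```

The same $601 of debits against a $500 balance produces one fee posted low-to-high, two in the order received, and four posted high-to-low, because the large rent check posts first and every smaller item after it then posts against a depleted or negative balance.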
The 2005 Joint Guidance on overdraft protection programs. The first regulatory
entry onto the automated overdraft scene occurred in 2005, when the bank regulators issued a
"Joint Guidance" on these programs. 70 Fed. Reg. 9127-9132 (2/24/05). The regulators noted
that the programs usually contain the following features: (1) bank promotion of the service; (2)
an aggregate dollar limit of $100 to $500; (3) automatic coverage for consumers who meet the
bank's criteria; and (4) little underwriting, other than whether the account has been open for a
minimum time and whether deposits are made regularly to the account. The regulators voiced
concern that the programs encourage consumers to overdraw their account and fail to disclose all
the terms and conditions of the service.
The 2005 Joint Guidance recognizes that overdrafts are a form of unsecured credit and
thus present safety and soundness concerns. The regulators urged that depository institutions
incorporate "prudent risk management practices" such as suspending the service when the
consumer no longer meets the eligibility criteria, e.g. by filing bankruptcy or defaulting on
another loan to the bank. Overdraft balances should generally be charged off no later than 60
days from the date of the first overdraft.
The regulators also noted various compliance risks, including state usury laws, deceptive
trade practice laws, the FTC Act on deceptive advertising, and Truth in Lending for disclosure.
(The Joint Guidance did not, however, suggest a change in Reg. Z, which excludes overdrafts
from the definition of "finance charges" subject to APR disclosures. 12 CFR § 226.4(c)(3)). The
regulators did stress that the Equal Credit Opportunity Act applies to overdraft protection
programs, as does Reg. E with respect to ATM withdrawals and POS debit card transactions.
Finally, the 2005 Joint Guidance listed a number of "best practices" in administering
overdraft protection programs:
*Avoid promoting poor account management
*Fairly represent the program and alternatives
*Train staff to explain program features
*Clearly explain bank discretion in refusing to pay an overdraft
*Distinguish overdraft protection services from "free" account services
*Clearly disclose program fees
*Clarify that fees count against the disclosed overdraft limits
*Disclose how multiple fees may be charged
*Explain the impact of transaction-clearing policies such as high-to-low debit posting
*Allow customer opt-out of the service
*Alert the consumer before a transaction generates a fee, particularly at point-of-sale
*Prominently distinguish balances from overdraft protection funds availability
*Promptly notify the consumer of each program usage
*Consider daily limits on overdraft fees
*Monitor program usage
Banks should review their compliance with these "best practices", even today.
The 2008 FDIC empirical study. In November 2008, the FDIC released an empirical
study of overdraft protection programs. Looking at the 2008 study from the perspective of 2011,
it is clear that it had a big impact in bringing about more stringent regulatory limits on these
programs. The data suggested to the FDIC that a "significant share" of consumer transaction
accounts were now operating under automated overdraft programs, though the penetration was
higher for larger banks than community banks. Almost 70 percent of banks initiated their
programs after 2001. More than 75 percent of banks automatically enrolled their customers into
an automated overdraft program, though consumers usually had a right to opt-out. The study
showed that a large majority of banks allowed overdrafts to take place at ATM machines and
point-of-sale, although most banks notified their customers of the overdraft (and fee) only after
the transaction had been completed.
The FDIC study also showed that 54 percent of large banks and 25 percent of all banks
batch-processed all types of debits in a single bucket and sorted them high-to-low. More than
half the banks with automated overdraft programs reported that they relied on a third-party
vendor to implement or manage the program; small banks were more likely to use a vendor.
Most banks using vendors reported that the vendor was paid a percentage of the additional fees
generated by the program. Consumer complaints about the programs were received by 12.5% of
banks that operated them.
The FDIC also reported that overdraft fees were generated disproportionately from a
small percentage of recurrent users. Customers in low-income areas were more likely to incur
overdraft fees. Overdrafts triggered by use of a debit card were more frequent (41%) than those
triggered by check (30.2%) or ATM withdrawal (7.8%). Debit card overdrafts were not only the
most frequent, but also the smallest in individual amount, with a median dollar value of $20,
compared with ATM ($60) and checks ($66). To consumer advocates and bank regulators, these
numbers were revealing.
The FDIC study also raised the specter of overdraft fees being treated as finance charges
subject to Truth in Lending. The FDIC gave an example of a $27 overdraft fee (the survey
median at the time). If the fee was generated by a $60 ATM withdrawal that was repaid within
two weeks, the APR on the transaction would be a whopping 1,173%. In spite of the FDIC's
highlighting of the issue, the Federal Reserve Board has never moved to amend Reg. Z to treat
overdraft fees as finance charges. Instead, Reg. DD (Truth in Savings) was amended to require
financial institutions to disclose aggregate overdraft fees on consumer periodic statements,
whether or not the institution advertises its program. Consumer advocates consider this an
example of regulation lite.
Bills introduced in Congress. Beginning in 2005, bills were introduced in Congress
every year that would regulate overdraft programs in a variety of ways by:
*Requiring the consumer to "opt in" to any program
*Requiring the bank to give an advance "overdraft warning" on the ATM or POS screen
*Treating overdraft fees as finance charges subject to TILA
*Outlawing high-to-low debit posting
*Requiring that overdraft fees be "proportional" to the debits that cause them
*Limiting the number of overdraft fees that could be charged in any one day
None of these bills was ever enacted. Instead, Congress focused on the lending side of the bank
ledger, enacting the Credit Card Act of 2009. Still, the bills that were repeatedly introduced in
Congress regarding overdraft banking clearly served as a catalyst to the bank regulators,
beginning in 2009.
The 2009 opt-in amendments to Reg. E. In November 2009, the Fed amended Reg. E
to prohibit a financial institution from assessing an overdraft fee for paying ATM or debit card
transactions that overdraw a consumer's account, unless the consumer affirmatively consents to
the overdrafts. 12 CFR § 205.17. This new rule was in sharp contrast to the Fed's earlier
position supporting a consumer opt-out approach. Compliance with the new opt-in rule became
mandatory on July 1, 2010. The new regulation does not impose any limits on overdraft fees if
the consumer has opted in.
Prior to the compliance deadline of July 1, 2010, pundits everywhere predicted that an
overwhelming majority of consumers would refuse to opt in to automated overdraft programs.
These predictions were based on the high costs to consumers of multiple overdraft fees (at an
average of $33 apiece), coupled with horror anecdotes such as the $40 cup of coffee at
Starbucks. Some banks, like Bank of America, opted out of overdraft programs altogether.
Many banks assumed that a sharp reduction in overdraft fee income would have to be
compensated for by imposing some other types of fees or eliminating products such as "free
checking."
But these dire predictions have not panned out. The American Banker reported on
September 30, 2010 that new empirical studies indicate a "surprisingly strong opt-in for
overdraft protection." Apparently both the banking industry and consumer advocates
underestimated consumer demand for overdraft protection products, in spite of the fees.
Empirical studies described in the American Banker article indicate that between 60% and 80%
of consumers (including nearly all "frequent overdrafters" with ten or more overdrafts per year)
have chosen to opt in. One report predicts that overdraft revenue for 2010 will come in at $35.4
billion, only $2 billion below its 2009 peak, and that 2011 income will reach a new high for the
industry. Apparently most consumers would rather pay the fees than be rebuffed at the store
counter. In short, the Fed could have dealt with the overdraft fee issue more harshly, but instead
they used a "disclosure/consent" model that turned out to be quite effective.
The 2010 FDIC "Guidance": a heavier regulatory hand. The FDIC's new Guidance
on Automated Overdraft Payment Programs, published on November 24, 2010 and effective on
July 1, 2011, takes a much more restrictive approach to overdraft protection programs than the
FRB. It seeks to remedy some of the problems it identified in its 2008 study. The Guidance
only applies to depository institutions for which the FDIC is the primary federal regulator. From
now on, overdraft programs will be reviewed for compliance at each examination. The key
features of the FDIC Guidance are as follows:
*Monitoring for excessive overdrafts and following up with customers. The FDIC
"expects" its supervised institutions to monitor overdraft protection programs "for excessive or
chronic customer use". If a customer overdrafts his or her account on more than six occasions in
a rolling 12-month period, the bank must contact the customer to discuss less expensive
alternatives. This type of intense monitoring of customers is viewed by community banks as
their biggest compliance challenge.
*Caps on overdraft fees. The FDIC Guidance does not put a specific cap on overdraft
fees such as $20, but it takes a giant step beyond the FRB approach by requiring banks to
"institute appropriate daily limits on customer costs by, for example, limiting the number of
transactions that will be subject to a fee or providing a dollar limit on the total fees that will be
imposed per day." In addition, covered banks must "consider eliminating overdraft fees for
transactions that overdraw an account by a de minimus amount." And in a rule parallel to what
now exists for credit cards, overdraft fees should be "reasonable and proportional" to the amount
of the overdraft.
*Elimination of high-to-low posting. The FDIC Guidance requires banks to "review
check-clearing procedures to ensure they operate in a manner that avoids maximizing customer
overdrafts and related fees through the clearing order. Examples of appropriate procedures
include clearing items in the order received or by check number." With a stroke of the
regulatory pen, the FDIC appears to have outlawed the practice of high-to-low debit posting—a
position that the Fed considered and rejected in 2009. Although the Guidance only refers to
check posting, it is hard to see why it wouldn't also extend to the posting of all overdrafts,
regardless of the method of accessing the account. The Guidance clearly rejects judicial
decisions that okay high-to-low posting so long as the practice and its consequences are clearly
disclosed to the consumer. Hassler v. Sovereign Bank, 374 Fed. Appx. 341, 2010 WL 893134
(3d Cir. 2010). It is also a far cry from the disclosure approach taken by the regulators in their
2005 Guidance.
*Board of directors involvement. The Guidance requires bank boards of directors to
exercise oversight of the features of the bank's overdraft protection program.
*Improved transparency. The Guidance requires that banks review their marketing,
disclosure and implementation of automated overdraft programs to "minimize consumer
confusion". In a related rule that reflects recent amendments to Reg. DD, banks must
"prominently distinguish account balances from any available overdraft coverage amounts."
*Alerting customers to the risk of overdraft fees. The FDIC Guidance requires that banks
"consider employing cost effective, existing technology, as appropriate (e.g., text message,
email, telephone or cell phone) to alert customers when their account balance is at risk of
generating fee for nonsufficient funds."
The 2011 Proposed OCC Guidance. On June 8, 2011, the OCC proposed its own
Guidance for national banks on overdraft protection programs. 76 Fed. Reg. 33409-33413. The
comment period closed on July 2, 2011. In general these guidelines parallel those established
earlier by the FDIC. Insofar as it levels the playing field, this development should please
community banks. The Proposed Guidance starts off by noting that the landscape has changed
substantially since publication of the Joint Guidance in 2005. New operational and credit risks
have surfaced. In particular, the OCC is concerned about several practices that have developed
since 2005:
*Excessive reliance on fee income from overdraft protection programs
*Failure to impose responsible limits on customer costs
*Imposition of fees that cumulatively exceed a customer's overdraft credit limit
*Failure to assess a customer's ability to manage and repay
*Failure to monitor overdraft protection usage to identify excessive usage and credit
risks, and to take steps to address credit risks
*Failure to charge off overdrafts in a timely manner
*Failure to ensure adequate risk management of overdraft programs, with appropriate
internal audits and compliance reviews
*Failure to monitor and control promotional and sales practices for potentially misleading
statements
*Use of payment processing intended to maximize overdrafts and related fees
In order to address these concerns, the OCC emphasizes that consumers need better
disclosures to make an informed choice about the product's costs, risks and limitations. National
banks should establish "prudent programmatic limitations on the amount of credit that may be
extended under an overdraft protection program, the number of overdrafts and the total amount
of fees that may be imposed per day and per month, and any transaction amount below which an
overdraft fee will not be imposed. These limitations should be established taking into account
general ability to repay and safety and soundness considerations and the order in which the bank
process transactions. These limitations should be clearly disclosed to customers at the time the
product is offered."
Perhaps most important, the OCC pretty much mirrors the FDIC in outlawing high-to-
low debit posting: "The order in which transactions will be processed also should be subject to
standards to ensure that transaction processing is not solely designed or generally operated to
maximize overdraft fee income. For example, such standards may provide for processing
individual or batched items in the order received, by check or serial number sequence, or in
random order."
The OCC requires that accounts be subject to "monitoring and segmentation by customer
usage to detect indications of excessive overdrafts (and related overdraft protection fees) and/or
potential changes to repayment capacity with respect to the overdraft product." Each account
should be monitored to determine whether the account has exceeded the daily and monthly
maximum number of overdraft transactions and fees, and whether the customer "is exhibiting
excessive usage of other credit products connected to the account." If red flags are flying, the
bank must determine whether the account is still viable, or whether credit and aggregate fee
limits need to be reduced. The customer should also be notified of alternatives to overdraft
protection such as linked accounts or other lines of credit. If the account continues to
demonstrate excessive overdrafts, overdraft privileges should be terminated and, if appropriate,
the account should be closed. Like the FDIC, the OCC establishes a 60-day charge-off period.
Unlike the FDIC, the OCC does not offer a definition of "excessive overdrafts", nor does it
mandate direct contact with customers who exhibit excessive use.
Regarding management oversight, the OCC Proposed Guidance states:
Bank management should receive regular reports on overdraft
volume, profitability, and credit performance. These reports
should segment accounts by level of overdrafts to identify
excessive overdraft protection usage. Management should also
receive reports that describe the status and outcome of internal
reviews and evaluations of accounts identified as demonstrating
excessive usage.
Some final thoughts.
*As we have seen, times have changed dramatically for overdraft banking since 2005.
The Joint Guidance published by the bank regulators that year set the stage by identifying
overdraft protection as a separate consumer financial services product, noting the rapid growth of
the product, and establishing regulatory norms through a list of "best practices". By quantifying
elements of the product and its use, the 2008 FDIC study subjected it to greater scrutiny. In
2009, the opt-in amendment to Reg. E imposed the first real substantive limit on overdraft
protection; the strength of the consumer opt-in made it clear that the product is favored by a large
number of bank customers. But a down economy and anti-bank sentiment were forces pushing
for greater regulation of the product. The 2010 FDIC Guidance, coupled with the 2011 OCC
Proposed Guidance, imposes a number of new limits that will apply from here on. It seems likely
that the product will continue to exist, but not as the fee generator it once was.
*The regulatory history of overdraft protection over the last six years reflects substantial
interplay among the FDIC, the Federal Reserve Board, the OCC, and Congress. We suspect that
the new Consumer Financial Protection Bureau may ultimately weigh in with uniform rules for
all providers of the product.
*During the last decade, one of the most important elements of overdraft protection has
been the posting of debits on a high-to-low basis. This practice has generated substantial
litigation around the country, some of which is ongoing. The new Guidance of the FDIC and the
OCC appears to outlaw the practice, though the impact on current litigation is still uncertain. We
suspect that in five years automated overdraft programs will continue, but there will be few
banks that post high-to-low.
TWO CONFLICTING JUDICIAL DECISIONS COME DOWN ON
HACKER THEFT OF CUSTOMER'S ONLINE CREDENTIALS
Within the last few weeks, courts in Michigan and Maine have delivered significant decisions
regarding bank liability for unauthorized withdrawal of funds from a corporate deposit account
after a hacker has gotten access to the on-line credentials of its customer.
In the Michigan decision, the court rendered a final judgment that the bank was liable for
the unauthorized withdrawals because it had acted in "bad faith". In the Maine decision, by
contrast, the court threw the fraud loss on the customer based on the fact that the customer had
agreed to a commercially reasonable security procedure used by the bank, even though that
procedure did not catch the fraud. In both cases, the court relied on Article 4A of the UCC as the
governing law. It is hard to reconcile the two cases.
THE MICHIGAN CASE. In Experi-Metal, Inc. v. Comerica Bank, 2011 WL 2433383
(E.D. Mich. 6/13/11), the customer entered into a Treasury Management agreement to use the
bank's "NetVision" Internet banking service. The authorized users of the service were its
president, Valiena Allison, and its controller, Keith Maslowski. In 2008, the bank notified its
Treasury Management customers that it was deploying a "secure token technology" as its
security procedure to protect customers from hacker theft of their online banking credentials.
Under the new program, each authorized user accessed the bank's website by (1) entering his or
her ID and PIN and (2) using a six-digit code from a secure token. The code displayed on the
token was a randomly generated number that changed every 60 seconds.
On January 22, 2009, Mr. Maslowski was authorized to initiate wire transfers on behalf
of Experi-Metal via the upgraded NetVision program. On that date, Maslowski received a
"phishing" email, purportedly from Comerica, targeting the bank's customers. He clicked on the
link in the phishing email and was directed to a webpage where he was asked to enter his user
information. He entered his and his company's confidential Customer ID and password, and
utilized the token, not realizing that he was giving the fraudster the online key to his company's
deposit account. He had been hooked and caught in the fraudster's net. Over the next several
hours, the fraudster initiated a large number of wire transfers from the company's "sweep"
account, totaling more than $1.9 million. The beneficiaries of these wires were located in Russia,
Estonia, Scotland, Finland, and China. The bank was able to retrieve most of these funds by
reversing the payment orders, but $560,000 was never recovered. When Experi-Metal sought
recovery of the stolen funds, the bank declined. Unhappy with this response, the company sued
the bank.
UCC Article 4A governs the case. Because it was unauthorized wire transfers that
caused the customer's loss, both parties and the Michigan court agreed that Article 4A of the
UCC was the governing law. UCC 4A-202 provides that outgoing wires are effective as the
payment orders of the customer, even though the customer didn't authorize them, if (1) the bank
and the customer agreed that the authenticity of payment orders would be verified pursuant to
a security procedure, (2) the security procedure is "commercially reasonable", and (3) the bank
proves that it accepted the payment orders in good faith and in compliance with the security
procedure.
The court noted that, even if these three conditions are satisfied, the risk of loss may shift
to the bank if the fraudster did not obtain the confidential information from the customer or the
customer's agent, i.e. the fraudster was a bank insider. UCC 4A-203. In the present case, there
was no dispute that the fraudster obtained the confidential online credentials from Maslowski, an
employee of the customer. Therefore, the "insider" rule couldn't be used against the bank.
At an earlier stage of the litigation, the Michigan court concluded that the security
procedure used by the bank for outgoing wires was "commercially reasonable" as a matter of
law. By signing the Treasury Management documents, Experi-Metal had agreed that the token
technology employed by Comerica beginning in 2008 was commercially reasonable. Moreover,
though the Michigan court never mentioned the point, the use of ID/passwords plus secure
tokens is what the bank regulators call "dual-factor authentication." In its 2005 Guidance
entitled "Authentication in an Internet Banking Environment", the Federal Financial Institutions
Examination Council (FFIEC) warns banks against using single-factor identification (e.g.
ID/passwords alone). The clear implication of the FFIEC Guidance is that dual-factor
authentication (e.g. ID/passwords plus secure tokens) is commercially reasonable for purposes
of loss allocation under Article 4A, at least in most cases.
Court finds that Comerica acted in bad faith. After ruling that Comerica had used a
commercially reasonable security procedure, the Michigan court did an abrupt about-face. In its
June 13, 2011 opinion following a bench trial, the court concluded that the bank had failed to
meet its burden of proving, under UCC 4A-202, that "it accepted the payment orders in good
faith." The court noted that the term "good faith" is defined as "honesty in fact and the
observance of reasonable commercial standards of fair dealing." UCC 1-201, 3-103 (emphasis
added). The "honesty in fact" prong of the definition is subjective—pure heart, empty head—
and there was no suggestion in the record that Comerica's employees acted dishonestly in
accepting the fraudulent wire transfers. The key issue was whether they acted in "observance of
reasonable standards of fair dealing."
Relying on a Maine supreme court decision (Maine Family Federal Credit Union v. Sun
Life Assurance Co. of Canada, 727 A.2d 335, 37 UCC Rep.2d 875 (Maine 1999)), the Michigan
court ruled that the "fair dealing" test was "objective". It then concluded as follows:
There are a number of considerations relevant to whether
Comerica acted in good faith with respect to this incident: the
volume and frequency of the payment orders and the book
transfers that enabled the criminal to fund those orders; the $5
million overdraft created by those book transfers in what is
regularly a zero balance account; Experi-Metal's limited prior wire
activity; the destinations and beneficiaries of the funds; and
Comerica's knowledge of prior and current phishing attempts.
This trier of fact is inclined to find that a bank dealing fairly with
its customer under these circumstances would have detected and/or
stopped the fraudulent wire activity earlier. Comerica fails to
present evidence from which this court can find otherwise.
Therefore, because it failed to prove that it acted in "good faith" on the morning of January 22,
2009, and because contributory negligence is not relevant, the entire loss fell on Comerica.
Critique of the Michigan decision. We think the Michigan court unduly "objectified"
the good faith standard under the UCC. The court cited the Official Comment to UCC 1-201:
Although fair dealing is a broad term that must be defined in
context, it is clear that it is concerned with the fairness of conduct
rather than the care with which an act is performed. Failure to
exercise ordinary care in conducting a transaction is an entirely
different concept than failure to deal fairly in conducting the
transaction.
Yet the court seems to be ignoring this Comment by listing factors that go to the bank's failure to
exercise ordinary care in conducting a series of transactions on the morning of January 22, not to
the "unfairness" of acts performed by the bank on that morning. By slapping an "unfair" label
on conduct that appears at most to be negligent, the Michigan court is expanding the term "bad
faith" beyond what the drafters of the UCC intended.
A bank is not dealing with its customer in an "unfair" manner just because it is negligent.
The Michigan court seems to be drawing a distinction between the commercial reasonableness of
Comerica's security procedure in general, and the commercial unreasonableness of the way it
handled the wire transfers at issue on the morning of January 22. Yet the UCC definition of
"good faith" does not draw such a distinction. The court also seems to be saying that it was
"unfair" for the bank to ignore various red flags on the morning of January 22, but there was no
showing that the bank was doing so in an "unfair" manner, e.g. by taking advantage of, or
discriminating against, its customer.
Finally, the Maine supreme court decision on which the Michigan court relied has been
sharply criticized. In that case, the court held that a credit union acted in "bad faith" when it
gave its customer immediate availability on three checks totaling $120,000 instead of clamping a
hold on the account, as it could have done under Reg. CC. It made no difference to the court that
the Reg. CC rules on funds availability don't forbid banks from giving quicker availability for the
benefit of their customer. It is very hard to see the "unfairness" of such a policy, yet the Maine
supreme court allowed a jury to find that the bank acted in "bad faith" so that it could not attain
holder in due course status on the three checks. The Maine case, like the Michigan case, is
simply wrong in the way it distorts the meaning of "bad faith" in the UCC.
THE MAINE CASE. In sharp contrast to the Michigan case, the court in a recent
corporate takeover decision from Maine never got into the issue of bank bad faith because the
corporate customer who had gotten scammed by a fraudulent phisherman never even made that
argument. In Patco Construction Co., Inc. v. People's United Bank d/b/a Ocean Bank, 2011 WL
2174507 (D. Maine 5/27/11), the bottom-line issue was whether the bank's security procedure
was commercially reasonable under Article 4A. The customer, Patco, was a family-owned
business that constructed buildings. Ocean Bank permitted its commercial customers to make
electronic fund transfers via online banking, referred to as "eBanking". The transfers could be
handled by ACH (for payroll payments) or by wires. These transactions were always initiated
from one of several computers housed at Patco's offices in Sanford, Maine.
In 2004, Ocean Bank began using Jack Henry & Associates to provide its core online
banking platform, known as "NetTeller." Jack Henry provides security for the systems it sells,
including software patches, firewalls, anti-virus and other security measures. These security
systems are regularly audited by federal authorities for compliance with regulatory mandates. In
2005, when the bank regulators (FFIEC) published their Guidance entitled "Authentication in an
Internet Banking Environment", Jack Henry quickly moved to comply with the new guidelines,
particularly the emphasis on dual-factor authentication. Jack Henry marketed its multi-factor
program to its customers as "the most robust and effective solution available" in 2006. Jack
Henry made two multi-factor authentication products available to its customers to meet the
FFIEC guidance: (1) a "Basic" package and (2) a "Premium" package.
With both the Basic and Premium products, when a customer logged into online banking,
it entered a company ID and password and then an ID and password specific to each user. In
addition to the IDs and passwords, the Premium product included development of a customer
risk profile, challenge/response questions, invisible "device cookie" authentication, user-selected
picture, IT Geo location, transaction monitoring, scoring engine for transactions, eFraud
Network subscription, and reporting. The Premium product also permitted banks to set a dollar
threshold amount above which a transaction would trigger the challenge questions even if the
user ID, password, and device cookie were all valid. Though it cost more than the Basic
package, Ocean Bank signed on to the Premium package. The court reviewed all the evidence
and concluded that the parties had agreed to the Premium package, and that Patco had never,
prior to the phishing episode, voiced any concern about its various elements.
Patco sets a $1 threshold for challenge questions. Jack Henry allowed its customers to
modify the threshold dollar amount that would trigger three challenge questions. Originally
Ocean Bank set the threshold at $100,000 to ensure that its customers were not inconvenienced
by frequent prompts for challenge questions. In June 2008, Ocean Bank intentionally lowered
the threshold from $100,000 to one dollar. After that, Patco was prompted to answer challenge
questions every time it initiated an ACH transaction.
The bank contended that lowering the threshold increased the security of online banking
for customers because it added a layer of security every time a customer initiated an ACH debit
or wire transfer. In response, Patco contended that setting challenge questions to be asked on
every transaction greatly increases the risk that a fraudster equipped with a keylogger will be able
to compromise the answers because it increases the frequency with which such information
enters through a user's keyboard.
The 2009 phishing episode. Beginning May 7, 2009 and ending on May 13, a series of
unauthorized withdrawals was made from Patco's deposit account by unknown third parties.
The bank authenticated these transfers with Patco's company ID and password and the Patco
employee's proper credentials, including her ID and password, and answers to challenge
questions. Whoever initiated the transaction submitted correct IDs, passwords, and answers to
the three challenge questions. The withdrawals totaled $588,851; of this amount, the bank was
able to block $243,406 of the transfers.
The transfers were directed to the accounts of numerous individuals, none of whom had
ever been sent money by Patco. The fraudsters logged in from a device unrecognized by the
bank's system, and from an IP address that Patco had never before used. The risk-scoring engine
generated a very high risk score for these transactions, and they were in amounts higher than Patco
had ever made, but the bank still batched and processed the transactions as usual. Some of the
transfers were returned to the bank because the beneficiary's account number was invalid. These
return notices were sent to the home of Mark Patterson, one of Patco's principals, via U.S. mail.
After receiving the first notice, Patco called the bank to inform it that the transactions were not
authorized. Patco did not monitor its eBanking accounts on a daily basis. When the bank
refused to recredit its customer's deposit account, Patco sued.
The bank's security procedure was commercially reasonable. After reviewing all the
evidence, the Maine court concluded that Ocean Bank's security procedure was commercially
reasonable, so that it wasn't required to recredit its customer's account. Patco argued strenuously
that setting the dollar threshold at one dollar effectively meant that the bank didn't really
employ a "two-factor" authentication process, as mandated by the FFIEC. Instead of enhancing
security, the nominal threshold undermined the effectiveness of the challenge questions as a
security procedure because the frequent asking of such questions increased the risk that a
fraudster using "keylogger" malicious software could intercept answers to such questions. The
court rejected this argument on the ground that Jack Henry permitted its bank customers to adjust
the threshold to any level, including as low as one dollar. Moreover, even if the threshold had
been set at $1000, or $16,000, Patco would still have been prompted on most of its ACH
transfers to answer challenge questions. Patco never presented evidence that comparable banks
were aware in May 2009 that setting low thresholds increased the opportunity for keylogging
malware fraud.
Other relevant factors. In ruling that the bank had a commercially reasonable security
procedure in place when the phishing episode occurred in May 2009, the court considered a
number of other factors:
*Security options not implemented. Although Ocean Bank did not use one-time
passwords (secure "tokens") as an element of its security procedure, the court noted that a
token-based solution was not available from Jack Henry until January 2009. By May, only 2 percent of
Jack Henry's customers offered tokens to some or all of their customers, and even today only 25
percent use tokens. In 2009, banks that were using tokens were still experiencing ACH fraud,
primarily due to security weaknesses on the customer's personal computer; as a result, fraudsters
were able to compromise a token within seconds of a user entering the token into the bank's web
page. In short, tokens weren't required to make a system "commercially reasonable."
*No manual review of out-of-pattern transactions. Perhaps most important, the bank did
not monitor the risk-scoring reports received as part of the Premium Product package, nor did the
bank conduct any manual review of transactions that generated high-risk scores, such as occurred
in the May 2009 phishing episode. The bank could have done this through its transaction-
profiling and risk-scoring system, but didn't. Nor did the bank call a customer if it detected
fraudulent activity. Later in 2009 the bank introduced a new policy of calling the customer if its
automated systems detected out-of-pattern transactions. The Maine court concluded that this
omission did not make the whole system commercially unreasonable.
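The gap the court describes, valid credentials releasing payment even when the risk engine flags the order, can be made concrete with a release rule of the kind the bank adopted later in 2009. The Python below is an added illustration, not Jack Henry's product or Ocean Bank's system; the field names, thresholds and sample orders are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds for this example; none comes from the case record.
SCORE_HOLD_THRESHOLD = 700             # vendor risk score, assumed 0-1000 scale
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3                     # earlier orders in the window that make a burst
FLAGS_TO_HOLD = 2                      # independent red flags needed to hold an order


@dataclass
class Profile:
    """What the bank has previously seen from this customer (hypothetical fields)."""
    known_devices: set
    known_ips: set
    known_beneficiaries: set
    max_prior_amount: float


@dataclass
class Order:
    when: datetime
    amount: float
    device: str
    ip: str
    beneficiary: str
    credentials_ok: bool   # IDs, passwords and challenge answers all matched
    risk_score: int


def red_flags(order, profile, earlier):
    """List the out-of-pattern signals for one order.

    `earlier` holds the orders already submitted on the account, held or not.
    """
    flags = []
    if order.device not in profile.known_devices:
        flags.append("unrecognized_device")
    if order.ip not in profile.known_ips:
        flags.append("new_ip")
    if order.beneficiary not in profile.known_beneficiaries:
        flags.append("new_beneficiary")
    if order.amount > profile.max_prior_amount:
        flags.append("amount_above_history")
    if order.risk_score >= SCORE_HOLD_THRESHOLD:
        flags.append("high_risk_score")
    burst = [o for o in earlier
             if timedelta(0) <= order.when - o.when <= VELOCITY_WINDOW]
    if len(burst) >= VELOCITY_LIMIT:
        flags.append("velocity")
    return flags


def decide(order, profile, earlier):
    """Valid credentials are necessary but not sufficient to release funds."""
    if not order.credentials_ok:
        return "REJECT", []
    flags = red_flags(order, profile, earlier)
    if len(flags) >= FLAGS_TO_HOLD:
        # Queue for manual review and a call to the customer on a number
        # already on file, instead of re-asking challenge questions online.
        return "HOLD_FOR_CALLBACK", flags
    return "RELEASE", flags


def process_batch(orders, profile):
    """Decide each order in time order; returns (beneficiary, action, flags)."""
    results, earlier = [], []
    for order in sorted(orders, key=lambda o: o.when):
        action, flags = decide(order, profile, earlier)
        results.append((order.beneficiary, action, flags))
        earlier.append(order)
    return results


# Constructed sample data (documentation-range IPs, made-up names, dates and amounts).
SAMPLE_PROFILE = Profile(
    known_devices={"office-pc-1"},
    known_ips={"192.0.2.10"},
    known_beneficiaries={"payroll-processor"},
    max_prior_amount=20_000.00,
)
_DAY = datetime(2024, 1, 8)
SAMPLE_ORDERS = [
    Order(_DAY.replace(hour=9), 15_000.00, "office-pc-1", "192.0.2.10",
          "payroll-processor", True, 120),
    Order(_DAY.replace(hour=9, minute=30), 2_500.00, "office-pc-1", "192.0.2.10",
          "new-supplier", True, 200),
    Order(_DAY.replace(hour=10), 56_000.00, "unknown-device", "203.0.113.7",
          "individual-a", True, 790),
    Order(_DAY.replace(hour=10, minute=5), 1_000.00, "unknown-device",
          "203.0.113.7", "individual-b", False, 810),
]

if __name__ == "__main__":
    for beneficiary, action, flags in process_batch(SAMPLE_ORDERS, SAMPLE_PROFILE):
        print(f"{beneficiary:18} {action:18} {', '.join(flags) or '-'}")
```

With the sample data, the third order is held on five signals even though every credential matched, while a single new beneficiary submitted from a known device and address is released.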
The customer's contributory negligence. In weighing the commercial reasonableness of
the bank's security procedures, the court considered the customer's own negligence. In
particular, Patco failed to monitor its customer's commercial accounts on a daily basis, and it
failed to isolate its computers or forensically preserve the hard drives as evidence of precisely
how the fraud occurred.
Commercial reasonableness does not require the very best system. The Maine court
concluded that the UCC standard does not require that the bank have adopted the very best
security procedures available at the time of the fraud. In hindsight, it is apparent that the bank's
procedures in May 2009 were not optimal:
The bank would have more effectively harnessed the power of its
risk-profiling system if it had conducted manual reviews in
response to red-flag information instead of merely causing the
system to trigger challenge questions. Indeed, it commenced
manual reviews in the wake of the transactions at issue here. The
use of other systems, such as tokens and out-of-band
authentication, also would have improved the security of the bank's
system and might have minimized the loss that occurred in May
2009.
In spite of these shortcomings, the bank used Jack Henry's Premium Product, which was
crafted directly in response to the 2005 FFIEC Guidance. The use of challenge questions meant
that the bank had true "multi-factor authentication", in spite of the customer's arguments to the
contrary. All in all, the system was commercially reasonable at the time. As a result, the risk of
the fraud loss was on the customer rather than the bank.
Based on this analysis, the magistrate judge recommended summary judgment for the
bank on the plaintiff's UCC Article 4A count. In addition, each of the customer's common law
claims (negligence, breach of contract, breach of fiduciary duty, unjust enrichment and
conversion) was preempted by Article 4A, based on the strong "displacement" language of the
Official Comment to UCC 4A-102.
A final thought.
The Michigan and Maine courts take two very different approaches to loss allocation for
hacker theft of customer online credentials. In the Michigan case, the court ruled that the bank's
failure to catch out-of-pattern transactions was "bad faith" even though the bank had a
commercially reasonable security procedure in place. In the Maine case, the bank's failure to
monitor out-of-pattern electronic transactions was not even close to "bad faith", and in fact did
not render the overall security procedure commercially unreasonable. We think that the Maine
court does a much better job of applying the rules of the UCC as they are actually written.
FEDERAL BANK REGULATORS ISSUE SUPPLEMENTAL GUIDANCE
ON AUTHENTICATION OF CUSTOMER ONLINE CREDENTIALS
On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) released a
supplement to its 2005 guidance regarding Authentication in an Internet Banking Environment.
The purpose of the supplement is to "reinforce the risk-management framework described in the
original guidance and update the FFIEC…supervisory expectations regarding customer
identification, layered security, and other controls in the increasingly hostile online
environment." The supplement stresses the need for performing risk assessments, implementing
effective strategies for mitigating identified risks, and raising customer awareness of potential
risks, but it doesn't endorse any specific technology. Depository institutions need to begin
compliance efforts immediately, because the FFIEC has directed examiners to include
compliance with the supplement guidelines beginning in January 2012. Moreover, these new
guidelines are certain to be used in litigation, just as the 2005 version was used in the cases
described in our prior story. Let's take a look at the key points.
Regulators describe increasingly hostile online environment. The new supplement
describes the need for more robust authentication programs to avoid "corporate takeover" of
business deposit accounts:
Since 2005, there have been significant changes in the threat
landscape. Fraudsters have continued to develop and deploy more
sophisticated, effective, and malicious methods to compromise
authentication mechanisms and gain unauthorized access to
customers' online accounts. Rapidly growing organized criminal
groups have become more specialized in financial fraud and have
been successful in compromising an increasing array of controls.
Various complicated types of attack tools have been developed and
automated into downloadable kits, increasing availability and
permitting their use by less experienced fraudsters. Rootkit-based
malware surreptitiously installed on a personal computer (PC) can
monitor a customer's activities and facilitate the theft and misuse
of their login credentials. Such malware can compromise some of
the most robust online authentication techniques, including some
forms of multi-factor authentication. Cyber crime complaints have
risen substantially each year since 2005, particularly with respect
to commercial accounts. Fraudsters are responsible for losses of
hundreds of millions of dollars resulting from account takeovers
and unauthorized funds transfers.
The need for updated risk assessment. The regulators warn that, since virtually every
authentication technique can be compromised, "financial institutions should not rely solely on
any single control for authorizing high risk transactions, but rather institute a system of layered
security." The regulators stress that financial institutions should perform periodic risk
assessments and "adjust their customer authentication controls as appropriate in response to new
threats to customers' online accounts." Updated risk assessments should include the following
factors:
*Changes in the internal and external threat environment;
*Changes in the customer base adopting electronic banking;
*Changes in the customer functionality offered through electronic banking; and
*Actual incidents of security breaches, identity theft, or fraud experienced by the institution or
the industry
The regulators stress that not every online transaction poses the same level of risk. The key is to
implement more "robust controls" as the risk level of the transaction increases.
Online business transactions generally involve ACH file origination and frequent interbank
wire transfers. Financial institutions should utilize controls consistent with the increased level of
risk for covered business transactions. Of great importance, the regulators recommend that
depository institutions offer multi-factor authentication to their business customers. (This was a
big issue in the Michigan and Maine decisions described in the prior story.)
The importance of layered security. The supplement describes "layered security" as
"the use of different controls at different points in a transaction process so that a weakness in one
control is generally compensated for by the strength of a different control." Effective controls
that may be included in a layered security program include:
*Fraud detection and monitoring systems that include consideration of customer history and
behavior and enable a timely and effective bank response;
*The use of dual customer authorization through different access devices;
*The use of out-of-band verification for transactions (e.g. the transaction is initiated over the
internet but verified by phone);
*The use of "positive pay," debit blocks, and other techniques to appropriately limit the
transactional use of the account;
*Enhanced controls over account activities such as transaction value thresholds, payment
recipients, number of transactions allowed per day, and allowable payment windows (e.g. days
and times);
*Internet protocol reputation-based tools to block connection to banking servers from IP
addresses known or suspected to be associated with fraudulent activities;
*Policies and practices for addressing customer devices identified as potentially compromised
and customers who may be facilitating fraud;
*Enhanced control over changes to account maintenance activities performed by customers
either online or through customer service channels; and
*Enhanced customer education to increase awareness of the fraud risk and effective techniques
customers can use to mitigate the risk
The regulators stress that layered controls should include processes designed to detect
anomalous (i.e. out-of-pattern) activity involving (1) initial login and (2) initiation of ACH debits
and outgoing wire transfers. Based on the incidents they have reviewed, the bank regulators
conclude that "manual or automated transaction monitoring or anomaly detection and response
could have prevented many of the frauds since the ACH/wire transfers being originated by the
fraudsters were anomalous when compared with the customer's established patterns of behavior."
In the Michigan and Maine cases, for example, the outgoing ACH debits or wire transfers
initiated by the fraudsters could have been detected based on the unusual size of the transactions,
or the unusual destination of the beneficiaries. This is the "red flag" idea.
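The "red flag" monitoring described above, as an added example that is not part of the original handout or of any bank's system: each outgoing order is compared with the customer's established pattern for size, beneficiary and daily volume before it is released. The payment records are constructed, and the thresholds and response tiers are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Payment:
    day: str          # origination date, ISO format
    beneficiary: str  # receiving account label
    amount: float     # US dollars


# Constructed history for one hypothetical business customer (not real data).
HISTORY = [
    Payment("2011-04-01", "payroll-svc", 4200.00),
    Payment("2011-04-01", "utility-co", 1250.00),
    Payment("2011-04-08", "payroll-svc", 3900.00),
    Payment("2011-04-15", "payroll-svc", 4100.00),
    Payment("2011-04-15", "supplier-a", 980.00),
    Payment("2011-04-22", "payroll-svc", 4300.00),
    Payment("2011-04-29", "payroll-svc", 4000.00),
    Payment("2011-04-29", "supplier-a", 1100.00),
]

# Constructed batch submitted in a single online session.
BATCH = [
    Payment("2011-05-06", "payroll-svc", 4150.00),
    Payment("2011-05-06", "supplier-a", 5900.00),
    Payment("2011-05-06", "unknown-acct-1", 26500.00),
    Payment("2011-05-06", "unknown-acct-2", 1000.00),
]


def build_profile(history):
    """Summarise the customer's established pattern of behavior."""
    amounts = [p.amount for p in history]
    med = median(amounts)
    # Median absolute deviation: a spread measure one past outlier cannot skew.
    mad = median(abs(a - med) for a in amounts) or 1.0
    per_day = Counter(p.day for p in history)
    return {
        "median": med,
        "mad": mad,
        "beneficiaries": {p.beneficiary for p in history},
        "max_per_day": max(per_day.values()),
    }


def red_flags(profile, payment, already_today, k=6.0):
    """Return the out-of-pattern characteristics of one payment order."""
    flags = []
    if payment.amount > profile["median"] + k * profile["mad"]:
        flags.append("unusual_amount")
    if payment.beneficiary not in profile["beneficiaries"]:
        flags.append("new_beneficiary")
    if already_today + 1 > profile["max_per_day"]:
        flags.append("unusual_volume")
    return flags


def decide(flags):
    """Map red flags to a response; the tiers are an assumption of this example."""
    if not flags:
        return "release"
    if len(flags) == 1:
        return "out_of_band_verify"
    return "hold_for_manual_review"


def screen_batch(history, batch):
    """Screen each order before release and return (payment, flags, decision)."""
    profile = build_profile(history)
    seen_today = Counter()
    results = []
    for p in batch:
        flags = red_flags(profile, p, seen_today[p.day])
        results.append((p, flags, decide(flags)))
        seen_today[p.day] += 1
    return results


if __name__ == "__main__":
    for payment, flags, decision in screen_batch(HISTORY, BATCH):
        print(f"{payment.beneficiary:15} {payment.amount:>10.2f} {decision} {flags}")
```

The decision is made before the order leaves the bank, which is the point of the regulators' observation: a challenge question triggered by the same score does not stop the transfer, while a hold or an out-of-band call does.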
Effectiveness of PC identification and challenge questions. The FFIEC supplement
urges banks to strengthen techniques for identifying the PC which initiates the transfers, and for
asking more sophisticated challenge questions. The simplest form of PC identification is to use a
"cookie" loaded on the customer's PC to confirm that it is the same machine that was enrolled by
the customer and matches the logon ID and password that is being provided. Unfortunately,
experience has shown that this simple type of cookie may be copied and moved to a fraudster's
PC, allowing the fraudster to impersonate the legitimate user. A more sophisticated form of
protection is the use of "one-time" cookies, which create a more complex digital "fingerprint" by
looking at a number of characteristics including PC configuration, Internet protocol address,
geo-location, and other factors. The regulators conclude: "Although no device authentication method
can mitigate all threats, the Agencies consider complex device identification to be more secure
and preferable to simple device identification. Institutions should no longer consider simple
device identification, as a primary control, to be an effective risk mitigation technique."
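One way a server could implement the distinction the supplement draws, as an added example (not code from the handout, the FFIEC, or any vendor): a static cookie checked by value alone, next to a one-time cookie bound to a device fingerprint and rotated at each login. The class names, the attribute set and the exact-match rule are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment signing key


def fingerprint(attrs):
    """Collapse the device characteristics into one comparable value."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


class SimpleDeviceId:
    """Static cookie: verification only compares the stored value."""

    def __init__(self):
        self.enrolled = {}

    def enroll(self, user):
        self.enrolled[user] = secrets.token_hex(16)
        return self.enrolled[user]

    def verify(self, user, cookie, attrs):
        # The device attributes are ignored, so the cookie is valid anywhere.
        return hmac.compare_digest(self.enrolled.get(user, ""), cookie)


class ComplexDeviceId:
    """One-time cookie bound to a device fingerprint and rotated per login."""

    def __init__(self):
        self.state = {}  # user -> (enrolled fingerprint, current nonce)

    def _cookie(self, user, fp, nonce):
        tag = hmac.new(SERVER_KEY, f"{user}|{fp}|{nonce}".encode(), hashlib.sha256)
        return f"{nonce}.{tag.hexdigest()}"

    def enroll(self, user, attrs):
        fp, nonce = fingerprint(attrs), secrets.token_hex(16)
        self.state[user] = (fp, nonce)
        return self._cookie(user, fp, nonce)

    def verify(self, user, cookie, attrs):
        """Return (accepted, replacement_cookie)."""
        if user not in self.state:
            return False, None
        fp, nonce = self.state[user]
        if not hmac.compare_digest(self._cookie(user, fp, nonce), cookie):
            return False, None  # forged, or an earlier cookie already used
        if not hmac.compare_digest(fingerprint(attrs), fp):
            return False, None  # valid cookie presented by a different device
        # Exact matching keeps the example short; deployed systems usually
        # score partial matches and step up authentication on a mismatch.
        new_nonce = secrets.token_hex(16)
        self.state[user] = (fp, new_nonce)
        return True, self._cookie(user, fp, new_nonce)


# Constructed device attributes (documentation-range IP networks).
ENROLLED_PC = {"ua": "Browser/1.0", "screen": "1280x1024", "net": "192.0.2.0/24", "geo": "US-ME"}
OTHER_PC = {"ua": "Browser/1.0", "screen": "1024x768", "net": "203.0.113.0/24", "geo": "ZZ"}


def demo():
    """Present the same cookie from the enrolled PC and from another PC."""
    simple, complex_ = SimpleDeviceId(), ComplexDeviceId()
    s_cookie = simple.enroll("treasurer")
    c_cookie = complex_.enroll("treasurer", ENROLLED_PC)
    out = {"simple_other_pc": simple.verify("treasurer", s_cookie, OTHER_PC)}
    out["complex_other_pc"] = complex_.verify("treasurer", c_cookie, OTHER_PC)[0]
    ok, next_cookie = complex_.verify("treasurer", c_cookie, ENROLLED_PC)
    out["complex_enrolled_pc"] = ok
    out["complex_replay_old"] = complex_.verify("treasurer", c_cookie, ENROLLED_PC)[0]
    out["complex_next_cookie"] = complex_.verify("treasurer", next_cookie, ENROLLED_PC)[0]
    return out


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:22} accepted={accepted}")
```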
The regulators use similar reasoning in evaluating challenge questions (if those are part
of the bank's security procedure), such as the ones used by Ocean Bank in the Maine case. The
FFIEC supplement stresses that challenge questions can be implemented more effectively using
more sophisticated questions: "These are commonly referred to as 'out of wallet' questions, that
do not rely on information that is often publicly available. They are much more difficult for an
impostor to answer correctly….Solutions that use multiple challenge questions, without exposing
all the questions in one session, are more effective." In short, the use of sophisticated questions
can be an effective component of a layered security program.
Customer awareness and education. The regulators also identify a number of elements
that depository institutions should use in customer awareness and education programs:
*An explanation of protections provided, and not provided, to accountholders relative to
electronic fund transfers under Reg. E, and a related explanation of the applicability of Reg. E to
the types of accounts with Internet access;
*An explanation of under what, if any, circumstances and through what means the institution
may contact a customer on an unsolicited basis and request the customer's provision of electronic
banking credentials;
*A suggestion that online banking customers periodically perform a related risk assessment and
controls evaluation;
*A listing of alternative risk control mechanisms that customers may consider implementing to
mitigate their own risk, or alternatively, a listing of available resources where such information
can be found; and
*A listing of institutional contacts for customers' discretionary use in the event they notice
suspicious account activity or experience customer information security-related events.
Bottom line. As we have seen in reviewing the recent case law in this area, the FFIEC
guidance plays a critical role in the burgeoning private litigation between a defrauded
commercial customer and its bank. It sets a federal standard for what constitutes a
"commercially reasonable security procedure" under Article 4A of the UCC. The new
supplement provides a number of important guidelines, including the necessity of dual-factor
authentication; the growing importance of "layered" security programs that include monitoring of
outgoing ACH and wire transactions for out-of-pattern characteristics; and the use of more
robust IP "cookies" and challenge questions. With mandatory compliance right around the
corner, banks need to closely consider all aspects of the FFIEC supplement.
SUPREME COURT UPHOLDS VALIDITY OF CONSUMER
ARBITRATION AGREEMENTS CONTAINING CLASS ACTION WAIVERS
In the world of consumer financial services, few issues have generated more controversy than the
validity of arbitration agreements that contain a waiver of the right to bring a class action. On
April 27, the United States Supreme Court finally ruled on the issue. In a 5-4 decision, written
by Justice Scalia, the High Court held that class action waivers are enforceable under the Federal
Arbitration Act, which preempts California's judicial rule that such waivers are unconscionable
as a matter of state contract law.
The Supreme Court decision strikes a strong blow for the enforceability of consumer
adhesion contracts; gives a broad reading to the preemptive effect of the FAA; and stresses the
advantages of individual arbitration over class arbitration. In the realms of both consumer
protection and federal preemption, the significance of the new decision is great. The big open
question is what the new Consumer Financial Protection Bureau will do about the issue when it
begins its work in earnest on July 21, 2011.
The AT&T case. In AT&T Mobility LLC v. Concepcion, 2011 WL 1461957 (U.S.),
Vincent and Liza Concepcion signed a Wireless Service Agreement with AT&T Mobility in
2002. The contract provided for phone service and the purchase of two new cell phones. The
Concepcions received the phones themselves "without charge" because they agreed to a two-year
service term. However, AT&T charged $30.22 sales tax on the hardware, calculated as 7.75% of
the full retail value of both phones.
The Wireless Service Agreement included a clause requiring any disputes to be submitted
to arbitration, coupled with language requiring any dispute between the parties to be brought in
an individual capacity and not as a class action. In 2006, AT&T revised the arbitration
agreement to add a new "premium payment clause" under which AT&T would pay a customer
$7,500 if the arbitrator issued an award in favor of a California customer that was greater than
AT&T's last written settlement offer made before the arbitrator was selected.
Before the premium payment clause was added, the Concepcions filed a complaint in the
California federal district court alleging that the practice of charging sales tax on a cell phone
advertised as "free" was fraudulent under California deceptive trade practice laws. The
Concepcions joined with other plaintiffs in a consumer class action. After the premium payment
clause was added to the contract, AT&T filed a motion to compel individual arbitration, as
mandated by the revised contract. The federal district court denied AT&T's motion, holding that
the class action waiver provision of the arbitration agreement was unconscionable under
California law, and that California law was not preempted by the Federal Arbitration Act.
Unconscionability, California style. The Ninth Circuit affirmed the lower court's ruling
that the AT&T class action waiver was unconscionable under California law and therefore
unenforceable. In order to be found unconscionable, a contract provision must be both
"procedurally" and "substantively" unconscionable. Procedural unconscionability generally
takes the form of a contract of adhesion, i.e. a contract drafted by a party of superior bargaining
strength and imposed on the other without any opportunity to negotiate terms. Substantive
unconscionability focuses on overly harsh or one-sided contract terms. Both elements of
unconscionability need not be present to the same degree; California courts use a sliding scale—
the more substantively unconscionable the contract term, the less procedural unconscionability
needs to be shown, and vice versa.
The Ninth Circuit then turned to the California supreme court decision that specifically
addresses the unconscionability of class action waivers in consumer arbitration agreements. In
Discover Bank v. Sup. Ct., 113 P.3d 1100 (Cal. 2005), the California high court ruled that class
action waivers are at least sometimes unconscionable under California law. The court stressed
that class actions serve the important policy function of deterring and redressing wrongdoing,
particularly when a company defrauds large numbers of consumers out of individually small
sums of money. Class action waivers pose a problem because "small recoveries do not provide
the incentive for any individual to bring a solo action prosecuting his or her rights." When the
potential for individual gain is small, very few consumer plaintiffs will pursue individual
arbitration or litigation, which greatly reduces the aggregate liability a company faces when it
has exacted small sums from millions of consumers.
The Ninth Circuit interpreted Discover Bank as creating a three-part test: (1) is the
agreement a contract of adhesion; (2) are disputes between the contracting parties likely to
involve small amounts of damages; and (3) is it alleged that the party with superior bargaining
power has carried out a scheme deliberately to cheat large numbers of consumers out of
individually small sums of money?
The Ninth Circuit concluded that the AT&T class action waiver satisfied all three parts of
the California test:
*First, the Concepcions were given the standardized Wireless Service Agreement without
any opportunity to negotiate the terms. This was a classic contract of adhesion.
*Second, the damages were a measly $30.22 for the sales tax charged on cell phones
AT&T advertised as "free".
*Third, the Ninth Circuit concluded that AT&T carried out a scheme "deliberately to
cheat large numbers of consumers out of small sums of money."
The "premium payment" provision didn't negate unconscionability. AT&T argued
that the potential for the premium payment overcame the problem of "predictably small
damages" identified by the California supreme court. AT&T contended that an award of $7,500
should provide individual consumers with an adequate incentive to pursue initially small damage
claims with higher potential, against the company.
The Ninth Circuit rejected this argument on the ground that the premium payment
provision did not transform a $30.22 case into a predictable $7,500 case. The premium payment
was available only if AT&T didn't make a settlement offer to the aggrieved customer in a sum
equal to or higher than the sum ultimately awarded in arbitration, and before an arbitrator was selected.
If a customer filed for arbitration, predictably AT&T would simply pay the face value of the
claim before the selection of an arbitrator to avoid potentially paying $7,500. "Thus, the
maximum gain to a customer for the hassle of arbitrating a $30.22 dispute is still just $30.22."
Ninth Circuit: the FAA does not preempt California unconscionability law. AT&T
argued that the Federal Arbitration Act both expressly and implicitly preempts state law such as
the unconscionability doctrine as applied in California. The Ninth Circuit also rejected this
argument. The FAA provides that arbitration clauses "shall be valid, irrevocable, and
enforceable, save upon such grounds as exist at law or in equity for the revocation of any
contract." 9 U.S.C. § 2. If a state-law ground to revoke an arbitration clause is not also
applicable as a defense to revoke a contract in general, that state-law principle is preempted by
the federal statute. However, "because unconscionability is a generally applicable contract
defense, it may be applied to invalidate an arbitration agreement" without violating the FAA.
Nor does the FAA preempt state law on the ground that the unconscionability doctrine
stands as an obstacle to the purposes behind the federal law. The Ninth Circuit noted two key
purposes of the FAA: (1) to reverse judicial hostility to arbitration agreements by placing them
on the same footing as any other contract, and (2) to promote the efficient and expeditious
resolution of claims. The Ninth Circuit concluded that California unconscionability law did not
stand in the way of either purpose. Arbitration agreements with class action waivers are on the
exact same footing as contracts that bar class action litigation outside the context of arbitration.
Nor will class actions reduce the efficiency of arbitration in general.
Supreme Court reverses Ninth Circuit. The Ninth Circuit decision represented a major
victory for advocates of both consumer protection and states' rights. But the victory was only
temporary. AT&T appealed the decision to the Supreme Court and the High Court accepted
review. Then, on April 27, it reversed the Ninth Circuit. In his majority opinion, Justice Scalia
was joined by Chief Justice Roberts and Justices Alito, Kennedy, and Thomas (who wrote a
concurring opinion). Justice Breyer wrote a dissenting opinion, in which he was joined by
Justices Kagan, Ginsburg and Sotomayor.
The bottom line for the majority was that the language, purpose and history of the Federal
Arbitration Act preempted the California judicial doctrine of unconscionability under the
Supremacy Clause. The majority concluded that the California state law stood as an obstacle to
the purposes of Congress in enacting the FAA, which include ensuring the enforcement of
arbitration agreements according to their terms so as to facilitate streamlined dispute resolution.
In so concluding, the Supreme Court wiped out the Discover Bank rule.
The Supreme Court's negative view of class arbitration is nicely summed up in the
syllabus of the decision:
Class arbitration, to the extent it is manufactured by Discover Bank
rather than consensual, interferes with fundamental attributes of
arbitration. The switch from bilateral to class arbitration sacrifices
arbitration's informality and makes the process slower, more
costly, and more likely to generate procedural morass than final
judgment. And class arbitration greatly increases risks to
defendants. The absence of multilayered review makes it more
likely that errors will go uncorrected. That risk of error may
become unacceptable when damages allegedly owed to thousands
of claimants are aggregated and decided at once. Arbitration is
poorly suited to these higher stakes. In litigation, a defendant may
appeal a certification decision and a final judgment, but [the FAA]
limits the grounds on which courts can vacate arbitral awards.
In short, California's Discover Bank rule interferes with arbitration and thus conflicts with the
FAA. The rule is limited to adhesion contracts, "but the times in which consumer contracts were
anything other than adhesive are long past." Some consumers may resolve their disputes on a
bilateral basis under Discover Bank, "but there is little incentive for lawyers to arbitrate on behalf
of individuals when they may do so for a class and reap far higher fees in the process. And faced
with inevitable class arbitration, companies would have less incentive to continue resolving
potentially duplicative claims on an individual basis."
In response to the argument that class arbitration is necessary because individual
plaintiffs otherwise would have no incentive to seek recovery of small amounts of damages such
as $30, the majority opinion points out that AT&T would pay claimants a minimum of $7,500
and twice their attorney's fees if they obtained an arbitration award greater than AT&T's last
settlement offer. Justice Scalia noted that the California district court concluded that the
Concepcions were better off under their arbitration agreement with AT&T than they would have
been as participants in a class action, which "could take months, if not years, and which may
merely yield an opportunity to submit a claim for recovery of a small percentage of a few
dollars."
The concurrence and the dissent. Justice Thomas wrote a concurring opinion focusing
on the savings clause in the FAA. He opined that the federal statute requires that an arbitration
agreement be enforced as written "unless a party successfully asserts a defense concerning the
formation of the agreement to arbitrate, such as fraud, duress, or mutual mistake." The
policy-oriented defense of unconscionability is not covered by the savings clause because it doesn't go
to the formation of the contract.
The dissenting opinion, written by Justice Breyer, also focuses on the language of the
FAA, which says that an arbitration agreement "shall be valid, irrevocable, and enforceable, save
upon such grounds as exist at law or in equity for the revocation of any contract." In Justice
Breyer's view, the Discover Bank rule is consistent with the language of the FAA because it
"applies equally to class litigation waivers in contracts without arbitration agreements as it does
to class arbitration waivers in contracts with such agreements." In other words, the Discover
Bank rule is consistent with the FAA because agreements to arbitrate are put on the same footing
as agreements to litigate. This point was heavily emphasized in questioning by the Court during
oral argument. The majority opinion simply shifts the focus from this statutory
"evenhandedness" to the underlying purpose of the statute, which is to require the enforcement of
arbitration agreements as written, unless it can be shown that no agreement was formed in the
first place.
The new Consumer Financial Protection Bureau will have the final say—or will it?
Even though the Supreme Court has now upheld the enforceability of class action waivers in
consumer arbitration agreements, the battle is not over. Instead, the scene shifts from the judicial
to the regulatory forum.
Section 1028 of the Dodd-Frank Financial Reform and Consumer Protection Act gives
the new Consumer Financial Protection Bureau the authority to prohibit or impose conditions or
limits on the use of class action waivers in consumer arbitration agreements if it finds such a rule
to be "in the public interest and for the protection of consumers." Before issuing a rule, however,
the CFPB must conduct a study and provide a comprehensive report to Congress. Any
rulemaking by the CFPB must be consistent with study findings.
In light of this Congressional mandate, sometime after the CFPB begins work on July 31,
2011, we can expect to see a complete study of this important subject. Will the end-result be a
CFPB rule outlawing class action waivers? Severely regulating them? Will the Supreme Court
decision have an impact on any rulemaking? Only time will tell. The one thing that seems
certain is that the rulemaking will then be followed by another round of litigation. In the
meantime, consumer financial services contracts may continue to include arbitration agreements
that include class action waivers.
In the April 2010 issue of this newsletter, we reported on a huge multi-district
consumer class action in Florida federal district court challenging the practice of
high-to-low debit posting. Recently, Bank of America settled with the plaintiffs
for $410 million. Some of the other banks remaining in the litigation, including
Regions, SunTrust and BB&T, have deposit agreements with arbitration
clauses/class action waivers. Can those banks now take advantage of the
Concepcion decision in order to compel individual arbitration and get out of the
class action? That is sure to be a big issue in the Florida litigation. Stay tuned.
FOUR REASONS TO ADOPT ALTERNATIVE A FOR INDIVIDUAL DEBTOR NAMES
Many state legislatures are now in the process of considering the 2010 amendments to Article 9
of the UCC. Only one of these amendments has generated any controversy. That is the
amendment to UCC 9-503 dealing with individual debtor names. For example, if a bank makes a
secured commercial loan to a small business operated as a sole proprietorship, what name does it
put on the UCC financing statement? Unfortunately, there are often variations on individual
names. Under current law, both filers and searchers must consider these alternatives as part of
their due diligence. This is time-consuming and costly, and it doesn't remove all the uncertainty.
The judicial decisions reflect the problems. For example, in In re Kinderknecht, 308 BR
71, 53 UCC Rep.2d 167 (10th Cir. BAP 2004), it was undisputed that the debtor's "legal name"
was Terrance Joseph Kinderknecht, but that he was informally known by the nickname "Terry".
When he obtained an agricultural loan to buy two new farm implements, the secured creditor
filed its financing statement under the name "Terry J. Kinderknecht". The court held that this
name was "seriously misleading" under Article 9, and that the secured creditor must list an
individual debtor by legal name, not nickname. By contrast, in Peoples Bank v. Bryan Brothers
Cattle Co., 504 F3d 549, 64 UCC Rep.2d 113 (5th Cir. 2007), the Fifth Circuit upheld a filer's use
of the debtor's nickname (Louie Dickerson) rather than the legal name (Brooks L. Dickerson),
which left a later searcher high and dry.
In response to such decisions, the drafters of the 2010 amendments have given the state
legislatures two options for amending UCC 9-503. Both options focus on the debtor's name as it
appears on his or her driver's license. Alternative A provides that the security interest is perfected
"only if" that name is used; Alternative B provides that the driver's license name is sufficient to
perfect the security interest, but leaves other possibilities open to the courts. We favor
Alternative A because of its certainty. Here are our four reasons:
Reason #1: Alternative A gives more certainty to filers and searchers. Alternative A
in the 2010 amendments to UCC 9-503 is called the "only-if" approach. It provides that a UCC
financing statement properly designates the name of an individual debtor only if it indicates the
name that appears on the debtor's driver's license. If the debtor has a current driver's license, use
of any other name means that the security interest is unperfected. The great advantage of this
bright-line rule is that it reduces compliance costs, the cost of credit, and litigation.
By contrast, the "safe-harbor" approach (Alternative B) continues the uncertainty that
exists under current law because a variety of debtor names might be allowed by the courts.
Under the safe-harbor approach, a court could find that a financing statement was sufficient, for
example, if it contained the debtor's name as reflected on his or her (1) birth certificate, (2)
driver's license, (3) passport, (4) tax return, (5) social security card or (6) bankruptcy petition.
That's a lot of ships crowding into the "safe harbor". As a result, secured lenders must search
under a variety of names to be sure they aren't trumped by an earlier filing under a different
name—and even then, there's no certainty.
A typical example. As an example of problems created by the safe-harbor approach,
consider this real-life scenario that arose in Texas about a year ago: Secured Creditor #2 files
under the debtor's driver's license name and does a search under that name that reveals no prior
security interest. Secured Creditor #2 is perfected because Texas has enacted a nonuniform
amendment to Article 9 which adopts the safe-harbor approach. But perfection only protects
Secured Creditor #2 from the debtor's trustee in bankruptcy; it doesn't assure priority. In the
Texas case, a competing secured creditor (Secured Creditor #1) had filed earlier, using the name
that appeared on the debtor's birth certificate. During its search, Secured Creditor #2 didn't pick
up #1's security interest.
A court could easily rule that the birth certificate name was a proper name for the
financing statement, so that Secured Creditor #1 would prevail under the first-to-file rule. The
bottom-line problem is that multiple debtor names could pass muster under Article 9. The Texas
case was settled short of litigation, but it nicely illustrates the uncertainty brought by the
safe-harbor approach. The harbor was not really so safe after all for Secured Creditor #2. The
problems created by allowing multiple debtor names are eliminated by the only-if approach.
Reason #2: An only-if approach for individual debtors is consistent with the UCC
rules governing entity debtors, which have worked well over the years. Under Article 9, a
financing statement filed against a debtor organized as a corporation, LLC, LLP, or limited
partnership perfects a security interest only if it uses the name that appears on the public organic
record that gives birth to the entity as a legal person. That only-if standard was put into Article 9
in order to bring more certainty for filers and searchers. It has worked well. The same model
should be used for individual debtors.
Reason #3: The drafters of the 2010 amendments to Article 9 have eliminated most
of the problems that raised concern about relying on driver's licenses. During the drafting
process for the 2010 amendments, the Joint Review Committee took great pains to resolve
concerns raised regarding the use of a driver's license standard, particularly under an only-if
approach:
*If the debtor doesn't have a current driver's license, then it is sufficient to use the
debtor's surname and first personal name.
*If for some reason the debtor holds two driver's licenses, the most recently-issued
license controls.
*If the driver's license expires, or the debtor gets a new license with a different name, the
normal UCC rules governing change-in-name come into play and give the secured party a four-
month grace period to refile the financing statement in the new name (with no deadline for
presently-owned fixed assets like equipment).
*The secured creditor will continue to have a second bite at the apple, i.e. the old name is
okay if it would be found by a search under the new name, using the filing office's standard
search logic.
*In response to concerns that some driver's license names could not be entered into the
financing statement database because of incompatible character sets, field lengths and the like,
the 2010 amendments include a "Legislative Note" urging the state legislatures to verify whether
there are any compatibility problems of this sort; if there are, the delayed effective date of July 1,
2013 leaves plenty of time to make any necessary system adjustments. So far, no big problems
of compatibility have surfaced. In short, Alternative A isn't perfect, but the drafters have done a
good job of anticipating issues and resolving them.
Reason #4: Those who deal with secured lending on a daily basis strongly support
Alternative A. The banking industry, under the auspices of the American Bankers Association,
worked with the Joint Review Committee throughout its deliberations. Based on the hands-on
experience of secured loan officers and other personnel around the country, the industry strongly
supports Alternative A because of its efficiency, certainty and lower cost. Secured lenders
around the country routinely use the debtor's driver's license as the baseline to comply with the
"Know Your Customer" principle and the Patriot Act. For both UCC filing and searching
purposes, they need a definitive source of debtor-name information, which is what the debtor's
driver's license provides.
Because of frustration over the lack of certainty regarding individual debtor names and recurrent
litigation, institutional secured lenders have pushed for nonuniform amendments to Article 9 that
focus on the driver's license name. To date, four states—Texas, Virginia, Tennessee and
Nebraska—have passed nonuniform amendments to Article 9 in response to the problem. Texas,
which has the highest number of UCC filings, has been a leader in this effort. For several years,
it has been working with a "safe harbor" standard similar to Alternative B. Now bankers from
Texas are among the strongest voices urging a shift from safe-harbor to only-if.
Since most secured consumer lending transactions involve purchase-money security interests that
are automatically perfected, or are perfected by noting a lien on a certificate of title, this is not a
"consumer protection" issue. It is a secured lender issue, and the parties most strongly affected
urge the only-if approach because of its certainty, simplicity and lower cost. The philosophy of
the UCC from its beginning has been to recognize, codify and encourage industry practice,
which is what Alternative A does. The more states that enact Alternative A, the more "uniform"
the Uniform Commercial Code will be.
Bottom line. It is very helpful that the drafters of the 2010 amendments to Article 9
made it a priority to resolve the individual debtor name. Neither Alternative A nor Alternative B
is perfect, but we think that Alternative A should be enacted because the benefits outweigh the
concerns.
NEW YORK BANKRUPTCY COURT UPHOLDS
SECURITY INTEREST IN FCC LICENSE
In order to grant a broadcast license or approve its transfer, the FCC must determine that the
transfer will serve the public interest; thus, the right to use the airwaves is a public right granted
by the FCC to a licensee that may not be assigned without express FCC permission.
47 U.S.C. § 310(d). That language clearly means that a licensee can't sell the license outright to a
third party without FCC approval. But does it also mean that a licensee can't grant a pre-
bankruptcy security interest in the license that will allow the secured party to collect the
proceeds of a post-bankruptcy sale of the license (worth billions) to an FCC-approved party?
That issue has been the subject of intense litigation over the past two decades. A recent
bankruptcy decision from New York upholds such a security interest, to the great relief of
telecom financers everywhere. We think the decision hits the target in the middle.
The TerreStar Networks case. The New York decision is In re TerreStar Networks, Inc.,
2011 WL 3654543, ___B.R.___ (Bankr. S.D.N.Y. 8/19/11). TerreStar is a mobile satellite
services provider whose business required an FCC license to use a particular bandwidth.
TerreStar filed Chapter 11 bankruptcy in 2010. The debtor's primary asset was the broadcast
license.
In 2008, TerreStar had issued $500 million in 15% notes with a maturity date of 2014.
U.S. Bank, as indenture trustee and collateral agent for the noteholders, had taken a security
interest in the proceeds of any sale of the license, though not the license itself:
[S]uch security interest does not include at any time any FCC
license to the extent (but only to the extent) that at such time the
Collateral Agent may not validly possess a security interest
directly in the FCC License pursuant to applicable federal law,
including the Communications Act of 1934…but such security
interest does include at all times all proceeds of the FCC Licenses,
and the right to receive all monies, consideration and proceeds
derived or in connection with the sale, assignment, transfer, or
other disposition of the FCC Licenses….
The bank's security agreement also identified as collateral all "general intangibles" as
defined in Article 9 of the UCC. Consistent with the security agreement, the Offering
Memorandum for the 15% notes recognized that the lien could not cover the license itself
because the FCC retains the authority to determine who may hold a license. The bank perfected
its security interest by filing a financing statement with the Delaware secretary of state; it also
filed the relevant agreements with the SEC.
Sprint tries to invalidate the noteholders' security interest. After TerreStar filed
bankruptcy, Sprint Nextel, a wireless communications carrier, filed a $104 million unsecured
claim against the debtor for the debtor's share of Sprint's costs to clear the bandwidth that
TerreStar had obtained for its license. In an adversary proceeding, Sprint contended that the
noteholders' security interest should either be declared invalid or subordinated to Sprint's claim
because the FCC recognized the validity of the debtor's reimbursement obligation. Not
surprisingly, the debtors' Unsecured Creditors Committee aligned itself with Sprint in the
adversary proceeding.
In Count I of its complaint, Sprint maintained that the noteholders' lien could not attach
to the FCC license itself and therefore could not attach to any postpetition proceeds of a non-
existent asset. In Count II Sprint argued that even if the lien might be permissible as to the
economic value associated with the license, it was not effective in this case because (1) it
couldn't attach under Article 9 of the UCC until after a sale of the license assets occurred, and (2)
Section 552 of the Bankruptcy Code prohibited liens on property acquired after the bankruptcy
filing.
In July 2011, TerreStar sold substantially all its assets, including the FCC license, to Dish
Network for $1.375 billion. The license transfer was subject to FCC approval. Since the total
obligation owing to the noteholders was $1.5 billion, they would almost come out whole if the
court validated the security interest.
A perfected security interest existed in the "economic value" of the FCC license.
The New York court ruled that the noteholders' security interest in the FCC license was
enforceable, to the extent of the proceeds generated by the post-bankruptcy sale. In reaching this
result, the court looked to the evolution of the law regarding whether, and to what extent, a lien
may be placed on an FCC license or any value associated with it. The court concluded that,
while a lien can't exist on the license itself, a security interest may attach to the economic value
of the license.
Prior to 1992, the FCC took the position that a lien could not be placed on an FCC license
in any manner:
[A] broadcast license, as distinguished from the station's plant or
physical assets, is not an owned asset or vested property interest so
as to be subject to a mortgage, lien, pledge, attachment, seizure, or
similar property right….[S]uch hypothecation endangers the
independence of the licensee who is and who should be at all times
responsible and accountable to the Commission in the exercise of
the broadcasting trust.
In re Merkley, 94 F.C.C. 2d 829, 1983 WL 182883. Then, in 1992, a Maryland bankruptcy court
upheld a bank's security interest in the proceeds of a post-bankruptcy sale of an FCC license. In
validating the bank's security interest, the court distinguished between a debtor's "private" right
to receive economic value generated by sale of the license, as opposed to the FCC's "public" right
to allocate FCC licenses. In re Ridgely Communications, Inc., 139 B.R. 374, 17 UCC Rep.2d
877 (Bankr. D. Md. 1992). Concluding that the perfection of a creditor's security interest in the
economic value of the license did not disrupt the FCC's public right to regulate the license, the
court held that "a creditor may perfect a security interest in a debtor's F.C.C. broadcasting
license, limited to the extent of the licensee's proprietary rights in the license vis-à-vis private
third parties."
In sharp contrast to Ridgely, a Wisconsin decision, affirmed by the Seventh Circuit, ruled
that a security interest in an FCC license was a nullity because "the FCC has consistently and
unequivocally refused to recognize such interests." In re Tak Communications, Inc., 138 B.R.
568, 17 UCC Rep.2d 218 (W.D. Wis. 1992), aff'd 985 F.2d 916 (7th Cir. 1993). To resolve the
conflict between the two decisions, the FCC issued a declaratory ruling in 1994 that adopted
Ridgely and rejected Tak. In re Cheskey, 9 FCC Rcd. 986, 1194 WL 54752. The FCC embraced
the public/private distinction articulated in Ridgely: "If a security interest holder were to
foreclose on the collateral license, by operation of law the license could transfer hands without
the prior approval of the Commission. In contrast, giving a security interest in the proceeds of
the sale of a license does not raise the same concerns."
The New York court noted that, since the FCC's ruling in Cheskey in 1994, it has been
"settled law" that a creditor may perfect a lien in the private economic value of an FCC license to
the extent that such lien does not violate the FCC's public right to regulate license transfers. See,
e.g., MLQ Investors, L.P. v. Pacific Quadracasting, 146 F.3d 746, 36 UCC Rep.2d 199 (9th Cir.
1998); In re Ion Media Networks, Inc., 419 B.R. 585 (Bankr. S.D.N.Y. 2009)("FCC Licenses…are
subject to an enforceable dedication of their economic value…."); In re Beach Television
Partners, 38 F.3d 535, 25 UCC Rep.2d 227 (11th Cir. 1994)(holding that "[a] security interest in
the proceeds of an FCC-approved sale of a broadcast license in no manner interferes with the
FCC's authority and mandate under the Act to regulate the use of broadcast frequencies."). The
New York court also cited Clark & Clark, The Law of Secured Transactions under the Uniform
Commercial Code ¶ 2.04(3)(2010).
New York court rejects recent Colorado decision. Sprint relied heavily on one recent
decision from Colorado that goes the other way. In re Tracy Broadcasting Corp., 438 B.R. 323
(D. Colo. 2010). In that case, the court held that the debtor did not have rights in the FCC
license itself, and thus could not grant an enforceable prepetition security interest under UCC 9-
203. Because no lien could be placed on the license itself, the security interest in the proceeds
could only arise postpetition, which violated Section 552 of the Bankruptcy Code.
The New York court rejected this reasoning on several grounds. First, the Colorado court
reached its conclusion based on the faulty assumption that there has been no definitive ruling by
the FCC itself. In its 1994 Cheskey decision, the FCC unequivocally reversed its prior decisions
and ruled that a secured creditor could obtain an enforceable prepetition lien on the economic
value of the FCC license (the "private" piece), though not on the "public" piece. Second, the
Colorado court was weak on its UCC analysis. The economic value of the license qualifies as a
prepetition "general intangible" under Article 9 of the UCC, which gives rise to postpetition
proceeds in the form of money generated by an FCC-approved sale. This is consistent with the
broad definition of "proceeds" in Article 9 and with Section 552 of the Bankruptcy Code. Third,
UCC 9-408 invalidates attempts to restrict the assignment of a general intangible such as a
license, at least if the assignment does not interfere with the issuer. In short, the noteholders' lien
on the economic value of the FCC license (a "general intangible") attached prepetition and was
not barred by Section 552. (The Colorado decision is criticized in the April 2011 issue of this
newsletter.)
Good language in the security agreement. The New York court also noted that the
collateral description in the noteholders' security agreement carefully avoided any language that
would suggest an assignment of the license itself; instead, the collateral was limited to the right
to receive money generated by an FCC-approved sale of the license. In other words, the security
agreement incorporated the "public/private" distinction that is so central to the case law.
The New York court also recognized the strong public policy in favor of allowing a
security interest in the economic value of an FCC license, so long as the security interest does
not interfere with the FCC's regulatory function to control outright transfers. Why shouldn't
lenders be able to take a security interest in the most valuable asset of a telecom company? In
such a case, the lender is taking the fruit of the tree but not seizing control of the tree itself.
Denying such a limited security interest unduly limits financing for telecom companies and gives
a windfall to unsecured creditors.
Two final issues. After ruling that the noteholders' security interest in the FCC
license was enforceable, the New York court resolved two final issues raised by the parties.
In Count III of its adversary complaint, Sprint argued that it conferred a special benefit on
TerreStar by incurring expenses in clearing the bandwidth that TerreStar obtained. Sprint argued
that the expenses for which it sought reimbursement made it possible for the collateral to come
into existence. Therefore, the bondholders' security interest should be invalidated or subordinated
to Sprint's reimbursement claim under Section 552(b)(1), which gives a bankruptcy court power
to set aside all or part of the postpetition proceeds generated from a prepetition security interest
"based on the equities of the case." The noteholders moved to dismiss Count III on the ground
that the "equities of the case" rule only applies where the debtor uses unencumbered assets to
increase the value of the collateral. The court denied the motion to dismiss on the ground that
the factual record was not complete on this issue.
In Count IV of its complaint, Sprint sought a ruling that the noteholders' security interest
should be subordinated to Sprint's reimbursement claim under Article 9 because the license was
"conditioned" on clearing the bandwidth. The court rejected Sprint's argument on the ground
that clearing the bandwidth created an unsecured reimbursement "obligation", but did not
"condition" the collateral such that Sprint should be paid before the bondholders.
Bottom line. The New York decision is well-reasoned in every respect. It reaffirms the
important principle that a lender may perfect a prepetition security interest in the economic value
of an FCC license. The recent Colorado decision is dead wrong. The collateral is a "general
intangible". When the license is sold to an FCC-approved third party following the licensee's
bankruptcy, the security interest in the general intangible carries over to the proceeds of sale
under Section 552 of the Bankruptcy Code. End of story.
WILL A SECURITY INTEREST IN A TAX REFUND STAND UP IN BANKRUPTCY?
In a bad economy, net operating losses happen. The good news is that these losses can in some
measure be recaptured by filing for a tax refund under the carryback provisions of the Internal
Revenue Code. This procedure allows the taxpayer to obtain a refund of taxes paid in the prior
two years, to set off against the losses incurred in the present year. For corporate debtors, these
refunds can be very large and valuable assets.
What happens if a lender, prior to the taxpayer's bankruptcy, has retained a security
interest in "all general intangibles, now owned or hereafter acquired"? As a UCC category, the
term "general intangibles" has consistently been held to include tax refunds. As between the
secured creditor and the bankrupt debtor, who gets the big tax refund? In a recent bankruptcy
court decision from Florida, the court ruled that the security interest of the creditor was voidable
as a preference because it did not attach until the last day of the debtor's tax year, which occurred
within 90 days of the bankruptcy filing. As a result, the whopping $207 million tax refund went
to the debtor's estate and its unsecured creditors.
The Florida bankruptcy case. In In re TOUSA, Inc., 406 B.R. 421 (Bankr. S.D. Fla.
2009), the debtor and its subsidiaries were involved in the homebuilding business in Florida.
Because of the sharp downturn, the debtor filed Chapter 11 on January 29, 2008. On July 31,
2007, the debtor had borrowed $500 million in two syndicated term loans, agented by Citibank
(first lien agent) and Wells Fargo (second lien agent). The loans were both secured by various
assets of the debtor, including "All General Intangibles, Now Owned or Hereafter Acquired".
Proper financing statements were filed on August 1, 2007.
For the taxable year 2005, the debtor had paid $117 million in federal income taxes, and
for taxable year 2006 it paid $103 million. The financial situation of the debtor dramatically
deteriorated in 2007, resulting in a net operating loss of $643 million for 2007. After filing
bankruptcy, the debtor filed for a tax refund to write off the 2007 losses against the 2005 and
2006 taxes that had been paid. This resulted in a $207 million tax refund paid by the IRS to the
bankruptcy estate on April 23, 2008. Not surprisingly, the banks claimed priority to the refund,
based on their perfected security interest in the tax refund as a "general intangible."
The unsecured creditors sought to avoid the banks' security interests as preferences.
Relying on Section 547(e)(3) of the Bankruptcy Code, they argued that the debtor could not
"acquire rights" in the tax refund until the end of its 2007 taxable year, which was December 31,
2007. Until that time, the debtor's right to the refund remained contingent and the banks' security
interests could not attach. Since December 31, 2007 was within 90 days of the bankruptcy filing,
the security interests were voidable preferences.
The court's analysis. The Florida bankruptcy court agreed with the unsecured creditors.
It concluded that the "transfer" of collateral did not occur until December 31, 2007. Section
547(e)(1) provides that a transfer of personal property for preference purposes "is perfected when
a creditor on a simple contract cannot acquire a judicial lien that is superior to the transferee".
By that test, the transfer would have taken place back on August 1, 2007, when the banks filed
their financing statement. At that point, no lien creditor could gain priority to the tax refund over
the banks. Yet, under Section 547(e)(3), the transfer could not occur until the debtor had
"acquired rights in the property transferred", and that didn't happen under federal law until the
debtor's tax year was completed on December 31. Until that moment, the debtor had no right to
a tax refund under Section 172 of the Internal Revenue Code. The right to a net operating loss
carryback and a corresponding refund is tied to a specific "taxable year". A taxpayer is not
authorized to carry back mid-year or part-year losses. The court concluded: "Under these
provisions, a net operating loss for any period less than the taxable year is a complete nullity and
has no legal significance."
The court elaborated on the policy issues:
[A] mid-year claim to a federal tax refund necessarily entails
speculation and forecasting about the course of a debtor's business
from the date the supposed mid-year right arises until the end of its
tax year, meaning that any interest in a tax refund prior to the end
of the tax year necessarily would be uncertain and contingent.
Perhaps more to the point, Congress has defined the right to a net
operating loss carryback as a function of complete and not partial
tax years.
Legislative history. In relying primarily on Section 547(e)(3) of the Bankruptcy Code,
with its rule that the transfer of property rights from a debtor to a secured creditor can't take place
until the debtor "has acquired rights in the property transferred", the Florida court looked at the
legislative history of that provision. It was enacted in 1978 specifically to overrule cases like
DuBay v. Williams, 417 F.2d 1277, 6 UCC Rep. 885 (9th Cir. 1969) and Grain Merchants of
Indiana, Inc. v. Union Bank and Savings Co., 408 F.2d 209, 6 UCC Rep. 1 (7th Cir. 1969), cert.
den. 396 U.S. 827 (1969). Those cases held that a "floating lien" that attached to receivables
collected during the preference period was protected from avoidance if the secured creditor had
perfected its security interest with respect to both present and future receivables.
As part of the same package of amendments, Congress enacted Section 547(c)(5), which
protects the UCC floating lien on inventory, accounts and proceeds that are constantly turning
over unless the secured creditor "improves its position" during the 90 days prior to bankruptcy.
The rule adopts a two-point test that requires determination of the creditor's position (1) 90 days
prior to bankruptcy and (2) on the date of bankruptcy. The trustee measures the value of the
collateral and the amount of the debt at both times. If the creditor's "insufficiency" (i.e. the
amount by which the debt exceeds the value of the collateral) is less at the time of bankruptcy
than it was 90 days prior, only this "improvement in position" is voidable as a preference. On
the other hand, if new receivables arise that are not substitutions for the old ones in the "floating
mass", they are not protected.
Although it is not crystal-clear from the opinion, the Florida court appears to be saying
that (1) the $207 million tax refund was not a "receivable" within the scope of the two-point test
of Section 547(c)(5) or (2) even if it was, it was not a replacement of a prior receivable so that
there was indeed an improvement in position to the tune of the full $207 million. Either way, the
court was left with the general rule of Section 547(e)(3) that the debtor had not acquired rights in
the collateral until December 31, 2007.
Critique of the Florida decision. The Florida decision is supported by other case law.
See, e.g., In re TMCI Electronics, 279 B.R. 552 (Bankr. N.D. Calif. 1999)(bank's security
interest in general intangibles didn't extend to tax refund because the debtor did not acquire
rights in the refund until the end of its taxable year, which occurred after the bankruptcy filing; at
time of filing, tax refund was mere "expectancy", so that security interest never attached under
UCC 9-203; instead, the refund was a post-bankruptcy asset under Section 552 of the
Bankruptcy Code).
In spite of this authority, we think there are some good arguments in favor of the secured
creditor:
*In Segal v. Rochelle, 382 U.S. 375 (1966), the Supreme Court held that an operating loss
carryback refund claim constituted "property of the estate" as of the time of the bankruptcy
petition, even though the petition was filed before the end of the taxable year and the debtors did
not then have a right to a tax refund. The expectancy of a tax refund was considered "property"
that was "transferable" by the debtor on the date of the petition, so that it passed to the trustee as
"property of the estate." The Supreme Court, speaking through Justice Harlan, concluded that the
term "property" must be "construed most generously and an interest is not outside its reach
because it is novel or contingent or because enjoyment must be postponed."
*If a loss carryback tax refund is "property of the estate" even though the bankruptcy
filing predates the end of the tax year, why shouldn't it be considered "rights in the collateral"
subject to attachment under UCC 9-203 if the secured transaction predates the end of the debtor's
tax year? If the Supreme Court views such an interest as "transferable" by the debtor, why
shouldn't it be treated the same way for attachment purposes under Article 9? The law books are
full of cases holding that contingent claims like lawsuits prior to judgment are attachable and
perfectible under Article 9. The reach of the Article 9 security interest is broad, just as is the
reach of "property of the estate" for purposes of Section 541 of the Bankruptcy Code.
*The term "receivable" is broadly defined in Section 547(a)(3) as a "right to payment
whether or not such right has been earned by performance." That could include a tax refund. If
so, why couldn't the court use the two-point test? The asset at issue in the Florida case was not
like a receivable newly acquired by the debtor, so that it depleted the assets of the estate shortly
before bankruptcy. Instead, it seems likely that the potential tax refund for 2007 had substantial
value by September 1, 2007, when the banks filed their financing statements. It was an
identifiable and lienable asset, properly described as a "general intangible" in the security
agreements and financing statements. Given the housing market in late 2007, that value would
be even greater by the end of October, 90 days before the bankruptcy petition was filed. To the
extent there was an "improvement in position" between the end of October and the filing date of
January 29, 2008, based on the increasing value of the tax refund, that amount could be avoided,
but the amount would be dependent on expert testimony.
Bottom line. Given the horrible economy and the increased importance of loss carryback
tax refunds, we expect to see more case law in this area. Secured creditors should not give up.
ALABAMA COURT: "TRAC" EQUIPMENT LEASE
IS NOT A DISGUISED SECURED TRANSACTION
Over the years, we have seen much litigation on whether a transaction that is labeled an
"equipment lease" is in fact a disguised secured transaction. The proper characterization of the
transaction is crucial for at least two purposes: (1) If a true lease is involved, the lessor need not
file a UCC financing statement and (2) if the debtor files bankruptcy, the trustee must assume or
reject a lease, without any cramdown. In recent years, most of the litigation has occurred in the
bankruptcy courts, with a focus on the right of the purported lessor to recover the equipment
unless the trustee assumes the lease obligations in full under Section 365 of the Bankruptcy
Code. In a significant recent decision, an Alabama bankruptcy court was unwilling to
recharacterize a "TRAC" equipment lease as a disguised secured transaction for purposes of
Section 365.
The Alabama case. In In re HB Logistics, LLC, 2011 WL 4625198 (Bankr. N.D. Ala.
9/29/11), the Chapter 11 debtor was a trucking company that had entered into a number of
"lease" transactions involving trucks and trailers. The equipment lessors sought relief from the
stay and demanded that the debtor-in-possession (DIP) either assume or reject the leases. The
DIP sought to re-characterize the "lease" transactions as secured transactions subject to
cramdown, based on the fact that each lease contained a "terminal rental adjustment clause"
(TRAC) which required an adjustment at lease termination based on the amount realized by the
lessor upon sale of the leased equipment to a third party.
Under a TRAC provision, if the sale of the equipment at the end of the lease generates
less than the estimated residual value of the equipment (as determined at the inception of the
lease), the lessee is required to pay the lessor the deficiency as a "rental adjustment"; if the sale
generates more than the estimated residual value, the lessor is required to pay the surplus to the
lessee. By use of this formula, the lessor is guaranteed a return of its original investment in the
equipment, plus a profit.
The debtor's argument. The DIP argued that the TRAC feature shifted all the economic
risk and reward of "owning" the equipment from the lessor to the lessee. Under this "economic
reality" standard, the lessee had an "equity" stake and the lessor was in the position of a secured
lender. The DIP emphasized that each lease also placed on the debtor:
*all responsibility for selection, delivery, maintenance and warranties of the equipment
*all risk of loss for damage to the equipment
*all responsibility for insuring and paying taxes on the equipment
The equipment leases contained all the provisions you would expect to see in a loan agreement.
In fact, although each transaction was labeled as an "equipment lease" with the lessor as
"owner", each lease included the grant of a security interest in favor of the lessor and the filing of
a "protective" UCC financing statement. The leases also contained cross-collateral provisions.
In short, in spite of the labels, the economic substance of each equipment lease was that
the debtor bore 100 percent of the risk of ownership. Although the lessor bore the risk that the
debtor might default on payments under each lease, including default on the TRAC payment at
the end, that was a credit risk inherent in any lease or loan relationship, not an ownership risk.
The DIP contended that the lessors bore the burden of proving that the "leases" were in
fact true leases rather than disguised secured financing transactions. On this point, the DIP cited
a number of cases holding that, in characterizing transactions, form should not prevail over
substance. The DIP also argued that, for purposes of construing a federal statute like Section
365 of the Bankruptcy Code, state law characterizations must take a back seat to the general
federal law principle that substance trumps form. On this point, the DIP cited United Airlines,
Inc. v. HSBC Bank USA, N.A., 416 F.3d 609, 612, 2005 WL 1743787 (7th Cir. 2005)("It is
unlikely that the [Bankruptcy] Code makes big economic effects turn on the parties' language
rather than the substance of their transaction; why bother to distinguish transactions if these
distinctions can be obliterated at the drafters' will?")
Nominal purchase option cases. In the DIP's view, the most relevant state law on point
is UCC 1-203, which seeks to draw a line between true leases and disguised secured transactions,
not based on the "intent" of the parties but on more objective criteria evidencing the economic
substance of the transaction. For example, it is now clear that, if the lessee can purchase the
equipment at the end of the lease term for a nominal consideration, and the equipment still has
some economic life left in it, the transaction must be re-characterized as a secured loan. As
White & Summers put it in their treatise: "If only a fool would fail to exercise the option, then
the economic reality must be a [secured transaction] notwithstanding the lease and option."
White & Summers, Uniform Commercial Code, Practitioners' Edition, Vol. 4, § 30-3 (2010). In
the present case, some of the equipment leases gave the lessee an option to purchase the
equipment at the end of the term for $1 or $100.
The DIP argued that the TRAC feature, like the nominal purchase-option feature, should
force a re-characterization under the UCC, based on the "economic reality" of the transaction.
Courts around the country are split on the issue. The DIP cited a number of judicial decisions
that re-characterize a TRAC lease as a disguised secured transaction. In re Lash, 73 UCC
Rep.2d 292, 2010 WL 5141760 (Bankr. M.D.N.C. 2010); In re Brankle Brokerage & Leasing,
Inc., 394 B.R. 906, 2008 WL 4470061 (Bankr. N.D. Ind. 2008); In re Grubbs Construction Co.,
319 B.R. 698, 55 UCC Rep. 2d 501 (Bankr. M.D. Fla. 2005); In re Zerkle Trucking Co., 132
B.R. 316 (Bankr. S.D.W.Va. 1991).
Alabama court refuses to re-characterize the transaction. In the most recent decision
to consider the issue, the Alabama bankruptcy court rejected the DIP's arguments and refused to
treat the TRAC lease as a disguised secured loan. First, the court ruled that the party contending
that the subject lease agreements "are something other than what they purport to be" has the
burden of proof on the issue. Second, the Supreme Court has ruled that "property interests" are
determined by state law rather than federal law. Stern v. Marshall, 131 S. Ct. 2594 (6/30/11),
2011 WL 2472792; Butner v. United States, 440 U.S. 48 (1979). Therefore, the proper
characterization of an equipment lease must be determined by state law, not bankruptcy law.
In the present case, the debtor was an Alabama corporation which had its principal place
of business in that state. In one group of TRAC leases, the lessor (REFCO) and the debtor used
an Alabama choice-of-law provision. For leases where the lessor was GE Capital, the parties
used a Texas choice-of-law provision. For agreements between the debtor and Wells Fargo, the
parties had a Minnesota choice-of-law provision. And for transactions where the lessor was BEF
Corp., the parties chose the law of Mississippi.
The court began with a consideration of Alabama law. Like most states around the
country, Alabama has enacted a "TRAC statute" that provides:
In the case of motor vehicles…notwithstanding any other provision
of law, a transaction does not create a sale or security interest
merely because the transaction provides that the rental price is
permitted or required to be adjusted under the agreement either
upward or downward by reference to the amount realized upon sale
or other disposition of the motor vehicle.
The Alabama court reasoned that, while this statute does not automatically protect equipment
leases from re-characterization if they include a TRAC provision, it does not require the finding
of a security interest "merely because" the lease contains such a clause. The Alabama court
called the statute "TRAC neutral".
The court noted that, in all the cases cited by the debtor that require re-characterization,
the court found that the TRAC provision gave the lessee "equity" in the equipment. The
Alabama supreme court has expressly rejected the argument that lessee "equity" justifies
re-characterization. In Sharer v. Creative Leasing, Inc., 612 So.2d 1191, 21 UCC Rep.2d 865
(Ala. 1993), the court found that the transaction was a true lease because it contained no nominal
purchase-option and because the lessee's "reward and risk" at the end of the lease term is not a
form of "equity".
UCC "bright-line" rule does not require re-characterization. The Alabama court
then turned to UCC 1-203, which distinguishes leases from security interests. Whether a
transaction in the form of a lease creates a lease or security interest is determined by the facts of
each case. The statute provides that a transaction in the form of a lease "creates a security
interest" if it is terminable by the lessee and meets one of the following four tests:
*the original term of the lease is equal to or greater than the remaining economic life of
the goods;
*the lessee is bound to renew the lease for the remaining economic life of the goods or is
bound to become the owner of the goods;
*the lessee has an option to renew the lease for the remaining economic life of the goods
for no additional consideration or for nominal additional consideration upon compliance with the
lease agreement; or
*the lessee has an option to become the owner of the goods for no additional
consideration or for nominal additional consideration upon compliance with the lease agreement.
UCC 1-203(b).
Although the TRAC leases couldn't be terminated by the debtor, the Alabama court found
that none of the other four requirements was present under the terms of the leases. As to the first
requirement, the parties stipulated that each of the leases involved trucking equipment that had
substantial "remaining economic life" at the end of the lease term. As to the second and third
requirements, the TRAC leases did not have mandatory or optional renewal provisions. As to
the fourth requirement, the lessee did not have the option to become the owner of the trucks for
"no additional consideration or for nominal consideration" at the end of the lease term; instead, it
had an option to purchase the trucks for their fair market value.
After finding that REFCO was a lessor because it "retained a reversionary interest in the
subject equipment", and that the debtor didn't have any "equity" in the equipment, the Alabama
court concluded that the purported lease agreements were "true leases" under Alabama law. As a
result, the DIP was required to assume or reject the leases. The court came to the same
conclusion regarding the leases governed by Texas, Minnesota and Mississippi law. With
respect to the transactions governed by Mississippi law, the court found that they were true
leases based on the UCC provision alone, even though Mississippi is one of the few states that
does not have a TRAC statute.
Some parting thoughts:
*The case law on this important issue is sufficiently conflicting from one jurisdiction to
another that we can expect substantial litigation in other states.
*Although some courts call TRAC statutes "neutral" (see, e.g., In re HP Distribution,
LLP, 436 B.R. 679 (Bankr. D. Kan. 2010)), these statutes cut strongly against re-characterization
in the eyes of some courts because they weaken the argument that the shift in risk from lessor to
lessee is the most important factor.
*Although the Alabama court generally upheld the validity of the TRAC provisions, it
did re-characterize those leases that contained an option for the lessee to purchase trucks for
nominal consideration.
*In the early days, the lease/secured transaction distinction was important because the lessor had not
filed a financing statement. In more recent years, lessors have filed "protective" financing
statements as a matter of course, and the litigation focus has shifted to assumption/rejection
under Section 365 of the Bankruptcy Code. Similarly, in the old days, most of the cases
involved options to purchase the equipment; more recently, they involve leases without any
nominal purchase option but with TRAC clauses instead.
*The Alabama court focused its analysis on the "TRAC neutral" statute and the "bright-line
test" of UCC 1-203(b). The court failed, however, to address the arguments of the DIP
under UCC 1-203(a) that re-characterization was proper based on an examination of "the facts of
each case." This omission gave disproportionate weight to the "TRAC neutral" statute and TRAC
language in the leases relative to other provisions.
*Note: One of the editors of this newsletter, Barkley Clark, is a partner in the firm of
Stinson Morrison Hecker, LLP, which represented the debtor in the Alabama litigation.
NINTH CIRCUIT: STATE LAWS REQUIRING SPECIAL POST-REPO NOTICE
ARE NOT PREEMPTED BY OCC REGULATIONS FOR NATIONAL BANKS
One of the biggest legal issues in the financial services area is the extent to which federal
preemption shields national banks from state consumer protection laws that affect both secured
and unsecured lending. This issue often surfaces in consumer class actions. In a significant
recent decision, the Ninth Circuit has ruled that a California law requiring special post-
repossession notice governs the foreclosure by a national bank on a secured auto loan. Federal
preemption, based on OCC regulations, didn't protect the national bank that bought the dealer
paper. As a result, the court refused to dismiss a consumer class action based on the faulty
notice. The decision is a major setback for secured auto lenders.
The California case. In Aguayo v. U.S. Bank, 2011 WL 3250465 (9th Cir. 8/1/11), Jose
Aguayo purchased a Ford Expedition from a Ford dealership in Glendale, California. Aguayo
financed the purchase through the dealership by signing a retail installment contract; the dealer
assigned the paper to U.S. Bank. A few years later, Aguayo fell behind on his car payments and
the bank repossessed the car. After the car was repossessed, the bank sent Aguayo a "Notice of
Our Plan to Sell Property", which stated that the car would be sold at a private foreclosure sale
"sometime after September 3, 2007."
Enclosed with the Notice were two other documents. The first was a "Request for
Extension" by which Aguayo could request a ten-day extension of the deadline to redeem the
car; the second was a "California Redemption Letter with Extension Agreement." The Letter
provided details about the amount of Aguayo's overdue payments and the total amount required
to either redeem the car or reinstate the contract. The Letter also contained a conspicuous notice
stating that Aguayo could be subject to suit and liability for any deficiency if the bank's
foreclosure sale was not sufficient to satisfy the unpaid balance, plus expenses. The language of
the letter, while closely tracking the requirements of California's Rees-Levering Act, did not
strictly comply with the special statutory warning requirements.
After sending the notice, the bank eventually sold the car when Aguayo did not redeem.
That left a deficiency that the bank sought from Aguayo. In response to the bank's demand for
the deficiency, Aguayo hired a lawyer and filed a class action suit on behalf of himself and all
similarly situated California consumers. Using the California Unfair Competition Law (UCL) as
a procedural vehicle, Aguayo alleged that the bank's noncompliance was an "unfair practice" that
wiped out any deficiency claim against himself and other class members for the last four years.
U.S. Bank moved to dismiss the case, arguing that OCC regulations, particularly 12 CFR
§ 7.4008, preempted the special Rees-Levering notice requirements.
The bank's preemption argument. The Ninth Circuit reversed the trial court's decision,
which had upheld the bank's preemption argument. The appellate court noted that there are three
types of preemption: (1) express preemption, where a federal statute explicitly describes an area
where state law has no effect; (2) field preemption, which is inferred when federal regulation in a
particular area is so pervasive as to leave no room for a state to supplement it; and (3) conflict
preemption, where compliance with both state and federal law at the same time is impossible, or
when state law "stands as an obstacle to the accomplishment and execution of the full purposes
and objectives of Congress." See Barnett Bank of Marion County, N.A. v. Nelson, 517 U.S. 25
(1996).
In ruling for the bank, the lower court had relied on express preemption, holding that the
post-repo notice requirements imposed by Rees-Levering were explicitly preempted by the OCC
regulation governing "[d]isclosure and advertising, including laws requiring specific statements,
information or other content to be included in credit application forms, credit solicitations,
billing statements, credit contracts or other credit-related documents." 12 CFR
§ 7.4008(d)(2)(viii). The lower court found that the Rees-Levering post-repo notice requirements
were "disclosures" found in "credit-related documents" within the meaning of the OCC
preemption regulation. The lower court acknowledged, but refused to apply, the "savings
clause" in the OCC regulation (12 CFR § 7.4008(e)) that explicitly lists categories of state laws
that are not preempted, including state laws pertaining to "rights to collect debts." The bank had
argued, and the lower court agreed, that it was unnecessary to consider the savings clause when
the state law fit within one of the expressly preempted categories such as "notices" found in
"credit-related documents."
Weighing the entire OCC regulation, the Ninth Circuit finds no preemption. The
Ninth Circuit reviewed the entirety of the regulation, including the savings clause. In doing so, it
distinguished a decision from Ohio where the court had found that the express preemption
regulation of the Office of Thrift Supervision (OTS) preempted Ohio law that imposed a special
post-repo notice requirement. Crespo v. WFS Financial, Inc., 580 F. Supp.2d 614, 66 UCC
Rep.2d 1021 (N.D. Ohio 2008). The Ninth Circuit concluded that the OCC regulation did not
purport to occupy the field as completely as the OTS regulation. In fact, the OTS regulation had
stunningly broad language: "OTS hereby occupies the entire field of lending regulation for
federal savings associations."
By contrast, the Ninth Circuit concluded that the OCC has "explicitly avoided full field
preemption in its rulemaking and has not been granted full field preemption by Congress." The
court felt that "the better course of action with the OCC [regulation] is to employ the standard
canon of construction that requires a reviewing court to read a statute or regulation in its entirety
when performing a preemption analysis." In the present case, the court felt it should consider the
language of the savings clause.
The Ninth Circuit focused on the language in the OCC regulation that explicitly saves
state laws regarding "rights to collect debts." The court stressed that debt collection, including
the right to repossess collateral that is the subject of a secured transaction, "has deep roots in
common law and remains a fixture of state, not federal, law." U.S. Bank did not dispute that its
security interest enforcement procedures were subject to the uniform rules of Article 9 of the
UCC. In fact, it cited an interpretive letter where the OCC makes it clear that Article 9 is not
preempted because it provides "the basic legal infrastructure" that supports national bank secured
lending and is "a uniform law of general applicability on which parties rely in their daily secured
transactions." OCC Inter. Letter No. 1005 (June 10, 2004). The bank contended, however, that
when a state steps beyond the uniform version of the UCC and imposes expanded post-repo
notice requirements, as in California's Rees-Levering law, federal preemption comes back
into play.
The Ninth Circuit rejected the bank's argument: "Tellingly, U.S. Bank fails to identify
what law applies with respect to repossessions and the notices due a borrower after a
repossession when a state chooses to adopt a nonuniform version of the UCC." The court felt
that the OCC was "vague" in its use of the term "credit-related documents" in the express
preemption subsection. By contrast, the Rees-Levering notice requirements clearly involved the
creditor's "right to collect debts" as that term is used in the savings clause, 12 CFR
§ 7.4008(e)(4). Compliance with the notice requirement was a condition of recovering a
deficiency. While it is true that the post-repo notice requirement affects banks in some ways, the
Ninth Circuit found that it did no more than "incidentally affect" the bank's lending operation.
The court also concluded that the post-repo notice was not a "disclosure" found in loan
solicitations, billing statements, and agreements (which would be preempted), but a "notice" after
the loan had gone sour (which was protected by the savings clause). The court summed up its
ruling as follows:
Reading the express preemption and savings clauses together, we
conclude that the Rees-Levering post-repossession notices are not
preempted under the regulation's vague terms "disclosure" and
"other credit-related documents" in light of the savings clause that
clearly exempts a [creditor's] rights to collect debts.
Some thoughts about the Ninth Circuit decision:
*The decision is significant in the limits it imposes on federal preemption under the OCC
regulations, particularly in the strength it gives to the savings clause of those regulations.
*The issue of nonuniform post-repo notice requirements imposed by state law will soon
be decided by the Fourth Circuit. Epps v. JPMorgan Chase Bank N.A., 2010 WL 4809130 (D.
Md. 2010)(special Maryland statute preempted by OCC regulation, 12 CFR § 7.4008(d)). This
federal district court decision is now on appeal to the Fourth Circuit, which should be handing
down a decision before the end of the year. For further analysis of this case, see the June 2011
issue of this newsletter. If the Fourth Circuit comes out in favor of preemption, the Supreme
Court may have to resolve the conflict in the circuits.
*The Ohio case discussed by the Ninth Circuit involved the very expansive OTS
preemption regs, which disappeared after the OTS was merged into the OCC, effective July 21,
2011, in line with the mandate of the Dodd-Frank Act.
*The teaching of the Ninth Circuit decision is that secured lenders should take care to
follow special foreclosure rules found in nonuniform amendments of the UCC, or in separate
consumer protection legislation in a particular state, at least if federal preemption is not
reasonably certain. U.S. Bank drew an expensive class action because of its failure to comply
with the Rees-Levering post-repo notice requirements in California. Even though the violation
was technical in nature, failure to comply left the secured creditor without any deficiency claim.
The effect of the violation was multiplied because it was part of a form used in multiple
enforcements of security interests.