United States Court of Appeals
For the Eighth Circuit
___________________________
No. 13-1879
___________________________
Choice Escrow and Land Title, LLC
Plaintiff - Appellant
v.
BancorpSouth Bank
Defendant - Appellee
___________________________
No. 13-1931
___________________________
Choice Escrow and Land Title, LLC
Plaintiff - Appellee
v.
BancorpSouth Bank
Defendant - Appellant
____________
Appeal from United States District Court
for the Western District of Missouri - Springfield
____________
Submitted: March 11, 2014
Filed: June 11, 2014
____________
Before WOLLMAN, MURPHY, and GRUENDER, Circuit Judges.
WOLLMAN, Circuit Judge.
Internet fraudsters stole $440,000 from a bank account that Choice Escrow and
Land Title, LLC (Choice), maintained at BancorpSouth Bank (BancorpSouth).
Choice sued BancorpSouth for the lost funds, and BancorpSouth counterclaimed for
attorney’s fees. The questions presented in this case are thus (1) who should bear the
loss of the funds from Choice’s account, and (2) who should pay BancorpSouth’s
attorney’s fees. The district court, interpreting Article 4A of the Uniform
Commercial Code (U.C.C.), held that Choice should bear the loss of the funds from
its account and that BancorpSouth should pay its own attorney’s fees. We affirm the
district court’s loss-of-funds ruling, reverse its dismissal of BancorpSouth’s
counterclaim, and remand for further proceedings.
I.
This litigation began after an unknown third party accessed Choice’s online
bank account at BancorpSouth and instructed BancorpSouth to “wire” a large sum of
money from Choice’s account to a bank account in the Republic of Cyprus. To wire
money is to transfer it electronically, so named because it was once done via
telegram. In a typical wire transfer, a bank’s customer transmits instructions to the
bank to transfer money from the customer’s account to the account of a beneficiary;
these instructions are called a payment order. Because the customer is not physically
present at the bank, the bank uses security procedures, such as passwords and
electronic tokens, to verify that the person sending the payment order is actually the
customer. In this case, we confront what happens when those security procedures
fail.
Choice is a Missouri company that provides real estate escrow services. When
parties to a real estate transaction need a third party to hold money in escrow until
closing, they give it to Choice for safekeeping. In 2009, Choice opened a trust
account at BancorpSouth for this purpose: when a buyer entrusted funds to Choice,
Choice deposited the funds in its account at BancorpSouth and then wired the money
to the seller at closing. Choice’s employees performed these tasks over the Internet
using an online banking platform called InView. BancorpSouth provided Choice
with four security measures designed to ensure that Choice’s employees, and only
Choice’s employees, would be able to access Choice’s account.
First, BancorpSouth required each InView user to register a unique user id and
password. Whenever an employee of one of BancorpSouth’s institutional customers
wished to access the customer’s online bank account, the employee would be
prompted to enter this information. Without it, access to the account was impossible.
Second, BancorpSouth installed device authentication software called
PassMark. When a customer’s employee first registered for InView, PassMark
recorded the IP address[1] of the employee’s computer as well as information about the
computer itself—information relating to, for instance, the computer’s operating
system, central processing unit, browser, screen, time zone settings, and language
settings. Whenever any subsequent user attempted to access InView using that
employee’s user id and password, PassMark verified that the characteristics of that
user’s computer were consistent with the information PassMark had recorded about
the employee’s computer. In this way, PassMark verified that each InView user was
accessing InView from a recognized computer. If a user attempted to access InView
from an unrecognized computer, the user would be prompted to answer “challenge
questions” to verify the user’s identity. If the user answered these questions correctly,
the new computer would be added to the list of recognized computers, and the user
would be able to access InView.
[1] IP stands for Internet Protocol. An IP address is a series of numbers that
identifies a computer or other device on a network.
Third, BancorpSouth allowed its customers to place dollar limits on the daily
volume of wire transfer activity from their accounts. For instance, a customer could
limit the daily volume of wire transfers to $10,000 per day, in which case any attempt
to transfer more than $10,000 in a single day would be automatically denied. Choice
declined to place daily transfer limits on its account.
Fourth, BancorpSouth offered its customers a security measure called “dual
control.” Under this system, when an InView user submitted a payment order,
InView would not send the order to the bank immediately; rather, the request would
create a “pending” payment order that would appear in a separate queue in InView.
To send a pending payment order to the bank, a second authorized user, using a
unique user id and password, would have to log in to InView and separately approve
the pending payment order. If a customer declined the use of dual control,
BancorpSouth required that customer to sign a waiver acknowledging that it was
waiving dual control and that it understood the risks associated with using a single-
control (i.e., single-user) security system.
Choice declined the use of dual control and signed the requisite waiver. Thus,
Choice’s account at BancorpSouth was protected only by (1) the user id’s and
passwords of its employees, and (2) PassMark. Choice authorized two of its
employees, Cara Thulin and Brooke Black, to use InView, and it issued each
employee a unique user id and password for this purpose.
With these security measures in place, Choice could issue a payment order by
taking the following steps: First, either Thulin or Black would access
BancorpSouth’s website and log in to InView using her user id and password.
Second, PassMark would verify that Thulin or Black was accessing InView from a
recognized computer by checking the IP address and other specifications of the
computer. If the user was accessing InView from an unrecognized computer, she
would be prompted to answer challenge questions. Once the user cleared PassMark,
either by using a recognized computer or by correctly answering the challenge
questions, she would gain access to Choice’s bank account via InView. From there,
the user could issue payment orders to BancorpSouth and, as long as Choice had
enough funds in its account, those orders would be sent to one of six BancorpSouth
employees responsible for routing Choice’s payment orders. That employee would
then execute the payment order based on the information contained therein, and
BancorpSouth would debit the funds from Choice’s account and send Choice a fax
confirmation of the wire transfer.
In November 2009, Choice received an e-mail from one of its underwriters
describing a “phishing” scam in which an unscrupulous person tricks an unsuspecting
Internet user into downloading a computer virus, uses the virus to collect the victim’s
user id’s and passwords, and then uses that information to issue fraudulent payment
orders to the victim’s bank, transferring money from the victim’s account to overseas
banks beyond the reach of U.S. authorities.[2] Jim Payne, the Director of Business
Development at Choice, forwarded the e-mail to BancorpSouth on November 11,
2009, with the following note:
Please read the email forwarded from one of our underwriters. They
suggest a plan of action that included limiting wires to foreign banks.
Can we implement this and to what extent would our liability be if
fraudulent wire transfers were to occur?
[2] As another court has explained:
Phishing involves an attempt to acquire information such as usernames,
passwords, or financial data by a perpetrator masquerading as a
legitimate enterprise. Typically, the perpetrator will provide an e-mail
or link that directs the victim to enter or update personal information at
a phony website that mimics an established, legitimate website which
the victim either has used before or perceives to be a safe place to enter
information.
Patco Constr. Co. v. People’s United Bank, 684 F.3d 197, 204 (1st Cir. 2012).
Ashley Kester of BancorpSouth responded two days later:
Hi Jim, sorry to just now be responding. I had to do some research to
find out if this was possible. We are unable to stop just foreign wires,
the solution is dual control. We always recommend dual control on
wires. We discussed this when we setup InView and you decided to
waive the dual control. Would you like to consider adding it now? This
is the best solution, that way if someone in the company is compromised
then the hacker would not be able to initiate a wire with just the one
user’s information.
After Kester described the mechanics of dual control to Payne, Payne e-mailed
Kester once again declining the use of dual control:
Actually I don’t think that would be a good procedure for us—lots of
times Paige [Payne] is here by herself and that would be really tough
unless we all shared pass words.
Sometime after this exchange, a Choice employee fell prey to a phishing attack
and contracted a computer virus. This virus gave an unknown third party access to
the employee’s username and password and allowed the third party to mimic the
computer’s IP address and other characteristics, rendering InView’s password
prompts and PassMark’s device authentication procedures ineffectual. On March 17,
2010, this third party accessed Choice’s online bank account and issued a payment
order instructing BancorpSouth to transfer $440,000 from Choice’s account to a
banking institution in the Republic of Cyprus. BancorpSouth accepted and executed
the payment order. After attempts to recover the funds failed, Choice sued
BancorpSouth for the lost funds, and BancorpSouth counterclaimed for attorney’s
fees based on an indemnification agreement that it had executed with Choice.
The district court granted summary judgment to BancorpSouth after concluding
that Article 4A of the U.C.C. allocated the risk of loss from the fraudulent payment
order to Choice. The court then dismissed BancorpSouth’s counterclaim for
attorney’s fees on the pleadings after concluding that the indemnification agreement
at issue conflicted with the provisions of Article 4A and was thus unenforceable.
II.
We review the district court’s grant of summary judgment to BancorpSouth
de novo, viewing the evidence in the light most favorable to Choice. Hill v. Walker,
737 F.3d 1209, 1216 (8th Cir. 2013). Summary judgment is appropriate when there
is “no genuine dispute as to any material fact and the movant is entitled to judgment
as a matter of law.” Fed. R. Civ. P. 56(a). The parties agree that Article 4A, which
Mississippi enacted in its entirety in 1991, see Miss. Code Ann. § 75-4A-101 et seq.,
governs this dispute.[3]
[3] The parties specified in their contracts, and they agree now, that Mississippi
law governs this lawsuit. In this opinion, we refer to the relevant section of the
Mississippi code rather than the relevant section of the U.C.C. In enacting Article
4A, the Mississippi legislature kept the same numerical identifiers for each provision,
except that each identifier is preceded by a “75-”. So, for example, U.C.C. § 4A-202(a)
becomes Miss. Code Ann. § 75-4A-202(a). Interested readers may therefore
derive the relevant U.C.C. provision by looking at the latter two numerical groupings.
Article 4A was drafted in 1989 to account for a dramatic increase in wire
transfers between financial institutions and other commercial entities, commonly
called wholesale wire transfers to differentiate them from wire transfers by
consumers, which are governed by a separate federal statute, see 15 U.S.C. § 1693.
At the time Article 4A was drafted, the total volume of these wholesale transfers
exceeded one trillion dollars per day, see U.C.C. Art. 4A Refs. & Annos. prefatory
note, yet “there was no comprehensive body of law—statutory or judicial—that
defined the juridical nature of a funds transfer or the rights and obligations flowing
from payment orders[,]” Miss. Code Ann. § 75-4A-102 cmt. The drafters of Article
4A sought to create a legal framework that balanced these rights and obligations
between the bank and its institutional customer. As the Official Comments note:
Funds transfers involve competing interests—those of the banks
that provide funds transfer services and the commercial and financial
organizations that use the services, as well as the public interest. These
competing interests were represented in the drafting process and they
were thoroughly considered. The rules that emerged represent a careful
and delicate balancing of those interests and are intended to be the
exclusive means of determining the rights, duties and liabilities of the
affected parties in any situation covered by particular provisions of the
Article.
Id.
One of the liabilities balanced by Article 4A is the risk that a third party will
steal a customer’s identity and issue a fraudulent payment order to the bank.
Generally, the bank bears this risk.[4] Miss. Code Ann. § 75-4A-204. In two
circumstances, however, the bank may shift the risk of a fraudulent payment order to
the customer. The first is the rare circumstance in which the bank can prove that the
customer “authorized the order or is otherwise bound by it under the law of agency.”
Miss. Code Ann. § 75-4A-202(a). This circumstance is rare because ordinarily the
bank has “no way of determining the identity or the authority of the person who
caused the message to be sent,” and thus “[c]ommon law concepts of authority of
agent to bind principal are not helpful” in determining whether a customer is bound
by a payment order issued in its name. Miss. Code Ann. § 75-4A-203 cmt. 1.
[4] For a more thorough discussion of the different ways in which Article 4A
allocates this risk, see Patco Construction Co. v. People’s United Bank, 684 F.3d 197,
207-10 (1st Cir. 2012).
Because of this inadequacy, Article 4A contemplates a second circumstance in
which a customer will bear the risk of a fraudulent payment order. If a bank and its
customer agree to implement a security procedure designed to protect themselves
against fraud, then the customer will bear the risk of a fraudulent payment order if:
(i) the security procedure is a commercially reasonable method of
providing security against unauthorized payment orders, and
(ii) the bank proves that it accepted the payment order in good faith and
in compliance with the security procedure and any written agreement or
instruction of the customer restricting acceptance of payment orders
issued in the name of the customer.
Miss. Code Ann. § 75-4A-202(b). Article 4A thus permits the bank to take steps to
protect itself from liability by implementing commercially reasonable security
procedures. If the bank complies with these procedures in good faith and in
accordance with the customer’s instructions, the customer will bear the risk of loss
from a fraudulent payment order. Choice concedes that BancorpSouth complied with
its security procedures in accepting the March 17 payment order. Thus,
BancorpSouth is entitled to summary judgment if the undisputed facts show (1) that
BancorpSouth’s security procedures were commercially reasonable, (2) that
BancorpSouth accepted the payment order in good faith, and (3) that BancorpSouth
accepted the payment order in compliance with Choice’s written instructions.
A.
We first consider whether BancorpSouth’s security procedures were
commercially reasonable. We conclude that they were.
1.
A “security procedure” is a “procedure established by agreement of a customer
and a receiving bank for the purpose of . . . verifying that a payment order . . . is that
of the customer.” Miss. Code Ann. § 75-4A-201. As this definition makes clear, only
security measures “established by agreement” are considered “security procedures”
for purposes of Article 4A; security measures implemented unilaterally by the bank
are irrelevant. See Miss. Code Ann. § 75-4A-201 cmt.
There is one exception to the “established by agreement” rule. If a bank offers
its customer a security procedure, and the customer declines to use that procedure and
agrees in writing to be bound by payment orders issued in its name and accepted by
the bank in accordance with another security procedure, then the customer will bear
the risk of loss from a fraudulent payment order if the declined procedure was
commercially reasonable. Miss. Code Ann. § 75-4A-202(c). To synthesize the rule
and its exception: in assessing commercial reasonableness, courts consider (1)
security measures that the bank and customer agree to implement, and (2) security
measures that the bank offers to the customer but the customer declines, as long as
the customer agrees in writing to be bound by payment orders issued in its name
and accepted by the bank in accordance with another procedure.
Our first task is determining which of BancorpSouth’s security measures fit this
definition. Choice does not dispute that BancorpSouth’s password prompts, daily
transfer limits, and dual control system are security procedures that we may consider
under Article 4A, but it asserts that PassMark does not qualify as a security procedure
because BancorpSouth did not mention PassMark in any of its written contracts with
Choice or formally offer Choice the option to use the software.
Notwithstanding the absence of any explicit reference to PassMark in the
parties’ written contracts, however, there is ample evidence that the parties agreed to
implement PassMark. An agreement under the U.C.C. need not be a written contract;
rather, an “‘[a]greement,’ as distinguished from ‘contract,’ means the bargain of the
parties in fact, as found in their language or inferred from other circumstances[.]”
Miss. Code Ann. § 75-1-201. All BancorpSouth customers were required to register
for PassMark when they signed up for InView. It was thus impossible for any InView
user not to know that they were also using PassMark, and any customer that declined
to register for PassMark would be unable to use InView. Additionally, the addendum
to the Business Services Agreement between Choice and BancorpSouth states that
Choice “assumes full responsibility and risk of loss for all transactions made by
BancorpSouth . . . in accordance with . . . the procedures set forth in the InView User
Manual(s) and Help screens.” BancorpSouth posted a digital manual entitled
“PassMark Login Security” on the InView portal, so PassMark was incorporated at
least implicitly into the parties’ written contracts. In light of these facts, we are
satisfied that PassMark was “established by agreement” between Choice and
BancorpSouth. We thus consider all four of BancorpSouth’s security
measures—password protection, daily transfer limits, PassMark, and dual control—in
determining whether BancorpSouth’s security procedures were commercially
reasonable.
2.
In making this determination, we consider:
the wishes of the customer expressed to the bank, the circumstances of
the customer known to the bank, including the size, type, and frequency
of payment orders normally issued by the customer to the bank,
alternative security procedures offered to the customer, and security
procedures in general use by customers and receiving banks similarly
situated.
Miss. Code Ann. § 75-4A-202. The commercial reasonableness standard is designed
“to encourage banks to institute reasonable safeguards against fraud but not to make
them insurers against fraud.” Miss. Code Ann. § 75-4A-203 cmt. 4. Thus, “[t]he
standard is not whether the security procedure is the best available. Rather it is
whether the procedure is reasonable for the particular customer and the particular
bank, which is a lower standard.” Id.
At the threshold, we reject Choice’s argument that a commercially reasonable
security procedure must include a process whereby a human being manually reviews
every payment order submitted to the bank to ensure that no irregularities exist—what
Choice calls “transactional analysis.” Article 4A never mentions transactional
analysis, but Choice argues that because commercial reasonableness depends on the
“size, type, and frequency” of a customer’s payment orders, a commercially
reasonable security procedure must differentiate between payment orders based on
these factors. Choice further asserts that transactional analysis is the only way to
achieve this differentiation.
This argument misunderstands Article 4A’s intended audience. Article 4A
does not instruct the bank to consider the “size, type, and frequency” of each payment
order it receives in determining if those payment orders are potentially fraudulent; it
instructs the court to consider these factors in determining if a bank’s security
procedure is commercially reasonable—in other words, that the commercial
reasonableness of a bank’s security procedure depends on whether that procedure is
adequate to screen payment orders of the size, type, and frequency normally issued
to the bank. Such a procedure might involve “algorithms or other codes, identifying
words or numbers, encryption, callback procedures, or similar security devices,”
Miss. Code Ann. § 75-4A-201, none of which differentiate between payment orders
based on their “size, type, [or] frequency.” Yet notwithstanding that “[t]he concept
of what is commercially reasonable in each case is flexible,” Miss. Code Ann. § 75-
4A-203 cmt. 4, Choice argues that even all of these procedures combined would be
commercially unreasonable, as none of them involve transactional analysis. This
attempt to graft a rigid, foreign standard onto the commercial reasonableness inquiry
is at odds with essentially all of Article 4A, and we reject it.
Nor does the record evidence establish that BancorpSouth was required to
perform transactional analysis under these specific circumstances. The only person
who mentioned transactional analysis was Choice’s expert, who stated in his report
that transactional analysis “could be a very effective aid in deterring fraudulent
payment order transactions” and “would . . . be in line with Article 4A 202 (c).”
Neither statement indicates that BancorpSouth’s failure to use transactional analysis
was commercially unreasonable, and at any rate Choice’s expert admitted in his
deposition that, under the circumstances of this case, dual control could be a
commercially reasonable security procedure. BancorpSouth’s Senior Vice President
further testified that BancorpSouth conducts tens of thousands of wire transfers on
behalf of its roughly 400,000 checking account customers and that reviewing each
one of these transactions would be impracticable. Choice has presented no evidence
to contradict this testimony and, indeed, has failed to present any evidence tending
to show that a genuine question of fact exists as to whether BancorpSouth was
required to perform transactional analysis.
Having determined that BancorpSouth was not required to perform
transactional analysis, we turn to what it was required to do. We begin at the broadest
level of generality, by considering “security procedures in general use by customers
and receiving banks similarly situated[,]” Miss. Code Ann. § 75-4A-202. Our
primary authority in this endeavor is a 2005 report published by the Federal Financial
Institutions Examination Council (FFIEC)[5] called “Authentication in an Internet
Banking Environment,” (the Guidance), see Fed. Fin. Insts. Examination Council,
Authentication in an Internet Banking Environment (Oct. 12, 2005), available at
https://www.ffiec.gov/pdf/authentication_guidance.pdf. The parties agree that the
Guidance provides applicable standards of commercial reasonableness in this case.
[5] The FFIEC is a federal interagency council empowered to “prescribe uniform
principles and standards for the Federal examination of financial institutions by the
Office of the Comptroller of the Currency, the Federal Deposit Insurance
Corporation, the Board of Governors of the Federal Reserve System, the Federal
Home Loan Bank Board, and the National Credit Union Administration and make
recommendations to promote uniformity in the supervision of these financial
institutions.” 12 U.S.C. § 3301.
The Guidance draws a basic distinction between single-factor and multifactor
authentication. As the Guidance explains, most modern security procedures involve
one or more of the following three factors:
(1) Something the user knows, like a password or PIN;
(2) Something the user has, like an ATM card or smart card; and
(3) Something the user is, like a person with a unique fingerprint or
biometric characteristic.
Id. at 3. Security procedures that involve only one of the above three factors,
according to the Guidance, are inadequate to safeguard against modern Internet fraud.
Accordingly, the Guidance recommends that financial institutions implement security
procedures that use two or more of the above factors in combination. An ATM, for
instance, uses a multifactor security procedure that requires the user to provide
something the user has (an ATM card) as well as something the user knows (a PIN)
to use the machine. BancorpSouth’s security procedures also used multifactor
authentication: to access InView, a BancorpSouth customer had to enter the correct
password (something the user knows) and use a recognized computer (something the
user has).
Of course, cyber-crime evolves rapidly, and guidance issued in 2005 may
become obsolete in subsequent years. The Guidance thus states that banks should
“[a]djust, as appropriate, their information security program[s] in light of any relevant
changes in technology, the sensitivity of its customer information, and internal or
external threats to information.” Id. As BancorpSouth’s expert acknowledged,
during 2009 and 2010, cyber-criminals began using more sophisticated software that
could “take on the identity and internet configuration of the victim organization’s
personnel that were involved in the wire transfer process,” emulating the computer’s
IP address and using the employee’s passwords to bypass even multifactor security
procedures. This testimony suggests that multifactor authentication alone may have
been an inadequate safeguard against Internet fraud perpetrated in 2010.
BancorpSouth responded to this new threat by offering its customers dual
control, which dramatically reduces the possibility of such a breach. With dual
control in place, a customer’s account remains secure even if a third party manages
to obtain an employee’s password and IP address; to issue a payment order, that third
party would have to obtain a second, wholly independent set of identifying
information. Phishing scams work because one out of every few thousand recipients
of a malicious email will click on a link containing a virus, and the probability that
two employees at the same company would fall for the same scam is quite low.
Moreover, without a second user’s information, any attempt by a third party to issue
a payment order would alert the customer to the security breach by creating a pending
payment order that no one at the company had authorized.
Accordingly, because BancorpSouth comported with the 2005 Guidance and
expanded its security procedures to address security threats that arose after 2005, we
conclude that BancorpSouth’s security procedures comported with the standards set
by “security procedures in general use by customers and receiving banks similarly
situated.”
This does not end the inquiry, however: we must also consider whether
BancorpSouth’s security procedures were suitable for Choice given “the wishes of
the customer expressed to the bank” and “the circumstances of the customer known
to the bank, including the size, type, and frequency of payment orders normally issued
by the customer to the bank.” Miss. Code Ann. § 75-4A-202.
Contrary to Choice’s assertion, this does not mean that a bank must always use
a different security procedure for each customer. The Official Comment to
§ 75-4A-203 states that “[a] receiving bank might have several security procedures
that are designed to meet the varying needs of different customers” (emphasis added),
but it does not make this a requirement. If a bank develops a single effective and
versatile security procedure, it is not commercially unreasonable for the bank to use
that security procedure for the majority of its customers and depart from the
procedure only when necessary.
Choice asserts that such a departure was necessary in this case because Choice
did not have enough employees on hand to use dual control effectively—in other
words, that dual control was commercially unreasonable given the “circumstances of
the customer known to the bank” and the “wishes of the customer expressed to the
bank.” As set forth above, when BancorpSouth offered Choice dual control for the
second time, on November 13, 2009, Jim Payne of Choice responded, “Actually, I
don’t think that would be a good procedure for us—lots of times Paige [Payne] is here
by herself and that would be really tough unless we all shared pass words.”
Assuming that this statement is true, it does not mean that dual control was any
less suitable for Choice than the single-control option Choice ultimately chose to
implement. Paige Payne was not an authorized InView user, and if she was in the
office by herself, she would have been unable to issue payment orders regardless of
whether Choice had implemented single or dual control.
Perhaps Jim Payne intended in his e-mail to refer to either Thulin or Black, the
two Choice employees authorized to use InView, instead of Paige Payne. But both
Thulin and Black were full-time employees who were typically in the office during
normal business hours. To the extent that Choice needed to issue payment orders
outside of these hours, dual control would have been no less suitable for Choice than
single control, since neither Black nor Thulin would have been in the office at that
time.
Even if only one authorized InView user was in the office at certain times, dual
control would not have been a major hindrance on Choice’s ability to issue payment
orders. Simultaneous approval of a payment order is not required under dual control;
one employee may create a pending payment order in the morning, and a second
employee may come into the office in the afternoon and confirm the pending payment
order. Choice has not argued that it needed to be able to wire money at a moment’s
notice; indeed, the nature of its business suggests that Choice generally knew
beforehand when it needed to wire money to beneficiaries (namely, the date of a real
estate closing) and that it could plan accordingly. And even if a quick response time
was necessary in some circumstances, Choice could have solved this problem by
authorizing employees besides Black and Thulin to use InView.
In short, no genuine dispute of fact exists as to whether BancorpSouth’s
security procedures were commercially reasonable. Rather, this appears to be a case
where “an informed customer refuses a security procedure that is commercially
reasonable and suitable for that customer and insists on using a higher-risk procedure
because it is more convenient or cheaper[,]” in which case “the customer has
voluntarily assumed the risk of failure of the procedure and cannot shift the loss to
the bank.” See Miss. Code Ann. § 75-4A-203 cmt. 4. Choice knew that dual control
provided a reliable safeguard against Internet fraud, and it explicitly assumed the
risks of a lesser procedure notwithstanding the relative ease with which it could have
implemented dual control. Accordingly, we conclude that BancorpSouth’s security
procedures, which included password protection, daily transfer limits, device
authentication, and dual control, were commercially reasonable.
B.
The risk of a fraudulent payment order remains with BancorpSouth, however,
unless BancorpSouth also “proves that it accepted the [March 17] payment order in
good faith and in compliance with the security procedure and any written agreement
or instruction of the customer restricting acceptance of payment orders issued in the
name of the customer.” Miss. Code Ann. § 75-4A-202(b). Choice asserts that
BancorpSouth did not accept the payment order in good faith and that it violated
Choice’s written instructions in doing so. We disagree.
1.
Good faith “means honesty in fact and the observance of reasonable
commercial standards of fair dealing.” Miss. Code Ann. § 75-1-201(b)(20). This
two-pronged definition has both a subjective component—honesty in fact—and an
objective component—the observance of reasonable commercial standards of fair
dealing. In re Nieves, 648 F.3d 232, 239 (3d Cir. 2011). We are concerned with the
latter prong in this case: Choice concedes that BancorpSouth accepted the payment
order honestly, but it asserts that BancorpSouth did not observe reasonable
commercial standards of fair dealing in doing so.
The U.C.C.’s requirement that parties to a contract abide by reasonable
commercial standards of fair dealing—and the good faith doctrine generally—is
designed to ensure that each party to the contract performs its contractual duties in
a way that reflects the reasonable expectations of the other party. As the Permanent
Editorial Board Commentary explains:
The principal author of the Code, Karl Llewellyn, recognized that
parties develop expectations over time against the background of
commercial practices and that if commercial law fails to account for
those practices, it will cut against the parties’ actual expectations. . . .
[T]he doctrine of good faith . . . [thus] serves as a directive to protect the
reasonable expectations of the contracting parties.
U.C.C. App. II Commentary 10; see also Restatement (Second) of Contracts § 205
cmt. a (“Good faith performance or enforcement of a contract emphasizes faithfulness
to an agreed common purpose and consistency with the justified expectations of the
other party.”). One of the challenges in applying the good faith doctrine in the Article
4A context is the apparent overlap between a bank’s compliance with “commercial
standards of fair dealing” and its compliance with “commercially reasonable” security
procedures. It may appear at first glance that these inquiries are redundant, and some
courts have suggested (although not in the Article 4A context) that this is indeed the
case. See Watson Coatings, Inc. v. Am. Exp. Travel Related Servs., Inc., 436 F.3d
1036, 1042 (8th Cir. 2006); DBI Architects, P.C. v. Am. Express Travel-Related
Servs. Co., 388 F.3d 886, 895 (D.C. Cir. 2004).
But while there may be some evidentiary overlap between the commercial
reasonableness of a bank’s security procedures and its compliance with reasonable
commercial standards of fair dealing, we do not believe that the two inquiries are
coextensive. While the commercial reasonableness inquiry concerns the adequacy of
a bank’s security procedures, the objective good faith inquiry concerns a bank’s
acceptance of payment orders in accordance with those security procedures. In other
words, technical compliance with a security procedure is not enough under Article 4A;
instead, as the above-quoted materials indicate, the bank must abide by its procedures
in a way that reflects the parties’ reasonable expectations as to how those procedures
will operate.
Thus, the focus of our good faith inquiry is on the aspects of wire transfer that
are left to the bank’s discretion. See Milford-Bennington R. Co., Inc. v. Pan Am
Railways, Inc., 695 F.3d 175, 179 (1st Cir. 2012) (“The good-faith obligation limits
the parties’ discretion in contractual performance.”). Where, as here, a bank’s security
procedures do not depend on the judgment or discretion of its employees, the scope
of the good-faith inquiry under Article 4A is correspondingly narrow. The automation
of agreed-upon procedures generally ensures that those procedures will operate in a
way that is consistent with the customer’s expectations, as long as the procedures do
not “unreasonably vary from general banking usage”—in other words, as long as they
are commercially reasonable. Watson Coatings, 436 F.3d at 1042. We have already
determined that BancorpSouth’s security procedures were commercially reasonable,
and we need not revisit that determination here. Rather, to establish that it acted in
good faith, BancorpSouth must establish that its employees accepted and executed the
March 17 payment order in a way that comported with Choice’s reasonable
expectations, as established by reasonable commercial standards of fair dealing.6
6
The litigants propose a test for fair dealing first articulated by the Supreme
Judicial Court of Maine in Maine Family Federal Credit Union v. Sun Life Assurance
Co. of Canada, 727 A.2d 335, 342-43 (Me. 1999). For several reasons, we do not
believe the application of the Maine Family test in this case would be appropriate.
For one, the Maine Family test has been criticized for conflating fair dealing with due
care. See Travelers Cas. & Sur. Co. of Am. v. Wells Fargo Bank N.A., 374 F.3d 521,
527 (7th Cir. 2004); White, Summers, & Hillman, Uniform Commercial Code § 1:10
(6th ed.). For another, the Maine Family test seems tailored to the context of that
case, which concerned a holder in due course, and its application in the Article 4A
context would distort the balance of rights and obligations that Article 4A attempts
to strike between the bank and its institutional customer.
We are satisfied that BancorpSouth has met this burden. Choice was well aware
that the only time BancorpSouth employees saw its payment orders was after those
orders had already cleared BancorpSouth’s security procedures. Choice was also
aware that the role of those employees was not to check for any irregularities but to
route these payment orders to the correct beneficiaries. Jeff Jaggers, a senior vice
president at BancorpSouth, testified that in his thirty years of banking experience it
was “normal banking practice” for a bank’s employees to route payment orders
submitted in compliance with a security procedure without conducting any further
review to determine if those payment orders were somehow suspicious.7 And even if
BancorpSouth’s employees should have been expected to conduct some common-
sense manual review of payment orders—for instance, by flagging a payment order
for $10,000,000 from a customer with only $10,000 in its account—the March 17
payment order was not so unusual that it should have raised eyebrows. BancorpSouth
provided evidence that the March 17 payment order was not the largest order that
Choice had ever submitted and that Choice’s wire transfers followed no general
pattern and varied in size from a few thousand dollars to a few hundred thousand
dollars. In response, Choice asserts that the memo line of the March 17 payment
order, which read “invoice:equipment,” was inconsistent with Choice’s business and
with its past practice in issuing payment orders. Choice, of course, is a real estate
escrow company with little use for equipment, and the memo line had been filled out
in only 13% of Choice’s previous payment orders. But the memo line’s two-word
description does not make the March 17 payment order so suspicious that
BancorpSouth acted in bad faith by failing to notice it; if BancorpSouth’s employees
had to remember the business of each of BancorpSouth’s 400,000 clients to ensure that
the memo line of each payment order made sense, BancorpSouth would not be in
business long. This is not a case where a bank “allow[ed] overdrafts totaling $5
million from a single account that usually ha[d] a zero balance.” Experi-Metal, Inc.
v. Comerica Bank, 2011 WL 2433383, at *14 (E. D. Mich. June 13, 2011). This is a
case where a bank promptly executed a payment order that had cleared the bank’s
commercially reasonable security procedures and that the bank had no independent
reason to suspect was fraudulent. Accordingly, we conclude that BancorpSouth has
met its burden of establishing beyond genuine factual dispute that it accepted the
March 17 payment order in good faith.
7
Choice asserts that, under Federal Rule of Evidence 702, expert testimony is
necessary to establish reasonable commercial standards of fair dealing in an industry.
But Rule 702 has nothing to do with issues of proof; it merely explains the conditions
under which an expert witness may testify. Expert testimony is one way to establish
reasonable commercial standards of fair dealing, but it is not the only way. See, e.g.,
Nanakuli Paving & Rock Co. v. Shell Oil Co., 664 F.2d 772, 784-85 (9th Cir. 1981).
2.
The last element BancorpSouth must prove to shift the loss from the March 17
payment order to Choice is that BancorpSouth accepted the payment order in
compliance with Choice’s instructions. Choice attempts to shortcut the issue by
arguing that BancorpSouth admitted in its answer that it had violated Choice’s
instructions by “Admit[ting]” the following allegation in Choice’s complaint:
61. Choice by email on or about November 11, 2009, from Jim
Payne to Ashley Kester, expressed to BancorpSouth its wish,
requirement and/or instruction that BancorpSouth limit transfers to
foreign banks.
According to Choice, BancorpSouth’s response of “Admit” to this paragraph
amounts to an admission that BancorpSouth violated Choice’s “wish, requirement,
and/or instruction” to limit foreign wire transfers. The merit of this argument depends
on how one interprets “and/or.” Choice asserts that “and/or” means “and,” which is
incorrect: “and/or” is an ambiguous phrase that usually means “one or the other or
both.” See Bryan A. Garner, Garner’s Modern American Usage 45 (3d ed. 2009). The
natural reading of BancorpSouth’s admission is thus that Choice had expressed to
BancorpSouth its “wish, requirement, or instruction, or some combination of the
three” that BancorpSouth stop foreign wires. A judicial admission must be deliberate,
clear, and unambiguous, see MacDonald v. Gen. Motors Corp., 110 F.3d 337, 340 (6th
Cir. 1997); Rowe Int’l, Inc. v. J-B Enterprises, Inc., 647 F.2d 830, 836 (8th Cir. 1981),
and Choice’s use of the phrase “and/or” in its complaint renders BancorpSouth’s
subsequent concession anything but.
Turning to the substance of this dispute, we conclude that BancorpSouth did not
violate any of Choice’s instructions by accepting the March 17 payment order. The
only evidence of an instruction is the November 11 e-mail from Jim Payne to Ashley
Kester asking if it would be possible to stop foreign wire transfers. Payne himself
agreed in his deposition that the e-mail was properly characterized as an “inquir[y],”
and when BancorpSouth replied that it was “unable to stop just foreign wires,” Choice
did not press the issue further. This exchange does not constitute an instruction.
In sum, because BancorpSouth’s security procedures were commercially
reasonable, because BancorpSouth complied with its security procedures and with
Choice’s instructions, and because BancorpSouth accepted the March 17 payment
order in good faith, the loss of funds from Choice’s account falls on Choice.
III.
Finally, we turn to whether BancorpSouth is entitled to attorney’s fees based on
an indemnification agreement it executed with Choice. The district court dismissed
BancorpSouth’s counterclaim for attorney’s fees on the pleadings after concluding that
the indemnification provision in question conflicted with the provisions of Article 4A
and was thus unenforceable. We review the dismissal of this counterclaim de novo.
Levy v. OHL, 477 F.3d 988, 991 (8th Cir. 2007).
The indemnification provision states as follows:
As long as BancorpSouth has performed as provided in Section
8 above, the Customer shall indemnify and hold BancorpSouth harmless
from any and all claims, damages, losses, liabilities, and costs and
expenses, including reasonable attorney’s fees, which relate in any
manner to the Services performed under this Agreement.
“Unless displaced by the particular provisions of the Uniform Commercial
Code, the principles of law and equity . . . supplement” the provisions of Article 4A.
Miss. Code Ann. § 75-1-103. But Article 4A preempts common law causes of action
“in two specific areas: (1) where the common law claims would create rights, duties,
or liability inconsistent with [Article 4A]; and (2) where the circumstances giving rise
to the common law claims are specifically covered by [Article 4A].” Zengen, Inc. v.
Comerica Bank, 158 P.3d 800, 808 (Cal. 2007). The district court, acknowledging
that the issue was a “close call,” held that the above-quoted indemnification provision
would create rights and liabilities that were inconsistent with Article 4A because the
provision “could effectively require Choice to pay back to [BancorpSouth] those
amounts that [BancorpSouth] might owe to Choice under [Article 4A].” D. Ct. Order
of Aug. 30, 2012, at 3. In other words, by requiring Choice to indemnify
BancorpSouth for all “damages, losses, [and] liabilities” stemming from a fraudulent
payment order, the indemnification provision would frustrate Article 4A’s attempts
to balance this risk between the bank and its customer.
But the section of the indemnification provision dealing with “damages, losses,
[and] liabilities” is not at issue in BancorpSouth’s counterclaim. BancorpSouth’s
counterclaim seeks attorney’s fees, not damages stemming from the fraudulent
payment order, and Article 4A contains no provision allocating attorney’s fees
between the bank and its customer in the event of litigation. Although awarding
attorney’s fees to a bank under an indemnification agreement might reduce a
customer’s overall recovery against that bank, it would do so for reasons extrinsic to
Article 4A’s attempts to balance the risk of loss due to a fraudulent payment order.
We thus conclude that the portion of the indemnification provision relating to
attorney’s fees is not inconsistent with Article 4A and that BancorpSouth may seek
attorney’s fees from Choice under this provision.8
IV.
We affirm the district court’s grant of summary judgment to BancorpSouth,
reverse the district court’s dismissal of BancorpSouth’s counterclaim on the pleadings,
and remand for further proceedings consistent with this opinion.
______________________
8
We have considered, and we now deny, Choice’s motion to strike portions of
BancorpSouth’s appellate brief relating to attorney’s fees.