Pular para o conteúdo principal
Beancount.io LogoBeancount.io

Why Regulation E Won't Save Your Business From Wire Fraud: UCC Article 4A Liability Explained

8 min para lerMike ThriftMike Thrift
Why Regulation E Won't Save Your Business From Wire Fraud: UCC Article 4A Liability Explained

A bookkeeper at a 12-person architecture firm gets an email that looks exactly like it's from the managing partner: wire $47,000 to a new vendor account today, it's urgent, we're closing on the permit fees. She sends it. Twenty minutes later the real partner walks by her desk and asks why the permit fees haven't been paid yet. The money is gone, wired to an account in another state, converted to crypto within the hour. She calls the bank expecting the same kind of protection she'd get if her personal debit card were used fraudulently at a gas station. That protection doesn't exist for business wire transfers — and the legal reason why is one almost no small business owner has ever heard of.

Consumers have Regulation E, the federal rule implementing the Electronic Fund Transfer Act, which caps a consumer's liability for unauthorized transfers and requires banks to provisionally credit disputed amounts while they investigate. Businesses don't get that. Commercial wire transfers are governed by a different, older, and far less forgiving body of law: Article 4A of the Uniform Commercial Code. Understanding the gap between the two — and what it actually takes to shift liability back onto the bank — is the difference between recovering a fraudulent wire and eating the loss.

Why Regulation E Doesn't Apply Here

2026-07-09-regulation-e-ucc-article-4a-business-wire-fraud-liability-guide

Regulation E's protections are built entirely around one word: "consumer." The rule covers electronic fund transfers involving a consumer asset account — personal checking, personal savings, and similar accounts used primarily for personal, family, or household purposes. The moment an account is a business account, and the funds transfer is a wire, EFTA and Regulation E step aside entirely and UCC Article 4A governs instead.

Article 4A was written specifically for the commercial funds-transfer system — Fedwire, CHIPS, and the correspondent-bank network that moves trillions of dollars a day between businesses. It applies exclusively to commercial payment orders, and it was drafted with a deliberate policy tradeoff: because wire transfers move enormous sums almost instantaneously and finality matters enormously to the banking system, the law puts more of the fraud-prevention burden on the business customer than consumer law puts on individuals. There's no chargeback right. No mandatory provisional credit while a dispute is investigated. No regulatory cap on how much of an unauthorized transfer a business can be on the hook for.

The Rule That Decides Who Eats the Loss

Article 4A's core liability provision — often cited as UCC § 4A-202 — sounds neutral on paper and is brutal in practice. If a bank and its business customer agreed in advance to a security procedure for authorizing wire instructions, and that procedure is "commercially reasonable," and the bank actually followed it in good faith when it processed the fraudulent wire, the loss falls on the customer — even though the wire was never actually authorized by anyone at the company.

There is one way out: the customer can avoid liability by proving the fraud was committed by someone with no connection whatsoever to the customer's business — no compromised employee credentials, no insider involvement, nothing that originated from inside the company's own systems or personnel. In a business email compromise scam, that's usually impossible to prove, because the fraud specifically works by compromising or spoofing something inside the company (an employee's inbox, a vendor relationship, an executive's typical communication style). The law essentially assumes that if the bank did its job and the breach happened somewhere in the customer's orbit, the customer bears the loss.

What "Commercially Reasonable" Actually Means

This is the phrase every business owner fighting a wire-fraud loss needs to understand, because it's the entire fight. Courts don't ask whether the bank's security procedure was the best available technology — they ask whether it was reasonable given that specific customer's transaction patterns, the security options the bank actually offered, and what similarly situated banks and customers use.

The leading case, Patco Construction Co. v. People's United Bank (1st Cir. 2012), is worth knowing even in outline. A construction company's online banking credentials were compromised, and the bank's system — despite having tools that could have flagged the transactions as unusual — approved a series of fraudulent wires because it applied the same generic, low-friction security procedure to every customer regardless of that customer's typical transaction size or pattern. The First Circuit ruled the bank's procedures were not commercially reasonable specifically because a one-size-fits-all approach fails Article 4A's requirement that security be evaluated in light of the particular customer's circumstances — not just "was some authentication method used," but "was this the right level of friction for what this customer normally does."

The practical lesson cuts both ways. If your bank offered you stronger authentication — dual authorization, call-back verification, transaction-limit alerts, out-of-band confirmation for new payees — and you declined it for convenience, that decision weakens your position if you're later defrauded and try to argue the bank's procedures were inadequate. Businesses that accept every optional security layer their bank offers are building the record they'll need if they ever have to fight a 4A-202 dispute.

The Deadline That Kills Most Claims Before They're Filed

Even a legitimate, provable fraud claim can die on a technicality: Article 4A gives customers up to one year from notification to dispute a wire transfer, but that's a default the parties can shorten by agreement — and most bank wire agreements do, commonly to 30 or 60 days. Miss that window and the transaction becomes final regardless of how clearly unauthorized it was.

This is a bookkeeping and internal-process issue as much as a legal one. A business that reconciles its bank accounts monthly, rather than weekly or daily, can easily burn through a 30-day contractual notice window before anyone even notices the fraudulent wire on a statement. Reconciliation frequency is a fraud-liability control, not just an accuracy exercise — the faster a discrepancy surfaces, the more legal options remain available to recover it.

The Account-Number Trap Behind Most BEC Losses

One provision of Article 4A explains why business email compromise schemes are so effective and so hard to reverse. When a wire instruction lists both a beneficiary name and an account number, and the two don't actually match at the receiving end, the receiving bank is legally entitled to rely on the account number alone — it has no duty to verify that the name matches the account. Fraudsters exploit this constantly: a spoofed email gives the real vendor's name but a fraudulent account number, the wire goes out under the legitimate-looking name, and it lands in an account the attacker controls. Because the receiving bank did nothing wrong under the law, there's very little recourse against it, and the fight comes back to whether the sending bank's security procedures were commercially reasonable in the first place.

The FBI's Internet Crime Complaint Center logged 24,768 business email compromise complaints in 2025 with $3.05 billion in reported losses — up from $2.77 billion the year before — and 86% of those fraudulent payments moved via wire or ACH, meaning they passed every upstream banking control without triggering an alert. That volume exists precisely because the legal framework makes wire fraud recovery so difficult once the money has moved.

What This Means for How You Book and Control Wire Payments

Because the law puts so much weight on process, the internal controls around who can initiate a wire and how it gets verified aren't just an operations best practice — they're the evidence you'd need in a 4A-202 fight. A few practices matter more than most owners realize:

  • Use every authentication layer your bank offers, even the inconvenient ones. Declining stronger security for speed is the single fact pattern that most consistently undermines a later fraud claim.
  • Require dual authorization for any new payee or any change to existing payee banking details, verified through a channel other than email — a phone call to a known number, not one provided in the suspicious message itself.
  • Reconcile bank accounts weekly at minimum for any business that sends wires regularly. A 30-day contractual notice deadline is not a monthly-close problem; it's a mid-month problem if the fraud happens early in the cycle.
  • Keep a clean, dated record of every wire authorization decision — who approved it, through what channel, against what verification. If a dispute ever turns on "was the bank's procedure commercially reasonable and did you follow your own agreed process," a business with clear records has a case; a business with none doesn't.

Clean, well-tagged transaction records also matter for a more mundane reason: knowing exactly when a wire was sent, from which account, and reconciled against which invoice is what lets a bookkeeper spot the anomaly in days instead of weeks. Beancount.io's plain-text, version-controlled ledgers make every transaction — including outbound wires — a dated, auditable entry rather than a line lost in a monthly bank statement PDF, which is exactly the kind of visibility that shrinks the window between "the fraud happened" and "we caught it." Get started for free and keep your financial records precise enough to catch problems before a contractual notice deadline closes the door on fixing them.