Wire transfer fraud continues to be a major source of loss for both banks and businesses. Though the schemes vary, they typically result in unauthorized transfers being initiated through an online banking portal. Fraudsters have become skilled at exploiting both human vulnerabilities and system weaknesses to move funds.

The risks of unauthorized wire transfers have been amplified by the recent release of the latest Mythos artificial intelligence (“AI”) platform. The reported capabilities of the newest Mythos platform should concern risk and security professionals of all kinds:

Anthropic said Mythos could identify and exploit “zero-day” flaws in every important IT operating system and web browser – if a user asked it to do so.

(The Guardian, What is Mythos AI and why could it be a threat to global cybersecurity?).

In other words, Mythos, and other AI engines, will soon turbocharge fraudsters’ ability to breach protected systems.

One of the major risks for organizations is that AI will make it even harder to protect against unauthorized wire transfers. Understanding how liability is allocated between banks and their customers is therefore essential.

Liability allocation is governed by Uniform Commercial Code (“UCC”) Article 4A. Courts have consistently held that Article 4A provides the exclusive means of recovering an unauthorized payment order, which generally bars customers from bringing negligence claims against their banks.

So, what does Article 4A require? In short, banks that agree with their customers to validate wire transfers using a commercially reasonable security procedure—and follow that procedure in good faith—will generally avoid liability for transfers that later turn out to be unauthorized. The critical questions become: (1) did the bank and customer agree on a commercially reasonable security procedure, and (2) did the bank follow it in good faith?

The release of Mythos and other advanced AI models threatens to upend what counts as “commercially reasonable.” The UCC’s drafters left the security standard intentionally vague because they intended it to evolve with technology. As AI models capable of cracking bank security proliferate, the standard for security procedures will inevitably shift.

In the wake of a significant wire transfer loss, parties should focus first on recovering funds from the receiving bank. If those funds are no longer available and insurance does not cover the loss, the bank and customer may be left to litigate whether the security procedures were commercially reasonable.