         Case: 11-15804   Date Filed: 11/27/2012   Page: 1 of 26

                                                          [PUBLISH]

          IN THE UNITED STATES COURT OF APPEALS

                   FOR THE ELEVENTH CIRCUIT
                     ________________________

                           No. 11-15804
                     ________________________

                 D.C. Docket No. 1:10-cv-23244-EGT


ROGER CHAVEZ,

                                                    Plaintiff - Appellant,

                                versus

MERCANTIL COMMERCEBANK, N.A.,

                                                    Defendant - Appellee.


                     ________________________

              Appeal from the United States District Court
                  for the Southern District of Florida
                    ________________________

                          (November 27, 2012)
               Case: 11-15804       Date Filed: 11/27/2012       Page: 2 of 26

Before BARKETT and PRYOR, Circuit Judges, and BATTEN, * District Judge.

BATTEN, District Judge:

       Roger Chavez is a customer of Mercantil Commercebank, N.A. (“the

bank”). This case involves an allegedly fraudulent payment order that resulted in

the bank’s transfer of $329,500 from his account to someone in the Dominican

Republic. Chavez sued the bank to recover the $329,500. In response to Chavez’s

complaint, the bank asserted, inter alia, an affirmative defense premised upon Fla.

Stat. § 670.202(2), which relieves a bank of liability for fraudulent payment orders

in certain situations. The district court granted the bank’s motion for summary

judgment and denied Chavez’s motion for partial summary judgment on this

defense. Chavez appeals.

       Generally speaking, under Florida’s version of the Uniform Commercial

Code (“UCC”), if a bank and its customer agree upon a “security procedure,” as

that phrase is defined by Fla. Stat. § 670.201, and the procedure is commercially

reasonable, a bank is absolved of liability for a fraudulent transfer of the

customer’s funds if the bank, when processing an order to transfer the customer’s

funds, follows the security procedure in good faith. See FLA. STAT. §§ 670.201 &

670.202(2). We conclude that the parties’ agreed-upon security procedure does not



       *
        Honorable Timothy C. Batten, Sr., United States District Judge for the Northern District
of Georgia, sitting by designation.
                                               2
              Case: 11-15804        Date Filed: 11/27/2012   Page: 3 of 26

satisfy § 670.201 and consequently § 670.202(2) does not apply. Accordingly, we

reverse.

                               I.      BACKGROUND

      In September 2002, Chavez, a resident of Venezuela, opened an account

with the bank, which is located in Miami, Florida. Chavez contends that when he

opened his account, the bank created and maintained an electronic file that had a

copy of his passport and that included his address and phone number.

      Chavez’s account was subject to the bank’s funds transfer agreement

(“FTA”). Relevant to the current dispute is § 5 of the FTA, which details the

security procedure for the account. In general, a security procedure is a procedure

that the bank uses when processing payment orders in order to verify the

authenticity of the order and to detect any errors in their transmission or content.

FLA. STAT. § 670.201. Section 5 of the FTA provides in pertinent part:

      (i)    The parties shall comply with the security procedure selected
             on Annex 1 to this Agreement (the “Security Procedure”). . . .

      (ii)   The use of the Security Procedure is hereby accepted and
             authorized by the Client and, unless and until any writing that is
             signed by the Bank and made a part of this Agreement, the use
             of the Security Procedure in the manner set forth in this
             Agreement shall be the sole security procedure required with
             respect to any Order, and the Client acknowledges and agrees
             that: (a) the Bank offers various procedures affording differing
             degrees of security; (b) the Security Procedure is sufficient to
             protect the interests of the Client in light of the Client’s needs,
             and no special circumstances exist with respect to the Client
             that would require any other security procedure; and (c) the
                                             3
              Case: 11-15804     Date Filed: 11/27/2012   Page: 4 of 26

              Security Procedure is a method of providing security against
              unauthorized Orders that is commercially reasonable under the
              circumstances of the Client and in light of the size, type,
              frequency and volume of Transfers the Client contemplates
              undertaking.

      (iii)   The Bank may execute any Payment Order and act on any other
              instruction relating to the Payment Order and the Payment
              Order or instruction shall be effective as the Client’s Order,
              whether or not authorized by the Client and regardless of the
              actual transmitter, provided that the Bank accepts the Payment
              Order or instruction in good faith and in compliance with the
              Security Procedure. At its option, the Bank may use, in
              addition to the Security Procedure selected by the Client, any
              other means to verify any Payment Order or related instruction.

      (iv)    The Client shall preserve the security and confidentiality of the
              Security Procedure and any related devices or materials, and
              shall promptly notify the Bank of any suspected compromise of
              the integrity of the Security Procedure.

      (v)     The Client acknowledges that the sole purpose of the Security
              Procedure is to determine the authenticity of Orders, and not to
              determine their accuracy. . . .

As indicated above, § 5(i) incorporates by reference a document entitled Annex 1,

which lists three different options for security procedures that the bank will use

when processing a customer’s payment orders. Depending on the option,

customers can select one option and at most two options.

      Chavez selected only the first option, “Written Payment Orders.” It

provides:

             Written Payment Orders shall be delivered by an Authorized
      Representative (as defined below) to the Bank either in original form,
      in person or by mail, or by facsimile transmission. Each written
                                          4
             Case: 11-15804     Date Filed: 11/27/2012   Page: 5 of 26

      Payment Order must be signed by at least one Authorized
      Representative or, if the terms of the account to which the Payment
      Order relates (the “Affected Account”) require signature by more than
      one Authorized Representative, by the number of Authorized
      Representatives so required. Each written Payment Order not
      delivered to the Bank in person by an Authorized Representative must
      be confirmed by the Bank by telephone callback to any person who
      identifies himself or herself to the Bank’s satisfaction as one of the
      Authorized Representatives, (irrespective of whether the terms of the
      Affected Account require more than one Authorized Representative to
      sign Payment Orders)….

For Chavez’s account, he was the only authorized representative. Thus, for written

payment orders delivered in person, Chavez had to sign the payment order.

      On February 4, 2008, Chavez flew to Miami and visited the bank’s Doral

branch. He inquired about why he had not been receiving monthly statements, and

he made a large cash deposit. The next day, he returned and made a smaller cash

deposit. On February 6, he returned his rental car to the Miami airport around 6:40

a.m. and flew back to Venezuela.

      On February 6, someone purporting to be Chavez went to the Doral branch

with a written payment order for $329,500. Chavez contends that he had already

departed for Venezuela at the time the payment order was delivered to the bank.

The order was processed by bank employee Rossana Gutierrez, who was a greeter

at the bank, but she occasionally performed the responsibilities of a customer

service representative, the type of employee who would typically process a

payment order.


                                         5
             Case: 11-15804     Date Filed: 11/27/2012   Page: 6 of 26

      According to the district court, Gutierrez confirmed (1) the information on

the payment order, (2) the customer’s identity via an identification document

provided by the customer, (3) the sufficiency of funds in the account, (4) the

existence of an FTA for the account, and (5) the authenticity of the signature on the

payment order. She then obtained written approval from two branch officers, Talia

Pina and Lolita Peroza, who then performed additional steps to verify the

authenticity of the payment order. After Pina and Peroza signed off on the order,

Gutierrez submitted the payment order for completion, and on February 7 the funds

were transferred from Chavez’s account to a beneficiary in the Dominican

Republic.

      The bank’s security cameras were not working on the day the payment order

was delivered, and Gutierrez did not make a copy of the ID she was shown. As a

result, the identity of the person allegedly impersonating Chavez cannot be

determined. The bank does not concede that the person presenting the payment

order was not in fact Chavez or someone acting on his behalf.

      On April 14, 2008, over two months after the payment order was processed,

Chavez checked his account online from Venezuela. He claims that this is when

he first learned that his balance was considerably lower than expected. He called

the bank and allegedly learned for the first time of the February 7 payment order

and transfer of the $329,500.

                                          6
              Case: 11-15804    Date Filed: 11/27/2012   Page: 7 of 26

      On August 6, 2010, Chavez filed this action against the bank in state court,

seeking to recover the $329,500 transferred from his account. The bank timely

removed the action to the U.S. District Court for the Southern District of Florida.

      The bank filed a motion for summary judgment in which it argued that its

third affirmative defense, premised upon the safe-harbor provision in § 202, shifted

the risk of loss to Chavez. Chavez filed a motion for partial summary judgment in

which he contended that the bank’s safe-harbor defense failed as a matter of law.

      The district court entered an order granting the bank’s motion and denying

Chavez’s. The district court ruled that the safe-harbor provision in § 202(2) shifted

the risk of loss from the bank to Chavez because the parties’ agreed-upon security

procedure satisfied the statutory definition of a “security procedure” contained in

§ 201, the bank’s security procedure was commercially reasonable, and the bank

complied with its security procedure in good faith.

                        II.    STANDARD OF REVIEW

      We review de novo a district court’s rulings on cross-motions for summary

judgment, Owen v. I.C. Sys., Inc., 629 F.3d 1263, 1270 (11th Cir. 2011), and the

facts are viewed in the light most favorable to the non-moving party on each

motion, Am. Bankers Ins. Grp. v. United States, 408 F.3d 1328, 1331 (11th Cir.

2005). Summary judgment is appropriate when “there is no genuine dispute as to




                                          7
              Case: 11-15804     Date Filed: 11/27/2012   Page: 8 of 26

any material fact and the movant is entitled to judgment as a matter of law.” FED.

R. CIV. P. 56(a).

                                III.   DISCUSSION

      We divide our discussion into three parts. We begin with a brief overview

of Article 4A of the UCC, which has been adopted in Florida. We then address the

safe-harbor defense and what the bank must show to shift the risk of loss from the

bank to Chavez. Lastly, we address what the parties’ agreed-upon security

procedure actually was and whether that procedure satisfied § 201.

A.    Article 4A of the Uniform Commercial Code

      As this case involves a payment order, Article 4A of the UCC applies.

Given the oftentimes confusing nature of UCC provisions and case law applying

them, we give a brief overview of the article.

      Article 4A, as adopted in Florida, “governs a specialized method of payment

referred to in the Article as a funds transfer but also commonly referred to in the

commercial community as a wholesale wire transfer.” FLA. STAT. § 670.102

cmt. The article is meant to govern the rights, duties and liabilities of banks and

their customers with respect to funds transfers, which may be initiated by a written

payment order. Id. § 670.103.




                                          8
                Case: 11-15804   Date Filed: 11/27/2012     Page: 9 of 26

      The statutes at issue here are Fla. Stat. §§ 670.201 & 670.202. Section 201

defines “security procedure.” Section 202 addresses when a bank can shift the risk

of loss to the customer, i.e., the safe-harbor provision.

      Ordinarily, the bank receiving a payment order bears the risk of loss of any

unauthorized funds transfer. FLA. STAT. § 670.204. However, pursuant to § 202

the bank may shift the risk of loss to the customer by showing one of two things:

(1) the “payment order received . . . is the authorized order of the person identified

as sender if that person authorized the order or is otherwise bound by it under the

law of agency,” id. § 670.202(1), or (2) the parties agreed to a security procedure

that is commercially reasonable and that the bank followed in good faith, id.

§ 670.202(2).

      Section 202(1) is not before us, as the bank did not rely upon it when filing

its motion for summary judgment. The bank moved for summary judgment

pursuant to only § 202(2), which provides in pertinent part,

             If a bank and its customer have agreed that the authenticity of
      payment orders issued to the bank in the name of the customer as
      sender will be verified pursuant to a security procedure, a payment
      order received by the receiving bank is effective as the order of the
      customer, whether or not authorized, if the security procedure is a
      commercially reasonable method of providing security against
      unauthorized payment orders and the bank proves that it accepted the
      payment order in good faith and in compliance with the security
      procedure and any written agreement or instruction of the customer
      restricting acceptance of payment orders issued in the name of the
      customer. . . .

                                           9
             Case: 11-15804     Date Filed: 11/27/2012    Page: 10 of 26

Thus, § 202(2) imposes three requirements: (1) the bank and the customer must

have agreed on a security procedure for verifying payment orders; (2) the agreed-

upon security procedure must be a “commercially reasonable method of providing

security against unauthorized payment orders”; and (3) the bank must have

accepted the payment order in good faith and in compliance with the security

procedure and any relevant written agreement or customer instruction. With

respect to the first requirement, the agreed-upon security procedure must satisfy

the definition of that term in § 201. With respect to the second requirement, the

commercial reasonableness of a security procedure is a question of law for the

court. Id. § 670.202(3).

B.    Safe Harbor

      The bank based its third affirmative defense on § 202(2), asserting that the

parties’ agreed-upon security procedure was commercially reasonable, it accepted

the payment order in good faith, and consequently the safe-harbor provision shifted

the risk of loss to Chavez. The district court agreed and granted the bank summary

judgment based on this defense.

      As stated above, the first element of § 202(2) requires the bank to show that

it and Chavez agreed upon a security procedure and that the procedure satisfies the

definition of that term in § 201. Consequently, this is where we begin our analysis.

It is undisputed that the parties agreed to a security procedure for verifying

                                          10
             Case: 11-15804     Date Filed: 11/27/2012   Page: 11 of 26

payment orders. However, the parties disagree as to the scope of the agreed-upon

security procedure. Thus, we first identify the security procedure to which the

parties agreed. We then assess whether the agreed-upon procedure satisfies the

definition of “security procedure” contained in § 201.

      1.     The Agreed-Upon Security Procedure

      Chavez contends that the district court misinterpreted the FTA and the

security procedure identified therein. He asserts that § 5 of the FTA “expressly

provides that the sole agreed security procedure is set forth in Annex 1 and shall

remain exclusively so unless and until amended by a writing signed by the bank

and made a part of the contract.” Chavez argues that no such writing exists, and as

a result the security procedure is limited to the annex option selected by Chavez,

i.e., a written payment order signed and delivered by an authorized representative.

      The bank responds that Chavez misconstrues the FTA by ignoring § 5(iii),

which provides in part, “At its option, the Bank may use, in addition to the

Security Procedure selected by the Client, any other means to verify any Payment

Order or related instruction.” The bank contends that this language allows it to add

additional procedures—which it actually used—and which, when coupled with the

security procedure set forth in the annex, combine to provide for a security

procedure that satisfies §§ 201 & 202. In other words, the bank asserts that the




                                         11
             Case: 11-15804     Date Filed: 11/27/2012   Page: 12 of 26

agreed-upon security procedure included both the procedure in the annex and the

“other means” referenced in § 5(iii).

      The district court accepted the bank’s position, citing Filho v. Interaudi

Bank, No. 03 Civ. 4795(SAS), 2008 WL 1752693, at *4 (S.D.N.Y. Apr. 16, 2008),

and held that the agreed-upon security procedure was (1) the procedure in the

annex and (2) certain procedures (but not all) the bank, at its option, used when it

processed a payment order.

      Section 201 defines a security procedure as a “procedure established by

agreement of a customer and a receiving bank for the purpose of: (1) Verifying that

a payment order or communication amending or canceling a payment order is that

of the customer; or (2) Detecting error in the transmission or the content of the

payment order or communication.” Thus, the security procedure must be one

established by agreement of the parties. To determine what Chavez and the bank

agreed to, we turn to the FTA and the annex.

      Section 5(i) of the FTA provides, “The parties shall comply with the security

procedure selected on Annex 1 to the Agreement (the ‘Security Procedure’).”

Thus, the FTA makes the phrase “Security Procedure” a defined term, and through

Chavez’s selection of option one on the annex, limits its meaning to a written

payment order delivered and signed by an authorized representative. The

remainder of § 5 refers solely to “the Security Procedure,” which further shows

                                          12
             Case: 11-15804     Date Filed: 11/27/2012    Page: 13 of 26

that the parties consistently used the limited term in its defined sense. In addition,

§ 5(ii) states that “the use of the Security Procedure in the manner set forth in this

Agreement shall be the sole security procedure required with respect to any

Order.” (Emphasis added.) This unambiguous language shows that the parties

agreed upon only the security procedure selected by Chavez in the annex.

      The district court’s holding that the parties agreed in § 5(iii) that the bank

could use other procedures, in addition to the one selected by Chavez, to satisfy

§ 201 was error. Section 5(iii) provides that the bank “may use . . . any other

means to verify any Payment Order or related instruction.” (Emphasis added.)

Relying on Filho, 2008 WL 1752693, at *4, the district court interpreted § 5(iii) as

broadening the parties’ agreed-upon security procedure to include an identification

verification before execution of payment orders. However, the language of § 5

does not support the district court’s holding.

      As discussed above, §§ 5(i) & (ii) of the FTA explicitly limit the agreed-

upon security procedure to the procedure selected by Chavez. Section 5(iii) does

not change that. It provides that the bank “may use, in addition to the Security

Procedure selected by the Client, any other means” to verify payment orders. This

language does not show that the “any other means” is a security procedure. In fact,

it shows just the opposite, as § 5(iii) intentionally sets “any other means” apart

from the defined “Security Procedure.” In addition, the bank—which drafted the

                                          13
               Case: 11-15804     Date Filed: 11/27/2012    Page: 14 of 26

FTA and therefore will have any ambiguities construed against it—defined “the

Security Procedure” in § 5(i) and chose not to include within that definition the

language in § 5(iii). Consequently, “any other means” is not synonymous with

“additional security procedures agreed upon by the parties,” as the district court

held.

        Filho, upon which the district court relied, is inapposite. There, the plaintiffs

signed an agreement that explicitly provided that their bank would “select security

procedures for accepting instructions that are commercially reasonable,” 2008 WL

1752693, at *4, and the court understandably held that in so doing the plaintiffs

had agreed that they would be bound by whatever commercially reasonable

security procedure the bank selected. The court reasoned that as long as the

selected procedure was commercially reasonable, the plaintiffs could not complain

about what the bank selected. What was important was that the agreement, signed

by the plaintiffs, explicitly granted to the bank the right to select the security

procedure.

        Section 5(iii) does not do this. Its language that the bank may use “any other

means to verify any Payment Order” does not constitute an agreement by Chavez

that the bank had the power, at its sole discretion, to select any security procedure

as long as the procedure was commercially reasonable. It appears that the bank

drafted § 5(iii) to enable but not require it to use other means when processing

                                            14
               Case: 11-15804       Date Filed: 11/27/2012      Page: 15 of 26

payment orders, and Chavez could not be heard to complain if the bank failed to

employ those additional security procedures—because the parties never agreed that

the bank would use such additional security procedures. 1 As a result, in § 5(ii)(c)

the parties agreed that only “the Security Procedure [from the annex] is a method

of providing security against unauthorized Orders that is commercially

reasonable.” Conspicuously absent from this provision is incorporation of the “any

other means” provided for in § 5(iii).

       The procedure for adding or changing “the Security Procedure” further

supports the conclusion that Chavez did not agree in § 5(iii) that the bank could

choose whatever security procedures it wanted. Section 5(ii) provides that “unless

and until any additional or different procedures are specified in a writing that is

signed by [the bank] and made a part of” the FTA, the only required security

procedure was the one Chavez selected. It is undisputed that there was no writing

modifying the security procedure he selected.



       1
          As Filho suggests, the bank could edit the FTA to permit it to use commercially
reasonable security procedures without providing additional detail about what those procedures
are; then it would be free to choose whatever procedures it wanted to verify payment orders, of
course mindful that “a bank that chooses unreasonable procedures does so at its own peril.”
Filho, 2008 WL 1756293, at *4. See also Patco Constr. Co. v. People’s United Bank, No. 2:09-
cv-503-DBH, 2011 WL 2174507, at *24 (D. Me. May 27, 2011) (addressing commercial
reasonableness first and not addressing customer’s argument that it did not agree to security
procedures bank used because customer failed to respond to bank’s argument that it had in fact
agreed “expressly and/or implicitly, to the full panoply of security measures implemented by the
Bank.”), rev’d on other grounds, Patco Constr. Co. v. People’s United Bank, 684 F.3d 197 (1st
Cir. 2012).
                                               15
             Case: 11-15804       Date Filed: 11/27/2012   Page: 16 of 26

      The bank contends that § 5(ii) applies only to changes to the annex, not to

the additional security procedures it could add through § 5(iii). However, even

assuming that § 5(iii) actually allows the bank to add additional security

procedures, § 5(ii) does not contain any language that supports the limitation the

bank proposes. Quite plainly, § 5(ii) provides that it applies to additional and

different procedures, and there is nothing therein to suggest that this language

excludes the procedures in § 5(iii). In fact, there is nothing in the FTA that

exempts § 5(iii) from the amendment process; consequently, if we were to accept

the bank’s contention that Chavez agreed that the bank could add additional

security procedures through § 5(iii) without having to comply with § 5(ii), we

would have to negate the amendment process entirely. This is contrary to the basic

rules of contract construction.

      The official comment to § 201 also shows that the parties did not agree in

§ 5(iii) that the bank could at its sole discretion use additional security procedures.

The comment explains that the “definition of security procedure limits the term to

a procedure ‘established by agreement of a customer and a receiving bank.’ The

term does not apply to procedures that the receiving bank may follow unilaterally

in processing payment orders.” Section 5(iii)’s language that the bank may use

“any other means to verify any Payment Order” is akin to the procedures a bank

follows in processing payment orders, not procedures established by agreement, as

                                           16
             Case: 11-15804     Date Filed: 11/27/2012   Page: 17 of 26

required by § 201. And, adopting this interpretation gives effect to both the

amendment process in § 5(ii) and the language in § 5(iii).

      In sum, the parties did not agree in § 5(iii) that the bank could add additional

procedures at its discretion; consequently, the only agreed-upon security procedure

is the one Chavez selected in the annex. The district court erroneously concluded

that the security procedure agreed to by the parties included the procedure selected

by Chavez in the annex and the other procedures the bank purportedly added

through § 5(iii). However, this conclusion does not end our analysis of whether

the bank has satisfied the first element of § 202(2). We must next determine

whether the agreed-upon procedure satisfies the definition of “security procedure”

in § 201.

      2.     “Security Procedure” as Defined in § 201

      The security procedure selected by Chavez requires only that payment

orders delivered in person be in writing and delivered and signed by Chavez.

Chavez asserts that this procedure does not satisfy § 201’s definition of a security

procedure because § 201 explicitly disavows the adequacy of the parties’ agreed-

upon security procedure. We agree.

      Section 201 states that “[c]omparison of a signature on a payment order or

communication with an authorized specimen signature of the customer is not by

itself a security procedure.” Consequently, the parties’ agreed-upon procedure

                                         17
              Case: 11-15804    Date Filed: 11/27/2012    Page: 18 of 26

must have at least this and one other step in order to qualify as a § 201 “security

procedure.”

      Here, the agreed-upon security procedure does not even require a signature

comparison. In fact, the security procedure is silent as to how the bank would

verify a payment order delivered in person. For example, there is no requirement

that the bank check the identification of the person presenting the payment order to

ensure that Chavez was the one presenting the order. Nor does the FTA (or the

annex) require a signature comparison or verification that the account even allows

payment orders delivered in person. Rather, the agreed-upon procedure imposes

requirements only upon Chavez before he can present a payment order to the bank.

Because the agreed-upon procedure does not specify what the bank would do to

verify a payment order, it cannot satisfy § 201. Consequently, the parties’ agreed-

upon procedure is not in fact a security procedure as defined by § 201, and the

bank failed to shift the risk of loss to Chavez pursuant to § 202(2).

                                 IV.    Conclusion

      For the foregoing reasons, we hold that the bank and Chavez did not have an

agreed-upon security procedure as that term is defined in § 201. Consequently,

§ 202(2) does not apply to this case, and the bank was not entitled to summary

judgment on its affirmative defense premised thereon. The district court’s order




                                          18
           Case: 11-15804   Date Filed: 11/27/2012   Page: 19 of 26

granting the bank summary judgment and denying Chavez summary judgment is

REVERSED.




                                     19
             Case: 11-15804    Date Filed: 11/27/2012   Page: 20 of 26

PRYOR, Circuit Judge, dissenting:

      I respectfully dissent. The majority opinion concludes that Chavez and

Mercantil Commercebank agreed only to the security procedure defined in section

5(i) of the Funds Transfer Agreement and that section 5(iii) of the Agreement,

which permits the Bank also to use “any other means” to verify payment orders, is

not part of the parties’ agreed upon security procedure. Majority Opinion at 13–

14. But that conclusion reflects a strained reading of the Agreement and related

provisions of Florida law. Because the Agreement encompassed both the required

and discretionary security procedures, which together here were commercially

reasonable, and the Bank acted in good faith when it accepted the payment order, I

would affirm the judgment in favor of the Bank.

A. The Agreement to Additional Means for Verification of Payment Orders Is Part
                     of the Agreed Security Procedures.

      Under Florida law, Chavez bears the risk of loss for the allegedly fraudulent

payment order if he agreed to a commercially reasonable security procedure, and

the Bank relied on that procedure in good faith when it accepted the payment

order. Florida law defines a “security procedure” in relevant part as “a procedure

established by agreement of a customer and a receiving bank for the purpose of . . .

[v]erifying that a payment order or communication amending or canceling a

payment order is that of the customer.” Fla. Stat. § 670.201. The “security

procedure” under Florida law is not limited to what the parties expressly define as
                                         20
             Case: 11-15804      Date Filed: 11/27/2012   Page: 21 of 26

the “security procedure,” but incorporates all procedures agreed upon by the

parties to serve that purpose.

      These parties agreed to two procedures for verifying the authenticity of

payment orders. Section 5(i) provides that “[t]he parties shall comply with the

security procedure selected on Annex 1 to this Agreement.” And Section 5(iii)

provides that “[a]t its option, the Bank may use, in addition to the Security

Procedure selected by the Client, any other means to verify any Payment Order or

related instruction.” These provisions, when read together, establish that Chavez

agreed to the use of both the required procedure he selected in Annex 1 and any

other security procedures adopted by the Bank, in its discretion, to verify the

payment order.

      The majority contends that “any other means” is not synonymous with

“additional security procedures agreed upon by the parties” because the Agreement

had already defined “Security Procedure” in a more limited manner, Majority

Opinion at 13–14, but that argument both misreads the Agreement and Florida law.

Section 5(iii) provides that, “[a]t its option, the Bank may use, in addition to the

Security Procedure selected by the Client, any other means to verify any Payment

Order or related instruction.” Section 5(iii) reflects that the Bank must use the

security procedure selected by the customer in Annex 1 and that the Bank, at its

option, may also employ additional security procedures. The use of the words “in

                                          21
              Case: 11-15804     Date Filed: 11/27/2012     Page: 22 of 26

addition” and “any other means” clarify that the additional means envisioned are

additional security procedures, as does the location of this provision in section 5,

which is titled “Security Procedure.” And Florida law defines “Security

Procedure” in section 670.201 in language that tracks the text of section 5(iii) of

the Agreement. Section 670.201 defines a security procedure as “a procedure

established by agreement . . . for the purpose of . . . [v]erifying . . . a payment

order,” Fla. Stat. § 670.201, and section 5(iii) permits the Bank to use “any other

means to verify any Payment Order.”

      The majority also misreads section 5(ii) of the Agreement. Section 5(ii)

provides, in relevant part, that “unless and until any additional or different

procedures are specified in a writing that is signed by the Bank and made a part of

this Agreement, the use of the Security Procedure in the manner set forth in this

Agreement shall be the sole security procedure required with respect to any

Order.” According to the majority, this language “shows that the parties agreed

upon only the security procedure selected by Chavez in the annex.” Majority

Opinion at 13. But the majority reaches this conclusion by relying on the word

“sole” at the expense of the rest of the provision. See id. The text clarifies that the

security procedure selected in Annex 1 was the “sole security procedure required

with respect to any Order.” But that provision does not undermine the

discretionary authority granted to the Bank in section 5(iii) to adopt additional

                                           22
             Case: 11-15804     Date Filed: 11/27/2012    Page: 23 of 26

security procedures to verify payment orders. When section 5(ii) is read in the

light of section 5(iii), the meaning of the Agreement is evident. Chavez could not

require the Bank to adopt “any other means” under the Agreement, but he could

also not object to the adoption by the Bank of any other means because he had

agreed to that exercise of discretion by the Bank. Contrary to the majority’s

suggestion, see id. at 16, the amendment process is still meaningful under this

reading because Chavez could not gain greater rights to security under the

Agreement without the consent of the Bank.

      The majority attempts to distinguish Filho v. Interaudi Bank, No. 03 Civ.

4795(SAS), 2008 WL 1752693 (S.D.N.Y. Apr. 16, 2008), on the ground that the

agreement in that case “explicitly granted to the bank the right to select the security

procedure,” Majority Opinion at 14, but the Agreement in this appeal too explicitly

granted the bank the right to select an additional security procedure. The only

difference between this case and Filho is that the Agreement in this case also

established a minimum level of security selected by Chavez that the Bank had to

provide to him. The creation of that minimum baseline of security does not

override the additional grant of authority to the Bank to use additional means to

verify the authenticity of payment orders. To the extent that the Bank adopted

additional procedures in this case and those procedures were commercially




                                          23
             Case: 11-15804     Date Filed: 11/27/2012   Page: 24 of 26

reasonable, the Bank may rely on them under section 202. See Fla. Stat.

§ 670.202(2).

           B. The Bank Adopted Commercially Reasonable Procedures.

      Although section 5(iii) of the Agreement allowed the Bank to adopt

additional security procedures, those procedures had to be commercially

reasonable for Chavez to bear the risk of loss under section 202. The Bank

performed several security procedures to determine the authenticity of the

allegedly fraudulent order: the Bank employee checked the presenter’s

identification, compared the signature on the written order to the signature on file,

verified the accuracy of the account number provided on the order, reviewed the

availability of sufficient funds to process the requested order, and confirmed that

Chavez had a funds transfer agreement in place for the account.

      The security procedures adopted by the Bank for payment orders on

Chavez’s account were commercially reasonable. The Florida statute instructs us

to consider several factors to determine commercial reasonableness:

      The commercial reasonableness of a security procedure is a question
      of law to be determined by considering the wishes of the customer
      expressed to the bank; the circumstances of the customer known to the
      bank, including the size, type, and frequency of payment orders
      normally issued by the customer to the bank; alternative security
      procedures offered to the customer; and security procedures in general
      use by customers and receiving banks similarly situated.




                                          24
             Case: 11-15804     Date Filed: 11/27/2012    Page: 25 of 26

Fla. Stat. § 670.202(3). All of these factors weigh in favor of a finding of

commercial reasonableness. The Bank complied with Chavez’s requested security

procedure and adopted additional procedures for Chavez’s protection. Chavez had

certified in the Agreement that “the Security Procedure is sufficient to protect the

interests of the Client in light of the Client’s needs, and no special circumstances

exist with respect to the Client that would require any other security procedure.”

The Bank offered, and Chavez rejected, two different security procedures that

would have utilized individual passcodes and test keys. And an expert for the

Bank presented undisputed testimony that the security procedures used by the

Bank satisfied the prevailing standards in the banking industry.

    C. The Bank Complied with Its Security Procedure in Good Faith When It
                       Accepted the Payment Order.

      The final requirement for the application of the safe harbor provision of

section 202 is that the Bank acted in good faith and in compliance with the agreed-

upon security procedures when it accepted the payment order. See Fla. Stat.

§ 670.202(2). The district court held that “Mercantil acted in good faith in

accepting and processing the subject payment order.” Chavez did not challenge

this holding on appeal. Chavez waived any argument that the Bank did not act in

good faith and in compliance with its security procedures when it accepted the

order. See United States v. Nealy, 232 F.3d 825, 830 (11th Cir. 2000).



                                          25
            Case: 11-15804       Date Filed: 11/27/2012   Page: 26 of 26

                                   D. Conclusion.

      For the foregoing reasons, I respectfully dissent. I would affirm the

judgment in favor of the Bank.




                                          26
