Section 4A-202. (a) A payment order received by the receiving bank is the authorized order of the person identified as sender if such person authorized the order or is otherwise bound by it under the law of agency.
(b) If a bank and its customer have agreed that the authenticity of a payment order issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against an unauthorized payment order, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of such customer restricting acceptance of a payment order issued in the name of such customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.
(c) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated. A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for such customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by such customer.
(d) The term ''sender'' in this Article includes the customer in whose name a payment order is issued if the order is the authorized order of the customer under subsection (a), or it is effective as the order of the customer under subsection (b).
(e) This section shall apply to an amendment or cancellation of a payment order to the same extent it applies to a payment order.
(f) Except as provided in this section and in paragraph (1) of subsection (a) of section 4A-203, rights and obligations arising under this section or said section 4A-203 may not be varied by agreement.