
bank fraud forum

Banks 1, Corporate Account Holders 1?

June 22, 2011 by Mike Mulholand

For those keeping score in the legal battles between financial institutions and their commercial account holders, a recent decision by Judge Patrick J. Duggan in the Experi-Metal Inc. (EMI) vs. Comerica case evened the score at one apiece for the interested parties…or did it? Two weeks ago the magistrate's recommendation in the Patco vs. Ocean Bank case favored the bank. The District Court has yet to decide whether it will accept that recommendation, but observers have expressed the opinion that it will. With the Michigan bench opinion out, maybe not. Now we have an opposing view: that the bank may be liable for the losses.

This could have serious repercussions for the industry, because anyone paying attention knows that commercial accounts are governed by UCC statutes, not Reg. E. Commercial customers and their banks are subject to UCC Article 4A, specifically § 4A-202(c), which reads: “Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.”

I can see in part where the Michigan ruling is coming from. It’s not one of those considerations, it’s all of them. The italicized phrase in particular leads one to the conclusion that the framers had transaction monitoring in mind.

Looking at the EMI case, it’s hard to imagine that no alerts were triggered by the wire activity that took place. Consider that EMI had not sent an international wire in 19 months, and then on a single day in January 2009, between 7:30 AM and 2:02 PM, 97 fraudulent payment orders were initiated to China, Estonia, Finland, Russia and Scotland. Additionally, the wires put EMI’s account in an overdrawn position and yet were still allowed to continue. It appears that some wires were released after the bank had received instructions to suspend all transfers until further notice. It seems entirely feasible that something should have been done to stop wires so divergent from past account activity, and the judge said as much in his opinion: “…a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”

I believe the lawsuits speak to the difficulty of stopping account takeover and the resulting fraudulent ACH and wire payments that are used to move the money. This is not just an online security problem. Both parties have a job to do; the bank customer should do everything possible to ensure that their credentials aren’t compromised. That has proven difficult (if not impossible) given the different strains of malware such as Zeus and SpyEye, and the sophistication of professional fraudsters. The bank also has a critical role to play in preventing fraud. Of course it should authenticate the customer, but after authentication the bank must use other methods to validate the initiated payments. The EMI case indicates that the window for placing the responsibility solely on the customer may be closing.

Layered security is the industry term for the combination of authentication and payment monitoring, which together provide additional checks and balances to eliminate fraud. At the beginning of the year, draft FFIEC guidance calling for layered security was leaked that would have updated the 2005 version. While many industry experts believe this guidance will not be updated until 2012, the legal actions and numerous ACH and wire fraud events indicate that waiting to act could be dangerous. Financial institutions don’t need new regulation to tell them what to do; the legal precedent, the brand damage associated with an incident, and customer attrition should be reason enough to act. In the EMI case, the ruling had some strong words for financial institutions, as noted above.
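As an added illustration (not part of the original post, and not a Memento product or the bank's actual system), the Python sketch below shows the kind of account-history checks a payment-monitoring layer could apply to outbound wires after authentication, using the red flags this post draws from the EMI facts: a dormant international channel suddenly reactivated, an unusual daily count of payment orders, wires that overdraw the account, and releases after the customer asked for a suspension. Every date, amount and country in the sample scenario is constructed for the example, not taken from the court record.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# A payment order as the monitoring layer sees it once the user is authenticated.
PaymentOrder = namedtuple("PaymentOrder", "ts amount country")


def monitor_wires(orders, history, balance, suspended_at=None,
                  dormant_days=180, daily_limit=10):
    """Flag orders that diverge from the account's past behaviour.
    history: datetimes of prior international wires; balance: available
    funds before the first release; suspended_at: when the customer asked
    the bank to stop all transfers. Returns [(order, [reason codes])]."""
    alerts = []
    last_intl = max(history, default=None)
    per_day = defaultdict(int)
    for o in sorted(orders, key=lambda o: o.ts):
        reasons = []
        # Reactivation of a channel the customer has not used in months.
        if last_intl is None or o.ts - last_intl > timedelta(days=dormant_days):
            reasons.append("dormant_reactivation")
        last_intl = o.ts
        # Unusual frequency of payment orders (a UCC 4A-202(c) factor).
        per_day[o.ts.date()] += 1
        if per_day[o.ts.date()] > daily_limit:
            reasons.append("daily_count")
        # A wire that would push the account into overdraft.
        balance -= o.amount
        if balance < 0:
            reasons.append("overdraft")
        # Anything released after the customer asked for a suspension.
        if suspended_at is not None and o.ts >= suspended_at:
            reasons.append("post_suspension")
        if reasons:
            alerts.append((o, reasons))
    return alerts


def sample_alerts():
    """Constructed scenario (not the court record): 12 wires in one morning
    on an account whose last international wire was about 19 months earlier."""
    history = [datetime(2007, 6, 1, 10, 0)]
    start = datetime(2009, 1, 22, 7, 30)
    countries = ["CN", "EE", "FI", "RU", "GB"]
    orders = [PaymentOrder(start + timedelta(minutes=30 * i), 5000, countries[i % 5])
              for i in range(12)]
    return monitor_wires(orders, history, balance=40000,
                         suspended_at=datetime(2009, 1, 22, 11, 0))
```

In the constructed run the very first wire is held on the dormancy rule alone, and every wire from 11:00 onward is held for at least one of the other three reasons, which is the behaviour the post argues a fairly dealing bank should have shown.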

The time to put layered security in place is now.


Posted in: ACH and Wire Fraud, Collusive Networks
Tags: wire fraud
