Diverging Decisions on Banks’ Responsibility for Cybercrimes

Michigan court says Comerica must pay $561,000 Experi-Metal lost to cyberthieves; Maine court says bank not liable.

Two recent court decisions in cases brought by companies that sued their banks after their business accounts were looted by online fraudsters underscore the need for banking regulators to expedite new guidance on authenticating online banking transactions.

As the incidence of online fraud increases rapidly, banks’ liability concerns were assuaged on May 27 when a Maine court sided with Ocean Bank, deciding that it was not liable for more than $300,000 in fraudulent transfers out of Sanford, Maine-based Patco Construction Co.’s business account.

On Monday, however, a Michigan court decided that Dallas-based Comerica Bank must reimburse Experi-Metal Inc. for $561,000 the company lost when fraudsters used wire transfers to move funds to accounts in Russia, China and other havens.

The decisions seemingly resulted in a stalemate in terms of precedents for lawsuits in which banks and their business customers wrangle over the responsibility for cybercrimes.

In the Patco case, the judge tied his decision to the authentication guidelines issued by the Federal Financial Institutions Examination Council (FFIEC) in 2005, which both parties acknowledged as the prevailing standard. The judge found that Ocean Bank, a division of Bridgeport, Conn.-based People’s United Bank, upheld its responsibilities under those guidelines.

Richard Tomlinson, a lawyer at Driggers Schultz & Herbst who represented Sterling Heights, Mich.-based Experi-Metal, a sheet metal company, says the decisions in the two cases were not conflicting. “In [Experi-Metal’s] case, the court found that Comerica failed to meet its burden of proof to show it acted in good faith, and it failed to establish what the industry standards were and comply with them,” Tomlinson says.

Tomlinson notes that Experi-Metal decided to stop making wire transfers 18 months prior to the fraud but didn’t realize it could tell the bank to eliminate that service from its account. The fraudulent transfers occurred over a six-hour period, and during the last few hours, Comerica knew or should have known something was amiss, he says. Tomlinson adds that “the court was astounded by the fact” that the cyberthieves were able to fund the wires by transferring $5 million from a separate corporate account that typically held a zero balance.

In a statement, Comerica said its security token technology is “commercially reasonable and in compliance with current [FFIEC] guidelines,” and that it plans to appeal the decision.

Avivah Litan, an analyst at Gartner Group, says liability for online corporate banking fraud remains a “very gray” area because there are no laws or updated regulations to clarify responsibilities. Thus decisions in such cases depend very much on the specific judge and the laws in his or her district.

Litan notes that consumers are protected by Regulation E, which requires banks to fully reimburse them assuming certain conditions are met, such as reporting the fraud within two days. “There’s no such law protecting business accounts, so it’s up to the contracts they sign with their banks,” she says.

The FFIEC has been working on updated guidelines since last year, but they have yet to be issued, and the regulatory body hasn’t said when it will release the new guidelines. The FFIEC is made up of five banking regulators: the Federal Reserve Board, the Federal Deposit Insurance Corp., the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.

Tiffany Riley, vice president of marketing at Guardian Analytics, which provides software that helps banks monitor for fraudulent activity, described the two cases as “an important call to action.”

“The common message [from the decisions] is that banks should be doing more, and the FFIEC should provide them with new guidelines,” Riley says.
