security.jpgIf you are a community bank executive, imagine facing this unpleasant scenario:  Your head of operations calls to tell you that one of the bank’s largest customers suffered a computer hack and millions of dollars were transferred out of the customer’s accounts. 

This situation will deliver a severe stress test to your bank’s operational systems. Were the right procedures in place?  Were they followed?  Are you liable and is the loss insurable?  When your biggest customer has taken a crushing financial loss and is desperately looking for a source of recovery, you don’t want to be discovering for the first time that there were some basic steps you could have taken. While hacking can never be prevented entirely, a careful bank can avoid liability for a hacking incident. A careless bank can be forced to absorb the customer’s loss, plus interest and other amounts.

In most cases, the fraud is discovered well after deadlines for reversing or cancelling the transfer.  However, depending on applicable state law, there may be a way to impose a freeze on the funds by delivering the correct affidavit and/or indemnity.  Sometimes, if there is a reasonable basis for believing the funds have not left the destination account, the bank’s attorneys can impose a temporary restraining order to freeze the funds in place.  The success of such measures is highly uncertain, given the strict deadlines that apply to funds transfers.  If the funds were sent outside the U.S., then legal recourse is usually limited or unavailable as a practical matter.

Insurance of course is vital and all community banks should ensure that they (and hopefully their customers) have a policy directly covering losses caused by unauthorized online transfers. It is well worth the time to “stress test” your policy by running through a common online fraud scenario. Does your insurance application accurately describe all of your online banking operations?  And, is the coverage amount adequate if a criminal drains all the funds in your largest business deposit account? Because these cases are almost always litigated, you need to know that your defense costs are squarely covered and that the policy limit is enough to cover defense costs and the dollar amount of your customer’s loss. 

After a loss, observe the basics in obtaining coverage such as not agreeing to settle with your customer without the insurer’s express consent.  Even if all of these issues are adequately addressed, a bank may still face an insurer that denies coverage for at least a portion of the bank’s costs, delays a coverage determination or obstructs a settlement, forcing the bank to litigate with its customer. 

Far better than relying on only an assumed insurance coverage is a thorough review of the bank’s policies and account documents to ensure the bank can withstand a massive online fraud on one of its business customers. Do your operations, Bank Secrecy Act and information technology teams understand what the other is doing with regard to online fraud prevention? Are you positive that your team has pored over the Federal Financial Institutions Examination Council guidance on “Authentication in an Internet Banking Environment” (supplemented in June 2011) and made a thoughtful choice as to the online banking security and anti-fraud procedures the bank will follow and offer to its customers? 

Keep in mind a recent harsh federal court decision in the Patco Construction Co. case (July 2012, First Circuit Court of Appeals in Boston) that faulted a bank for not using features of its computer system that the court theorized could have been used to prevent the account hijacking. The court also faulted the bank for taking a uniform approach to fraud prevention, i.e., not taking the customer’s particular circumstances into account. It is generally worth the investment to seek written assurance from legal and/or security experts as to compliance of the bank’s online security with FFIEC guidance and those in Uniform Commercial Code Article 4A.

There is a continuing clash between the security a bank wants its customers to implement and what the customers are actually willing to do. A bank is not required to force its customers to adopt and follow all security best practices, but it should carefully document its offer of additional security precautions and the customer’s rejection of the offer. 

Once a bank has designed a suitable online security program, the bank must ensure careful compliance with those procedures. Banks’ security procedures do evolve and change over time. It is critically important to know what the bank’s actual procedures are so that new personnel can seamlessly comply and the bank’s auditors can accurately audit compliance. 

A bank should also inventory and review the agreements, certifications and other documents that affect the relative rights and obligations of the bank and its customers with respect to online fraud. If the bank’s form documentation is outdated, then those documents may allocate far more liability to the bank than banking regulations require or that is acceptable in the industry. 

Designing and following robust and compliant online security procedures is necessary to avoid catastrophic liability for a bank. It is also smart business. Senior management that thoroughly understands the bank’s security system is a management team that can then communicate the value of that system to customers and enhance the value of the franchise.

Dan Wheeler