The Bank’s Liability for Cyber Theft on Commercial Accounts

The amount of financial loss that cybercrime inflicts on banks and their customers is staggering. In the case of Patco Construction Company v. People’s United Bank (formerly Ocean Bank), fraudsters correctly supplied Patco’s answers to security questions and made six fraudulent withdrawals that totaled about $588,000. When the U.S. Court of Appeals in Boston last year found that the bank’s security procedures did not meet the “commercially reasonable” standard, the bank was forced to reimburse the company’s losses from the theft.

The takeaway from this and other similar rulings is that bank security procedures matter — to customers, to the brand and to the bottom line. Banks can take steps to dramatically reduce the amount of financial loss to customer accounts and avoid or mitigate the risk of footing the bill for commercial account takeovers.

Here are five steps that banks can take to avoid having commercial account takeovers damage their bottom line:

Implement Commercially Reasonable Security Procedures

The Uniform Commercial Code (UCC) requires that banks have “commercially reasonable security procedures” to protect commercial customer accounts. Without these procedures, banks could most certainly be left holding the bag in the event of an account takeover.

To qualify as “commercially reasonable,” the bank’s security procedures should fall in line with procedures used by similar customers and banks, adhere to customer instructions, and take into account the circumstances and banking patterns of each commercial customer.

When a financial loss leads to litigation, the court will ultimately decide whether a bank’s security procedures are commercially reasonable.  Banks that can respond with current and ironclad procedures will be in the best position to protect against liability.

Train Employees to Follow Security Procedures

In the case of Patco Construction Company, the court faulted the bank because it did not follow its own security procedures.  The bank’s security system had flagged six transactions as unusually high-risk, but the bank failed to monitor the transactions or notify the customers before completing the transactions.  Unattended procedures, no matter how “reasonable,” do little good.

Train your employees on the bank’s procedures and demand strict adherence.  Employees on the front line of transactions are in the best position to impact this potential liability.

Perform Annual Review of Customer Agreements

A key pivot point on the question of liability is the content and nature of the bank’s customer agreements.

Customer agreements are often used as evidence of the security procedures agreed to by banks and their commercial account holders, and the agreements can be helpful to prove that the bank kept its side of the bargain. In certain circumstances, banks may shift the risk of loss for unauthorized payment orders to commercial customers if there was an agreement that payment orders would be verified using a particular security procedure.  This increased protection is available if the bank proves that it accepted the payment order in good faith and in compliance with the specified security procedure.

Schedule an annual review of your customer agreements and update them before you offer a new service or change your security procedures.  While not always protecting you against liability, customer agreements play a key role.

Develop and Test an Incident Response Plan

Without a plan, a bank’s chances of capping the loss and favorably positioning itself are slim.  An incident response plan equips employees with knowledge of whom to call and what to do when they suspect fraud.

The contents of an incident response plan should be tailored to the individual bank. The format must be user-friendly, so that employees can easily follow the instructions in a stressful situation. The plan should include steps such as notifying the bank’s fraud department, designated management, and the customer; shutting down an online session; reversing payment orders; and invalidating online credentials that have become jeopardized.

Just as fire drills are practiced, so, too, should a bank exercise its employees’ understanding of the response plan. Time is of the essence in limiting loss, and the bank’s reaction to the occurrence will be replayed in great detail.

Promptly Conduct an Investigation of the Fraud

A prompt investigation is necessary to determine the cause of the security breach.  An investigation should include a customer interview by a trained bank employee and, to the extent it is accessible and permitted, a forensic examination of the customer’s computer.  The bank should contact its security provider to find out if the system was functioning properly at the time of loss.  Obtain documents from your security provider that show the customer’s online account activity, the IP address that initiated the fraudulent transfer, and whether the perpetrator used the customer’s credentials.

Prepare, plan, practice and perform.  Your bottom line is at stake.

Nathan Garrett

Elizabeth Murray