On the morning of January 22, 2009, an employee of Experi-Metal in Macomb County, Michigan, a manufacturer for the auto industry, received an email forwarded from a colleague. It appeared to come from the company’s financial institution, Dallas-based Comerica Bank, and said: “Comerica Business Connect Customer Form.” The employee followed the link to another web site, where he complied with instructions to type in his secure login for the company’s bank account and other identifying information.
Sometime between the hours of 7:30 a.m. and 2:02 p.m. that day, 93 fraudulent payment orders totaling $1.9 million were executed on the company’s account.
Comerica eventually recovered all but $561,399. Experi-Metal sued the bank for its loss and won the case last month, putting Comerica on the hook for the fraud.
A Comerica spokesman, Wayne Mielke, said the company is considering alternatives, including a possible appeal.
U.S. District Court Judge Patrick Duggan wrote in his opinion that he weighed several factors in deciding whether the bank had acted in “good faith,” using “commercially reasonable” security measures. Among the clues that something was going wrong at Experi-Metal: the sheer volume and frequency of the fraudulent transactions; a $5 million overdraft executed on an account that normally carried a zero balance; the company’s history of limited wire activity; and the destinations and beneficiaries of those funds (banks in places such as Russia or Estonia, long known as hubs for such fraud).
That case emphasizes the importance of looking for anomalies in accounts—missing those could make a bank liable for fraud. There are other reasons why providing customers with a login and password is not enough.
Michael Dunne, an attorney with Day Pitney in Parsippany, New Jersey, thinks the new guidance issued last month from federal regulators—the Federal Financial Institutions Examination Council—raises the bar much higher in terms of what’s “commercially reasonable,” the legal standard for what a bank is supposed to provide in terms of Internet security for customers.
No longer can banks rely on dual-factor security, typically a login and password plus something like a security token that recognizes the computer or other device that is logging in. That dual-factor security was OK under the 2005 guidance on Internet security, Dunne says. Now, banks will have to introduce even more layers of security on top of that, which many of them are already doing.
An example of an extra layer would be email notifications to the customer every time payments are requested on the account.
At a minimum, banks will now be required to have a process that detects anomalies and responds to them, such as a customer suddenly initiating 93 payment orders for $1.9 million in one day when few such transactions had occurred before.
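To make concrete what such an anomaly-detection process might check, here is an added example (not code from the article, the bank, or the regulators) that scores one day's payment orders against the account's own history using the clues the judge listed: volume, frequency, an overdraft on a normally empty account, unfamiliar beneficiaries, and high-risk destination countries. The `Payment` record, its `dest_country` field, the thresholds, and the sample data are all constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed for this example: receiving countries the article names as fraud hubs.
HIGH_RISK_COUNTRIES = {"RU", "EE"}

@dataclass(frozen=True)
class Payment:
    ts: datetime        # when the payment order was submitted
    amount: float       # dollars
    beneficiary: str    # payee as entered on the order
    dest_country: str   # country of the receiving bank (assumed field)

def baseline(history):
    """Summarise prior wire activity: the 'history of limited wire activity' clue."""
    per_day = Counter(p.ts.date() for p in history)
    return {"max_per_day": max(per_day.values(), default=0),
            "beneficiaries": {p.beneficiary for p in history}}

def review_day(history, today, opening_balance, typical_balance):
    """Flag one day's payment orders against the account's own history; hold if 2+ flags."""
    base, flags = baseline(history), set()
    # Volume: many more orders in one day than the account has ever produced.
    if len(today) > 5 * max(base["max_per_day"], 1):
        flags.add("volume")
    # Frequency: ten or more orders inside any one-hour window.
    times = sorted(p.ts for p in today)
    for i, t in enumerate(times):
        if sum(1 for u in times[i:] if u - t <= timedelta(hours=1)) >= 10:
            flags.add("frequency")
            break
    # Overdraft on an account that normally carries little or no balance.
    total = sum(p.amount for p in today)
    if total > opening_balance and typical_balance < 0.01 * total:
        flags.add("overdraft")
    # Payees never seen before, and receiving banks in high-risk countries.
    if any(p.beneficiary not in base["beneficiaries"] for p in today):
        flags.add("new_beneficiary")
    if any(p.dest_country in HIGH_RISK_COUNTRIES for p in today):
        flags.add("high_risk_destination")
    return {"flags": flags, "total": round(total, 2), "hold": len(flags) >= 2}

def constructed_samples():
    """Constructed data: a quiet history of biweekly domestic wires, then a day shaped
    like the article's: 93 orders from 7:30 a.m. onward to unfamiliar payees abroad."""
    history = [Payment(datetime(2008, 12, 1, 10, 0) + timedelta(days=14 * k), 12500.0, "Acme Steel", "US")
               for k in range(4)]
    start = datetime(2009, 1, 22, 7, 30)
    fraud_day = [Payment(start + timedelta(minutes=4 * k), 20430.11, f"payee-{k}", "RU" if k % 2 else "EE")
                 for k in range(93)]
    return history, fraud_day
```

Run `review_day(*constructed_samples(), 0.0, 0.0)` to see all five flags raised and the day held for review, whereas a single routine wire to the known supplier raises none.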
Banks also must have controls for system administrators on business accounts. Such a person could have the ability to approve all transactions on a commercial account when multiple employees have access to the account.
The guidance goes into effect in January for bank examinations, but Dunne thinks it could have an impact much earlier, as lawyers bring up the new standard in court cases where banks are sued by victims of fraud.