Comerica Settles After Updated Security Rules Weaken Its Case

After new security rules weakened its chances in a court appeal, Comerica Bank has decided to settle a lawsuit over fraud losses, in which it was earlier ordered to pay half a million dollars to one customer.

Between the ruling and the Dallas, Texas bank's decision to settle, regulators came out with new mandates that experts say further weakened a case the bank already lost once.

Updated guidelines from the Federal Financial Institutions Examination Council, issued June 29, make clear that many banks' security procedures are no longer considered effective against today's threats. Banks are now expected to take a layered security approach, placing more emphasis on business accounts, which are bigger targets for hackers.

"The new FFIEC guidance clarifies that … the measures put in place were not adequate," says Avivah Litan, a vice president and distinguished analyst at the research firm Gartner Inc. "This would have worked against Comerica."

Comerica has offered no details on its decision to settle other than to say, through a spokesman, that "the matter has been resolved" as of July 22. Experi-Metal Inc., of Sterling Heights, Mich., did not respond to requests for an interview. Other reports indicate the company confirmed receiving restitution from the bank.

The U.S. District Court for the Eastern District of Michigan, Southern Division, issued its June 13 decision citing matters of commercial "good faith" and "reasonableness" under the Uniform Commercial Code, section 4A-202.

The court also relied on the 2005 FFIEC guidance in effect at the time, as well as a December 2010 supplement that signaled anomaly detection would be part of the new guidance.

The federal court ordered Comerica to pay Experi-Metal $560,000 because the judge determined Comerica had not operated in good faith with respect to its online banking protections. In 2009, hackers broke into Experi-Metal's commercial accounts following a phishing exploit. Over the course of a day, fraudsters stole $5 million, using more than 100 transactions that directed the funds to foreign accounts.

At least one member of the legal community says he thinks Comerica's capitulation was a bad development for banks.

"This leaves untested the federal district court's decision, which will now be quoted against all our banks for the foreseeable future whenever a commercial customer allows its computers to be hacked," says Bill Repasky, a partner with law firm Frost Brown Todd LLC of Louisville, Ky.

Repasky says Comerica might have successfully appealed had it challenged the court on its determination of "good faith" and "commercially reasonable."

Repasky says UCC section 4A-202 defines "good faith" in terms of honesty in fact.

"Unless the bank had reason to believe that each transaction was improper, they are off the hook," Repasky says.

By contrast, adding "commercially reasonable" introduces a subjective standard that did not previously apply to such cases, and one that nearly always operates in hindsight.

The updated FFIEC guidance would not legally impact the older cases, but "it is in the atmosphere and it is part of the changing [security] environment," Repasky says.

Other industry observers say the lawsuit might have done extensive damage to Comerica's brand, and that reputation was probably an important driver for the settlement.

"No bank wants to be in the headlines associated with fraud, or in association with a lawsuit with their customer, [and] this case represents a double whammy of bad press associated with both," says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.

McNelley says the new FFIEC guidance adds a more objective bar for what is considered commercially reasonable, codifying industry practices that are already becoming widespread among the largest banks, such as using a multi-layered security approach for online banking.

"The risk of filing an appeal and having the case again decided in favor of Experi-Metal was quite substantial," McNelley says.
