In an unintended consequence of the newly revised federal rules on cybersecurity, banks are likely to fare much worse in lawsuits over fraud losses.
Two recent court decisions relied on the 2005 guidance by the Federal Financial Institutions Examination Council to determine whether banks had enough protections in place when hundreds of thousands of dollars in fraudulent transfers occurred. In one case, the bank appears close to victory; in the other, the bank has already lost — even though the judge used the older, softer FFIEC rules as a compass.
The FFIEC's new rules, issued June 29, stress that the fraud protections put in place six years ago are no longer sufficient to withstand today's threats. This could not have come at a worse time for banks that are in court over fraud losses they refused to cover for business clients.
In June, a court ruled that Comerica Bank of Dallas, Texas, would be on the hook for over half a million dollars in fraudulent transfers it failed to stop, even though its protections satisfied the FFIEC's requirements at the time.
That ruling "will have a chilling effect on everyone who wants to engage in electronic commerce and in online banking," said Bill Repasky, a partner with law firm Frost Brown Todd LLC of Lexington, Ky. "It imposes a new level of uncertainty that was not there previously."
In the other case, a magistrate's recommendation in May for summary judgment in favor of Ocean Bank, a unit of People's United Bank of Bridgeport, Conn., stated that the bank provided sufficient protections for its client Patco Construction Co. Inc. under the FFIEC's rules at the time. The bank had the ability to use passwords, challenge questions, transaction risk assessments, dollar amount rules and a cookie to secure online banking sessions. (The judge has yet to issue a final ruling.)
Daniel J. Mitchell, a partner at the law firm Bernstein Shur, of Portland, Maine, and Patco's lead attorney, said even this level of security was not enough. "The FFIEC guidance is instructive, but it does not contain guidelines that define every issue," he said.
Avivah Litan, a vice president and distinguished analyst at the research firm Gartner Inc., said that had the judge seen the FFIEC's new guidance, "it would have altered the Patco decision because the bank would have been found out of compliance with the FFIEC guidance, as now updated."
Ocean Bank should have insisted on dual authorizations for transactions and positive pay lists, she said. "The bank was relying on basic multi-factor authentication, not a [true] layered security approach."
At issue in both court cases is a determination of what it means to be commercially reasonable and acting in good faith when protecting accounts, according to the Universal Commercial Code, section 4A-202.
The magistrate in the Ocean Bank case said Patco, of Sanford, Maine, will likely be held liable for $345,000 in fraud losses because the bank had taken "commercially reasonable" measures to protect the security of the account. Bernstein Shur has issued an objection, and the litigation is still pending.
In the Comerica case, Judge Patrick J. Duggan of the United States District Court for the Eastern District of Michigan said that Comerica had to pay $560,000 to a small metals shop called Experi-Metal Inc., of Sterling Heights, Mich., because the bank had not acted in good faith by permitting transactions it should have detected were fraudulent.
Comerica is appealing the decision. A spokesman for the bank said in an email that "it is Comerica's expectation that the judgment, as finally determined by the judge, will be for a nominal amount in recognition of the efforts of the bank, once it confirmed that fraud had in fact occurred, to timely recover the vast majority of the funds that the customer lost."
The original FFIEC guidance required banks to use something stronger than a static password to authenticate users. The updated guidance looks beyond the initial authentication. The agency now requires banks to have a layered approach to security and to have continuous risk assessments. Banks must protect security at the transaction level.
"This guidance is much more prescriptive and will give courts a clearer idea of what an acceptable level of security is," Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC said.
But "the lawsuits will continue to come," she said.
George Tubin, a senior research director with TowerGroup, said the Comerica decision may encourage more businesses to sue their banks over fraud liability because the businesses stand a better chance of a favorable outcome.
"Small-business attorneys typically advise their clients that no one has won these cases, and they may not get anything," Tubin said, adding that small businesses have typically recouped 15% to 25% of losses in prior hack attacks.
The decisions also highlight the differences between large banks and small ones, industry observers said. Larger banks are in the vanguard with their security practices. By contrast, smaller banks rely heavily on the security their online banking vendors offer.
Jack Henry & Associates Inc., of Monett, Mo., which provides the online banking platform used by Ocean Bank and which was praised for its security precautions by the magistrate in his recommended summary judgement in the Patco case, would not comment on pending litigation.
Commenting on the new FFIEC guidance, Pete Hopkins, the general manager of Internet solutions for Jack Henry, said the vendor has been continuously updating its security beyond what the 2005 guidance requires. "We certainly did not sit back and wait until the guidelines came out," Hopkins said.
In addition to using hard tokens from VeriSign Inc., Jack Henry has set transaction values that trigger security questions, out-of-band text or email messages, or both.
Such transaction-level scrutiny can be expected from now on.
"The [FFIEC] supplement explicitly requires anomaly detection for business accounts, so if the bank didn't have it in place they would likely be held liable," Tubin said.
McNelley said the two court decisions and the new FFIEC guidance may open up a sales opportunity for the banks.
"Banks will reexamine their contracts with businesses to give themselves whatever protections they can," she said. "But they can take the product protections that exists on the consumer side today and sell it to businesses."