Breach 'Warranty' Protects Bank Clients When the Law Does Not

The U.S. government likes small businesses — in a quaint, 20th-century way. It will bend over backward to support lending to these economic engines, but it won't adequately safeguard their online bank accounts against a more modern plague: hacking.

The result is a pain point for banks and their commercial clients. Consumers are covered by Regulation E and the Electronic Fund Transfer Act, which protect them against theft through online banking. But small businesses have no equivalent protections.

That leaves vendors — and their bank clients — to fill the gap over and above the universal commercial code's section 404 2A, which specifies that banks must supply a basic level of security for their commercial clients.

Greenway Solutions launched one such product, EFTGuard, in late April. EFTGuard covers commercial clients against losses from online account takeovers, provided the victimized companies use at least one of a handful of preapproved third-party security products.

Some banks, like Mechanics Bank in Richmond, Calif., are already considering offering EFTGuard to commercial customers.

"We are trying to protect [commercial clients] against themselves, because most small-business owners are no more sophisticated or knowledgeable than the average consumer" about the risk of an account takeover, says Bradley G. Leimer, vice president of online and mobile strategy for Mechanics Bank.

In theory, EFTGuard could save small businesses and their banks a whole lot of legal hassle. As a result of the reduced protection offered by the universal commercial code, some banks have refused to reimburse merchants after an account takeover — and it has led some merchants, in turn, to take their banks to court.

Comerica Bank, for example, settled with Experi-Metal in Sterling Heights, Mich., for an undisclosed amount in August after a corporate account takeover. A district court initially ordered the bank to pay its client $560,000.

But whether EFTGuard and products like it, given their limitations, would satisfy merchants like Experi-Metal is an open question.

EFTGuard is more like a warranty than an insurance product, says Jerry Tylman, a partner at Greenway, of Charlotte, N.C. (Insurance products are difficult to get approved in all 50 states, he says.) The product is backed by Chartis, a subsidiary of American International Group, and it covers only $100,000 per business account, with a limit of $500,000.

"The impact of corporate account takeover can far exceed these [covered] amounts, so the communications between the bank and the business customer will need to be quite clear," Julie Conroy McNelley, research director for the retail banking practice at Aite Group, wrote in an email.

Still, EFTGuard is a good first step, and analysts were surprised that something similar hasn't been tested before. "It makes sense to tie the liability of business customers to their willingness to accept security measures," says Avivah Litan, a vice president and distinguished analyst at Gartner.

The Federal Financial Institutions Examination Council requires banks to employ multiple levels of security to protect electronic banking sessions. Banks, as experts say and new FFIEC guidelines stipulate, should also provide some form of education to their clients about security best practices.

"If I know what my obligations are as a party to a contract, then I can do the right thing to make sure I honor the terms of the contract, but I also know that I can obtain insurance coverage for those areas that are my responsibility or my risk," says Bill Repasky, a partner with the law firm Frost Brown Todd in Louisville, Ky.

Mechanics, which has 100,000 customers and assets of $3 billion, also has 15,000 commercial clients, including some municipalities. About 500 regularly do high dollar-volume transactions, Leimer says, though he would not specify the average dollar amount. Some of the biggest customers have millions of dollars in their accounts, Leimer says.

Mechanics currently distributes an anti-malware product from Trusteer free of charge to commercial customers who want it, and Leimer says the bank is thinking of bundling the corporate account protection together with a security education program.

Increasingly, hackers have realized that small businesses, which typically hold tens of thousands to millions of dollars in corporate accounts, can be more lucrative targets than consumer online banking accounts. More than 12% of small-business owners have had funds stolen from their bank accounts, primarily through electronic funds transfer, according to research by Gartner, which surveyed 210 small-business owners in September. On average, small-business owners had $3,400 stolen from their accounts, the survey found.

Though Chartis is open to approving other products, EFTGuard currently covers only corporate accounts from hacking attacks, provided the account holders use anti-malware products from IronKey, SafeCentral, Trusteer or Webroot, Tylman says. EFTGuard will cost banks about $15 per customer per month.
