Court Sides With BancorpSouth Against Wire Transfer Fraud Victim
When wire transfer fraud occurs, who should bear the loss — the bank or the client? The answer is increasingly being decided in the courtroom.
Last month, a Missouri court sided with a financial institution on such a case — the first such win BTN has come across. The industry victory is unlikely to ease banks' anxiety over the sensitive and costly issue, but the verdict could help provide financial institutions keener insight into existing law and incentive to better educate their corporate customers on risk, say fraud experts.
The U.S. District Court for the Western District of Missouri rejected in mid-March a suit brought by Choice Escrow and Land Title against its financial institution, BancorpSouth Bank (BSB). The escrow company sought to get back $440,000 stolen by cyber criminals who hijacked the company's account in 2010.
The court's decision was based on the fact that the corporate client declined to use security measures the bank encouraged it to use, according to official documents. A copy of the court filing can be found here.
The conflict began when Choice opened an online banking product in 2009, according to court papers. At the time, BSB typically required customers to utilize "Dual Control," which mandated that two individuals use separate user IDs and passwords to complete an electronic wire transfer. Choice turned down Dual Control in communications with the bank on two different occasions, citing a preference for convenience and that saying that often, the employee who handled wire transfers was in the office by herself.
Under the Uniform Commercial Code, banks must provide "commercially reasonable" security.
"The case hinged on the whole idea that the bank offered a security option and the customer didn't want to use it," says George Tubin, a senior security strategist at security company Trusteer.
The Missouri verdict follows several wire transfer fraud cases that went against banks, including The Ocean Bank (since acquired by People's United Bank) and Patco Company of Maine. In these earlier cases, the rulings hinted that customers could be held liable under some circumstances.
"It's been an interesting situation," says Shirley Inscoe, senior analyst at Aite Group. "Courts are trying to look at each case individually to find out who had the opportunity to prevent fraud and who didn't."
Banks are unlikely to feel safe even with the latest win. "You won't see banks pay less attention or have fewer concerns just because it turned out well," Inscoe says. "No bank wants to end up in the headlines with their own customers."
The Missouri case also points to the delicate balance between security and convenience.
According to analysts, dual controls are a common fraud prevention method, though other stronger security techniques exist.
Inscoe says in recent months, banks have been deploying more advanced techniques designed to ensure a customer is legitimate. That includes using behavioral analytics to spot suspicious activity, for example. But it's early days for such technology deployments for a typical bank, she says.
Government agencies have provided security suggestions for banks.
The Federal Financial Institutions Examination Council (FFIEC) issued security guidance in 2005; it was updated in 2010. (The Missouri wire fraud episode occurred prior to the most recent updated FFIEC guidance.) The document recommends technologies that help deflect occurrences of fraud and encourages multi-factor authentication and a layered security approach.
"Convenience and security are on a teeter totter," says Charisse Castagnoli, an adjunct teacher at John Marshall Law School and security consultant. "It's difficult to get a balance."
But no matter what security techniques a bank deploys, hackers will continue to find vulnerabilities.
"There's no such thing as a perfectly secure system," says Castagnoli.
This is why commercial customers need to better understand the risks involved in digital transactions. "Businesses need to walk into an online banking contract understanding there is risk [banks] can't mitigate," Castagnoli says. "There's many ways to get malware on a system."
To that end, banks have to step up their educational efforts to better caution commercial clients. "If people don't know what to be afraid of, they probably won't be afraid," says Al Pascual, security risk and fraud analyst at Javelin Strategy & Research.
In the event of a lawsuit, settling outside of court is in the bank's best interest. Why? If more companies take banks to court over wire fraud, there's the eventual risk of government agencies writing heavier regulation for banks, says Pascual. "If commercial clients keep taking banks to court, regulators will start to wonder if changes need to be made.
"Banks sometimes win. Sometimes they lose," he says. "It might be worth their while to settle."