Financial institutions were handed a victory last week when the United States Court of Appeals for the Eighth Circuit affirmed that BancorpSouth Bank (BSB) is not liable for $440,000 of losses in a case of wire transfer fraud. The court also ruled that the bank can attempt to recoup legal expenses from the fraud victim and plaintiff, its former account holder Choice Escrow and Land Title.

At first blush, this case appears to be the decisive win banks need to defend themselves against future lawsuits. The ruling firmly states that commercial customers actually do share risk for electronic wire fraud losses. But upon closer inspection, the triumph may not be as solid as it appears.

The unquestionably good news is that the case relieves banks from bearing the sole onus to secure online banking and affirms that customers are required to play a significant role as well. Since hackers can target customers’ computers as well as bank’s servers, customers must actively participate in fraud mitigation in order to prevent cybercrime.

Freshly armed with this new legal precedent, banks can tell their customers that resisting additional security measures could make them liable for electronic fraud losses.  The court firmly held that when a customer “insists on using a higher-risk procedure because it is more convenient or cheaper [the account holder has] voluntarily assumed the risk of failure of the procedure and cannot shift the loss to the bank”.

However, banks must be mindful of how they offer additional security to customers. There appears to be a firm distinction between whether the security options are opt-in or opt-out. Before Bancorp South allowed Choice Escrow to decline the use of Dual Control, a security procedure in which one authorized user initiates a transaction and a second authenticates it, the bank required its customer to opt-out by signing a memo stating that it had been made aware of the threats to online banking, was declining the use of a security control which would mitigate those risks, and in doing so was assuming liability for any fraudulent transfers.  BancorpSouth’s best practice stands in stark contrast to the case brought against Ocean Bank (which was later acquired by People’s United Bank) by construction company Patco. Patco was able to successfully argue that because the bank’s security controls were opt-in, it was unaware of any additional protections it offered. 

Banks are also likely jumping for joy because of the court’s ruling that financial institutions do not have to implement a system that manually reviews every transaction to be commercially reasonable.  However, this comes with a big caveat, as the fraud occurred prior to the release of Federal Financial Institutions Examination Council guidance that instructs bank to set up automated or manual processes to detect fraud.  Banks hoping to use this precedent in future cases may be left holding the bag when the opposing side successfully argues that since banks failed to review each transaction, the payment order was not accepted in accordance with guidance and was thus not in good faith. 

This case firmly demonstrates that banks following industry best practices to deter fraud can successfully shift liability of fraudulent losses to the customer. But in order to do so, banks must properly educate their customers about the risks of online banking and carefully document all of its efforts and communications.  As with customers that choose apathy over security, banks that fail to do the extra work will find themselves cutting six-figure checks when corporate account takeover occurs.

Ryan Elmer is the national director of eBankSafe by Total Networx, a fraud-deterrence line designed to mitigate the risk of corporate account takeover and electronic wire fraud.