Community banks often find it difficult to justify the cost of upgrading security procedures, updating customer agreements and training employees on security procedures. If a bank has never experienced a fraudulent account takeover, directors may be reluctant to pay for seemingly optional upgrades. Too often, community banks are unable to get funds approved until after a perpetrator successfully hacks into an account and a financial loss occurs.
Here are four things to consider when making decisions about security procedures:
Competitive Security Procedures Matter
The Uniform Commercial Code requires that banks have “commercially reasonable security procedures” to protect commercial customer accounts. To qualify as commercially reasonable, the bank’s security procedures should fall in line with procedures used by similar customers and banks, adhere to customer instructions, and take into account the circumstances and banking patterns of each commercial customer.
Attention to security trends is important because the bank’s security procedures will be compared to those used by similar banks if a financial loss leads to litigation. While commercially reasonable does not necessarily mean the best on the market, the UCC and relevant case law make it clear that single-layer procedures, such as signature comparisons, are not sufficient. Appropriate security procedures may include the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures or other multi-layered security devices.
Talk with your security provider about the procedures used by similar banks for similar customers. In the unfortunate event that a financial loss leads to litigation, the court will ultimately decide whether a bank’s security procedures are commercially reasonable. Banks that can respond with current and ironclad procedures will be in the best position to protect against liability.
Consider the Value of Preventing an Account Takeover
The financial and reputational impact of a single commercial-scale fraudulent account takeover will likely far exceed the cost of implementing an industry-tested upgrade designed to improve the bank’s security procedures and protect its customers. In the case of Patco Construction Co. v. People’s United Bank (formerly Ocean Bank), fraudsters correctly supplied Patco’s answers to security questions and made six fraudulent withdrawals totaling approximately $588,000. When the U.S. Court of Appeals in Boston last year found the bank’s security procedures failed to meet the commercially reasonable standard, the bank was forced to reimburse its commercial customer for the loss.
In another instructive case, Experi-Metal Inc. v. Comerica Bank, a criminal sent a phishing email and obtained a customer’s confidential identifiers. During six hours of Internet account access, the criminal initiated 97 payment orders totaling $1,901,269. Comerica recovered all but $560,000, which it charged to Experi-Metal’s account. Following a trial, a federal district court in Michigan ruled against the bank, finding the bank fell short of its duty to its commercial customer by failing to stop, or even detect, the fraud.
While meeting a bank’s legal responsibilities to its customers is not inexpensive, the reputational and bottom-line costs of a failed security episode can be devastating.
Current Security Procedures Without Employee Training May Fail
Unfamiliar and unattended procedures, no matter how reasonable, do little good. In the case of Patco Construction Co., the court faulted the bank because it did not follow its own security procedures. The bank’s security system flagged six transactions as unusually high-risk, but the bank failed to manually review any of the transactions to determine their legitimacy or otherwise notify Patco.
Train employees on the bank’s security procedures and demand strict adherence. Employees on the front line of transactions are in the best position to limit this potential liability.
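The Patco finding above turns on a gap between detection and response: the system flagged the orders, but no one reviewed them or told the customer. The following Python sketch is an added example, not code from the article or from any bank it mentions, of the control that closes that gap: an order that deviates from the customer's banking pattern is held in a review queue, the customer notification is logged, and nothing leaves the queue without a recorded human decision. The customer profile, the three-times-typical-amount rule, the payee list and the sample orders are all constructed for the example.

```python
"""Hold-and-review control for flagged payment orders (illustrative only).

Everything here is constructed for the example: the customer profile, the
flagging rule and threshold, and the sample payment orders.
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class CustomerProfile:
    customer_id: str
    typical_amounts: list   # historical order amounts in dollars (constructed)
    usual_payees: set       # payees this customer has paid before (constructed)


@dataclass
class PaymentOrder:
    order_id: str
    customer_id: str
    amount: float
    payee: str


@dataclass
class ReviewQueue:
    held: dict = field(default_factory=dict)   # order_id -> list of flag reasons
    log: list = field(default_factory=list)    # audit trail of every action taken


def risk_reasons(order, profile, multiplier=3.0):
    """Return the reasons an order deviates from the customer's pattern.

    The rule (amount above `multiplier` times the historical mean, or a payee
    never seen before) is a hypothetical threshold chosen for this example.
    """
    reasons = []
    baseline = mean(profile.typical_amounts)
    if order.amount > multiplier * baseline:
        reasons.append(f"amount {order.amount:.2f} exceeds {multiplier}x typical {baseline:.2f}")
    if order.payee not in profile.usual_payees:
        reasons.append(f"new payee {order.payee!r}")
    return reasons


def process_order(order, profile, queue):
    """Release a clean order; hold a flagged one and log the customer notice.

    The point of the control: a flag is never just recorded and forgotten.
    """
    reasons = risk_reasons(order, profile)
    if reasons:
        queue.held[order.order_id] = reasons
        queue.log.append((order.order_id, "held", reasons))
        queue.log.append((order.order_id, "customer_notified", profile.customer_id))
        return "held"
    queue.log.append((order.order_id, "released", []))
    return "released"


def review(queue, order_id, reviewer, approve):
    """A recorded human decision is the only way out of the review queue."""
    if order_id not in queue.held:
        raise KeyError(f"{order_id} is not awaiting review")
    queue.held.pop(order_id)
    decision = "approved" if approve else "rejected"
    queue.log.append((order_id, decision, reviewer))
    return decision


def unreviewed(queue):
    """Flagged orders with no decision yet: the gap the Patco court faulted."""
    return sorted(queue.held)


def demo():
    # Constructed sample data: one routine order and two that break the pattern.
    profile = CustomerProfile("cust-001", [12000, 15000, 9800, 14200],
                              {"PAYROLL-VENDOR", "SUPPLIER-A"})
    orders = [
        PaymentOrder("po-1", "cust-001", 13500, "SUPPLIER-A"),
        PaymentOrder("po-2", "cust-001", 98000, "NEW-ACCT-9931"),
        PaymentOrder("po-3", "cust-001", 97500, "NEW-ACCT-4410"),
    ]
    queue = ReviewQueue()
    results = {o.order_id: process_order(o, profile, queue) for o in orders}
    review(queue, "po-2", "ops-reviewer", approve=False)   # one order reviewed
    return results, queue                                   # po-3 still waiting


if __name__ == "__main__":
    results, queue = demo()
    print(results)
    print("still unreviewed:", unreviewed(queue))
```

The `unreviewed` report is the piece a supervisor would check at the end of every day: an empty list means every flag was acted on, and anything else is exactly the condition the court held against the bank.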
Customer Agreements Are Not a Mere Formality
Customer agreements are often used as evidence of the security procedures agreed to by banks and their commercial account holders, and the agreements can be helpful to prove that the bank kept its side of the bargain. In certain circumstances, banks may shift the risk of loss for unauthorized payment orders to commercial customers if there was an agreement that payment orders would be verified using a particular security procedure and, in fact, that procedure was followed.
Updating customer agreements allows the bank to maximize the protection available under the law. Schedule an annual review of your customer agreements and update them before offering a new service or changing security procedures. While not always the final word on liability, customer agreements play a key role and represent a real opportunity for banks to strengthen their hand.
Nathan Garrett is a principal with the law firm Graves Garrett LLC in Kansas City. He can be reached at ngarrett(at)gravesgarrett.com.
Copyright (c) September 2013 by BankNews Media