New Transaction Liability
Court rulings underscore the need for layered security systems
By Cary Whaley
How does the reversal by the U.S. Court of Appeal for the First Circuit of PATCO v. People’s United affect your community bank’s corporate online services? It signals a trend by several courts to rule against banks that fail to do enough to prevent fraudulent ACH transactions or corporate account takeovers, even in instances where a bank’s business client’s computer network is breached.
This trend is underscored by the recent revisions to the Federal Financial Institutions Examination Council’s 2011 authentication supplement that warns, “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security.”
So even if your community bank includes contractual language in its corporate account agreements to protect itself from liabilities caused by breaches of a client’s network, that legal precaution may not absolve your bank from the intended liability.
This is a marked shift in potential legal liability for banks. No longer is a bank’s duty of security of its customers’ accounts limited to just the locks on the doors (authentication), but it now also needs to include monitoring those accounts for suspicious behavior (anomaly detection).
The PATCO reversal
The court decision in the PATCO case brings new ramifications to community banks that offer online banking services to their small-business customers. In this case, a bank provided a business banking service to PATCO, a Maine construction company. The online log-in and password credentials for transaction verification with the company’s bank account did not comply with the FFIEC’s requirements for multifactor authentication.
In 2009, cyberfraudsters breached the account’s credentials and stole more than $500,000 from the account after initiating several wire transfers.
During a civil lawsuit between the bank and the construction company over the account theft, an appeals court found the bank’s security procedures to be “commercially unreasonable” and said the bank should have detected and stopped the fraudulent wire transfers. The court determined that the wire transfers should have raised red flags at the bank and triggered extra security measures to validate the transactions.
Meanwhile, in 2011, as a response to growing account takeover threats, the FFIEC issued, “Supplement to Authentication in an Internet Banking Environment,” which updates the agency’s 2005 guidance establishing expectations regarding customer authentication, layered security or other controls in the increasingly hostile online environment. Specifically, the FFIEC supplement focuses on online business systems, particularly those that use ACH and wire transfers, and identifies these transactions and providing increased risk to the banks that offer them.
The supplement recommends layered security, using different controls at different points in a transaction process. Adding layers can strengthen the overall security of Internet-based services and can be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and their resulting financial losses.
Put another way, as cyber-fraudsters evolve their tactics, banks have had to increase their security controls and methods to combat the threat. Online security has to be approached with the same mindset and action that a bank would uphold to safeguard its physical assets. The analogy follows that banks not only use locks and a safe to secure its cash, but they also use cameras to monitor people who might be acting suspiciously on their property. In the same way, banks are expected to use multiple layers of protections to digitally safeguard their customers’ accounts.
A recent fraud survey conducted by the Federal Reserve Bank in Minneapolis in cooperation with ICBA shows that community banks are employing a number of online account protections covered under the 2011 supplement and that those efforts have resulted in a significant reduction in fraud. Seventy-four percent of banks with reductions in fraud had changed their risk management practices to better protect against online fraud. Among the most used authentication technologies was customer authentication for online transactions (79 percent), which was also most frequently rated by banks that participated in the Minneapolis Fed’s survey as very effective.
Many community banks are evaluating methods for transaction monitoring. Many of these solutions add an additional layer of security without adding hardware costs (as with hard tokens), and the technology can be used to notify proactively a bank’s customer of a potential account compromise.
However, the Minneapolis Fed’s survey also shows the heightened risk association with ACH and wire transfers. While only 6 percent of the survey’s respondents said wire transfer generated the highest number of fraud attempts, 5 percent of those polled equated it to their highest dollar losses.
Among the online security solutions most frequently rated as very effective in fighting this type of fraud is pattern matching (59 percent), a technique used by Guardian Analytics, a systems security firm in Mountain View, Calif., to spot and flag atypical activities relative to a customer’s behavior. The company’s software analyzes not just transaction data, but also the full scope of the account and any deviation in past transaction patterns—such as the amount of a transaction; how, when and where a customer logs in to an account; the order and the pace at which a transaction is performed; and the type of payment and even payees assigned to a particular payment, explains Tiffany Riley, Guardian Analytics’ vice president of marketing.
Technology is only as effective as the latest malware fix and the knowledge of those put in charge of implementing it, the regulations also emphasize the importance of testing the adequacy of risk management procedures. It’s up to a bank to contact its third-party provider and inquire about its fraud prevention measures and available account protection options. It’s also the responsibility of the bank to educate its online banking customers, particularly those that perform high-risk transactions, about the fraud environment and how those customers can mitigate their exposure.
While community banks are experiencing fewer fraud losses from business accounts than from their retail consumer accounts, corporate account takeover was strongly associated with the highest fraud losses at community banks. Compared with all other community banks, the community banks experiencing fraud losses in excess of $10,000 were much more likely to have experienced either business ID theft (61 percent versus 11 percent) or a compromised online business account password (39 percent versus 4 percent), according to the 2012 ICBA Community Bank Technology Survey.
The issue of employing robust multifactor security systems is no longer just a matter of compliance. Court rulings are now increasingly creating significantly more legal responsibility for banks over how they protect their customers and their money.
Cary Whaley (email@example.com) is vice president of payments and technology for ICBA.