Inconvenient Security: When Attorneys Drive Security Decisions
The Choice Escrow fraud liability case was once again in the news as an appellate court denied its request for a rehearing of its case against BancorpSouth over wire fraud liability. Choice Escrow was found responsible for a $440,000 online wire fraud in 2010, primarily because it refused to use dual authorization security offered by the bank for wire transfers.
Unfortunately for Choice Escrow, its legal team did not sufficiently argue that using such a security measure would negatively affect the company’s business. If it had proved that dual authorization would have slowed down payment execution due to its limited staff — which would have negatively affected its business — the decision would likely have been different.
The Challenge of Usable Security
One of the biggest issues facing the financial services industry is usable security — that is, security methods that are both highly effective and highly convenient for bank customers. Unfortunately, the Choice Escrow decision will encourage many bank attorneys to convince their clients to offer inconvenient and potentially ineffective solutions to their commercial customers as a route to fraud indemnification. The simple indemnity argument will be as follows:
“We offered a security solution, but the customer didn’t accept it. If he or she used it, we would have prevented the fraud. Because the customer made the choice to not use it, we should not be held liable for the fraud as per the Choice Escrow case.”
Because it is both relatively inexpensive and effective, many banks will take a page from the Choice Escrow case and offer their customers dual authorization and then document the communication between the customers who refuse the offer. This will become the “get out of jail free” card in case of a successful fraud event.
Dual Authorization Is Not Foolproof
Dual authorization, however, is not a panacea. It has been — and can be — bypassed by malware and phishing-based fraud schemes. In fact, virtually all authentication procedures can be bypassed by malware and phishing-based fraud schemes. If the industry begins to expand its use of dual authorization, cyber criminals will step up their game against this defense. When customers experience fraud that bypasses dual authorization, banks will have to go back to the drawing board to come up with an acceptable legal defense.
The primary reason why dual authorization is not used more in commercial banking is simply due to its negative impact on the customer experience. Just consider the operational gymnastics that would be required to initiate and authorize a single payment in almost any situation where employees aren’t working closely together on that payment. On one side is the burden created by the initiator having to fully explain the reason for the payment to the authorizer, or the authorizer having to find an initiator and provide the explanation for the payment. Because both parties are liable for inappropriate payments, the payment process just got a lot longer and far more resource-intensive.
On the other side are those authorizers who simply don’t have the time or interest to review each payment. They approve every payment that comes their way, thereby defeating the whole purpose of dual authorization. Burdened with authorizing multiple online payments while trying to perform their regular job, authorizers can become lax and miss fraudulent payments. For banks, putting the burden back on the customer makes sense because fraudulent payments that an employee actually authorizes are clearly the fault of the customer.
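The two failure modes just described (an initiator who can approve their own transfer, and an authorizer who rubber-stamps everything) are both checkable in software. The following is an added illustration, not code from the article or from any bank's system: a minimal maker-checker queue that enforces separation of duties, plus a report that flags authorizers whose approvals almost always land within seconds of initiation. The `PaymentQueue` class, the `rubber_stamp_report` thresholds (30 seconds, 80 percent, at least 3 approvals) and the sample users and payments are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


class DualAuthError(Exception):
    """Raised when a payment would violate the dual-authorization rules."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    beneficiary: str
    initiator: str
    initiated_at: datetime
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None

    @property
    def released(self) -> bool:
        """A payment may leave the bank only once a second person has approved it."""
        return self.approved_at is not None


class PaymentQueue:
    """Hypothetical maker-checker queue: one user initiates, a different user authorizes."""

    def __init__(self) -> None:
        self._payments: Dict[str, Payment] = {}

    def initiate(self, payment_id: str, amount: float, beneficiary: str,
                 initiator: str, at: datetime) -> Payment:
        if payment_id in self._payments:
            raise DualAuthError(f"duplicate payment id {payment_id}")
        payment = Payment(payment_id, amount, beneficiary, initiator, at)
        self._payments[payment_id] = payment
        return payment

    def authorize(self, payment_id: str, approver: str, at: datetime) -> Payment:
        payment = self._payments[payment_id]
        if payment.released:
            raise DualAuthError(f"{payment_id} is already authorized")
        # Separation of duties: the person who keyed the payment cannot approve it.
        if approver == payment.initiator:
            raise DualAuthError("initiator may not authorize their own payment")
        if at < payment.initiated_at:
            raise DualAuthError("approval timestamp precedes initiation")
        payment.approver, payment.approved_at = approver, at
        return payment

    def all(self) -> List[Payment]:
        return list(self._payments.values())


def rubber_stamp_report(payments: List[Payment], min_review_seconds: int = 30,
                        fast_fraction_threshold: float = 0.8, min_sample: int = 3) -> Dict[str, dict]:
    """Per approver: how many approvals, how many came faster than a plausible review,
    and whether the pattern looks like rubber-stamping. Measuring from initiation is a
    simplification; a real system would measure from when the approver opened the item."""
    per_approver: Dict[str, dict] = {}
    for p in payments:
        if not p.released:
            continue
        stats = per_approver.setdefault(p.approver, {"approved": 0, "fast": 0})
        stats["approved"] += 1
        if (p.approved_at - p.initiated_at).total_seconds() < min_review_seconds:
            stats["fast"] += 1
    for stats in per_approver.values():
        stats["fast_fraction"] = stats["fast"] / stats["approved"]
        stats["flagged"] = (stats["approved"] >= min_sample
                            and stats["fast_fraction"] >= fast_fraction_threshold)
    return per_approver


def build_sample_queue() -> PaymentQueue:
    """Constructed sample: 'bob' approves alice's five payments within seconds each,
    'carol' takes fifteen minutes over dave's two. Users and amounts are invented."""
    t0 = datetime(2014, 6, 1, 9, 0, 0)
    queue = PaymentQueue()
    for i in range(5):
        started = t0 + timedelta(minutes=i)
        queue.initiate(f"P{i+1}", 1000.0 * (i + 1), "ACME Supply", "alice", started)
        queue.authorize(f"P{i+1}", "bob", started + timedelta(seconds=5))
    for i in range(2):
        started = t0 + timedelta(hours=1, minutes=i)
        queue.initiate(f"P{i+6}", 2500.0, "Northwind Ltd", "dave", started)
        queue.authorize(f"P{i+6}", "carol", started + timedelta(minutes=15))
    return queue


if __name__ == "__main__":
    for approver, stats in rubber_stamp_report(build_sample_queue().all()).items():
        print(approver, stats)
```

The report is a starting point for the bank-side monitoring the article says is now feasible: an authorizer who is flagged is not proof of fraud, but it is exactly the kind of signal that shows dual authorization has become a formality for that customer, which is when a fraudulent payment an employee "actually authorizes" becomes likely.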
Choice Escrow Case Has Far-Reaching Effects
The outcome of the Choice Escrow case could be the beginning of a slippery slope, with banks pushing more and more of the online security burden onto their clients, who are simply not prepared to take on this additional responsibility. The so-called convenience of online banking and payments will slowly become a riskier, more burdensome endeavor for commercial clients. This scenario produces several unfortunate outcomes. Commercial clients may move back to physical payment approaches (i.e., checks) to shift the burden back to the bank. Banks may start actually competing on security and usability, claiming to be safer and more convenient than their competitors. Finally, third parties may emerge that offer more secure and convenient payment options for commercial customers.
While this “indemnification approach” may seem reasonable to some, banks should not allow their legal teams to make security and customer decisions. The vast majority of commercial banking clients do not know the seriousness of current cyber threats, do not understand the effectiveness of the solutions being provided and cannot anticipate the operational implications of using a particular solution that has been implemented.
Financial institutions are in a far better position both economically and experientially to deal with protecting their clients against online fraud. Further, the industry now has plenty of tools available to effectively detect and prevent online fraud with negligible impact to the customer experience.
Ultimately, a strong fraud prevention platform that prevents the bank from getting embroiled in an ugly, public lawsuit trumps a “get out of jail free” card any day.