In May 2009, an unknown hacker gained access to PATCO Construction’s online banking account at People’s United Bank (doing business as Ocean Bank). PATCO claimed the hacker somehow installed malware on a company PC to obtain banking credentials and commit online fraud. The fraudster was then able to use the stolen credentials — a user ID, password and the answers to three security questions — to access a PATCO employee’s online bank account.
Over a five-day period, the hacker initiated fraudulent Automated Clearing House (ACH) and wire transfers totaling over $588,000. Although the bank’s risk engine flagged the transactions as being “very high risk,” the debit requests were successfully processed. Once the fraud was discovered, the bank was able to recover less than half of the funds, leaving PATCO with a loss of approximately $345,000.
Reversing a lower-court ruling, a federal court of appeals stated that the bank’s security system was “commercially unreasonable,” based on requirements set under Article 4A of the Uniform Commercial Code. While the technology components of the bank’s security system appeared reasonable on paper, the manner in which the bank operated the technologies was called into question.
The appellate court’s final advice? “On remand, the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.”
Earlier this month, the parties did just that. PATCO’s Chief Executive Officer Mark Patterson reported that a settlement had been reached, with People’s United Bank refunding all losses suffered by his company. This settlement, coupled with the outcome of the Experi-Metal lawsuit, which also favored the commercial customer over its bank, has set a precedent that will have far-reaching ramifications for the industry.
Sentiment Has Shifted Toward the Commercial Customer
The recent update to the Federal Financial Institutions Examination Council’s (FFIEC) 2005 “Authentication in an Internet Banking Environment” guidance was clearly focused on driving banks to implement better fraud prevention capabilities to protect commercial customer accounts, especially for small- and medium-sized businesses (SMBs). Now, with two landmark cases ruling in favor of the commercial customer, legal precedent has also shifted away from financial institutions regarding online fraud incidents. With regulators and courts stepping in to protect SMBs, the days of banks using UCC 4A to deflect fraud liability to the customer are over.
‘Commercially Reasonable’ Isn’t What It Used to Be
Many financial institutions believe that providing “commercially reasonable” security consists of acquiring a set of fraud prevention technologies similar to those of their peer institutions. However, recent court rulings indicate that the manner in which those technologies are implemented and operated is a critical factor in determining commercial reasonableness. If an allegedly “commercially reasonable” fraud prevention platform fails to detect a commonly used fraud scheme, it will be very difficult to argue that it was implemented properly.
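The operational point above, that a risk engine which scores a debit as “very high risk” and then processes it anyway offers no protection, can be shown in a few lines. The following is an added illustration, not the bank's system or any real vendor's engine: the scoring factors, thresholds and the sample transfers are all constructed assumptions. It runs the same batch through two operating policies, one that only records the score and one that acts on it.

```python
"""
Added example: the same risk engine operated two ways.
"flag_only" scores and logs each debit but still processes it;
"hold_on_high_risk" holds "very high" debits for out-of-band verification
and requires step-up authentication for "elevated" ones.
All factors, thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Transfer:
    txn_id: str
    account: str
    amount: float
    kind: str            # "ACH" or "WIRE"
    new_payee: bool      # payee never paid from this account before
    device_known: bool   # session came from a device previously seen on this account


@dataclass
class Decision:
    txn_id: str
    score: int
    label: str
    action: str


def risk_score(t: Transfer, typical_amount: float, running_total: float) -> int:
    """Additive score from a handful of behavioural signals (illustrative weights)."""
    score = 0
    if typical_amount and t.amount > 5 * typical_amount:
        score += 40   # far above the account's normal debit size
    if t.new_payee:
        score += 25   # funds going somewhere this account never paid before
    if not t.device_known:
        score += 25   # valid credentials presented from an unfamiliar device
    if t.kind == "WIRE":
        score += 10   # wires are harder to recall than ACH debits
    if typical_amount and running_total + t.amount > 10 * typical_amount:
        score += 20   # cumulative attempted outflow in the window is abnormal
    return score


def label(score: int) -> str:
    if score >= 70:
        return "very high"
    if score >= 40:
        return "elevated"
    return "low"


def decide(t: Transfer, typical_amount: float, running_total: float, policy: str) -> Decision:
    score = risk_score(t, typical_amount, running_total)
    lbl = label(score)
    if policy == "flag_only":
        action = "processed"               # scored and logged, but nothing acts on the label
    elif lbl == "very high":
        action = "held_for_verification"   # released only after out-of-band confirmation
    elif lbl == "elevated":
        action = "step_up_auth"            # second factor required before release
    else:
        action = "processed"
    return Decision(t.txn_id, score, lbl, action)


def run_batch(transfers: List[Transfer], profiles: Dict[str, dict], policy: str) -> List[Decision]:
    """Score a batch in order, tracking attempted outflow per account."""
    totals: Dict[str, float] = {}
    decisions = []
    for t in transfers:
        typical = profiles.get(t.account, {}).get("typical_amount", 0.0)
        decisions.append(decide(t, typical, totals.get(t.account, 0.0), policy))
        totals[t.account] = totals.get(t.account, 0.0) + t.amount
    return decisions


def released_amount(transfers: List[Transfer], decisions: List[Decision]) -> float:
    """Money that actually leaves the account under a given set of decisions."""
    amounts = {t.txn_id: t.amount for t in transfers}
    return sum(amounts[d.txn_id] for d in decisions if d.action == "processed")


# Constructed sample data: one normal payroll-sized debit followed by three
# debits to new payees from an unknown device, the last one a large wire.
SAMPLE_PROFILES = {"ACCT-1": {"typical_amount": 2000.0}}
SAMPLE_TRANSFERS = [
    Transfer("t1", "ACCT-1", 2100.0, "ACH", new_payee=False, device_known=True),
    Transfer("t2", "ACCT-1", 9500.0, "ACH", new_payee=True, device_known=False),
    Transfer("t3", "ACCT-1", 9800.0, "ACH", new_payee=True, device_known=False),
    Transfer("t4", "ACCT-1", 100000.0, "WIRE", new_payee=True, device_known=False),
]

if __name__ == "__main__":
    for policy in ("flag_only", "hold_on_high_risk"):
        ds = run_batch(SAMPLE_TRANSFERS, SAMPLE_PROFILES, policy)
        print(policy, [(d.txn_id, d.label, d.action) for d in ds],
              "released:", released_amount(SAMPLE_TRANSFERS, ds))
```

Both policies compute identical scores; the only difference is what happens after the label is assigned. Under `flag_only` every debit is released, so the log shows “very high” entries beside transfers that have already cleared, which is the situation the ruling described. Under `hold_on_high_risk` only the routine debit clears automatically. The running total is accumulated over attempted debits rather than released ones, so a sequence of mid-sized transfers still escalates even when earlier ones were held.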
Most Banks Will Now Refund Commercial Account Losses From Online Fraud
Based on the two recent cases, we expect the vast majority of banks to refund SMB fraud losses as a matter of course. Rather than deal with the reputational damage associated with an exposed — and especially litigated — fraud event, banks will simply avoid the gamble and refund losses (except for cases of egregious client negligence).
Compliance and Legal Departments Take a Back Seat
Fraud prevention will no longer be driven by administrative functions that invest in programs chosen mainly to position the bank well for regulatory examinations and legal proceedings. Instead, customer service and fraud prevention specialists will devise, implement and maintain programs that are actually designed to prevent losses rather than simply tick a compliance box. When fraud is prevented, litigation is avoided, regulatory requirements are met and costs fall. When fraud prevention is the primary focus rather than a secondary one, legal and regulatory compliance follow naturally.
Banks Are Forced to Deal With Malware-Based Fraud
The terms “malware,” “key-logging” and “man-in-the-browser/man-in-the-middle” are mentioned over 20 times in the recent 12-page FFIEC authentication guidance supplement. Both the PATCO and Experi-Metal fraud incidents involved malware. It is a well-known and documented fact that malware is being used extensively to compromise bank customers’ devices and commit fraud. Traditional antivirus applications do a poor job of detecting and preventing dangerous financial malware. Meanwhile, traditional authentication techniques and risk engines are only partially effective when it comes to identifying and preventing many forms of malware-based fraud. They also come at a high cost. A new approach for preventing malware-based fraud is sorely needed.
The PATCO ruling has triggered a seismic shift in fraud liability. Given this new landscape, preventing fraud — and specifically malware-based fraud — should be the top priority of every bank’s fraud prevention program. While it sounds obvious, many banks are more concerned with peer bank comparisons and legal positioning than with actually preventing fraud. We know malware-based fraud can be prevented in a cost-effective, customer-friendly, manageable and regulatory-compliant fashion.