“Reasonable Security” Wins Lawsuit

Posted on June 24th, 2014 by Dan Rampe

BankcorpSouth

Recently, in a dispute over account takeover losses, an appellate court ruled in favor of the bank. In lay terms, the appellate court’s ruling says if banks and credit unions offer reasonable security measures that are accepted and implemented by customers, the financial institutions have fulfilled their security obligations.

In her piece on bankinfosecurity.com, Tracy Kitten interviewed legal experts and others including some of the principals involved in exploring a case that definitely has implications for commercial banking customers and the financial institutions who serve them. The following has been edited to fit our format. You may find the full article by clicking on this link.

[After] Missouri-based Choice Escrow Land Title LLC appealed a district court’s findings in its case against BancorpSouth, the Eighth CircuitCourtof Appeals…supported the lower-court’s ruling.

[Dan Mitchell, the attorney who represented account-takeover victim PATCO Construction said] “The Eight Circuit affirmed the trial court’s ruling that the risk of loss was shifted back to the customer, Choice Escrow, because BancorpSouth offered dual control to Choice, but Choice declined it and agreed to be bound by the bank’s other security procedures.” Those other procedures included password protection, daily transfer limits and device identification, a system that would trigger challenge questions if a wire or payment was scheduled from an unrecognized device….

Mitchell, who works in the litigation and business law practice at Maine-based Bernstein Shur, and cybersecurity attorney Joseph Burton, managing partner at the San Francisco office of the law firm Duane Morris, say the ruling supports a wider perspective of what is deemed “commercially reasonable” when it comes to security expectations. They say the federal court leans heavily on Article 4A of the Uniform Commercial Code, which includes a provision about how banking institutions should handle incidents of wire-transfer fraud.

If a bank or credit union offers reasonable security procedures that a customer refuses, then under the 4A provision, the customer is liable if fraud results, Mitchell and Burton say.

Paying Legal Fees

In addition to not getting any compensation for the losses it suffered from its takeover incident, Choice Escrow now has to pay BancorpSouth’s attorneys’ fees as well.

Burton says requiring commercial customers that lose lawsuits against banks to pay the banks’ legal fees will likely deter customers from filing suits related to account-takeover losses.

“Under normal circumstances, parties have to bear their own fees,” he says. “An exception can exist, however, when there is a contractual agreement between the parties that provides for indemnification of legal fees by one party to another. There was such a provision in the account agreement in this case. The bank filed a counterclaim, based on this provision; but the trial court dismissed it. On appeal, the bank argued this was an error, and the Eighth Circuit agreed….”

Parties’ Responses to Ruling

Jim Payne, co-owner of Choice Escrow, says his company is exploring some additional legal options, but that the ruling is an obvious disappointment.

“What is there to say?” he asks. “We’re devastated, and probably going out of business. We can’t pay the attorney fees for them [BancorpSouth].”

“[BancorpSouth says the ruling] underscores the role that customers play in helping to prevent online fraud. We have maintained since the beginning of this case that BancorpSouth always acted in good faith and that its procedures were and are commercially reasonable….”

The Case History

In November 2010, Choice Escrow sued BancorpSouth to recover $440,000 it lost in March of that year after the bank approved fraudulent wire transfers to an overseas account in Cyprus. Choice Escrow argued that the bank’s verification procedures for wire transfers were not commercially reasonable, per Article 4A of the UCC.

In August 2012, a district court in Missouri dismissed BancorpSouth’s counterclaim against Choice Escrow. In the motion the bank had claimed its former commercial customer was liable for the losses. The court labeled the decision as being “a very close call.”

But in March 2013, the same Missouri district court sided with the bank in a ruling on Choice Escrow’s lawsuit, noting that Choice Escrow’s decision to decline BancorpSouth’s offers for dual or two-person authorization for wire transfers made the company vulnerable.

In its June 2013 appeal, Choice Escrow contended that BancorpSouth’s verification procedures, in addition to not being commercially reasonable, failed to meet the good faith standard outlined by the Federal Financial Institutions Examination Council in its 2005 guidance for Internet banking transactions.

Choice Escrow argued the bank should have offered multifactor authentication.

But the Eighth Circuit Court of Appeals, in June 2014 [found] that the bank’s offer of dual or two-person authorization, on its own, was reasonable.

Appellate Court’s Findings

In its decision, the appellate court supports the lower court’s decision, noting that security does not have to be extremely technical or complex in order to be considered “reasonable.”

[If] the security procedure is reasonable, by the most fundamental definition of the term, and the customer turns down that procedure, then the customer, by default, accepts responsibility for fraud that might result by not using that procedure….

In its ruling, the court notes: “If a bank offers its customer a security procedure and the customer declines to use that procedure and agrees in writing to be bound by payment orders issued in its name and accepted by the bank in accordance with another security procedure, then the customer will bear the risk of loss from a fraudulent payment order if the declined procedure was commercially reasonable.”

Straightforward Case?

Burton says it’s hard to disagree with the court’s findings. “In many ways, the case is fairly straightforward.”

The customer refused a security procedure that was commercially reasonable and suitable, and instead chose to use a higher-risk procedure “because it is more convenient or cheaper.”

Mitchell says Choice Escrow’s refusal to accept the additional security procedures offered by the bank was key to this case for the court.

“The court found no problem with the bank’s acceptance of the payment order because it was ‘not so unusual that it should have raised eyebrows,'” he says. “It was not the largest payment order that Choice ever had submitted and its wire transfers did not follow a general pattern and varied in size from a few thousand dollars to a few hundred thousand dollars.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.