November 13, 2018
On Banking, Account Takeovers and FFIEC Compliance
Posted July 9, 2015
Law Firm Details Ways Banks Can Limit Liability in Corporate Account Takeovers by Complying with FFIEC Guidelines
With offices from KC to DC, Stinson Leonard Street is a law firm with an extensive practice that includes banking and finance, business and commercial litigation, healthcare, technology and a whole lot more. Let’s just say they’re pretty big and probably have an hourly rate rivaling a parking garage in Midtown Manhattan.
In a piece on lexology.com, the law firm examines laws and regulations governing account takeover situations and details how banks can best manage account takeover risks. The following has been excerpted from the lexology.com piece and edited to fit our format. You may find the complete article by clicking on this link.
The most significant type of cyberattack in…banking…is [the] “corporate account takeover,” which occurs when a computer hacker steals a depositor’s online banking credentials and then, acting as the depositor, makes fraudulent outgoing wire transfers. The customer’s funds end up in very far-away places. To the bank, the transactions appear to be authorized by the accountholder and valid. By the time the bank and depositor realize there has been a theft, it is usually too late to recover the funds.
Who bears the loss—the bank or the customer?
Laws and regulations in the last decade have increased the liability for banks who do not take the proper preventative measures to insure against corporate account takeover.
The Uniform Commercial Code general rule is the bank is stuck
Under Article 4A of the [UCC], the general rule is that the loss falls on the bank for an unauthorized outgoing wire, even if it appears to the bank that the transaction has been authorized.
However, there are two exceptions to this rule: (1) the depositor fails to report the unauthorized debits to its account within one year and (2) the bank has in place a “commercially reasonable security procedure” to protect against hacking, the security procedure is embodied in a contract between bank and customer, and the bank accepted the outgoing wire in good faith and in compliance with the security procedure. The rules governing the second exception have been heavily litigated….
Federal Financial Institutions Examination Council (FFIEC) “Guidance”: a banker’s “must-read”
To determine what is a commercially reasonable security procedure, the Federal Financial Institutions Examination Council …periodically releases “Guidance” to help banks to “identify and mitigate cyberattacks.” The most recent guidance was issued on March 30, 2015. It includes eight “risk mitigation” recommendations for financial institutions.
Financial institutions should:
- securely configure systems and services
- review, update, and test incident response and business continuity plans
- conduct ongoing information security risk assessments
- perform security monitoring, prevention, and risk mitigation
- protect against unauthorized access
- implement and test controls around critical systems regularly
- enhance information security awareness and training programs
- participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center
The expectation of layered security
The 2011 Guidance described layered security as “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” The FFIEC recommends that financial institutions use more than a single layer of customer authentication. The most common example of a single layer of authentication is requiring a customer’s username and login. The FFIEC requires more security layers than simply requiring password authentication. Financial institutions should consult the FFIEC guidelines for examples of other layers of authentication.
Two types of layered security
The FFIEC guidelines set forth two particularly important types of layered security: (1) the use of dual-factor authentication such as usernames/passwords plus tokens, callback or challenge questions and (2) the use of software to detect out-of-pattern transactions involving outgoing wires. Keep in mind that the courts use the FFIEC Guidance to determine whether the bank’s security procedure was commercially reasonable and in good faith.
Confusion in the courts
Courts sometimes confuse commercially reasonable and good faith. By employing layered security and complying with the FFIEC Guidance, banks can show their security procedures were commercially reasonable and in good faith. Layered security is one of the best ways to protect a financial institution from civil liability as well as protect customers’ assets from the threats of deposit account takeover.
Two key court cases
There are two key federal appellate decisions in this area—one in favor of the customer and the other in favor of the bank. In 2012, the First Circuit held that a bank’s security procedure was not commercially reasonable even though it used dual-factor authentication. In Patco Construction Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012), the bank employed multiple security procedures to comply with the 2005 FFIEC Guidance, but it lost the case because at least one procedure was counter-productive.
How much security do you get for $1?
Most notably, the security company’s software allowed banks to set a threshold amount for transactions that would trigger a security challenge question to authenticate the transaction. Initially, the bank in Patco set the threshold at $100,000. The bank later lowered the threshold to $1, effectively requiring security challenge questions on every internet transaction. The bank argued that this raised the level of security because it required answering security questions for every transaction. In 2009, a hacker obtained a customer’s banking information and authenticated a series of transactions close to $600,000. The bank was unable to retrieve $243,406 of these funds.
Actually increased fraud risk
The First Circuit held that the lower threshold of $1 triggering the challenge questions hurt customers by increasing the risk of fraud. The court’s rationale was that requiring challenge questions on every transaction gave hackers more opportunity to capture the vital information. The court also held that the bank did not have a practice of closely monitoring all transactions, even if it had warning that fraud was occurring. The court held that these failures, taken as a whole, showed that the bank’s security procedure was not commercially reasonable.
Multilayered defense might not be enough
This First Circuit case is significant because it shows that employing multi-layered authentication may still not insulate financial institutions from liability.
A difference of opinion between courts
In contrast to the First Circuit’s decision, a 2014 case from the Eighth Circuit ruled in favor of the bank. In Choice Escrow and Land Title, LLC. v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the Eighth Circuit ruled that the bank’s security procedure was commercially reasonable and the bank acted in good faith.
Four layers of security
The bank provided four security measures for its customers. The first was a simple ID and password requirement. The second was authentication software that monitored the customer’s IP address and other specific information of the customer’s computer. This allowed the bank to ensure that the same computers were authorizing the transactions; if another computer or IP address was used, then the user had to correctly answer challenge questions. The third security layer allowed customers to place dollar limits on wire transfers. The fourth layer was called “dual control.” This measure required every outgoing wire transfer to be authenticated by two separate users with distinct IDs and passwords.
Commercially reasonable security
The Eighth Circuit held that the bank’s four levels of security authentication were commercially reasonable, even though the customer in the case had rejected two of them. The court noted that the Uniform Commercial Code releases a bank from liability if a security procedure is offered to a customer and the customer declines the procedure in writing and agrees to a different procedure. This effectively shifts the liability to the customer.
Having the human touch was “unreasonable”
The court rejected the argument that to be “commercially reasonable,” a security procedure must include a human being manually reviewing every payment order submitted to the bank. Further, the court found that the bank acted in good faith, and pursuant to agreement, in accepting the outgoing wires.
FFIEC Guidance the primary authority
Importantly, the Eighth Circuit relied on the FFIEC Guidance as a test for determining what is a commercially reasonable security procedure. The court called the FFIEC Guidance the “primary authority” in measuring the reasonableness of a security measure. This is important for financial institutions to note, since the courts are relying heavily upon the FFIEC guidelines when considering liability in cases of cyberattacks.