In a 27-page bench opinion, U.S. District Judge Patrick J. Duggan says Comerica Bank should have detected and stopped fraudulent transfers it approved for Michigan-based Experi-Metal Inc., a former Comerica customer. EMI sued Comerica 18 months ago, after Comerica approved fraudulent wire transfers totaling more than $1.9 million, asking that the bank reimburse the more than $550,000 EMI lost as a result of the transfers.
"There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident," the opinion states. "A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," Duggan writes. "Comerica fails to present evidence from which this Court could find otherwise."
On June 13, the court ordered Comerica to pay EMI for the losses. Comerica says it expects to appeal the decision. "While we respect the judge's opinion, Comerica believes it acted in good faith and plans to appeal," Comerica says in a statement issued about the opinion. "As noted by the judge, Comerica's security token technology is commercially reasonable and in compliance with current Federal Financial Institutions Examination Council guidelines. We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision."
EMI attorney Richard Tomlinson says the case highlights a number of points, the least of which relates to corporate ethics. "It tells us that the banks can't rely on their own self-serving contracts; they have to have an objective good-faith standard," he says. "This allows the courts to look at the banks' actions and determine whether they are good faith and fair."
Implications for Banks?

The court's message in the EMI-Comerica case is pretty clear, but not simple, says privacy attorney David Navetta, who specializes in IT security. "The real focus here was the good faith requirement under UCC [Uniform Commercial Code] 4A-202," he says. "The burden to establish good faith was on Comerica, according to the court."
Navetta says the court did not find evidence of intentional wrongdoing, but it did focus on whether Comerica practiced "reasonable commercial standards of fair dealing."
"This is where the opinion gets a bit confused," Navetta says. "On the one hand, the court indicated that the bank had established commercially reasonable security. On the other hand, the court based its decision on the lack of fraud detection mechanisms employed by Comerica."
Navetta says the court's view was that Comerica should have had better fraud detection mechanisms to detect and analyze risks.
Jim Payne, director of business development of Missouri-based Choice Escrow, which lost $440,000 to wire fraud, says banks should have better fraud mechanisms in place, and that the judge's opinion in the EMI case is a win for small business. Choice Escrow in November 2010 sued its former bank, BankcorpSouth, alleging inadequate security measures.
Other recent account takeover incidents striking small businesses include:
- Village View Escrow of Redondo Beach, Calif., which in March lost $465,000 to an online hack, and has recently filed a suit against its former bank;
- Hillary Machinery, which in January 2009 was sued by its bank, Plains Capital Bank, after a heated legal battle over ACH fraud liability. The suit was later settled for undisclosed terms; and
- The Catholic Diocese of Des Moines, Iowa, which in August lost $600,000 in fraudulent ACH transactions.
"Simple passwords alone do not provide sufficient commercially reasonable security," Payne says. "Where is the principle of doing what is right and just? ... In the end, Comerica knew it had screwed up, but would not take responsibility; shame on their business model."
'Reasonable' and FFIEC Guidance

The courts' findings regarding legal liability, reasonable security and contractual obligations have not been consistent. In late May, a District Court in Maine found that Ocean Bank had fulfilled its contractual obligations for security and authentication when it requested only log-in and password credentials before approving transfers for former customer PATCO Construction Inc. [See ACH Legal Ruling Favors Bank.]
PATCO sued Ocean Bank in 2010, after the construction company's account was taken over by cyberthieves, resulting in more than $500,000 in fraudulent ACH transactions.
The question over "reasonable" security, outlined in the Uniform Commercial Code, is one the financial industry has hoped courts would answer. Whether the ruling in the EMI case stands the test of time, however, remains to be seen.
Navetta says courts don't want to touch the "reasonableness" issue, but it's getting more difficult to avoid it. "And the FFIEC's guidance on what is reasonable would certainly be considered in most cases," he says. Pointing to the 2009 Shames-Yeakel v. Citizens Bank case, Navetta says the court found in favor of the plaintiff, since the bank's security standards were clearly not reasonable when compared with standing FFIEC guidance.
Tomlinson says the guidance also carried weight in the EMI-Comerica case. "Although the judge made sure he wasn't citing it as controlling, he did cite it, and I think it did influence his ultimate finding," he says.