New ACH Fraud Suit FiledVillage View Escrow is Latest Fraud Victim to Sue Bank
California-based Village View Escrow Inc. on June 27 filed a complaint with the California Superior Court, Los Angeles, against Professional Business Bank, claiming the bank is liable for the $465,000 financial loss Village View suffered after hackers infiltrated its online bank account.
Now Village View wants Professional Business Bank not only to reimburse it for the direct financial losses it suffered because of the hack, but also for online banking maintenance and service fees paid to the bank between 2008 and 2010. Other demands listed in the complaint include payment for damages Village View suffered stemming from loan penalties and interest.
From a higher level, the suit raises questions about "good faith," reasonable security and Professional Business Bank's compliance with existing Federal Financial Institutions Examination Council guidelines. [See the updated FFIEC authentication guidance.]
The complaint alleges that Professional Business Bank failed to have procedures in place for the recovery of stolen funds, in essence ignoring "numerous warnings from the FFIEC and the FDIC [Federal Deposit Insurance Corp.] of the prevalence of" online attacks and incidents of corporate account takeover.
All About 'Good Faith'David Navetta, an attorney who specializes in IT security and privacy, says the complaint echoes similar allegations and claims recently made by other victims of ACH-related fraud.
"The allegations track to other cases we've seen in a lot of ways," Navetta says. "They touch on good faith, but I'm not sure how strong it will be in this context. They're looking at commercially reasonable security and misrepresentation. So, at the end of the day, we are looking at the same concepts we've seen in other recent cases."
Two similar cases: PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. v. Comerica Bank. Both cases raised questions about liability and reasonable security, yet each resulted in a very different verdict.
In 2010, PATCO sued Ocean Bank for the more than $500,000 it lost in May 2009, after its commercial bank account with Ocean Bank was taken over. PATCO argued that Ocean Bank was not complying with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.
A U.S. District Court disagreed. In May, a District Court magistrate, conceding that Ocean Bank's online security in 2009 could have been better, found that the bank did meet legal requirements for multifactor authentication.
In December 2009, EMI filed its suit against Comerica, after more than $550,000 in fraudulent wire transfers were approved by Comerica from EMI's account.
In the EMI ruling, unlike the PATCO decision, the court found that Comerica should have identified and disallowed the fraudulent transactions, based on EMI's history. EMI's prior wire-transfer activity, which had been limited to a select group of domestic entities, should have been noted by Comerica before it approved transfers to overseas accounts, the court said. The court also noted that Comerica's knowledge of phishing attempts aimed at its clients should have caused the bank to be more cautious.
In his 27-page bench opinion, U.S. District Judge Patrick J. Duggan said Comerica should have detected and stopped fraudulent transfers. "There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident," Duggan's opinion states.
Impact of FFIEC Authentication GuidanceIn the Village View complaint, like the EMI ruling, "good faith" is mentioned. "What they're doing is a little more focused on misrepresentations that were allegedly made - the promises that were made about security, despite what was mentioned in the contract," Navetta says.
It's a gray area re: what should be considered contractually applicable and reasonable. "In the EMI case, it was the good faith part that the judge focused on," Navetta says. "Comerica 'should have' known better."
Navetta says the precedent set by the EMI ruling is giving attorneys for commercial customers more ammunition, allowing them to move beyond the black-and-white terms of contracts and into the hazier areas of good faith and reasonable security.
"So the question is, 'Is the new FFIEC guidance going to make a difference?'" Navetta asks. "And now we have to remember that all of this stuff happened before the new guidance came out, and that's likely what the banks are going to argue."
In the PATCO case, the court took a fairly literal approach to its analysis and bought the bank's argument that the scheme being used was multifactor, as described in the FFIEC guidance, Navetta says.
But if the PATCO case were to go to trial today, the outcome might be very different, since the court's view of what constitutes multifactor does not jibe with common industry standards, nor does it fall in line with how the FFIEC defines multifactor.
"I think the courts are viewing multifactor authentication differently today," Navetta says. "Again, these are all guidance documents, but they would certainly influence a judge's viewpoint. ... When we look at reasonable security, there are certain things banks should already be doing, according to the guidance. This is not like a law; this is guidance that tries to reflect good industry standards about controls."