Bank Sues Customer Over ACH/Wire FraudCounterclaim Alleges Business is to Blame for $440K Loss
In another legal wrangling over liability linked to ACH and wire fraud, a bank is taking action against a former commercial customer, claiming the customer, not the bank, is liable for losses and damages, as well as legal costs.
See Also: Rethinking Endpoint Security
In March, BancorpSouth, a $14.3 billion bank in Mississippi, filed a counterclaim against Choice Escrow and Land Title LLC, a family-owned business based in Missouri. This week, Choice Escrow co-owner Jim Payne is being questioned in a deposition tied to the counterclaim.
The case between Choice Escrow and BancorpSouth is the third lawsuit between a bank and commercial customer involving an incident of ACH and wire to get attention in recent weeks.
Last week, a federal appellate court reversed a lower court's ruling in the ACH/wire fraud dispute between PATCO Construction Inc. and the former Ocean Bank, which is now part of People's United. In the July 3 decision, the court ruled in favor of PATCO, reversing a district court's judgment that favored the bank, and further recommended that the two parties pursue an out-of-court settlement of the case. The case is the first ACH/wire fraud dispute to be reviewed by a federal court (see PATCO ACH Fraud Ruling Reversed).
And in June, Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, settled with the bank for an undisclosed amount. Despite not going to trial, the settlement was noteworthy, legal experts say, because Village View recovered more than the full amount of the funds it lost, plus interest (see Settlement Reached in ACH Fraud Case).
The Counterclaim Arguments
In its counterclaim, BancorpSouth contends Choice Escrow is responsible for the $440,000 hit its online business account took in March 2010 after cyberthieves compromised Choice's username and password.
BancorpSouth notes, in its counterclaim to the court, three primary points:
- The wire transfer it approved was the "direct and proximate result of the negligence of Choice [Escrow], acting by and through its agents and employees."
- According to the contract Choice Escrow signed with the bank, which includes a funds transfer agreement, the business services agreement and an agreement to use the bank's InView System, "Choice [Escrow] is contractually obligated to indemnify and hold harmless BancorpSouth Bank from any losses and damages sustained by Choice [Escrow] arising from its own conduct or negligence or the actions or omissions of its own agents or employees."
- The contracts Choice Escrow signed with BancorpSouth make it obligated to indemnify the bank for attorneys' fees, court costs and other expenses related to its suit against the bank.
Choice Escrow in November 2010 filed a lawsuit against the bank seeking damages and recovery of losses linked to the attack, claiming the bank should have declined the transfer. The funds were routed to Cyprus, and Choice Escrow had no history of wiring funds overseas.
In its counterclaim, BancorpSouth contends Choice Escrow's lawsuit is without merit.
Now a Missouri court will have to decide which party is ultimately responsible for the loss.
Neither Payne nor BancorpSouth's attorneys could be reached for comment, as depositions are ongoing. But in its 12-page counterclaim, BancorpSouth contends that Choice Escrow's contractual decision to not take advantage of dual-control authentication offered by the bank made Choice Escrow vulnerable, and ultimately responsible for the fraud.
In its counterclaim filed in Missouri, BancorpSouth says Choice Escrow's refusal to use dual-control authentication, which would have required two Choice Escrow employees with separate usernames and passwords to initiate and complete outgoing wires, relieves the bank of any responsibility or liability.
In April 2009, when Choice Escrow signed up for the bank's InView Automated Information Reporting Services, which include account access and management and provide businesses with the ability to schedule wire transfers, it opted out of the dual-control option, the counterclaim says. Later in 2009, Choice Escrow again declined to sign for the dual-control feature after BancorpSouth asked the business to acknowledge in writing that it had voluntary chosen not to use the feature, according to the counterclaim.
In November 2009, according to the filing, a representative from BancorpSouth contacted Payne via e-mail about the bank's dual control, stating that the bank always recommends dual controls for wire transfers. "If someone in the company is compromised, then the hacker would not be able to initiate a wire with just the one user's information," the bank told Choice Escrow in the e-mail, according to the counterclaim. BancorpSouth says Payne declined, saying it would be too difficult for Choice Escrow to have two employees always available at the same time to approve wires.
The dispute between BancorpSouth and Choice Escrow has been ongoing since late 2010, eight months after cyberthieves infected one of Choice Escrow's computers and hijacked the business' online username and password.