A New Legal Perspective on ACH Fraud
Choice Escrow Ruling Faults Customer, Not Bank
Future ACH fraud cases may wind up favoring banks more often than customers, says cybersecurity attorney and ACH fraud expert Joseph Burton.
Unlike other recent rulings in account takeover cases involving banking institutions and commercial customers, the judgment handed down by a Missouri court in the wire fraud dispute between Choice Escrow and BancorpSouth favored the bank. And while the Choice Escrow decision may be appealed, Burton says the judge's findings will likely have a significant impact on how future cases are decided.
"We went through a period of analyzing, 'Was the bank doing it right? What did the bank do right or what did the bank do wrong?'" says Burton, managing partner for the San Francisco office of the law firm Duane Morris, in an interview with Information Security Media Group [transcript below].
While the Experi-Metal Inc. vs. Comerica Bank case reviewed the commercial reasonableness of the bank's security offerings, and the PATCO Construction Inc. vs. People's United Bank case reviewed the actual application of the bank's procedures, the Choice Escrow case went a step further, Burton says. That case asked what obligations the commercial customer should have met.
"We [as banks and attorneys for banks] have to decide what sort of things we can do to help out the customers," Burton says, because customers need to figure out what can be done technically to avoid the liability in ACH-related cases.
During this interview, Burton reviews and discusses:
- The roles Article 4A of the Uniform Commercial Code and the Federal Financial Institutions Examination Council's updated authentication guidance are playing in court decisions;
- Why more emphasis will be placed on commercial customers to prove their own security procedures are reasonable;
- How banking institutions are winning the ACH and wire fraud battle.
At the law firm Duane Morris, Burton focuses on information security and cyberfraud issues as well as civil, criminal and appellate litigation. He advises and represents individuals and corporations regarding their rights and responsibilities in maintaining the security of digital information. His practice includes trade secret, trademark and patent litigation, with an emphasis on cybercrime and cybersecurity. Burton is a former assistant U.S. attorney who handled several pioneering high technology investigations and prosecutions, including the first prosecution in the nation for criminal copyright infringement of computer code.
Ruling Faults Customer, Not Bank
TRACY KITTEN: In the Choice Escrow case, the magistrate judge's summary judgment favored the bank. Why?
JOSEPH BURTON: I really love this case. In some ways, I think the case maybe gets overlooked. It's chock full of information that I think can be helpful in analyzing this area and maybe predicting where things may go. The judge found in favor of the bank because this was a case in which the bank did everything right. This was a case in which the bank looked first at the question of the commercial reasonableness of the procedure that was offered and determined that it was commercially reasonable; second, that the magistrate judge looked at the bank's conduct in accepting the order and found that the bank did so appropriately. That is, that the bank acted in good faith. For those reasons, it found in favor of the bank.
Now, previously, you had the two most important decisions. The Experi-Metal decision was a decision in which the court found that the procedure offered wasn't commercially reasonable and in that case found against the bank. Then, probably the most prominent decision, which was the PATCO decision, the court found that the bank's conduct was not in good faith and for that reason it found against the bank. But in this case, in the Choice Escrow case, the court found in the bank's favor on both of those issues, and that's what resulted in this win, if you can call anything in this area a win.
Increasing Role of UCC
KITTEN: What makes the Choice Escrow case noteworthy?
BURTON: One, because it does consider and it was necessary as part of the analysis in the case to analyze those three aspects. The court sets out pretty clearly that those are the three principal prongs or pillars of analysis in this area, and it proceeds to do an analysis of all three. But also what I think is sometimes forgotten in this area is shifting of responsibility under the Uniform Commercial Code, and that's important to bear in mind. That is, as the analysis proceeds, the responsibility for an order may shift. The bank can shift, if you will, responsibility to the customer if it follows certain guidelines, and those relate to the commercial reasonableness of the procedure that they offer. But at the end of the day, it's potential that the responsibility could shift back to the bank if the customer is able to make a certain showing with respect to how the attack or the break-in was caused. I think that's sometimes forgotten that this shifting occurs, and this case really made that clear.
Another thing about it that I think is noteworthy is that this is the first case in which a court has analyzed a circumstance in which a security procedure was turned down by the customer. Now, the Uniform Commercial Code talks about that, but this is the first instance in which you had an actual turn down of a procedure, and the court was then forced to analyze whether that turn down was proper. Those two things, and particularly the latter, make this really a noteworthy case and different from all the cases that have preceded it.
Court's View Evolving
KITTEN: How do you see the court's views in cases involving ACH fraud evolving?
BURTON: What you see is really a progression from, first, looking at commercial reasonableness and a determination of whether certain security procedures are commercially reasonable, to then moving to assuming the procedure is reasonable, what happens if the banks act in a way that in effect vitiates that commercially reasonable procedure? That's what happened in the PATCO case. In both of those cases, it was found against the bank. This is a case in which the court stepped through both of those, found that the bank acted properly and then was prepared to analyze the third question, which is whether or not there was a relationship to the customer's transmission facility, his computers, or not. But in this case, the customer never made an argument that would have potentially shifted responsibility back to the bank under that third prong. That third prong is still left open. It was left open by PATCO; it was left open here. I think there are differences between the PATCO facts and here with respect to that prong, but it clearly showed that from the analytical standpoint we know what this area looks like and what's left from a legal standpoint is to analyze this question of under what circumstances will the customer be held liable or in what circumstances can the customer shift the responsibility back; that is, from a legal standpoint, an area that has not been fully explored by any of the cases there, but I think that we will eventually get to a case which will be able to address that head-on.
Anticipating an Appeal?
KITTEN: Do you anticipate an appeal in this case?
BURTON: [It's] difficult to know because even though there's a significant amount of money at stake, $440,000, given the cost of litigation, I think that there's a lot of pressure to settle these matters. If you look at the PATCO case, even though it went on appeal and then it was sent back to the court below, it eventually settled. There's significant pressure on the parties in a case like this to settle. It's difficult to predict an appeal. Certainly, there is, in effect, an automatic appeal from the magistrate judge to the district court. The district court will have an opportunity to review the magistrate's finding and make a ruling, and that's an appeal in one sense. But an appeal from a district court level to an appellate level, such as in the PATCO case, I think that's difficult to predict.
Mistakes by Choice Escrow
KITTEN: What do you think Choice Escrow could have done differently here?
BURTON: I'm not sure that Choice Escrow would have been able to make a persuasive argument after the third prong. That's an argument that the account takeover was not the result of information that was gained from its computers. Now, the magistrate judge discusses the fact that there was evidence in the record to indicate that the Choice Escrow computers were hacked into. I think that's probably the reason that they chose not to try and make an argument under the third analytical prong. We don't know that, but I would suspect that that's a strong reason. I would suspect that the evidence that their computers had been hacked into was probably very strong. It's difficult to call that a mistake.
I would say the mistake, if there was any mistake that they made, was really not so much a legal one but one of practice and that relates to this question of the turndown of the initial security procedures that were offered by the bank, the so-called dual-control method; and that was offered by the bank initially. It was turned down by Choice Escrow and it leads from the opinion, it appears, that the reason they turned it down was one of, essentially, convenience, that it was inconvenient for them to have the two people necessary to effectuate that control on premises that were available at the same time, and they certainly argued that to the court in the case. The court found that clearly under the UCC and under some other cases, inconvenience is not a sufficient reason to turn down, or more specifically that an inconvenience does not amount to commercial unreasonableness. You can't argue that a procedure is commercially unreasonable because you'd like a different procedure because it's more convenient or in fact you'd like a better procedure. It would look like, had Choice Escrow used the dual control procedure, the unauthorized transfer could have been prevented.
What the Bank Did Right
KITTEN: What would you say the bank did right in this case? What do you anticipate its argument to be should this ruling be appealed?
BURTON: An appeal, at least on the record, is going to be difficult for Choice Escrow. The bank did everything right in this case. The court found that they offered a commercially reasonable procedure in the first instance. The Experi-Metal problem was solved. Secondly, and I think the problem that's more likely to come up, is the problem in the PATCO case where there's an ostensibly or facially valid commercially reasonable procedure. But its implementation, which leads to the acceptance of the order, is not in good faith. In this case, the bank didn't commit the sorts of errors that occurred in the PATCO case. They were able to craft and utilize their already commercially reasonable procedure to apply it properly.
That second aspect is really critical. The one thing that I think we learned from PATCO is that there's more to commercial reasonableness than just having a procedure which in theory or on its face is commercially reasonable. It has to be crafted and tailored to a degree to the customer - it has to fit the customer - and the bank's actions in implementing that procedure have to be commercially reasonable. The bank did both of those important things correctly, and particularly the second.
New Focus on the Customer
KITTEN: What parts of this case are worth noting?
BURTON: Hopefully now a focus on the customer that we haven't had as much. We went through a period of analyzing, "Was the bank doing it right? What did the bank do right or what did the bank do wrong?" I think that's important. But I think that we have seen that the banks certainly are capable of getting it right. Banks will get it right. They have in the past, and they'll continue to do so. Particularly after PATCO, they'll get better about getting their procedures right.
Given that, what that does is it really focuses on the customer because if, as in this case, the liability for the loss is going to rest on the customer - and what that means is, as in history, we have to decide what sort of things can we do to help out the customers - customers are going to have to realize that more likely that liability is going to rest with them. They've got to be figuring out what can be done technically to avoid, if you will, that liability, to avoid some of these problems in the first instance, which also raises a question of what responsibility do banks have to assist their customers in that regard. The FFIEC stresses the importance of training and other measures that the bank can take with respect to their customer, and I think these cases push everyone toward looking at the customer, and that's where the effort has to be focused to make this whole transactional change free of fraud.