Lessons From Fraud Settlement

Experts Analyze Implications of ACH Fraud Case Outcome

June 20, 2012

The out-of-court settlement reached in a dispute between Village View Escrow Inc. and California-based Professional Business Bank shows it's getting more difficult for banks to avoid liability, even when commercial customers' lax security controls make them vulnerable to fraud, experts say (see Settlement Reached in ACH Fraud Case).

David Navetta, an IT security and privacy attorney who's been outspoken about cases involving ACH and wire fraud, says the fact that Village View was reimbursed all the funds it lost is significant.

And Peter Tapling, president and CEO of online security and authentication solution provider Authentify, says the settlement reinforces the number of legal variables that have to be reviewed and considered after incidents of ACH and wire fraud.

Case Background

In March 2010, Village View lost nearly $400,000 after its online bank account was taken over by hackers. In its March 2011 complaint, the escrow company acknowledges it was not using dual controls at the time of the attack, but also notes that an e-mail verification service offered by Professional Business Bank was successfully disabled by the cybercriminals.

In a statement issued by Village View about the settlement, the escrow company says external investigations conducted by the California Department of Corporations, the Federal Deposit Insurance Corp. and the Redondo, Calif., Police Department vindicated Village View Escrow from playing a role in the cybertheft.

"While we remain confident in the strength of our legal position, we entered into the settlement agreement to bring this matter to a conclusion and to focus all our energy on our business," says Michelle Marsico, Village View's owner and president.

As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from its account, the company says in a statement.

Between the Lines of the Settlement

The case dates back to 2011, when Village View sued Professional Business Bank for reimbursement of direct financial losses suffered from the attack as well as damages. Village View also requested reimbursement of maintenance and service fees it paid to the bank between 2008 and 2010.

"This case, and settlements like it, show that banking customers can generate good arguments on issues of reasonable security and good faith, especially as related to UCC 4A-202," says Navetta, the attorney. UCC 4A-202 refers to the Uniform Commercial Code, which stipulates certain protections institutions must provide for commercial accounts.

Village View's claim that the disablement of Professional Business Bank's e-mail verification system contributed to the attack was likely the hook that led to the settlement, Navetta says.

"One thing that is key is even if a bank has commercially reasonable security policies, it still can be on the hook for fraudulent wire transfers under 4A-202 if it fails to follow those policies," he says.

Tapling of Authentify says the lack of legal precedents in cases of ACH and wire fraud has posed challenges for the courts.

"You have so many players pointing fingers," Tapling says. "It's hard to say one is more to blame than another. These cases are going to get down to some very, very specific details, just as we see here."

Those variables also illustrate why court rulings on previous disputes over incidents of corporate account takeover have set no consistent legal precedents.

Legal Precedents?

Decisions passed down in the ACH and wire cases PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank raised questions about liability and reasonable security, but resulted in very different verdicts.

In the PATCO case, the construction company argued that Ocean Bank's use of only log-in and password credentials for transaction verification did not comply with the FFIEC's requirements for multifactor authentication. That lack of multifactor authentication, PATCO argued, allowed cyberfraudsters in May 2009 to drain more than $500,000 from its commercial account.

Follow Tracy Kitten on Twitter: @FraudBlogger
