Lessons From Fraud SettlementExperts Analyze Implications of ACH Fraud Case Outcome
The out-of-court settlement reached in a dispute between Village View Escrow Inc. and California-based Professional Business Bank shows it's getting more difficult for banks to avoid liability, even when commercial customers' lax security controls make them vulnerable to fraud, experts say (see Settlement Reached in ACH Fraud Case).
See Also: Secure Access in a Hybrid IT World
David Navetta, an IT security and privacy attorney who's been outspoken about cases involving ACH and wire fraud, says the fact that Village View was reimbursed all the funds it lost is significant.
And Peter Tapling, president and CEO of online security and authentication solution provider Authentify, says the settlement reinforces the number of legal variables that have to be reviewed and considered after incidents of ACH and wire fraud.
In March 2010, Village View lost nearly $400,000 after its online bank account was taken over by hackers. In its March 2011 complaint, the escrow company acknowledges it was not using dual controls at the time of the attack, but also notes that an e-mail verification service offered by Professional Business Bank was successfully disabled by the cybercriminals.
In a statement issued by Village View about the settlement, the escrow company says external investigations conducted by the California Department of Corporations, the Federal Deposit Insurance Corp. and the Redondo, Calif., Police Department vindicated Village View Escrow from playing role in the cybertheft.
"While we remain confident in the strength of our legal position, we entered into the settlement agreement to bring this matter to a conclusion and to focus all our energy on our business," says Michelle Marsico, Village View's owner and president.
As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from its account, the company says in a statement.
Between the Lines of the Settlement
The case dates back to 2011, when Village View sued Professional Business Bank for reimbursement of direct financial losses suffered from the attack as well as damages. Village View also requested reimbursement of maintenance and service fees it paid to the bank between 2008 and 2010.
"This case, and settlements like it, show that banking customers can generate good arguments on issues of reasonable security and good faith, especially as related to UCC 4A-202," says Navetta, the attorney. UCC 4A-202 refers to the Uniform Commercial Code, which stipulates certain protections institutions must provide for commercial accounts.
Village View's claim that the disablement of Professional Business Bank's e-mail verification system contributed to the attack was likely the hook that led to the settlement, Navetta says.
"One thing that is key is even if a bank has commercially reasonable security policies, it still can be on the hook for fraudulent wire transfers under 4A-202 if it fails to follow those policies," he says.
Tapling of Authentify says lacking legal precedents in cases of ACH and wire fraud have posed challenges for the courts.
"You have so many players pointing fingers," Tapling says. "It's hard to say one is more to blame than another. These cases are going to get down to some very, very specific details, just as we see here."
Those variables also illustrate why court rulings on previous disputes over incidents of corporate account takeover have set no consistent legal precedents.
Decisions passed down in the ACH and wire cases PATCO Construction Inc. vs. Ocean Bank and Experi-Metal Inc. vs. Comerica Bank raised questions about liability and reasonable security, but resulted in very different verdicts.
In the PATCO case, the construction company argued that Ocean Bank's use of only log-in and password credentials for transaction verification did not comply with the FFIEC's requirements for multifactor authentication. That lacking multifactor authentication, PATCO argued, allowed cyberfraudsters in May 2009 to drain more than $500,000 from its commercial account.
The court disagreed. In its 2011 opinion, a District Court magistrate found the bank met legal requirements for multifactor authentication and dismissed the suit.
In the EMI case, EMI claimed Comerica should have raised a flag before more than $550,000 in fraudulent wire transfers left EMI's account.
And the court agreed. In its June 2011 ruling, the court found that Comerica should have identified and disallowed the fraudulent transactions, based on EMI's history, which had been limited to transactions with a select group of domestic entities. The court also noted that Comerica's knowledge of phishing attempts should have caused the bank to be more cautious.
The court required Comerica to reimburse EMI the full amount for the funds that were lost.
Navetta says those cases likely played a role in Professional Business Bank's decision to settle with Village View.
"Without culpability on the customer side, the bank likely had a more difficult battle to fight, making settlement attractive," he says. "You have to think that EMI and PATCO were looming in the background, and likely also influenced the outcome on some level."