Should Banks be Liable for Business Losses to Fraud?Vendor Pushes for New Protections for Commercial Accounts
Jim Woodhill, founder and chairman of information security vendor Authentify, has met with congressional staffers and is scheduling meetings to talk to top lawmakers, including New York Senator Charles Schumer and House representatives Sam Johnson and Jeb Hensarling. He is asking them to amend Regulation E to include business accounts under the same stipulated fraud loss amounts as consumer accounts -- or to write a new law to limit the amount of fraud losses a business could bear from fraudulent ACH or wire transfers.
The Electronic Funds Transfer Act (EFT), also known as Regulation E, was implemented in the U.S. in 1978 to establish the rights and liabilities of consumers as well as the responsibilities of the financial institution in EFT activities. Regulation E covers a consumer under certain conditions, limiting loss to $50 if the institution is notified within two business days. There currently are no similar loss protections for commercial customers.
"If the industry isn't willing to change and strengthen requirements, then the legislative route is needed," Woodhill says.
But the American Bankers Association (ABA) is braced to oppose any such Reg E amendment, says Risk Management Policy vice president Doug Johnson.
"Security is a shared responsibility," Johnson says. "Responsibility for secure transactions resides at both the business and consumer, as well as at the financial institution. And for these large value transactions that occur in a business environment, if you take any responsibility for security away from business, you do violence to that dynamic."
"This is Why Things Must Change"
This conflict came to a head when PlainsCapital, a $4.4 billion bank headquartered in Dallas, filed suit against Hillary Machinery Inc., following a series of incidents that began last November, when cyber thieves made a series of ACH and wire transactions that totaled $801,495 from Hillary's bank account.
The bank was able to retrieve about $600,000 of the money, but when Hillary subsequently sent a letter requesting that the bank refund the remaining $200,000, PlainsCapital responded by filing a lawsuit in U.S. District Court for the Eastern District of Texas. The lawsuit requests that the court certify that PlainsCapital's security was, in fact reasonable, and that it processed the wire transfers in good faith. Hillary filed a countersuit in February, saying it would not be bullied by the bank, and has since then moved its business accounts to another bank in Texas, citing security as a factor.
Woodhill says this conflict just hit him, and he decided that he would champion the cause of the small businesses losing money via ACH and wire fraud. "It's just wrong that a bank would sue its own business customer in order to get a court to say that its security was commercially reasonable," Woodhill says.
In the past year, many public and private sector organizations have been victimized by fraudulent ACH and wire transfers - even the town of Poughkeepsie, NY, which lost nearly $400,000 to fraudsters. "Every business or municipal government that has a commercial bank account and does banking online is a target," Woodhill says. "This is why things must change."
Woodhill is no stranger to banking regulation and Washington, D.C. He helped craft the final language that made it into the FACT Act to help institutions combat identity theft.
Change Rules of the Game
Should any amendments to Regulation E be made, the action would certainly change the rules of the game, says Wesley Wilhelm, senior analyst at Aite Group, a financial services research firm. "This would change the game, not just from the liability/ownership aspect, but also from an operational standpoint within the banks," says Wilhelm. The impact of such a requirement would most probably affect smaller institutions - not just because of the financial burden of covering lost funds, but because they do not necessarily have a robust monitoring process in place for online transactions.
If enacted, such legislation probably would follow the same path as PCI compliance has in the retailer community, where the small merchants depend on third-party service providers to provide the security to protect transactions. Smaller banks would likely go to their core service providers already providing ACH transaction services for solutions, Wilhelm says.
The route to a workable solution for both sides will require some modifications and changes to how institutions authenticate online users and approve transactions online, but the community banks will adapt and survive any changes. "It wouldn't be the final nail in the coffin for community banks," Wilhelm asserts, observing that community banks and smaller institutions rose to meet requirements for the ID Theft Red Flags Rule.
ABA: "It Goes in the Wrong Direction"
The ABA's Johnson says security vendors such as Woodhill are taking advantage of current headlines to push their own agendas. "I'm not saying that Mr. Woodhill doesn't think he's doing the right thing," Johnson says, "But I would prefer that he would work with us, rather than against us, to work diligently to solve these problems."
Johnson sees peril if Regulation E loss restrictions are applied to business accounts, and says member banks would not support Woodhill's proposal. "I can guarantee you they would not endorse any changes to Reg E to cover business accounts," Johnson says.
If Regulation E covered business losses, the change would unfairly shift the risks and responsibilities for large fraud losses. "It would shift the risk associated with those transactions when the business customer doesn't have any skin in the game," Johnson says. "It goes in the wrong direction."
Regulators have been reviewing the FFIEC's strong authentication guidance and may be coming out with revisions to further strengthen the requirements for online banking authentication, Johnson says. Until such time, he advises financial institutions to put in more procedures and processes, including dual controls at the business end of the transaction, to help cut losses -- and not to focus solely on technology solutions for security. "Many people lose track that the best control is an internal control," Johnson says. "The use of a dual control at the business level will defeat the Zeus Trojan being used by these criminals to collect online banking credentials."
If two people at a business are required to sign off on any transaction, "that will make it extremely difficult for the hacker to be successful," Johnson says.