ACH Fraud and the Courts
Attorneys Debate Merits of EMI, PATCO Decisions

It's been nearly three years since hackers rerouted more than $540,000 from a small business account owned by Maine-based PATCO Construction Inc. Still, legal wrangles between PATCO and Peoples United Bank [formerly known as Ocean Bank] linger.
In May 2011, a U.S. District Court magistrate recommended the court deny PATCO's motion for a jury trial. That recommendation was later affirmed by a District Court judge. But PATCO appealed the ruling, and Mark Patterson, co-owner of PATCO, this week says the case is expected to appear before an appellate court sometime next month. "Wish us luck," he said.
The PATCO case is one with which legal experts continue to wrangle. Though ACH- and wire-related fraud events like the one that hit PATCO have plagued the financial sector for several years, courts and attorneys continue to wrestle with just how much responsibility financial institutions bear when such breaches occur.
During RSA Conference 2012, a panel of industry experts chimed in, sharing differing perspectives about verdicts in recent ACH fraud cases and areas where federal courts could offer more guidance.
Comparing the PATCO case with the notable ACH fraud dispute between Michigan-based Experi-Metal Inc. (EMI) and Comerica Bank, attorneys David Navetta and Joe Burton offered differing perspectives on the facts presented in each case, and on why the courts reached such disparate conclusions.
ACH Fraud: Responsibility
The crux of both lawsuits revolved around who bears responsibility when financial losses result from online compromises. Like PATCO, EMI saw more than $560,000 drained from its account after fraudulent transactions exceeding $1.9 million were approved by its former institution, Comerica Bank. In 2009, EMI sued Comerica and won. [See Court Favors EMI in Fraud Suit.]
In the EMI case, the court found that the employee at Comerica who approved the wire transfers was not authorized, and that Comerica's fraud-detection and monitoring tools were insufficient and should have raised red flags.
Pointing to the FFIEC's Authentication Guidance, the court also found that Comerica's acceptance of the wire transfers did not meet industry standards. [See FFIEC Authentication Guidance.]
That same guidance was referenced in the PATCO case, but the outcome was much different. "The court looked at the FFIEC guidance and said the bank's security was multilayered," said Navetta, co-founder of the Information Law Group. In the PATCO case, that determination was enough to prove Ocean Bank had implemented "reasonable security."
"The court determined that multilayered security was used, and once it determined that, it went no further," said Burton, an attorney at Duane Morris. "In the PATCO case, what was being decided was whether Peoples United's security was commercially reasonable, and that was all that was being examined."
By comparison, in the EMI case, determining what is commercially reasonable was not even at issue. In EMI, Burton says, the case turned on two questions of fact: was a bank employee authorized to approve the transactions, and did the bank, after the fraud occurred, respond and react in "good faith"?
"It's all about the contract," Burton said. "In the EMI case, why was the commercially reasonable question not an issue? Because in the contract, EMI said it agreed that Comerica's procedures were commercially reasonable. And that was enough for the court."
In the EMI case, the court's review of good faith at least offers some perspective for banks and commercial customers. In the PATCO case, however, Navetta says the court failed to address the industry's two key concerns: reasonable security and good faith.
"This case did not give guidance or set a precedent on how to determine good faith or reasonable security," he said. "I think the court looked at the fraud controls the bank had in place to determine good faith, and that doesn't offer attorneys like me or technologists in security any guidance or interpretation of what good faith is. I also think the court should have looked at reasonable security: 'What is reasonable security?'"
U.S. District Judge John Facciola, who also sat on the RSA panel, says the PATCO ruling reflects a short-sighted view on the part of the court and the courts' inexperience in handling cases involving ACH and wire fraud.
"The losses to ACH fraud in this case are staggering," he said. "And with most of the transactions coming out of Eastern Europe, the bank should have realized these were not legitimate."