Bank Pays Oil Co. $350,000 Settlement
Account Takeover Dispute Hinged on 'Reasonable' Security

When it comes to account takeover disputes, the recent court cases involving commercial customers and their former banks have obscured the reality that most disagreements over fraud liability are settled outside the courtroom.
For example, in a settlement reached this month, United Security Bank of Fresno agreed to pay Taft, Calif.-based TRC Operating Co., an independent oil production company, $350,000 to settle a dispute over losses linked to $3.5 million in fraudulent wire transfers that drained the company's account in November 2011.
In contrast, a few other high-profile account takeover disputes, including those involving PATCO Construction Inc. and Choice Escrow Land Title LLC, resulted in protracted court battles.
In the wake of its settlement with USB, TRC dismissed its complaint that alleged the bank failed to offer a "commercially reasonable" security procedure.
USB president and CEO Dennis Woods says the cost of the settlement will be covered by the bank's insurance company, which agreed to the deal.
The bank would have preferred that the case go to trial, he says. "There wasn't a case here, though we would have liked to have seen a ruling," Woods says.
Having the court rule on whether a bank is liable for the compromise of a customer's online credentials that results from phishing attacks, which Woods claims is what happened in TRC's case, would have benefited USB and the industry, he says.
Woods declined to comment about whether he deemed USB's authentication practices as being "reasonable" or in compliance with the FFIEC's guidelines for user authentication. He also did not comment about whether the bank offered more than usernames and passwords to authenticate online transactions and wire transfers.
"We stopped nine of the 12 [fraudulent transfers] and only one got through," he says. "They wanted us to pay them back and we told them, 'Of course we can't, because that is part of your agreement with our bank - that you have to be responsible for your own username and password.' So we just turned it over to our insurance company ... and after two years, the insurance company just settled."
Account Takeover
It's clear that account takeover fraud and questions over liability continue to plague the financial services industry, even some three years after the Federal Financial Institutions Examination Council issued its updated guidance on how banking institutions should authenticate users and transactions in online banking.
While details surrounding USB's security practices are sparse, if the bank only required the entry of a username and password to authenticate users and transactions, then it was clearly falling short of what the FFIEC recommends, says cybersecurity attorney David Navetta, co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee.
And if the settlement did, in fact, hinge on 'reasonable' security, "that means that UCC [Uniform Commercial Code] 4-A-202 was in play," he notes. "It requires that banks utilize commercially reasonable security practices."
The Uniform Commercial Code is a model code adopted by the states; its Article 4A governs funds transfers, including how banking institutions must handle security procedures for commercial customers. If a bank or credit union offers its customer a commercially reasonable security procedure and accepts a payment order in good faith and in compliance with that procedure, then it is generally not liable for the resulting fraud losses, according to the UCC.
Financial fraud expert Shirley Inscoe, an analyst at the consultancy Aite, says the TRC case highlights why banking institutions should remain focused on ensuring they meet FFIEC expectations for online security.
"The bank was wise to settle," Inscoe says, if it was, in fact, only relying on usernames and passwords to authenticate transactions. "The FFIEC has made it clear that usernames and passwords alone are not an acceptable level of security, so it would seem to be poor form to argue in court that they are."
Still, Al Pascual, a fraud and financial security analyst for consultancy Javelin Strategy & Research, says it's difficult to predict how a court might rule in a case like USB's, especially when defining "reasonable security" comes into play.
"The issue of commercially reasonable security, if you remember the PATCO case, was not so much defined by which particular types of security solutions were offered, but, rather, how they were implemented," he says.
And leaning on the FFIEC guidelines as a legal argument for why banks need stronger security also has failed in recent cases, Pascual adds.
"I believe the argument that was used by the plaintiff in the Choice Escrow case was that the bank's security was deficient, because it did not meet guidelines as set by the 2011 FFIEC authentication supplement; this argument obviously did not hold much water with the court," he says.
But Pascual agrees U.S. institutions should take note of the settlement between USB and TRC.
"Had the bank lost in court, it could have set a precedent that would have immediately affected banks across the country that continue to rely on similarly remedial security procedures," Pascual says. "I'd view this as a close call for the financial industry."
Unreasonable Security?
Questions over the "reasonableness" of a bank's or credit union's authentication and overall online security have been at the core of most account takeover cases.
On June 11, a federal appeals court favored BancorpSouth in an account takeover dispute with its former customer Choice Escrow dating back to November 2010. While Choice Escrow lost $440,000 to an overseas account, the court found that the bank's security measures for its customers were reasonable. Choice Escrow, however, decided not to use those security measures (see Bank Wins Account Takeover Loss Case).
In a similar case involving PATCO and the former Ocean Bank that dates back to 2009, an appeals court found that the bank was liable because its so-called "one-size-fits-all" approach to monitoring and authenticating high-dollar transactions was not commercially reasonable.
PATCO argued that Ocean Bank's use of only log-in and password credentials for transaction verification did not comply with the FFIEC's requirements for multifactor authentication. That deficiency, PATCO argued, allowed hackers in May 2009 to drain more than $500,000 from its account.
On July 3, 2012, the First Circuit Court of Appeals in Boston agreed and ruled in favor of PATCO, reversing a lower court's 2011 judgment that favored the bank. The court ultimately recommended that the two parties pursue an out-of-court settlement of the case.
In both the Choice Escrow and PATCO cases, appellate judges leaned heavily on Article 4A of the UCC.
Inscoe says the view of the courts and banking regulators about what constitutes reasonable security is increasingly less disputable. "I think the UCC and FFIEC are clearly in agreement in this situation," she explains.
TRC versus USB
In the case involving TRC and USB, the alleged unreasonableness of USB's authentication for wire transfers ultimately convinced the bank to settle, contends Julie Rogers, attorney with The Dincel Law Group, which represented TRC.
"Nearly two years after litigation began, USB has agreed to pay $350,000 to TRC for its losses," Rogers says in a statement about the settlement. "The settlement offer came just a few days before the Kern County Superior Court [California] was to rule on a summary judgment motion filed by TRC, which, if granted, would have entitled TRC to the $299,600, plus substantial interest and a finding that USB failed to provide a 'commercially reasonable' security procedure for its online banking customer."
Rogers also represented California-based Village View Escrow Inc. in its June 2012 settlement with Professional Business Bank in a case involving a $400,000 account takeover loss dating back to March 2010 (see Settlement Reached in ACH Fraud Case).
Over the course of five days, 12 fraudulent wires totaling $3.45 million left TRC's account in November 2011, says Charles Comfort, a co-owner of the company, in the statement. In the end, the total loss came out to $299,600, and USB denied liability.
"Due to USB's refusal to discuss this matter and also refusing an offer to use mediation to resolve this matter without filing a lawsuit, TRC felt it necessary to file a lawsuit against USB," the statement says.