Bank Wins Account Takeover Loss CaseAppellate Court Says BancorpSouth Offered 'Reasonable' Security
An appellate court ruling in favor of a bank in a dispute over account takeover losses dating back to 2010 has broad implications for financial institutions.
See Also: How to Defend Your Attack Surface
The message from the court is that as long as banks and credit unions offer reasonable security measures, and note in their contracts whether those measures were accepted and implemented by their customers, they have fulfilled their obligations for security, legal experts say.
Plus, the court's move to require the customer who filed the lawsuit to pay the bank's legal fees could deter others from taking legal action against banks.
Result 'Isn't Surprising'
Nearly a year after Missouri-based Choice Escrow Land Title LLC appealed a district court's findings in its case against BancorpSouth, the Eighth Circuit Court of Appeals, in a June 11 decision, supported the lower-court's ruling (see Choice Escrow Appeals Wire Fraud Ruling).
"The result isn't surprising, in light of the underlying facts of the case," says Dan Mitchell, the attorney who represented account-takeover victim PATCO Construction in its federal appeal of a ruling related to wire fraud. "The Eight Circuit affirmed the trial court's ruling that the risk of loss was shifted back to the customer, Choice Escrow, because BancorpSouth offered dual control to Choice, but Choice declined it and agreed to be bound by the bank's other security procedures."
Those other procedures included password protection, daily transfer limits and device identification, a system that would trigger challenge questions if a wire or payment was scheduled from an unrecognized device, Mitchell notes.
Mitchell, who works in the litigation and business law practice at Maine-based Bernstein Shur, and cybersecurity attorney Joseph Burton, managing partner at the San Francisco office of the law firm Duane Morris, say the ruling supports a wider perspective of what is deemed "commercially reasonable" when it comes to security expectations.
They say the federal court leans heavily on Article 4A of the Uniform Commercial Code, which includes a provision about how banking institutions should handle incidents of wire-transfer fraud.
If a bank or credit union offers reasonable security procedures that a customer refuses, then under the 4A provision, the customer is liable if fraud results, Mitchell and Burton say.
Paying Legal Fees
In addition to not getting any compensation for the losses it suffered from its takeover incident, Choice Escrow now has to pay BancorpSouth's attorneys' fees as well.
Burton says requiring commercial customers that lose lawsuits against banks to pay the banks' legal fees will likely deter customers from filing suits related to account-takeover losses.
"Being able to go after attorneys' fees would seem to significantly raise the litigation risk for commercial customers contemplating filing a legal claim for funds losses," he says.
Mitchell says the appellate court's ruling related to payment of the attorneys' fees sends a strong message.
"Under normal circumstances, parties have to bear their own fees," he says. "An exception can exist, however, when there is a contractual agreement between the parties that provides for indemnification of legal fees by one party to another. There was such a provision in the account agreement in this case. The bank filed a counterclaim, based on this provision; but the trial court dismissed it. On appeal, the bank argued this was an error, and the Eighth Circuit agreed, reversing this aspect of the trial court's handling of the case."
Parties' Responses to Ruling
Jim Payne, co-owner of Choice Escrow, says his company is exploring some additional legal options, but that the ruling is an obvious disappointment.
In a statement provided to Information Security Media Group, BancorpSouth says the appellate court's ruling vindicates the integrity of the bank's security procedures for Internet banking.
"It also underscores the role that customers play in helping to prevent online fraud," the bank states. "We have maintained since the beginning of this case that BancorpSouth always acted in good faith and that its procedures were and are commercially reasonable. We are pleased that the federal court of appeals unanimously agreed with the bank on both points."
The Case History
In November 2010, Choice Escrow sued BancorpSouth to recover $440,000 it lost in March of that year after the bank approved fraudulent wire transfers to an overseas account in Cyprus. Choice Escrow argued that the bank's verification procedures for wire transfers were not commercially reasonable, per Article 4A of the UCC.
In August 2012, a district court in Missouri dismissed BancorpSouth's counterclaim against Choice Escrow. In the motion the bank had claimed its former commercial customer was liable for the losses. The court labeled the decision as being "a very close call."
But in March 2013, the same Missouri district court sided with the bank in a ruling on Choice Escrow's lawsuit, noting that Choice Escrow's decision to decline BancorpSouth's offers for dual or two-person authorization for wire transfers made the company vulnerable.
In its June 2013 appeal, Choice Escrow contended that BancorpSouth's verification procedures, in addition to not being commercially reasonable, failed to meet the good faith standard outlined by the Federal Financial Institutions Examination Council in its 2005 guidance for Internet banking transactions. Choice Escrow argued the bank should have offered multifactor authentication.
But the Eighth Circuit Court of Appeals, in June 2014, saw it differently, finding that the bank's offer of dual or two-person authorization, on its own, was reasonable.
Appellate Court's Findings
In its decision, the appellate court supports the lower court's decision, noting that security does not have to be extremely technical or complex in order to be considered "reasonable."
"A security procedure is a procedure established by agreement of a customer and a receiving bank for the purpose of ... verifying that a payment order ... is that of the customer," the 27-page ruling states. "As this definition makes clear, only security measures established by agreement are considered security procedures for the purposes of Article 4A; security measures implemented unilaterally by the bank are irrelevant."
And if that security procedure is reasonable, by the most fundamental definition of the term, and the customer turns down that procedure, then the customer, by default, accepts responsibility for fraud that might result by not using that procedure, the court determined.
In its ruling, the court notes: "If a bank offers its customer a security procedure and the customer declines to use that procedure and agrees in writing to be bound by payment orders issued in its name and accepted by the bank in accordance with another security procedure, then the customer will bear the risk of loss from a fraudulent payment order if the declined procedure was commercially reasonable."
Burton says it's hard to disagree with the court's findings. "In many ways, the case is fairly straightforward," he says.
The customer refused a security procedure that was commercially reasonable and suitable, and instead chose to use a higher-risk procedure "because it is more convenient or cheaper," Burton says.
"Frankly, I would think that this would be neither a surprising nor a controversial position," Burton adds. "Again, the touchstone of the analysis is the commercial reasonableness of the security procedure offered."
Mitchell says Choice Escrow's refusal to accept the additional security procedures offered by the bank was key to this case for the court.
"The court found no problem with the bank's acceptance of the payment order because it was 'not so unusual that it should have raised eyebrows,'" he says. "It was not the largest payment order that Choice ever had submitted and its wire transfers did not follow a general pattern and varied in size from a few thousand dollars to a few hundred thousand dollars."