TRENDING:

Choice Escrow Appeals Wire Fraud Ruling

Asks Court to Overturn Judgment in Account Takeover Case Tracy Kitten (FraudBlogger) • June 20, 2013    
Choice Escrow Appeals Wire Fraud Ruling

Missouri-based Choice Escrow Land Title LLC is appealing a district court's ruling in a legal dispute with its former bank over an account takeover case that has attracted widespread attention.

See Also: The Role of Applicant Behavior in Identity Proofing

The company is asking the court to overturn a lower court's ruling that in March favored Mississippi-based BancorpSouth, according to the appeal filed June 17.

The case is notable, ACH fraud experts such as cybersecurity attorney Joseph Burton say, because it touches on key issues raised in similar legal disputes - such as the 2012 settlement between PATCO Construction Inc. and People's United Bank - between commercial customers and banks over incidents of account takeover (see PATCO ACH Fraud Ruling Reversed).

In its March 18 ruling in the Choice Escrow case, the district court favored BancorpSouth, noting that the $440,000 loss Choice Escrow suffered could have been prevented if the land title and escrow company had accepted BancorpSouth's offer for dual or two-person authorization on wire transfers. Choice Escrow, in its appeal, argues that the dual controls offered by the bank were not commercially reasonable and did not meet regulatory requirements for multifactor authentication.

Choice's Challenge

Choice Escrow is challenging every aspect of the lower court's ruling, says David Navetta, a legal expert in ACH and wire fraud and co-founder of the Information Law Group.

In its appeal, Choice Escrow notes that Article 4A of the Uniform Commercial Code - a state-adopted provision that allows banks an exemption from liability in cases of online account takeover, if security practices are deemed commercially reasonable - is a complicated law that has yet to be thoroughly reviewed by the courts.

"The appellate brief is a detailed breakdown and analysis of both 4A and the lower court's opinion applying these facts to 4A," he says. "I do think that this case was literally a judgment call that could have gone either way. The fact that Choice felt compelled to incur the expense of any appeal validates, on some level, that some of the lower court's decision could be considered in the 'gray area.' It will be interesting to see how the [appellate court] rules, since its ruling will have precedential value."

Choice Escrow executives declined to comment about the appeal.

Former federal banking examiner and attorney Amy McHugh, in a recent interview with BankInfoSecurity, speculated that Choice Escrow would appeal because BancorpSouth's offerings did not, in her opinion, constitute reasonable security. "The FFIEC notes that banks should take customers' needs into consideration," she says. "Bancorpsouth kind of offered this one-size-fits-all [security] solution - and I found that kind of questionable."

In the PATCO ruling, one-size-fit-all approaches to online security were frowned upon by the court, she says.

Basis of Appeal

Choice Escrow is asking the U.S. Court of Appeals to review the circumstances surrounding the $440,000 in fraudulent wire transfers that in March 2010 drained its commercial bank account (see Court Favors Bank in Fraud Dispute).

The escrow company also asks the appellate court to hear oral arguments "that will appreciably aid this court in considering the issues presented in this appeal, in avoiding the pitfalls suffered by the district court, and in considering likely future appeals by other cyber-fraud victims."

Specifically, Choice Escrow claims that:

  • BancorpSouth failed to provide adequate transactional analysis;
  • The bank should have granted Choice's request to limit or block foreign transactions;
  • BancorpSouth's use of only a username and password at login did not constitute multifactor verification;
  • The bank's limited dual control offers were not reasonable for a business the size of Choice.

The Background

Choice Escrow sued BancorpSouth in November 2010 to recover the $440,000 it lost after the bank approved and wired those funds to an overseas account in Cyprus.

In August 2012, a district court in Missouri dismissed BancorpSouth's counterclaim against Choice, claiming its former commercial customer was liable for the losses, but labeled the decision as being "a very close call."

In his ruling on the original lawsuit, District Magistrate Judge John Maughmer noted that Choice Escrow's decision to decline BancorpSouth's offers for dual or two-person authorization on wires made the company vulnerable.

But in its appeal, Choice Escrow contends that BancorpSouth's verification procedures for wire transfers were not commercially reasonable under the Uniform Commercial Code's Article 4A, which is adopted by the state. It also contends the procedures failed to meet the good faith standard outlined by the Federal Financial Institutions Examination Council in its 2005 guidance for Internet banking transactions by not meeting the multifactor authentication requirement.

But Choice Escrow also suggests in its appeal that the court should not rely too much on the FFIEC's requirements in its ruling. Instead, the court should only consider whether BancorpSouth met its obligations under Article 4A, which is "the controlling law of Mississippi with regard to wire transfers," Choice Escrow argues.

"The threat of cybertheft from U.S. corporate bank accounts through fraudulent wire transfers is growing exponentially," the appeal states. "Future lawsuits regarding these issues are likely."

Similar Cases

In another case dating back to June 2011, a Michigan district court ruled that Comerica Bank was responsible for the more than $560,000 Experi-Metal Inc. lost in 2009 after fraudulent wires totaling more than $1.9 million in were authorized by the bank and transferred from EMI's account (see Court Favors EMI in Fraud Suit).

In the 27-page bench opinion, the court found that Comerica should have detected and stopped the fraudulent transfers based on EMI's previous transaction history. In particular, the court noted that the bank's account monitoring and fraud-detection systems should have raised a flag when $5 million in overdraft charges accumulated as a result of the fraudulent wires, given that EMI's account typically had a zero balance.

"A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," the court writes. "Comerica fails to present evidence from which this Court could find otherwise."

And in June 2012, Village View Escrow settled with Professional Business Bank for an undisclosed amount over account takeover losses that in March 2010 cost Village View nearly $400,000. Attorneys representing Village View, however, said the settlement included full recovery of the funds lost to fraud as well as interest paid to the bank.

In their complaint against Professional Business Bank, Village View's attorneys also turned to Article 4A of the UCC. The attorneys argued the case based on UCC standards for California, where Village View is based. But they also referenced case law from other jurisdictions, as well as unpublished cases.

The attorneys said decisions handed down in the PATCO and EMI cases likely convinced the bank to settle.

Previous
Creating a DDoS Mitigation Strategy
Next
RSA's Coviello: Cyber-Attacks to Worsen

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



Around the Network

Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.