EMI, Comerica Await Verdict
Corporate Account Takeover Case Could Set Precedent
The case -- the first major ACH/wire fraud incident to actually go to trial -- ended Jan. 26. The two parties now await judgment. EMI attorney Richard B. Tomlinson says he expects a verdict to be passed down within 60 days.
EMI and Comerica have been at legal odds since December 2009, when EMI filed suit against the bank. "It was a bad situation for all parties," Allison says. "I had a great relationship with Comerica prior to this occurring."
Responsible Security Measures
Although originally framed as a legal showdown over what constitutes "reasonable security," that question was taken off the table by the court. According to a July 2010 opinion filed by the district judge presiding over the case, "Based on the plain and unambiguous terms of the Service Agreement and Master Agreement, the Court finds as a matter of law that Comerica's secure token technology was commercially reasonable."
Reached for comment, Comerica spokesman Wayne J. Mielke says: "Comerica is constantly evaluating its security architecture in an effort to provide the highest level of privacy and safety for our customers. We safeguard information according to industry security standards and procedures, and we continually assess new technology for protecting information."
But EMI's attorney, Tomlinson, says the question over reasonable security is a mere sliver of the big picture. "We had three real themes in this case," he says. The themes include:
- Approving a wire transfer that was allegedly authorized by EMI's controller, even though the controller was not authorized by EMI to approve or initiate wire transfers;
- Comerica's acceptance of a wire transfer that was not initiated in accordance with industry standards;
- Comerica's lack of adequate fraud-detection and monitoring tools.
"This is not just about a lack of authorization, but that Comerica failed to have any monitoring, with respect to the payments," Tomlinson says. "As a result, a customer who had made zero transfers in 19 months suddenly made 90 in one day."
That should have been a red flag, Tomlinson and Allison say.
"If Comerica had some simple technology in place to score, those transactions would have triggered an alert," Tomlinson says. What's worse, he says, is that even after a Comerica employee notified Comerica's online banking department about the suspicious activity, two hours passed before the transactions were suspended. By that time, several of the wire transfers, routed to a personal account in Russia, had already gone through.
"Under the FFIEC, monitoring is the industry standard," Tomlinson says. "Nearly all of the top 40 banks monitor. Comerica, being the 31st biggest bank in the country, should have monitored those transactions."
Business: Not as Usual for EMI
Now EMI is working with a new financial institution, which Allison would not name, and every wire and ACH transaction initiated by EMI is individually authenticated via dual controls. "I never knew I could have more than one approval," she says. "Now we have multiple layers, and we have a computer that is solely dedicated to online banking. We also have a bank that uses authentication for each transaction, and in order to initiate any transaction, you have to have dual approval and enter a unique password and token code."
Going forward, Allison says she expects all financial institutions to do a better job of communicating with their commercial customers. Banks and credit unions also need better fraud-monitoring solutions and layered security approaches, she says.
"There are analytics out there that will flag transactions when things like this happen," Allison says. "They compare what's currently happening to historical data and flag anything that is out of the ordinary, like payments that are going overseas, to countries like Estonia, Russia and China that are known for this kind of activity."
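The monitoring that Tomlinson describes (a dormant customer suddenly sending 90 wires in one day, with an automatic hold instead of a two-hour manual lag) and the analytics Allison describes (comparing current activity with the customer's history and flagging overseas destinations) can be written out as a small transaction-scoring routine. The following is an added example for this article, not Comerica's, EMI's or any vendor's system. The weights, the hold threshold, the 19-month lookback and the high-risk country list are assumptions chosen for illustration, and the sample wires are constructed.

```python
"""Score outgoing wires against the originating customer's own history.

Added example, not Comerica's or EMI's software. Weights, threshold,
lookback and the high-risk country list are assumptions; the sample
data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_RISK_COUNTRIES = {"RU", "EE", "CN"}   # assumed; the countries named in the article
HOME_COUNTRY = "US"
LOOKBACK = timedelta(days=19 * 30)          # assumed: roughly the 19 months quoted
HOLD_THRESHOLD = 50                         # assumed: score at or above this holds the wire


@dataclass(frozen=True)
class Wire:
    ts: datetime
    amount: float
    beneficiary: str   # beneficiary account identifier
    country: str       # ISO 3166-1 alpha-2 code of the beneficiary bank


def score_wire(wire, baseline, released_today):
    """Return (score, reasons) for one wire.

    baseline: the customer's prior wires inside LOOKBACK, before today
    released_today: wires already released for this customer today
    """
    score, reasons = 0, []
    if not baseline:
        score += 30
        reasons.append("no wire activity in lookback window")
    elif wire.beneficiary not in {b.beneficiary for b in baseline}:
        score += 25
        reasons.append("new beneficiary")
    if wire.country != HOME_COUNTRY and wire.country not in {b.country for b in baseline}:
        score += 20
        reasons.append(f"first wire to {wire.country}")
    if wire.country in HIGH_RISK_COUNTRIES:
        score += 30
        reasons.append("high-risk destination")
    # Velocity: today's running count against the busiest prior day.
    per_day = {}
    for b in baseline:
        per_day[b.ts.date()] = per_day.get(b.ts.date(), 0) + 1
    busiest = max(per_day.values(), default=0)
    if released_today + 1 > max(3, 2 * busiest):
        score += 25
        reasons.append(f"velocity: wire {released_today + 1} today, prior max {busiest}/day")
    return score, reasons


def process_wires(history, incoming, threshold=HOLD_THRESHOLD):
    """Evaluate one day's wires in submission order.

    The first wire at or above the threshold is held and the account is
    suspended for the rest of the batch, so later wires do not wait on a
    manual review. Returns a list of (wire, action, score, reasons).
    """
    decisions, released_today, suspended = [], 0, False
    for w in incoming:
        baseline = [h for h in history
                    if h.ts.date() < w.ts.date() and w.ts - h.ts <= LOOKBACK]
        score, reasons = score_wire(w, baseline, released_today)
        if suspended:
            action = "hold"
            reasons = ["account suspended after earlier alert"] + reasons
        elif score >= threshold:
            action, suspended = "hold", True
        else:
            action = "release"
            released_today += 1
        decisions.append((w, action, score, reasons))
    return decisions


def summarize(decisions):
    """Count released and held wires in a batch of decisions."""
    released = sum(1 for _, action, _, _ in decisions if action == "release")
    return {"released": released, "held": len(decisions) - released}


# Constructed sample data, not real transactions.
T0 = datetime(2009, 1, 8, 9, 0)
# Two domestic vendor wires about 20 months ago, then nothing: the
# "zero transfers in 19 months" pattern from the article.
DORMANT_HISTORY = [Wire(T0 - timedelta(days=600), 12000.0, "US-VENDOR-001", "US"),
                   Wire(T0 - timedelta(days=598), 8000.0, "US-VENDOR-001", "US")]
# Ninety wires in one morning to a personal account in Russia.
RUSSIA_BATCH = [Wire(T0 + timedelta(minutes=2 * i), 9500.0, "RU-PERSONAL-ACCT", "RU")
                for i in range(90)]
# An active customer with a steady one-wire-per-day domestic pattern,
# then ninety wires to a never-seen domestic payee.
ACTIVE_HISTORY = [Wire(T0 - timedelta(days=d), 4000.0, "US-VENDOR-001", "US")
                  for d in (200, 150, 100, 45, 10)]
NEW_DOMESTIC_BATCH = [Wire(T0 + timedelta(minutes=2 * i), 2000.0, "US-NEW-ACCT", "US")
                      for i in range(90)]

if __name__ == "__main__":
    print("dormant customer, Russia:", summarize(process_wires(DORMANT_HISTORY, RUSSIA_BATCH)))
    print("active customer, new payee:", summarize(process_wires(ACTIVE_HISTORY, NEW_DOMESTIC_BATCH)))
```

In the dormant-customer case the very first wire to Russia scores 80 (no recent activity, first wire to that country, high-risk destination) and is held, which suspends the remaining 89 at once. In the active-customer case a new domestic payee alone scores 25 and is released, but the velocity check adds 25 on the fourth wire of the day and the batch is held from there; no single signal is decisive, the combination is. A known vendor at the usual cadence scores 0.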
Commercial customer education should be a required part of that layered security, Allison says. She also says banks have an obligation to inform their commercial customers about protections. "Before this all happened, I never realized there was a difference between the laws and the protections (under Regulation E) for commercial businesses versus consumer accounts," she says. "The laws are not the same. That never occurred to me. That should have been something we were notified about by the bank."