FFIEC: Impact on Consumer Accounts

Will Banks Face Legal Woes if Retail Accounts Are Breached?
FFIEC: Impact on Consumer Accounts

Too many banking institutions have been narrow-minded in their approach to FFIEC Authentication Guidance conformance, says Joseph Burton, an information security legal expert and partner at Duane Morris LLP.

See Also: Gartner Market Guide for DFIR Retainer Services

Rather than just focusing on online commercial accounts, banks and credit unions need to also anticipate the impact the updated guidance will have on security expectations for online retail accounts as well.

"You're dead today if you don't take the FFIEC guidance to heart on both levels," Burton says.

Negligence: A Gateway for Class Action

Many financial institutions have focused their attention on improving education efforts and enhancing authentication techniques and technologies for commercial accountholders - the customers and members most often hit, at least for now, by incidents of corporate account takeover.

But Burton says bankers are ignoring security enhancements for consumer accounts, and doing so could expose them to more legal woes.

"On the horizon are more problems on the consumer side, and I'm just as concerned for the banks," he says.

The big worry: class action suits, filed by groups of consumers whose online accounts are hijacked via phishing or some other social engineering technique. If those accounts are compromised and a bank subsequently authorizes fraudulent transactions on those accounts, a door could open for consumers to sue the bank for negligence. And that's a Pandora's box no banking institution wants to open.

"The FFIEC was a godsend to plaintiffs in that regard - a guidance, a near-regulation - that if you have banks not following it, you've got the perfect storm to declare them negligent," Burton says.

The Legal Precedent?

Because Regulation E, the Electronic Funds Transfer Act, protects consumers against paying for unauthorized transactions, many banking institutions have not worried much about reasonable security and negligence on the retail side.

"Regulation E speaks to the issue of the liability of the consumer for unauthorized transactions, and it puts bounds around what liability a consumer will have," Burton says. While Reg. E does not address a bank's liability, the FFIEC's Authentication Guidance does.

That means banks and credit unions that don't follow the guidance to the letter of the law, for consumers and businesses, could be setting themselves up for lawsuits. And Burton says there is relevant case law on the matter.

In a 2009 case, Shames-Yeakel vs. Citizens Financial Bank, a U.S. District Court in Illinois found that consumer protections under Reg. E were not at issue in a case that involved consumer transactions; rather the bank's liability for approving those fraudulent transactions was relevant.

The case is an interesting one, because it involved the takeover of a commercial account that was used for personal payments. But because the compromised account was a commercial account, the court did not consider Reg E.

Burton argues, however, that the separation between commercial-use and consumer-use is blurring. He contends that the Shames case highlights an increasingly gray area. He also says it would not be much of a legal leap to see attorneys cite the Shames case in other cases involving negligence related to consumer accounts.

"Shames-Yeakel is a case very similar to one that consumer accounts would be involved in," he says. "I see potential liability, based on negligence, and the bank's failure in that case to follow the FFIEC guidelines. That, to me, is evidence of negligence."

In Shames, the court found that Citizens Financial Bank was liable under a theory of negligence. The bank had a duty to protect the account and the accountholder from identity fraud.

What It Means for Banks

From a legal perspective, the fight over so-called "reasonable security" is over, Burton says. Recent ACH fraud cases, like the one involving PATCO Construction Inc. and the former Ocean Bank (now People's United Bank), though on the commercial side, found that if a customer agrees to a bank's contract, then the customer agrees with the reasonableness of the bank's security.

But as more attention is paid to ACH fraud against commercial and consumer accounts, and as the FFIEC guidelines for online security get more attention, banking institutions need to prepare themselves for more legal wrangles.

"You've got to get down in the trenches and see whether or not you're doing what the FFIEC guidelines call for," where consumer and business accounts are concerned, Burton says. "The guidelines make no distinction, but banks have focused too much on the commercial side."

Institutions that lack layers of security and multifactor authentication on the retail side run the risk of eventually being found negligent, should they face a lawsuit, he adds.

Action items

Burton's recommendations:

  • Follow FFIEC guidance to the letter for retail and commercial accounts. "It would then be hard for a court to find you negligent," he says.
  • Offer more consumer education. "The FFIEC makes no distinction between education for commercial versus retail accounts," he says. Banks have to do more to effectively educate consumers about online dangers. He suggests that more public service announcements about social engineering would be good to see.
  • Invest in more back-end fraud detection. "There are a number of fraud-detection solutions and authorization solutions that the credit card industry uses that the banking industry does not," he says. As more consumers move to online banking, he notes, banks will have to enhance their detection systems, and follow the credit industry's lead.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.