FFIEC: Impact on Consumer Accounts
Will Banks Face Legal Woes if Retail Accounts Are Breached?Too many banking institutions have been narrow-minded in their approach to FFIEC Authentication Guidance conformance, says Joseph Burton, an information security legal expert and partner at Duane Morris LLP.
See Also: Gartner Market Guide for DFIR Retainer Services
Rather than just focusing on online commercial accounts, banks and credit unions need to also anticipate the impact the updated guidance will have on security expectations for online retail accounts as well.
"You're dead today if you don't take the FFIEC guidance to heart on both levels," Burton says.
Negligence: A Gateway for Class Action
Many financial institutions have focused their attention on improving education efforts and enhancing authentication techniques and technologies for commercial accountholders - the customers and members most often hit, at least for now, by incidents of corporate account takeover.
But Burton says bankers are ignoring security enhancements for consumer accounts, and doing so could expose them to more legal woes.
"On the horizon are more problems on the consumer side, and I'm just as concerned for the banks," he says.
The big worry: class action suits, filed by groups of consumers whose online accounts are hijacked via phishing or some other social engineering technique. If those accounts are compromised and a bank subsequently authorizes fraudulent transactions on those accounts, a door could open for consumers to sue the bank for negligence. And that's a Pandora's box no banking institution wants to open.
"The FFIEC was a godsend to plaintiffs in that regard - a guidance, a near-regulation - that if you have banks not following it, you've got the perfect storm to declare them negligent," Burton says.
The Legal Precedent?
Because Regulation E, the Electronic Funds Transfer Act, protects consumers against paying for unauthorized transactions, many banking institutions have not worried much about reasonable security and negligence on the retail side.
"Regulation E speaks to the issue of the liability of the consumer for unauthorized transactions, and it puts bounds around what liability a consumer will have," Burton says. While Reg. E does not address a bank's liability, the FFIEC's Authentication Guidance does.
That means banks and credit unions that don't follow the guidance to the letter of the law, for consumers and businesses, could be setting themselves up for lawsuits. And Burton says there is relevant case law on the matter.
In a 2009 case, Shames-Yeakel vs. Citizens Financial Bank, a U.S. District Court in Illinois found that consumer protections under Reg. E were not at issue in a case that involved consumer transactions; rather the bank's liability for approving those fraudulent transactions was relevant.
The case is an interesting one, because it involved the takeover of a commercial account that was used for personal payments. But because the compromised account was a commercial account, the court did not consider Reg E.
Burton argues, however, that the separation between commercial-use and consumer-use is blurring. He contends that the Shames case highlights an increasingly gray area. He also says it would not be much of a legal leap to see attorneys cite the Shames case in other cases involving negligence related to consumer accounts.
"Shames-Yeakel is a case very similar to one that consumer accounts would be involved in," he says. "I see potential liability, based on negligence, and the bank's failure in that case to follow the FFIEC guidelines. That, to me, is evidence of negligence."
In Shames, the court found that Citizens Financial Bank was liable under a theory of negligence. The bank had a duty to protect the account and the accountholder from identity fraud.
What It Means for Banks
From a legal perspective, the fight over so-called "reasonable security" is over, Burton says. Recent ACH fraud cases, like the one involving PATCO Construction Inc. and the former Ocean Bank (now People's United Bank), though on the commercial side, found that if a customer agrees to a bank's contract, then the customer agrees with the reasonableness of the bank's security.
But as more attention is paid to ACH fraud against commercial and consumer accounts, and as the FFIEC guidelines for online security get more attention, banking institutions need to prepare themselves for more legal wrangles.
"You've got to get down in the trenches and see whether or not you're doing what the FFIEC guidelines call for," where consumer and business accounts are concerned, Burton says. "The guidelines make no distinction, but banks have focused too much on the commercial side."
Institutions that lack layers of security and multifactor authentication on the retail side run the risk of eventually being found negligent, should they face a lawsuit, he adds.
Action items
Burton's recommendations:
- Follow FFIEC guidance to the letter for retail and commercial accounts. "It would then be hard for a court to find you negligent," he says.
- Offer more consumer education. "The FFIEC makes no distinction between education for commercial versus retail accounts," he says. Banks have to do more to effectively educate consumers about online dangers. He suggests that more public service announcements about social engineering would be good to see.
- Invest in more back-end fraud detection. "There are a number of fraud-detection solutions and authorization solutions that the credit card industry uses that the banking industry does not," he says. As more consumers move to online banking, he notes, banks will have to enhance their detection systems, and follow the credit industry's lead.