Defining the security responsibilities of banking institutions and their commercial customers is becoming a bit easier, thanks to recent court decisions and legal settlements in account takeover cases, as well as the updated authentication guidance issued in June 2011 by the Federal Financial Institutions Examination Council.
Legal and cybersecurity experts participating in the panel discussion, however, point out that what is deemed reasonable security for one institution or commercial customer might not be reasonable for another. And this is one area where banking regulators are expected to focus increasing attention as they conduct their new cybersecurity exams this summer aimed at community-based institutions (see New FFIEC Cyber Exams: What to Expect).
During the panel, Doug Johnson of the American Bankers Association, cybersecurity attorney Joseph Burton and former FDIC IT examination analyst Amy McHugh discuss the implications of two recent ACH fraud court cases: Choice Escrow Land Title LLC vs. BancorpSouth and TRC Operating Co. vs. United Security Bank of Fresno. The three experts review what the banks did right and where they could have done more.
"Different institutions have different risk profiles," Johnson says. "But the [FFIEC] authentication guidance clearly puts the requirement on the bank to offer more than username and password," regardless of the institution's asset size.
It will become increasingly critical for banks and credit unions to review their circumstances and come up with layered security options, per the FFIEC's recommendations, that adequately secure their environments, Johnson adds.
A key legal issue brought up in the two cases is the notion of what constitutes reasonable security measures.
"The issue today is trying to determine what is commercially reasonable," Burton says. "I think the courts will tend to look for industry standards and practices they can adopt. ... If you don't meet the FFIEC standards, you're not commercially reasonable."
The critical points for banks and credit unions, Burton says: Know your customers and ensure that the security procedures offered meet their needs, as well as comply with existing industry standards.
If a commercial customer turns down certain reasonable security features, as happened in Choice Escrow, that customer could be left holding the bag for subsequent fraud losses it suffers, he says.
In the TRC case, McHugh says it appears that the bank may have failed to perform a review to ensure its security procedures complied with industry standards. United Security Bank wound up settling its dispute with TRC for $350,000, and the case provides valuable lessons for other banking institutions about the adverse impact of inadequate information security, she says.
"It does look like the bank was just offering username and password, which is not satisfactory," McHugh says. "I think the bank was wise to settle. ... Banks need to offer something in their systems that does more to detect fraud, and they have to offer more than just username and password."
During this interview, Johnson, Burton and McHugh also discuss:
- The impact of states' adoption of the Uniform Commercial Code on commercial customer fraud liability;
- How banks and credit unions can test their security procedures to determine whether they are "reasonable"; and
- How the FFIEC will use its new cybersecurity exam process, now being piloted, to reform future IT banking examinations.
Johnson leads the ABA's enterprise risk, physical and cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues. And he serves on the BITS/Financial Services Roundtable Security Steering Committee.
Burton, managing partner of the San Francisco office for law firm Duane Morris LLP, is a nationally recognized expert in information security law, with an emphasis on cybercrime and cybersecurity. He is a former assistant U.S. attorney for the Northern District of California, where he handled the first prosecution in the U.S. for criminal copyright infringement of computer code.
McHugh, an attorney and Certified Information Systems Auditor, is a former IT examination analyst for the Federal Deposit Insurance Corp. who now works as a banking institution adviser for CliftonLarsonAllen, a professional services firm. Her areas of specialization include Gramm-Leach-Bliley Act compliance; information systems review; risk assessments and policy development; information security program development and implementation; vendor management; cloud computing; and corporate account takeover fraud.