Limiting Bank Liability for Deposit Account Takeover by Following FFIEC Guidance
The most imminent threats facing banks today are not gun-wielding robbers like John Dillinger and Bonnie and Clyde. Today’s financial institutions face a different kind of threat— cyberattacks. Banks and their customers rely upon technology more so today than they ever have before. Because so much banking business is conducted online, the threat of cyberattacks on commercial customer deposit accounts increases rapidly.
The most significant type of cyberattack in the banking industry is called “corporate account takeover,” which occurs when a computer hacker steals a depositor’s online banking credentials and then, acting as the depositor, makes fraudulent outgoing wire transfers. The customer’s funds end up in very far-away places. To the bank, the transactions appear to be authorized by the accountholder and valid. By the time the bank and depositor realize there has been a theft, it is usually too late to recover the funds. Who bears the loss—the bank or the customer? Laws and regulations in the last decade have increased the liability for banks who do not take the proper preventative measures to insure against corporate account takeover. This article examines those laws and regulations, and discusses how banks can best manage the risk of account takeovers.
The UCC rules. Under Article 4A of the Uniform Commercial Code (“UCC”), the general rule is that the loss falls on the bank for an unauthorized outgoing wire, even if it appears to the bank that the transaction has been authorized. However, there are two exceptions to this rule: (1) the depositor fails to report the unauthorized debits to its account within one year and (2) the bank has in place a “commercially reasonable security procedure” to protect against hacking, the security procedure is embodied in a contract between bank and customer, and the bank accepted the outgoing wire in good faith and in compliance with the security procedure. The rules governing the second exception have been heavily litigated; they are codified in UCC 4A-201 through 4A-204.
The FFIEC guidance. To determine what is a commercially reasonable security procedure, the Federal Financial Institutions Examination Council (“FFIEC”) periodically releases “guidance” to help banks to “identify and mitigate cyberattacks.” The most recent guidance was issued on March 30, 2015. It includes eight “risk mitigation” recommendations for financial institutions. This is a must-read for bankers.
1. Financial Institutions should securely configure systems and services.
2. Financial Institutions should review, update, and test incident response and business continuity plans.
3. Financial Institutions should conduct ongoing information security risk assessments.
4. Financial Institutions should perform security monitoring, prevention, and risk mitigation.
5. Financial Institutions should protect against unauthorized access.
6. Financial Institutions should implement and test controls around critical systems regularly.
7. Financial Institutions should enhance information security awareness and training programs.
8. Financial Institutions should participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
The expectation of layered security. The eight recommendations set out by the FFIEC in 2015 expand upon earlier recommendations issued in 2005 and 2011. One of the most important aspects of the earlier guidance was the FFIEC’s recommendation of layered security. The 2011 Guidance described layered security as “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” The FFIEC recommends that financial institutions use more than a single layer of customer authentication. The most common example of a single layer of authentication is requiring a customer’s username and login. The FFIEC requires more security layers than simply requiring password authentication. Financial institutions should consult the FFIEC guidelines for examples of other layers of authentication.
The FFIEC guidelines set forth two particularly important types of layered security: (1) the use of dual-factor authentication such as usernames/passwords plus tokens, callback or challenge questions and (2) the use of software to detect out-of-pattern transactions involving outgoing wires. Keep in mind that the courts use the FFIEC guidance to determine whether the bank’s security procedure was commercially reasonable and in good faith. Courts sometimes confuse commercially reasonable and good faith. By employing layered security and complying with the FFIEC Guidance, banks can show their security procedures were commercially reasonable and in good faith. Layered security is one of the best ways to protect a financial institution from civil liability as well as protect customers’ assets from the threats of deposit account takeover.
How the courts are resolving cyberattack disputes: the two key cases. There are two key federal appellate decisions in this area—one in favor of the customer and the other in favor of the bank. In 2012, the First Circuit held that a bank’s security procedure was not commercially reasonable even though it used dual-factor authentication. In Patco Construction Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012), the bank employed multiple security procedures to comply with the 2005 FFIEC guidance, but it lost the case because at least one procedure was counter-productive.
Most notably, the security company’s software allowed banks to set a threshold amount for transactions that would trigger a security challenge question to authenticate the transaction. Initially, the bank in Patco set the threshold at $100,000. The bank later lowered the threshold to $1, effectively requiring security challenge questions on every internet transaction. The bank argued that this raised the level of security because it required answering security questions for every transaction. In 2009, a hacker obtained a customer’s banking information and authenticated a series of transactions close to $600,000. The bank was unable to retrieve $243,406 of these funds.
The First Circuit held that the lower threshold of $1 triggering the challenge questions hurt customers by increasing the risk of fraud. The court’s rationale was that requiring challenge questions on every transaction gave hackers more opportunity to capture the vital information. The court also held that the bank did not have a practice of closely monitoring all transactions, even if it had warning that fraud was occurring. The court held that these failures, taken as a whole, showed that the bank’s security procedure was not commercially reasonable. This First Circuit case is significant because it shows that employing multi-layered authentication may still not insulate financial institutions from liability.
In contrast to the First Circuit’s decision, a 2014 case from the Eighth Circuit ruled in favor of the bank. In Choice Escrow and Land Title, LLC. v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the Eighth Circuit ruled that the bank’s security procedure was commercially reasonable and the bank acted in good faith. The bank provided four security measures for its customers. The first was a simple ID and password requirement. The second was authentication software that monitored the customer’s IP address and other specific information of the customer’s computer. This allowed the bank to ensure that the same computers were authorizing the transactions; if another computer or IP address was used, then the user had to correctly answer challenge questions. The third security layer allowed customers to place dollar limits on wire transfers. The fourth layer was called “dual control.” This measure required every outgoing wire transfer to be authenticated by two separate users with distinct IDs and passwords.
The Eighth Circuit held that the bank’s four levels of security authentication were commercially reasonable, even though the customer in the case had rejected two of them. The court noted that the Uniform Commercial Code releases a bank from liability if a security procedure is offered to a customer and the customer declines the procedure in writing and agrees to a different procedure. This effectively shifts the liability to the customer. The court rejected the argument that to be “commercially reasonable,” a security procedure must include a human being manually reviewing every payment order submitted to the bank. Further, the court found that the bank acted in good faith, and pursuant to agreement, in accepting the outgoing wires.
Importantly, the Eighth Circuit relied on the FFIEC guidance as a test for determining what is a commercially reasonable security procedure. The court called the FFIEC guidance the “primary authority” in measuring the reasonableness of a security measure. This is important for financial institutions to note, since the courts are relying heavily upon the FFIEC guidelines when considering liability in cases of cyberattacks.
Conclusion. Cases involving cybersecurity and financial institutions are sure to continue to flow in the coming years as customers and banks increasingly rely upon technology for conducting business and hackers increase in their ability to conduct cyberattacks. One of the best ways for a bank to protect itself against liability is to take action and measures that are in accord with the FFIEC guidance, including the 2015 version. As technology changes, so will the requirements of the FFIEC. Notably, the most recent guidance recommends that financial institutions should share with one another, in forums, how to mitigate cybersecurity threats. The courts have yet to litigate what exactly these forum-sharing recommendations mean, but financial institutions should be on notice that this is just one of the new requirements set out by the FFIEC. The best course of action for financial institutions is to work with legal counsel to insure the institution is up-to-date with the guidance issued by the FFIEC. Although the 2015 guidance attests that it “does not contain any new regulatory expectations,” experience shows that bank compliance with the new guidance is the best way to manage the risk of deposit account takeover.
This was originally published on BankinBits, which discusses recent developments in the banking industry, is produced and maintained by attorneys in the Banking and Financial Services Division at Stinson Leonard Street. Read more posts like this at www.bankinbits.com.