Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, and fraud detection and prevention applications…

Court rules against bank in business account cyber-heist but who’s to blame?

by Avivah Litan  |  July 10, 2012

Last week, a federal appeals court reversed a May 2011 lower court ruling that had held PATCO Construction Inc. responsible for ACH fraud committed by hackers who used the Zeus Trojan to pilfer $588,000 from PATCO's account at Ocean Bank in 2009. The appeals court found the bank's security procedures "commercially unreasonable" and recommended that the two parties settle the matter out of court. For more information on the court case, see http://www.bankinfosecurity.com/inside-pacto-fraud-ruling-a-4927

As with the 2008 financial crisis and the subprime mortgage market meltdown, everyone has an opinion on who is responsible for preventing business account heists: the bank, the business, or the government. I happen to think that while every party shares a piece of the culpability, the ultimate responsibility for preventing this type of fraud lies with our Congress, which is all too heavily influenced by the almighty financial services lobby.

After all, the role of government is to look after and protect consumer and business interests that go unprotected when the entities consumers and businesses trust (e.g. the banks) fail to protect them.

Ocean Bank relied on a third party online banking processor for its security and was asleep at the wheel when the fraud took place. It had the means to filter and monitor high risk transactions but did not make good use of what it had. No doubt Ocean Bank assumed it was covered contractually with PATCO and had no liability for business account losses, since business accounts fall under Article 4A of the Uniform Commercial Code and there is no business-side equivalent of Regulation E, which protects consumer accounts.

Further, our nation's banking regulators, stretched as they may have been, also failed to ensure that small banks like Ocean were doing their part in protecting customer assets. (The FFIEC banking regulators finally came out with an update to their guidance on Internet banking security in June 2011, about three years too late.)

This specific ruling will likely have only an incremental impact. Other small businesses with the resources to sue their bank over similar incidents can now point to this ruling as they make their own case. But this battle will have to be fought one case at a time.

The PATCO case and many similar small business account takeover cases have been well publicized and have already had their major immediate impact: the 2011 update of the FFIEC guidance, which frankly isn't enough. It is only guidance, not regulation, and it is definitely not federal law.

The federal appeals court was right to hold that the bank did not employ commercially reasonable security, a standard that comes from Article 4A of the Uniform Commercial Code itself. But what the court did not say, for whatever reason, was that the U.S. laws that apply to banks' safeguarding of business accounts (found in the Uniform Commercial Code) are nowhere near as clear as those that protect consumer accounts (à la Regulation E). If they were, I doubt Ocean Bank would have ignored the signs that a theft of nearly $600,000 from one of its business customer accounts was going down.
