Gartner Blog Network


Judicial Decision favors Bank over defrauded business – Regulatory Blunder?

by Avivah Litan  |  June 7, 2011  |  5 Comments

A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in a money transfer case that Patco Construction Inc. filed against its bank, Ocean Bank, in 2010. In May 2009, the construction company had its account taken over by cybercriminals and lost more than half a million dollars. Only $230,000 was recovered. For more information on this decision, see http://www.bankinfosecurity.com/articles.php?art_id=3705&rf=2011-06-07-eb

In my opinion, this is an injustice against small U.S. businesses, whose health is critical to the economic recovery in this country. It is also a failure of the U.S. banking regulatory system to act quickly and proactively.

The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from cyberattacks that compromise the safety and security of their accounts, just as consumers are protected under Regulation E.

While subject to many different interpretations, I don’t believe this magistrate correctly interpreted the 2005 FFIEC authentication guidance, “Authentication in an Internet Banking Environment,” which is the last guidance issued on this matter.

On Page 1 of that guidance, the FFIEC states:

“Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services.”

Clearly, the methods used by Patco’s bank’s processor (and many other banks that experienced similar incidents) at the time did not successfully thwart the risks associated with online business banking in 2009. Zeus, browser-based Trojans and other modern-day threats are known to circumvent all the methods that were being used to protect Patco’s account.

Unfortunately, the 2005 FFIEC guidance referred to examples of relatively basic online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques. Still, the basic premise of the guidance as transcribed above remains sound, and I think it should have been interpreted differently by the judge. Again, the operative phrase in the guidance is on page 1: “… the … techniques employed by the financial institution should be appropriate to the risks associated with those products and services.”

The FFIEC was on the verge of releasing updated guidance at the end of last year that was supposed to clarify the new and stronger types of multi-layered defenses required in 2011. They were also supposed to have explained in the update that the examples of strong online banking security measures which they listed in 2005 have been rendered useless and obsolete by next generation cybercrimes. It’s very disappointing that that much-needed update was never issued, no doubt because of politics and disagreements among the regulatory agencies.

But better yet, the legislature should simply make banks responsible for unauthorized access and activity in business bank accounts, just as they are responsible for such activities in consumer accounts.

I see this as a failure of government to protect the banking system by creating the right laws, guidance and incentives. Current laws protect consumers, probably because legislators realized long ago that they couldn’t necessarily protect themselves. Small businesses especially have the same issues – the threats have moved beyond small businesses’ ability to stop them via most commercially available anti-virus software and personal firewalls.

Banks will justifiably do what’s in their own interest and, for now, are covered by contractual agreements with their business customers. Most businesses, on the other hand, need specific tools and methods – that their banks instruct them to use as necessary and appropriate – if they are to be responsible for what happens inside their bank accounts.

Otherwise, banks should hang out a big shingle on their online banking web site that reads “Businesses: bank at your own risk.”

Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.


Thoughts on Judicial Decision favors Bank over defrauded business – Regulatory Blunder?


  1. […] off the hook to do anymore than with is contained in the outdated FFIEC guidance guidelines. As one industry analyst wrote “Businesses: at your own […]

  2. jfbauer says:

    Avivah,

    I think there are challenges on both sides of the bank versus on-line customer equation when it comes to authentication security. I recently posted my thoughts on my blog here: http://bit.ly/kQYN8G

    If you don’t mind, I referenced your concluding statement linking users back here to your post.

  3. […] Biometric authentication is undoubtedly a growing area of our industry, and advances like this are to be applauded. However, we must remember that authentication at this level is unlikely to be adopted on a mass-market scale, so innovations like this one will probably never directly affect many of us. The reason for this is simple: all authentication must be risk-appropriate. […]

  4. […] recent blog post by Avivah Litan, vice president and distinguished analyst at Gartner, raises the following […]

  5. […] using corporate banking products online and, as a consequence, likely not be covered under Reg E.  Like many small organisations, they are particularly vulnerable to any monetary loss and lack the technical know-how to […]


