Judicial Decision favors Bank over defrauded business – Regulatory Blunder?

A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in a money transfer case that Patco Construction Inc. filed against its bank, Ocean Bank in 2010. In May 2009, the construction company had its account taken over by cybercriminals and lost more than half a million dollars. Only $230,000 was recovered. For more information on this decision see http://www.bankinfosecurity.com/articles.php?art_id=3705&rf=2011-06-07-eb

In my opinion, this is an injustice against small U.S. businesses, whose health is critical to the economic recovery in this country. It is also a failure of the U.S. banking regulatory system to act quickly and proactively.

The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from cyberattacks that compromise the safety and security of their accounts, just as consumers are protected under Regulation E.

While subject to many different interpretations, I don’t believe this magistrate correctly interpreted the 2005 FFIEC authentication guidance, “Authentication in an Internet Banking Environment,” which is the last guidance issued on this matter.

On Page 1 of that guidance, the FFIEC states:

“Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services.”

Clearly, the methods used by Patco’s bank’s processor (and many other banks who experienced similar incidents) at the time did not successfully thwart the risks associated with online business banking in 2009. Zeus, browser based Trojans and other modern-day threats are known to circumvent all the methods that were being used to protect Patco’s account.

Unfortunately, the 2005 FFIEC guidance referred to examples of relatively basic online theft techniques that were commonplace in 2004 and 2005. The cybercriminal of 2011 has long ago bypassed and surpassed those old techniques. Still, the basic premise of the guidance as transcribed above remains sound and I think should have been interpreted differently by the judge. Again the operative phrase in the guidance is on page 1 “….the … techniques employed by the financial institution should be appropriate to the risks associated with those products and services.”

The FFIEC was on the verge of releasing updated guidance at the end of last year that was supposed to clarify the new and stronger types of multi-layered defenses required in 2011. They were also supposed to have explained in the update that the examples of strong online banking security measures which they listed in 2005 have been rendered useless and obsolete by next generation cybercrimes. It’s very disappointing that that much-needed update was never issued, no doubt because of politics and disagreements among the regulatory agencies.

But better yet, the legislature should simply make banks responsible for unauthorized access and activity in business bank accounts, just as they are responsible for such activities in consumer accounts.

I see this as a failure of government to protect the banking system by creating the right laws, guidance and incentives. Current laws protect consumers, probably because legislators realized long ago that they couldn’t necessarily protect themselves. Small businesses especially have the same issues – the threats have moved beyond small business ability to stop them via most commercially available anti-virus software and personal firewalls.

Banks will justifiably do what’s in their own interest, and for now, are covered by contractual agreements with their business customers. Most businesses, on the other hand, need specific tools and methods – that their banks instruct them to use as necessary and appropriate – if they are to be responsible for what happens inside their bank accounts.

Otherwise, banks should hang out a big shingle on their online banking web site that reads “Businesses: bank at your own risk.”