In the movie “The Town,” actor Ben Affleck dons an impressive array of disguises as he holds up banks, employing everything from goblin masks to nun habits. When it comes to draining corporate bank accounts, though, most thieves are masquerading in a more muted way: as finance executives.
While it is hard to know exactly how many accounts have been compromised, a growing number of lawsuits between small businesses and their banks reveal that the problem is on the rise. Village View Escrow, for one, recently sued Professional Business Bank for allowing more than $465,000 to be hacked out of its account in March 2010. In general, hackers get a company’s banking information through emailing corporate officers with infected attachments, or convincing-looking requests for confidential information from the Internal Revenue Service or electronic payments association NACHA, and then make multiple transfers out of the account before anyone realizes what’s happening.
These types of fraudulent attacks are not new concepts, of course. What’s new is that “they have moved from the consumer sector over to the business sector,” where higher balances yield greater rewards for thieves, notes Christopher Loeffler, an attorney with Kelley Drye & Warren who specializes in online security.
The question, as debated by the lawsuits, is who should pay for that theft, the bank or the company?
So far, the courts have been divided over the answer. In June, a Maine judge ruled that Patco Construction Company should have been more vigilant about its bank account, and denied its request for People’s United Bank to cover the $345,000 it lost in an attack in 2009. Conversely, within weeks, a Michigan judge found Comerica Bank liable for $560,000 that was fraudulently transferred out of the bank account of Experi-Metal, a privately-held metal parts manufacturer, charging that the bank did not act “in good faith” by not catching the unusually high volume of transfers in time.
Attorneys say that these cases should serve as a wake-up call, not just about bank security measures but also about the terms of standard banking agreements. “These are to some extent contract disputes,” with different bank agreements contributing to the divergent outcomes, says Loeffler.
Patco, for example, had clauses in its ACH and e-banking agreements that said the bank would not be held responsible for unauthorized entry into its bank account, according to court documents. Those agreements also held Patco to the duty of monitoring its account on a daily basis. Since the frauds took place over the course of a week without the company realizing or reporting them, the company had less leverage in court. (Patco’s side of the story: it was outraged when its bank notified it of the first fraud by snail mail, and argued the bank should have noticed the unusually large and frequent transfers, since the privately-owned construction company only used the ACH function for Friday paychecks.)
Experi-Metal, meanwhile, successfully argued that it had never added its controller Keith Maslowski to the list of authorized users when its bank, Comerica, switched from a digital certificate technology for security to a secure token technology, and thus was not bound by any of those agreements when Maslowski unwittingly handed over his log-in credentials to a phishing site. (Maslowski maintained that he fell for the scheme because it mimicked the emails he had gotten regularly to update his digital certificate credentials.)
Much of the debate hinges on the Uniform Commercial Code, and what security measures on both sides are “commercially reasonable,” a vague term. In light of these cases, finance executives should think about negotiating and even demanding what they consider reasonable. For example, “businesses may want to push back and say we’re not going to log into our accounts to check them every day,” says Loeffler. CFOs may also want to scrutinize the technology and other security measures their banks are offering and ask for more or better measures, or a guarantee that the measures will continually change as fraudsters get more sophisticated.
Indeed, “every measure has its vulnerabilities,” says Doug Johnson, vice-president of risk management policy for the American Banking Association. He says the best approach banks can take is to keep communicating with their customers about the topic as they discover new threats. The most recent guidance on what Internet security measures banks should take, issued by the Federal Financial Institutions Examination Council in late June, focuses on ongoing and dynamic risk assessment rather than advocating specific technologies. “Because the threats change, protection measures have to change, and the customer has to be apprised of those threats and what new measures need to be taken,” he says.
Among the ways Johnson currently sees as most successful: having a standalone computer dedicated to ACH transactions, with no Web-browsing functions; employing callbacks to employees for transactions; and putting more people in the mix in general. Banks may also ask if they can put monitoring software on company computers with Web-browsing functions so that they can track Internet banking transactions for irregularities.
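The monitoring Johnson describes, and the pattern the Patco and Experi-Metal cases turned on (a company that only ever sent Friday payroll suddenly sending a burst of large midweek transfers to accounts it had never paid), can be reduced to a baseline check. The script below is an added illustration, not code from the article or from any bank or company it names: it learns a baseline from a constructed history of legitimate ACH batches and flags transfers that break the learned schedule, amount ceiling, daily volume or set of known beneficiaries. The account identifiers, amounts and dates are all constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Monday == 0 ... Friday == 4 (datetime.weekday convention)
FRIDAY = 4


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    amount: int        # whole dollars, constructed sample values
    beneficiary: str   # destination account label, constructed


@dataclass(frozen=True)
class Baseline:
    allowed_weekdays: frozenset   # days on which the company normally originates ACH
    max_amount: int               # largest single transfer tolerated
    max_per_day: int              # most transfers tolerated in one calendar day
    known_beneficiaries: frozenset


def learn_baseline(history, amount_margin=1.5, count_margin=1):
    """Derive a baseline from legitimate past activity, with some headroom
    so ordinary growth (a raise, one new hire) does not trip the alarm."""
    weekdays = frozenset(t.ts.weekday() for t in history)
    max_amount = int(max(t.amount for t in history) * amount_margin)
    per_day = Counter(t.ts.date() for t in history)
    max_per_day = max(per_day.values()) + count_margin
    known = frozenset(t.beneficiary for t in history)
    return Baseline(weekdays, max_amount, max_per_day, known)


def flag_transfers(baseline, batch):
    """Return [(transfer, [reasons])] for every transfer that departs from
    the baseline. Volume is counted in time order, so the first few
    transfers of a burst may pass the volume check while later ones fail."""
    flagged = []
    per_day = Counter()
    for t in sorted(batch, key=lambda x: x.ts):
        reasons = []
        if t.ts.weekday() not in baseline.allowed_weekdays:
            reasons.append("off-schedule day")
        if t.amount > baseline.max_amount:
            reasons.append("amount above baseline")
        if t.beneficiary not in baseline.known_beneficiaries:
            reasons.append("new beneficiary")
        per_day[t.ts.date()] += 1
        if per_day[t.ts.date()] > baseline.max_per_day:
            reasons.append("daily volume above baseline")
        if reasons:
            flagged.append((t, reasons))
    return flagged


def summarize(flagged):
    """Count how often each reason fired across the flagged transfers."""
    return Counter(r for _, reasons in flagged for r in reasons)


def constructed_history():
    # Four Fridays of payroll, three employees each (constructed).
    rows = []
    for day in (6, 13, 20, 27):
        for acct, amt in (("EMP-001", 1200), ("EMP-002", 1350), ("EMP-003", 1500)):
            rows.append(Transfer(datetime(2009, 3, day, 9, 0), amt, acct))
    return rows


def constructed_batch():
    # One legitimate Friday payroll plus a Thursday-night burst of large
    # transfers to accounts the company has never paid (constructed).
    legit = [
        Transfer(datetime(2009, 5, 8, 9, 0), 1200, "EMP-001"),
        Transfer(datetime(2009, 5, 8, 9, 0), 1350, "EMP-002"),
        Transfer(datetime(2009, 5, 8, 9, 0), 1500, "EMP-003"),
    ]
    burst = [
        Transfer(datetime(2009, 5, 7, 2, 10 + i), 9800, f"NEW-{i:03d}")
        for i in range(5)
    ]
    return legit + burst


def run_demo():
    baseline = learn_baseline(constructed_history())
    return flag_transfers(baseline, constructed_batch())


if __name__ == "__main__":
    for t, reasons in run_demo():
        print(t.ts, t.amount, t.beneficiary, "->", ", ".join(reasons))
```

Run on the constructed data, the three Friday payroll transfers pass and all five Thursday transfers are flagged on day, amount and beneficiary, with the fifth also tripping the daily-volume check. A bank or company applying this kind of check is making exactly the judgement the article says courts weigh under the "commercially reasonable" standard: whether a pattern this far outside the customer's history should have been caught before the money left.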
Whatever the solutions, few companies are going back to paper checks, says Johnson. “We are not seeing a change in [the use of ACH]; it’s important to remember that millions of these transactions are being completed legitimately and efficiently every day,” he says. In fact, ACH is so much less costly that it’s more important than ever “to protect that environment so it can prosper.”