
An article relating to this blog post on Finextra:

Another US bank sued by hacked customer

California-based Village View Escrow has become the latest US business to sue its bank after having its account drained by cyber-thieves.



The Emergence Of ePayment Fraud Chasers

The jury's out – well, not even selected - on this latest one but, at 1:1, the verdicts on the two previous lawsuits around EFT and ACH frauds in the USA are matched evenly between corporates and banks.

It seems fair to find in favor of corporates where banks haven't complied with FFIEC and other well-established security guidelines. Issued over five years ago, and updated last month, FFIEC's guidance around two-factor authentication for Internet Banking has been around for long enough, and there’s really no excuse for the failure of banks to implement it. The growing popularity of Mint, OfferMatic, BillGuard and other websites that access the customer's bank account on the basis of a simple username and password suggests that there are still plenty of banks in the US that fall under this category, at least when it comes to retail banking, and I won’t be terribly surprised if a similar situation prevails in business banking as well.

However, things get very murky when banks get judged by a broader canvas of expectations around what they should, or shouldn’t, be doing with payment instructions received from their customers.

Take the lawsuit of Experi-Metal Inc. v. Comerica Bank, for instance. According to the BankInfoSecurity article quoted in the Finextra story, the court found in favor of EMI on the grounds that "EMI's prior wire-transfer activity, which had been limited to a select group of domestic entities, should have been noted by Comerica before it approved transfers to overseas accounts".

This prompts the following questions:

  1. Should a bank ignore the "there's a first time for everything" maxim?
  2. If yes, by the same token, should a bank stop payments to all new beneficiaries just because the corporate had never made payments to any of them in the past?
  3. If no, why blame a bank for approving the first cross-border payment, which could signal the corporate’s entry into an increasingly globalized world rather than fraud?
  4. Assuming that the bank finds a cross-border payment suspicious, what is its contractual obligation to the corporate?
  5. Assuming that the bank decides to go beyond its contractual obligation and takes the initiative to check with the corporate. As experienced bankers know, this could take a couple of hours at times, longer in case the authorized contact at the corporate is traveling or otherwise unavailable. Because of this time lapse, suppose the corporate misses the deadline for submission of security / earnest money deposit for an overseas government tender and sues the bank for loss of the business opportunity?
  6. On the other hand, what if a bank sits on a payment on the pretense of carrying out fraud checks only to enjoy the float? Nor is this a rare scenario, as experienced treasurers would agree!

As these issues illustrate, holding banks responsible for things other than contractual commitments and well-established security guidelines might result in an unfavorable outcome in the long run – not just for banks but also for corporates. Let’s hope that these cases are decided with this consideration in mind.

At this point, it’s not clear if these are one-off cases or portend a tsunami of ePayment fraud lawsuits waiting to strike banks in the coming months and years. Either way, 'ePayment Fraud Chasers' will likely emerge as a new and lucrative category of practice in the American legal profession very soon!


Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 26 March, 2013, 12:04

In this latest verdict, the court has found in favor of the bank, citing that the corporate declined the bank's offer of 2FA (two factor authentication) and 2PA (two person authorization) and must therefore take responsibility for the loss of US$ 440K caused by the fraudulent wire transfer from its account. While I haven't kept count, I think the latest tally in verdicts on these lawsuits is 3:2 in favor of banks. 

On another note, with just 5 lawsuits in 20 months since I wrote this post, ACH and EFT frauds certainly appear to be one-off cases and not a tsunami.