The jury's out – well, not even selected - on this latest one but, at 1:1, the verdicts on the two previous lawsuits around EFT and ACH frauds in the USA are matched evenly between corporates and banks.
It seems fair to find in favor of corporates where banks haven't complied with FFIEC and other well-established security guidelines. Issued over five years ago, and updated last month, FFIEC's guidance around two factor authentication for Internet Banking
have been around for a long enough time and there’s really no excuse for the failure of banks to implement them. The growing popularity of Mint, OfferMatic, BillGuard and other websites that access the customer's bank account on the basis of a simple username
and password suggests that there are still plenty of banks in the US that fall under this category, at least when it comes to retail banking, and I won’t be terribly surprised if a similar situation prevails in business banking as well.
However, things get very murky when banks get judged by a broader canvas of expectations around what they should, or shouldn’t, be doing with payment instructions received from their customers.
Take the lawsuit of Experi-Metal Inc. v. Comerica Bank, for instance. According to the BankInfoSecurity article quoted in the Finextra story, the court found in favor of EMI on the grounds
that "EMI's prior wire-transfer activity, which had been limited to a select group of domestic entities, should have been noted by Comerica before it approved transfers to overseas accounts".
This prompts the following questions:
- Should a bank ignore the "there's a first time for everything?" maxim?
- If yes, by the same token, should a bank stop payments to all new beneficiaries just because the corporate had never made payments to any of them in the past?
- If no, why blame a bank for approving the first cross-border payment, which could signal the corporate’s entry into an increasingly globalized world rather than fraud?
- Assuming that the bank finds a cross-border payment suspicious, what is its contractual obligation to the corporate?
- Assuming that the bank decides to go beyond its contractual obligation and takes the initiative to check with the corporate. As experienced bankers know, this could take a couple of hours at times, longer in case the authorized contact at the corporate
is traveling or otherwise unavailable. Because of this time lapse, suppose the corporate misses the deadline for submission of security / earnest money deposit for an overseas government tender and sues the bank for loss of the business opportunity?
- On the other hand, what if a bank sits on a payment on the pretense of carrying out fraud checks only to enjoy the float? Neither is this a rare scenario, as experienced treasures would agree!
As these issues illustrate, holding banks responsible for things other than contractual commitments and well-established security guidelines might result in unfavorable outcome in the long run – not just for banks but also for corporates. Let’s hope that
these cases are decided with this consideration in mind.
At this point, it’s not clear if these are one-off cases or portend a tsunami of ePayment fraud lawsuits waiting to strike banks in the coming months and years. Either way, 'ePayment Fraud Chasers' will likely emerge as a new and lucrative category of practice
in the American legal profession very soon!