Two recent news items should serve to get every financial institution in America asking how it might better protect its e-bank account holders from online bank fraud.
In a lawsuit filed by a customer, Experi-Metal, against its bank, Comerica, over responsibility for an online bank fraud that cost Experi-Metal more than $500,000, United States District Court Judge Patrick Duggan held that Comerica failed to act “in good faith” in protecting Experi-Metal from online bank fraud. (For an overview of the decision see KrebsOnSecurity.com. The judge’s decision is available here as a downloadable PDF.)
The Judge, suggesting that Comerica’s conduct amounted to a “pure heart, empty head,” found that (i) Comerica provided evidence that it genuinely intended to protect Experi-Metal (its heart was in the right place), but (ii) Comerica failed to rebut the plaintiff’s claim that the specific actions the bank took to protect Experi-Metal did not meet “reasonable commercial standards of fair dealing.” This second prong, the “head” component, is also required for a successful “good faith” argument.
The ruling suggests that, in a dispute over responsibility for online bank fraud, an account holder is likely to argue that the institution failed to act in “good faith,” i.e., commensurate with “reasonable commercial standards of fair dealing.”
The second piece of important financial cyber security news is that regulators have released a long-awaited update to their 2005 guidelines that describe what financial institutions should be doing to protect e-banking customers from hackers and account takeovers. (Good overviews of the regulations are available at BankInfoSecurity and KrebsOnSecurity.com. The new guidelines are available here as a downloadable PDF.)
The updated guidelines call on financial institutions to
- Conduct more rigorous risk assessments
- Implement stronger “layered defenses”
- Better monitor account holder transactions for suspicious activity
- Do more to educate account holders — particularly businesses — about the risks involved in banking online
Based on our firm’s experience, the specifics of Experi-Metal v Comerica that led the Judge to conclude Comerica failed to act in good faith, and the new guidelines for protecting customers against online bank fraud, we expect that a significant percentage of community banks, as well as a significant number of larger banks, fail to meet the “good faith” standard of “reasonable commercial standards of fair dealing.” (See our White Paper, The Commercial Reasonableness of Bank Security Procedures.)
Forward-looking financial institutions will see in these two news items the opportunity to review how they currently protect e-customers from online bank fraud. They’ll want to carefully review the new guidelines, identify any gaps between the guidelines and their current protections, and put in place action plans to close those gaps. By focusing on meeting the new guidelines, a financial institution in a dispute with an account holder will be better able to demonstrate that it acted in “good faith,” commensurate with “reasonable commercial standards of fair dealing.”
By doing more to educate account holders about the risks involved in online banking, these forward-looking financial institutions will also reap the competitive advantage that comes whenever a business and its customer collaborate to solve the customer’s problem. As account holders become more concerned about the risk of online bank fraud, financial institutions with a reputation for working closely with their account holders to manage that risk will be positioned to take advantage of this market differentiator.