ACH Fraud on Trial
EMI, Comerica Case Unlikely to Decide 'Reasonable Security'
Michigan-based Experi-Metal Inc. and Comerica Bank headed to court this month. Their case is the first major corporate account takeover incident to actually go to trial.
The two parties now appear before the U.S. District Court of Michigan to debate how much responsibility EMI should assume for the takeover of its bank account with Comerica. What won't be debated, however, is how banks should define "reasonable" security, says IT security attorney David Navetta -- a definition left open to interpretation by the Uniform Commercial Code.
"In this case, the court focused on the contracting process between the parties," says Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association's Information Security Committee. "It declared, as a matter of law, that Comerica's security was reasonable, because EMI had agreed that it was reasonable in a contract."
EMI and Comerica could not be reached for comment, but the two have been at legal odds since December 2009, when EMI filed suit against Comerica.
Account Takeover Victims
The EMI-Comerica case is just one along a trail of account takeover debates that have heated up in the last year. Bankers and merchants have seen account takeovers hit:
- Village View Escrow of Redondo Beach, Calif., which in March lost $465,000 to an online hack;
- Choice Escrow, which in November 2010 sued its bank, BancorpSouth, alleging inadequate security measures;
- Hillary Machinery, which in January 2010 was sued by its bank, PlainsCapital Bank, after a legal battle over ACH fraud liability. The suit was later settled for undisclosed terms;
- The Catholic Diocese of Des Moines, Iowa, which in August lost $600,000 in fraudulent ACH transactions.
From an industry perspective, the EMI-Comerica verdict is not expected to have much of an impact, Navetta says. And until courts have guidance that better defines "reasonable," assessing reasonable security is challenging. Courts, Navetta says, look "usually to experts and available documentation and guidance, including guidance from regulators like the FFIEC."
Guidance would have an impact in the courtroom. Pointing to the 2009 Shames-Yeakel v. Citizens Bank case, Navetta says the court determined the bank's security standards were not reasonable, because they did not follow Federal Financial Institutions Examination Council guidelines regarding two-factor authentication.
The Shames case, Navetta says, "reveals how some courts view security standards and approach the question of whether a company has achieved reasonable security."
"If that is the case, some would argue that the guidance effectively becomes 'mandatory,' at least when it comes to a bank's ability to win a motion for summary judgment," he says.
New FFIEC Guidance: More Liability for Banks?
Avivah Litan, vice president and distinguished analyst at Gartner, says the FFIEC is preparing for more IT security scrutiny. Based on insights gathered during a recent meeting with the FFIEC IT Subcommittee, Litan says expected new guidance could hold banks more accountable for online security and commercial bank account protection. "With these lawsuits, someone's got to do something," she says. "They can't just let the judges figure this out. If you made the banks completely liable for compromises to customer accounts, then they would be motivated to get the problems fixed."
But Doug Johnson, vice president of risk management policy for the American Bankers Association, does not see new guidance playing such a cut-and-dried role. In fact, Johnson, who also attended the FFIEC's recent subcommittee meeting, is hesitant to speculate about guidance at all. "We can expect new guidance, I'm just not sure when," he says. And new guidance, as it relates to the question of "reasonable," might not be so impactful in the courtroom anyway.
"I do think we currently have sources for the courts to look to," Johnson says. "Looking at the Uniform Commercial Code, UCC4A is pretty uniform across the country; but the way it applies and its concept makes it somewhat localized. That's because it's up to the parties to look at what is commercially reasonable, as a matter of protection, from a localized perspective."
Beyond the Regulators and the Courts
How far regulatory bodies, such as the FFIEC, and state-applied codes, such as the Uniform Commercial Code, can go is limited, says Jim Woodhill, an anti-fraud activist supporting small merchants in the ACH battle. At some point, if the industry cannot solve the problem, then Congress has to step in, he says, and that opens even more proverbial worm-filled cans.
"Congress decides when it must act, and then it chooses between alternatives presented to it," Woodhill says. "Right now, the alternatives presented to it are, in effect, do nothing or extend Regulation E to cover more and more accounts, and neither of those things inherently stops this problem, much less stops it quickly."
For 2011, Woodhill says he's made it his mission to end ACH fraud. How? Through new technology and legislation. "Congress [must] understand that they are going to have to force a solution, rather than have the private sector step forward," he says.