In a relatively high profile court case, an appellate court ruled in favor of the defendant (the bank) rather than the plaintiff (the bank’s customer) in a dispute over an account takeover claim. Also, in a rare move, the court reversed a lower court opinion and ruled that the bank may seek attorney’s fees from the plaintiff. In many respects, the decision will be a significant influence not only on future court cases, but also on the security and verification procedures a bank requires for account transfer requests.
Choice Escrow and Land Title, LLC v BancorpSouth Bank
In 2010, BancorpSouth’s customer, Choice Escrow and Land Title, LLC, suffered a loss of $440,000 when a Choice employee fell for a phishing scam, allowing malware to be installed on a company computer. Through the use of the malware, the cybercriminals obtained and used the employee’s user name, password, computer IP address and other information to instruct the bank to transfer funds from Choice’s account to a bank in the Republic of Cyprus. Funds were stolen, and Choice sued the bank.
BancorpSouth made available to Choice the following security procedures to verify the authenticity of transfer requests:
- Verification of the user name, password and IP address of the computer used to initiate the instruction. As stated, the malware installed on Choice’s computer gave the cybercriminals access to this information.
- Placement of a dollar limit on the daily volume of wire transfer activity from a customer’s account(s). Choice declined to place a daily limit on its account.
- A “dual control” feature requiring verification by a second authorized user utilizing a unique and different user ID, password and IP address to allow a pending payment transaction. Choice declined the dual control feature, signing a waiver to that effect.
The court ruled that BancorpSouth’s security procedures were “commercially reasonable” and executed both in good faith and in compliance with Choice’s requests. BancorpSouth was not liable for the amount stolen. On appeal, the Court of Appeals upheld this portion of the lower court’s order, but reversed an order dismissing the bank’s counterclaim for its attorney’s fees, noting that the bank “may seek attorney’s fees.”
What can this potentially mean?
In account takeover suits, banks may prevail, but the courts are upping the ante when considering what constitutes “commercially reasonable security procedures.” Consider the following when setting up accounts:
Establish a security verification process with the account holder. There must be an agreement in place between the bank and its customer specifying what security procedures are to be employed in order to verify the authenticity of payment orders. The bank must follow these set security procedures each and every time it handles one of these transfer requests.
Use of a login ID and password as the sole means of verification of a payment order is not commercially reasonable. In lawsuits, courts are looking for multifactor authentication. We have seen claims where the crooks were able to mimic an IP address. In Choice Escrow and Land Title, LLC v BancorpSouth Bank, a strong factor in the court’s ruling in favor of the bank was that the customer had been offered the dual control and daily limit features and declined them. In other words, if the security procedure offered by the bank had consisted only of a login ID, password and IP address recognition, the decision may have turned out differently. The court specifically referenced expert testimony stating that, beginning in 2009 and 2010, the crooks developed software that could emulate a computer’s IP address, so any security procedure relying solely on a login ID and password along with IP address recognition appears outdated.
Consider other security measures. A bank should employ and offer to customers various validation/approval options for a commercially reasonable security process to be considered in place. While callbacks are valuable, we have seen cases where they are not reliable on their own: a bank employee calls the wrong number, the crooks hack into phone lines and divert calls, or they provide fake callback numbers while pretending to be the account holder. It is becoming more common for banks to implement out-of-band authentication processes to alert a customer of a pending transaction, such as a text message to a predetermined number, an email to a predetermined address or a notification through an authorized cellphone app offered by the bank. The benefits of these alternatives are that (1) an affirmative reply from the customer is required for a transaction to proceed, and (2) the method used to validate the transfer instruction is a different form of communication than the one over which the original instruction was received.
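As an added illustration of how the layered procedures described above combine into a single approve/deny decision (this is example code written for this page, not code from the bank, the court record or the original post), the following Python models a payment-order check that applies, in turn, login/IP recognition, the daily limit, dual control and out-of-band confirmation. The user names, credentials, IP addresses and amounts are constructed for the demo, and the out-of-band control is an assumed addition to the three procedures listed in the case. The point it makes is the one the post makes: a session replaying stolen credentials from an emulated IP passes the first check, and only the procedures the customer declined would have stopped it.

```python
# Added example, not code from the original post or from any party in the case.
# All names, credentials, IPs and amounts below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """What the bank sees on a request: credentials plus the originating IP."""
    username: str
    password: str
    ip: str


@dataclass
class PaymentOrder:
    amount: float
    initiator: Session
    second_approver: Optional[Session] = None   # used only when dual control is on
    oob_reply: Optional[str] = None             # reply received on the out-of-band channel


@dataclass
class AccountProfile:
    """Security procedures the customer agreed to; mirrors the options in the post."""
    enrolled: Dict[str, Tuple[str, str]]        # username -> (password, registered IP)
    daily_limit: Optional[float] = None         # None: customer declined a daily limit
    dual_control: bool = False                  # False: customer waived dual control
    out_of_band: bool = False                   # assumed extra control (text/email/app)
    sent_today: float = 0.0


def _credentials_match(profile: AccountProfile, s: Session) -> bool:
    rec = profile.enrolled.get(s.username)
    return rec is not None and rec == (s.password, s.ip)


def authorize(profile: AccountProfile, order: PaymentOrder) -> Tuple[bool, List[str]]:
    """Apply every agreed procedure in order; return (approved, reasons)."""
    reasons: List[str] = []

    # 1. Login ID, password and IP recognition. A replayed session carrying the
    #    stolen credentials from an IP-emulating machine passes this step, which is
    #    why the post calls it insufficient on its own.
    if not _credentials_match(profile, order.initiator):
        return False, ["initiator credentials or IP do not match enrollment"]
    reasons.append("initiator credentials and IP recognized")

    # 2. Daily wire volume limit.
    if profile.daily_limit is not None and profile.sent_today + order.amount > profile.daily_limit:
        return False, reasons + [f"daily limit {profile.daily_limit:.0f} would be exceeded"]

    # 3. Dual control: a second enrolled user with a different user ID, password
    #    and IP must approve the pending payment.
    if profile.dual_control:
        a = order.second_approver
        if a is None:
            return False, reasons + ["dual control: no second approver"]
        if a.username == order.initiator.username or a.ip == order.initiator.ip:
            return False, reasons + ["dual control: approver must be a different user on a different machine"]
        if not _credentials_match(profile, a):
            return False, reasons + ["dual control: approver credentials or IP do not match"]
        reasons.append("dual control satisfied")

    # 4. Out-of-band confirmation: an affirmative reply on a channel other than the
    #    one that carried the instruction. Silence or any other reply blocks.
    if profile.out_of_band:
        if order.oob_reply != "APPROVE":
            return False, reasons + ["out-of-band: no affirmative reply from customer"]
        reasons.append("out-of-band confirmation received")

    return True, reasons


# Constructed sample data: two enrolled users; the first user's session was captured.
ENROLLED = {"cfo": ("s3cret", "203.0.113.10"), "controller": ("0therPw", "203.0.113.11")}
STOLEN = Session("cfo", "s3cret", "203.0.113.10")   # replayed credentials, emulated IP


def scenario_waived() -> bool:
    """Login/IP check only; limit and dual control declined (the posture in the case)."""
    return authorize(AccountProfile(enrolled=ENROLLED), PaymentOrder(440_000, STOLEN))[0]


def scenario_daily_limit(limit: float) -> bool:
    return authorize(AccountProfile(enrolled=ENROLLED, daily_limit=limit),
                     PaymentOrder(440_000, STOLEN))[0]


def scenario_dual_control(approver: Optional[Session]) -> bool:
    return authorize(AccountProfile(enrolled=ENROLLED, dual_control=True),
                     PaymentOrder(440_000, STOLEN, second_approver=approver))[0]


def scenario_out_of_band(reply: Optional[str]) -> bool:
    return authorize(AccountProfile(enrolled=ENROLLED, out_of_band=True),
                     PaymentOrder(440_000, STOLEN, oob_reply=reply))[0]


if __name__ == "__main__":
    print("credentials + IP only :", scenario_waived())                 # True: fraud proceeds
    print("daily limit 100k      :", scenario_daily_limit(100_000))     # False
    print("dual control, no 2nd  :", scenario_dual_control(None))       # False
    print("dual control, replay  :", scenario_dual_control(STOLEN))     # False
    print("out-of-band, silence  :", scenario_out_of_band(None))        # False
    print("out-of-band, APPROVE  :", scenario_out_of_band("APPROVE"))   # True
```

Each scenario runs the same stolen session against a different agreed profile, so the output reads as a side-by-side of the procedures: the profile that matches the waived configuration approves the $440,000 order, while a daily limit, a dual-control requirement that the replayed session cannot satisfy, or an out-of-band step that never receives an affirmative reply each stops it.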
Any discussion relating to policy language and/or coverage requirements is non-exhaustive and provided for informational purposes only. For details on coverage provided by your specific policy, please refer to your policy.