ACH Fraud: Comerica Pays SettlementExperi-Metal Reimbursed; PATCO Case Awaits Hearing
Last month, a U.S. District Court in Michigan ordered Comerica to reimburse Michigan-based Experi-Metal Inc. more than $560,000 for funds EMI lost after Comerica approved fraudulent wire transfers that totaled more than $1.9 million.
When the judgment was handed down, Comerica spokeswoman Kathleen Pitton said the bank believed it had acted in "good faith" and planned to appeal the ruling.
"Comerica's security token technology is commercially reasonable and in compliance with current Federal Financial Institutions Examination Council guidelines," she said. "We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision."
This week, however, Pitton said simply that the matter had been resolved. EMI, meanwhile, confirmed that it received restitution from the bank.
ACH Fraud Debate Heats upThe case between EMI and Comerica was the first ACH-related fraud incident to actually go to trial. But it has not been the last.
Since the EMI-Comerica trial in January, PATCO Construction Inc. and Ocean Bank have faced off in a courtroom over a similar incident of account takeover that in May 2009 resulted in the transfer of more than $500,000 from PATCO's account.
But that ruling did not favor the plaintiff. A U.S. District Court in Maine denied PATCO's motion for a jury trial, saying Ocean Bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials. The order, however, awaits review and approval by the presiding judge. A hearing in the PATCO case has been set for Aug. 3.
David Navetta, an attorney who specializes in IT security and privacy, says the Comerica settlement sheds an interesting light on the PATCO order, given the differing perspectives from the courts about banks' contractual obligations and the definition of multifactor authentication.
"This set of cases, out of all the lawsuits we've seen over the years around credit card fraud and other incidents, were the first to delve into commercially reasonable security," Navetta says.
At this point, it's too early to discern agreement on exactly what is reasonable security, with only two decisions to weigh, Navetta adds. "Both sides are going to be looking at these cases and trying to make their arguments based on what's already been decided."
Foreshadowing: Comerica's SettlementComerica's decision to not appeal the EMI verdict could be telling. "It's always hard to tell what the decision-making process is for a bank or a company in a case like this; but the [FFIEC] supplement does discuss some of the behavioral analytics and fraud detection - issues that are addressed in the EMI case," Navetta says. "The actual breach occurred a couple of years ago, before the supplement was issued. But because there are references to some of the behavioral stuff, it may have impacted their decision to not appeal." [See Full Text of Final Guidance.]
EMI's case against Comerica focused on three themes:
- Approving a wire transfer that was allegedly authorized by EMI's controller, even though the controller was not authorized by EMI to approve or initiate wire transfers;
- Comerica's acceptance of a wire transfer that was not initiated in accordance with industry standards;
- Comerica's lack of adequate fraud-detection and monitoring tools.
In his 27-page bench opinion, U.S. District Judge Patrick J. Duggan found that Comerica should have detected and stopped fraudulent transfers. "There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident," Duggan writes. "A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise."
Other points noted in the ruling: the volume and frequency of the transactions, which the court says Comerica should have picked up on before approving the transfers; EMI's prior wire-transfer activity, which had been limited to a select group of domestic entities; and Comerica's knowledge of phishing attempts aimed at its clients.
As for the PATCO case, if the judge accepts the magistrate's opinion, the ruling could set an interesting legal precedent about the security banks are expected to provide. But Navetta says, "It's a quirky case."
"The court took a fairly literal approach to its analysis and bought the bank's argument that the scheme being used was multifactor, as described in the [FFIEC] guidance. The analysis on what constitutes multifactor and whether some multifactor schemes [out of band; physical token] are better than others was discussed; and, to some degree, the court acknowledged that the bank's security could have been better. Even so, it was technically multifactor, as described in the FFEIC guidance, in the court's opinion, and 'the best' was not necessary."
But the ACH fraud debate over good faith and reasonable security seems to be gaining momentum. On June 27,
California-based Village View Escrow Inc. filed a complaint with the California Superior Court, Los Angeles, against Professional Business Bank, claiming the bank is liable for the $465,000 financial loss Village View suffered after hackers infiltrated its online account. In its complaint, Village View explicitly mentions good faith, reasonable security and the industry standard for multifactor authentication outlined in the FFIEC's online authentication guidance. No trial date has yet been announced. [See New ACH Fraud Suit Filed.]
Choice Escrow, which in November 2010 sued its bank, BankcorpSouth, alleging inadequate security measures, is another case that remains unresolved. Choice and BankcorpSouth are still at legal odds and are expected to go to trial.
And we can't overlook the controversial case between Hillary Machinery and PlainsCapital Bank, which in January 2010 launched the debate over ACH fraud liability. In the Hillary-PlainsCapital case, PlainsCapital actually sued Hillary. The suit was later settled for undisclosed terms.
"The fact that we now have a little more case law, which means more guidance to litigants and defendants, the arguments that are successful are going to be adopted by plaintiffs," Navetta says. "As time goes on, you'll get a body of law and have more guidance from the courts. ... Eventually, you get agreement from the courts on approaches to analyze these reasonable security issues."