As I write this, the only case to go to trial of a Bank suing the Merchant over account takeover losses is awaiting the jury’s decision. The result may redefine the liability, and by definition the roles and responsibilities, of both the financial institution and the merchant when it comes to securing electronic transactions. It may also finally determine what is considered “commercially reasonable” security, or (I hope) even toss out the use of this murky term altogether. I believe there is a perfect storm brewing over this issue, with several factors converging simultaneously to produce my final compliance trend for 2011:
Corporate Account Security (merchant capture, remote ACH and remote wire transfer).
Here are all the converging elements and their implications:
- The aforementioned lawsuit between EMI and Comerica – The trial just ended on 1/26, and the case is now in the hands of the jury. We’ll see how this plays out, but it will have implications either way, particularly if (as I suspect) the merchant prevails.
- The upcoming FFIEC update to authentication guidance – We are expecting final guidance on this from the FFIEC any day, but whatever the final requirements, increased scrutiny of authentication mechanisms will be the result. New guidance always results in increased regulator focus, even if it is only an update to existing guidance. Additionally, I suspect that the update won’t go far enough to address preventive measures.
- The tendency for affected institutions to under-report incidents – Because of the potential for reputation risk, financial institutions are reluctant to report account takeover incidents. That is the primary reason most institutions choose to settle with customers rather than take the case to court (only two cases have been brought to court so far). In the meantime, we know that online crime complaints have increased substantially each year since 2005, resulting in losses of hundreds of millions of dollars.
- A fundamental misunderstanding by both merchants and financial institutions of their respective responsibilities – BankInfoSecurity.com recently interviewed a bank CEO affected by an account takeover incident. In the interview, he reveals that he believes that remote transactions should carry a lower degree of perceived protection than transactions carried out inside the Bank’s security perimeter. He also expected the third-party vendor that provided the remote ACH software to have done more to keep the bank secure. In the meantime, merchants expect the transactions they initiate remotely to be just as secure as those initiated inside the physical confines of the bank.
Here is how this trend differs from the others: regardless of whether or not regulators increase their focus on this issue in 2011, I believe institutions absolutely must. The guidance is behind the curve on this issue, and institutions simply have too much to lose. It is clear that the minimum requirement is not sufficient; you must go further. Implement additional preventive controls on the merchant side, and educate everyone on basic security best practices.