So an appellate court has just reversed the PATCO ruling, essentially deciding against the financial institution. They ruled that the Bank’s security procedures were commercially UN-reasonable.
To summarize, a commercial e-banking customer (PATCO Construction) experienced a financial loss due to an account take-over. They sued the bank to recover the loss, claiming the bank used poor security. The original ruling was in favor of the bank. This ruling was in favor of the customer, and has major implications for all financial institutions as they navigate their way through the increasing risk and increased regulatory requirements of Internet banking.
The entire ruling is worth a read, but here are a few of the highlights from my perspective:
- In the end, it wasn’t just a single control failure, but a series of failures on the part of the Bank that led to the ruling. One example is that the Bank lowered the alert trigger for challenge questions from $100,000 to $1, effectively requiring an additional authentication step for every transaction. The Bank undoubtedly felt they were increasing the safety of all transactions by taking this step, but it actually had the opposite effect. By requiring challenge questions for all transactions, they substantially increased the number of chances the criminals had to intercept the correct challenge responses.
- The on-line banking product (NetTeller Premium) and provider (Jack Henry & Associates) offered adequate options for on-line transaction security, but not all options were enabled by the Bank. And…
- …of those security options offered by the Bank, not all were accepted by the customer. And…
- …of those offered and accepted, some were ignored. For example the anomaly detection capabilities worked properly, and automated risk profiling correctly generated abnormally high risk scores for the fraudulent transactions, but no action was taken by the Bank to block them.
- The definition of “commercially reasonable” has evolved from the initial ruling (which favored the Bank) to the most recent one. Both rulings make several references to Article 4A of the UCC (Uniform Commercial Code). The initial ruling stated that because the customer signed the agreement, they implicitly agreed to the security measures, effectively rendering them commercially reasonable. However, the most recent ruling quotes from UCC 4A and states “[t]he standard is not whether the security procedure is the best available. Rather it is whether the procedure is reasonable for the particular customer and the particular bank.” Therefore…
- …a “one-size-fits-all” approach will not work; institutions MUST tailor their controls to the risks of the transaction.
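As an added illustration (not code from the ruling, the Bank, or the NetTeller product), the policy below shows two of the points above in working form: risk scores that actually drive an action (hold) instead of only being logged, and a challenge threshold tailored to the customer’s normal activity. The customer profile, transfers, and scoring weights are constructed sample data; it also counts how many times challenge answers get typed under the $1 floor versus a tailored floor.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Customer:
    name: str
    usual_amounts: list      # historical transfer amounts (constructed)
    known_devices: set
    challenge_floor: float   # tailored: challenge only above this amount

@dataclass
class Transfer:
    amount: float
    device: str
    new_payee: bool

def risk_score(c, t):
    """Anomaly-style score 0..100: size vs. customer baseline, new device, new payee."""
    mu, sd = mean(c.usual_amounts), pstdev(c.usual_amounts) or 1.0
    score = min(60.0, max(0.0, 20.0 * (t.amount - mu) / sd))   # size anomaly
    if t.device not in c.known_devices:
        score += 25
    if t.new_payee:
        score += 15
    return min(100, round(score))

def decide(c, t, hold_at=70):
    """Layered decision: allow / challenge / hold. A high score must produce an action."""
    s = risk_score(c, t)
    if s >= hold_at:
        return ("hold", s)            # block and review; do not merely log the score
    if t.amount > c.challenge_floor or t.device not in c.known_devices:
        return ("challenge", s)       # step-up authentication only where risk warrants it
    return ("allow", s)

def challenge_exposures(c, transfers, floor):
    """Count how often the customer must type challenge answers under a given floor."""
    tailored = Customer(c.name, c.usual_amounts, c.known_devices, floor)
    return sum(1 for t in transfers if decide(tailored, t)[0] == "challenge")

# Constructed sample data: a payroll customer with a stable weekly ACH pattern.
PAYROLL_CUSTOMER = Customer("Payroll Co", [9800, 10100, 9950, 10200, 10050],
                            {"office-pc"}, challenge_floor=25000.0)
ROUTINE = [Transfer(a, "office-pc", False) for a in (9900, 10000, 10050, 10100, 10200, 10300)]
FRAUD = Transfer(50000, "unknown-host", True)   # large, new device, new payee

if __name__ == "__main__":
    for t in ROUTINE + [FRAUD]:
        print(t.amount, decide(PAYROLL_CUSTOMER, t))
    for floor in (1.0, 25000.0):   # the $1 floor from the ruling vs. a tailored floor
        print(f"floor ${floor:,.0f}: {challenge_exposures(PAYROLL_CUSTOMER, ROUTINE + [FRAUD], floor)} challenge exposures")
```

With the $1 floor every routine payroll run becomes a challenge-response exposure, while the tailored floor challenges none of them and the fraudulent transfer is held either way.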
But here is the most significant take-away for me, and the one with the biggest implication for financial institutions. The judge ruled that based on the UCC 4A official comments on Section (1)(b), if and when the security procedures are deemed commercially reasonable, the burden then shifts to the customer…
“…to supervise its employees to assure compliance with the security procedure and to safeguard confidential security information and access to transmitting facilities so that the security procedure cannot be breached.”
So, all you have to do is risk-assess the customer and transactions and employ layered security suitable to the risk, and then the legal and financial liability shifts to the customer, right? Maybe not. According to the FFIEC Internet Authentication update, one of the controls an institution may include (translated from ‘FFIEC-speak’ as SHOULD include) in its layered security program is a “Customer Awareness and Education” program. This means you are still on the hook unless you can document that you also maintain a customer awareness program AND that your customers are actually being trained. (As I mentioned here, you may also want to add a summary of your customer awareness program to your annual report to the Board of Directors.)
I’m certain we’ll see more lawsuits on this matter and future rulings may go either way, but the risk is real and immediate so don’t wait for the courts to sort things out. Here is what you need to do:
- Complete the risk assessment if you haven’t already. Define high-risk transactions, and identify high-risk customers.
- Implement a layered security program. Make sure you know and understand all of the controls available from your e-banking product vendor. Vendors are adding controls all the time to address the evolving threat environment.
- Make sure your customers know and understand all of the controls you’ve made available to them. If they resist or refuse a particular control that you’ve recommended, have them sign off that they understand and accept the increased risk.
- Educate your customers, initially and periodically throughout the relationship, and regardless of whether they resist. Regardless of the quantity and sophistication of your technical controls, the customer is, and will always remain, the weakest link in the security chain.