A federal appeals court ruling in favor of a small business whose bank failed to stop a series of transfers detected by its anti-fraud service opens the door a crack on just how badly a financial institution’s security program can perform before they have to at least share culpability.
The First Court of Appeals in Boston overturned a lower court ruling in favor of Ocean Bank, which had argued successfully that it was not liable for $585,000 stolen from Patco Construction of Maine. Patco is just one of many small businesses, municipal, county governments, school districts etc. that lost thousands of dollars each, victims of Zeus and other banking Trojans.
What can these small businesses do to recoup these losses? So far, pretty much nothing. Their best defense is to not let it happen. The problem is that while the banks will make good on our personal accounts if we are defrauded, your business account is your problem. The concept of “commercially reasonable” security measures generally trumps the small business’ claims. If you accept the bank’s security procedures as reasonable, and the bank follows the procedures, the liability shifts to you.
What happened in this case was that Ocean Bank had authentication and anti-fraud alerting technology in place. And the anti-fraud monitoring worked. But Ocean Bank ignored the warnings and did not alert Patco until it was too late. After six days and six transactions without an alert, Patco notified the bank that the transactions were unauthorized and managed to recover $243,000 of the stolen money.
The appeals court ruled that Ocean’s security procedures were “commercially unreasonable.” It’s not clear what the upshot is. The court didn’t award any money to Patco, basically kicking it back to the lower courts and telling the parties to work something out. But the ruling does give some guidance to lower courts hearing these cases: That the “commercially reasonable” doctrine is not all-encompassing.
The court cited several issues. The bank set the triggering mechanism at $1, assuring that every transaction would trigger challenges, instead of setting high thresholds that would signal suspicious activity. The bank also lacked standard monitoring and notification practices. Basically, they were ignoring the alarms and hitting the snooze button every time they went off.
The court did not cite the fact that the bank did not offer token-based authentication, though perhaps Patco should have taken its business to a bank that did.
That brings us back to the responsibility on the part of the business. If you want to reduce the risk of being the next fraud victim, you need to watch out for yourself.
Start by having a dedicated laptop that you use only for conducted banking. No browsing, no email, no Twitter, no Facebook. Have one or two people responsible for it and lock it away when you are not using it. Chances are Zeus fraudsters will have to look elsewhere.
If security is important — if your business can withstand a $100,000, $500,00 or $1 million hit ignore this — shop for the bank that meets your requirements. Make sure they:
- Offer strong, multifactor authentication
- Have anti-fraud monitoring services in place
- Have standard monitoring and alerting procedures.
- Set customizable thresholds for their customers on the size of permitted transactions. If the largest transaction you typically make is $35,000, a $50,000 transaction should trigger and alert. (Caveat: this can help, but Zeus is a clever intelligence-gathering piece of malware, and can often discover this information and steal your money in below-the-threshold chunks).
- Require the bank to notify you by phone before if it sees suspicious behavior, or maybe even require phone verification for transactions over a certain amount.
Finally, put it all in a contract.