
Cybercrime Poses New Risks in Commercial Banking

By Richard Raysman and Peter Brown
April 29, 2010

A recent report calculated that small and medium-sized businesses and local government institutions are losing, on average, $100,000 to $200,000 per day to cybercriminals who perpetrate fraudulent electronic funds transfers. Typically, thieves send targeted phishing e-mails that trick users into disclosing banking log-in information or installing password-stealing malware that records their keystrokes and online banking credentials.

Armed with this sensitive data, thieves then seek to initiate unauthorized money transfers through the wire system and the Automated Clearing House (“ACH”) (www.fms.treas.gov/ach/index.html) network. The stolen funds are often transferred to foreign accounts located in Eastern Europe or to “money mules,” individuals recruited via “work from home” ads and directed to open bank accounts to receive the funds and later forward them to the cyberthieves.

Wire Transfers

This article discusses the handling of electronic fund transfers under the Uniform Commercial Code (“UCC”), online banking customer authentication methods, and recent litigation between banks and small and medium-sized businesses that were victims of cybertheft.

Wire transfers are widely used by both financial and non-financial organizations for making large-value payments. In one simple form, remittance corporations such as Western Union wire money to another party, while the most complex and largest wire transfer systems, in terms of U.S. dollars moved, involve the Clearing House Interbank Payments System (“CHIPS”), the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) and Fedwire. (CHIPS is a privately owned U.S. wire transfer system used primarily for processing cross-border U.S. dollar transfers. SWIFT is the principal international system for wire transfer message traffic that initiates funds transfers and provides services to securities brokers and dealers and clearing institutions. Fedwire, operated by the Federal Reserve, is the primary U.S. domestic wire transfer system, which connects Federal Reserve banks with thousands of domestic banks.)

The ACH network is a less costly nationwide mechanism that processes batches of high-volume, low-value credit and debit transfers among financial institutions, typically on behalf of customers. Rather than sending each payment separately, ACH transactions are accumulated and sorted by destination for transmission during a predetermined period, thereby providing faster processing than paper checks.

If the originating institution sends funds, it is called a credit transaction (e.g., payroll direct deposits, Social Security payments, corporate payments to contractors or vendors); if the originating institution requests funds, it is considered a debit transaction (e.g., monthly collection of insurance premiums, mortgage payments, or consumer bill payments).

Unauthorized Transactions

During funds transfers, fraud controls at both the sending and receiving banks seek to authenticate payment orders to ensure the actual customer, as opposed to a thief, authorized the transfer. The law provides differing protections to consumers and business account holders for losses caused by unauthorized transfers. For example, Regulation E, which implements the Electronic Funds Transfer Act (“EFTA”) (www.fdic.gov/regulations/laws/rules/6500-3100.html), greatly limits the losses for unauthorized transfers from consumer accounts used primarily for personal or household purposes; however, such statutory protections do not apply to business accounts.

The UCC Article 4A governs commercial transfers and sets out detailed rules that assign responsibility, allocate risks and establish limits on liability regarding which entity, the bank or the commercial account holder, bears the loss for a fraudulent or erroneous funds transfer.

Who Pays?

Generally speaking, UCC §§ 4A-201 through 4A-204 provide a detailed scheme for analyzing the rights, duties and liabilities of banks and their customers in connection with the authorization and verification of payment orders. For example, under § 4A-202(b), once a bank and its customer have agreed on a security procedure for the authenticity of payment orders, an order will be deemed effective, whether or not authorized, if: 1) the bank's security procedure is commercially reasonable; and 2) the bank establishes that it accepted the order in good faith and was in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of orders issued in the name of the customer. In short, a payment order accepted in good faith pursuant to a commercially reasonable security procedure is effective as the order of the customer, even if it was actually unauthorized. See Regatos v. North Fork Bank, 257 F. Supp. 2d 632, 642 (S.D.N.Y. 2003). But see Iwuji v. North Fork Bank, 2007 NY Slip Op 32404 (N.Y. Sup. Ct. Suffolk Cty. May 17, 2007) (“The [c]ourt finds that as a matter of law, the security measures were not commercially reasonable given the totality of the circumstances surrounding the fraudulent transfers and attempted transfers from Plaintiff's account.”).

Under § 4A-203, the customer may reallocate the loss from “interloper fraud” to the bank. The customer must prove the payment order was not caused by a person: 1) entrusted to act for the customer with respect to payment orders or the security procedure; 2) who used transmitting facilities of the customer; or 3) who obtained from the customer's transmitting facilities information that facilitated a breach of the security procedure, regardless of how the information was obtained or whether the customer was at fault. In the end, a customer with careful record keeping and adequate internal checks over its staff and systems could potentially shift the loss from an unauthorized transfer back to the bank.

Online Banking Security

Financial institutions strive to employ reliable methods to prevent account fraud and identity theft that are commensurate with the risks associated with online banking services. There are a variety of technologies and methodologies to authenticate online banking customers, including, among others, user names and passwords, personal identification numbers, digital certificates, security “tokens” that produce one-time passwords and biometric identification.

Existing authentication methodologies involve three basic “factors”:

  1. Something the user knows (e.g., password, PIN);
  2. Something in the user's possession (e.g., ATM card, one-time password security tokens); and
  3. Something the user is (e.g., biometric characteristics).

While no security protection is foolproof, authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. But see Thomas Claburn, “Strong Authentication Not Strong Enough,” InformationWeek (Dec. 14, 2009). For example, a logon ID/password is single-factor authentication (i.e., something the user knows), whereas an ATM transaction requires multifactor authentication (i.e., the card plus the PIN: something the user possesses and something the user knows).

In the wire transfer arena, two-factor authentication may also include “out-of-band” controls, which are techniques allowing the verification of a customer's identity to be performed offline, such as verification via fax, phone or text message. There are also so-called “password hardening” techniques such as software that learns a user's keystroke dynamics or allows users to enter sign-in credentials on the screen with mouse clicks, thereby bypassing the threat caused by keylogging malware used by thieves.

Ultimately, according to the Federal Financial Institutions Examination Council (“FFIEC”) online banking guidelines, financial institutions should assess the adequacy of their authentication techniques in light of emerging risks such as phishing, pharming, malware, and the changing tactics of sophisticated hackers. (Pharming seeks to obtain sensitive personal information by directing users to spoofed, or fraudulent Web sites that mimic legitimate banking sites, where their information is captured, usually from a fill-in form requesting log-in credentials. See generally, Federal Financial Institutions Examination Council (“FFIEC”), “Authentication in an Internet Banking Environment” (www.ffiec.gov/pdf/authentication_guidance.pdf). FFIEC is an interagency body that advises a number of federal agencies on appropriate standards for the regulation of financial institutions. See also, FDIC Special Alert SA-185-2009, “Fraudulent Work-at-Home Funds Transfer Agent Schemes” (Oct. 29, 2009; available at www.fdic.gov/news/news/specialalert/2009/sa09185.html).)

The raft of online banking theft against the commercial accounts of small businesses has resulted in litigation, with the victims seeking redress from the banks that claim they have complied with the security obligations under UCC Article 4A or otherwise had in place commercially reasonable online banking security methods. (See Internet Crime Complaint Center (IC3), “Compromise of User's Online Banking Credentials Targets Commercial Bank Accounts” (Nov. 3, 2009, www.ic3.gov/media/2009/091103-1.aspx); “Cyberattackers Empty Business Accounts in Minutes,” Network World (Aug. 9, 2009).)

Beyond allocating loss in those particular cases, the end result may be that the courts may delineate what are commercially reasonable security measures in the era of Internet banking.

Recent Litigation

In Shames-Yeakel v. Citizens Financial Bank, 2009 WL 2949500 (N.D. Ill. Aug. 21, 2009), the plaintiffs were victims of theft when a hacker gained access to and transferred $26,500 from the plaintiffs' online home equity credit line account, an account that was not protected by the EFTA. When the plaintiffs refused to pay for the loss, the bank reported their account as delinquent to the national credit bureaus and threatened foreclosure. In response, the plaintiffs brought suit, alleging violations of federal banking laws as well as negligence.

Principally, the plaintiffs argued that the bank's use of single-factor authentication, that is, account access via a user ID and password, lagged behind industry standards and provided inadequate security to protect the plaintiffs' account at the time of the theft. The plaintiffs claimed the bank should have used multi-factor authentication, such as a security “token” that generates ever-changing pass codes.

To support their contention, the plaintiffs cited the 2005 FFIEC Internet banking guidelines regarding the use of single-factor authentication: “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

The court denied, in part, the bank's motion for summary judgment and allowed the plaintiff's negligence claim to go forward. The court stated that a bank's common law duty not to disclose customer information would also involve employing sufficient security measures to protect their customers' online accounts from fraudulent access.

The court held that in light of the bank's apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect the plaintiffs' account against fraudulent access and that such insufficient security caused the plaintiffs' economic loss. The parties have since settled the matter.

In another suit, unknown third parties used the user ID and password of one of the plaintiff's employees to initiate unauthorized ACH transfers from an outside IP address to numerous individual accounts, resulting in a loss of over $345,000. See, Patco Construction Co. Inc. v. People's United Bank, No. 09-00503 (D.Me. Complaint filed Jan. 19, 2010).

The plaintiff, among other claims, alleged that the bank breached its duty to safeguard its accounts by failing to employ proper security procedures to prevent the fraudulent transfer of funds, including a failure to offer options for fax or callback authentication to verify certain large transfers, the ability to block certain orders originating from unapproved foreign IP addresses, or any other form of multifactor authentication that purportedly would have provided an additional layer of security. (See also Bullitt County Fiscal Court v. First Federal Savings Bank of Elizabethtown Inc. (Ky. Cir. Ct., Bullitt County, Complaint filed Aug. 5, 2009) (county seeking to recover over $415,000 stolen by cyberthieves via unauthorized ACH transactions to out-of-state accounts). But see Experi-Metal Inc. v. Comerica Inc., No. 09-14890 (E.D. Mich. Complaint filed Dec. 17, 2009) (a business was victimized by multiple unauthorized transfers to foreign and domestic accounts totaling $560,000, despite the bank having instituted multifactor authentication, i.e., the plaintiff was using a security token that emitted one-time passwords). The unauthorized access allegedly resulted from the customer falling prey to a phishing e-mail that appeared to be from the bank. The customer was then tricked into typing in its banking credentials, and the thieves gained access to its accounts to make the unauthorized electronic transfers. It remains to be seen what, if any, is a bank's legal duty to prevent phishing attacks and whether a customer who falls prey to such an attack would be deemed contributorily negligent for any resulting losses.)

In Patco, the plaintiff also claimed the defendant was not entitled to the safe harbor under UCC § 4A-202 because its security procedures in place to prevent unauthorized payment orders at the time of the theft were not commercially reasonable.

In response, the bank filed counterclaims alleging, among other things, that under the terms of the plaintiff's eBanking and ACH Agreements, the plaintiff agreed to assume all liability and responsibility to monitor its commercial checking account on a daily basis. The bank contended the theft arose from the plaintiff's breach of its obligations under the agreements and that the bank was entitled to reimbursement of its costs and fees in defending the action, among other things.

In a departure from other lawsuits, a Texas bank filed a declaratory judgment action against one of its customers that was a victim of wire theft, seeking a ruling that validated its online banking security practices. See, PlainsCapital Bank v. Hillary Machinery Inc., No. 09-00653 (E.D. Tex., Complaint filed Dec. 31, 2009).

After cyberthieves stole over $200,000 from one of the bank's customers via unauthorized wire transfer orders, the customer sent a letter to the bank seeking recovery of the lost monies, contending the loss was due to the bank's failure to employ commercially reasonable security measures.

In response, the bank brought a declaratory judgment action seeking a determination that its online banking security procedures were commercially reasonable and that it was entitled to enforce the wire transfer orders it received concerning the customer's account. Citing the FFIEC banking authentication guidelines, the customer-defendant filed counterclaims asserting negligence and breach of contract claims, among others.

The customer claimed the bank's single-factor authentication procedures for online transactions were below industry standards and that the bank should have detected the unauthorized transactions because of several “red flags,” including the irregular amounts of the transfer requests and the fact that they originated from a foreign IP address.

Conclusion

Given the rise of cybercrime directed at the accounts of small to medium-sized businesses, it would be prudent for such businesses to re-examine their security practices.

As an initial matter, the American Bankers Association (www.aba.com/default.htm) recommends that businesses set aside a dedicated computer for online financial transactions that is not used for e-mail, Web browsing, or any other non-financial online activities that could expose a machine to malware.

In addition, the group advises that businesses perform ACH or wire transfers under dual control: one employee initiates the transaction, another approves it. Customers might also inquire with their banks about whether the bank employs multifactor authentication techniques or offers other fraud-detection systems for business customers.

Under UCC Article 4A, customers and banks may negotiate written agreements containing instructions restricting acceptance of payment orders issued in the name of the customer. Such additional measures might include out-of-band security measures to verify certain wire transfers, as well as limits on the amount of transfer requests and the days transactions may occur, and a prohibition on transfer requests originating from foreign or unknown IP addresses.

Depending on a customer's business needs and a bank's available security procedures, such protections may not be feasible, may be impractical from a cost standpoint, or may be an imperfect match with the customer's operating realities. In the end, customers should scrutinize their daily banking transactions to detect suspicious activity as quickly as possible so their counsel and financial institution can work together to recover outgoing and completed transfers and mitigate any potential losses.
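The dual-control, out-of-band, amount, day-of-week and IP-origin restrictions described in this Conclusion, and the “red flags” cited in the PlainsCapital dispute, can be expressed as a screening step that a bank or a customer's treasury system runs before a payment order is released. The following is an added illustration, not code from the article or from any bank named in it; the agreement values, account and IP addresses, and employee names are constructed.

```python
"""
Screen an outgoing ACH/wire payment order against the restrictions a customer
and bank might put in a written agreement under UCC Article 4A.

Added example (not from the article): the policy values below are assumptions,
chosen to show each check firing. 203.0.113.0/24 and 198.51.100.0/24 are
documentation-only address ranges, used here as a constructed "approved office
network" and a constructed "unknown network".
"""
from dataclasses import dataclass, field
from datetime import datetime
from decimal import Decimal
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Agreement:
    """Restrictions the customer and bank agreed to in writing (constructed)."""
    max_amount: Decimal            # per-order ceiling
    oob_threshold: Decimal         # above this, require fax/callback/text confirmation
    allowed_weekdays: frozenset    # 0 = Monday ... 6 = Sunday
    approved_networks: list        # customer's known egress ranges
    require_dual_control: bool = True


@dataclass
class PaymentOrder:
    order_id: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str]
    source_ip: str
    submitted_at: datetime
    oob_confirmed: bool = False    # set by the bank after out-of-band verification


@dataclass
class Decision:
    accept: bool
    reasons: List[str] = field(default_factory=list)


def screen_order(order: PaymentOrder, agreement: Agreement) -> Decision:
    """Return a Decision; every failed restriction is a reason to hold the order."""
    reasons = []

    # Dual control: a second, different employee must approve the order.
    if agreement.require_dual_control:
        if order.approved_by is None:
            reasons.append("dual control: no second approver")
        elif order.approved_by == order.initiated_by:
            reasons.append("dual control: initiator and approver are the same user")

    # Per-order amount ceiling from the written agreement.
    if order.amount > agreement.max_amount:
        reasons.append(f"amount {order.amount} exceeds agreed limit {agreement.max_amount}")

    # Large transfers need out-of-band confirmation before release.
    if order.amount > agreement.oob_threshold and not order.oob_confirmed:
        reasons.append(f"amount {order.amount} above {agreement.oob_threshold} "
                       "without out-of-band confirmation")

    # Permitted transaction days.
    if order.submitted_at.weekday() not in agreement.allowed_weekdays:
        reasons.append(f"submitted on non-permitted weekday {order.submitted_at.weekday()}")

    # Origin restriction: reject orders from foreign or unknown addresses.
    try:
        src = ip_address(order.source_ip)
        if not any(src in net for net in agreement.approved_networks):
            reasons.append(f"source address {order.source_ip} not in approved networks")
    except ValueError:
        reasons.append(f"unparseable source address {order.source_ip!r}")

    return Decision(accept=not reasons, reasons=reasons)


# Constructed sample agreement and orders.
SAMPLE_AGREEMENT = Agreement(
    max_amount=Decimal("50000"),
    oob_threshold=Decimal("10000"),
    allowed_weekdays=frozenset({0, 1, 2, 3, 4}),           # business days only
    approved_networks=[ip_network("203.0.113.0/24")],       # constructed office range
)

# A routine payroll-sized order, approved by a second employee, from the office, on a Tuesday.
GOOD_ORDER = PaymentOrder("ord-1", Decimal("4500"), "alice", "bob",
                          "203.0.113.10", datetime(2010, 4, 27, 10, 15))

# Self-approved, large, unconfirmed, submitted early Sunday from an unknown network.
SUSPECT_ORDER = PaymentOrder("ord-2", Decimal("24800"), "alice", "alice",
                             "198.51.100.7", datetime(2010, 4, 25, 3, 40))

if __name__ == "__main__":
    for o in (GOOD_ORDER, SUSPECT_ORDER):
        d = screen_order(o, SAMPLE_AGREEMENT)
        print(o.order_id, "ACCEPT" if d.accept else "HOLD", d.reasons)
```

Holding an order is not a refusal: it is the point at which the bank performs the callback or fax confirmation the agreement calls for, while the customer's daily review catches anything that was released.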


Richard Raysman, a Partner at Holland & Knight, and Peter Brown, a Partner at Baker & Hostetler and a member of this newsletter's Board of Editors, are co-authors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press) (available at www.lawcatalog.com/product_detail.cfm?productID=1082).

A recent report calculated that small and medium-sized businesses and local government institutions are losing, on average, $100,000 to $200,000 per day to cybercriminals who perpetrate fraudulent electronic funds transfers. Typically, thieves send targeted phishing e-mails that trick users into disclosing banking log-in information or installing password-stealing malware that records their keystrokes and online banking credentials.

Armed with this sensitive data, thieves then seek to initiate unauthorized money transfers through the wire system and Automated Clearing House (“ACH”) (www.fms.treas.gov/ach/index.html) network. The stolen funds are often transferred to foreign accounts located in Eastern Europe or to “money mules” ' individuals recruited via “work from home” ads and directed to open bank accounts to receive and later transfer to the cyberthieves.

Wire Transfers

This article discusses the handling of electronic fund transfers under the Uniform Commercial Code (“UCC”), online banking customer authentication methods, and recent litigation between banks and small and medium-sized businesses that were victims of cybertheft.

Wire transfers are widely used by both financial and non-financial organizations for making large-value payments. In one simple form, remittance corporations such as Western Union wire money to another party, while the most complex and largest wire transfer systems, in terms of U.S. dollars moved, involve the Clearing House Interbank Payments System (“CHIPS”), the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) and Fedwire. (CHIPS is a privately owned U.S. wire transfer system used primarily for processing cross-border U.S. dollar transfers. SWIFT is the principal international system for wire transfer message traffic that initiates funds transfers and provides services to securities brokers and dealers and clearing institutions. Fedwire, operated by the Federal Reserve, is the primary U.S. domestic wire transfer system, which connects Federal Reserve banks with thousands of domestic banks.).

The ACH network is a less costly nationwide mechanism that processes batches of high-volume, low-value credit and debit transfers among financial institutions, typically on behalf of customers. Rather than sending each payment separately, ACH transactions are accumulated and sorted by destination for transmission during a predetermined period, thereby providing faster processing than paper checks.

If the originating institution sends funds, it is called a credit transaction (e.g., payroll direct deposits, Social Security payments, corporate payments to contractors or vendors); if the originating institution requests funds, it is considered a debit transaction (e.g., monthly collection of insurance premiums, mortgage payments, or consumer bill payments).

Unauthorized Transactions

During funds transfers, fraud controls at both the sending and receiving banks seek to authenticate payment orders to ensure the actual customer, as opposed to a thief, authorized the transfer. The law provides differing protections to consumers and business account holders for losses caused by unauthorized transfers. For example, Regulation E, which implements the Electronic Funds Transfer Act (“EFTA”) (www.fdic.gov/regulations/laws/rules/6500-3100.html), greatly limits the losses for unauthorized transfers from consumer accounts used primarily for personal or household purposes; however, such statutory protections do not apply to business accounts.

The UCC Article 4A governs commercial transfers and sets out detailed rules that assign responsibility, allocate risks and establish limits on liability regarding which entity ' the bank or the commercial account holder ' bears the loss for a fraudulent or erroneous funds transfer.

Who Pays?

Generally speaking, UCC ”4A-201-204 provide a detailed scheme for analyzing the rights, duties and liabilities of banks and their customers in connection with the authorization and verification of payment orders. For example, under '4A-202(b), once a bank and its customer have agreed on a security procedure for the authenticity of payment orders, an order will be deemed effective, whether or not authorized, if: 1) the bank's security procedure is commercially reasonable; and 2) the bank establishes that it accepted the order in good faith and was in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of orders issued in the name of the customer. In short, a payment order accepted in good faith pursuant to a commercially reasonable security procedure is effective as the order of the customer, even if it was actually unauthorized. See , Regatos v. North Fork Bank , 257 F. Supp.2d 632, 642 (S.D.N.Y. 2003). But see , Iwuji v. North Fork Bank , 2007 NY Slip Op 32404 (N.Y. Sup. Ct. Suffolk Cty. May 17, 2007) (“The [c]ourt finds that as a matter of law, the security measures were not commercially reasonable given the totality of the circumstances surrounding the fraudulent transfers and attempted transfers from Plaintiff's account.”).

Under '4A-203, the customer may reallocate the loss from “interloper fraud” to the bank. The customer must prove the payment order was not caused by a person: 1) entrusted to act for the customer with respect to payment orders or the security procedure; 2) who used transmitting facilities of the customer; or 3) who obtained from the customer's transmitting facilities information that facilitated a breach of the security procedure, regardless of how the information was obtained or whether the customer was at fault. In the end, a customer with careful record keeping and adequate internal checks over its staff and systems could potentially shift the loss from an unauthorized transfer back to the bank.

Online Banking Security

Financial institutions strive to employ reliable methods to prevent account fraud and identity theft that are commensurate with the risks associated with online banking services. There are a variety of technologies and methodologies to authenticate online banking customers, including, among others, user names and passwords, personal identification numbers, digital certificates, security “tokens” that produce one-time passwords and biometric identification.

Existing authentication methodologies involve three basic “factors”:

  1. Something the user knows ( e.g., password, PIN);
  2. Something in the user's possession ( e.g., ATM card, one-time password security tokens); and
  3. Something the user has ( e.g., biometric characteristics).

While no security protection is foolproof, authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. But see, Thomas Claburn, “Strong Authentication Not Strong Enough,” InformationWeek (Dec. 14, 2009). For example, a logon ID/password is single-factor authentication (i.e., something the user knows), whereas, an ATM transaction requires multifactor authentication (i.e., the card plus the PIN, something the user possesses and something the user knows).

In the wire transfer arena, two-factor authentication may also include “out-of-band” controls, which are techniques allowing the verification of a customer's identity to be performed offline, such as verification via fax, phone or text message. There are also so-called “password hardening” techniques such as software that learns a user's keystroke dynamics or allows users to enter sign-in credentials on the screen with mouse clicks, thereby bypassing the threat caused by keylogging malware used by thieves.

Ultimately, according to the Federal Financial Institutions Examination Council (“FFIEC”) online banking guidelines, financial institutions should assess the adequacy of their authentication techniques in light of emerging risks such as phishing, pharming, malware, and the changing tactics of sophisticated hackers. (Pharming seeks to obtain sensitive personal information by directing users to spoofed, or fraudulent Web sites that mimic legitimate banking sites, where their information is captured, usually from a fill-in form requesting log-in credentials. See generally, Federal Financial Institutions Examination Council (“FFIEC”), “Authentication in an Internet Banking Environment” (www.ffiec.gov/pdf/authentication_guidance.pdf). FFIEC is an interagency body that advises a number of federal agencies on appropriate standards for the regulation of financial institutions. See also, FDIC Special Alert SA-185-2009, “Fraudulent Work-at-Home Funds Transfer Agent Schemes” (Oct. 29, 2009; available at www.fdic.gov/news/news/specialalert/2009/sa09185.html).)

The raft of online banking theft against the commercial accounts of small businesses has resulted in litigation, with the victims seeking redress from the banks that claim they have complied with the security obligations under UCC Article 4A or otherwise had in place commercially reasonable online banking security methods. (See, Internet Crime Complaint Center (IC3), “Compromise of User's Online Banking Credentials Targets Commercial Bank Accounts” (Nov. 3, 2009, www.ic3.gov/media/2009/091103-1.aspx); “Cyberattackers Empty Business Accounts in Minutes,” Network World (Aug. 9, 2009).

Beyond allocating loss in those particular cases, the end result may be that the courts may delineate what are commercially reasonable security measures in the era of Internet banking.

Recent Litigation

In Shames-Yeakel v. Citizens Financial Bank, 2009 WL 2949500 (N.D. Ill. Aug. 21, 2009), the plaintiffs were victims of theft when a hacker gained access to and transferred $26,500 from the plaintiffs' online home equity credit line account, an account that was not protected by the EFTA. When the plaintiffs refused to pay for the loss, the bank reported their account as delinquent to the national credit bureaus and threatened foreclosure. In response, the plaintiffs brought suit, alleging violations of federal banking laws as well as negligence.

Principally, the plaintiffs argued that the bank's use of single-factor authentication, that is, account access via a user ID and password, lagged behind industry standards and provided inadequate security to protect the plaintiffs' account at the time of the theft. The plaintiffs claimed the bank should have used multi-factor authentication, such as a security “token” that generates ever-changing pass codes.

To support their contention, the plaintiffs cited the 2005 FFIEC Internet banking guidelines regarding the use of single-factor authentication: “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

The court denied, in part, the bank's motion for summary judgment and allowed the plaintiff's negligence claim to go forward. The court stated that a bank's common law duty not to disclose customer information would also involve employing sufficient security measures to protect their customers' online accounts from fraudulent access.

The court held that in light of the bank's apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect the plaintiffs' account against fraudulent access and that such insufficient security caused the plaintiffs' economic loss. The parties have since settled the matter.

In another suit, unknown third parties used the user ID and password of one of the plaintiff's employees to initiate unauthorized ACH transfers from an outside IP address to numerous individual accounts, resulting in a loss of over $345,000. See, Patco Construction Co. Inc. v. People's United Bank, No. 09-00503 (D.Me. Complaint filed Jan. 19, 2010).

The plaintiff, among other claims, alleged that the bank breached its duty to safeguard its accounts by failing to employ proper security procedures to prevent the fraudulent transfer of funds, including a failure to offer options for fax or callback authentication to verify certain large transfers, the ability to block certain orders originating from unapproved foreign IP addresses, or any other form of multifactor authentication that purportedly would have provided an additional layer of security. (See also, Bullitt County Fiscal Court v. First Federal Savings Bank of Elizabethtown Inc. (Ky. Cir. Ct., Bullitt County Complaint, filed Aug. 5, 2009) (county seeking to recover over $415,000 stolen by cyberthieves via unauthorized ACH transactions to out-of-state accounts). But see, Experi-Metal Inc. v. Comerica Inc., No. 09-14890 (E.D. Mich. Complaint filed Dec. 17, 2009). (A business was victimized by multiple unauthorized transfers to foreign and domestic accounts totaling $560,000, despite the bank having instituted multifactor authentication (i.e., the plaintiff was using a security token that emitted one-time passwords). Apparently, the unauthorized access allegedly resulted from the customer falling prey to a phishing e-mail that appeared to be from the bank. The customer was then tricked into typing in its banking credentials and the thieves gained access to its accounts to make the unauthorized electronic transfers. It remains to be seen what, if any, is a bank's legal duty to prevent phishing attacks and whether a customer who falls prey to such an attack would be deemed contributorily negligent for any resulting losses.)

In Patco, the plaintiff also claimed the defendant was not entitled to the safe harbor under UCC '4A-202 because its security procedures in place to prevent unauthorized payment orders at the time of the theft were not commercially reasonable.

In response, the bank filed counterclaims alleging, among other things, that under the terms of the plaintiff's eBanking and ACH Agreements, the plaintiff agreed to assume all liability and responsibility to monitor its commercial checking account on a daily basis. The bank contended the theft arose from the plaintiff's breach of its obligations under the agreements and that the bank was entitled to reimbursement of its costs and fees in defending the action, among other things.

In a departure from other lawsuits, a Texas bank filed a declaratory judgment action against one of its customers that was a victim of wire theft, seeking a ruling that validated its online banking security practices. See, PlainsCapital Bank v. Hillary Machinery Inc., No. 09-00653 (E.D. Tex., Complaint filed Dec. 31, 2009).

After cyberthieves stole over $200,000 from one of the bank's customers via unauthorized wire transfer orders, the customer sent a letter to the bank seeking recovery of the lost monies, contending the loss was due to the bank's failure to employ commercially reasonable security measures.

In response, the bank brought a declaratory judgment action seeking a determination that its online banking security procedures were commercially reasonable and that it was entitled to enforce the wire transfer orders it received concerning the customer's account. Citing the FFIEC banking authentication guidelines, the customer-defendant filed counterclaims asserting negligence and breach of contract claims, among others.

The customer claimed the bank's single-factor authentication procedures for online transactions were below industry standards and that the bank should have detected the unauthorized transactions because of several “red flags,” including the irregular amounts of the transfer requests and the fact that they originated from a foreign IP address.

Conclusion

Given the rise of cybercrime directed at the accounts of small to medium-sized businesses, it would be prudent for such businesses to re-examine their security practices.

As an initial matter, the American Bankers Association (www.aba.com/default.htm) recommends that businesses set aside a dedicated computer for online financial transactions that is not used for e-mail, Web browsing, or any other non-financial online activities that could expose a machine to malware.

In addition, the group advises that businesses perform ACH or wire transfers under dual control: one employee initiates the transaction, another approves it. Customers might also inquire with their banks about whether the bank employs multifactor authentication techniques or offers other fraud-detection systems for business customers.

Under UCC Article 4A, customers and banks may negotiate written agreements containing instructions restricting acceptance of payment orders issued in the name of the customer. Such additional measures might include out-of-band security measures to verify certain wire transfers, as well as limits on the amount of transfer requests and the days transactions may occur, and a prohibition on transfer requests originating from foreign or unknown IP addresses.
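As an added illustration (not from the article or from any bank's system), the restrictions just described, together with the dual-control practice and the "red flags" raised in the Hillary Machinery counterclaims (irregular amounts, foreign IP origin), can be expressed as a screening policy applied to each incoming payment order before it is accepted. The dollar limits, approved network range, employee names and sample orders are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Customer-negotiated acceptance rules (hypothetical values, constructed for this example).
POLICY = {
    "per_order_limit_cents": 50_000_00,                 # $50,000 cap per payment order
    "allowed_weekdays": {0, 1, 2, 3, 4},                # Monday..Friday only
    "approved_networks": [ip_network("203.0.113.0/24")],  # customer's office range (TEST-NET-3)
    "dual_control_threshold_cents": 10_000_00,          # second approver required above $10,000
}

@dataclass(frozen=True)
class PaymentOrder:
    order_id: str
    amount_cents: int
    submitted_on: date
    source_ip: str
    initiated_by: str
    approved_by: Optional[str]  # second employee who approved, or None

def screen_order(order: PaymentOrder, policy=POLICY) -> List[str]:
    """Return the policy violations ("red flags") for one order; an empty list means accept."""
    flags = []
    if order.amount_cents > policy["per_order_limit_cents"]:
        flags.append("amount exceeds per-order limit")
    if order.submitted_on.weekday() not in policy["allowed_weekdays"]:
        flags.append("submitted outside agreed transaction days")
    if not any(ip_address(order.source_ip) in net for net in policy["approved_networks"]):
        flags.append("origin IP not in approved range")
    needs_dual = order.amount_cents > policy["dual_control_threshold_cents"]
    # Dual control fails if nobody approved, or if the initiator approved their own order.
    if needs_dual and (order.approved_by is None or order.approved_by == order.initiated_by):
        flags.append("dual control not satisfied")
    return flags

# Constructed sample orders: one routine payment, one matching the pattern the article describes
# (large, unusual amount on a Sunday from an address outside the customer's network, no approver).
SAMPLE_ORDERS = [
    PaymentOrder("A-1", 2_500_00, date(2010, 3, 15), "203.0.113.10", "alice", None),
    PaymentOrder("A-2", 87_300_00, date(2010, 3, 14), "198.51.100.77", "alice", None),
]

def screen_all(orders=SAMPLE_ORDERS) -> Dict[str, List[str]]:
    return {o.order_id: screen_order(o) for o in orders}

if __name__ == "__main__":
    for oid, flags in screen_all().items():
        print(oid, "ACCEPT" if not flags else "HOLD: " + "; ".join(flags))
```

Orders that return any flag would be held for out-of-band confirmation with the customer rather than executed, which is the point at which the negotiated written instructions become operational.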

Depending on a customer's business needs and a bank's available security procedures, such protections may not be feasible, may be impractical from a cost standpoint, or may be an imperfect match with the customer's operating realities. In the end, customers should scrutinize their daily banking transactions to detect suspicious activity as quickly as possible so their counsel and financial institution can work together to recover outgoing and completed transfers and mitigate any potential losses.


Richard Raysman, a Partner at Holland & Knight, and Peter Brown, a Partner at Baker & Hostetler and a member of this newsletter's Board of Editors, are co-authors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press) (available at www.lawcatalog.com/product_detail.cfm?productID=1082).
