As banks look to attract and retain commercial banking customers, they must keep in mind that those customers want their funds protected from cyber thieves. But what steps must a bank take to protect itself when a commercial customer's own computer network is compromised and the attacker uses that access to drain the account, a "Corporate Account Takeover"? The question is especially important for banks that enter into a cash management agreement with a commercial customer allowing the customer to originate ACH and wire transfers online. This article explores the steps a bank must take to address this exposure in the evolving world of cybercrime.
What are commercially reasonable security procedures?
Article 4A of the Uniform Commercial Code (UCC) establishes the rights and liabilities of banks and their commercial customers with respect to electronic funds transfers (EFTs). Unlike the Electronic Fund Transfer Act (implemented by Regulation E), which protects consumer accounts under certain circumstances, Article 4A does not provide similar protections for commercial customers.
Under Article 4A, the bank bears the loss by default when a third party impersonates a commercial customer and issues a fraudulent payment order to the bank. However, the bank may shift that liability to the commercial customer if the bank and the customer have agreed on a security procedure to guard against unauthorized payment orders and all of the following apply:
- The security procedure is a "commercially reasonable" method of providing security against unauthorized payment orders;
- The bank proves that it accepted the payment order in good faith; and
- The bank accepted the order in compliance with the agreed-upon security procedure.
When all three conditions are met, Article 4A treats the order as effective as the customer's order, and the commercial customer, not the bank, bears the loss from the fraudulent EFT or wire transfer.
Recent court cases offer further guidance on the steps banks must take to prevent unauthorized corporate account takeovers and to minimize their liability when such breaches occur.
For example, in Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the court held that the bank's security procedures were commercially reasonable and that a real estate escrow company ("Choice") was responsible for the loss when an unknown third party accessed its online banking account and instructed BancorpSouth Bank ("BancorpSouth") to wire funds from Choice's account to a bank in the Republic of Cyprus. In its determination, the court stated:
The commercial reasonableness standard is designed to encourage banks to institute reasonable safeguards against fraud but not to make them insurers against fraud. Thus, the standard is not whether the security procedure is the best available. Rather, it is whether the procedure is reasonable for the particular customer and the particular bank, which is a lower standard.
Similarly, the Federal Financial Institutions Examination Council advises that banks should "adjust, as appropriate, their information security programs in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information." As the court in Choice put it, "one size does not fit all," and "the concept of what is commercially reasonable in each case is flexible."
Educating your staff and commercial customers about corporate account takeovers
A commercially reasonable security system that identifies an unusual transaction is not enough on its own; the bank's staff must also be trained to act on what the system reports, or the bank can still be held liable.
In Patco Construction Company v. People's United Bank, 684 F.3d 197 (1st Cir. 2012), the court found that the bank's own risk-scoring system had flagged the transactions in question as "high risk," yet the bank neither reviewed the flagged transactions nor notified the commercial customer before completing them, and it concluded that the bank's security procedures were not commercially reasonable. A flag that nobody reads and nobody acts on offers the bank no protection.
Educating a bank's customers about security protocols is equally critical in combating unauthorized transfers. Many commercial customers report that their bank does not communicate best practices for protecting themselves from a network breach, and many banks do not clearly explain the steps a commercial customer should take when fraud is suspected. Regular email communications to commercial customers are an effective way to keep them informed of current cyber perils, and the anniversary date of the cash management agreement is a natural occasion to restate the agreed-upon security procedures and best practices.
Get insurance protection for your bank even if you have commercially reasonable security measures
While it is critical to protect the bank’s interest, simply minimizing the risk to the bank without addressing the impact of losses on valuable customers is seldom the best outcome.
Fortunately, there is a solution. Until recently, financial institutions had no insurance option covering breaches that occur outside their own computer systems. The assumption that corporate account takeover is covered under the financial institution bond is incorrect and has led to many disputes between insurance carriers and their bank clients. Keep in mind that not all financial institution bonds are created equal: some bonds provide coverage if the bank is legally liable under Article 4A of the UCC, some carriers' bonds specifically exclude it, and in older bonds the language is unclear.
Midwest Bankers Insurance Services (MBIS), the MBA's insurance subsidiary, has a straightforward solution to this dilemma. If it is determined that the commercial account customer is legally liable, our new EFT Guard insurance product will respond. EFT Guard protects a financial institution's business banking customers against losses stemming from corporate account takeover, including fraudulent ACH and wire transfers perpetrated through the customer's own systems, outside the care, custody and control of the financial institution. The coverage also gives the bank an opening to educate its customers about the need to secure their own systems and to follow the agreed-upon security measures. By reimbursing the customer for the loss, EFT Guard is designed to head off disputes and costly litigation between the bank and its customer.
Whether by adopting current technology to remain commercially reasonable, educating customers about today's cyber perils or purchasing insurance, a bank should regularly evaluate how it protects itself from corporate account takeovers. A well-rounded approach helps the commercial customer mitigate losses, minimizes disputes and preserves important customer relationships.
As an insurance agency run by those who defend and advocate for banking, you can rest assured that MBIS will always have your best interests in mind. Further, as an independent agency, MBIS has access to a variety of insurance providers and can tailor plans to meet the specific needs of each bank.