The 2010 Federal Reserve Payments Study reveals that the migration to non-traditional payment channels continues to accelerate, with electronic payments (cards and ACH) now exceeding three-quarters of all noncash payments. Correspondingly, many financial institutions are seeing ever-increasing utilization of their on-line technology for payment origination and account management. In this environment many wait anxiously for the “official” release of the FFIEC’s revisions to its 2005 Guidance for “Authentication in an Internet Banking Environment.” On top of all this, two important case law decisions have recently been released, one with results favorable for financial institutions and the other decidedly not so.
The Patco Construction Lawsuit
In May of 2009, Patco Construction, a Maine company, lost control over its commercial accounts at People’s United Bank. The criminal hackers gained control via the now infamous Zeus/Zbot keylogger malware. More than $500,000 in fraudulent ACH transactions was authorized over a 5-day attack. The customer’s final loss from the event was approximately $350,000. There was no evidence that the Bank’s systems were ever compromised. After Patco filed its Complaint, People’s United moved for summary judgment on all counts. On May 27, 2011, the presiding Magistrate Judge issued a 70-page “Recommended Decision” awarding summary judgment to the Bank. If the Recommended Decision is adopted by the District Court Judge, the lawsuit will terminate with an important victory for the financial institutions industry.
The central issue of the case was whether the parties’ contract provided for a commercially reasonable method for authenticating the identity of the user who was purportedly initiating the on-line banking transaction, all as required under 4A-202 of the Uniform Commercial Code. By way of operational background, the Bank used Jack Henry and Associates for its core online banking platform, which in turn incorporated RSA/Cyota multifactor solution technology. The Bank selected the vendor’s “premium” security package respecting authentication. The system used 7 primary features: Passwords and IDs, Challenge Questions, Risk Profiling, Device Cookies, Dollar Amount Rule, eFraud Network and Reports to the Bank via the Cyota dashboard.
The Magistrate Judge began his discussion by reviewing the FFIEC’s 2005 Guidance’s concept of multifactor authentication. Neither party disputed that the Bank’s product satisfied the first of the three FFIEC factors, being “something you know,” as this was met by the user Password/ID requirement. The Bank asserted that its device identification, a “device cookie” inserted into the customer’s computer, satisfied the second factor of “something the user has,” and that its account user profile protocol also satisfied the third FFIEC prong of “something the user is.” The Decision may also be read as a tacit endorsement of the “challenge question” protocol as an acceptable security feature, for example when the device identification factor might trigger a prompt. The Magistrate Judge ruled that the Bank’s system provided the requisite multifactor authentication as recommended, and the “layered security” as is suggested, within the FFIEC’s 2005 Guidance. The Court also favorably commented upon the contract’s language wherein the customer accepted the authentication protocol as being reasonable. Finally, the Magistrate Judge recognized that the multi-factors need not be unchanging inside the institution’s product and that different factors and levels of factors may be separately invoked depending upon circumstances. Thus the Bank’s in-place contract with Patco provided for a commercially reasonable method of authenticating the subject ACH transactions.
The Magistrate Judge also addressed the consequences of the Bank’s decision to exercise a customizable security feature offered in its core processor’s product, specifically here the “Dollar Amount Rule.” The Bank elected to set the amount at $1, at least for a short period of time, knowing that this modification would prompt more “challenge question” situations because of the low threshold. Counter-intuitively, the customer’s counsel argued that this actually reduced the security of the product, as voyeuristic criminals would have an increased number of opportunities to learn the challenge questions/responses. The Court also helpfully discussed the alternative security features that the Bank did not in fact employ, such as out-of-band notification and physical security tokens. As many practicing in this area have already learned, these are commonly raised arguments, to wit that there was alternative technology that, if employed, might have stopped the subject attack. For fans of security tokens, this case will not be favored reading. After discussing the rationale for the adoption or rejection of each technology, the Magistrate Judge correctly applied the legal standard as that of commercial reasonableness, and did not require that the Bank offer the hypothetical fool-proof system that is available only in the mind of a paid expert using the advantage of hindsight. There is also helpful guidance about post-event triage and the preservation of computer forensic evidence.
The opinion concludes by dismissing Patco’s common law claims against its bank, being claims for negligence, breach of contract and breach of fiduciary duty, as those causes of action have been displaced by Chapter 4A of the UCC. Patco’s remaining counts for unjust enrichment and conversion, arising from the Bank’s debiting of Patco’s commercial line of credit to fund the fraudulent ACH transactions, also failed because its other claims failed. “If the Bank employed commercially reasonable security procedures, it cannot have been unjustly enriched or have wrongfully converted Patco’s funds, when it drew on Patco’s line of credit pursuant to the Sweep Account to cover the allegedly unauthorized withdrawals.”
The Experi-Metal Lawsuit
On January 22, 2009, criminal hackers initiated wire transfers from Experi-Metal’s commercial bank account at Comerica Bank. The attack originated via a phishing email, purportedly sent by the Bank, directing the Bank’s customers to a bogus website. One of Experi-Metal’s officers clicked on the malicious link, at 7:35 a.m., and in so doing compromised his secure authenticating information held in part on a secure physical token device. By 2:02 p.m., 93 fraudulent payment orders had been initiated, in a total amount of over $1.9M. The criminals were also able to transfer funds from other Experi-Metal bank accounts, and even from the business’ President’s own personal accounts, to the business’ cash management account. None of the 20 inter-bank transfers were rejected by the Bank as fraudulent, though 3 were rejected for insufficient funds. By 11:30 that same day, the Bank was notified by another financial institution of suspicious transactions in the customer’s account, and almost immediately notified Experi-Metal. Quickly thereafter the open on-line wire session was terminated. The account customer’s principal loss at the end of the event was approximately $560,000.
The District Court in Michigan heard the parties at a bench trial in late January of 2011, and issued its written Bench Opinion on June 13, 2011. Upon the Bank’s earlier motion for summary judgment, the Court had ruled that Michigan’s UCC, particularly 4A-202(2), provided the controlling law. Though unsuccessful, the summary judgment efforts led to the judicial findings (a) that the person(s) who committed the fraud against Experi-Metal obtained that customer’s confidential information from one of the customer’s employees or agents and (b) that there was no material question of fact as to whether the parties’ contract employed a commercially reasonable method of authentication, because the subject contract itself contained the parties’ express agreement that such was the case. Thus the bench trial was held to address two remaining factual questions: (1) whether the impersonated Experi-Metal employee was authorized to initiate electronic wire transfer orders and whether Comerica complied with the contractual security procedures during the loss event; and (2) whether Comerica acted in “good faith” when it accepted the fraudulent payment orders.
In its post-trial Bench Opinion, the Court found that the Experi-Metal employee, who had been impersonated to initiate the subject wire transactions, was authorized to act on his employer’s behalf with respect to such on-line banking matters. This determination of authority was fact sensitive and unique to the actual contract presented to the Court. The Court also found that the Bank, in accepting the fraudulent instructions, otherwise complied with the written contract. In short, the hackers, after gaining dominion over the customer’s authorized user’s credentials, followed the proper procedures for initiating the transactions.
But then the Court turned to its second factual issue, the question of Comerica’s “good faith” in accepting the subject payment orders. As written into Chapter 4A of the UCC, despite otherwise good compliance with procedures, transfer orders will not be effective as to the customer if the bank does not accept the orders in good faith. UCC 4A-202(b)(ii). On this point, financial institutions bear the burden of proof.
Under the UCC, good faith has both subjective features (“honesty in fact”) and objective features (“observance of reasonable commercial standards of fair dealing”). See gen., 1-201(20) and Official Comments. The Michigan Court ruled that Comerica’s proof satisfied the subjective criteria of the test. But the Court found that the Bank could not meet its burden on the second prong. “Comerica was required to present evidence from which this Court could determine what the reasonable commercial standards of fair dealing are for a bank responding to a phishing incident such as the one at issue and thus whether Comerica acted in observance of those standards.” Unfortunately for the Bank, the Court ruled that the Bank’s expert witness was unqualified to instruct on online wire transfer activity and phishing issues, primarily because the expert had no actual internet banking experience. Though not mentioned by the Court, the Official Comments to Article 4A also mention the need to be cognizant of the actual environment in which banks operate, based at least upon size and geography. Also persuasive to the Court were the volume and frequency of the payment orders initiated by the fraudsters, the $5 million overdraft created by the book transfers in what normally was a zero balance account, the commercial customer’s limited prior wire activity, the destinations and beneficiaries of the payment orders, and the Bank’s knowledge of prior similar phishing attacks directed against the Bank’s customers. In conclusion it was too much for the Bank. The Court ruled that the Bank had not met its burden of proof, and under this section of the Code all “ties” go to the account customer. Thus the decision finally stands as a cautionary tale about the selection of one’s knight whenever faced with a future battle of the experts under Article 4A of the Uniform Commercial Code.
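The two decisions describe, in legal terms, the same engineering problem: how a bank’s on-line channel decides whether to accept a payment order, step it up (challenge questions, as in Patco’s Dollar Amount Rule), or hold it for out-of-band confirmation, and which signals (unrecognised device, new beneficiaries, amounts and volume out of pattern, as the Experi-Metal court weighed them) should drive that decision. The following is an added example written for this article; it is not code from the page, from either bank, or from the core processor or vendor products named above. Every class, function, weight, threshold, customer value and payment order in it is a constructed assumption for illustration. It also shows the point raised by Patco’s counsel: a $1 Dollar Amount Rule turns every ordinary order into a challenge, so a keylogger on the customer’s machine gets far more opportunities to capture the answers.

```python
"""Risk-scored step-up authentication for on-line payment orders.

Added example for this article; not code from the page or from any bank,
core processor or vendor it names. Every weight, threshold, customer value
and order below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class PaymentOrder:
    amount: float
    beneficiary: str
    when: datetime
    device_cookie: Optional[str]  # identifier placed on the browser at enrollment; None if missing


@dataclass
class CustomerProfile:
    known_devices: Set[str]
    known_beneficiaries: Set[str]
    typical_max_amount: float                        # largest order in the customer's history
    recent_orders: List[datetime] = field(default_factory=list)


# Signal weights (assumed). Velocity is weighted highest because a burst of
# orders is the one signal a stolen credential cannot make look ordinary.
WEIGHTS = {"unrecognised_device": 2, "dollar_rule": 1, "new_beneficiary": 1,
           "amount_out_of_pattern": 2, "velocity": 3}


def score_order(order: PaymentOrder, profile: CustomerProfile, dollar_rule_threshold: float,
                velocity_limit: int = 5, window: timedelta = timedelta(hours=1)) -> Tuple[int, List[str]]:
    """Score one order; returns (risk score, names of the signals that fired)."""
    reasons = []
    if order.device_cookie not in profile.known_devices:
        reasons.append("unrecognised_device")
    if order.amount >= dollar_rule_threshold:          # the "Dollar Amount Rule"
        reasons.append("dollar_rule")
    if order.beneficiary not in profile.known_beneficiaries:
        reasons.append("new_beneficiary")
    if order.amount > 3 * profile.typical_max_amount:
        reasons.append("amount_out_of_pattern")
    in_window = [t for t in profile.recent_orders if timedelta(0) <= order.when - t <= window]
    if len(in_window) + 1 > velocity_limit:
        reasons.append("velocity")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score to an action: step-up (challenge) or hold for out-of-band confirmation."""
    if score >= 5:
        return "hold"
    if score >= 1:
        return "challenge"
    return "allow"


def process(order: PaymentOrder, profile: CustomerProfile, dollar_rule_threshold: float):
    """Score, record the order for velocity tracking, and return (decision, reasons)."""
    score, reasons = score_order(order, profile, dollar_rule_threshold)
    profile.recent_orders.append(order.when)
    return decide(score), reasons


def make_profile() -> CustomerProfile:
    """Constructed customer history (assumption): one enrolled browser, two regular payees."""
    return CustomerProfile(known_devices={"cookie-7f3a"},
                           known_beneficiaries={"Payroll Co", "Supplier A"},
                           typical_max_amount=8000.0)


def challenge_rate(dollar_rule_threshold: float) -> float:
    """Share of ordinary, same-device orders that get stepped up at a given threshold."""
    profile = make_profile()
    day = datetime(2011, 6, 1, 9, 0)
    ordinary = [PaymentOrder(a, "Supplier A", day, "cookie-7f3a") for a in (50, 400, 2500, 7500)]
    stepped_up = sum(1 for o in ordinary
                     if decide(score_order(o, profile, dollar_rule_threshold)[0]) != "allow")
    return stepped_up / len(ordinary)


def takeover_scenario(dollar_rule_threshold: float) -> List[str]:
    """One legitimate order, then a burst from an unknown device to new payees (constructed)."""
    profile = make_profile()
    t0 = datetime(2011, 6, 1, 9, 0)
    decisions = [process(PaymentOrder(2500, "Supplier A", t0, "cookie-7f3a"),
                         profile, dollar_rule_threshold)[0]]
    for i in range(1, 7):
        order = PaymentOrder(9500, f"Mule {i}", t0 + timedelta(minutes=i), None)
        decisions.append(process(order, profile, dollar_rule_threshold)[0])
    return decisions


if __name__ == "__main__":
    print("challenge rate at $1:", challenge_rate(1.0), "at $5,000:", challenge_rate(5000.0))
    print("takeover burst at $10,000 threshold:", takeover_scenario(10000.0))
```

With the assumed weights, the first orders from the unknown device are only stepped up (and a keylogger that has already harvested the challenge answers would pass that step), while the fifth order inside the hour crosses the velocity limit and is held for out-of-band confirmation; that is why a velocity signal, not the Dollar Amount Rule alone, does the work against a burst like the 93 orders in Experi-Metal. Lowering the Dollar Amount Rule to $1 moves every ordinary order into the challenge path without changing which orders are held.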
- Both cases put to bed the notion that the FFIEC’s Guidance document is nothing more than a recommendation of possible technological practice. Rather, both courts appeared to view the Guidance as promulgating required standards of performance, which are to be applied as decisional.
- Despite the similarities of their core event, a cyber account take-over attack, the above reported decisions are remarkably dissimilar in the substantive subjects they cover. This lack of overlap is largely attributable to the cases’ procedural histories and the arguments selected by the litigants. For example, the Patco Construction decision did not address the legal issue of a financial institution’s duty of good faith under 4A-202, because for some reason the customer did not raise that defense. The Experi-Metal holding does not address the issue of the commercial reasonableness of the contract, because the Court had already addressed it (and ruled in the Bank’s favor) in earlier motion practice. Between them, however, most of the salient points that typically arise in such cyber fraud cases have been touched upon. Here I note the value of studying the “older” docket entries in Experi-Metal, where issues were covered that are similar to those discussed in Patco Construction.
- On a purely personal note, problematic issues are raised in Experi-Metal’s analysis of good faith, as the concept operates within 4A-202(b). Accepting that the Experi-Metal Court applied a reasonable interpretation of the UCC’s text as it was statutorily adopted by the State’s legislature, it is perhaps the drafters of the Uniform Commercial Code’s provisions who may wish to revisit the text of this Code provision. In short, the Code as it exists appears to give the complaining customer two bites at the same apple.
The Code requires that the parties’ contract be judged as to whether it provides a commercially reasonable method for authenticating the on-line customer. Under the Official Comments, what is commercially reasonable depends upon the circumstances of the institution (primarily) and takes into account things like geography, institution size and the circumstances of the customer relationship. The Code also provides that this is to be decided by the judge, and not by a jury. Yet, later in the same UCC section, the customer is given the right to argue (re-argue?) the concept of commercial reasonableness. It is required that “…(ii) the bank proves that it accepted the payment order in good faith…” Thus, although a contract may be ruled commercially reasonable, as the Experi-Metal Court ruled, the customer has the right to argue that the bank was not commercially reasonable when it acted pursuant to that same contract. So, what did the court decide when it addressed the earlier commercial reasonableness question? Under the Code, one cannot get to the second commercial reasonableness question (i.e., evaluating the objective element of good faith) until after successfully passing the first commercial reasonableness test, i.e., convincing the judge that the contract provides for commercially reasonable interaction between the bank and its customer.
It is also the UCC’s relatively new definition of “good faith” that creates troublesome issues under this section of Article 4A. The drafters added a new, second element to the definition, an objective element. The objective element may be summarized as what is reasonable for similarly situated commercial banks. What is it that is different about the on-line environment that makes a second level of “good faith” analysis appropriate in the context of accepting orders via the electronic banking channel? What is substantively different from dealing with a check writing customer at the teller window, where bankers have no real or automatic duty to “look behind” the face of the instrument? Rather, a good argument may be made that only the subjective element of good faith should be applied within the required 4A-202(b)(ii) analysis, to the end that a bank’s conduct is to be judged solely upon an “honesty in fact” standard.
In addition to the above, the proposed (but as of yet unreleased and unofficial) amendments of the FFIEC to its Guidance document, particularly via the risk assessment criteria, offer further support for an argument that the Code introduces an unnecessary, and potentially conflicting, redundancy in this area.
- One last suggested lesson to be drawn from the Patco Construction and Experi-Metal cases relates to the importance of good drafting within the contracts that financial institutions execute with their commercial customers. Both courts relied heavily upon the contracts’ terms and hinged important parts of their respective rulings on each contract. Words matter; at least when they are memorialized in an authenticated writing. It may also be suggested that headway may be made in dealing with the troubling aspects of the “good faith” issues as they may be perceived to exist within 4A-202 through careful drafting. While experienced compliance personnel know that one cannot contract away an institution’s duty of good faith, there are ways in which the exercise of that duty may be defined to manageable areas from the institution’s business perspective. Finally, both cases offer indirect but helpful guidance to institutions in their business interactions with the vendors who may supply their online transaction functionality.