Privacy

Saga Continues Over Liability of Bank v. Customer in Hacking Case

Published: Jun. 21, 2013

Updated: Oct. 05, 2020

A new step has been taken in the case of Choice Escrow v. BancorpSouth Bank (“BSB”).  What began in 2010 with a fraudulent $440,000 wire transfer by a hacker from the bank account of Choice Escrow, then progressed through a “close call” that led to a dismissal of the bank’s contract-based counterclaims in August 2012, resulted in a finding this past April that the bank was not liable for the loss since Choice Escrow was offered but turned down authentication technology that likely would have prevented the fraudulent transfer.

As we wrote in April, “BSB produced evidence showing that it typically required its customers to use [dual factor authentication] with their system for transmitting funds.”  Choice declined, so BSB required Choice to sign a memo stating that Choice and its related entities understood the additional risk and that anyone with the proper username/password could access the account.  The memo went on to say that “if funds are fraudulently wired out in this manner there is a substantial probability that we will be unable to retrieve our funds or recover losses.”  When offered a second time, Choice again turned down dual factor authentication.

In an appeal filed on June 17th, Choice Escrow attacks the authentication used by BSB.  It first asserts that BSB did not use “commercially reasonable” authentication procedures when accepting wire transfer instructions, which Missouri’s adoption of UCC Article 4A requires in Sec. 4A-202.  In discussing UCC Article 4A, Choice Escrow notes that the case involves “unique and largely uncharted analysis and application of Article 4A of the Uniform Commercial Code (‘Article 4A’) regarding bank wire transfers… The threat of cyber theft from U.S. corporate bank accounts through fraudulent wire transfers is growing exponentially.  Future lawsuits regarding these issues are likely.”  Choice Escrow goes on to assert that the procedures used by BSB fall short of the multifactor authentication guidance provided by the Federal Financial Institutions Examination Council (FFIEC), which states that “agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

In summarizing its appeal, Choice states that BSB had the burden of proof to show all of the following factors:  first, that BSB used an agreed-upon security procedure that was commercially reasonable; second, that BSB used objective good faith in accepting the payment order; and third, that BSB complied with Choice’s limiting instructions contained in a Choice email related to wire transfers to foreign banks.  Choice then asserts that BSB failed to meet that burden.

In light of the novelty of this issue, this case will be closely watched to see how authentication issues are regarded by the court.  The subject matter (fraudulent wire transfers) coupled with the parties (bank and commercial customer) further increases the attention that will be paid.  If BSB prevails on appeal, commercial banking customers may learn to be more vigilant about technology made available by their banks.  On the other hand, if Choice prevails, banks may want to review their current approach to authentication and what they communicate to their customers about its use.  We will update you further as this case progresses.