Court Recommendation is a Call To Action for the FFIEC on Authentication Guidance
A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in the case of PATCO Construction suing its former bank, Ocean Bank, over a $500,000 fraud loss. According to the order, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials.
At issue in the case is whether financial institutions should be held responsible when commercial accounts are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to their commercial accounts? The magistrate in this case has closely aligned his recommendation with a literal interpretation of the 2005 FFIEC Guidance, which states that single-factor authentication is not enough.
Now that this water is almost under the bridge, we feel the remaining issue is what the FFIEC can do now to offer leadership to the industry and stem the flood of similar losses and resulting lawsuits. While the courts may feel that the bank was using reasonable security from a legal standpoint, clearly that security isn’t enough from a practical standpoint and should no longer be the standard. The court even commented that the bank could have done more and could have prevented the loss.
The case must still be reviewed by the presiding judge, but regardless of how it is ultimately decided, it’s a hollow victory for the “winner.” The only winners in this case were the fraudsters who stole the money. The bank spent time, treasure and goodwill defending its contractual obligations and its security framework. And PATCO lost over a quarter of a million dollars plus legal costs and productivity losses. Worse, this isn’t an isolated incident. There are many more victims – banks and credit unions, commercial and retail accounts – going through the same thing every day. And unnecessarily so.
The technology and processes to stop this blight exist in the market today. They are affordable for any size institution and have been proven over and over again to be effective at stopping online and mobile fraud. The financial institutions need to adopt them. The commercial account holders need to insist on them.
But what’s most important in light of this legal precedent is that the FFIEC step off the sidelines and take action by releasing their long-expected updated guidance with more specificity around risk assessments and control expectations. The FFIEC has the chance to lead the way – but they need to act, and act now.
For a nice summary of the magistrate’s recommendation, read Bank Info Security’s article: ACH Legal Ruling Favors Bank