PATCO ACH Fraud Ruling – Lessons Learned
As you’ve probably read by now, on July 3 the First Circuit Court of Appeals in Boston ruled in favor of PATCO in their lawsuit against Ocean Bank over fraud losses, reversing the U.S. District Court‘s 2011 judgment that favored the bank. Rather than merely rehashing the ruling, I’d like to offer some lessons learned and thoughts on how financial institutions can respond.
Where this all began – a fraud attack
In a series of 6 fraudulent ACH transfers in 2009, fraudsters were able to drain $580,000 out of PATCO’s commercial account with the former Ocean Bank (now People’s United Bank). The bank was able to recover $243,000, leaving approximately $340,000 in losses.
The Initial Ruling
In 2010 PATCO file suit against Ocean Bank to recover its losses. In the original ruling in August 2011, the District Court ruled in favor of Ocean Bank based stating that the bank did, in its opinion, have “commercially reasonable” security in place. This opinion stemmed primarily from the fact that PATCO had signed a contract with the bank agreeing to the security procedures at the bank and also that the bank had common security solution in place.
With that said, the ruling did go out of its way to note that the bank probably should have detected the unusual activity since it was so unusual for PATCO’s typical behavior.
The Reversal on Appeal
Interestingly, the appellate court took a much broader view of what a “commercially reasonable” security solution offered and paid greater attention to the bank’s actions in utilizing the technology solutions that they had in place, not just the technology itself.
Here are some noteable examples from the latest ruling:
- The bank used what the court calls a “one-size-fits-all” approach to monitoring and authenticating transactions. All ACH and wire transactions over $1 triggered a challenge question. The original intent was to increase security, but the actual impact was an increase in the chance that the response would be compromised, ultimately weakening this defense.
- The bank had the ability to monitor high-risk transactions through its transaction-profiling and risk-scoring system, but chose not to do so. As one example, Ocean Bank’s scoring system gave the first fraudulent transaction a risk score of 790; PATCO’s usual risk scores ranged between 10 and 214.
- The fraudulent ACH transfers out of PATCO’s account went to numerous individuals PATCO had never paid before. The perpetrators also logged in from devices and IP addresses never used by PATCO.
“The payment orders at issue were entirely uncharacteristic of PATCO’s ordinary transactions,” the ruling states. “These collective failures, taken as a whole, rendered Ocean Bank’s security procedures commercially unreasonable.”
I’m not trying to paint Ocean Bank as a ‘bad guy’ but more express a challenge the whole industry is facing. With criminal attacks growing more stealthy and more speedy every day and without the right tools to pinpoint the bad actors, it difficult for any bank to stay on top of the ever-growing online and mobile activity.
With that said, here are a few some takeaways from this whole situation.
- Having a lot of technology is not enough. The courts are setting the stage that they will look for how the use of technology impacts the overall security.
- The courts are shifting expectations of banks. Taken in conjunction with two other high-visibility lawsuits – EMI v. Comerica and Village View Escrow v. Professional Business Bank – the courts are expanding what is expected of financial institutions, or at least setting precedents that define terms such as “reasonable security” or “good faith”. In both cases with judgements, the courts mention that the banks should have been able to detect the fraudulent activity because it was so unusual relative to typical customer behavior.
- “One size fits all” doesn’t work. Security solutions and policies must be dynamic and tuned to each customer, situation, transaction, or online banking session. In other words, financial institutions need better tools to avoid having to consider such a “one size fits all” approach. On this point Gartner’s Avivah Litan commented, “Small banks just don’t have any resources to monitor 15-20 percent of the log-ins every day; they need better tools.”
- Monitor. Monitor. Monitor. The fraudsters are clever and sophisticated, and unfortunately, financial institutions cannot let up for a minute. In the PATCO case, the fraudsters got through user ID & password, cookie-based device authentication, IP address profiling, challenge questions, and risk scoring, which taken together satisfied the “commercially reasonable” litmus test. And while fraudsters have repeatedly demonstrated the ability to surmount these defenses, they stand a better chance of detecting fraud only when the financial institution is actively monitoring activities and alerts.
- Total losses are much higher than the fraudulent transfer. While the ruling did not award specific damages, instead simply encouraging the two parties to settle out of court, the legal costs, productivity losses, and negative PR dwarf the nominal fraud loss.
What’s a Financial Institution to Do?
I doubt anyone would debate that fraud prevention is a responsibility shared between the financial institution and their commercial clients. And when things go bad, it’s clearly a point of contention – often a severely divisive one – as to how this responsibility is shared. I encourage bankers to thoroughly consider how they can use the lessons learned from this case to do their part, and maybe even more than their part.
In today’s competitive, tight-margin banking environment, this ruling suggests to me an opportunity to use security as a differentiator to win new accounts and expand services (i.e. increase revenue). This is the ideal time to first put in place truly effective fraud prevention solutions across online, mobile and ACH channels, and then feature your commitment to preventing fraud in your communications to customers and prospects. And, there are modern tools available that deliver efficient and effective fraud prevention.
Your business clients are not experts in security, which is why they are under attack from criminals. And again, security today is a shared responsibility, but the reality is that they are dependent upon you, their banking institution, and they (quite reasonably) expect you to be an expert (keep an eye out for more stats on this from our upcoming business banking trust study).
So, I encourage you to be the expert. Put in place outstanding layered security with the people and policies to ensure it works as designed. And then use that investment to gain new business and improve customer trust, loyalty, and longevity.