-
See the Archives
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- February 2009
-
Filter by Category
- Business at risk
- Citadel in the news
- Citadel Information Security Guides
- Citadel: Guide to Blog
- Citadel: Thinking about Security
- Cloud Security
- Combatting Cybercrime
- Consumers at risk
- Cost of Cybercrime
- Cost of Piracy
- Credit card fraud
- Culture Change
- cyber security learning community
- Cyber Security Management
- Cyber War
- events
- Financial systems security
- Future of Cyberspace
- Healthcare
- Identity theft
- Information at Risk
- Insurance
- Internet badlands
- ISSA-LA
- Law Firms
- Legal
- Miscellany
- mobile banking
- mobile internet
- Mobile Security
- national security
- Not-for-Profit
- Online Privacy
- OWASP
- Privacy Matters
- Ray of Sunshine
- School security
- Security Alert: Vulnerability Management
- Security management
- Security Research
- Security Surveys
- Social Engineering
- Social networks
- Virtual Currency
Time for Financial Institutions to Ask: How Do We Better Protect Account Holders from Online Bank Fraud
Two recent news items should serve to get every financial institution in America asking how it might better protect its e-bank account holders from online bank fraud.
In a lawsuit filed by a customer, Experi-Metal, against its bank, Comerica, over responsibility for an online bank fraud that cost Experi-Metal more than $500,000, United States District Court Judge Patrick Duggan held that Comerica failed to act “in good faith” in protecting Experi-Metal from on-line bank fraud. (For an overview of the decision see KrebsOnSecurity.com. The judge’s decision is available here as a downloadable PDF.)
The Judge — suggesting that Comerica’s actions were illustrative of a “pure heart, empty head” — found that while (i) Comerica provided evidence that it properly intended to protect Experi-Metal — it’s heart was in the right place, (ii) Comerica failed to rebut plaintiff’s claim that the specific actions the bank took to protect Experi-Metal failed to met “reasonable commercial standards of fair dealing.” This is the second prong — the “head” component — required for a successful “good faith” argument.
The ruling suggests that — in a disagreement over responsibility for online bank fraud — a financial institution’s account holder may likely argue that the institution failed to act in “good faith,” i.e, commensurate with “reasonable commercial standards of fair dealing.”
The second piece of important financial cyber security news is that regulators have released a long-awaited update to their 2005 guidelines that describe what financial institutions should be doing to protect e-banking customers from hackers and account takeovers. (Good overviews of the regulations are available at BankInfoSecurity and KrebsOnSecurity.com. The new guidelines are available here as a downloadable PDF.)
The updated guidelines call on financial institutions to
- Conduct more rigorous risk assessments
- Implement stronger “layered defenses”
- Better monitor account holder transactions for suspicious activity
- Do more to educate account holders — particularly businesses — about the risks involved in banking online
Based on our firm’s experience, the specifics of Experi-Metal v Comerica leading the Judge to conclude that Comerica failed to act in good faith, and the new guidelines for protecting customers against online bank fraud, our expectation is that a significant percentage of community banks — as well as significant numbers of larger banks — fail to meet the “good faith” standard of “reasonable commercial standards of fair dealing.” (See our White Paper, The Commercial Reasonableness of Bank Security Procedures.)
Forward looking financial institutions will see in these two news items the opportunity to review how they currently protect e-customers from online bank fraud. They’ll want to carefully review the new guidelines, identify any gaps between the guidelines and current protections, and put in place Action Plans to close these gaps. By focusing on meeting the new guidelines, a financial institution in a dispute with an account holder will be better able to demonstrate that it acted in “good faith,” commensurate with “reasonable commercial standards of fair dealing.”
By doing more to educate account holders about the risks involved in online banking, these forward looking financial institutions will also reap the competitive advantage that comes anytime a business and its customer collaborate together to solve the customer’s problem. As more account holders become more concerned about the risk of online bank fraud, financial institutions with a reputation for working closely with their account holders to manage the problem will be positioned to take advantage of this market differentiator.
