About

Comment Policy

Disclaimer

Share or Subscribe

Add me to your TypePad People list

Search BLB


  • Google

Stats

Blog powered by TypePad
Member since 03/2004

FFIEC

April 22, 2013

FDIC's Take On FFIEC's Social Media Guidance

GuidanceI ran across an interview recently that the FDIC's Elizabeth Khalil gave to InfoSecurity's Tracy Kitten about the FFIEC's proposed guidance on social media. Among my take-aways are the following:

  • The push for the guidance came from smaller banks that wanted the regulators to give them some free advice. We all understand the fact that because small banks have less money available to pay for expensive lawyers, they look to leverage off of every free resource they can glom onto. Trade associations aren't free, but if you're paying your dues, you look to them to give you your money's worth. Since banks pay the federal bank regulators assessments, they want some bang for those bucks, as well. I get it.
  • While Ms. Khalil mentioned "reputational risk" as the second major risk of the three she discussed ("compliance issues" was number one and "third party risk" was the third), I think reputational risk layers through much of the regulators' concerns. For example, misuse of consumers' personal information may be a compliance risk issue, and a Facebook vulnerability to hackers is a third-party risk. However, they both can impact the bank's reputation. Bad things that happen in a bank's social media endeavors often pose a reputational risk as an additional risk, and that's a safety and soundness concern which, in turn, is a regulatory compliance concern.
  • None of what's in the guidance is new, and banks that are already engaged in social media activities should already be familiar with the elements of the guidance. If they're not, they better become familiar in a hurry and hope that no one notices.
  • Due diligence on third party service providers that you intend to use is critical. The due diligence needs to be ongoing. A third party's faux pas can bite the bank in the backside as well as the third party. Monitoring is essential.
  • As is the case with online banking security, the regulators encourage banks to educate consumers on social media risks. For example, the regulators will look favorably on a bank educating its social media users on the risk of fraudulent bank sites, how to recognize the real deal from the fraudster, and that they should never give up personal information over social media. 
  • Whether or not a bank is actively using social media to interface with current or potential customers, it needs to have a social media use policy. The bank's employees are using social media, and other people may be saying bad things about you in cyberspace. The bank should have a policy that deals with these issues.

The final guidance is expected to be out in the near future (the comment period closed March 25th), depending on the nature of the comments received.Interested bankers should keep their eyes peeled (although, don't hold your breath).

I'll be giving a breakout session on social media compliance on July 3, 2013 at CUNA’s America’s Credit Union Conference in New York City. If you're a reader and are attending that conference, say hello.

10:01 PM in CFPB, Compliance, Consumer Law-General, Credit Unions, FDIC, FFIEC, FRB, Marketing, OCC, Risk Management, Social Media, Web/Tech | | TrackBack (0)

April 01, 2013

Eductaing Customers About Online Fraud: A Case Study

Educate MeTwo years ago, we discussed the fact that, pursuant to supplemental guidance issued by the FFIEC, financial institutions were going to have take seriously the need to educate their online banking customers about ways to prevent online banking fraud. BankInfoSecurity's Tracy Kitten recently interviewed the heads of social media and information security for Bank of the West about their efforts in this area. In addition to posting educational videos for customers on the bank's web site, the bank is uploading to the bank's Youtube channel in an attempt to make those videos "go viral." In other words, the bank is blending its internal information security technology and social media expertise to do what the bank regulators want them to do: help combat online banking fraud by educating their customers.

While the entire, relatively short, interview is worth a listen, I took away the following points:

  • If you want social media content to "go viral" (for the social media challenged: "circulate widely via social media"), you have to make the content "relevant and compelling." You also must update it frequently. Easier said than done. It's why I believe that banks need to blend their internal talents, the way that Bank of the West is doing. Social media is not the sole province of either marketing or "technologists." It takes folks with a variety of skills to make it rock.
  • To banks like this one, that have been in the social media game for a while, the recently proposed FFIEC social media guidelines are no big deal. They should be well positioned to meet those guidelines with little, if any, modification to their existing procedures. As one of the gentlemen interviewed observed, they've been expecting these guidelines for years.
  • Social media (videos) is only one arrow in the educational quiver. The bank is also using seminars targeted to specific groups of customers (small businesses, primarily, since that's the customer group that is most at risk for online banking fraud losses).
  • Of most concern to information security officers is the movement of organized criminal organizations into this arena. They bring with them the money and skill set (not to mention the ruthlessness) to pull off the most successful heists, targeting not the banks but their customers.
  • Quality is more important than quantity in online education efforts. Throwing everything against the wall and seeing what sticks will likely not be a successful approach.
  • You need cooperation from different areas of the bank to do this successfully. Therefore, you need "buyoff" internally before you launch, not after.
  • Most of these efforts are too new to be able to measure their effectiveness, but using the tools that are available to do so on an ongoing basis is important. If your efforts aren't paying off, then you need to consider tweaking them.

09:34 PM in Banking Law-General, Compliance, Crime, FFIEC, Marketing, Risk Management, Social Media, Web/Tech | | TrackBack (0)

February 24, 2013

Vendor Management Is Still A Regulatory Hot Button

Hot ButtonAccording to the FDIC, a common theme in IT examination downgrades is poor vendor management by banks.

Last year, in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor, says Donald Saxinger, senior examination specialist in FDIC's Technology Supervision Branch.

"I'm not saying it was the primal causal factor, but, in 46% of the downgrades, vendor management was cited," Saxinger says. He spoke during the recent ABA Telephone Briefing "Vendor management: Unlocking the value beyond regulatory compliance."

Although the most common “error” that FDIC examiners discovered was the failure by banks to ask their vendors for copies of regulatory examinations, that wasn’t the only nugget contained in the linked article from the ABA Banking Journal. Among the others:

• Vendor management needs to consider all service providers that hold sensitive customer information, not just IT vendors. These include loan workout consulting, appraisal review companies, outside attorneys, and others.

• Make sure to get the proper exam reports about individual vendors. Some banks just obtain reports for the host data center, but not for the specific application that the banks were using.

• Even the proper reports don't cover everything that a bank must consider in its security risk management efforts. For example, one service provider with an otherwise clean report did not have an internal audit program and its business continuity planning was poorly documented.

This is all sound advice, of course, but knowing what you need to ask for is only half the battle. You also need to make certain that the agreement with your vendor gives the bank the right to ask for, and the vendor the obligation to deliver to the bank, copies of the necessary reports. Relying on the goodwill of the vendor in coughing up examination and audit reports, especially when they may contain results that are less than flattering to the vendor, is "unwise."

Here's one more tip: if the report reveals problems, the agreement with the vendor should require the vendor to notify the bank of what action the vendor intends to take to remedy the defects, and should also require the vendor to give the bank periodic progress reports on its progress in correcting those problems.

I'll be doing a webinar on March 6, 2013 on the topic "Technology Service Agreements: Meeting Regulator’s Expectations." It covers regulatory guidance applicable to credit unions, banks, and thrifts, although the same essential principles apply to each. The goal is to discuss the provisions of a technology service agreement that regulators expect (and that sound business judgment requires) be included, and to give financial institutions guidance on how to approach the issues covered by each of those provisions so that the institution meets its regulator's expectations while also meeting the institution's business needs.

09:42 PM in Banking Law-General, Compliance, Contracts, Credit Unions, Electronic Banking, FDIC, FFIEC, NCUA, OCC, Outsourcing, Risk Management, Web/Tech | | TrackBack (0)

February 11, 2013

Social Media Compliance Guidance Finally (Almost) Arrives

FinallyA couple of years ago, I opined that the time was coming when the federal bank regulators would get around to "suggesting" that every bank have a policy in place that governed the use of social media by its employees.

At some point (which may have already arrived), banks aren’t going to have the option of doing nothing. Social media use by employees is proceeding at a rapid pace, and social media governance policies are a wise idea, whether or not the bank is going to jump into the use of social media itself. Not having any policy to govern the use of social media by employees in ways that could adversely affect the bank, or, having a policy in place but not adopting effective tools to monitor and enforce it, might be considered to be unsafe. As a recent client alert from Norris McLaughlin & Norris P.A. points out, the SEC and FINRA are already focused on social media sites and the risks they pose to the businesses they regulate. While the federal banking agencies are currently otherwise occupied, banks should take the trend seriously and be seriously thinking about social media governance.

The federal banking regulators have finally gotten around to specifically addressing social media risks, and the time for seriously thinking about social media governance has arrived for even the most dilatory of banks. On January 22, 2013, the FFIEC issued proposed consumer compliance risk guidance with respect to social media. Included in the proposed guidance is the following admonition:

Financial institutions should be aware that employees’ communications via social media — even through employees’ own personal social media accounts — may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. Employee communications can also subject the financial institution to compliance risk as well as reputation risk. Therefore, financial institutions should establish appropriate policies to address employee participation in social media that implicates the financial institution.

Yes, it's "proposed guidance." The FFIEC is asking for comments, and if you have any, get them in within the 60-day window. Nevertheless, I do not expect that the FFIEC will abandon its position that financial institutions should adopt "appropriate policies" regarding employee use of social media that could impact the institution.

Don't be one of those laggards like the slugs we saw who dragged their heels on multi-factor authentication in online banking. If you haven't already done so, get a sound policy in place. By "sound," I mean well thought out and cognizant of the practical and legal nuances. You'll be glad you did, and so will your regulator.

****************************************************************************************************************************

Chris Dye of Harland Financial Solutions and I are doing a webinar next month for BankersHub on the topic of "de-risking" the legal risk of social media use by financial institutions and their employees. Although special attention will be given to the proposed FFIEC guidance, we'll be ranging beyond that subject.

09:59 PM in Banking Law-General, Compliance, Consumer Law-General, FFIEC, Risk Management, Social Media, Web/Tech | | TrackBack (0)

February 03, 2013

Cyberheists: Big Banks Increase Small Banks' Losses

Cybercrime 4Internet security guru Brian Krebs had an excellent post a few weeks ago about much of the attention on cyberheists may be focused on the security vulnerabilities of small banks and their business customers, the large banks are playing a large role in small banks' losses.

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

Krebs responds to a question often asked of him, whether it's safer for a business to bank with a large bank rather than a small bank, by asserting that it's a difficult question to answer "because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses"

Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is entirely up to the bank.

That's right. Regulation E does not apply to business customers. That's something that sometimes comes as a shock to small business customers, especially those who were too cheap to hire legal counsel to review the account and other online banking agreements before they were signed. "Forewarned is forearmed" is an old adage with a lot of wisdom behind it. It's not that banks will negotiate the terms of their agreements (most of them will not, especially with small customers), but that customers who understand their legal position going into the relationship are more likely to be concerned about doing due diligence on the bank's security procedures and track record and considering other methods to lessen and cover their risks (I've seen a few who suddenly realize that having a PC dedicated solely to online banking transactions and no other activities is not such a waste of money, after all).

Krebs also points out that since larger banks are more likely to have the resources to settle even large losses to avoid the reputational risk of cyberheists, it may be difficult to know how many instances of loss occur. However, it's reasonable to assume that the large banks spend a lot more money and person-power on security measures than do small banks.

Wearing my cyberthief glasses, if I’m looking at a huge pile of data stolen from thousands of victims, I’m probably more apt to target victims at smaller banks based on one simple assumption: Because I’m going to have a much higher success rate than I would targeting customers of larger institutions.

Krebs takes a shot at technology service providers who service many of the smaller banks for not doing more to secure online banking transactions.

Case in point: Optimumbank’s service provider is Fiserv, one of the largest banking industry service providers. According to Fiserv’s site, at least 52 percent of the nation’s $19 billion in ACH payments are processed using Fiserv software. If this is true, one might think that Fiserv’s systems handled about half of the mule transfers that were sent from Niles Nursing’s hacked bank account.

But according to Murray Walton, Fiserv’s chief risk officer, the software that most of its customer banks run — called PEP+ – is a client solution that does not interact with the company’s data centers. He said while Fiserv does offer an antifraud solution called FraudNet, that tool is designed for online bill pay services that banks can use to detect fraud patterns on consumer accounts.

“There are vendors who can knit it all together for banks, but that isn’t what we do,” Walton said in an interview. “For various and sundry reasons we don’t offer an engine that does the same thing as [an anti-fraud provider like] Guardian Analytics. Realistically, the client and end-user have responsibilities that they can’t abdicate to us. Everyone in this needs to take it seriously and not think that someone else has their back.”

I understand Walton's point, but on the other hand, a small bank's takeaway from those three paragraphs might be "Fiserv doesn't have your back, so look elsewhere." A competing core platform and processing vendor that "does have your back" might have a tag line to use.

Large banks are also lambasted for allowing so many "mule accounts" to be established.

As it stands, the big banks don’t have an incentive to police new accounts for mule activity, because it’s generally not their customers who are getting robbed from this activity, said Avivah Litan, a fraud analyst with Gartner Inc.

“The bad guys shouldn’t be able to set up these mule accounts in the first place,” Litan said. “The bigger banks are not doing a good job of screening for this activity because they’re not the ones eating the fraud on these attacks on smaller bank customers. [The bank service providers] should be spending more money. And the regulators should be coming down on them harder.”

Krebs suggests that, perhaps, "small, regional and local banks can pool their clout and resources to extract more from service providers than what those companies are currently offering." Fat chance. Several years ago, some of the largest users of technology services in the country made a concerted effort to get giant service providers to take more contractual responsibility for the performance, and vulnerabilities, of their technology. It fell flat. Unless the bank regulatory agencies intervene directly with the service providers, they'll continue to do what they do best: collect fees and deny liability.

As for watching your own back as it applies to business customers, Krebs offers some good suggestions, among them:

  • Shop around for banks until you find one that assures you that it uses layered security.
  • Use "Positive Pay" if your bank offers it because it not only deters check fraud but other unauthorized transfers, online and off (I heartily concur).
  • Use Live CD to temporarily covert your PC from Microsoft to Linux for doing online banking transactions.

Krebs also offers an online "best practices" guide for businesses. As with much of his material, it's good stuff.

09:34 PM in Banking Law-General, Compliance, Contracts, Crime, Deposits, Electronic Banking, FFIEC, Litigation, Outsourcing, Risk Management, Web/Tech | | TrackBack (0)

July 31, 2012

Patco and Experi-Metals: How Much Hope Do They Really Give Small Businesses?

HopeThe Wall Street Journal ran an article by Joe Palazzolo today that discussed the court decisions in the Patco and Exeri-Metal cases, in which a federal district court (Experi-Metal) and a federal appeals court (Patco) found that banks' online security measures were not commercially reasonable. Palazzolo's point of view is that these cases give some "hope" to small business owners that when their bank accounts are hijacked because the business owners' security was flawed, the business owners are not necessarily going to eat the entire loss. According to lawyers for the business owners involved, owners of small businesses "often lack an understanding of cyberthreats when they accept bank security procedures," and, therefore, the bank bears a higher responsibility for making sure those security procedures are effective.

I'm not reading that much into the two decisions. First, last year, I questioned the soundness of the reasoning behind the court's reasoning in the Experi-Metal case, and I haven't changed my view. The bank settled that case rather than appeal it, so while it provides some precedential value in an area of the law where there's not much precedent, I don't think banks should quake in their boots over Experi-Metal.

As to Patco, while (as noted in a post last week) it's an appeals court that rendered the decision and, therefore, the ruling carries more weight, the facts are fairly bad for the bank involved. The bank had in place a process for flagging high risk transactions, the flags were raised, and the bank ignored those flags for an extended period of time while the thieves made off with the loot. If you have procedures in place and you don't follow them, it's hard to argue that you shouldn't be held at least partially responsible for the loss. Also, the appeals court sent the case back to district court to determine (among other things) the extent to which the customer ought to be held responsible for lax security in permitting its online security identifiers to be compromised. That's an issue on which it might be good to have some case law that states that the customer can't be lax in protecting itself (in other words, ignorance will not be an excuse). The fact that the court suggested that this was a good case for settlement indicates that neither side had clean hands.

I do agree with a couple of other points made in the article. One is that banks ought not to simply rely upon the protective language contained in their online banking agreements as to the commercial reasonableness of their security procedures and then go to sleep. Those contractual protections are very important, but they're not the end of the story. If, in fact, those procedures don't pass a judge's smell test for reasonableness or, even if they do, if the bank doesn't implement and follow them effectively, the bank may be exposed to liability.

Another point that appears at the end of the article also strikes me as being valid.

...William T. Repasky, a Louisville, Ky., lawyer who represents financial institutions, says the First Circuit ruling could prompt some banks to view small businesses as higher risk customers.

As a result, banks might then begin to pass on to small business customers their own increased costs for added security and customer education, he predicts.

If the courts keep coming down on the side of small business borrowers that have their security credentials compromised, I agree with Repasky that it's going likely going to cost small business borrowers more money to do online banking business with banks.

I think it's important that banks educate their customers in online security, and not merely because such education is now mandated by FFIEC guidelines. Education can result in decreasing the chances of cybertheft with respect to those clients who take such education to heart, and provide an additional defense for the bank against those customers who don't and whose accounts are compromised.

09:43 PM in Banking Law-General, Compliance, Contracts, Crime, Electronic Banking, FFIEC, Litigation, Risk Management, Weblogs | | Comments (0) | TrackBack (0)

July 24, 2012

PATCO Panic

Sky-is-fallingThe recent federal appeals court ruling that found that a bank's multifactor authentication security measures were not, under the facts of the case, "commercially reasonable," has thrown some commentators into a Chicken Little tizzy. Others are more measured, and one of those is managing partner of Duane Morris, Joe Burton. Interviewed recently by InfoSecurity's Tracy Kitten, Bruton gave some useful insights into the impact of the ruling. Among those insights are the following:

  • The ruling is a "fairly significant" one, Burton points out, since it's the first appellate case of this type. "It's going to have precedential value because it's an appellate court case, and as you know there really are a small number of cases that have considered the question of apportioning responsibility between a customer and the bank." In other words, courst in other jurisdictions may refer to it for guidance. Judges, like nature, abhor a vacuum.
  • The appellate court sent the case back to the trial court to determine the limits of the bank's customer's liability even if the bank's security procedures were not "commercially reasonable." "It opens the possibility that you have a circumstance where you had a commercially unreasonable procedure that was utilized by the bank, but the liability might not be on the bank because there may be responsibility [on] the customer," he says. To me, this is significant, because in just about every one of these cases, the root cause of the loss is the fact that someone purloined the customer's user name, password, or other unique identifiers because of poor online security practices by the customer.
  • The problem for the lender in this case is that while it had in place procedures that identified that high-risk online transactions were taking place in the customer's account, the lender didn't act on that intelligence. According to Bruton, [i]t's not enough just to have a generally accepted security procedure in place if that procedure is not implemented in a way that makes sense," Burton says. "That's the conduct aspect that has to do with the actual security and not just the check-box [mentality]." The appellate court in this case didn't take into account conformance with the FFIEC guidelines, but whether the bank had implemented appropriate security.

The entire interview is well worth the time it takes to read it, whether of not you bill by the hour.

09:44 PM in Banking Law-General, Crime, FFIEC, Litigation, Web/Tech | | TrackBack (0)

July 02, 2012

Confusion In The Ranks

ConfusedSince we've recently been discussing the topic of mutlifactor authentication for online banking activities, I thought I'd point out another interesting post by Tracy Kitten, this one discussing the results of a recent survey that contained some disturbing news: many bankers are asking the feds, "Whadda ya want from me?"

Too many executives say they don't really know that the investments they're institutions are making will have significant impacts on fraud. Moreover, they don't understand regulatory demands, and question whether the new guidelines really address the right fraud-prevention needs.

Ms Kitten finds these results to be "alarming."

For one, the updated guidance is not really that updated. The update definitely offers many more details than the guidance issued back in 2005. But the tenets are the same. Multifactor authentication, regular risk assessments, transaction verification, account monitoring and customer/member education were all noted in the 2005 release, and though they're clarified in the 2011 update, the message is the same.

Those recommendations should not be surprising. Banks and credit unions should have been addressing those areas for the last seven years.

The updated guidance definitely clarifies a few suggestions, by, for example, explaining how an institution might implement multifactor authentication or transaction verification through device identification. But, really, there's no great variance between the 2005 and 2011 releases.

Eh, we could quibble about that, but she's got a point. Banks engaged in online banking, no matter what their size, need to be on top of multifactor authentication and the related guidance. Living in a "What, Me Worry" world is a ticket to a plethora of pain, including, potentially, monetary losses in a lawsuit and regulatory enforcement action. Moreover, as Tracy correctly observes, the FFIEC Guidance is a baseline, not an ironclad guaranty of security in all circumstances. Each bank has to consider its own activities and address the risk accordingly, and that may mean that doing the bare minimum is not nearly enough.

I'm off the air until next week. Y'all have a Festive Fourth.

09:54 PM in Banking Law-General, Compliance, Electronic Banking, FFIEC, Risk Management, Web/Tech | | TrackBack (0)

July 01, 2012

Settlement Of Hacked Account Case: Lessons For All Banks

HackedBank Info Security's Tracy Kitten recently interviewed plaintiffs' lawyers Julie Rogers and Kim Dincel about the settlement they reaced with a California-based bank in a lawsuit that arose out of a classic "hacked bank account" incident. Cyberthieves obtained access to  an escrow company's bank account (how access was obtained was disputed by the parties), wire transfer orders were issued by the thieves to unwitting "money mules" who thought they were engaging in legitimate transactions, the the mules, in turn, wired the money via Western Union to the crooks, who were based in Eastern Europe and The Middle East. Kitten posted the audio of the interview here.

Bankers would be well advised to give the eleven minute audio interview a listen. Here are my take-aways:

  • Section 4A of the UCC is the "The Bible" for both defendants and plaintiffs, and whether or not the bank's security procedures were "commercially reasonable" and the bank accepted the funds transfer requests "in good faith" will be the battleground.
  • The plaintiffs' contention that the bank has a better opportunity than a small business customer to prevent and detect such incidents is a theme that has been sung, and will continue to be sung, by plaintiffs' attorneys in these cases. Because the bank is (or should be) more sophisticated, the standard for what constitutes "reasonable security" compliance for a bank will be higher than for the poor, dumb customer.
  • Because there's not a lot of case law in many jurisdictions on this issue (and what case law exists is inconsistent), the tactic of the plaintiff's lawyers in this case of urging the court to consider precedent from other jurisdiction (even unpublished decisions) is likely to be popular, at least until more appellate decisions are rendered in more jurisdictions. Dincel's exhortation to plaintiffs' lawyers to "be creative" in coming up with bases for claims and not to become "bogged down in the UCC" will strike a responsive chord with fellow sharks.
  • Whether or not a bank's security procedures for authentication are "multi-factor" or "layered single factor" ought to be decided by reference to the FFIEC guidelines, which give examples.
  • Rogers is correct in asserting that the FFIEC Guidelines are only "guidance" and not binding law (as is the UCC), so courts are not bound by them; however, banks should treat the FFIEC as the regulators' view of baseline compliance with safety and soundness principles and comply with them to the best of their ability. They certainly aren't all that a bank can do, so bank's shouldn't stop trying to be as safe and secure as they can be, but all banks engaged in online banking activities have simply got to start with them as a baseline and treat them with the utmost seriousness.
  • I'm a little surprised that the settlement agreement did not contain a confidentiality provision that would have prevented the parties or their counsel from publicly discussing the amount of the settlement. In this case, Rogers states that the plaintiff received from the bank all of its lost funds, plus interest (the maximum recover permitted by the UCC), "and a little extra." 

Rogers also correctly states that because the maximum recovery is limited by statute, and the losses are often substantial, many plaintiffs that are small businesses may not have the financial resources to fund lengthy litigation against a financial institution with greater financial resources. In this case, the lawyers had a "great client." In other words, one with pockets deep enough to wage war. Plaintiffs' lawyers love deep pocketed clients. Come to think of it, so do defense lawyers.

09:41 PM in Banking Law-General, Compliance, Consumer Law-General, Contracts, Crime, Deposits, Electronic Banking, FFIEC, Litigation, Risk Management, State Law, Web/Tech | | Comments (0) | TrackBack (0)

May 15, 2012

Let Me Just Clarify That Point

ClarityMy post of the day before yesterday, concerning a "warranty" offered by Greenway Solutions that would cover a portion of losses suffered by a bank's business customer by reason of an online account takeover (provided the customer uses an approved online security product from a third-party vendor), caused Jon Meyer of Greenway Solutions to reach out to me. Jon wanted to discuss some points I raised in my story and to provide some clarification. After a very pleasant telephone conversation, I offered to supplement my previous post with additional information and clarification.

As to my question about the fees paid by the customer and the bank to Greenway Solutions, Chartis, and the security software providers, Jon informed me that Greenway Solutions will launch this solution with $24.95 per-month "all-in" pricing. In other words, the cost of the service is a total of $24.95 a month. The customer would pay that cost to Greenway Solutions, and that would be the only cost paid. Of course, the customer's bank could decide to pay that cost, if it wished to do so, for competitive reasons.

Jon also wanted to emphasize that business customers do not have the equivalent protection afforded to consumers by Regulation E (no liability for unauthorized funds transfers provided the customer reports the unauthorized nature of the transfer within time limits established by Regulation E). He also made the point that Article 4A, Section 202, of the Uniform Commercial Code provides little practical protection for unauthorized "payment orders," because in the vast majority of cases of account takeover, (1) the customer has expressly agreed in writing with the bank to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with a security procedure chosen by the customer, which, under the Code, makes the security procedure "commercially reasonable"; and (2) the unauthorized payment order is usually made in compliance with such security procedure because the crooks have penetrated the customer's computer system and gained access to the information needed to compromise those security procedures. You'll continue to have lawsuits brought by victimized customers that allege that the security procedures of the bank were not "commercially reasonable," notwithstanding the terms of the applicable account agreement (perhaps because the security procedures do not comply with the mutli-factor authentication guidance of the FFIEC), but  that fight is in most cases an uphill battle for the customer. Counting on banks to settle in order to avoid reputational risk is cold comfort. Therefore, I agree that there is value in "incentivizing" business customers to add additional software security solutions and to cover at least some of the financial risk with "insurance." Although I'm not endorsing Greenway Solutions' specific product, I'm in favor of exploring creative answers to a problem is that is not going to be resolved anytime soon.

As to my wisecrack about vendor's collecting fees and denying liability, Jon wanted me to point out that this stance is not unusual in the software security vendor "space" given the "price point" ($24.95 a month). I agree that it's not unusual. Technology service providers, especially those that collect relatively low monthly fees for providing a standardized product, will generally provide indemnification against intellectual property infringement claims that arise out of the use of their technology within the limitations on use contained in their license agreement, but generally aren't going to take on additional liability for indemnifcation that could result in the vendor incurring "bet-the-company" damages. Whether or not this is a reasonable position to take, my intent was to point out to banks that because of it, they need to make certain they aren't going to be on the hook for liability caused by the acts or omissions of the vendor or its product.

Plus, I was going for the cheap laugh. It's what I do.

I hope I've now clarified the pertinent points and can return tomorrow to my customary menu of ill-considered snark and off-the-cuff, half-baked opinions of inconsequentiality that my readers have come to expect from this blog.

09:31 PM in Banking Law-General, Blogging, Compliance, Contracts, Crime, Deposits, Electronic Banking, Federal Legislation, FFIEC, Risk Management, State Law, Web/Tech | | TrackBack (0)

Next »

Recent Posts

Archives

More...

Categories