Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

« Tourism Traffic Boosts Prepaid Cards | Main | Mind the Gap: PIN versus Signature Authentication »

August 20, 2012

Finding a Reasonable Definition of Commercially Reasonable

Corporate account takeovers have cost businesses millions of dollars over the last several years. According to 2011 congressional testimony of Gordon Snow, assistant director of the FBI's cyber division, the FBI was at that time investigating more than 400 reported cases of corporate account takeovers. These 400 cases involved the attempted theft of over $255 million, resulting in actual losses of approximately $85 million.

Corporate accounts are not offered the same protections as consumer accounts, which are protected from financial loss from online fraud through the Electronic Funds Transfer Act and Regulation E. Article 4A of the Uniform Commercial Code (UCC) states that as long as a bank adopts commercially reasonable security measures, its business customers are accountable for fraud losses arising from funds transfers. Unfortunately, Article 4A does not provide a definition for "commercially reasonable," which leaves the term open to interpretation.

A recent ruling by a court of appeals reveals one court's opinion on what is commercially reasonable versus unreasonable. Despite the bank's compliance with Federal Financial Institutions Examination Council (FFIEC) guidance, the court found in favor of the bank's customer. In accordance with the FFIEC guidance, the bank employed multifactor authentication and had the capacity to detect and stop possible fraud. However, the court still found the bank's security measures unreasonable due to two factors.

First, the bank failed to consider the circumstances of its customer's frequency and volume of ACH transactions when implementing security measures and developing security procedures. And second, it failed to monitor and provide notice of possible fraudulent transactions to the customer. A key takeaway from this court's opinion is that financial institutions must take a holistic approach to preventing and detecting fraud. Having the proper prevention and detection tools in place is just one aspect of a fraud mitigation strategy. Financial institutions should also have policies and procedures in place to effectively use their deployed resources and technology for the unique circumstances of each of their customers. Unfortunately, a "one-size-fits-all" approach does not work in the fraud prevention arena.

Though the court did not offer an opinion on the customer's obligations in this particular case, it did recognize that commercial customers also have "obligations and responsibilities" under Article 4A of the UCC. So, at least according to this court's opinion, the holistic approach to fraud prevention does not stop with the financial institution. Corporate customers must also incorporate systems and policies to prevent unauthorized access to its financial accounts and other sensitive documents. With corporate account takeover fraud showing no signs of slowing down, it is imperative that financial institutions and their corporate customers discuss each others' roles and obligations to effectively minimize their risks.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 20, 2012 in account takeovers, ACH | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0176175624e1970c

Listed below are links to blogs that reference Finding a Reasonable Definition of Commercially Reasonable:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in