Limiting Bank Liability for Deposit Account Takeover by Following FFIEC Guidance

Written by: Bryce Langford, Summer Associate

The most imminent threats facing banks today are not gun-wielding robbers like John Dillinger and Bonnie and Clyde. Today’s financial institutions face a different kind of threat: cyberattacks. Banks and their customers rely on technology more than ever before. Because so much banking business is conducted online, the threat of cyberattacks on commercial customer deposit accounts is growing rapidly.

The most significant type of cyberattack in the banking industry is called “corporate account takeover,” which occurs when a computer hacker steals a depositor’s online banking credentials and then, acting as the depositor, makes fraudulent outgoing wire transfers. The customer’s funds end up in very faraway places. To the bank, the transactions appear to be authorized by the accountholder and valid. By the time the bank and depositor realize there has been a theft, it is usually too late to recover the funds. Who bears the loss—the bank or the customer? Laws and regulations in the last decade have increased the liability of banks that do not take the proper preventative measures against corporate account takeover. This article examines those laws and regulations, and discusses how banks can best manage the risk of account takeovers.

The UCC rules. Under Article 4A of the Uniform Commercial Code (“UCC”), the general rule is that the loss falls on the bank for an unauthorized outgoing wire, even if it appears to the bank that the transaction has been authorized. However, there are two exceptions to this rule: (1) the depositor fails to report the unauthorized debits to its account within one year and (2) the bank has in place a “commercially reasonable security procedure” to protect against hacking, the security procedure is embodied in a contract between bank and customer, and the bank accepted the outgoing wire in good faith and in compliance with the security procedure. The rules governing the second exception have been heavily litigated; they are codified in UCC 4A-201 through 4A-204.

The FFIEC guidance. To determine what is a commercially reasonable security procedure, the Federal Financial Institutions Examination Council (“FFIEC”) periodically releases “guidance” to help banks to “identify and mitigate cyberattacks.” The most recent guidance was issued on March 30, 2015. It includes eight “risk mitigation” recommendations for financial institutions. This is a must-read for bankers.

  1. Financial Institutions should securely configure systems and services. 
  2. Financial Institutions should review, update, and test incident response and business continuity plans.
  3. Financial Institutions should conduct ongoing information security risk assessments.
  4. Financial Institutions should perform security monitoring, prevention, and risk mitigation.
  5. Financial Institutions should protect against unauthorized access. 
  6. Financial Institutions should implement and test controls around critical systems regularly. 
  7. Financial Institutions should enhance information security awareness and training programs.
  8. Financial Institutions should participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.

The expectation of layered security. The eight recommendations set out by the FFIEC in 2015 expand upon earlier recommendations issued in 2005 and 2011. One of the most important aspects of the earlier guidance was the FFIEC’s recommendation of layered security. The 2011 Guidance described layered security as “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” The FFIEC recommends that financial institutions use more than a single layer of customer authentication. The most common example of a single layer of authentication is requiring a customer’s username and password. The FFIEC expects more security layers than password authentication alone. Financial institutions should consult the FFIEC guidelines for examples of other layers of authentication.

The FFIEC guidelines set forth two particularly important types of layered security: (1) the use of dual-factor authentication such as usernames/passwords plus tokens, callback or challenge questions and (2) the use of software to detect out-of-pattern transactions involving outgoing wires. Keep in mind that the courts use the FFIEC guidance to determine whether the bank’s security procedure was commercially reasonable and in good faith. Courts sometimes confuse commercially reasonable and good faith. By employing layered security and complying with the FFIEC Guidance, banks can show their security procedures were commercially reasonable and in good faith. Layered security is one of the best ways to protect a financial institution from civil liability as well as protect customers’ assets from the threats of deposit account takeover.

How the courts are resolving cyberattack disputes: the two key cases. There are two key federal appellate decisions in this area—one in favor of the customer and the other in favor of the bank. In 2012, the First Circuit held that a bank’s security procedure was not commercially reasonable even though it used dual-factor authentication. In Patco Construction Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012), the bank employed multiple security procedures to comply with the 2005 FFIEC guidance, but it lost the case because at least one procedure was counter-productive.

Most notably, the security company’s software allowed banks to set a threshold amount for transactions that would trigger a security challenge question to authenticate the transaction. Initially, the bank in Patco set the threshold at $100,000. The bank later lowered the threshold to $1, effectively requiring security challenge questions on every internet transaction. The bank argued that this raised the level of security because it required answering security questions for every transaction. In 2009, a hacker obtained a customer’s banking information and authenticated a series of transactions close to $600,000. The bank was unable to retrieve $243,406 of these funds.

The First Circuit held that the lower threshold of $1 triggering the challenge questions hurt customers by increasing the risk of fraud. The court’s rationale was that requiring challenge questions on every transaction gave hackers more opportunity to capture the vital information. The court also held that the bank did not have a practice of closely monitoring all transactions, even when it had warning that fraud was occurring. The court held that these failures, taken as a whole, showed that the bank’s security procedure was not commercially reasonable. This First Circuit case is significant because it shows that employing multi-layered authentication may still not insulate financial institutions from liability.

In contrast to the First Circuit’s decision, a 2014 case from the Eighth Circuit ruled in favor of the bank. In Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the Eighth Circuit ruled that the bank’s security procedure was commercially reasonable and the bank acted in good faith. The bank provided four security measures for its customers. The first was a simple ID and password requirement. The second was authentication software that monitored the customer’s IP address and other identifying information about the customer’s computer. This allowed the bank to ensure that the same computers were authorizing the transactions; if another computer or IP address was used, then the user had to correctly answer challenge questions. The third security layer allowed customers to place dollar limits on wire transfers. The fourth layer was called “dual control.” This measure required every outgoing wire transfer to be authenticated by two separate users with distinct IDs and passwords.

The Eighth Circuit held that the bank’s four levels of security authentication were commercially reasonable, even though the customer in the case had rejected two of them. The court noted that the Uniform Commercial Code releases a bank from liability if a security procedure is offered to a customer and the customer declines the procedure in writing and agrees to a different procedure. This effectively shifts the liability to the customer. The court rejected the argument that to be “commercially reasonable,” a security procedure must include a human being manually reviewing every payment order submitted to the bank. Further, the court found that the bank acted in good faith, and pursuant to agreement, in accepting the outgoing wires.

Importantly, the Eighth Circuit relied on the FFIEC guidance as a test for determining what is a commercially reasonable security procedure. The court called the FFIEC guidance the “primary authority” in measuring the reasonableness of a security measure. This is important for financial institutions to note, since the courts are relying heavily upon the FFIEC guidelines when considering liability in cases of cyberattacks.
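As an added illustration that is not part of the article or either court’s record, the following Python sketch models the four Choice Escrow layers as checks applied to an outgoing wire order, together with the out-of-pattern transaction detection the FFIEC guidance calls for; the challenge step is triggered by risk signals rather than fired on every order, the design the Patco court faulted. Profile fields, thresholds, function names and sample data are assumptions made for the example.

```python
"""Layered controls for an outgoing wire order (constructed example).
Layer 1 (ID/password) is assumed to have been checked at login."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple

@dataclass
class CustomerProfile:
    known_devices: Set[str]        # device fingerprints seen on prior logins
    known_ips: Set[str]            # source IPs seen on prior logins
    wire_limit: Optional[float]    # per-wire cap chosen by the customer (layer 3)
    dual_control: bool             # a second user must approve (layer 4)
    past_amounts: List[float]      # history of accepted wire amounts
    past_beneficiaries: Set[str]   # beneficiary accounts paid before

@dataclass
class WireRequest:
    amount: float
    beneficiary: str
    device_id: str
    ip: str
    approvers: Tuple[str, ...]     # user IDs that approved the order

@dataclass
class Decision:
    status: str                    # "ACCEPT", "HOLD" (manual review) or "REJECT"
    challenge: bool                # step-up challenge questions required first
    reasons: List[str] = field(default_factory=list)

def out_of_pattern_flags(profile, req, min_history=5, sigma=3.0):
    """Signals that the wire departs from the customer's own history."""
    flags = []
    hist = profile.past_amounts
    if len(hist) >= min_history:
        mu, sd = mean(hist), pstdev(hist)
        if req.amount > mu + sigma * sd:
            flags.append(f"amount {req.amount:.2f} exceeds baseline {mu:.2f} + {sigma} sd")
    elif hist and req.amount > 5 * max(hist):
        flags.append("amount far above any prior wire (thin history)")
    if req.beneficiary not in profile.past_beneficiaries:
        flags.append("first payment to this beneficiary")
    return flags

def evaluate_wire(profile, req):
    d = Decision("ACCEPT", challenge=False)
    # Layer 2: device/IP recognition. Step-up is risk-triggered; asking the
    # challenge questions on every order is what the Patco court faulted.
    if req.device_id not in profile.known_devices or req.ip not in profile.known_ips:
        d.challenge = True
        d.reasons.append("unrecognised device or IP: step-up challenge required")
    # Layer 3: the customer-chosen dollar limit is a hard stop.
    if profile.wire_limit is not None and req.amount > profile.wire_limit:
        d.status = "REJECT"
        d.reasons.append(f"amount exceeds customer wire limit {profile.wire_limit:.2f}")
        return d
    # Layer 4: dual control needs two distinct approvers, not one user twice.
    if profile.dual_control and len(set(req.approvers)) < 2:
        d.status = "REJECT"
        d.reasons.append("dual control: a second, distinct approver is required")
        return d
    # Out-of-pattern detection: hold for review instead of releasing funds.
    flags = out_of_pattern_flags(profile, req)
    if flags:
        d.status = "HOLD"
        d.reasons.extend(flags)
    return d

# Constructed sample customer (not real data).
SAMPLE_PROFILE = CustomerProfile(
    known_devices={"dev-a1"}, known_ips={"203.0.113.7"},
    wire_limit=50_000.0, dual_control=True,
    past_amounts=[1000.0, 1200.0, 900.0, 1100.0, 1000.0],
    past_beneficiaries={"acct-vendor-1"},
)

def demo():
    """Run five constructed orders through the layers and return the decisions."""
    cases = {
        "routine": WireRequest(1000.0, "acct-vendor-1", "dev-a1", "203.0.113.7", ("alice", "bob")),
        "new_device": WireRequest(1000.0, "acct-vendor-1", "dev-zz", "198.51.100.9", ("alice", "bob")),
        "over_limit": WireRequest(60_000.0, "acct-vendor-1", "dev-a1", "203.0.113.7", ("alice", "bob")),
        "single_approver": WireRequest(1000.0, "acct-vendor-1", "dev-a1", "203.0.113.7", ("alice", "alice")),
        "unusual": WireRequest(45_000.0, "acct-new-9", "dev-a1", "203.0.113.7", ("alice", "bob")),
    }
    return {name: evaluate_wire(SAMPLE_PROFILE, r) for name, r in cases.items()}

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:16s} {d.status:7s} challenge={d.challenge} {d.reasons}")
```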

Conclusion. Cases involving cybersecurity and financial institutions are sure to continue to flow in the coming years as customers and banks increasingly rely upon technology for conducting business and hackers increase in their ability to conduct cyberattacks. One of the best ways for a bank to protect itself against liability is to take actions and measures that are in accord with the FFIEC guidance, including the 2015 version. As technology changes, so will the requirements of the FFIEC. Notably, the most recent guidance recommends that financial institutions share with one another, in forums, how to mitigate cybersecurity threats. The courts have yet to litigate what exactly these forum-sharing recommendations mean, but financial institutions should be on notice that this is just one of the new requirements set out by the FFIEC. The best course of action for financial institutions is to work with legal counsel to ensure the institution is up to date with the guidance issued by the FFIEC. Although the 2015 guidance attests that it “does not contain any new regulatory expectations,” experience shows that bank compliance with the new guidance is the best way to manage the risk of deposit account takeover. The attorneys of Stinson Leonard Street’s Banking and Financial Services division have extensive experience in this area of law, and financial institutions are encouraged to reach out to such experts.

June 30, 2015 at 4:07 pm

CFPB Plans Delay of Know Before You Owe Rule

Written by: David Kantor

Residential mortgage originators struggling to meet the August 1, 2015 implementation date for the new Truth-in-Lending RESPA Integrated Disclosure Rule received a reprieve yesterday.

CFPB Director Richard Cordray issued the following statement on the Know Before You Owe mortgage disclosure rule:

The CFPB will be issuing a proposed amendment to delay the effective date of the Know Before You Owe rule until October 1, 2015. We made this decision to correct an administrative error that we just discovered in meeting the requirements under federal law, which would have delayed the effective date of the rule by two weeks. We further believe that the additional time included in the proposed effective date would better accommodate the interests of the many consumers and providers whose families will be busy with the transition to the new school year at that time.

The public will have an opportunity to comment on this proposal and a final decision is expected shortly thereafter.


On June 24 the CFPB published its proposed rule for extending the effective date for implementation of the Know Before You Owe Rule to October 3, 2015.  The public has until July 7 to submit comments.

See full release here.

June 18, 2015 at 1:42 pm

Please join us for the 2015 Banking Conference

Please join us for the 2015 Banking Conference on Wednesday, May 6. This informative event will include discussion on recent developments in the banking industry. Topics will include:

  • Bankruptcy Risk
  • Domestic Holds on Deposit Accounts
  • Keeping the Guarantor on the Hook
  • Spousal Guarantees
  • Deposit Account Takeovers
  • Consumer Financial Services
  • Tax Credit Finance
  • Banking Marijuana Businesses
  • Vendor Diligence and Contracting
  • ACH Origination Fraud Risk
  • M&A Update

In addition, attendees will hear from a panel of banks and regulators on a variety of top bank issues and concerns.

This seminar will be presented live from our Kansas City, Minneapolis and Denver offices and video-conferenced to our St. Louis, Wichita, Phoenix and Omaha offices. Registration begins at 1PM (CDT). The seminar starts at 1:30PM (CDT) and will be followed by a reception at 5PM (CDT).


View the full agenda online.

Visit our website for exact office locations.

CLE credit is approved in:

  • NE: 3.25 hours (open)
  • KS: 3.5 hours (open)
  • MO: 3.9 hours
  • AZ: 3.25 hours
  • MN & CO: pending

April 22, 2015 at 10:40 am

Supreme Court Issues Significant Decision Interpreting Truth In Lending Act

Written by: Evan Berquist

In a unanimous decision issued on January 13 of this year, the Supreme Court held that a borrower exercises its right to rescind a loan under Section 1635 of the Truth In Lending Act (“TILA”), simply by notifying its creditor of its intent to rescind within TILA’s three-year limitation period.   See Jesinoski v. Countrywide Home Loans, Inc., No. 13-684, 574 U. S. ___, ___, (2015) (slip op., at 3). The Court reversed a decision by the Eighth Circuit, which held that a borrower could exercise its rights only if it filed a lawsuit within the three-year period. Before Jesinoski, courts were divided about what was required to exercise a borrower’s rights under the statute: five circuits held that a borrower must file a lawsuit, while only three circuit courts held that mere notice was sufficient. Jesinoski thus resolved an important circuit split decisively in favor of the borrowers.

Truth In Lending Act (“TILA”), 15 U. S. C. §§ 1601 et seq.

Congress first passed TILA in 1968, in order to help consumers “avoid the uninformed use of credit, and to protect the consumer against inaccurate and unfair credit billing.” 15 U. S. C. § 1601(a). Among other things, the Act and its implementing regulations require lenders to provide certain mandatory disclosures to consumers in mortgage loan transactions. TILA also grants borrowers the right to rescind loan transactions within given time periods. For up to three days following the closing of a loan transaction, borrowers can rescind the loan for any reason. If the lender failed to make the disclosures required by TILA, however, the borrower has three years to rescind the loan. See 15 U.S.C. § 1635(f). The question presented in this case was what the borrower has to do to exercise its rights of rescission within the 3-year period.

Factual Background

In 2007, the Jesinoskis closed a loan transaction with Countrywide Financial Services, Inc. (“Countrywide”). Exactly three years after closing the transaction, the borrowers mailed notice to Countrywide of their intention to rescind the loan. One year and one day after that—or four years and a day after the loan closing—the Jesinoskis filed suit against Countrywide, seeking to rescind the loan.

Proceedings Below

In federal district court, Countrywide moved for summary judgment, arguing that the borrowers had failed to satisfy the Act’s limitation period. The district court agreed, citing binding precedent in the Eighth Circuit that “a suit for rescission filed more than three years after consummation of an eligible transaction is barred by TILA’s statute of repose.” The Eighth Circuit affirmed.

The Supreme Court’s Opinion

In a unanimous opinion authored by Justice Scalia, the Supreme Court reversed. The Court resolved the case as a matter of simple statutory construction. In particular, the Court relied on 15 U.S.C. § 1635(a), which provides that a borrower “shall have the right to rescind . . . by notifying the creditor, in accordance with regulations of the Board, of his intention to do so.”*  This language, the Court held, “leaves no doubt that rescission is effected when the borrower notifies the creditor of its intention to rescind.” The entire opinion went on for less than six pages, one of the shortest to be issued this Term.

In its opinion, the Court quickly rejected Countrywide’s arguments that rescission could result only from a lawsuit or judicial action. As Countrywide pointed out, under the common law doctrine of rescission, the borrower had to either tender the amount it had received to the lender (rescission at law) or receive a judicial decree of rescission (rescission at equity). The Court held that nothing in the Act, or in the Court’s jurisprudence, modifies “the clear import of 1635(a) . . . that a borrower need only provide written notice to a lender in order to exercise its right to rescind.”

Advocates for the financial services industry warn that the decision will harm consumers in the long run, by adding to clouds on title, incentivizing needless litigation, and injecting uncertainty into the mortgage market. As Countrywide argued in its brief, the circumstances presented in the Jesinoskis’ case—where a borrower sends notice of its intent to rescind but fails to bring a lawsuit within that time—already represented a “narrow, though frequently reprised, set of circumstances.” Following the Supreme Court’s decision, those circumstances are likely to become significantly more common. From now on, any bank that receives notice of a borrower’s intent to rescind a loan within three years of a loan closing should at least be prepared for the possibility of litigation.

* Following the events of this case, in 2010 Congress transferred rulemaking authority under the Act from the “Board” (Federal Reserve Board) to the Consumer Financial Protection Bureau. See Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, as amended.

January 27, 2015 at 8:58 am

Proposed Reg E Amendments: Prepaid Cards

Written by: Greg Johnson

The Bureau of Consumer Financial Protection (CFPB) recently issued proposed regulations that would amend Regulation E (12 CFR part 1005 et seq.) and Regulation Z (12 CFR part 1026 et seq.).  The proposed regulations would adopt specific disclosure, periodic statement, limited liability, error resolution and other requirements for prepaid cards and accounts.


In its release of the proposed regulations, the CFPB noted that, among all non-cash payment forms (such as credit, debit, and check), usage of prepaid cards and accounts increased at the fastest rate from 2009 to 2012, reaching 9.2 billion transactions in 2012.  The amount loaded to general purpose reloadable (GPR) cards grew from $1 billion in 2003 to $65 billion in 2012, and is projected to reach $98 billion in 2014.  The CFPB also recited several positive attributes of prepaid cards and accounts, including their popularity among individuals who do not have traditional bank accounts.

As currently in effect, Regulation E applies to payroll cards, gift cards, and cards that accept government loads but does not apply to other prepaid cards or accounts.  The CFPB stated that prior regulations did not address other types of prepaid cards or accounts due to the wide variety of types and usage.  In an apparent response to the increased usage of prepaid cards and the perceived lack of consumer protection under Regulation E for other types of prepaid cards and accounts, the CFPB proposes to amend Regulation E so that it would generally apply to all prepaid cards and accounts on a consistent basis.

Proposed Amendments

Prepaid Account.  As proposed, Regulation E would generally apply to a Prepaid Account, which is defined as any card, code or other device that is established primarily for personal, family or household purposes and that satisfies each of the following criteria: (i) it is issued on a prepaid basis in a specific amount or is capable of being loaded with funds after issuance, (ii) it is redeemable upon presentation at multiple, unaffiliated merchants for goods or services, usable at ATMs or usable for person-to-person transfers, and (iii) it is not a gift card or a loyalty, award or promotional gift card that is marketed and labeled as such.  Prepaid Accounts do not include HSAs, flexible spending accounts, medical savings accounts or health reimbursement arrangements.

Fee Disclosure Requirements.  Issuers would generally be required to provide two fee disclosures before a consumer agrees to acquire a Prepaid Account.  The first disclosure would highlight certain fees, such as periodic, per-purchase, and inactivity fees.  The second disclosure would set forth all of the fees and the conditions under which the fees could be imposed.

Transaction Information.  Issuers would generally be required to provide periodic statements or, in the alternative, make available the account balance through a readily available telephone line and at a terminal, an electronic history of account transactions that covers at least 18 months, and a written history of account transactions that covers at least 18 months upon request.  Issuers would be required to disclose monthly and annual summary totals of fees imposed, as well as the total amount of loads to and debits from the prepaid account, when providing a periodic statement or account history.

Limitation of Liability/Error Resolution.  Regulation E provides that a consumer may be liable for an unauthorized transfer only if the issuer has provided certain disclosures and other conditions are satisfied.  Regulation E also limits the amount of liability that may be imposed on the consumer.  With certain modifications, this regime would be extended to all Prepaid Accounts.

Credit Features.  If overdraft services or other credit features are offered in connection with a Prepaid Account, the services would generally be subject to Regulation Z’s open end credit rules, including (i) obtaining the consumer’s consent to add such services and waiting at least 30 days until after card registration to add such services, (ii) obtaining the customer’s consent to an automatic repayment plan, (iii) under an authorized repayment plan, not deducting payments more frequently than once per calendar month, (iv) providing periodic statements at least 21 days in advance of the payment due date, and (v) complying with error resolution and limited liability provisions that are more consumer-protective than those under Regulation E.

The full version of the proposed regulations may be found at:

The CFPB invited public comments regarding the proposed regulations.  Please contact your regular SLS lawyer if you have any questions regarding the proposed regulations or if you would like assistance in submitting comments to the CFPB.

December 15, 2014 at 11:23 am


Removing the Non-Payment Testing Period Should Provide Clarity to Borrowers, Banks, Credit Unions and Other Financial Institutions

December 4, 2014 at 1:39 pm

“Ticking TRUPs” Threaten Bank Holding Companies

Written by: Mike W. Lochmann

Trust preferred securities (TRUPs), the hybrid security that counted as Tier 1 regulatory capital but generated tax-deductible interest payments, were a favored source of capital for community banks. When the financial crisis hit, many bank holding companies (BHCs) with troubled bank subsidiaries exercised the right to defer interest payments on their outstanding TRUPs for up to five years. Interest continued to accrue during the deferral period, but the deferral was not a default and there was nothing that the TRUPs holder could do but wait. Many deferral periods that began late in 2009 and early in 2010 are about to expire. TRUPs holders, long shackled by contractual standstill covenants, are about to be unleashed to exercise their creditor rights against the troubled BHCs that issued the TRUPs.

Deferred Interest Becomes Due and Payable. In most cases, the five years of deferred interest on the TRUPs becomes due and payable in full when the deferral period ends. If the accrued interest is not paid, then the TRUPs holders may declare a default, accelerate the principal and demand immediate repayment of all principal and accrued interest on the TRUPs. The trustee for the unpaid TRUPs has all the rights of an unsecured creditor, may obtain a judgment against the BHC and can force the BHC (but not its subsidiary bank) into bankruptcy, which has already happened to at least three BHCs.

Dividends from Subsidiary Bank. The obvious solution is for the BHC to pay all accrued interest on the TRUPs when the deferral period ends (after which a new five-year deferral period could begin). In many cases, however, the BHC may not have millions of dollars of liquid assets available to pay the accrued interest. The BHC may be dependent upon dividends from its subsidiary bank to make the interest payment due on the TRUPs. All of the accrued and unpaid interest may, in effect, be capital of the subsidiary bank (because during the deferral period, dividends were not paid by the bank to the BHC to pay the interest on the TRUPs). This retention of capital strengthened the subsidiary bank, helping it recover from the financial crisis. The subsidiary bank may no longer be in a troubled condition, but in many cases it will not have excess capital sufficient to pay an extraordinary dividend and remain well capitalized. The OCC and FDIC may be unwilling to approve an extraordinary dividend from the bank to the holding company. Also, the Federal Reserve may not permit a troubled BHC to pay the accrued interest due on the TRUPs.

Proceeds of Stock Offering. Some BHCs may raise funds to repay TRUPs accrued interest by issuing new common stock. Convertible preferred stock is preferred by some private equity funds. A stock offering will usually dilute existing shareholders, but is generally preferable to a default on the TRUPs.

If the BHC and/or subsidiary bank are still in a troubled condition, regulators may prohibit the BHC from using the proceeds of a stock offering to pay the TRUPs interest. The Federal Reserve could direct a troubled BHC to retain such proceeds to be a source of strength to the subsidiary bank. In one instance, the Federal Reserve permitted a BHC to issue stock with proceeds placed in escrow and used by the escrow agent (not the BHC) to pay the TRUPs accrued interest. The Federal Reserve has indicated that structure may not be permitted in the future.

Merger with Acquiror. Another alternative is for the BHC to sell by merging with a financially stronger BHC. In that case, TRUPs indentures generally require that the buyer assume all the obligations of the seller under the TRUPs. TRUPs holders have been unwilling in most cases to negotiate any discount with the buyer. The result is a lower price for the selling BHC’s shareholders. In most cases, the TRUPs indenture prohibits the BHC from selling or merging its subsidiary bank unless the acquiring bank and BHC assume all the seller’s TRUPs obligations.

Downsizing the Bank. TRUPs indentures generally do not prohibit the subsidiary bank from selling its assets or branches. A bank may raise capital by selling deposits and branches, shrinking its balance sheet and increasing its regulatory capital ratios. If the downsized bank remains viable and well capitalized, banking regulators may approve a dividend of any resulting excess capital to the BHC.

Section 363 Sale in Bankruptcy. If a BHC cannot receive dividends from its subsidiary bank, use proceeds from a stock offering or merge with another BHC, then the BHC must consider a holding company bankruptcy as a possible solution. If the subsidiary bank is viable, but the BHC is illiquid, then the debtor BHC may engage in a Section 363 sale (named after the bankruptcy code section authorizing such sales) of its subsidiary bank. Under bankruptcy court supervision, the BHC may sell the stock of its subsidiary bank free and clear of the BHC’s debts (including the TRUPs). Proceeds from the sale of the bank stock are then distributed according to the bankruptcy code:

  • First, to any secured bank stock lender
  • Second, to unsecured creditors, including TRUPs
  • Third, to any preferred stockholders
  • Fourth, any remainder to the common stockholders.

Holders of defaulted TRUPs may initiate an involuntary bankruptcy, but strategically, the BHC may want to file a voluntary bankruptcy. This is more likely to result in a favorable sales price for the subsidiary bank. The debtor BHC can pre-arrange for a stalking horse acquiror to submit a reasonable and competitive bid to purchase the stock of the subsidiary bank. Creditors, shareholders and third parties are then given a limited amount of time to top the stalking horse bid for the bank stock, usually in a bankruptcy court auction. The highest bidder purchases the stock of the bank, and receives a bankruptcy court order that it acquired the stock free and clear of all liens and claims of third parties (including the TRUPs).

Section 382 Recapitalization in Bankruptcy. A BHC with significant net operating losses (NOLs) may pursue a Section 382 bankruptcy transaction. In this complex tax-driven transaction, the debtor BHC retains and recapitalizes its subsidiary bank, cleans the BHC balance sheet and preserves the economic value of its NOLs. Under bankruptcy court supervision, the BHC converts the TRUPs and other BHC debt into equity (in which the existing common shareholders are severely diluted or wiped out). The BHC then raises new equity from investors, which must constitute less than 50 percent of total equity. The reorganized and debt-free BHC then operates the recapitalized subsidiary bank and uses its NOLs to shelter income and increase capital and value until the BHC and bank are subsequently sold.

Conclusion. Troubled BHCs and healthy but illiquid BHCs that have TRUPs deferral periods about to expire face unique problems. There are various ways to address such problems, but careful advance planning is required. BHCs that do not have a plan to deal with their maturing TRUPs may lose control to the TRUPs trustee and the bankruptcy court.

This article first appeared in Issue #18-November 2014 of the Western Independent Bankers CFO & Finance Digest linked here.

November 19, 2014 at 10:31 am

Produced and maintained by Stinson Leonard Street: a legal resource for the banking & financial services industry.
