Posts filed under ‘Small Business/SBA/Community Banks’
Written by: Bryce Langford, Summer Associate
The most imminent threats facing banks today are not gun-wielding robbers like John Dillinger and Bonnie and Clyde. Today’s financial institutions face a different kind of threat—cyberattacks. Banks and their customers rely on technology more than ever before. Because so much banking business is conducted online, the threat of cyberattacks on commercial customer deposit accounts is increasing rapidly.
The most significant type of cyberattack in the banking industry is called “corporate account takeover,” which occurs when a computer hacker steals a depositor’s online banking credentials and then, acting as the depositor, makes fraudulent outgoing wire transfers. The customer’s funds end up in very far-away places. To the bank, the transactions appear to be valid and authorized by the accountholder. By the time the bank and depositor realize there has been a theft, it is usually too late to recover the funds. Who bears the loss—the bank or the customer? Laws and regulations in the last decade have increased the liability of banks that do not take proper preventive measures to protect against corporate account takeover. This article examines those laws and regulations, and discusses how banks can best manage the risk of account takeovers.
The UCC rules. Under Article 4A of the Uniform Commercial Code (“UCC”), the general rule is that the loss falls on the bank for an unauthorized outgoing wire, even if it appears to the bank that the transaction has been authorized. However, there are two exceptions to this rule: (1) the depositor fails to report the unauthorized debits to its account within one year and (2) the bank has in place a “commercially reasonable security procedure” to protect against hacking, the security procedure is embodied in a contract between bank and customer, and the bank accepted the outgoing wire in good faith and in compliance with the security procedure. The rules governing the second exception have been heavily litigated; they are codified in UCC 4A-201 through 4A-204.
The FFIEC guidance. To determine what is a commercially reasonable security procedure, the Federal Financial Institutions Examination Council (“FFIEC”) periodically releases “guidance” to help banks to “identify and mitigate cyberattacks.” The most recent guidance was issued on March 30, 2015. It includes eight “risk mitigation” recommendations for financial institutions. This is a must-read for bankers.
- Financial Institutions should securely configure systems and services.
- Financial Institutions should review, update, and test incident response and business continuity plans.
- Financial Institutions should conduct ongoing information security risk assessments.
- Financial Institutions should perform security monitoring, prevention, and risk mitigation.
- Financial Institutions should protect against unauthorized access.
- Financial Institutions should implement and test controls around critical systems regularly.
- Financial Institutions should enhance information security awareness and training programs.
- Financial Institutions should participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
The expectation of layered security. The eight recommendations set out by the FFIEC in 2015 expand upon earlier recommendations issued in 2005 and 2011. One of the most important aspects of the earlier guidance was the FFIEC’s recommendation of layered security. The 2011 Guidance described layered security as “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” The FFIEC recommends that financial institutions use more than a single layer of customer authentication. The most common example of a single layer of authentication is requiring a customer’s username and password. The FFIEC requires more security layers than simply requiring password authentication. Financial institutions should consult the FFIEC guidelines for examples of other layers of authentication.
The FFIEC guidelines set forth two particularly important types of layered security: (1) the use of dual-factor authentication such as usernames/passwords plus tokens, callback or challenge questions and (2) the use of software to detect out-of-pattern transactions involving outgoing wires. Keep in mind that the courts use the FFIEC guidance to determine whether the bank’s security procedure was commercially reasonable and in good faith. Courts sometimes confuse commercially reasonable and good faith. By employing layered security and complying with the FFIEC Guidance, banks can show their security procedures were commercially reasonable and in good faith. Layered security is one of the best ways to protect a financial institution from civil liability as well as protect customers’ assets from the threats of deposit account takeover.
How the courts are resolving cyberattack disputes: the two key cases. There are two key federal appellate decisions in this area—one in favor of the customer and the other in favor of the bank. In 2012, the First Circuit held that a bank’s security procedure was not commercially reasonable even though it used dual-factor authentication. In Patco Construction Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012), the bank employed multiple security procedures to comply with the 2005 FFIEC guidance, but it lost the case because at least one procedure was counter-productive.
Most notably, the security company’s software allowed banks to set a threshold amount for transactions that would trigger a security challenge question to authenticate the transaction. Initially, the bank in Patco set the threshold at $100,000. The bank later lowered the threshold to $1, effectively requiring security challenge questions on every internet transaction. The bank argued that this raised the level of security because it required answering security questions for every transaction. In 2009, a hacker obtained a customer’s banking information and authenticated a series of transactions close to $600,000. The bank was unable to retrieve $243,406 of these funds.
The First Circuit held that the lower threshold of $1 triggering the challenge questions hurt customers by increasing the risk of fraud. The court’s rationale was that requiring challenge questions on every transaction gave hackers more opportunity to capture the vital information. The court also held that the bank did not have a practice of closely monitoring all transactions, even if it had warning that fraud was occurring. The court held that these failures, taken as a whole, showed that the bank’s security procedure was not commercially reasonable. This First Circuit case is significant because it shows that employing multi-layered authentication may still not insulate financial institutions from liability.
In contrast to the First Circuit’s decision, a 2014 case from the Eighth Circuit ruled in favor of the bank. In Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the Eighth Circuit ruled that the bank’s security procedure was commercially reasonable and the bank acted in good faith. The bank provided four security measures for its customers. The first was a simple ID and password requirement. The second was authentication software that monitored the customer’s IP address and other specific information about the customer’s computer. This allowed the bank to ensure that the same computers were authorizing the transactions; if another computer or IP address was used, then the user had to correctly answer challenge questions. The third security layer allowed customers to place dollar limits on wire transfers. The fourth layer was called “dual control.” This measure required every outgoing wire transfer to be authenticated by two separate users with distinct IDs and passwords.
The Eighth Circuit held that the bank’s four levels of security authentication were commercially reasonable, even though the customer in the case had rejected two of them. The court noted that the Uniform Commercial Code releases a bank from liability if a security procedure is offered to a customer and the customer declines the procedure in writing and agrees to a different procedure. This effectively shifts the liability to the customer. The court rejected the argument that to be “commercially reasonable,” a security procedure must include a human being manually reviewing every payment order submitted to the bank. Further, the court found that the bank acted in good faith, and pursuant to agreement, in accepting the outgoing wires.
Importantly, the Eighth Circuit relied on the FFIEC guidance as a test for determining what is a commercially reasonable security procedure. The court called the FFIEC guidance the “primary authority” in measuring the reasonableness of a security measure. This is important for financial institutions to note, since the courts are relying heavily upon the FFIEC guidelines when considering liability in cases of cyberattacks.
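To make the layered-security model concrete, here is an added illustration (not code from any bank, court record, or the FFIEC) of how the control layers discussed above can be combined into a single wire-transfer authorization decision: password login is assumed already done, then a device-fingerprint check that triggers challenge questions only on a mismatch (the second Choice Escrow layer), a customer-set dollar limit (third layer), dual control by two distinct users (fourth layer), and a simple out-of-pattern test against the account’s recent wire history (the detection software mentioned in the FFIEC guidance). The challenge questions are asked only when a risk indicator is present rather than on every transaction, which reflects the First Circuit’s criticism of the $1 threshold in Patco. All names, thresholds and sample data are hypothetical and constructed for the example.

```python
"""Layered wire-transfer authorization check (added illustration, hypothetical).

Models the control layers discussed in the text, not any bank's actual
system.  Sample accounts, devices and wire histories below are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    account_id: str
    known_devices: Set[str]          # device fingerprints seen before (layer 2)
    wire_limit: float                # customer-set per-wire dollar limit (layer 3)
    dual_control: bool               # customer opted in to two-user approval (layer 4)
    recent_wires: List[float] = field(default_factory=list)  # prior amounts, USD
    challenge_threshold: float = 10_000.0  # ask challenge questions only above this
    # Note: setting challenge_threshold to 1.0 would challenge every wire,
    # which is the practice the First Circuit faulted in Patco.


@dataclass
class WireRequest:
    amount: float
    device_fp: str                   # fingerprint of the requesting device
    submitted_by: str
    approved_by: Optional[str] = None        # second user for dual control
    challenge_passed: Optional[bool] = None  # None = not yet asked


def is_out_of_pattern(amount: float, history: List[float], z: float = 3.0) -> bool:
    """Flag an amount far outside the account's recent wire history."""
    if len(history) < 5:
        # Thin history: treat anything over twice the largest prior wire as unusual.
        return amount > 2 * max(history, default=0.0)
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount != mu
    return abs(amount - mu) / sigma > z


def evaluate_wire(acct: Account, req: WireRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is approve, challenge, hold or reject."""
    reasons: List[str] = []

    # Layer 3: hard dollar limit chosen by the customer.
    if req.amount > acct.wire_limit:
        return "reject", [f"amount {req.amount:.2f} exceeds wire limit {acct.wire_limit:.2f}"]

    # Layer 4: dual control requires a second, distinct user to approve.
    if acct.dual_control and (req.approved_by is None or req.approved_by == req.submitted_by):
        return "hold", ["dual control: needs approval by a second distinct user"]

    # Layer 2 plus pattern detection: decide whether challenge questions are warranted.
    need_challenge = False
    if req.device_fp not in acct.known_devices:
        need_challenge = True
        reasons.append("unrecognized device fingerprint")
    if req.amount > acct.challenge_threshold:
        need_challenge = True
        reasons.append("amount above challenge threshold")
    if is_out_of_pattern(req.amount, acct.recent_wires):
        need_challenge = True
        reasons.append("out-of-pattern amount")

    if need_challenge:
        if req.challenge_passed is None:
            return "challenge", reasons
        if not req.challenge_passed:
            # A failed challenge is held for human review rather than silently dropped,
            # so staff can see it; Patco faulted the absence of such monitoring.
            return "hold", reasons + ["challenge failed: hold for manual review"]

    return "approve", reasons or ["within pattern, known device"]


# Constructed sample account: six prior wires clustered around $5,600.
SAMPLE_ACCOUNT = Account(
    account_id="acct-demo-001",
    known_devices={"fp-laptop-01"},
    wire_limit=250_000.0,
    dual_control=True,
    recent_wires=[5000.0, 6000.0, 5500.0, 5200.0, 6100.0, 5800.0],
)

if __name__ == "__main__":
    routine = WireRequest(5700.0, "fp-laptop-01", "alice", approved_by="bob")
    print(evaluate_wire(SAMPLE_ACCOUNT, routine))
    unusual = WireRequest(50_000.0, "fp-laptop-01", "alice", approved_by="bob")
    print(evaluate_wire(SAMPLE_ACCOUNT, unusual))
```

Each layer fails independently of the others, which is the point of the FFIEC definition quoted above: a stolen password alone does not satisfy the device check, a compromised device still needs a second approver, and a second approver cannot push a wire past the customer’s limit or an out-of-pattern amount without a challenge.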
Conclusion. Cases involving cybersecurity and financial institutions are sure to continue to flow in the coming years as customers and banks increasingly rely upon technology for conducting business and hackers improve their ability to conduct cyberattacks. One of the best ways for a bank to protect itself against liability is to take measures that are in accord with the FFIEC guidance, including the 2015 version. As technology changes, so will the requirements of the FFIEC. Notably, the most recent guidance recommends that financial institutions share with one another, in forums, how to mitigate cybersecurity threats. The courts have yet to litigate what exactly these forum-sharing recommendations mean, but financial institutions should be on notice that this is just one of the new requirements set out by the FFIEC. The best course of action for financial institutions is to work with legal counsel to ensure the institution is up-to-date with the guidance issued by the FFIEC. Although the 2015 guidance attests that it “does not contain any new regulatory expectations,” experience shows that bank compliance with the new guidance is the best way to manage the risk of deposit account takeover. The attorneys of Stinson Leonard Street’s Banking and Financial Services division have extensive experience in this area of law, and financial institutions are encouraged to reach out to such experts.
At the request of members of Congress, the Federal Trade Commission (FTC) announced on May 28, 2010 that it would, for the fifth time, delay enforcement of the Identity Theft Red Flags Rule (the Rule). This time, the enforcement date has been pushed back until December 31, 2010. This delay gives Congress time to act on recently introduced legislation that would exempt healthcare, accounting and legal practices with 20 or fewer employees from compliance with the Rule.
Developed under the Fair and Accurate Credit Transaction Act of 2003, the Rule has already been enforced by banking regulators for most financial institutions since November, 2008. The FTC has interpreted enforcement of the Rule as having a surprisingly wide application for the non-financial institution businesses that it regulates. Under the FTC’s interpretation, any business that bills customers after providing goods or services is a “creditor” subject to the Rule. This includes many health care providers, construction companies and other merchants and service providers. If such “creditors” have “covered accounts” (as defined in the Rule), they must adopt an identity theft prevention program. That program must be designed to identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that might indicate identity theft.
It is precisely the wide scope of the FTC’s interpretation of the Rule that has caused the delays. Initially, many businesses did not believe the Rule applied to them. After the FTC opined that many service providers, including attorneys and health care providers, would be subject to the Rule, industry trade associations attempted to limit the application of the Rule through various forums. On October 29, 2009, the American Bar Association secured a decision in federal district court that the Rule does not apply to lawyers, which the FTC is appealing. More recently, in May 2010, the American Medical Association, along with the American Osteopathic Association and the Medical Society of the District of Columbia, filed a lawsuit against the FTC to prevent application of the Rule to physicians after unsuccessfully petitioning the FTC to reconsider its broad interpretation of the Rule. That lawsuit is still pending.
A full copy of the FTC’s May 28, 2010 press release is available here.
The President announced plans today that, if put into action, would lead to the realization of at least some much-needed and long-sought-after assistance for community banks. A copy of the President’s announcement is available here. (Skip to Page 2 for Details).
According to the President’s proposal, which is part of the White House’s “Financial Stability Plan,” the program would target small business lending, but would also offer a mechanism for banks with less than $1 billion in assets to access capital with an annual dividend rate of 3%. The announcement is short on specifics, but here are the basics:
(1) Banks will receive capital in an amount equaling up to 2% of risk-weighted assets;
(2) The annual dividends on the capital will equal 3% for the first five years and 9% thereafter; and
(3) Banks seeking to participate in the program will submit a “small business lending plan” in which the bank explains how additional capital will help increase its lending to small businesses. (Banks approved for the program that elect to participate will also be required to follow up with quarterly reports detailing small business activities).
Over the next few weeks, Treasury will work with community banks and the small business community to hammer out the program’s specifics. Notably, the release contemplates that banks already participating in the capital purchase program will be able to replace existing capital, which carries a 5% dividend (7.7% for S-Corps), with investments under the new program.
The President also announced support for legislation that would increase the size of key Small Business Administration (SBA) loans. The increase would (supposedly) allow the SBA to ensure that more small businesses can get access to credit.
The first prong of the proposed legislation would increase the maximum 7(a) loan from $2 million to $5 million, providing greater access to capital that businesses could use to boost working capital as well as purchase machinery, equipment and real estate.
The second prong of the proposed legislation would increase the maximum 504 project loan from $2 million to $5 million for standard borrowers (supporting a total project of $12.5 million) and from $4 million to $5.5 million for manufacturers (supporting a total project of $13.75 million), thereby increasing the qualifying borrowers’ ability to undertake larger projects.
And the third prong of the proposed legislation would increase the maximum loan size of the SBA microloan programs from $35,000 to $50,000.
FDIC Issues Frequently Asked Questions to Provide Additional Guidance Regarding Sweep Account Disclosure Requirements
On July 6, 2009, the FDIC issued a list of Frequently Asked Questions (FAQs) in response to industry questions regarding sweep account disclosure requirements in 12 C.F.R. § 360.8. These FAQs can be found here in FDIC FIL-39-2009. Notably, the FAQs address the requirements for a properly executed repo sweep arrangement, such that the customer has a perfected security interest in the underlying securities upon the event of a bank failure. This is significant because otherwise the customer’s funds could be treated as uninsured deposits.
Today the FDIC announced that it is seeking public input on whether to extend the Transaction Account Guarantee (TAG) component of the Temporary Liquidity Guarantee Program (TLGP). As you may recall, the FDIC established the TAG program in October 2008 as part of a broader effort to stabilize the nation’s financial system. Under the TAG program, the FDIC guarantees all deposits held in qualifying noninterest-bearing transaction accounts at participating depository institutions. The TAG program is currently set to expire on December 31, 2009.
According to its announcement (available here), the FDIC is seeking input on whether to allow the TAG program to expire as scheduled, on December 31st, or whether to extend the TAG program for six months until June 30, 2010. If extended, depository institutions currently participating in the TAG program would be given the opportunity to opt out. However, any institution opting out of the program would be required to notify its customers that, beginning on January 1, 2010, deposits in qualifying noninterest-bearing transaction accounts would not be covered by the FDIC beyond standard deposit insurance limits.
For institutions that do not opt out of the extended TAG program, the FDIC would increase the fees currently assessed for the program by 10 to 25 basis points during the proposed extension period.