Court Rules Business Responsible for Fraud Losses
Some $440,000 was looted from the BancorpSouth checking account of Missouri-based title company Choice Escrow. That is undisputed.
The legal dispute arose over who is to blame.
But financial institutions are applauding a recent ruling by the Eighth Circuit Court of Appeals in St. Louis.
That’s because the federal appeals court — which serves a district that includes Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota and South Dakota — ruled the loss was the responsibility of Choice Escrow.
Furthermore, the court said the Tupelo, Miss.-based BancorpSouth could seek reimbursement for its legal fees in defending the case.
Francois Henriquez, former CEO of U.S. Central FCU and a Miami attorney who serves a large credit union clientele with Florida-based firm Shutts and Bowen, said the decision “allows for a reallocation of risk on business account holders.”
Henriquez stressed the decision has no applicability to consumer accounts.
The Choice Escrow loss occurred after cyber criminals obtained the company’s account login information. The crooks requested a wire for $440,000 to Bank of New York and from there, it quickly hopped to Cyprus where the money vanished.
BancorpSouth sought the assistance of the FBI, State Department and the U.S. Embassy in Cyprus. The funds could not be located.
BancorpSouth declined to reimburse Choice Escrow for the losses; the escrow company then sued.
Prior to its appeals court loss, Choice Escrow also lost a lower court case in Missouri.
A key point in the case was that BancorpSouth offered Choice Escrow what it called Dual Control on wires, which would have required two different internal staffers to approve transactions. Choice Escrow, citing staffing issues, declined the offer in writing.
Additionally, BancorpSouth offered its business customers, Choice Escrow included, what it called PassMark, which is a device authentication tool that required users to login from an authenticated computer, or to answer challenge questions.
The nature of the Choice Escrow compromise nullified PassMark.
“A Choice employee fell prey to a phishing attack and contracted a computer virus. This virus gave an unknown third party access to the employee’s username and password and allowed the third party to mimic the computer’s IP address and other characteristics,” the appellate court explained in its ruling.
Choice Escrow maintained that BancorpSouth’s wire approval practices were not FFIEC compliant.
The trial court and appeals court both disagreed.
The takeaway for credit unions in the case was that Choice Escrow was offered stepped up security, declined it, and consequently, the resulting loss was its responsibility, not the financial institution’s.
“Article 4A [of the Universal Commercial Code] ... permits the bank to take steps to protect itself from liability by implementing commercially reasonable security procedures. If the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer will bear the risk of loss from a fraudulent payment order,” the court wrote in its decision.
The appellate court said BancorpSouth had fulfilled its end of the bargain.
“In sum, because BancorpSouth’s security procedures were commercially reasonable, because BancorpSouth complied with its security procedures and with Choice’s instructions, and because BancorpSouth accepted the ... payment order in good faith, the loss of funds from Choice’s account falls on Choice,” court documents said.
“Banks are breathing a sigh of relief,” said Doug Parr, a senior vice president at the Atlanta, Ga. office of transaction authentication company Entersekt, about the decision.
The appellate court’s ruling sets precedent only in its district, said Peter Toren, a lawyer with the Washington, D.C.-based firm Weisbrod Matteis & Copley. Other districts are not obliged to pay heed to the decision, although some may, he added.
More broadly, Henriquez said he is urging credit union clients that service businesses to review the agreements they have with those companies. The agreements need to be updated to reflect present realities, Henriquez said, to make sure the businesses agree to the terms in writing.
“Use the security procedures you say you will use,” he said. “Do all that, and you will have an opportunity for risk shifting.”