When Business Banking Goes Bad: Threat of the Week
When construction company Tennessee Electric (TEC), based in Kingsport, Tenn., filed suit against its bank, the $278 million TriSummit Bank, also headquartered in Kingsport, it drew a line in the legal sand that could change the fundamental relationship between business customers and their banks.
Stung by a $327,000 cyberheist, TEC claims the fault is TriSummit’s, and the construction company wants its money back. It has also asked the court to award $2 million in punitive damages.
Usually in cases involving businesses, such as the recent case involving BancorpSouth and Choice Escrow, the presumption has been that the bank will prevail.
That is very different from consumer fraud cases, which fall under Regulation E, a federal doctrine that limits the banking losses consumers may suffer.
Businesses, by contrast, fall under the Universal Commercial Code, which offers much more protection to banks and correspondingly little to businesses.
But the TEC case may turn that assumption on its ear.
Why does this matter to credit unions?
Francois Henriquez, a lawyer with Shutts and Bowen in Miami who primarily handles credit union clients, said that every large credit union he works with is in member business services or is looking to get into it.
It’s an attractive revenue stream, Henriquez elaborated, and many credit unions appear to believe they can very capably serve small and mid-sized businesses.
Only one side of this story in Tennessee is known so far. What TEC has said is damning, multiple experts indicated, assuming TriSummit does not later show the facts to be different.
Apparently, Russian hackers dipped into the TEC account and stole $327,000. Roughly $135,000 was “clawed back by TriSummit,” reported security blogger Brian Krebs, who broke this story.
Best guesses are that malware was downloaded to TEC’s computers and the criminals got the login credentials that way.
Either way, TriSummit paid out 55 ACH transfers, according to TEC’s complaint, and, in a departure from the norm, TriSummit did not seek verbal confirmation of the transfers in a phone call.
The phone call is key.
As recently as February 2012, TriSummit and TEC had agreed to use telephone verification before ACH payments were processed. That call was supposed to come in on a line that is recorded. Apparently no such call came in, or so TEC alleged in its complaint.
“TriSummit is toast,” Aite analyst Julie Conroy said.
However, she stressed that in her opinion this case will not affect future cybersecurity litigation. The facts, at least as presently known, turn on the bank’s failure to follow through on the telephone verification procedures to which it had agreed.
“There was a written agreement that the bank will do XYZ and it didn’t,” Conroy said.
Kenneth Ehrlich, co-chair of the financial services practice at law firm Nutter in Boston, where he said he represents eight or nine credit unions, stressed that in his view none of this changes anything for financial institutions.
“The financial institutions will win if there are no facts that show culpability on the part of the FI,” he said.
Ehrlich added: “The credit union generally wins unless it screws up.”
In this instance, TEC has alleged substantial bungling by TriSummit. The bank has not offered its side.
So if the decision goes against the financial institution, it can be presumed it would be because of the bungling, not because of any shift in perception of the legal protection enjoyed by financial institutions under the Universal Commercial Code.
“The member will not be able to hold the credit union liable if the credit union has been using commercially reasonable procedures,” Henriquez said.
Don’t be too quick to take solace from the opinions that financial institutions will probably emerge from the TEC case none the weaker. That’s because, Conroy said, threats aimed at you are mounting.
“We have seen a shift. Criminals are putting more focus on small and mid-sized business and also financial institutions,” she said.
It has become very difficult to breach the money center banks. Small financial institutions? Not so much.
“The bigger banks are putting in better defenses. Criminals will go to smaller financial institutions,” Trusteer cyber fraud expert George Tubin said. “Smaller FIs have to wake up; there are very sophisticated cyber criminals and they are coming after you.”
“The odds,” Conroy said, “shifted a long time ago. They now are solidly in favor of the criminals.”