Fraud Cases: Black Eye for Banking?

Experts Debate Long-Term Impact of Customer vs. Bank Lawsuits
Fraud Cases: Black Eye for Banking?
In a Michigan courtroom, Comerica Bank and its business customer, Experi-Metal Inc., exchange testy legal motions over which party is more responsible for the circumstances that exposed Experi-Metal to fraudulent transactions of over $550,000.

Meanwhile, in Sanford, Maine, Patco, a construction company, has sued Ocean Bank of Portsmouth, NH, alleging that the institution failed to prevent fraudulent ACH transactions totaling more than $500,000.

And in Redondo Beach, Calif., the owner of Village View Escrow Inc. is preparing to file suit against Professional Business Bank, Pasadena, CA, after losing $465,000 in fraudulent account takeovers.

Ultimately, these customer vs. bank legal actions may help answer the question of "What is reasonable security?" when it comes to protecting institutions and customers from fraudsters. But what's the message being sent to banking customers?

In the court of public opinion, banking has suffered a black eye, industry experts say. And the solution requires a return to basics - of banking and protection.

'Another Example'

Exactly what is the cumulative impact of these customer/bank legal cases - particularly in troubled economic times?

"Customers are increasingly viewing banks as being large, uncaring institutions that depend upon the government to bail them out when bad things happen, instead of taking the time and effort to care about customers and prevent bad things from happening in the first place," says Rebecca Herold, an independent consultant based in Iowa.

The banking public sees these cases as "another" example of banks not making good with their customers when there's a dispute about who is responsible for a financial loss, says Tom Wills, security, fraud and compliance senior analyst at Javelin Research, a security research firm based in Pleasanton, Calif.

In the short run, these fraud cases can create a negative customer view of the specific banks involved, says Christopher Loeffler, an attorney at Kelley, Drye and Warren's Privacy and Information Security practice. "If a person is actively searching for a new bank, news about an incident may dissuade the person from selecting that particular bank," he says. But when the fraud involves an isolated incident rather than a widespread data breach, especially when customer error is involved, current customers are unlikely to switch banks. "Of course, with each new case, customers and banks become more aware of the need to actively examine the steps taken to prevent fraud."

A Black Eye?

As to how deep the damage runs, the expert opinions are split.

Asked whether these cases have given the industry a black eye, Wills says "Yes." Whenever there's a doubt about who's responsible for a fraud loss (except in clear cases of customer abuse), the bank should give the customer the benefit of the doubt, he says. "Absorbing fraud costs in the name of good customer care is usually worth more to the bottom line than the actual losses incurred from the fraud."

A bank's reputation for taking care of its customers -- whether positive or negative -- is a very strong factor in retaining and acquiring business customers, notes Wills. "It's unfortunate that more banks don't understand this, but it's a goldmine for the relative few that do."

Loeffler disagrees with Wills' assessment of the impact of these lawsuits. There are certainly practical lessons that banks and customers can take away from these cases, he says. "But it is unlikely that a case involving a single customer will cast a pall on the entire banking industry," says Loeffler. However, he notes that these actions may motivate some business customers to reexamine the security protections being offered by their banks and the terms of their agreements.

"Because customers are now able to choose from any number of banks across the nation and world, not just those located in the customer's hometown, banks must compete not only on the services and rates they provide, but also the security they provide," Loeffler says.

Time to 'Step Up'

The problem of ACH fraud - the root cause of most of these recent incidents -- has been ongoing for many years, but the issues behind this problem haven't been worked on in the past decade, says Herold, who says it's time for the industry to step up and resolve these issues. One primary reason that ACH fraud continues is because as the security "fixes" are made for the technology with the problems, new procedures are built specifically to address them. Then as the technology evolves and is implemented by the banks, new problems allow for ACH fraud to continue. "As technology continues to evolve, and as banks continue to adopt it, new vulnerabilities and threats related to those new technologies will allow for ACH fraud to continue," Herold says.

In order to address ACH fraud, customers and banks alike need to be active participants in creating viable solutions, notes Loeffler. In order for proposed solutions to be effective, whether technology-based or from enhanced communication and training, there needs to be buy-in from both groups. "A top-of-the-line solution provided by a bank is largely ineffective if it does not meet the customer's needs or the customer does not know the best way to implement it," he says. On the other hand, superior training and vigilance by the customer will not save inadequate technical security provided by a bank. Among the solutions Herold says banking institutions should work with business customers to employ:

  • Implement strong, consistently enforced, information security policies;
  • Provide regular information security and privacy training and ongoing awareness communications for not only the policies, but also information security and privacy issues related to new technologies and processes;
  • Consistently apply sanctions for non-compliance;
  • Perform comprehensive risk assessments before deploying new and changed systems and applications into production;
  • Establish proper due diligence activities for outsourced and other third-party entities.

Beyond technology solutions, new policies and increased awareness, Wills says the banking industry needs to return to old fashioned business values and improve its reputation for trust and good customer care. Quoting Benjamin Franklin, Javelin's Wills says, "It takes many good deeds to build a reputation, and only one bad one to lose it."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.