Regulation E Protects Consumers, Not Businesses

Consumers enjoy a certain level of protection that business bank accounts do not, and it’s called “Regulation E.”

Here is Regulation E in black and white:

ELECTRONIC FUND TRANSFERS (REGULATION E)

Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

1. Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

2. Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.

Businesses do not get this kind of protection. So when business accounts are compromised, they often have to fight for their money. And today, more than ever, they are losing. But banks are losing, too. The only winners here are the criminal hacking enterprises.

In order to meet the Federal Financial Institutions Examination Council’s compliance guidelines by January of 2012, banks must implement multiple layers of security. The recent FFIEC guidance specifically called out complex device identification and a move to out-of-wallet questions.

Financial institutions and their clients aren’t only losing millions to fraud; they are losing millions more fighting each other. It makes more sense for banks to beef up security (all while properly managing friction for legitimate customers) than to battle with their customers.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep cyber criminals out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360, which is used by leading financial institutions such as credit issuers and banks, to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Fox News. (Disclosures)

Bad News For Banks: Courts Side With Customers

Who is responsible for financial losses due to fraud? The bank, or the customers whose accounts have been drained?

One Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this case.

Clearly, the bank’s client, Experi-Metal, made some serious errors, but in the end, the bank paid the price. The court’s decision acknowledges that a vice president of Experi-Metal made the initial mistake of clicking on a link within a phishing email, which appeared to have been sent by Comerica but was in fact sent by a scammer. He then responded to a request for his Comerica account data, despite Comerica’s regular warnings about phishing scams and advice to never provide account information in response to an email. In doing so, the customer offered the scammer immediate online access to his company’s Comerica bank accounts. Naturally, the scammer began transferring money out of the accounts.

I’ll spare you the legalese and get to the nitty-gritty.

“The Court considered several factors as relevant to whether Comerica acted in good faith, including:

  • The volume and frequency of the payment orders and the book transfers that enabled the fraudster to fund those orders;
  • The $5 million overdraft created by those book transfers in what is regularly a zero balance account;
  • Experi-Metal’s limited prior wire activity;
  • The destinations (Russia and Estonia) and beneficiaries of the funds; and
  • Comerica’s knowledge of prior and current phishing attempts.

It was the Court’s inclination to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Furthermore, the Court found that Comerica “fails to present evidence from which this Court could find otherwise.”

This case means that Comerica and, by extension, all banks, must adhere more closely to the FFIEC’s recently released supplement to its earlier guidance on authentication in an Internet banking environment, by adding multiple layers of security.

In this case, the computer or other device the scammer used to access Comerica’s website could surely have been traced overseas and flagged for: hiding behind a proxy, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on.
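As an added illustration (not code from the original post or from iovation’s product), the factors the court listed above and the device anomalies just mentioned can be expressed as a simple wire-order risk scorer; the weights, the hold threshold, the high-risk destination list and the plausible time-zone table are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass

# Destinations the court cited in the Comerica case; a real list would be maintained separately
HIGH_RISK_DESTINATIONS = {"RU", "EE"}
# Plausible UTC offsets (minutes) per browser-language region; assumed values
PLAUSIBLE_OFFSETS = {"US": (-600, -240), "RU": (120, 720), "EE": (120, 180)}
HOLD_THRESHOLD = 4  # assumed: score at which an order is held for manual review

@dataclass
class WireOrder:
    amount: float
    dest_country: str
    balance_before: float         # funding account balance before book transfers
    funded_by_book_transfer: bool
    orders_today: int             # wires already submitted today
    baseline_wires_per_month: float
    dev_proxy: bool               # session arrived through an anonymizing proxy
    dev_tz_offset_min: int        # device-reported UTC offset in minutes
    dev_lang: str                 # browser language, e.g. "en-US"
    dev_prior_fraud: bool         # device reputation: previously tied to fraud

def timezone_language_mismatch(tz_offset_min, lang):
    # True when the device clock is implausible for the browser's language region
    region = lang.rpartition("-")[2].upper()
    if region not in PLAUSIBLE_OFFSETS:
        return False  # unknown region: cannot judge, so do not penalize
    lo, hi = PLAUSIBLE_OFFSETS[region]
    return not lo <= tz_offset_min <= hi

def assess(o):
    # Each check mirrors a factor the court listed or a device anomaly from the post
    checks = [
        (o.orders_today > max(3, 5 * o.baseline_wires_per_month), 2,
         "wire volume far above the customer's prior activity"),
        (o.funded_by_book_transfer and o.balance_before <= 0 < o.amount, 2,
         "wire funded by overdrawing a zero-balance account"),
        (o.dest_country in HIGH_RISK_DESTINATIONS, 2, "destination on high-risk list"),
        (o.dev_proxy, 1, "device hiding behind a proxy"),
        (timezone_language_mismatch(o.dev_tz_offset_min, o.dev_lang), 1,
         "device time zone and browser language mismatch"),
        (o.dev_prior_fraud, 3, "device previously associated with fraud"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    decision = "HOLD_FOR_REVIEW" if score >= HOLD_THRESHOLD else "RELEASE"
    return decision, score, [why for hit, _, why in checks if hit]

# Constructed sample orders (not real transactions)
LEGIT = WireOrder(12000, "US", 50000, False, 1, 2.0, False, -300, "en-US", False)
SUSPICIOUS = WireOrder(95000, "RU", 0, True, 40, 0.5, True, 180, "en-US", False)
```

Calling `assess(SUSPICIOUS)` holds the order with every reason listed, while `assess(LEGIT)` releases it with no findings; a bank would tune the weights against its own false-positive tolerance.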

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360, and is used by leading financial institutions to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)