Tennessee Electric Company Inc. vs. TriSummit Bank – A Cautionary Tale

By ISBuzz Team, August 27, 2014

The latest in a recent string of lawsuits between businesses and their commercial banks is the case of Tennessee Electric Company vs. TriSummit Bank. In the complaint, Tennessee Electric alleges in six counts, ranging from gross negligence to fraud, that TriSummit didn’t honor its agreement to protect the security of ACH initiated payroll transactions.

The general framework of this complaint is similar to recent cases such as Patco and Choice Escrow Land & Title. The account holder and the bank are locked in a dispute about the application and reasonableness of security controls. As Brian Krebs points out in his piece about this case, businesses do not enjoy the same protections as do consumers under U.S. law.

There are a few take-aways from this case and this trend:

1. Small banks and credit unions are often at the mercy of their FinTech providers to provide “reasonable” anti-fraud controls.

Most small banks in the U.S. are run like small businesses. A bank with less than $500 million in assets often doesn’t even have dedicated security or anti-fraud staff like the big banks. The guy working on fraud, filing SAR reports and speaking to regulators might be the same guy patching desktops, supporting internal audit, and doing 10 other jobs.

These banks buy their services from large FinTech providers where they get core banking, online banking, ACH/wire clearing, mobile apps and nearly every other IT service. Most of these services are hosted at the FinTech facility, so the bank doesn’t even have access to their own systems.

Along with these systems, the FinTech provider may offer a menu of anti-fraud services to the bank including anti-phishing, anti-account takeover, multi-factor authentication and transaction monitoring. However, not all providers do.

Imagine how difficult it is to switch from one provider to another. This situation leads to the uncomfortable realization by many small bankers that they might be exposed, that they can get hit anytime, and that there is very little they can do about it.

2. Fallacy of Composition – Detection of one fraud event is not the same as detection of all fraud events.

In order for this to be true, the following syllogism must also be true in practice:

All fraud is detectable.
ACH 1234 is fraud.
ACH 1234 is detectable.

This is the part that burns most fraud managers. Fraud is not something that can, or even must, be stopped. It must be slowed, it must be managed, it must be constrained, it must be made expensive to those who perpetrate it. The BankInfoSecurity piece makes a point that reminds me of this fallacy. Does the mere existence of fraud automatically trigger the unreasonableness provision of the law? That seems to stretch the definition of the word and expose how unreasonable this standard is.

3. Fraud Detection and Fraud Management Realities.

While academics and anti-fraud vendors could argue that all fraud is theoretically “detectable” and that product XYZ can “solve” account takeover or “solve” anomaly detection, reality, as usual, presents us with inconvenient truths.

It is true that, theoretically, all fraud that is anomalous can be identified correctly by a properly designed transaction-monitoring tool. However, these tools are often unavailable (see point 1), are out of date (see point 1), and are not highly effective in real-time (see point 1).
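As an added illustration (not code from the article, from Easy Solutions, or from any court filing), the following Python sketches the kind of baseline-driven screen a transaction-monitoring tool applies to an ACH payroll batch. The employee ids, routing identifiers and amounts are constructed, and the thresholds are assumptions. It shows both halves of the point above: an entry that departs from the employee's history is held for review, while an entry that matches history passes untouched, so “detectable” in practice only ever means “anomalous relative to what the monitor has already seen”.

```python
"""Minimal anomaly-based screen for an ACH payroll batch.

Added illustration only: not the article's, Easy Solutions', or any
bank's code. All identifiers and amounts below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AchEntry:
    """One credit entry in a payroll batch (field names are assumptions)."""
    batch_id: str
    employee_id: str
    dest_routing: str   # receiving bank identifier, constructed placeholder
    dest_account: str   # receiving account, constructed placeholder
    amount: float       # USD


# Constructed history: four prior payroll batches for two employees.
HISTORY = [
    AchEntry("B001", "E100", "ROUTE-A", "ACCT-1111", 2400.00),
    AchEntry("B001", "E200", "ROUTE-A", "ACCT-2222", 3100.00),
    AchEntry("B002", "E100", "ROUTE-A", "ACCT-1111", 2400.00),
    AchEntry("B002", "E200", "ROUTE-A", "ACCT-2222", 3150.00),
    AchEntry("B003", "E100", "ROUTE-A", "ACCT-1111", 2450.00),
    AchEntry("B003", "E200", "ROUTE-A", "ACCT-2222", 3100.00),
    AchEntry("B004", "E100", "ROUTE-A", "ACCT-1111", 2400.00),
    AchEntry("B004", "E200", "ROUTE-A", "ACCT-2222", 3100.00),
]


def build_profiles(history):
    """Per employee: destinations seen before and the mean historical amount."""
    profiles = {}
    for e in history:
        p = profiles.setdefault(e.employee_id, {"destinations": set(), "amounts": []})
        p["destinations"].add((e.dest_routing, e.dest_account))
        p["amounts"].append(e.amount)
    for p in profiles.values():
        p["mean"] = sum(p["amounts"]) / len(p["amounts"])
    return profiles


def anomaly_reasons(entry, profiles, max_relative_deviation=0.25):
    """Return the reasons an entry deviates from its employee's baseline.

    An empty list means the entry is indistinguishable from prior payroll
    runs; an anomaly-based monitor has nothing to act on in that case.
    The 25% band is an assumed tuning value, not a standard.
    """
    p = profiles.get(entry.employee_id)
    if p is None:
        return ["employee id has no payroll history"]
    reasons = []
    if (entry.dest_routing, entry.dest_account) not in p["destinations"]:
        reasons.append("destination account never used for this employee")
    if abs(entry.amount - p["mean"]) > max_relative_deviation * p["mean"]:
        reasons.append(
            f"amount {entry.amount:.2f} deviates more than "
            f"{max_relative_deviation:.0%} from mean {p['mean']:.2f}"
        )
    return reasons


def screen_batch(batch, profiles):
    """Return {employee_id: reasons} for entries to hold before release."""
    held = {}
    for entry in batch:
        reasons = anomaly_reasons(entry, profiles)
        if reasons:
            held[entry.employee_id] = reasons
    return held


# Constructed incoming batch: E100 unchanged, E200 now pointed at a
# never-seen destination, E300 an employee id with no history at all.
INCOMING = [
    AchEntry("B005", "E100", "ROUTE-A", "ACCT-1111", 2400.00),
    AchEntry("B005", "E200", "ROUTE-B", "ACCT-9999", 3100.00),
    AchEntry("B005", "E300", "ROUTE-B", "ACCT-9998", 3100.00),
]

if __name__ == "__main__":
    held = screen_batch(INCOMING, build_profiles(HISTORY))
    for employee, reasons in held.items():
        print(employee, "->", "; ".join(reasons))
```

Run as-is it holds E200 and E300 and releases E100. The design choice worth noticing is what the screen cannot do: an entry that keeps the usual destination and amount produces no reasons at all, which is exactly why “all anomalous fraud is detectable” does not collapse into “all fraud is detectable”. A real deployment would also need the profiles refreshed continuously and the check run before release, which is the real-time effectiveness the article says small institutions often lack.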

The ability of legal systems to adjudicate anything more than disputes related to fraud and breach of contract is, in my opinion, extremely limited. Banks must honor the agreements that they sign and utilize the controls that they deploy. That is a given. There is no standard of reasonableness for anti-fraud controls amongst even the most sophisticated banks, and especially not at the country’s smallest and most vulnerable institutions. I don’t expect any further clarity to emerge from this case, but rather a Ping-Pong game of verdicts and appeals searching for a more permanent resolution. In the meantime, regulators need to clearly define what is accepted as “reasonable” controls, or these lawsuits will continue to make headlines. As for the banks, it is critical that they keep assessing their growing risk of exposure under the current legal framework when planning to implement anti-fraud controls.

By Daniel Ingevaldson, CTO, Easy Solutions

About Easy Solutions

Easy Solutions is the only security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Its products range from anti-phishing and secure browsing to multi-factor authentication and transaction anomaly detection, offering a one-stop shop for multiple fraud prevention services.
