New Court Decision Upends U.C.C. Rule Typically Applied, Holds Bank Liable for Unrecovered Funds from a Phishing Attack
By: Micah Ratner
A U.S. District Court in the Eastern District of Michigan has issued its decision in Experi-Metal, Inc. v. Comerica Bank, holding that a bank—instead of the bank’s customer—was liable for $560,000 in unrecovered funds from a phishing attack. The case is noteworthy because a customer is typically liable for unauthorized transfers under Uniform Commercial Code (“U.C.C.”) Article 4A. Under U.C.C. Section 4A-202, the customer is responsible for unauthorized transfers if (1) the bank and customer agree that the bank will authenticate transfers through a security procedure, (2) the security procedure is commercially reasonable, and (3) the bank accepted the transfer in good faith.
In Experi-Metal, a phishing email tricked an Experi-Metal employee into entering his confidential secure token identification and other online credentials, which allowed criminals to make 93 transfers from its Comerica accounts over about 6.5 hours. The fraudulent transfers amounted to over $1.9 million, though all but $560,000 was recovered. Comerica flagged the transfers 4 hours after they began and disabled Experi-Metal’s user identification soon after, but the attackers were able to make transfers until Comerica “killed” the attackers’ user session 2.5 hours later. Experi-Metal sued, arguing that Comerica should have stopped the fraudulent transfers sooner.
According to the court, the bank satisfied the first two prongs of U.C.C. Section 4A-202 needed to avoid liability, but the court held a bench trial on the remaining issue of whether Comerica accepted the wire transfers in good faith. The court found the bank had not provided enough evidence of the reasonable commercial standards of fair dealing “for a bank responding to a phishing incident” and Comerica’s compliance with those standards. The court reasoned that the security mechanisms in the Financial Institution Examination Council (“FFIEC”) Handbook did not set the “reasonable commercial standards of fair dealing” because the mechanisms are not mandatory.
Nonetheless, the court held that “a bank dealing fairly with its customers would have detected and/or stopped the fraudulent activity earlier,” based on the volume and frequency of the orders, the customer’s limited prior wire activity, the large overdraft, and the destination and identities of the beneficiaries.
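As an added illustration of the indicators the court relied on (this is not part of the original post, nor any bank’s actual control logic), the following Python sketch places a wire on hold for review as soon as two or more of those indicators coincide; the customer baseline, the thresholds, and the sample wires are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Wire:
    ts: datetime
    amount: float
    beneficiary: str

def first_hold(wires, prior_90d_wires, opening_balance, known_beneficiaries,
               window=timedelta(hours=1), max_per_window=5, min_indicators=2):
    """Return (index, reasons) for the first wire that should be held for review,
    or None if the batch is consistent with the customer's own history."""
    balance = opening_balance
    known = set(known_beneficiaries)
    recent = []  # (timestamp, beneficiary) pairs inside the sliding window
    for i, w in enumerate(wires):
        balance -= w.amount
        recent = [(t, b) for t, b in recent if w.ts - t < window] + [(w.ts, w.beneficiary)]
        reasons = []
        # volume and frequency measured against the customer's prior wire activity
        if len(recent) > max_per_window and prior_90d_wires < max_per_window:
            reasons.append("velocity far above prior wire activity")
        # the account is being driven into overdraft
        if balance < 0:
            reasons.append("overdraft")
        # a burst of payees this customer has never paid before
        if sum(1 for _, b in recent if b not in known) > 3:
            reasons.append("many new beneficiaries in window")
        if len(reasons) >= min_indicators:
            return i, reasons
    return None

# Constructed sample (hypothetical values): a customer with two prior wires in 90 days
# suddenly sends 93 wires, four minutes apart, to payees it has never used.
START = datetime(2024, 1, 1, 7, 30)
ATTACK = [Wire(START + timedelta(minutes=4 * n), 20_000.0, f"new-payee-{n}") for n in range(93)]
# Constructed baseline: two ordinary wires to a known supplier, days apart.
NORMAL = [Wire(START, 15_000.0, "supplier-a"), Wire(START + timedelta(days=3), 9_000.0, "supplier-a")]

if __name__ == "__main__":
    print(first_hold(ATTACK, prior_90d_wires=2, opening_balance=100_000.0, known_beneficiaries={"supplier-a"}))
    print(first_hold(NORMAL, 2, 100_000.0, {"supplier-a"}))
```

With these assumed thresholds the hold fires on the sixth wire, twenty minutes into the burst, rather than hours later.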
The case illustrates the dangers of phishing attacks on both customers and banks. It further highlights the need for attention to the terms of wire transfers, deposit agreements, and proper procedures and controls on both sides. Beyond the U.C.C. issues, the case shows the importance of the FFIEC’s new guidance on authentication in the Internet environment, which may clarify industry standards for dealing with similar attacks. It also underscores the efforts of NACHA (The Electronic Payments Association) to combat corporate account takeover, a form of corporate identity theft in which criminals steal online credentials from businesses.