It is startling that while the annual losses in the UK to online banking fraud in 2012 amounted to £39.6 million, there are so few reported litigation cases. The lack of cases may be explained because many of the businesses targeted may be eligible to complain to the Financial Ombudsman Service and those that are not eligible are unlikely to want to risk the uncertainty of costly and time-consuming litigation when they have just lost significant sums of money to cyber pirates.
The dearth of case law on this matter makes it difficult for lawyers acting for banks or customers to determine whether there are reasonable prospects of pursuing/defending an online banking fraud claim. However it is submitted that lessons can be learned by looking across the Atlantic at recent American online banking fraud case law.
Patco Construction v People's United Bank
A small property development business called Patco Construction ("Patco") sued its bank, People's United Bank, for authorising six fraudulent withdrawals from its account in May 2009 which amounted to $588,851. It was disclosed that the bank had flagged each transaction as 'high risk' but had still authorised them. The bank did manage to $243,406 from the fraudsters but the rest of th funds were lost and the bank refused to refund Patco.
After Patco's refund requests were rejected by the bank, a Court action was raised in Maine District Court. In June 2011, the Court ruled in favour of the bank noting the law does not demand that the bank implement the best security measures. However Patco appealed and the American Federal Court of Appeal handed down their decision in July 2012 ruling in favour of Patco for recovery of their losses caused by an online phishing fraud. The Court decided that the bank's online security procedures did not comply with Article 4A of the Uniform Commercial Code (specfically section 202) which states that the bank's online security procedures must be 'commercially reasonable' .
The Court's reasoning for finding the security procedures to be commercially unreasonable was influenced by the following factors:
The bank ignored numerous warnings from its own online security system which flagged the transactions as 'high risk'.
The instructions to make the online transfers came from a computer which had never been used before by Patco.
The instructions to make the online transfers came from an IP address not recognised as from Patco.
The transfer amounts were signifcantly greater than any transfers Patco had made before to third parties.
The transfers had been made to third parties that Patco had never paid before.
The Court of Appeal returned the case to the District Court and recommended that parties consider settling the case which did in fact subsequently happen with media commentators speculating that Patco were refunded all their losses by the bank.
In January 2009, a customs metal company based in Michigan lost $560,000 when its bank, Comerica, allowed an online cyber pirate to make almost 100 bank transfers. An email purporting to be from Comerica had tricked an employee into clicking on a link to a fake Comerica site whch then requested EMI's passwords and one-time passcodes. Within the space of a few hours, 97 bank transfers were made to accounts in countries including Estonia, Scotland and China.
Interestingly, the Court in EMI found that the bank's security procedures were commercially reasonable because EMI agreed in its contract with the bank that the bank's security was commercially reasonable. However EMI focused their attention on the part of Article 4A of the Uniform Commercial Code where it states that a bank must accept the payment order in good faith. The Court said the burden of proving that the payment orders were accepted in good faith was on the bank and they had failed to observe commercial standards of fair dealing. The reasoning behind the decision was influenced by the following factors:
a failure by the bank's security system to look at previous bank transfer activity.
a failure by the bank's security system to consider the bank customer's previous length of online banking sessions.
a failure by the bank's security system to consider the speed at which payment orders were made.
a failure by the bank's security system to consider the destinations of the payment orders.
a failure by the bank's security system to consider the identities of the beneficiaries.
In broad terms, the failure to implement a security system with behavioural analytics to identify 'red flags' was viewed by the Court as a failure to act in good faith in its processing and acceptance of the unauthorised transactions.
It is not a huge leap for Scots delict (tort) to construct a duty to have implemented a commercially reasonable security procedure (i.e. to provide protection against unauthorised payment transactions) which could be used to allocate the risk of loss between bank and customer.
Furthemore the law of contract may well be flexible enough to allow a term to be implied that the bank must accept the payment order in good faith encouraged by recent persuasive English cases such as Yam Seng PTE Ltd v International Trade Corporation Limited .
If the bank's security procedure is able to authenticate identity by the use of behavioural analytics then that would arguably satisfy the 'commercially reasonable' test. The behavioural analytics would consider various factors such as:
location of the log-in
log-in history and previous activity
the IP address normally used by the customer to log in; and
both the frequency and size of the transactions.
It is submitted that a comparison between the current user's behaviour and the behaviour of known authorised users would signifcantly increase the chances of identifying a fraudster before they can make significant bank transfers. If the banks implemented such measures then it would not only greatly decrease the risk of online banking fraud but also strengthen the banks' legal position should a business litigate against them.
If banks do not enhance their security procedure then they run the risk of losing any litigation brought against them together with the huge reputational damage litigating an online banking fraud case that would invariably arise.
In conclusion, businesses who have suffered online banking losses should not be discouraged by the lack of case law and should consider litigation if attempts at settlement with the bank have floundered and they are ineligible to complain to the Financial Ombudsman Service.
We have expertise in online banking fraud disputes and recently recovered an SME's losses from their bank after they had fallen victim to a vishing scam and their bank had refused to pay out. We are also currently assisting clients with recovery of losses from their banks following more recent phishing/vishing scams.
If you have been affected by a phishing/vishing scam and your bank has refused to pay out then we may be able to provide you with the necessary legal assistance to seek recovery of your losses from your bank. Please feel free to call a solicitor in our Financial Services & Banking Disputes Team on 0131 226 8200.
Disclaimer: While every effort has been made to ensure the accuracy of this blog post, it is not intended to provide legal advice as individual situations will differ. No recipients of content in this blog post should act or refrain from acting on the basis of the blog post without seeking the appropriate legal advice on the particular facts and circumstances at issue from a qualified solicitor in their jurisdiction. The blog post is for general information only and is not legal advice. The law changes frequently and varies from jurisdiction and jurisdiction. No solicitor-client relationship is formed nor should any such relationship be implied. If you require legal advice, please consult with a solicitor qualified to practise in your jurisdiction. Should you be interested in seeking our assistance with a legal matter, please contact the Dispute Resolution team on 0131 226 8200.