The latest in a recent string of lawsuits between businesses and their commercial banks is the case of Tennessee Electric Company vs. TriSummit Bank. In the complaint, Tennessee Electric alleges in six counts, ranging from gross negligence to fraud, that TriSummit didn't honor its agreement to protect the security of ACH-initiated payroll transactions.
The general framework of this complaint is similar to recent cases such as Patco and Choice Escrow Land & Title: the account holder and the bank are locked in a dispute about the application and reasonableness of security controls. As Brian Krebs points out in his piece about this case, businesses do not enjoy the same protections under U.S. law as consumers (Regulation E limits a consumer's liability for unauthorized electronic transfers; a business account is governed by its contract and UCC Article 4A). There are a few takeaways from this case and from this trend in aggregate:
- Small banks and credit unions are often at the mercy of their FinTech providers to provide “reasonable” anti-fraud controls
Most small banks in the U.S. are run like small businesses. A bank with less than $500 million in assets often doesn't have dedicated security or anti-fraud staff the way the big banks do. The person working on fraud, filing SARs and speaking to regulators might be the same person patching desktops, supporting internal audit, and doing ten other jobs. These banks buy their services from large FinTech providers, from whom they get core banking, online banking, ACH/wire clearing, mobile apps and nearly every other IT service. Most of these services are hosted at the FinTech facility, so the bank doesn't even have access to its own systems.
Along with these systems, the FinTech provider may offer a menu of anti-fraud services to the bank, including anti-phishing, anti-account-takeover, multi-factor authentication and transaction monitoring. However, not all providers do, and the bank can only deploy what its provider sells.
Consider how difficult it is to switch from one provider to another. This leads many small bankers to the uncomfortable realization that they are exposed, that they can get hit at any time, and that there is very little they can do about it.
- Fallacy of Composition – Detection of one fraud event is not the same as detection of all fraud events
For detection of one event to imply detection of all events, the major premise of the following syllogism must hold in practice:
All fraud is detectable
ACH 1234 is fraud
ACH 1234 is detectable
The premise "all fraud is detectable" is the part that burns most fraud managers, because it is false. Fraud is not something that can, or even must, be stopped outright. It must be slowed, managed, constrained, and made expensive for those who perpetrate it. The BankInfo Security piece raises a point that recalls this fallacy: does the mere existence of a successful fraud automatically trigger the unreasonableness provision of the law? That seems to stretch the meaning of the word and exposes how unreasonable such a standard would be.
- Fraud Detection and Fraud Management Realities
While academics and anti-fraud vendors might argue that all fraud is theoretically "detectable" and that product XYZ can "solve" account takeover or "solve" anomaly detection, reality, as usual, presents us with inconvenient truths.
It is true that, in theory, all fraud that is anomalous can be identified by a properly designed transaction-monitoring tool. Two things are also true. First, fraud that does not look anomalous at the level the tool monitors (a payroll batch with the usual total and payee count, but with a couple of employees' deposit accounts quietly changed) is not caught by batch-level statistics at all. Second, in practice these tools are often unavailable (see point 1), out of date (see point 1), and not real-time (see point 1), so they run after the batch has already been released.
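To make the gap between "anomalous" and "fraudulent" concrete, here is an added example of a pre-release monitor for ACH payroll batches. It is constructed for this post and is not code from the post, from TriSummit, or from any FinTech vendor; the batch format, the payee and account identifiers, the threshold values and the three sample batches are all made up. It scores a batch on total amount (z-score against prior batches), share of never-before-seen payees, off-hours submission, and, separately, changed deposit accounts for known payees.

```python
# Constructed illustration of a pre-release ACH payroll batch monitor.
# Not code from the post or from any bank or vendor; all payees, accounts,
# amounts and thresholds below are made up for the example.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]  # (payee_id, deposit_account, amount_cents)


@dataclass
class AchBatch:
    batch_id: str
    submitted_hour: int  # local hour of day, 0-23
    entries: List[Entry]

    @property
    def total_cents(self) -> int:
        return sum(amount for _, _, amount in self.entries)


def known_accounts(history: List[AchBatch]) -> Dict[str, str]:
    """Most recent deposit account seen for each payee in prior batches."""
    seen: Dict[str, str] = {}
    for batch in history:
        for payee, account, _ in batch.entries:
            seen[payee] = account
    return seen


def score_batch(batch: AchBatch, history: List[AchBatch], z_limit: float = 3.0,
                new_payee_limit: float = 0.25, track_account_changes: bool = True) -> List[str]:
    """Return the list of rules the batch trips; an empty list means release it."""
    reasons: List[str] = []
    totals = [b.total_cents for b in history]
    mu, sigma = mean(totals), pstdev(totals)
    # Batch-level statistic: is the total far outside the historical spread?
    if sigma > 0 and (batch.total_cents - mu) / sigma > z_limit:
        reasons.append("total_zscore")
    seen = known_accounts(history)
    new_payees = [p for p, _, _ in batch.entries if p not in seen]
    if batch.entries and len(new_payees) / len(batch.entries) > new_payee_limit:
        reasons.append("new_payee_ratio")
    if not 6 <= batch.submitted_hour <= 20:
        reasons.append("off_hours")
    # Payee-level check: a known employee whose deposit account moved since last payroll.
    if track_account_changes:
        changed = [p for p, acct, _ in batch.entries if p in seen and seen[p] != acct]
        if changed:
            reasons.append("account_change")
    return reasons


def payroll_entries(amount_cents: int, accounts: Dict[str, str] = None,
                    extra: List[Entry] = ()) -> List[Entry]:
    """Sixty regular employees E001..E060, each paid amount_cents (constructed data)."""
    overrides = accounts or {}
    entries = [(f"E{n:03d}", overrides.get(f"E{n:03d}", f"ACCT-E{n:03d}"), amount_cents)
               for n in range(1, 61)]
    return entries + list(extra)


# Eight prior weekly payrolls, all submitted at 09:00, per-employee pay varying slightly.
HISTORY = [AchBatch(f"PAY-{i}", 9, payroll_entries(per_head))
           for i, per_head in enumerate([250_000, 253_000, 248_000, 251_000,
                                         250_500, 249_000, 252_000, 247_000])]

# Noisy fraud: 45 new mule payees added, total more than doubled, submitted at 02:00.
FRAUD_A = AchBatch("PAY-8", 2, payroll_entries(
    250_000, extra=[(f"M{n:02d}", f"MULE-{n:02d}", 550_000) for n in range(1, 46)]))

# Quiet fraud: same total, same payees, but two employees' deposit accounts redirected.
FRAUD_B = AchBatch("PAY-8", 9, payroll_entries(
    250_000, accounts={"E017": "MULE-01", "E042": "MULE-02"}))

# Legitimate batch: a small raise and one genuine new hire.
LEGIT = AchBatch("PAY-8", 10, payroll_entries(
    251_000, extra=[("E061", "ACCT-E061", 200_000)]))


if __name__ == "__main__":
    for b in (FRAUD_A, FRAUD_B, LEGIT):
        print(b.batch_id, score_batch(b, HISTORY), score_batch(b, HISTORY, track_account_changes=False))
```

The noisy batch trips every statistical rule. The quiet batch passes all of them and is caught only by the account-change check, which requires the monitor to keep payee-level state across batches; a tool that only sees batch totals, or that runs the night after release, never sees it. The legitimate batch with one new hire and a small raise clears on every rule, which is the other half of the job: a threshold tight enough to catch the quiet fraud on totals alone would block ordinary payroll.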
The ability of the legal system to adjudicate anything beyond disputes over fraud and breach of contract is, in my opinion, extremely limited. Banks must honor the agreements they sign and use the controls they deploy; that is a given. But there is no standard of reasonableness for anti-fraud controls even among the most sophisticated banks, and certainly not at the country's smallest and most vulnerable institutions. I don't expect further clarity to emerge from this case, but rather a ping-pong game of verdicts and appeals in search of a more permanent resolution. In the meantime, regulators need to define clearly what counts as "reasonable" controls, or these lawsuits will continue to make headlines. As for the banks, it is critical that they keep assessing their growing legal exposure under the current framework when planning the selection and deployment of anti-fraud controls.