Fraud Case May Go to Supreme CourtFirm Considers Final Appeal of Liability Ruling
Choice Escrow and Land Title LLC says it's now considering an appeal to the U.S. Supreme Court after an appellate court ruled against rehearing its case involving a $440,000 account takeover loss dating back to 2010. And some security and legal experts say they believe the Missouri-based escrow firm might have a shot at success.
See Also: How to Defend Your Attack Surface
Last week, the Eighth Circuit Court of Appeals denied Choice Escrow's request for a rehearing of its case against Mississippi-based BancorpSouth over wire fraud liability (see Firm: ACH Fraud Ruling Sets Bad Precedent).
Choice Escrow co-owner Jim Payne says his company has no other choice but to move forward. "We are very disappointed in the ruling by the Eighth Circuit," Payne says. "We are considering our options for seeking a writ of certiorari from the United States Supreme Court."
A writ of certiorari is used by higher courts to review rulings handed down by lower courts. According to Legal Information Institution at Cornell University Law School, the U.S. Supreme Court uses writs of certiorari to pick most of the cases that it hears.
Eighth Circuit's Appellate Ruling
In June, a panel of Eighth Circuit judges ruled that Choice Escrow was responsible for the losses it suffered in March 2010. The panel found that the liability for account takeover losses shifted when the escrow company declined to use a two-person authorization security feature offered by the bank (see Bank Wins Account Takeover Loss Case).
The court also ordered that Choice Escrow pay BancorpSouth's legal fees, dating back to November 2010, when the Missouri escrow firm initially filed its suit (see Wire Fraud Victim Sues Bank).
Choice Escrow argued that the court's order to cover the bank's legal fees essentially rendered meaningless Article 4A of the Uniform Commercial Code, which provides fraud protections for commercial customers as well as defines what constitutes reasonable security offered by a bank.
The company requested that the case be reheard en banc, meaning before the entire appellate bench rather than just a panel of judges. But the appellate court on July 17 denied that request.
Since the denial of that request, Payne says his company has no choice but to pursue other options. And in looking at other appellate rulings in cases involving account takeover losses, he contends the Eighth Circuit's ruling appears out of line.
Choice Escrow is considering an appeal to the U.S. Supreme Court, Payne says, because the appellate court's decision appears to be in conflict with the only other appellate ruling involving an account takeover dispute between a bank and a former commercial customer - the PATCO Construction Inc. vs. People's United Bank ruling.
In the PATCO ruling, the First Circuit Court of Appeals in Boston ruled in favor of PATCO, reversing a district court's 2011 judgment that favored the bank, and further recommended that the two parties pursue an out-of-court settlement of the case (see PATCO ACH Fraud Ruling Reversed).
The First Circuit's ruling described the bank's security procedures as "commercially unreasonable," saying People's United Bank, formerly Ocean Bank, should have detected and stopped the fraudulent transactions that drained more than $500,000 from PATCO's commercial account in 2009.
The ruling went on to state Ocean Bank actually increased PATCO's fraud risk by relying on what the court called a "one-size-fits-all" approach to monitoring and authenticating high-dollar transactions.
"We are familiar with the opinion of the First Circuit in PATCO Construction v. People's United Bank, which found in favor of the customer," Payne says. "It appears the Eighth Circuit opinion conflicts with the PATCO opinion in key respects.
The one-size-fits-all approach to security is one the Federal Financial Institutions Examination Council has explicitly instructed banking institutions to avoid, says financial fraud expert Avivah Litan, vice president at Gartner Research.
According to preliminary results from Information Security Media Group's 2014 Faces of Fraud Survey, banking institutions and their commercial customers continue to suffer losses related to ACH and wire fraud, in spite of investments in FFIEC conformance.
Investment Impact on Account Takeover Losses?
SOURCE: ISMG Faces of Fraud 2014
"What strikes and irks me is that none of the lawyers or judges referred to the FFIEC guidance, which clearly and rightly calls for a layered security approach as well as clear and visible warnings to corporate customers about the risks they face," Litan adds. "It would seem to me that Choice's bank [BancorpSouth] was not compliant with FFIEC guidance around a multilayered security approach and extra anomaly detection around money transfers. What this ruling seems to tell us is that the guidance has no teeth and does a poor job of protecting customer accounts and funds."
Additionally, Payne says the Eighth Circuit's decision to order that Choice Escrow pay BancorpSouth's legal fees will prevent commercial customers from pursuing legal action over wire fraud disputes in the future.
"The opinion allowing the bank to seek its attorneys' fees under the indemnity clause will cause future customer victims to choose not to file suit," he says. "They will conclude, and rightly so, that the attorneys' fees will often be greater than the amount lost to the cyber=criminals. The UCC grants customers a right to sue, and the opinion will essentially take it away. We think this matter deserves a review."
Reactions to Eighth Circuit's Ruling
Choice Escrow says it's considering a review of the Eighth Circuit's ruling because the ruling sets a bad precedent, Payne says. And some security and legal experts agree.
"I hope they can continue to appeal," Litan says of Choice Escrow's efforts.
George Tubin, a banking expert at anti-malware provider Trusteer, says the decision to order Choice Escrow to pay BancorpSouth's legal fees is "quite harsh," and is likely to have a negative impact on future account takeover cases.
"The lawsuit was not frivolous," Tubin says. "It will definitely discourage other fraud victims from seeking compensation. It will encourage many banks to offer inconvenient and questionably effective solutions to their customers as a route to indemnity. And it may start encouraging customers to change banks due to the security offerings provided."
George Tubin in early 2012 on FFIEC requirements for anomaly detection.
Amy McHugh, an attorney and former FDIC IT examination analyst who now works as a banking adviser for professional services firm CliftonLarsonAllen, says the court's ruling to order payment of the bank's legal fees was unusual.
She also argues that the appellate court's justification for why BancorpSouth's security measures were deemed "reasonable," as Litan points out, has left room for further debate.
"The escrow firm stated that dual control would not be appropriate, due to its small staff, and I questioned why a $13 billion bank was not able or willing to provide another security procedure to fit the customer's circumstances," McHugh says (see Fraud: Defining 'Reasonable Security').