Heightened FI Accountability Should Fuel Relationship Resurgence among Commercial Clients
The recent TRC Operating Co. Inc. case is only one of several creating a ripple of increased fraud awareness across businesses and their financial institutions (FIs). While it takes the vested interest of both parties to assess risk, build the fortress, and maintain safe-keeping, who’s to blame when security is compromised?
TRC’s claim that it was offered only a username and password – and no further security controls – ultimately resulted in a $350K settlement paid by United Security Bank. So where is the line drawn?
Businesses do not receive the same protection against cyber fraud that is afforded to consumer banking customers under Reg E. While commercial customers are typically provided enhanced security solutions, they do not receive the loss protection that retail account holders do, which limits losses to $50 if reported within two days. As such, it’s on FIs to provide “commercially reasonable security procedures” to their business clients.
Username and password clearly do not cut the mustard as a standalone security control for commercial customers – or for that matter, any customer. Institutions are not just accountable for providing strong security options; when litigation arises, they are now being asked to prove they have attempted to offer these solutions to customers, who can then decide their own fate. This was evidenced in the recent court ruling in St. Louis that found Missouri-based title company Choice Escrow responsible for over $400K in fraud losses, after it declined [in writing] to use the security controls offered by its bank.
That being said, fraud fault does not automatically fall on FIs alone. In reality, the term “commercially reasonable,” when referencing security procedures, is subjective. Therefore the shroud of blame should be shared – and preferably prevented or squashed through tightened business/banking partnerships.
In light of the recent lawsuits making headlines, business owners must remain vigilant and aware of the clear and present dangers that exist, and FIs must position themselves as the trusted advisor. To help diminish some ambiguity for business and banking partners, the UCC provides the guidelines below as the determining factors of the “commercial reasonableness” of a security procedure:
- What are the wishes of the customer expressed to the FI?
- What are the circumstances of the customer known to the bank – including size, type, and frequency of payment orders normally issued by the customer to the bank?
- What are the alternative security procedures offered to the customer?
- What security procedures in general use by customers and receiving banks can be updated?
While “commercially reasonable” will continue to evolve with the landscape, FIs need to make the leap to a proactive security approach. Not to mention, strengthening the relationships among FIs and their commercial customers will only reinforce the barriers we’re all building against potential fraudsters.