Pub. 5 2015-2016 Issue 2

Over a Century: Building Better Banks - Helping Coloradans Realize Dreams
Feature Article

Limiting Bank Liability for Deposit Account Takeover by Following FFIEC Guidance

Bryce Langford, Summer Associate, Stinson Leonard Street

The most pressing threats facing banks today are not gun-wielding robbers like John Dillinger and Bonnie and Clyde. Today's financial institutions face a different kind of threat: cyberattacks. The most significant type of cyberattack in the banking industry is called "corporate account takeover," which occurs when an attacker steals a depositor's online banking credentials and then, posing as the depositor, submits fraudulent outgoing wire transfers. Laws and regulations of the last decade have increased the liability of banks that do not take proper preventive measures against corporate account takeover. This article examines those laws and regulations and discusses how banks can best manage the risk of account takeovers.

The UCC rules. Under Article 4A of the Uniform Commercial Code ("UCC"), the general rule is that the loss from an unauthorized outgoing wire falls on the bank, even if the transaction appeared to the bank to be authorized. There are two exceptions: (1) the depositor fails to report the unauthorized debits to its account within one year, and (2) the bank has in place a "commercially reasonable security procedure" to protect against hacking, that procedure is embodied in a contract between the bank and the customer, and the bank accepted the outgoing wire in good faith and in compliance with the procedure. The rules governing the second exception have been heavily litigated; they are codified in UCC 4A-201 through 4A-204.

The FFIEC guidance. To help banks determine what counts as a commercially reasonable security procedure, the Federal Financial Institutions Examination Council ("FFIEC") periodically releases "guidance" to help banks "identify and mitigate cyberattacks." The most recent guidance was issued on March 30, 2015. It includes eight "risk-mitigation" recommendations for financial institutions and is a must-read for bankers.

The expectation of layered security. The eight recommendations set out by the FFIEC in 2015 expand upon earlier recommendations issued in 2005 and 2011. One of the most important aspects of the earlier guidance is the FFIEC's recommendation of layered security: financial institutions should use more than a single layer of customer authentication. The most common example of a single layer is requiring only a customer's username and password. Financial institutions should consult the FFIEC guidelines for examples of other layers of authentication.

The FFIEC guidelines set forth two particularly important types of layered security: (1) dual-factor authentication, such as a username/password plus a token, a call-back, or challenge questions, and (2) software that detects out-of-pattern transactions involving outgoing wires. (Of the examples in the first group, a token or an out-of-band call-back adds a genuinely distinct factor, something the customer has or a channel the attacker does not control, whereas challenge questions are more "something you know" and are captured along with the password when the customer is phished or the workstation is infected.) Keep in mind that
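The second control named above, software that flags out-of-pattern outgoing wires, as an added example in Python that is not code from the article, from the FFIEC, or from any banking product: it builds a per-customer baseline from past wires (beneficiaries paid, session addresses, submission hours, amount distribution) and scores a new payment order against it. The customer name, beneficiary identifiers, amounts, timestamps and IP addresses are constructed; the thresholds (three standard deviations above the mean and above every prior wire, a 24-hour window, at most two wires per window) are illustrative choices; and `decide` is a stand-in for whatever hold-and-verify workflow a bank actually runs.

```python
"""Out-of-pattern outgoing-wire detection.

Added example illustrating the "transaction anomaly detection" layer; not code
from the article, the FFIEC, or any product. All wires below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Wire:
    customer: str
    beneficiary: str   # receiving-account identifier (synthetic)
    amount: float      # USD
    when: datetime     # time the payment order was submitted
    source_ip: str     # address of the online-banking session


# Indicator labels returned by score_wire (assumed names, not FFIEC terms).
NEW_BENEFICIARY = "beneficiary never paid before"
AMOUNT_ANOMALY = "amount far above customer's historical pattern"
NEW_SOURCE_IP = "session from an address not seen before"
OFF_HOURS = "submitted outside customer's usual hours"
VELOCITY = "too many wires in the look-back window"


def build_baseline(history):
    """Summarise a customer's past wires into the profile a new order is compared with."""
    amounts = [w.amount for w in history]
    return {
        "beneficiaries": {w.beneficiary for w in history},
        "ips": {w.source_ip for w in history},
        "hours": {w.when.hour for w in history},
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
    }


def score_wire(wire, history, window=timedelta(hours=24), max_per_window=2):
    """Return the list of out-of-pattern indicators for a new outgoing wire."""
    own = [w for w in history if w.customer == wire.customer and w.when < wire.when]
    if not own:
        return [NEW_BENEFICIARY]   # no baseline at all: treat as a first-time payee
    b = build_baseline(own)
    reasons = []
    if wire.beneficiary not in b["beneficiaries"]:
        reasons.append(NEW_BENEFICIARY)
    # Flag only if the amount exceeds every prior wire AND is >3 sigma above the mean,
    # so a customer whose wires already vary widely is not flagged on every order.
    if wire.amount > b["max"] and wire.amount > b["mean"] + 3 * b["stdev"]:
        reasons.append(AMOUNT_ANOMALY)
    if wire.source_ip not in b["ips"]:
        reasons.append(NEW_SOURCE_IP)
    if wire.when.hour not in b["hours"]:
        reasons.append(OFF_HOURS)
    recent = [w for w in own if wire.when - w.when <= window]
    if len(recent) + 1 > max_per_window:
        reasons.append(VELOCITY)
    return reasons


def decide(reasons):
    """Map indicators to a disposition. "hold" means the wire is not executed until the
    customer confirms it over a channel the attacker does not control (e.g. a call-back)."""
    if not reasons:
        return "release"
    if len(reasons) >= 2 or AMOUNT_ANOMALY in reasons:
        return "hold"
    return "review"


# Constructed history: weekly vendor payments, business hours, one office address (TEST-NET).
HISTORY = [
    Wire("acme-mfg", "vendor-A", 4800, datetime(2015, 6, 1, 10, 30), "203.0.113.7"),
    Wire("acme-mfg", "vendor-B", 5200, datetime(2015, 6, 8, 11, 0), "203.0.113.7"),
    Wire("acme-mfg", "vendor-A", 5100, datetime(2015, 6, 15, 13, 15), "203.0.113.7"),
    Wire("acme-mfg", "vendor-B", 4900, datetime(2015, 6, 22, 10, 45), "203.0.113.7"),
    Wire("acme-mfg", "vendor-A", 5000, datetime(2015, 6, 29, 14, 0), "203.0.113.7"),
    Wire("acme-mfg", "vendor-B", 5300, datetime(2015, 7, 6, 12, 30), "203.0.113.7"),
]
# Takeover pattern: new payee, ten times the usual amount, 3 a.m., unfamiliar address.
ATTACK = Wire("acme-mfg", "mule-4417", 48000, datetime(2015, 7, 13, 3, 12), "198.51.100.23")
ROUTINE = Wire("acme-mfg", "vendor-A", 5150, datetime(2015, 7, 13, 11, 5), "203.0.113.7")
NEW_VENDOR = Wire("acme-mfg", "vendor-C", 5000, datetime(2015, 7, 13, 11, 5), "203.0.113.7")


def run_examples():
    """Score the three constructed orders and return their dispositions."""
    return {
        "attack": decide(score_wire(ATTACK, HISTORY)),
        "routine": decide(score_wire(ROUTINE, HISTORY)),
        "new_vendor": decide(score_wire(NEW_VENDOR, HISTORY)),
    }


if __name__ == "__main__":
    for name, wire in (("attack", ATTACK), ("routine", ROUTINE), ("new_vendor", NEW_VENDOR)):
        reasons = score_wire(wire, HISTORY)
        print(f"{name}: {decide(reasons)} {reasons}")
```

The takeover order trips four indicators and is held, the routine payment is released, and a first payment to a new vendor gets a single indicator and goes to review rather than being blocked outright. The "hold" outcome is where this layer and the dual-factor layer meet: confirmation must travel over a channel the session does not control, because an attacker who already holds the customer's credentials and browser can answer anything asked in-band.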
