Pub. 5 2015-2016 Issue 2

OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS September • October 2015 17

the courts use the FFIEC guidance to determine whether the bank's security procedure was commercially reasonable and in good faith. Courts sometimes confuse commercially reasonable and good faith. By employing layered security and complying with the FFIEC Guidance, banks can show their security procedures were commercially reasonable and in good faith. Layered security is one of the best ways to protect a financial institution from civil liability as well as protect customers' assets from the threats of deposit account takeover.

How the courts are resolving cyberattack disputes: the two key cases. There are two key federal appellate decisions in this area—one in favor of the customer and the other in favor of the bank.

In 2012, the First Circuit held that a bank's security procedure was not commercially reasonable even though it used dual-factor authentication. In Patco Construction Co., Inc. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012), the bank employed multiple security procedures to comply with the 2005 FFIEC guidance, but it lost the case because at least one procedure was counter-productive. Most notably, the security company's software allowed banks to set a threshold amount for transactions that would trigger a security challenge question to authenticate the transaction. Initially, the bank in Patco set the threshold at $100,000. The bank later lowered the threshold to $1, effectively requiring security challenge questions on every internet transaction. The First Circuit held that the lower threshold of $1 triggering the challenge questions hurt customers by increasing the risk of fraud. The court's rationale was that requiring challenge questions on every transaction gave hackers more opportunity to capture the vital information.
The court also held that the bank did not have a practice of closely monitoring all transactions, even if it had warning that fraud was occurring. The court held that these failures, taken as a whole, showed that the bank's security procedure was not commercially reasonable. This First Circuit case is significant because it shows that employing multi-layered authentication may still not insulate financial institutions from liability.

In contrast to the First Circuit's decision, a 2014 case from the Eighth Circuit ruled in favor of the bank. In Choice Escrow and Land Title, LLC. v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014), the Eighth Circuit ruled that the bank's security procedure was commercially reasonable and the bank acted in good faith. The bank provided four security measures for its customers. The Eighth Circuit held that the bank's four levels of security authentication were commercially reasonable, even though the customer in the case had rejected two of them. The court noted that the UCCC releases a bank from liability if a security procedure is offered to a customer and the customer declines the procedure in writing and agrees to a different procedure. This effectively shifts the liability to the customer. Importantly, the Eighth Circuit relied on the FFIEC guidance as a test for determining what is a commercially reasonable security procedure. The court called the FFIEC guidance the "primary authority" in measuring the reasonableness of a security measure. This is important for financial institutions to note, since the courts are relying heavily upon the FFIEC guidelines when considering liability in cases of cyberattacks.

Conclusion. One of the best ways for a bank to protect itself against liability is to take action and measures that are in accord with the FFIEC guidance, including the 2015 version.
The best course of action for financial institutions is to work with legal counsel to ensure the institution is up-to-date with the guidance issued by the FFIEC. Although the 2015 guidance attests that it "does not contain any new regulatory expectations," experience shows that bank compliance with the new guidance is the best way to manage the risk of deposit account takeover.
