As bankers, we all know that trust is at the core of the bank-customer relationship. Without the trust and confidence of our customers, we don’t have customers. It’s that simple. That said, there’s something else that can come between banks and their customers, a little something called “good faith”.
According to one U.S. District Judge, the inability to act in good faith by adhering to requirements under Uniform Commercial Code (UCC) Article 4A for accepting and processing fraudulent payment transfers has caused a bank substantial financial loss, and could ultimately cost it customers and future profits as a result of damage to the bank’s reputation.
As reported in the article “Court Says Bank Must Pay After Customer Is Hacked,” a Michigan judge ruled that a bank did not carry its burden of proving that it acted in “good faith” by acting in accordance with reasonable commercial standards of fair dealing in processing fraudulent transactions. As a result, the court ruled that the bank had to pay the Plaintiff $560,000 in damages.
While the bank did satisfy several UCC requirements for authenticating transfers through a security procedure that was commercially reasonable, it failed to provide enough evidence of meeting reasonable commercial standards for responding to phishing-related fraud, in which the Plaintiff lost $1.9 million from 93 fraudulent transfers after an employee was tricked into entering their confidential security token identification and other online credentials.
Had the financial institution acted in accordance with the reasonable standards, the judge said it would have been able to identify the fraudulent transactions based on the customer’s volume and frequency of orders, the large overdraft, and the destination and identities of the beneficiaries.
“A bank dealing fair with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”
With so much attention on meeting the updated Federal Financial Institutions Examination Council (FFIEC) authentication guidelines, banking institutions need to ask themselves if their current authentication strategy is putting their business, customers and reputation at risk. If so, they may be legally liable, even if the fraudulent payment transfers submitted to the bank are initiated by valid customer credentials.
Today, it is more important than ever that financial institutions take a proactive, multi-layered approach against bank fraud across all banking channels, including the telephone channel. Doing so helps ensure their bank is in accordance with the required standards for identifying fraudulent transactions, and is essential for building and maintaining a high level of trust and confidence with their customers.
An identity authentication solution such as the TrustID® network-based Physical Caller Authentication tool helps banks protect the telephone channel by making the phone number a valid “Something you have” authentication credential, an essential piece of the FFIEC’s multi-factor authentication paradigm for identifying customers. By automatically validating the physical location of the caller before the phone is answered, banks proactively identify fraudulent calls and address good customer inquiries faster, all without putting them through burdensome telephone interrogations that are required by other knowledge-based authentication (KBA) solutions.
When TrustID’s automatic caller authentication secures the telephone channel and helps banks meet the FFIEC’s requirements for increased multi-factor authentication, financial institutions are better equipped to protect their business, shareholders’ investments and customer accounts from fraudulent transactions, which as we know can result in long-term reputation damage and significant financial losses.