This case involves a construction company that utilized an online banking program for its weekly payroll. At the time that the company became a customer, the bank used an information security system that required customers to answer “challenge questions” for all transfers over $100,000. Several years later, the bank changed its security system to require that customers answer challenge questions for all transfers over $1. Prior to the change, none of the company’s transfers required challenge questions. After the change, all of the company’s transfers triggered the challenge questions. Computer hackers infiltrated the company’s account, bypassing its firewall and encryption protections, and initiated six fraudulent transfers totaling $588,850. The bank’s Internet security system flagged each of the six transactions as “high risk” because they were inconsistent with the timing, value, and geographic location of the company’s regular payment orders. In spite of this, the bank’s security system did not notify the company about the suspicious transactions and allowed the payments to go through. An expert witness in software development, digital forensics, computer consulting, and computer security was sought to opine on the issue.
Question(s) For Expert Witness
1. Can a bank be held liable if its security system fails to notify a commercial customer of suspicious transactions?
Expert Witness Response
Under Article 4A of the Uniform Commercial Code (UCC), a bank is generally responsible for the loss of any unauthorized funds transfer. However, a bank may shift the risk of loss to a commercial customer if the transfer followed commercially reasonable security procedures. Under Article 4A of the UCC, if a commercial customer and a bank have an agreement about security procedures for a business account, the bank cannot be held liable for a fraudulent transfer if the bank’s security system is commercially reasonable and if the bank authorized the transfer in good faith and in compliance with the security procedures. In this case, the change of security procedures by the bank definitely subjected the company’s account to fraud because thieves could use computer malware (i.e., malicious software) to steal the customized answers to the challenge questions. The requirement that the company answer challenge questions for transfers over $1 increased the frequency with which the company was required to enter the answers to their challenge questions. Since the company regularly made these types of transfers, this increased the risk that the answers would be compromised by malware that could capture the information for unauthorized users. Since the bank also failed to notify the company when the high-risk transfers were flagged, the bank probably used commercially unreasonable security procedures in this case.
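The two security-engineering points in this case (a risk score that flags a transfer as inconsistent with the customer's usual timing, value and geography, and a challenge-question threshold whose level decides how often the customer's secrets are typed in and therefore exposed to keylogging malware) can be made concrete with a small model. The code below is an added illustration written for this page; it is not the bank's system, and the payroll history, dates, country codes and function names are constructed assumptions. It builds a baseline profile from past payroll transfers, scores a new transfer on the three dimensions the summary names, routes anything flagged to a hold-and-notify path rather than releasing it silently, and counts how many routine transfers each challenge threshold would prompt for.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Transfer:
    amount: float            # USD
    submitted: datetime      # when the payment order was entered
    origin_country: str      # country of the session that submitted it


def build_profile(history):
    """Summarize the customer's normal behaviour from past transfers."""
    amounts = [t.amount for t in history]
    return {
        "mean_amount": mean(amounts),
        "std_amount": pstdev(amounts) or 1.0,   # avoid division by zero
        "weekdays": {t.submitted.weekday() for t in history},
        "countries": {t.origin_country for t in history},
    }


def score_transfer(transfer, profile):
    """Return the list of dimensions on which the transfer is anomalous.

    Value: more than three standard deviations above the usual amount.
    Timing: submitted on a weekday the customer has never used.
    Geography: submitted from a country never seen before.
    """
    reasons = []
    z = (transfer.amount - profile["mean_amount"]) / profile["std_amount"]
    if z > 3:
        reasons.append("value")
    if transfer.submitted.weekday() not in profile["weekdays"]:
        reasons.append("timing")
    if transfer.origin_country not in profile["countries"]:
        reasons.append("geography")
    return reasons


def decide(transfer, profile):
    """A flagged transfer is held and the customer is notified out of band;
    only an unflagged transfer is released. Flagging without notifying,
    as in the case above, is the gap this step is meant to close."""
    reasons = score_transfer(transfer, profile)
    if reasons:
        return {"action": "hold_and_notify", "reasons": reasons}
    return {"action": "release", "reasons": []}


def challenge_prompts(history, threshold):
    """How many of the customer's routine transfers would have forced the
    challenge answers to be typed in under a given threshold. Every prompt
    is one more chance for malware on the customer's machine to capture them."""
    return sum(1 for t in history if t.amount > threshold)


# Constructed weekly payroll history: Thursdays, ~$36k, submitted from "US".
PAYROLL_HISTORY = [
    Transfer(36000.0, datetime(2023, 3, 2), "US"),
    Transfer(37500.0, datetime(2023, 3, 9), "US"),
    Transfer(35000.0, datetime(2023, 3, 16), "US"),
    Transfer(38000.0, datetime(2023, 3, 23), "US"),
    Transfer(36500.0, datetime(2023, 3, 30), "US"),
]
PROFILE = build_profile(PAYROLL_HISTORY)

# Constructed examples: the next normal payroll run and an out-of-pattern order.
NORMAL_RUN = Transfer(36800.0, datetime(2023, 4, 6), "US")        # Thursday
SUSPICIOUS = Transfer(115000.0, datetime(2023, 4, 3), "ZZ")      # Monday, unseen country

if __name__ == "__main__":
    print(decide(NORMAL_RUN, PROFILE))
    print(decide(SUSPICIOUS, PROFILE))
    for threshold in (100000, 1):
        print(f"threshold ${threshold}: {challenge_prompts(PAYROLL_HISTORY, threshold)} prompts")
```

The scoring rules here are deliberately simple; a production system would use richer features, but the structural point is the same: the output of the risk score has to feed a decision that either holds the payment or tells the customer, and the challenge threshold should be set so that the customer's secrets are requested as rarely as the risk model allows, not on every routine transfer.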