In theory, these security procedures are intended to provide benefits to both the bank and its customers. This easy access to financial accounts makes Internet banking a common target for hackers and other online criminals, however. that the processing of such fraudulent payment orders comported with reasonable commercial standards of fair dealing (i.e., that the bank's response to and processing of the payment orders was in line with what other similarly situated banks would have done if one of their customers was victimized by a phishing scheme). THE SECURITY OF ELECTRONIC BANKING Yi-Jen Yang 2403 Metzerott Rd. When reviewing an ATM program, both physical and logical controls should be considered. Nonetheless, the court held that the risk of loss test had not been satisfied because the bank had not set forth evidence that it had acted in good faith in processing the fraudulent payment orders. Enhanced Transaction Security: An additional security procedure that may be required by Bank includes the use of one-time passcodes for certain transactional functionality associated with ACH transactions and wire transfers. take a payment through an electronic payment terminal, handle a card number read to you over the phone, handle a card number received in a letter ... Security Issues Relating to Internet Banking. The only exception to this shifting of the risk of loss onto the bank would be if the bank could establish that the customer was nonetheless bound by the fraudulent payment orders under the law of agency.
§ 326.4] Subpart B: Procedures for Monitoring Bank Security Act Compliance § 326.8 Bank ... Although this scenario seldom occurs, it's a possibility that shouldn't be ruled out ... Instead, as noted by the court, the evidence suggested that it was unlikely that the bank's response and actions comported with reasonable commercial standards of fair dealing given, among other things: As a result, the court found that the good faith requirement under the Article 4A risk of loss test had not been met and, therefore, Comerica Bank bore the risk of loss for $560,000 in EMI funds that could not be recovered. The safety of our customer's funds and transaction processing is paramount. BENEFITS/CONCERNS OF E-BANKING BENEFITS OF E-BANKING For Banks: Price: In the long run a bank can save money by not paying for tellers or for managing branches. For the bank, the security procedures offer greater assurance that the online payment orders issued in a customer's name are in fact authorized by that customer and can be safely acted upon. Staff Integrity. In a recent case, Patco Construction Company, Inc. v. People's United Bank (d/b/a Ocean Bank), 2012 U.S. App. (a) Authority, purpose, and scope. © 2021 Vorys, Sater, Seymour and Pease LLP. As such, these recent decisions should serve as a reminder to all banks that they need to remain steadfast and proactive in their commitment to providing sufficient protection for their commercial customers' online bank accounts. Some states and municipalities have specific limits. Experi-Metal, Inc. (EMI), a Michigan-based metal fabricating company and the plaintiff in the June 2011 case of Experi-Metal, Inc. v. Comerica Bank, was the victim of an email phishing scheme wherein cybercriminals obtained the log-in information of EMI's controller and used that information to initiate 93 fraudulent online payment orders totaling more than $1.9 million. The bank, Comerica Bank (then the 31st largest bank in the U.S. 
by total assets), had implemented various security procedures to protect EMI's accounts, such as user IDs and passwords, challenge questions and token codes, and had also established an internal bank policy for responding to fraudulent payment orders initiated through phishing schemes. Until recently, it appears that customers were largely unsuccessful in bringing such lawsuits. In the case, the court discussed the bundle of security measures that Ocean Bank employed for Patco's online bank accounts. These online bank accounts are protected to varying degrees by one or more security procedures (e.g., user IDs and passwords, challenge questions, token codes, risk scoring and monitoring, customer notification, etc.). The bank and the customer agree that the funds transfer will be verified pursuant to a security procedure; the bank's security procedure is a commercially reasonable method of providing security against unauthorized payment orders; and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure. The court also stressed those security measures that were not implemented for Patco's online bank accounts, including, among other things, bank monitoring of the risk-score reports that were generated, and manual review and customer notification of high risk-scoring transactions. Security Procedures Consider this scenario, while keeping security procedures at your organization in the back of your mind. Customers can confirm their password log-in with an additional security code that is texted to their mobile phone or other device, known as "two-step verification" or "two-factor authentication". 
The term had been defined in many ways by researchers mainly because electronic banking refers to several types of services through which customers can request As one could imagine, commercial customers incurring significant financial losses as a result of fraudulent electronic payment orders may decide to file lawsuits against their banks in an effort to recover funds lost due to the online fraud. If the bank acts on any of these unauthorized payment orders, the question becomes who should bear the risk of loss for any funds of the customer that cannot be recovered – the customer or the bank? In addition, there should be board-approved, documented policies and procedures addressing dual control for ATM access as well as maintenance, security procedures, patch management, network security, and fraud monitoring and protection. Ultimately, the court ruled that the security procedures used by Ocean Bank were not "commercially reasonable" for the purpose of protecting Patco's accounts. To prevent confusion and disagreements, make sure you establish security deposit policies and procedures that address the following: Amount: Usually no more than the equivalent of one or two months' rent. While the Brattleboro Savings & Loan has implemented a number of security features to make your online banking experience as safe as possible, it is important that you as a consumer do
E-Banking. On the other hand, if it is found that any one or more of these elements have not been met, then the risk of loss will shift to the bank, and it will be the bank that is required to refund to the customer all amounts that were transferred out of the customer's bank accounts as a result of the fraudulent electronic payment orders and not otherwise recovered. 
Banking via the Internet is an easy way to monitor your business's finances, allowing you to view payments and deposits on demand. The number, type and extent to which these security procedures are employed will often depend on the capabilities of the bank and the needs and financial resources of a particular commercial customer. Plus, it's cheaper to make transactions over the Internet. In reaching this decision, the court found the following failures of Ocean Bank's security, when considered collectively, to be determinative: In making this decision, the court also noted that the bank's reliance on challenge questions without implementing additional layers of security was cautioned against by bank regulators and by the third-party vendors that supplied such security software, was not common amongst New England community banks in combating the ever-growing problem of internet fraud, and was especially unreasonable given the fact that the bank had itself previously been the victim of fraud involving keylogging malware. Several members of your executive team have been threatened. the bank acted on the payment order which turned out to be fraudulent in good faith and only after verifying its authenticity in compliance with such security procedures. This booklet, one of several comprising the FFIEC Information Technology Examination Handbook (IT Handbook), provides guidance to examiners and financial institutions on identifying and controlling the risks associated with electronic banking (e-banking) activities. 
Under Article 4A, the risk of loss for any payment order fraudulently initiated by a cybercriminal and acted upon by a bank will generally fall on the customer in whose name such payment order was issued if all of the following elements are met: With respect to determining whether certain security procedures are "commercially reasonable," Article 4A requires that the following factors be considered: If each of the three elements identified above is met, then the risk of loss for any damages incurred by the commercial customer as a result of the bank acting on a fraudulent payment order from a cybercriminal will generally be borne by the customer, as Article 4A deems it ultimately the customer's "fault" for allowing a third party (i.e., the cybercriminal) to improperly obtain access to the customer's online bank accounts despite adequate security measures being in place and followed by the bank. There's been talk about a strike due to the possibility that your organization may be seeking concessions. An ATM is an electronic communication device and, therefore, the controls ... Many banks and credit unions allow customers to get text and email alerts about certain transactions in their accounts. The challenges that oppose electronic banking are concerns about the security and privacy of information. Electronic payments are considered to be more secure for a number of reasons, including: • They are secure and encrypted and can be protected with a secure one-time password (OTP) and with multilevel authorisations and approvals. With respect to the good faith requirement, the court noted that the burden of proof under Article 4A was on the bank to establish: The court found that Comerica Bank had failed to set forth any evidence that this second element of good faith had been established. Due date: Usually [...] The security of internet banking is paramount while banking through the internet. 
Advanced Login Authentication is a standard and required part of every login to Business Online Banking. 9 policies and procedures you need to know about if you're starting a new security program Any mature security program requires each of these infosec policies, documents and procedures. To do this, the bank would need to show that there was some type of pre-existing relationship between the customer and the cybercriminal that justifies holding the customer responsible for the cybercriminal's actions (e.g., if the cybercriminal was a customer insider). The first line of defense at a bank is the front door, which is designed to allow people to enter and leave while providing a first layer of defense against thieves. the customer and the bank have agreed that the authenticity of payment orders issued to the bank in the name of the customer will be verified by the bank prior to acceptance pursuant to agreed-upon security procedures; such security procedures are "commercially reasonable"; and. With this information, these criminals can then attempt to access the customer's online bank accounts and, if successful, initiate fraudulent payment orders for substantial sums of money. 2. For a customer, the security procedures serve as a safeguard against unauthorized access to and use of that customer's bank accounts and confidential information. the types of security procedures generally in use by similarly situated banks and customers. Those protections included log-in IDs and passwords, computer tracking cookies, risk profiling and scoring reports, and challenge questions triggered for high-risk transactions or transactions over certain dollar amounts. A Guide to Online Banking Security Practices and Procedures For a safer online experience it is important to understand the threats that exist on the internet. 
As a result, the court held that Ocean Bank could be found liable for over $345,000 in losses from Patco's bank accounts caused by fraudulent payment orders placed over a period of seven days by a cybercriminal who used keylogger malware to steal confidential banking information (usernames, passwords and answers to challenge questions) from Patco employees. Pursuant to section 3 of the Bank Protection Act of 1968 (12 U.S.C. What is certain, however, is that the instances and complexity of cybercrime affecting the U.S. online banking system continue to rise at an alarming pace, and the potential losses that banks could be subject to for implementing inadequate security procedures are considerable. The union's contract is ready to expire. Finally, proper documentation should be generated by the bank at all stages of the security procedure assessment, selection and implementation process. Some of the most common security measures for online banking include the following: Customers log in with a password. Unfortunately, due to the drastic increase in the number and sophistication of cybercriminals, a commercial customer's online bank accounts may still be susceptible to improper access and use despite the customer's and bank's adherence to one or more agreed-upon security procedures. Banking through the Internet has played a key role in changing how we interact with other people and how we do business today. 