Courts have focused on the “commercially reasonable” standard when deciding whether the bank or the customer would bear the risk of loss. Just like the tactics of fraudulent bad actors, the legal standard of what is considered “commercially reasonable” will evolve over time.
(1) Review and Document Current Security Procedures.
Before a bank can make a determination as to whether its security procedures are commercially reasonable, it has to know what its procedures are – which may be difficult to determine. An institution must first look at the products it offers that require security procedures. The major areas typically include access to:
This documentation process will ensure that a bank has identified exactly what its procedures are before it attempts to determine whether those procedures are commercially reasonable. The documentation should be updated as the procedures change.
(2) Document Transaction Monitoring.
While one court has held that transaction monitoring is not a security procedure, another court held that a bank’s failure to review transactions that were identified by the monitoring system was a basis for the court’s ruling that the security procedures were not commercially reasonable. Therefore, an institution should document the various systems it uses to monitor transactions, the action that is required when the system flags a transaction, and who or what department has the responsibility for reviewing the various system reports.
(3) Compare Security Procedures with FFIEC Guidance.
Several courts have held that the FFIEC Guidance on Authentication in an Internet Environment is the security procedure that must be followed by a financial institution. Right or wrong, these courts have held that the FFIEC Guidance is the "commercially reasonable" security procedure. Therefore, after documenting its security procedures, a bank should compare them to the procedures contained in the Guidance to ensure that they are in line with it. For example, the Guidance requires that a bank use multifactor authentication when authenticating access to high-risk information or when initiating transfers. So, if a bank’s security procedures only require a User I.D. and password plus answers to challenge questions, the security procedures would not meet the Guidance requirements, because a password and challenge-question answers are both things the user knows and therefore count as a single factor. Institutions should have their operations managers go through a step-by-step analysis to understand the Guidance requirements and then compare their procedures to the Guidance to ensure that they meet the basic requirements.
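The factor-counting point above is easy to get wrong in a procedure review, so here is an added example (not from the original article or the FFIEC Guidance) that classifies the credentials a procedure relies on into the three standard factor categories and reports whether the combination is actually multifactor. The credential names and the mapping table are assumptions chosen for illustration; a real review would use the bank’s own documented procedure inventory.

```python
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories."""
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Assumed mapping from credential types to factor categories (illustrative only).
# A user ID is an identifier, not a secret, so it contributes no factor at all.
CREDENTIAL_FACTOR = {
    "user_id": None,
    "password": Factor.KNOWLEDGE,
    "challenge_questions": Factor.KNOWLEDGE,
    "hardware_token_otp": Factor.POSSESSION,
    "registered_device_certificate": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def distinct_factors(credentials):
    """Return the set of distinct factor categories a credential list covers.

    Raises ValueError for a credential type that has not been classified, so an
    undocumented control cannot silently count toward the factor total.
    """
    factors = set()
    for cred in credentials:
        if cred not in CREDENTIAL_FACTOR:
            raise ValueError(f"unclassified credential type: {cred!r}")
        factor = CREDENTIAL_FACTOR[cred]
        if factor is not None:
            factors.add(factor)
    return factors


def is_multifactor(credentials):
    """True only if at least two *different* factor categories are required."""
    return len(distinct_factors(credentials)) >= 2


def assess_procedure(name, credentials, high_risk):
    """Summarize whether a documented procedure meets the multifactor expectation.

    high_risk=True marks access to high-risk information or transfer initiation,
    where the Guidance discussed above calls for multifactor authentication.
    """
    factors = sorted(f.name for f in distinct_factors(credentials))
    mfa = len(factors) >= 2
    gap = high_risk and not mfa
    return {
        "procedure": name,
        "factors": factors,
        "multifactor": mfa,
        "gap_for_high_risk_use": gap,
    }


if __name__ == "__main__":
    # Constructed sample procedures, not any real bank's inventory.
    for name, creds, risky in [
        ("internet banking login", ["user_id", "password", "challenge_questions"], False),
        ("wire initiation", ["user_id", "password", "challenge_questions"], True),
        ("wire initiation (token)", ["user_id", "password", "hardware_token_otp"], True),
    ]:
        print(assess_procedure(name, creds, risky))
```

Running the script lists each constructed procedure with the factor categories it covers; the second entry is flagged because a password and challenge questions both sit in the knowledge category, while the third passes once a possession factor is added.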
(4) Compare Security Procedures with Other Financial Institutions.
Most financial institutions are willing to share non-competitive information, especially if the organizations both belong to a user group sponsored by the same processor. Once a bank has documented its security procedures, it can compare them to similarly situated financial institutions. This is particularly effective because courts will compare a bank’s procedures to procedures generally used in the industry when determining whether its security procedures are commercially reasonable.
(5) Compare Security Procedures to Case Law.
Several courts have given opinions as to whether a financial institution’s security procedures are commercially reasonable. While some court holdings won’t be binding on courts in every jurisdiction, judges may still rely on these decisions. If anything, the factual circumstances in these cases provide examples of practices that banks should avoid or focus on. For example, at least two courts have held that Dual Control is a commercially reasonable security procedure. Dual Control is a procedure that requires one employee to initiate a transaction, such as a wire transfer, and a second, different employee to verify and release the transaction. Several cases can be found by simply doing an Internet search.
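To make the Dual Control rule concrete, here is an added example (not from the article or any court opinion) of a minimal wire-release queue that enforces the procedure as described: a transfer must be initiated by one employee and released by a different one, and every step is written to an audit trail so the bank can later document that the procedure was followed. The class names, employee identifiers and the in-memory queue are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class DualControlViolation(Exception):
    """Raised when the same employee tries to both initiate and release a wire."""


@dataclass
class WireTransfer:
    wire_id: str
    amount_cents: int            # integer cents avoids floating-point rounding
    initiated_by: str
    approved_by: Optional[str] = None
    released: bool = False
    audit_trail: List[str] = field(default_factory=list)


class WireQueue:
    """Holds wires awaiting a second-employee release."""

    def __init__(self):
        self._wires = {}

    def initiate(self, wire_id, amount_cents, employee):
        if wire_id in self._wires:
            raise ValueError(f"wire {wire_id} already exists")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        wire = WireTransfer(wire_id, amount_cents, initiated_by=employee)
        wire.audit_trail.append(f"initiated by {employee}")
        self._wires[wire_id] = wire
        return wire

    def approve_and_release(self, wire_id, employee):
        wire = self._wires[wire_id]
        if wire.released:
            raise ValueError(f"wire {wire_id} already released")
        # The core Dual Control check: the releasing employee must differ
        # from the initiator. The rejection is recorded, not silently dropped.
        if employee == wire.initiated_by:
            wire.audit_trail.append(f"release by {employee} rejected: same as initiator")
            raise DualControlViolation(
                f"{employee} initiated wire {wire_id} and may not release it"
            )
        wire.approved_by = employee
        wire.released = True
        wire.audit_trail.append(f"verified and released by {employee}")
        return wire

    def pending(self):
        return [w.wire_id for w in self._wires.values() if not w.released]


if __name__ == "__main__":
    # Constructed sample: two employees, one wire.
    q = WireQueue()
    q.initiate("W-1001", 250_000_00, "alice")
    try:
        q.approve_and_release("W-1001", "alice")
    except DualControlViolation as e:
        print("blocked:", e)
    w = q.approve_and_release("W-1001", "bob")
    print(w.released, w.audit_trail)
```

The same pattern extends to ACH origination batches or to any other transaction type the agreements in step (6) cover; the important design property is that the system, not the operator, enforces the separation, and that the audit trail records both the successful release and any rejected single-person attempt.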
(6) Review Agreements for Proper Language.
The UCC provides that a security procedure is an agreement between the financial institution and the customer. Therefore, the customer and the financial institution must agree that transactions will be authenticated in accordance with the security procedures. This can be accomplished through the various contracts between the financial institution and the customer. The primary agreements that should contain the proper language include the Internet Banking Agreement, the Wire Transfer Agreement, and the ACH Origination Agreement. Other agreements may be necessary, depending on the products and services offered by the bank.
If a financial institution is going to allow the customer to reject any of the security procedures, the agreement should include a provision that, if the bank offers the customer a security procedure and the customer rejects it, the customer agrees that the customer-selected security procedure is commercially reasonable. The specific security procedures should either be included in an attachment to the agreement or referenced to another document or site that contains the security procedure. The customer’s rejection of the bank’s security procedure should be in writing and signed by the customer.