The American Land Titles Assocation reported on a case invovling a U.S. escrow company that had its bank account hacked by cyber criminals. While Canada doesn’t have escrow companies of this kind, it still serves as a lesson in what can happen if law firms don’t take adequate steps to protect against cyber attacks on their trust account. This company is paying the price because it felt that additional cybersecurity steps weren’t convenient.
A Missouri-based title company may appeal to the U.S. Supreme Court after a federal appeals court denied a request to rehear a case involving the fraudulent transfers $440,000 from a trust account in 2010.
On July 17, the U.S. Court of Appeals for the Eighth Circuit denied Choice Escrow Land Title’s petition for a rehearing of its case against against Mississippi-based BancorpSouth. The court also rejected the title company’s request to have the case reviewed before the entire appellate bench rather than just a panel of judges.
In March 2010, hackers stole the title company’s online banking ID and password and made the unauthorized wire transfers to a corporate bank account in Cyprus.
Jim Payne, co-owner of Choice Escrow, said he is disappointed with the decision and that his company is considering options and may seek a writ of certiorari from the U.S. Supreme Court. A writ of certiorari is a decision by the Supreme Court to hear an appeal from a lower court.
Choice Escrow opened a trust account with BancorpSouth in 2009. The bank, at the time, encouraged customers to utilize Dual Control, which mandated that two individuals use separate user IDs and passwords to complete an electronic wire transfer. According to court documents, the title company twice declined this safety measure, citing a preference for convenience and that the employee who handled wire transfers was in the office by herself.
In June, a panel of Eighth Circuit judges ruled that Choice Escrow was responsible for the losses it suffered from the fraudulent transfer. The panel found that the liability for account takeover losses shifted when the escrow company declined to use a two-person authorization security feature offered by the bank. The court also ordered Choice Escrow pay to pay all the bank’s legal fees associated with the lawsuit.
In its appeal, Choice Escrow said that it sent an email in November 2009 to BancorpSouth instructing the bank to limit transfers to foreign banks. Attached to the email was a bulletin from Choice Escrow’s underwriter warning of the threat of foreign cyber-criminals stealing funds from escrow/trust accounts and advising that all wiring capabilities to foreign banks be disabled.
Choice Escrow contends that BancorpSouth’s verification procedures for wire transfers were not commercially reasonable under the Uniform Commercial Code’s Article 4A, which is adopted by the state. It also contends the procedures failed to meet the good faith standard outlined by the Federal Financial Institutions Examination Council in its 2005 guidance for Internet banking transactions by not meeting the multifactor authentication requirement.
In its 92-page appeal, Choice Escrow claimed that:
- BancorpSouth failed to provide adequate transactional analysis
- The bank should have granted Choice’s request to limit or block foreign transactions
- BancorpSouth’s use of only a username and password at login did not constitute multifactor verification
- The bank’s limited dual control offers were not reasonable for a business the size of Choice
According to Steve Gottheim, ALTA’s legislative and regulatory counsel, an instructive take away from the Escrow Choice decision is that unlike consumer accounts, banks have the ability to shift liability for fraudulent transfers out of a business account. The Eighth Circuit ruling highlights the importance of implementing ALTA’s “Title Insurance and Settlement Company Best Practices.” The second pillar of the Best Practices encourages appropriate and effective escrow controls and staff training to help title and settlement companies meet client and legal requirements for the safeguarding of client funds. These procedures help ensure accuracy and minimize the exposure to loss of client funds. In addition, the third pillar offers guidance to implement a written privacy and information security program.
“This is why proper network security is important, but also utilizing all the security processes offered by the bank and to encourage them to offer processes not currently available,” Gottheim said. “While international wire transfer blocks are included in the Best Practices, they are not universally available by all commercial banks. Interestingly, in this case there is a discussion of an email conversation between the escrow company and bank about the possibility of foreign wire blocks which were not available. Rather than press the issue with the bank, the escrow company dropped it. Part of the courts holding is that by dropping the issue, the email cannot be considered an instruction to the bank. If it had been an instruction then the bank would be liable.”
Payne said he’s considering an appeal because the ruling conflicts with a decision by the First Circuit Court of Appeals in PATCO Construction Inc. vs. People’s United Bank. In PATCO, the appeals court held the bank liable for fraudulent ACH transfers. In this situation, however, the commercial client used every security system the bank made available, unlike Choice Escrow, which declined dual control verification procedures for wire transfers.
The First Circuit held that under article 4 of the UCC the community bank could not shift the liability of loss to the commercial customer because the online banking security program was not commercially reasonably. Additionally, the court suggested that a bank’s security system should compare in sophistication to other similarly situated banks.
“This is another good reason for commercial clients such as title companies to push banks to adopt stronger security programs like international wire blocks, variants of positive pay and voice authentication,” Gottheim said.