Pub. 6 2015 Issue 4

winter 2015 15 West Virginia Banker security system and focused on several features in particular. First, if a payment transfer exceeded a dollar threshold, the customer had to answer special security questions. For all of its customers, the bank set the threshold at $1.00, and, con- sequently, every transfer required answer- ing special security questions. If a user’s computer was infected with “keyloggers” or other malware that would capture key- strokes, the answers to the security ques- tions would be easy to obtain because the user would be entering the same answers at many points during the day. Additionally, the court found that the bank was not monitoring warnings from its software that showed the customer was making uncharacteristic transactions. Therefore, the bank did not stop the payment transfers or notify the customer. The court looked at similarly situated institutions and identified that they were using additional security procedures not implemented at Ocean Bank. Although the United States Court of Ap- peals for the First Circuit concluded that the bank’s security procedures were not reasonable, it also said that the customer had responsibilities for implementing certain security procedures. Therefore, the matter was remanded for further finds on this point. Notwithstanding, the case settled for the amount of the loss plus interest before the trial court could address the customer’s conduct. Best Practices As is evident from a review of these cases, the determination of commercially reason- ableness is the key to determining whether a financial institution or its commercial customer bears the risk of loss under UCC Article 4A. •The FFIEC guidelines are a standard and must be the cornerstone of secu- rity standards. • Shop around and document a deci- sion. Part of the process is assessing what similarly situated institutions are doing, so utilize vendors to help understand that aspect as well. • Security procedures can and should vary among customers. Analyze what the transfer habits and patterns are for given customers and work to implement an appropriate solution for that account. •Monitor security software notifi- cations. The UCC requires that the bank’s employees perform acts required by the security procedure. •Discuss the process with customers. Build the partnership with clients, and they can avoid such thefts. As this area of the law develops and as criminals become more sophisticated, it is imperative that banks and other financial institutions implement security proce- dures that are reasonable for the customer and the institution itself. The process of selecting and implementing the procedures should be thorough and well-documented. Investments on avoiding these issues will pay dividends in happy customers, safe deposits, and improving one’s institution’s capabilities. n Reach your target audience a ordably. advertise get results KRIS MONTIONE Advertising Sales 727.475.9827 or 855.747.4003 kris@thenewslinkgroup.com R. Scott Adams is a Member attorney in SpilmanThomas&Battle’sWinston-Salem, North Carolina office. His primary area of practice is consumer financial services law. He can be reached at 336.631.1055 or sadams@spilmanlaw.com.