14 DAY TRIAL // The Court of Appeals for the Eight Circuit has denied an escrow firm, Choice Escrow, recovery of $440,000/323,000 EUR from the bank BancorpSouth, which approved a fraudulent wire transfer request.
Back in 2010, Choice Escrow lost the money because an attacker managed to get their hands on the online banking credentials for the company’s bank account. The cybercriminal initiated the transfer to a bank account in Cyprus.
They filed a lawsuit against BancorpSouth in order to recover the loss on the grounds that the bank had not had commercially reasonable security measures in place.
Article 4A of the Uniform Commercial Code (UCC) allows banks an exemption from liability in cases of online account takeover if security practices are deemed commercially reasonable.
However, the bank accused Choice Escrow of not following the security precautions they imposed, which would have prevented the incident. These consisted of setting a restriction for the upper limit in the case of wire transfers and the adoption of a dual-control procedure.
Dual-control would have proven a reliable safety measure since it involves authentication of two users for the money transfer to be conducted.
Since accessing the account was done with valid authentication credentials, BancorpSouth authorized the illegal transfer, even if it was initiated from outside the US.
Complying to the security protocols recommended by the banks may not always be possible, but the protection of financial assets cannot be carried out by a single party.
The Court of Appeals’ ruling is in agreement with a lower court’s decision and allows the bank to seek recovery of attorney fees from the escrow firm.