What Experi-Metal v. Comerica tells us
There was another interesting ruling last week concerning who's responsible if fraudulent transactions are made using a business's Internet banking account. This time the ruling was in Experi-Metal v. Comerica Bank. The situation was very similar to Patco Construction v. People's United Bank, which I recently commented on.
In Patco, malware was used to steal authentication credentials. In Experi-Metal, a phishing attack was used to steal authentication credentials. The courts ruled that the bank wasn't responsible for the fraudulent transactions in the case of Patco, but that it was in the case of Experi-Metal.
The big difference was that in the case of Experi-Metal, the judge ruled that the behavior of Comerica didn't appear to be in "good faith":
[After the phishing attack], the criminal initiated 97 wire transfer payment orders from Experi-Metal’s Sweep Account, totaling more than $1.9 million. There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident: the volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders; the $5 million overdraft created by those book transfers in what is regularly a zero balance account; Experi-Metal’s limited prior wire activity; the destinations and beneficiaries of the funds; and Comerica’s knowledge of prior and the current phishing attempts. This trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise.
So because the pattern of the fraudulent wire transfers was so different from Experi-Metal's usual pattern of behavior, the bank should have noticed the fraud if it was actually acting in good faith.
How does that differ from Patco?
Apparently in the case of Patco, the fraud wasn't quite as obvious, while in the case of Experi-Metal, the court ruled that it should have been obvious to the bank. And because there's still no clear definition of what level of fraudulent activity should be obvious to banks, we'll probably see more litigation in this area in the future. Maybe that's what Experi-Metal v. Comerica really tells us.