Whether a general counsel's company and its bank are large or small, technology can help manage the financial relationship between them. Both want convenient, flexible services delivered as securely as possible. Services previously offered primarily to sophisticated business customers are now commonplace for businesses of every size, at least in part because of the growth of online banking. Here is a review of certain financial products, along with a brief discussion of the emerging legal issues.
Remote deposit capture is a technique that allows bank customers to leverage technology to deposit checks in a convenient, efficient manner. Basically, the customer uses a scanner to capture the check image (front and back) and then transmits that image to its bank for electronic deposit.
This approach to check processing became possible after passage of the Check Clearing for the 21st Century Act, which was promoted by the Federal Reserve. Rather than ship paper checks around the United States for presentment and payment, the Fed sought to have checks clear electronically through the use of digital documents.
The scanned image must meet certain quality criteria, so many banks provide the scanner to the customer. These scanners also "frank" the check (i.e., spray it with a line such as "Scanned for Deposit; [date]; [ID]"). This is intended to prevent the customer from depositing the same check multiple times. Because the customer keeps the paper original, franking is a deterrent rather than a guarantee; the remote deposit capture agreement typically also requires the customer to retain the original securely for a set period and then destroy it.
Bank customers gain the advantage of being able to deposit checks on their schedules rather than hurrying to a bank facility before it closes. Typically, the bank significantly extends the cutoff hour for crediting the deposit, which gives the customer quicker access to the funds. The remote deposit capture agreement will spell this out, along with the allocation of risk between the bank and the customer.
Online banking capabilities have significantly expanded in the last decade. Although businesses still tend to produce more paper checks than any other customer type, many businesses also are signing up for an array of online banking products, including online bill payment and online initiation of wire transfers and automated clearinghouse transactions. These services provide quicker, more flexible access to the payments system. However, they significantly increase the risk profile for the customer.
In an online payment arrangement, the business customer must identify who is authorized to initiate transactions, including the types of transactions and the dollar limits. Some customers also want to be their own "administrator" for these authorizations so that access permissions are managed internally. While this is more flexible for the customer, it also creates more risk: an attacker who steals the administrator's credentials can create or elevate users, grant access to accomplices and transfer funds out of the account, all with what looks to the bank like an authorized instruction.
Thus, security procedures are extremely important to the customer and the bank. There is a newly developing area of case law on what constitutes a "commercially reasonable" security procedure. This determination is critical in allocating liability for unauthorized payment orders under Article 4A of the Uniform Commercial Code. On July 3 in Patco Construction Co. Inc. v. People's United Bank, the 1st U.S. Circuit Court of Appeals reversed the trial court, concluding in part that the bank's procedures were not commercially reasonable because it had set the dollar threshold that triggered challenge questions so low (one dollar) that the questions were asked on virtually every transaction, exposing the answers to the same malware that had captured the password.
Layers of Security
In addition, courts are wrestling with the impact of Federal Financial Institutions Examination Council guidance, "Authentication in an Internet Banking Environment," which was issued in 2005 and supplemented in 2011. Basically, the federal regulators recommend a multifactor or multilayered approach to authenticating online transactions, calibrated to a risk assessment of the transaction type.
There are three types of authentication factors: something the customer knows (e.g., a password), something the customer is (e.g., a fingerprint or retina scan) and something the customer has (e.g., a hardware token). For a high-risk transaction, it is appropriate to require two or more different factors before the transaction is completed. Lower-risk transactions might use a layered approach that stacks two or more controls of the same type (e.g., a login password plus challenge questions). The distinction matters: two "knows" controls are still a single factor, and malware that captures one from the customer's computer can usually capture the other, so layering is not a substitute for a second factor on high-value transfers.
Other security techniques are also available. First, the bank's system should build a profile of each customer's normal characteristics, such as IP address, device cookie ID, geolocation and transaction activity. A logon or transaction that differs from that profile is treated as anomalous, or "out of profile." Before permitting an anomalous logon, the system might prompt a challenge question. A large transaction outside the customer's norms might trigger out-of-band verification, meaning confirmation over a channel separate from the compromised browser session: a notification to the customer, a callback (voice) verification, an email approval or a cell phone-based challenge/response process. The value of these steps depends on reserving them for anomalies; a challenge that fires on every transaction trains the customer to answer it reflexively and exposes the answers to keyloggers.
Customers are expected to maintain good firewalls and malware protection at their end. They should establish their own risk profile with the bank and require dual control on transactions, typically above a dollar threshold: one user initiates the payment and a different user, on a different machine where possible, must approve it before release.
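The profile checks, step-up decisions and dual-control rule described above, as an added example that is not part of the original article or any bank's system. The profile fields, the thresholds (a three-standard-deviation amount test, a $5,000 dual-control limit) and the sample history are assumptions constructed for illustration; the point is the decision logic, which releases a payment only when it matches the customer's profile, escalates anomalies to out-of-band verification and refuses to let the initiator approve their own large transfer.

```python
"""Risk-based authentication and dual-control checks for an online banking
session. Added example: profile data and thresholds are constructed and are
not taken from any bank's system."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple


@dataclass
class CustomerProfile:
    known_ips: Set[str]          # addresses seen on prior authenticated sessions
    known_devices: Set[str]      # device cookie IDs previously enrolled
    usual_countries: Set[str]    # geolocation of prior sessions
    past_amounts: List[float]    # recent payment amounts (constructed history)
    dual_control_threshold: float  # customer-set limit above which a second approver is required


@dataclass
class Transaction:
    ip: str
    device_id: str
    country: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None


def login_risk(profile: CustomerProfile, ip: str, device_id: str, country: str) -> List[str]:
    """Return the profile anomalies observed at logon; empty means in profile."""
    anomalies = []
    if ip not in profile.known_ips:
        anomalies.append("new_ip")
    if device_id not in profile.known_devices:
        anomalies.append("new_device")
    if country not in profile.usual_countries:
        anomalies.append("new_country")
    return anomalies


def logon_decision(anomalies: List[str]) -> str:
    """Map logon anomalies to the authentication step required.

    A lone new IP is common (ISP address churn) and gets a challenge question;
    a new device or country requires a second, possessed factor rather than
    another 'something you know' control that malware could also capture."""
    if not anomalies:
        return "allow"
    if anomalies == ["new_ip"]:
        return "challenge_question"
    return "second_factor"


def amount_is_outlier(profile: CustomerProfile, amount: float, z: float = 3.0) -> bool:
    """Flag a payment far outside the customer's historical amounts.

    With little history, anything above the prior maximum is an outlier;
    otherwise use a z-score test plus a hard cap of twice the prior maximum."""
    hist = profile.past_amounts
    if len(hist) < 5:
        return amount > max(hist, default=0.0)
    mu, sd = mean(hist), pstdev(hist)
    return amount > mu + z * sd or amount > 2 * max(hist)


def payment_decision(profile: CustomerProfile, txn: Transaction) -> Tuple[str, List[str]]:
    """Decide how a payment order must be confirmed before funds are released."""
    reasons = login_risk(profile, txn.ip, txn.device_id, txn.country)
    if amount_is_outlier(profile, txn.amount):
        reasons.append("amount_outlier")
    # Dual control: above the threshold a second, distinct user must approve.
    if txn.amount > profile.dual_control_threshold:
        if txn.approved_by is None:
            return "hold_for_second_approver", reasons
        if txn.approved_by == txn.initiated_by:
            return "reject_same_user_approval", reasons
    # Anything out of profile is confirmed over a channel separate from the session.
    if reasons:
        return "out_of_band_verification", reasons
    return "release", reasons


# Constructed sample profile for a customer whose payments cluster near $1,200.
SAMPLE_PROFILE = CustomerProfile(
    known_ips={"203.0.113.10"},
    known_devices={"dev-A"},
    usual_countries={"US"},
    past_amounts=[1200.0, 950.0, 1500.0, 1100.0, 1300.0, 980.0, 1250.0],
    dual_control_threshold=5000.0,
)

if __name__ == "__main__":
    routine = Transaction("203.0.113.10", "dev-A", "US", 1400.0, "alice")
    print(payment_decision(SAMPLE_PROFILE, routine))
    large = Transaction("203.0.113.10", "dev-A", "US", 20000.0, "alice", approved_by="alice")
    print(payment_decision(SAMPLE_PROFILE, large))
```

The same outlier test is what keeps challenge questions rare: on this history, a $1,400 payment releases with no prompt, a $2,500 payment goes to out-of-band verification, and a $20,000 payment is held until a different user approves it and is then still verified out of band because the amount is unusual.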
In addition, customers should practice responsible access procedures themselves, and the legal department should play a role in developing those policies. For example, customers have had their credentials hijacked when logging on from open Wi-Fi networks and then accessing the company's online banking account to transact business; a policy that restricts online banking to designated, managed machines on the corporate network removes that exposure.
Bottom line: Opportunities for more efficient, flexible banking services are widely available. However, the bank offering the products and the business using them both need to be aware of the emerging legal and practical issues, particularly the allocation of responsibility for strong security procedures, because that allocation is what decides who bears the loss when an attacker succeeds.