Online Commercial Banking: Risky But necessary — Is Your Bank Taking Some of the Risk?
Hackers have tools to facilitate theft from company bank accounts. They find ways to mimic the bank customer and put through bogus transactions.
The banks have security systems and protocols to prevent theft. We hope they work, but if they don’t, will the bank step up and take responsibility? Will your bank?
Reviews of bank agreements say “don’t be too sure!”
Bank Account Hacking
Want a clear and entertaining look into the hacker world? Read The Confessions of Marcus Hutchins by Andy Greenwald in the June issue of Wired. Marcus was a teenage computer savant in Devon, England who got caught up in the hacker world, eventually snagged by US authorities for his exploits.
The article takes it from his early, innocent/mischievous days, to his getting in deeper and deeper, to the point of being instrumental in bank fraud program development. You can see how the hacker community was working to and eventually succeeding in perfecting a way to defeat two- factor authentication (where the customer gets a code texted to his/her cell phone).
The story is a great read for the beach, but it will leave you with an uneasy conviction that the various types of bank security can be breached at some point In that gap between that point, and the creation of the next generation of security, our bank accounts will be at risk.
If that happens, what will our agreements with our banks say about the loss?
The Problem of Bank Contracts
Don’t count on your bank stepping up automatically to make good on any hack from your bank account. Here is troubling language from one major bank’s “Cash Management Terms & Conditions”:
- “Limitation of Liability: …aggregate liability to Customer for all losses …shall not exceed an amount equal to [service fees] for the twelve month period immediately preceding the date [of loss].”
So, the bank is effectively walking away from any responsibility!
They would also like to walk away from even those paltry monthly fee settlements in some cases:
2. “[bank] shall not be liable for any loss, cost, damage or injury caused by any act or omission of any third party, whether or not such third party was chosen by [bank].” (italics added).
Let’s not stop there, as long as no-one on the other side of this transaction is pushing back (or even reading the agreement); let’s go all the way:
3. “Indemnification: Customer shall indemnify [bank] from and against any and all liabilities, losses, damages, costs and expenses…which may be incurred by [bank] arising out of (a) any failure by Customer to observe and perform properly all of its obligations …”. (italics added).
Bottom line with bank contracts: read and negotiate reasonable terms. The larger you are the more leverage you will have. For residual exposure, and as a general rule, purchase crime insurance for the company.
Crime Insurance
Re coverage for theft of the company’s cash assets, it is Crime insurance that applies, not Cyber.
Make sure you have the following two coverage grants with sufficient limits:
- Computer Fraud
- Funds Transfer Theft
And be aware the limit needs to be high enough to cover a scheme that has been ongoing but undetected over time.
Watch the Insurance Application
Answer the application questions accurately and be scrupulous about it. What seems like a minor exaggeration, or an answer that’s “about right – close enough” will boomerang back to you in a claim denial.
These are just a few examples of crime application questions:
- Are bank account statements reconciled at least monthly?
- Does someone other than the person responsible for reconciling bank accounts: make deposits? Make withdrawals? Sign checks?
- Are the duties of computer programmers and computer operators separated?
- Is dual authorization required for all wire transfers?
Note these are yes or no questions! The word “all” appears. Sometimes the word “every” appears in the question. You don’t see “usually” or “customarily.” The insurance companies give no room for error or occasional deviation in the way they word the questions.
We always add safe harbor language to the applications our clients complete. This safe harbor language is to the effect that our answers are to give guidance into the company’s policies and procedures, not to guarantee that there will never be a deviation.
Bottom, bottom line:
- Apply the right computer security to all your financial dealings
- Negotiate your bank contracts
- Know and negotiate your insurance
- Be careful how you complete the applications
Have a risk manager on your side
The largest companies have entire risk management departments reporting to the CFO. You need risk management too.
(c ) Licata Risk & Insurance Advisors, Inc. 2020
Frank Licata
[email protected]; 617.718.5901
Jun 26, 2020