FI Tech: bank sued for failing to protect internet banking account
US District Judge Rebecca Pallmeyer has refused an application by Citizens Financial, part of Citizens Bank, to throw out a claim by account holders who say the bank is responsible for their losses after a hacker stole USD26,500 from their account. There is an interesting account monitoring and money laundering angle, too.
Sitting in the US District Court in Illinois, Judge Pallmeyer heard argument from Citizens in a case brought by Michael Shames-Yeakel and his wife Marsha.
The couple run a business from their home. They have both business and personal accounts with Citizens including a kind of revolving credit account secured on their home and linked to their business current account. At their home office they have a fixed IP address*. Although they live in Indiana, their accounts are held in Illinois.
In February 2007, a person or persons whom the Shames-Yeakels say are unknown to them used Marsha Shames-Yeakel's username and password to access their accounts. In a series of transactions, USD26,500 was debited from the revolving credit account and credited to the business account. It was then transferred from that account to a bank in Hawaii and from there on to a bank in Austria. The access came from an IP address that was not the fixed IP address at the couple's home office.
Citizens demanded repayment under the revolving credit facility and began a recovery process, first reporting the loan as in default, and then threatening repossession of their house under the terms of the security.
Despite 19 letters disputing the debt, the bank did not tell credit reference agencies that the default notices were disputed. Late in 2007, the couple started making repayments against the loan to avoid recovery action.
In parallel, they sued the bank, alleging that it had failed to take all appropriate steps to protect their account. They accused the bank of negligence and, in particular, of failing to protect the account by not implementing two-factor authentication. In fact Citizens was in the process of rolling out two-factor authentication using hardware tokens (random number generators), but the rollout was not complete and the Shames-Yeakels' accounts had not yet been brought within the scheme at the time of the transfers.
The bank argued that it was putting the protections in place but it was not an overnight process. The Judge said "In [the] light of Citizens’ apparent delay in complying with Federal Financial Institutions Examination Council security standards [communicated to US banks in 2005], a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”
Judge Pallmeyer rejected the bank's argument that its liability was excluded by its standard terms of business, which say that the bank will "have no liability to you for any unauthorised payment or transfer made using your password that occurs before you have notified us of possible unauthorised use and we have had a reasonable opportunity to act on that notice."
Having regard to Indiana law, the Judge said that case law there places a common law duty on banks "not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest.” That, she said, means "if this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts."
Efforts to trace the money into the hands of the Austrian bank have met with a refusal to return the money, the parties agree. It appears that no action has been taken by Federal agencies to try to freeze the money in the hands of the Austrian bank.
Citizens says that, in any case, although its name is on the documents and the website, its internet banking service, including its security, is, and was at the time, outsourced to Fiserv, Inc., one of the market leaders in outsourced financial services technology. Citizens tried to run the "Big Blue" defence ("no one ever got fired for buying IBM"), saying that it cannot be accused of negligence when it outsources to a recognised specialist.
The Judge's ruling rejects the bank's arguments for dismissal of the various heads of claim referred to.
The case raises fascinating questions. What happened to account monitoring? The transaction that took USD26,500 from a USD30,000 revolving credit account was unusual: the history of internet-conducted transactions between the current and credit accounts had mostly run in the other direction, as the loan was paid down. The onward transfer of that same sum from the current account to an overseas bank was also unusual. Were the two transactions identified as connected?
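The ruling does not describe what monitoring Citizens or Fiserv actually ran, so the following is an added example, not the bank's logic: it shows the kind of rule set that would have tied the three facts above together, a login from an address other than the registered fixed IP, a credit-line draw far larger than any earlier draw, and an outbound transfer of the same amount minutes later. The account names, the prior draws and repayments, the IP addresses (taken from the RFC 5737 documentation ranges, so they route nowhere), the one-day linking window and the "twice the largest prior draw" threshold are all assumptions; only the USD26,500 figure and the direction of the flows come from the article.

```python
"""Constructed transaction-monitoring example (not Citizens' or Fiserv's rules).

Three signals a fraud desk would want correlated on one customer:
  1. an online session from an IP other than the customer's registered fixed address;
  2. a draw on the credit line out of proportion to the customer's history;
  3. that draw paired with an outbound transfer of the same amount shortly after.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Txn:
    ts: datetime
    src: str            # account debited
    dst: str            # account credited
    amount: float
    ip: Optional[str]   # source IP of the online session; None for non-online entries

# Assumed identifiers, not from the case file. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges (RFC 5737), so nothing here points at a real host.
CREDIT = "HELOC"
CURRENT = "BUSINESS_CHECKING"
REGISTERED_IP = "203.0.113.7"

# Constructed history mirroring the article: a few modest draws, repayments flowing
# the other way, then the disputed draw and matching wire from an unfamiliar address.
HISTORY: List[Txn] = [
    Txn(datetime(2006, 3, 2), CREDIT, CURRENT, 2000.0, REGISTERED_IP),
    Txn(datetime(2006, 4, 3), CURRENT, CREDIT, 400.0, REGISTERED_IP),
    Txn(datetime(2006, 5, 1), CURRENT, CREDIT, 400.0, REGISTERED_IP),
    Txn(datetime(2006, 6, 5), CREDIT, CURRENT, 3500.0, REGISTERED_IP),
    Txn(datetime(2006, 7, 3), CURRENT, CREDIT, 600.0, REGISTERED_IP),
    Txn(datetime(2006, 9, 1), CREDIT, CURRENT, 1500.0, REGISTERED_IP),
    Txn(datetime(2006, 10, 2), CURRENT, CREDIT, 600.0, REGISTERED_IP),
    Txn(datetime(2006, 12, 4), CREDIT, CURRENT, 2500.0, REGISTERED_IP),
    Txn(datetime(2007, 1, 8), CURRENT, CREDIT, 800.0, REGISTERED_IP),
    Txn(datetime(2007, 2, 12, 9, 14), CREDIT, CURRENT, 26500.0, "198.51.100.23"),
    Txn(datetime(2007, 2, 12, 9, 31), CURRENT, "EXT:JV_FINANCIAL", 26500.0, "198.51.100.23"),
]

def offsite_sessions(txns: List[Txn], registered_ip: str) -> List[Txn]:
    """Online transactions whose source IP is not the customer's registered fixed address."""
    return [t for t in txns if t.ip is not None and t.ip != registered_ip]

def anomalous_draws(txns: List[Txn], credit: str, current: str, factor: float = 2.0) -> List[Txn]:
    """Credit-line draws exceeding `factor` times the largest earlier draw.
    Repayments (current -> credit) are the customer's normal direction and are never flagged."""
    flagged, largest_prior = [], 0.0
    for t in sorted(txns, key=lambda t: t.ts):
        if t.src == credit and t.dst == current:
            if largest_prior and t.amount > factor * largest_prior:
                flagged.append(t)
            largest_prior = max(largest_prior, t.amount)
    return flagged

def linked_draw_and_outbound(txns: List[Txn], credit: str, current: str,
                             window: timedelta = timedelta(days=1),
                             tolerance: float = 0.0) -> List[Tuple[Txn, Txn]]:
    """Pair each credit-line draw with an outbound transfer to an external account of
    (near-)identical amount inside `window`: the two legs the article says went unlinked."""
    ordered = sorted(txns, key=lambda t: t.ts)
    pairs = []
    for draw in ordered:
        if not (draw.src == credit and draw.dst == current):
            continue
        for out in ordered:
            if (out.src == current and out.dst not in (credit, current)
                    and draw.ts <= out.ts <= draw.ts + window
                    and abs(out.amount - draw.amount) <= tolerance):
                pairs.append((draw, out))
    return pairs

def review(txns: List[Txn], registered_ip: str = REGISTERED_IP,
           credit: str = CREDIT, current: str = CURRENT) -> List[str]:
    """Combine the three signals into alert lines for an analyst queue."""
    alerts = []
    for t in offsite_sessions(txns, registered_ip):
        alerts.append(f"OFFSITE_IP {t.ts:%Y-%m-%d %H:%M} {t.src}->{t.dst} {t.amount:.2f} from {t.ip}")
    for t in anomalous_draws(txns, credit, current):
        alerts.append(f"LARGE_DRAW {t.ts:%Y-%m-%d %H:%M} {t.amount:.2f} from {credit}")
    for draw, out in linked_draw_and_outbound(txns, credit, current):
        alerts.append(f"LINKED_OUTBOUND {draw.amount:.2f} drawn {draw.ts:%H:%M}, "
                      f"sent to {out.dst} at {out.ts:%H:%M}")
    return alerts

if __name__ == "__main__":
    for line in review(HISTORY):
        print(line)
```

Run against the constructed history, the review flags both online entries from the unregistered address, the USD26,500 draw as out of proportion, and the draw-plus-wire pair; any one of those alone might be explained away, which is why a monitoring rule should hold the outbound leg for review when all three fire on the same customer within minutes. A real deployment would also key on the beneficiary being new and on the destination being outside the customer's usual jurisdictions, details the ruling does not give.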
And why is the Austrian bank not co-operating as it is, surely, likely to do if presented with credible evidence of laundering?
The Judge in her written judgment gives indications that she has already reached certain conclusions: she says "[The] Defendant Citizens Financial Bank is a federally insured savings bank with branch locations in northwest Indiana and the Chicago area. [The] Plaintiffs Marsha and Michael Shames-Yeakel were customers of Citizens who fell victim to identity theft when an unknown person gained access to their online account and stole USD26,500 from a home equity credit line."
The Shames-Yeakels, the Judge says, do not agree on certain facts: both agree that they had used the revolving credit account on four occasions, but they could not agree on the purposes to which those debits had been put, business or personal. For a business called "Best Practices" that provides accounting services, this might seem to raise at least some doubt about the couple's own record keeping.
In fact, when the Shames-Yeakels informed the bank of the transfers, the bank tried to get the money back. It contacted the bank in Hawaii, where the account was held in the name of JV Financial. Attempts by a Citizens employee to contact JV Financial failed. The Hawaiian bank provided the details of the Austrian bank, where the information trail went cold. Only after that did Citizens seek payment from the Shames-Yeakels.
The couple referred their case to the Office of Thrift Supervision which said that no regulatory issues arose and therefore the bank was entitled to pursue recovery.
However, although the Judge denied most of the bank's motion for summary judgment, she did rule that parts of the claim should not proceed and that others should be limited.
In her conclusion, she wrote "[The] Defendant's motion for summary judgment [59] is granted in part and denied in part. Summary judgment is denied on the Truth in Lending Act count. Summary judgment on the Fair Credit Reporting Act count is denied insofar as [the] Plaintiffs argue that the bank willfully or negligently breached the FCRA by reporting [the] Plaintiffs' account as delinquent and by omitting information from those reports; however, the thoroughness of the bank's factual investigation is not genuinely at issue. Summary judgment is granted on the Electronic Funds Transfer Act count. Finally, summary judgment on the negligence count is denied, but only insofar as the claim does not rest on the EFTA, the FCRA, or evidence of Citizens' credit reporting practices."
* An IP address is a series of numbers that identifies a particular computer, or a household's internet connection, to the rest of the internet. The address is allocated by the Internet Service Provider (ISP). Some users have a "fixed IP address", meaning that their ISP allocates them an address, or group of addresses, that never changes. Fixed IP addresses are often used by subscription services as an additional identification check. The check is a weak one, though: it shows where a connection came from, not who is at the keyboard, so an attacker who has taken over the customer's own PC, or who is routing through it, appears to come from the expected address. Many internet users do not have a fixed IP address at all; their ISP allocates an address "dynamically", which means the ISP can share addresses between users. The address is released back into the pool when a user goes offline and a different one may be allocated when they return. Many small businesses and home users have dynamic IP addresses, which normally come with cheaper, consumer-orientated accounts.