Account Takeover: Utility Sues Bank

New Case Puts Spotlight on Institutions' Responsibilities


A Tennessee utility has sued its bank after a $327,000 account takeover incident. This new case shows why institutions must go above and beyond when it comes to detecting and thwarting fraud losses.


Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee. The complaint alleges the bank is to blame for a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.

This is but the latest in a series of high-profile account takeover cases, and experts say it is going to put the onus on the bank to prove it took every possible measure to protect its customer from fraud.

Onus is on the Institution

In the wake of the 2011 FFIEC authentication guidance update, Doug Johnson, senior vice president of risk management policy for the American Bankers Association, says banking regulators have made it clear that it is banking institutions' responsibility to ensure they provide layers of security to protect their customers' accounts.


And George Tubin, a banking fraud expert at anti-malware provider Trusteer, says that even if a commercial customer's account is taken over through a phishing attack and subsequent malware infection that resulted from the customer's own negligence, the onus is still on the banking institution to detect and stop suspicious transactions.

"A lot of banks think out-of-band, one-time passwords protect them from malware-based fraud - they don't," Tubin says.

In fact, unless a commercial customer explicitly declines to accept a certain security procedure offered by its bank, as was the case in the Choice Escrow and Land Title LLC account takeover incident, banks have struggled to prove their security measures were reasonable if fraud results, he explains.

"Based on the information presented, this case does not have a situation where the customer failed to use a certain security procedure or refused a security procedure," Tubin says. "The fact that the customer was infected by malware, which enabled this fraud, will not be viewed as something the customer did wrong. Anybody can get infected with malware, unless they're utilizing commercial-grade anti-malware software, which is usually only provided via the financial institution."

Julie Conroy, a financial fraud and security analyst at Aite, says TEC has a compelling case, but she sees nothing here that will help banking institutions better understand what constitutes "reasonable security" in the eyes of the courts.

"The confusion and mixed messages that we've received from the courts is around what levels of security qualify as 'commercially reasonable,'" Conroy says. "I don't see anything in this case that would help set a clear precedent in that regard."

TEC's Claims

According to the complaint, on May 10, 2012, 55 separate payroll orders totaling $327,804 were sent by TriSummit Bank to different accounts located throughout the U.S. The bank, however, failed to verify those orders with TEC, the utility claims.

Not only did the funds go to accounts that had not previously been paid by TEC, but the amounts, which ranged from $550 to $11,000, were not customary for the utility, the suit alleges.
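The two indicators the complaint cites, payees TEC had never paid before and amounts outside its usual payroll band, are exactly the kind of signals a bank-side screening step can check before an ACH file is transmitted. The following is an added illustration, not code from the article, the bank or the utility; the sample payroll history, account labels and the new-payee threshold are constructed assumptions.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class AchOrder:
    account: str       # destination account (constructed label, not a real account)
    amount_cents: int  # amount in cents to avoid float rounding

def customary_range(history):
    """Amount band (min, max) seen in the customer's prior approved payroll files."""
    amounts = [o.amount_cents for o in history]
    return min(amounts), max(amounts)

def screen_batch(history, batch, max_new_payees=2):
    """Flag each order that hits one of the indicators described in the complaint
    and decide whether the whole file should be held for out-of-band customer
    approval before transmission. Returns (flags, hold); flags is a list of
    (indicator, order) tuples. max_new_payees is an assumed tuning threshold."""
    known = {o.account for o in history}
    lo, hi = customary_range(history)
    flags = []
    for o in batch:
        if o.account not in known:
            flags.append(("new_payee", o))
        if not lo <= o.amount_cents <= hi:
            flags.append(("uncustomary_amount", o))
    counts = Counter(indicator for indicator, _ in flags)
    # Hold the file if it pays more never-seen accounts than the threshold allows,
    # or if any single order is both a new payee and outside the customary band.
    new = {o for ind, o in flags if ind == "new_payee"}
    odd = {o for ind, o in flags if ind == "uncustomary_amount"}
    hold = counts["new_payee"] > max_new_payees or bool(new & odd)
    return flags, hold

# Constructed sample data: two prior payroll runs to three known employees.
HISTORY = [AchOrder("emp-A", 150000), AchOrder("emp-B", 220000), AchOrder("emp-C", 180000),
           AchOrder("emp-A", 150000), AchOrder("emp-B", 225000), AchOrder("emp-C", 180000)]
# A normal run: same payees, same amounts.
NORMAL = [AchOrder("emp-A", 150000), AchOrder("emp-B", 225000), AchOrder("emp-C", 180000)]
# A suspect run: three never-seen accounts, two of them with out-of-band amounts.
SUSPECT = [AchOrder("emp-A", 150000), AchOrder("emp-B", 225000),
           AchOrder("mule-X", 55000), AchOrder("mule-Y", 1100000), AchOrder("mule-Z", 160000)]

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL), ("suspect", SUSPECT)):
        flags, hold = screen_batch(HISTORY, batch)
        print(f"{name}: {len(flags)} flag(s), hold={hold}")
```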