Over the last decade as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.
In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. In this instance the employee initiated the wire by entering the passwords for both herself and the other employee and inserting both of the physical tokens. After initiating the wire the employee left the two tokens in the computer and left it running overnight. Upon returning the next day the employee discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. The employee, Kirchberg, was unable to reverse the transfers through the FedLine system. Kirchberg immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve, however, did contact intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.
Bellingham promptly notified BancInsure of the loss and made a claim under their financial institution bond which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. After an investigation, it was determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.
The federal district court ultimately granted summary judgment in favor of Bellingham in the amount of $620,187.36. The court found that the proximate cause of the loss was the computer systems fraud and neither the employees’ violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the “efficient and proximate cause” of the bank’s loss.
BancInsure appealed to the 8th Circuit, arguing, among other things, that the trial court should have left the question of proximate cause to a jury and reiterating its position that the true proximate cause of the loss was the negligence of the bank and its employee.
The court concluded that an illegal wire transfer is not a “foreseeable and natural consequence” of the bank employees’ failure to follow proper computer security policies, procedures, and protocols. Even if the employees’ negligent actions “played an essential role” in the loss and those actions created a risk of intrusion into Bellingham’s computer system by a malicious and larcenous virus, the intrusion and the ensuing loss of bank funds was not “certain” or “inevitable.” The “overriding cause” of the loss Bellingham suffered remains the criminal activity of a third party and not any alleged negligence by the bank or the employee.
Bank Takeaway: The case illustrates the point that we have been making to financial institutions for some time now. Internal policies and procedures that have been implemented to reduce cyber fraud are there for a reason. Malware can infect a computer and lie there for an extended period of time just waiting for the opportunity to activate a fraudulent transfer. Requiring passwords to be updated on a regular basis and updating anti-virus software are vital to reducing risk. Finally, passwords should not be shared among employees.
Banks should also be sensitive to the fact that financial institution bonds are just like any other form contract that is continually being updated. Insurance companies know how to minimize their risk as well and one can assume that they will address this issue in the next version of the bond endorsement for computer system fraud. Similarly, never assume that all such endorsements are worded the same. Different companies may cover the same risks, but may do so with slightly different language. Even a slight variation in phrasing can have a major impact on whether a court determines that a claim is covered.
Finally, you should read new and renewal policies very carefully to make sure you understand where you are covered and where you are not. Policies evolve over time to meet emerging risks. There is no “standard” cyber risk policy as of yet, and banks must understand the right questions to ask to make sure that the coverage they need is what they are actually being offered. Our Financial Services Corporate & Regulatory and Global Data Privacy Security Teams are well versed in bank insurance and the legal and regulatory risks presented by a data breach. We have assisted companies in analyzing the entirety of their insurance program and would be glad to assist you in reviewing existing coverage or guiding you as you look at future options.