When Business Banking Goes Wrong: A Tennessee Construction Company’s Fight

According to an article in the Credit Union Times, Tennessee Electric’s lawsuit against its bank “could change the fundamental relationship between business customers and their banks.”

It all started when Tennessee Electric (TEC), a construction company, was hit with a $327,000 cyber heist. The company claimed the fault was that of the bank – TriSummit – and filed suit. It also has asked the court to award $2 million in punitive damages, according to the article.

According to the Credit Union Times, usually in cases involving businesses, people presume that the bank will prevail.

The article states: “That is very different than with consumer fraud cases which fall under Regulation E, federal doctrine that limits the banking losses consumers may suffer. Businesses, by contrast, fall under the Universal Commercial Code, which offers much more protection to banks and correspondingly little to businesses. But the TEC case may turn that assumption on its ear.”

So how does this connect to credit unions?

Francois Henriquez, a lawyer with Shutts and Bowen in Miami, told the Credit Union Times that every large credit union he works with is in member business services or is looking to get into it.

He said it’s an attractive revenue stream, and many credit unions appear to believe they can very capably serve small and mid-sized businesses.

The details of the case are intriguing. The article states:

“Both sides of this story in Tennessee are not yet known. What TEC has said is damning, indicated multiple experts, assuming the facts are not later shown to be different by TriSummit. Apparently, Russian hackers dipped into the TEC account and stole $327,000. Roughly $135,000 was ‘clawed back by TriSummit,’ reported security blogger Brian Klebs, who broke this story. Best guesses are that malware was downloaded to TEC’s computers and the criminals got the login credentials that way. Either way, TriSummit paid out 55 ACH transfers, according to TEC’s complaint, and – in a departure from norm – TriSummit did not seek verbal confirmation of the transfers in a phone call. The phone call is key.”

As of February 2012, TriSummit and TEC had made an agreement to use telephone verification prior to the processing of ACH payments. According to the Credit Union Times, that call was supposed to come in on a recorded line, but no such call came in, at least that’s what TEC says in its complaint.

“TriSummit is toast,” said Aite analyst Julie Conroy. “There was a written agreement that the bank will do XYZ and it didn’t.”

Conroy told the Credit Union Times that in her opinion, this case will not affect future cybersecurity litigation.

The bank has not presented its side of the story, and it remains to be seen what the outcome of this case will be.

According to the article, “if the decision goes against the financial institution, it can be presumed it would be because of the bungling, not because of any shift in perception of the legal protection enjoyed by financial institutions under the Universal Commercial Code.”

Regardless of what happens with this case or changes in future litigation, Conroy warns against the risks small financial institutions are facing.

“We have seen a shift. Criminals are putting more focus on small and mid-sized businesses and also financial institutions,” she told the Credit Union Times.

The article notes that since bigger banks are putting in better defenses, criminals will likely go to smaller financial institutions.

“The odds shifted a long time ago. They now are solidly in favor of the criminals,” said Conroy.

 

For more information, see the original article: https://www.cutimes.com/2014/08/15/when-business-banking-goes-bad-threat-of-the-week