You Can’t Outsource Cybersecurity to Your Bank

This blog has covered numerous cases of fraudsters tricking organizations into transferring funds. The scams often involve fraudsters portraying themselves as a senior executive in an organization either by hacking or spoofing the executive’s email.

Prima Donna Development v. Wells Fargo is a case like so many others previously covered by this blog. Prima Donna develops, builds, and manages hotel properties throughout the west coast. The company opened several bank accounts at Wells Fargo for its business. The Wells Fargo accounts allowed Prima Donna to initiate wire transfers through an online platform.

In order to initiate a wire through the online platform, Prima Donna had to use a token that generated a random security code.  Prima Donna would pair that code with a user-defined PIN to create a unique passcode. Wells Fargo used that passcode to authenticate Prima Donna’s identity before initiating a wire transfer. In addition, Wells Fargo provided optional dual control verification to Prima Donna. This process would require a second person to approve any wire transfer before it could be executed. Prima Donna declined to use dual control.

In January 2014, fraudsters obtained access to Prima Donna’s president’s email account. Fraudsters then began corresponding with Prima Donna’s CFO. At the fraudsters’ request, the CFO initiated wire transfers to overseas bank accounts for a total of $638,400.

Prima Donna and Wells Fargo went to arbitration, because the agreement between the company and bank contained an arbitration clause. The arbitrator concluded Wells Fargo provided Prima Donna with a commercially reasonable security procedure for verifying the authenticity of payment orders from Prima Donna. The arbitrator further found that Prima Donna had declined the dual control procedure, which could have prevented this kind of fraud loss. Prima Donna appealed the case to court, and the court affirmed the arbitrator’s award.

This case highlights the importance of having strong processes and controls inside an organization to minimize the risk of an unauthorized transaction. The arbitrator explained that “the security procedure is not required to be a commercially reasonable method of protecting the customer against being fraudulently induced into making a wire transfer to a third party.”

Organizations should consider taking advantage of every security option their financial institutions provide. If Prima Donna had done so, then the president and CFO would have had to authorize every wire transfer before it could occur. That would have reduced the possibility of a fraud like this one. Organizations should even consider adopting security procedures that may slow their business down. Prima Donna would likely have been willing to jump through an extra hoop to transfer funds if it meant keeping $638,400.