ACH liability up for grabs as court finds against bank in second US cyber-heist suit

It appears the Michigan judge has either common sense or attended business school and a few classes in logical thinking vs the now more apparent clueless Portland, ME judge.  One would think if payments security is attempting to standardize using PCI, then acts of fraud would also have a set of standards or at least parameters.  Perhaps Durbin ought to spend time protecting the consumers and businesses against blatant fraud and not intervening in transactional fees that ultimately get offset by the introduction of new fees in other areas.  Just a thought!

This ruling applies to ACH, which is not a same-day settlement system. It's interesting to view its impact on realtime systems like Fed/CHAPS or near-realtime ones like FPS. Carrying out the required fraud detection checks takes a few minutes / hours, the payment misses the scheme roundtrip duration SLA (e.g. 2 hours in the case of FPS, a few seconds in the case of CHAPS) as a result. The bank is not guilty of wrongdoing but how will the court rule in case the corporate sues the bank for delaying the payment?

Worse still, what if banks sit on the payment and enjoy the float, acting out the pretense of carrying out fraud checks? They're clearly guilty of wrongdoing, but will it ever be possible to prove their guilt in any court of law?

By signing up with a bank, a corporate acknowledges the level of security provided and understands the level of concomittant risks involved. When the issue clearly lies on the corporate's side - like in this case where its Financial Controller opened a malware-laden email - a court-driven review of contractual roles and responsibilities can prove to be a double-edged sword.