Inside the Comerica/Experi-Metal Case Court Filings Offer New Details on Customer vs. Bank Lawsuit
In just a matter of hours on Jan. 22, 2009, Experi-Metal Inc., a Michigan manufacturer, saw $1,901,269 pilfered from its Comerica Bank commercial account by fraudsters who systematically transferred the funds to accounts in Russia, Estonia and elsewhere. In response to this fraudulent activity, Dallas-based Comerica was able to freeze the account, recall some of the wire transfers and recover all but $560,000 of Experi-Metal's money.

These are the facts that nobody disputes in the Experi-Metal vs. Comerica legal battle over responsibility for the fraud losses.

But beyond those basic facts, there is little agreement in this case, which now seems headed for a courtroom showdown over who is responsible for the remaining fraud losses. A close examination of court documents, in fact, sheds new light on the events of this case and where the bank and its customer differ most on the question of "What is reasonable security?"

Timeline: What Happened

Judge Patrick Duggan of Michigan's Eastern District Court in Detroit recently rejected Comerica's motion for summary judgment in this case. In reviewing Duggan's 16-page opinion, this timeline emerges:

Experi-Metal, or EMI, began banking with Comerica upon incorporating in September 2000. It entered into agreements with Comerica to permit the business to access its bank accounts via the Internet using Comerica's online banking system.

In November 2003, EMI's President, Valiena Allison, signed an agreement with Comerica to send payment orders or receive incoming funds transfers using Comerica's NetVision Wire Transfer Service. The business did not sign up for the dual control feature that Comerica offered on wire transfers.

From 2001 until May 2008, Comerica employed a security process known as digital certificates for its wire transfer service. Users had to routinely renew these digital certificates in order to initiate monetary transfers for their accounts. To do this, Comerica sent emails to users and made them click on a link in the email. Once on the linked website, users were required to log in and enter certain information to obtain the renewal of the digital certificate.

In April 2008, Comerica notified the administrators for all online banking accounts that, though it still would be providing online banking services through TM Connect Web, it was switching its security process from digital certificates to secure token technology. Comerica then sent account administrators a list of the users for their accounts who had been active for the last six months, user IDs, and a secure token for each user. Comerica asked account administrators to notify Comerica if the registration for any user should be removed. EMI received this information from Comerica on April 25, 2008.

On January 22, 2009, Keith Maslowski, EMI's controller, received an email purported to be from Comerica. Maslowski says the email was similar to previous emails that he got from Comerica, prompting him to renew EMI's digital certificates. As in previous emails sent by Comerica, he was directed to click on a link specified in the email. After clicking on the link, he was diverted to a website that appeared to be a Comerica website. He was then prompted to log in and enter his confidential customer ID number and password and EMI's confidential customer ID number and password. When he did this, he unknowingly gave an unauthorized third party access to EMI's account through Comerica's wire transfer service, from which this third party began transferring funds out of EMI's account to various accounts in Russia, Estonia, Scotland, Finland, and China, and U.S.-based accounts.

A total of 47 wire transfers were initiated from EMI's account between 7:30 a.m. and 10:50 a.m. on January 22, 2009. Sometime between 11:39 a.m. and 12:04 p.m., Comerica's wire transfer room called its Treasury Management Relationship Center regarding the activity in EMI's account. A representative of Comerica's Treasury Management Services reviewed the activity, and then called EMI at approximately 12:05 p.m. EMI's president informed Comerica that EMI had not made any wire transfers that day and instructed the bank that it should not honor any requested wire transfers or other transfers until further notice.

After speaking with EMI, Comerica immediately notified its wire transfer room and asked that all wires out of EMI's account be recalled and future wires stopped.

Within 24 minutes, most wire transfer activity on EMI's account was stopped, and Comerica began recalling the wire transfers that it was able to recall. But between 10:53 a.m. and 2:02 p.m., another 46 additional wire transfers were initiated from EMI's account. In total, $1,901,269 was wire transferred from EMI's account. Comerica was able to recover all but $560,000 that was charged to EMI's account.

In December 2009, EMI filed its lawsuit against Comerica, claiming that the bank exposed its own customers - including EMI - to phishing attacks.

The bank, in response, countered that the EMI credentials used to initiate the wire transfers and were valid, and the phishing website the employee went to would have been discovered as fake, "to any reasonably alert person who was responsible for safeguarding EMI's financial records and digital credentials."

Beyond 'He Said, She Said'

Outside of the judge's opinion, a review of Comerica's and EMI's individual filings shows diametrically opposed views of how the events should be interpreted. The motions go beyond a "he said-vs.-she said" dispute, says Christopher Loeffler, an attorney in the Privacy and Information Security practice at Kelley Drye & Warren LLP. The pleadings are "clearly more sophisticated than the Hillary Machinery pleadings," he says, referencing the other noted legal dispute between bank and customer, and show a much deeper understanding of the issues by both parties.

In its response to Comerica's recent motion for summary judgment, EMI attempts to distinguish the services provided by Comerica into two distinct time periods: From 2001 to May 2008 (when Comerica used the NetVision funds transfer system); and from May 2008 to the current date (when Comerica used the TM Connect Web system).

Alternatively, Comerica, in its response to EMI, argues that these temporal distinctions do not matter, because although the technical system used by Comerica changed over time, the agreement in place between the parties is based on the fund transfer services offered by Comerica - not the individual system used to provide such services.

EMI raises several factual questions about the adequacy of Comerica's updated security procedures and whether they satisfy the test for commercial reasonableness under the Uniform Commercial Code, says Loeffler.

Comerica, on the other hand, argues that such factual inquiries do not raise any material issues, as the reasonableness of Comerica's security procedures was contractually agreed to by the parties, and is settled as a matter of law.

This case will likely come down to how the court interprets the contracts in place between the parties. "While the affidavit evidence submitted to date by EMI includes a compelling story, especially for those who have suffered a loss at the hands of a fraudster," Loeffler says, "for EMI to be successful, it will have to convince the court that the two systems offered by Comerica should be seen as different and unique, each of which requires its own contract."

Comerica also benefits, he says, from the direct source of the breach being EMI's disclosure of its security information to a fraudster.

The Deciding Factor?

While this case initially stirred controversy regarding the commercial reasonableness of one type of security procedure versus another, "Ultimately, the [court] is unlikely to decide this case on the basis of technical security," says Loeffler. By its very nature, he explains, the UCC is designed to require the parties to contractually agree upon the reasonableness of security procedures put in place. The court's focus on the original contracts executed by the parties will likely favor Comerica.

Charisse Castaganoli, a security and legal IT expert, says when looking at what is "commercially reasonable," the fact that there is existing, cost effective (on the banking side) technology to identify and manage these types of fraudulent transfers does not favor the bank.

The case underscores the need for businesses to provide robust information about security practices and security needs to their partners. "Had a stronger dialogue been in place between the parties during both the system name change and the rollout of new security procedures, much of the current dispute may have been avoided," Loeffler says. Enhanced communication could have also helped EMI avoid falling victim to the phishing attack.

Still, Castaganoli says she can't quite see a court agreeing 100 percent with Comerica's position. "Comerica did not address the violations of the online service agreement with respect to amounts and bank process that EMI originally raised," she says.

Unless this case is settled earlier, it is scheduled to be heard after mid-November, with Nov. 16 being set as the final pre-trial conference date.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.





Around the Network