Individuals whose bank accounts are hacked and drained of funds can recover their losses from banks, but small businesses often cannot. Regulation E of the Electronic Fund Transfer Act requires banks to bear the burden of hacking losses for the most part. That’s not the case for small businesses. Under the Uniform Commercial Code, the only thing the law requires of banks is to offer business customers a “commercially reasonable” security protocol. If the bank follows that protocol, it can refuse to reimburse businesses that are victims of fraudulent money transfers.
This appears to be a major loophole in the law which Congress should fix.
Bankers say the best way to deal with this is for banks to inform customers about the dangers so they can take steps to prevent hacking, including changing passwords, educating employees, and requiring two-person approvals for transfers.
More to come on this topic.
Jeffrey Newman represents whistleblowers.