Whoah. Hold on. Just because the bank runs a Java app on an Apache server running Linux does not make the bank just a Java app.
Hold the bank only as accountable as delicious or Digg for its website. But the security of the bank accounts needs to be held to a higher standard. Having worked with multiple banks on online security, I actually believe they are held to a higher standard (that of "due care"), but that there's a combination of "commercial account" and "insufficiently informed judge" acting against that standard in this case.
1. There was an agreement between the two parties to use this service to access the accounts; it specifically covered the liability of the bank regarding this very situation.
2. At no time where the bank's existing systems compromised technically.
3. The transactions were completed in a manner that the owner of the account themselves did not notice for a period of time. That alone suggests that they were sufficiently "normal" that the bank could not detect them.
4. When the bank did become aware of the unauthorized access, it immediately acted and froze transactions in place and prevented all further transactions from occurring.
Because of all of this, there is simply no way you can find the bank acted negligently unless you just have a hate on for the banks. The only negligent party here was the plaintiff, and that's who should eat the loss.
But first, let me help you out with some research. Here is the FIRST SENTENCE of the SUMMARY OF KEY POINTS section on the FIRST PAGE of the FFIEC's _Guidance on Authentication in Online Banking_. Wait for it. Wait... for... it...
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Now then:
(1) A fine-print clause waiving the banks responsibility for any protection of funds in an account beyond providing a working login prompt should be found unconscionable.
(2) That the compromise in question here didn't occur in a fashion that you recognize as a "technical compromise" doesn't actually make it not a security failure on the part of the bank. By creating a security system that revolved around a security mechanism that literally every bank of Keybank's size and above recognizes and loudly proclaims is inadequate, the bank fielded an inadequate technical countermeasure to attacks and cannot lean on semantic games to hide that fact.
(3) It seems obvious to me that customers should not be expected to be better at tracking anomalies than banks, who spend tens of millions of dollars every year on systems to profile and analyze transactions. Regardless, it does not follow from a customer delay in noticing fraud that the bank couldn't or shouldn't have been expected to see the fraud earlier!
(4) How does it change anything that, once fraud was detected, further fraud was halted? There'd be no dispute at all if the bank continued to allow online criminals to siphon out of a known compromised account. The entire debate is what the standard should be before all parties acknowledge fraud.
You say there's "simply no way I can find the bank acted negligently unless I have a hate on for the banks". Well, I don't have a hate on for the banks. We do work for banks. There are many banks I like. My comments are not motivated out of irrational bank hatred.
† They aren't, by the way, "facts of the case"; each is your interpretation of the facts we're aware of in the case. They are as "factual" as your bald assertion that disagreement with you must imply irrational hatred of banking.
2. At no time where the bank's existing systems compromised technically.
This isn't really true. Banks don't view their systems as servers -- rather a "system" is the technical bits, plus the controls and overall policies. If a bank allows someone else to use your credentials and transfer funds, it's a compromise. They have a responsibility to authenticate the user, not the credentials.
As tptacek points out, the bank was in violation of the FFIEC mandate for strong online authentication. They didn't have sufficient controls to correctly authenticate the client for this level of a transaction.
To be precise, I don't think the FFIEC has a "mandate" for two-factor auth, and I'm not sure how toothy any such mandate would be. But the bank is required by the UCC to exercise commercially reasonable controls, and I don't think you can consider "commercially reasonable" controls that are:
(a) Specifically called out by the FFIEC as inadequate to the task of protecting ACH transfers
(b) Roundly decried as inadequate by practically every large regional bank in the country
(c) The technical focus of massive deployments of reputational and two-factor systems at banks around the country.
Hold the bank only as accountable as delicious or Digg for its website. But the security of the bank accounts needs to be held to a higher standard. Having worked with multiple banks on online security, I actually believe they are held to a higher standard (that of "due care"), but that there's a combination of "commercial account" and "insufficiently informed judge" acting against that standard in this case.