What is “commercially reasonable security?” In recent years, bank liability in the event of a malware attack on a commercial bank account has changed, with banks found not to have implemented commercially reasonable security practices being held liable for malware losses by customers. The court’s opinion is that banks should be anti-fraud experts and should implement controls to mitigate the likelihood of commercial account fraud loss, but are banks expected to provide perfect security against all types of fraud? What will likely become the new compliance standard for reasonable security?