NEW YORK – Because the sums were large and such attacks are relatively new, the two Middle East banks hit in a $45 million ATM heist face an uncertain path in trying to recover their losses, financial, insurance and legal experts say.

Oman-based Bank of Muscat lost $40 million and United Arab Emirates-based National Bank of Ras Al Khaimah PSC (RAKBANK) lost $5 million in the global heist, U.S. prosecutors said on Thursday. Hackers gained access through third-party companies that processed transactions for prepaid debit cards issued by the banks, the prosecutors said.

While details of what happened are still sketchy, experts said the banks could bring claims against the processing companies in court, or they could file claims with their own and the processing companies' insurers.

“There's no hard and fast rule,” said Dan Karson, the Americas chairman of Kroll Advisory Solutions. “We're in very much a new cybersphere of finance, and allocating liability is still very much evolving.”

Any claims by banks against the processing companies would depend on the contracts between the two parties, Karson and other experts said. Those contracts include industry security standards, which are required by the major credit card payment networks, in this case MasterCard.

In most security breach cases, the processing company in question did not fully comply with the standards, said Doug Johnson, vice president for risk management policy at the American Bankers Association.

However, even if the processor failed to comply with security standards, banks may still be unable to get back their money. That is because the contracts between processors and banks, under terms set by credit card companies like MasterCard or Visa, typically limit the processor's liability.

“They can't make everybody whole, or they'll be out of business,” said Michael Klaschka of Integro Insurance Brokers, which has many financial institutions as clients. “The bank may have very little recourse against the credit card processor.”

In the hit against Bank of Muscat, the processor is enStage Inc, based in Cupertino, California, a source close to the Bank of Muscat said. Bank of Muscat has not commented on the attack.

Officials at enStage did not respond to requests for comment on Saturday. EnStage CEO Govind Setlur said in a statement in the Times of India his company had implemented security enhancements since the attack.

In the RAKBANK case, the processor is India's ElectraCard Services, according to people familiar with the situation. RAKBANK has not confirmed that ElectraCard Services is the payment processor and ElectraCard Services has not commented.

MasterCard has said it cooperated with law enforcement in the investigation and said its systems were not compromised in the attacks.

The banks can still try to sue the processors for negligence or other claims, but their success may be limited by their contracts, which include regulations that lay out specific fines and dispute resolution procedures mandated by the credit card companies.

Such lawsuits have proven difficult to win, according to Joseph Burton of the law firm Duane Morris in San Francisco, an expert in financial litigation. U.S. federal courts have generally, but not unanimously, found that banks are restricted to contractual remedies.

In one major case, card-issuing banks filed a class action against Heartland Payment Systems after the processor announced in 2009 that a hack had compromised the data for more than 100 million credit cards.

A federal judge in Houston, Texas, dismissed almost all of the claims in 2011, finding that the banks were bound by their contracts, which included regulations set by Visa and MasterCard that govern how banks can seek relief after a breach. The banks' appeal is pending.

Bank of Muscat and RAKBANK could also seek payment from their insurers under their general policies.

Some banks also have additional security coverage for cybercrime, although experts said the market for such policies is still relatively immature. It is not known if Bank of Muscat or RAKBANK carried cyber insurance.

The insurers, in turn, could also press claims against the processors, or the processors' own insurers.

“It's certainly possible that the bank could be left holding the bag,” said Frederick Rivera of the law firm Perkins Coie, an expert in financial services litigation in the United States.

A complicating factor is that the banks are located in the Middle East, while one of the processors is based in India, making it unclear which courts would have jurisdiction over any litigation. But experts said the requirements that credit card companies impose on banks and processors are global in nature.

Federal prosecutors will also seek restitution for the banks from the defendants arrested in the case, though the amount of funds available likely won't approach the total amount of stolen money.

The U.S. Justice Department indicted eight people it said had withdrawn cash in New York, and prosecutors had seized hundreds of thousands of dollars in cash and bank accounts, along with luxury watches and a Mercedes sport utility vehicle. But the New York cell was just one part of a coordinated global heist in which $45 million was withdrawn from cash machines in 27 countries on Dec. 21 last year and Feb. 19 this year. U.S. prosecutors have not said where the ringleaders of the gang were based.

The prosecutors said the gang targeted prepaid debit cards issued by the two banks, using hackers who broke into the payment processing company to raise account balances and withdrawal limits for the cards.

The heist did not compromise the accounts of any individual customers, unlike in cases of identity theft. In those cases, customers are typically made whole by their financial institution or credit card companies, which in turn seek to be made whole by the company that was breached.
