For those practicing cyber-banking law, the First Circuit Court of Appeals’ July 3, 2012 ruling in Patco Construction Company, Inc. v. Peoples United Bank is important news. This decision reverses the District Court’s grant of summary judgment in a much studied case favorable to financial institutions.
In this Blog we reported on the two cases most closely followed in this area of the law, including the Patco case. See, June 21, 2011, “What the Patco and the Experi-Metals Cases Reveal about the Current State of On-Line Banking Law and Operational Risks.” To review the facts briefly, a commercial customer lost control of its on-line bank account in May of 2009 to an unknown hacker who initiated fraudulent ACH transfers of just over $588,000 during a 5-day period. The fraudster had gained access to the customer’s credentialing information and was also able to successfully answer the customized security question that were prompted when the on-line system flagged the originating devices as foreign, i.e., did not originate from a deivce containing a Bank imbedded “device cookie.” The Bank settled the subject cyber debit requests, even though the system both flagged each ACH as “high-risk” and noted that the transactions were inconsistent with the account owner’s prior electronic payment history.
In the court proceedings below, the Bank was granted summary judgment, with the District Court finding that the security system was commercially reasonable and thus the transactions were authorized. Patco’s cross-summary motions were denied. On July 3, 2012, the First Circuit Court of Appeals reversed that grant of summary judgment in favor of the Bank, and affirmed the District Court’s denial of Patco’s motion for summary judgment. The case will be remanded back to the lower court for further proceedings.
The First Circuit began its analysis with an examination of the contractual arrangements between the parties. The contract allocated responsibility to the customer for transactions initiated through use of an authenticated password. The e-banking contract also allocated the risk for Patco’s loss of its credentialing information to Patco. The on-line banking program’s security measures included (a) user ID’s and passwords, (b) device authentication, i.e., a cookie placed onto the customer’s computer to identify machines used to access the on-line account, (c) risk profiling to determine if a transaction differed from the user’s normal profile, (d) challenge questions employed if the risk transaction was deemed high risk, (e) a dollar amount rule, which in the case the bar was set at a threshold amount of $1, and (f) enrollment in a eFraud network sponsored by the vendor of the e-banking program purchased by the Bank. The Court also made special note of the security measures that the Bank elected not to employ, including out-of-band authentication, user-selected picture (an anti-phishing control), physical tokens, and monitoring of risk-scoring reports.
In the context of the above facts, the Court applied the controlling law as found in Article 4A of the Uniform Commercial Code (“UCC”). Article 4A generally places the risk of loss with the Bank whenever an unauthorized funds transfer occurs. There are two ways this risk of loss may be shifted away from the Bank. One, the Bank may show that the payment order is an authorized order of the customer, either in fact or under the law of agency. UCC 4A-202(a) [all UCC citations to West’s version of the Official Text And Comments]. The second way in which the risk of loss may be transferred is via the parties’ contract. This must be accomplished under the rules set forth in UCC 4A-202(b & c). In these sections lies the legal and technological minefield known as the “commercially reasonable method of providing security against unauthorized payment orders”.
The determination of whether such a commercially reasonable method is provided for under a contract is a question of law, i.e., for the Judge and not the jury to decide. There are two analytical approaches acceptable for determining whether a designated security procedure meets that UCC standard. The first is by study of the wishes of the customers, any circumstances of the customer known to the Bank (such as historic usage), alternative security procedures offered/rejected by the customer and by an analysis of the marketplace as what similarly situated banks are employing. The second approach is that the UCC creates a presumption of reasonableness, if the security procedure was accepted by the customer after the bank offered and the customer refused alternative commercially reasonable security procedures; and the customer thereafter by written contract agreed to be bound to payment orders accepted by the financial institution in compliance with the chosen security protocol.
Once the financial institution has shown commercial reasonableness of the contract’s security procedure and that it accepted the payment order “in good faith and in compliance with the security procedure,” the risk of loss is passed to the account customer. The customer may shift the risk of loss yet again back to the bank if the customer can demonstrate that the order was not “caused either directly or indirectly by a person” entrusted by the customer or who had obtained credentialing information from a source controlled by that customer. Essentially under a legally sufficient on-line bank account agreement, the account holder bears the risk of employee misconduct and it own failure to safeguard its credentialing information.
In the context of this UCC structure, the First Circuit first examined whether the Bank’s system provided for a commercially reasonable method for authenticating on-line transactions. Patco argued that in the Bank’s decision to lower the dollar threshold to the value of $1 was unreasonable. The Bank’s position was that this system wide low threshold was designed to combat low dollar on-line fraud. However, Patco argued that such a low threshold naturally increased the frequency when users became obligated to enter answers to the stated challenge questions, thus increasing the risk that a cyber-criminal might learn the answers. In the Court’s view, the Bank’s approach “did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular, and regularly high dollar transfers.”
Then, when the Bank had warning that such fraud was likely occurring, the Bank “neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable.”
The Court also noted that the Bank’s action in establishing a low threshold amount in practice worked against the contract’s other safeguards, particularly its risk scoring protocol. It was perceived that the Bank did not appropriately use the information resulting from risk scoring and that the only real consequence of a flagged transaction was the imposition of a challenge question to the originator. The Court found that challenge questions alone cannot generally serve as a backstop to the exclusion of further controls, for the purposes of legally sufficient security procedure. The First Circuit’s opinion does not reference the FFIEC’s most recent Supplement as a source for its highly technical opinion on this point, as that Supplement would not be relevant to the Patco events which occurred before the Supplement’s publication, but it is worth noting that the Court’s finding is in accord with the FFIEC’s Supplement. See, our Blog, July1, 2001, “FFIEC Formally Releases Its Supplemental Guidance Respecting On-Line Banking.”
The Court also took critical notice of the Bank’s perceived failure to comply with UCC 4A-202( c )’s requirement that the methodology take into account “circumstances of the customer” known to the bank. Patco’s regular and predictable historic usage of the on-line account for payroll purposes was at clear variance in comparison to 5 large dollar amount transactions initiated by the hacker. The Bank countered that argument by suggesting that its risk profile feature assigned a numerical risk factor to every transaction. “This argument misses the mark because, in fact, the risk profile information played no role. It triggered no additional authentication requirements, and the bank did nothing with the information generated by comparing the fraudulent transactions against Patco’s profile.” The Court further found from the evidence no proof that anyone inside the Bank monitored the risk scores associated with the contemplated transactions, even when the scores were high on the internally developed the risk scale.
The Court also found fault with the Bank’s failure to implement additional security procedures as they became available in the marketplace and through developing technology. “Ocean Bank [a division of the Defendant, People’s United Bank] introduced no additional security measures in tandem with its decision to lower the dollar amount rule, despite the fact that such security measures were not uncommon in the industry and relatively easy to implement.” In short, whether it arose from the Bank’s own unilateral action to change one aspect of the security procedure or because the Court viewed the Bank as the more sophisticated party, the Court implicitly suggests there is an implied duty of technological evolution in such terms of the parties’ contract.
“The collective failures, taken as a whole, rendered Ocean Bank’s security procedures commercially unreasonable” was the final holding of the Court. For this reason, the First Circuit Court of Appeals ruled that the Bank’s prior award of summary judgment was reversed and remanded the case to the District Court for further proceedings.
In the last part of the First Circuit’s decision, it affirmed the District Court’s decision to deny Patco’s own cross-motion for summary judgment. In summary the Court found that various issues of fact prevent the imposition of summary judgment in favor of the account holder. “The District Court did not reach, and the parties have not briefed, the question of what, if any, obligations or responsibilities Article 4A imposes on a commercial customer even where a bank’s security system is commercially unreasonable.”
The First Circuit did decisively rule that Patco’s negligence claim was inconsistent with the duties and the liability limits set forth in Article 4A of the UCC. For this reason, the District Court’s dismissal of the negligence cause of action was affirmed.
On a personal level, it is in the last sentences of the Court’s 43 page opinion that perhaps is found the opinion’s most unsettling language. “On remand, the parties may wish to consider whether it be wiser to invest their resources in resolving this matter by agreement.” While compromise is always a noble path, compromise is usually the product of a state of uncertainty of outcome affecting the concerned parties. If one is of the opinion that a central purpose of the Uniform Commercial Code is to create certainty for market participants, then such a strongly worded instruction to compromise is hard to reconcile. Patco presented a case of mature market participants who structured their commercial cyber-banking contract to allocate the known risks between themselves. The parties thus knew their obligation was to control the areas of risk each assumed, or to insure against the same if that was their preference. It was into one of the foreseen areas of risk that a cyber criminal intruded. In the larger picture, the Court’s instruction to the litigants to settle is disquieting from a philosophical standpoint, and if followed will provide little additional certainty for the countless other actors (and their lawyers) who are continuing to look for clarity to guide their own future dealings in this very important area of cyber-commerce dealings.