Many contractors enjoy the advantages of online banking. Like companies in other industries, contractors use e-banking to make payroll payments and to pay other obligations. They appreciate the ease, speed, and paperless efficiency of electronically transferring funds from the business’s bank account to other accounts. Cyberthieves also appreciate the ease, speed, and efficiency of electronic funds transfers. Recent news stories have called attention to the persistent threat posed by malicious software. Once installed on a computer, some malware programs called keyloggers are capable of stealing a user’s keystrokes, including the keystrokes for the user’s identification (“id’s”) and passwords to access the online banking services. A common attack is for a cyberthief to send a deceptive email with an innocuous looking attachment containing a hidden keylogger program. If the recipient opens the attachment, the malware is secretly installed and begins tracking and reporting the recipient’s key strokes.
When cyberthieves hack a firm’s online banking service and drain its checking account, significant legal issues arise. Does the bank, the safekeeper of the funds in the account, bear the loss or does the loss fall on the business customer, the safekeeper of passwords and personal id’s for online access to the funds? A recent opinion by the United States Court of Appeals for the First Circuit in Patco Construction v. Peoples United Bank, 684 F.3d 197 (1st Cir. 2012) sorted through the legal obligations and responsibilities of banks and their business customers in dealing with cybertheft. The facts and the court’s decision illustrate a potentially expensive lesson for everyone.
Patco Construction (“Patco”) is a small general contractor business located in Sanford, Maine. It banked with a division of Peoples United Bank. Patco used online banking to transfer funds electronically each Friday for regular payroll payments. The e-banking payroll payments were always on Fridays, always from a computer at Patco’s offices, always from a single static internet protocol (“IP”) address, and always accompanied by a withdrawal for tax withholding and 401(k) contributions. No transfer was ever more than $37,000.
Patco’s e-banking agreement with Peoples United stated that use of Patco’s e-banking credentials (its password and user id) constituted authentication of all online transactions, that Peoples United assumed no responsibilities with respect to Patco’s use of e-banking, and that Patco was to contact the bank immediately upon discovering an unauthorized transaction. For its online banking platform, Peoples United used a system that provided user authentication through user id’s and passwords, “device cookies” that identified particular computers used by customers for online banking, and challenge questions to which only the customer knew the answers. The bank’s system also used risk profiling based on the size, type, and frequency of the electronic payment orders to score unusual online transactions by the customer.
Peoples United chose not to implement “out-of-band” verification (voice callback or email verification) or “tokens” (a separate smart card or comparable device possessed only by the customer) to authenticate users or confirm authorization of suspect transactions. It did not monitor the risk scoring reports that were part of its online banking system.
Over seven days in May, 2009, an unknown party using the online banking credentials of a Patco employee ordered six separate electronic funds transfers totaling nearly $600,000 to various individuals. The cyberthief apparently had tricked a Patco employee into unknowingly installing a malicious keylogger program on a Patco computer. None of the recipients had previously received payments from Patco. The unknown party logged in from an IP address that Patco had never used.
Peoples United processed the transactions without notifying Patco. The cybertheft came to light only when the thieves ordered electronic transfers to invalid account numbers. Peoples United notified Patco by U.S. mail of the“returns” from the invalid accounts only to be informed Patco had not ordered the payments. Peoples United blocked or recovered some of the unauthorized funds transfers, but it was not able to recover about $350,000 of the losses.
Patco sought a refund from Peoples United of the lost funds. Peoples United refused and Patco ultimately filed suit. Patco based its claim for a refund primarily on Article 4A of the Uniform Commercial Code, a uniform law adopted in all fifty states which applies to electronic funds transfers. Article 4A was codified under Maine law as Me. Rev. Stat. Ann. Tit. 11, §4-1101, et seq. At the trial court level, both Patco and Peoples United moved for summary judgment. The trial court ruled against Patco and in favor of the bank, and Patco appealed.
“Commercially Reasonable” Methods of Security
On appeal, the First Circuit reversed the trial court. The First Circuit noted that Article 4A was drafted specifically to clarify commercial funds transfers. Article 4A used precise, detailed rules to assign responsibilities, allocate risks, and establish limits of liability between banks and their commercial customers. Under Article 4A, a bank ordinarily bears the risk of fraudulent funds transfers.
Banks, however, can shift the risk of loss to their customers by entering an agreement that payment orders verified by a security procedure will be effective whether or not authorized by the customer if:
- The security procedure is a commercially reasonable method of security; and
- The bank proves it accepted the payment order in compliance with the security procedure and with any written agreement or instruction from the customer restricting acceptance.
If the bank shows that its security procedure for online electronic funds transfers was reasonable and that it accepted a payment order in good faith and in compliance with the security procedure, the payment order stands even if it was not made by the customer.
On appeal, Patco argued that Peoples United’s online security system was not commercially reasonable. The First Circuit agreed. The bank’s security system had been set to require customers to answer challenge questions every time they logged on and thus the bank had increased the risk that the answers would be compromised. Additionally, the bank had the capacity to flag unusual electronic funds transfers, but Peoples United neither monitored such reports nor notified customers of suspect transactions.
Article 4A mandates that the commercial reasonableness of a security procedure may be shown by circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer. The First Circuit pointed out that Patco’s payment orders were predictable – they were made on Fridays, originated from a single static IP address, and were never more than $37,000. Although Peoples United knew these facts, it had not introduced added security measures commonly used by other banks, such as manually reviewing reports of suspect electronic funds transfers or obtaining customer verification of suspicious transactions.
The payment orders in question were uncharacteristic of Patco’s normal online banking transactions. The payments were directed to accounts to which Patco had never transferred funds, originated from a computer and IP address that Patco had never used, and were for amounts significantly higher than Patco’s normal electronic payments. The First Circuit concluded that the collective failures of the bank’s online banking system rendered the security procedures commercially unreasonable.
Patco’s Obligations and Responsibilities for Electronic Funds Transfers
The First Circuit’s reversal did not resolve the case in Patco’s favor as there remained genuine issues whether Patco had satisfied its obligations and responsibilities under Article 4A. For instance, it was unclear whether Peoples United had offered or Patco had asked for email alerts from the bank. It also was not clear whether Patco had exercised ordinary care to determine that the payment orders were not authorized and to notify the bank. Even if the bank’s security system was commercially unreasonable, it was unclear what responsibilities Article 4A imposed on Patco. The First Circuit remanded the case to the trial court with the pointed suggestion that Patco and Peoples United “consider whether it would be wiser to invest their resources in resolving this matter by agreement.” The parties heeded the suggestion and ultimately settled the case.
Construction businesses that use online banking should not assume that any loss of bank funds due to cybertheft will be refunded by the bank. Unlike the e-banking security system used by Peoples United, a bank’s method of securing online transactions may be commercially reasonable and thus shift the risk of loss to its commercial customers.
Any contractor certainly should take reasonable steps to protect online access to its bank accounts. Online banking access can be protected by limiting the number of the company’s authorized e-banking users and by dedicating one standalone device for online banking. Regularly checking for malware and educating users to recognize and avoid computer scams and deceptive emails also may help protect a business against cybertheft of its bank funds. Finally, a construction business can shift the risk of loss from cybertheft to the bank. The business can instruct its bank to observe limits on electronic funds transfers that exceed a given frequency or amount or are to recipients outside the country. The business can instruct the bank to obtain separate verification by phone or email of suspicious transactions. Taking these precautions is certainly the wisest investment of resources to combat cybertheft.