Patco Construction used Ocean Bank’s online banking to make payroll transactions and other transfers. In May 2009, it appeared that unknown third parties had made $588,000 in unauthorised withdrawals. The bank managed to block $288,000 of these. Patco sued to recover the rest. There were some obstacles to overcome, including clauses in Patco’s customer agreement making e-banking at the risk of the customer, requiring the customer to monitor transfers daily and making the customer liable for all transfers ‘purportedly’ made by it. The real question for the US magistrate in Maine was, however, whether Ocean Bank had adopted ‘commercially reasonable’ security measures; where this is the case, article 4A of the Uniform Commercial Code (on funds transfers) will absolve the bank of liability, provided it also acted in good faith and in compliance with those measures and the relevant agreements with the customer. The magistrate concluded that while the bank’s security measures did not include everything available at the time and were therefore ‘not optimal’, they were nevertheless OK. The US District Court agreed on appeal in a two-page order: Patco Construction Co v Peoples United Bank dba Ocean Bank (D Me, 27 May 2011; aff’d D Me, 4 August 2011), reported in the BLG Monthly Update, October 2011.

The 1st Circuit has reversed the order for summary judgment in favour of the bank (3 July 2012). By requiring the customer to answer security questions for every transaction it made, but not monitoring high-risk transactions which it had been warned were probably fraudulent or undertaking security measures which could easily have been implemented, the bank did not act in a commercially reasonable manner. The bank’s collective failures in light of multiple incidents of fraud of which it was aware made its actions especially unreasonable. The frauds at issue triggered nothing more than an ordinary transaction would. The court did leave open the possibility that the customer had also acted in a commercially unreasonable manner in responding to inadequate security measures on the part of the bank, a question for remand.