On July 3, 2012, the United States Court of Appeals for the First Circuit ruled that a commercial customer could proceed against its bank for approximately $345,000 in losses that the customer suffered in a cyber fraud attack. The First Circuit based its decision on the bank's failure to maintain "commercially reasonable" security procedures. The case, Patco Construction Co., Inc. v. People's United Bank,[1] reversed the district court's grant of summary judgment in favor of the bank.[2] This is the first time a federal appeals court has addressed the sensitive issue of bank liability for account losses resulting from cyber fraud.

Under the facts of the case, Patco, a family-owned construction company, maintained a commercial deposit account at the bank from which it routinely initiated electronic funds transfers through the account’s Internet banking ("eBanking") function. Patco primarily used the account to make payroll payments. The highest payment Patco ever made using eBanking was approximately $36,000. Such payments were always made on Fridays, and were initiated from one of the business computers at Patco’s offices. The origination of such transfers was always from a single static Internet Protocol ("IP") address.

The bank used a vendor, Jack Henry & Associates, to help implement security procedures in accordance with the Federal Financial Institutions Examination Council ("FFIEC") guidance entitled "Authentication in an Internet Banking Environment."[3] Based on the FFIEC guidance, the bank classified its eBanking product as a "high risk" system that called for greater security, and, in particular, multifactor authentication. Under the Jack Henry authentication program the bank deployed, a customer logging in had to enter an ID and password for the company and an ID and password for the individual user. The program also included, among other things, challenge questions that were triggered when a transaction exceeded a set dollar amount, and "risk scoring," which weighed a number of factors, including the device and location from which a user logged in and the size, type, and frequency of payment orders normally issued by the customer. Every one of these elements (IDs, passwords, and challenge answers) is something the user knows, so all of them can be captured by malware running on the customer's own computer. Importantly, about a year before the transactions at issue in the case, the bank lowered the dollar threshold for challenge questions from $100,000 to $1.

A series of unauthorized withdrawals was made from Patco's account over several days in May 2009. Cyber criminals had apparently compromised Patco's computer system to obtain login and password information, along with the answers to the challenge questions, and then used this information to withdraw more than $588,000 from the account. Of this amount, the bank was able to block or recover about $243,000, leaving Patco with roughly $345,000 in losses.

The withdrawals were directed to the accounts of numerous individuals, none of whom had previously been sent money by Patco. The perpetrators logged in from a device the bank did not recognize and from an IP address that Patco had never used. The bank's risk-scoring engine assigned the transactions a substantially higher risk score because they were inconsistent with the timing, value, and geographic location of Patco's regular payment orders. Nevertheless, the bank neither reviewed the flagged transactions before releasing them nor notified Patco.

In addressing the question of the bank's liability, the court looked to Article 4A of the Uniform Commercial Code ("UCC"), which governs the rights, duties, and liabilities of banks and their commercial customers with respect to electronic funds transfers. UCC section 4A-202 (codified in Maine, whose law governed the case, as section 4-1202) provides that if a bank and its customer agree that the authenticity of payment orders issued by the customer will be verified pursuant to a security procedure, then a payment order accepted in compliance with that procedure is effective as the customer's order, provided the security procedure is "commercially reasonable" and the bank accepts the order in good faith.

The eBanking Agreement between the bank and Patco generally provided that the use of the password with the account constituted authentication for all transactions initiated on the account, and that the bank did not "assume[ ] any responsibilities" with respect to Patco’s use of eBanking.

Despite the protection afforded the bank under the eBanking Agreement, the First Circuit ruled against the bank based on its failure to employ commercially reasonable security procedures. The court held that the bank's lowering of the challenge-question threshold to $1 substantially increased the risk of fraud, particularly for a customer like Patco that initiated frequent transfers, since it meant that the customer would be entering answers to the challenge questions on virtually every transaction, thereby giving fraudsters using keyloggers more opportunities to capture those answers along with the login credentials. In this regard, the court focused on the language of section 4A-202(c) (Maine section 4-1202(3)) and its commentary, which require a bank to consider "the circumstances of the customer" known to the bank, such as "the size, type and frequency of payment orders normally issued by the customer to the bank." In Patco's case, according to the court, "these characteristics were regular and predictable," in that Patco used its account primarily for payroll. The bank apparently never offered customers like Patco the option to adjust the threshold amount for challenge questions. The court found that this "one-size-fits-all" approach to challenge questions violated Article 4A's mandate to take into account the circumstances of the particular customer.

In addition, the bank failed to respond to the high risk scores generated while the fraudulent transactions were occurring by closely monitoring those transactions and notifying Patco before allowing them to proceed. The transactions were completely uncharacteristic of Patco's normal activity: they originated from a device and IP addresses that Patco had never used, went to payees Patco had never paid, and were for amounts significantly higher than Patco's normal funds transfers. The bank's own security program identified these discrepancies, yet the bank did not act on them by immediately alerting Patco.

The court noted that the Jack Henry risk-scoring system was designed to trigger an additional layer of authentication, such as challenge questions, when a high score indicated an unusual or suspicious transaction. Because the $1 threshold meant the challenge questions were already being asked on virtually every transaction, a high score could add nothing: there was no further factor left to invoke, and the risk-scoring system was deprived of its core function.
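The two policies the court contrasts can be made concrete. The following is an added illustration, not code from the bank, from Jack Henry & Associates, or from the court record. It models a per-customer profile and a simple additive risk score over the signals the opinion names (device, IP address, payee novelty, amount, day of week), then compares a fixed $1 challenge threshold with a policy that reserves step-up for unusual orders and holds and notifies on high risk. The profile, the sample orders, the weights, and the thresholds are all constructed assumptions chosen to resemble the facts described above.

```python
"""Risk-based step-up authentication for payment orders (added illustration).

Not the bank's, Jack Henry & Associates', or the court's code. Profile, orders,
weights and thresholds are constructed to mirror the facts in the opinion.
"""
from dataclasses import dataclass

FRIDAY = 4  # Monday == 0


@dataclass(frozen=True)
class CustomerProfile:
    """What the bank already knows about a customer's normal behaviour."""
    known_ips: frozenset
    known_devices: frozenset
    known_payees: frozenset
    typical_max_amount: float
    usual_weekdays: frozenset


@dataclass(frozen=True)
class PaymentOrder:
    amount: float
    src_ip: str
    device_id: str
    payee: str
    weekday: int


def risk_score(profile: CustomerProfile, order: PaymentOrder) -> int:
    """Additive score over the signals the opinion lists. Weights are assumed."""
    score = 0
    if order.device_id not in profile.known_devices:
        score += 30  # unrecognised device
    if order.src_ip not in profile.known_ips:
        score += 30  # IP address the customer has never used
    if order.payee not in profile.known_payees:
        score += 20  # payee never paid before
    if order.amount > profile.typical_max_amount:
        score += 20  # larger than anything the customer has sent
    if order.weekday not in profile.usual_weekdays:
        score += 10  # outside the customer's usual schedule
    return score


def fixed_threshold_policy(profile: CustomerProfile, order: PaymentOrder,
                           threshold: float = 1.0) -> str:
    """The bank's approach after lowering the threshold: challenge questions on
    every order at or above $1, regardless of who or where it comes from."""
    return "challenge" if order.amount >= threshold else "allow"


def risk_based_policy(profile: CustomerProfile, order: PaymentOrder,
                      step_up_at: int = 40, hold_at: int = 70) -> str:
    """Reserve the extra factor for unusual orders; on a high score stop the
    order and notify the customer out of band rather than rely on a challenge
    whose answers may already be in the attacker's hands."""
    score = risk_score(profile, order)
    if score >= hold_at:
        return "hold_and_notify"
    if score >= step_up_at:
        return "step_up"
    return "allow"


def challenge_prompts(profile: CustomerProfile, orders, policy) -> int:
    """How often the customer is asked to type a secret under a policy; each
    prompt is a chance for malware on the customer's machine to capture it."""
    return sum(1 for o in orders if policy(profile, o) in ("challenge", "step_up"))


# Constructed profile resembling the customer in the case: one office IP,
# one device, payroll payees, Friday-only transfers of at most ~$36,000.
PATCO_PROFILE = CustomerProfile(
    known_ips=frozenset({"203.0.113.10"}),
    known_devices=frozenset({"office-pc-1"}),
    known_payees=frozenset({"payroll-acct-a", "payroll-acct-b"}),
    typical_max_amount=36_000.0,
    usual_weekdays=frozenset({FRIDAY}),
)

# Four constructed routine Friday payroll runs from the known office machine.
ROUTINE_PAYROLL = [
    PaymentOrder(24_000.0, "203.0.113.10", "office-pc-1", "payroll-acct-a", FRIDAY)
    for _ in range(4)
]

# Constructed order with the features the opinion attributes to the fraud:
# unknown device, never-used IP, new payee, out-of-pattern amount and weekday.
FRAUD_ORDER = PaymentOrder(90_000.0, "198.51.100.77", "unknown-laptop",
                           "mule-acct-1", 2)


def compare_policies(profile, routine, fraud):
    """For each policy: (decision on the fraudulent order, number of times the
    customer was prompted for challenge answers across the routine orders)."""
    return {
        "fixed_$1_threshold": (fixed_threshold_policy(profile, fraud),
                               challenge_prompts(profile, routine, fixed_threshold_policy)),
        "risk_based": (risk_based_policy(profile, fraud),
                       challenge_prompts(profile, routine, risk_based_policy)),
    }


if __name__ == "__main__":
    print(compare_policies(PATCO_PROFILE, ROUTINE_PAYROLL, FRAUD_ORDER))
```

Run as written, the fixed policy prompts for challenge answers on all four routine payroll orders and then treats the fraudulent order exactly the same way (a challenge the attacker can already answer), while the risk-based policy never prompts on the routine orders and holds the fraudulent one for out-of-band confirmation. The point is not the particular weights, which any bank would tune, but that the second factor is only worth something if it is withheld from attackers and invoked when the score says it is needed.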

In addition, the court noted that the bank's security measures fell below those in use at similarly situated banks, which employed manual review of suspicious transactions, hardware tokens, or other additional security measures that the bank had not adopted.

The case has important lessons for banks seeking to have commercially reasonable security procedures in connection with their Internet banking services:

  • Banks may not be able to rely simply on customer agreements that shift the risk of loss to the customer in order to avoid liability for cyber attacks.
  • Banks should consider additional security measures and procedures, including an effective plan to communicate with customers, such as red-flag emails or calls, when there is suspicious activity.
  • Banks need to develop and adjust security procedures based on current risks and industry standards.
  • Banks need to take the individual circumstances of a particular customer into account in their security measures.
  • Once banks have put security measures in place, they need to take care to actually follow them, including acting on the alerts those measures generate.