A recent decision by the First Circuit Court of Appeals could have important implications for the liability of banks for fraudulent wire transfers perpetrated on their customers. The Court of Appeals reversed the district court’s finding that a Maine bank was entitled to summary judgment on five of six counts against it, holding that the bank’s security procedures had been “commercially unreasonable” under the Uniform Commercial Code (“UCC”). The court held that collective failures in the bank’s security procedures, such as its “one-size-fits-all” approach to its customers, and its failure to implement additional security measures in light of the bank’s knowledge of ongoing fraud, violated the standards set out in Article 4A of the UCC. Patco Constr. Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012).
Patco Construction Company (“Patco”) is a small property development and contractor business that conducted its banking with Ocean Bank, which was later acquired by People’s United Bank. In September 2003, Patco added internet banking or “eBanking” to its commercial checking account, which it used primarily to make regular weekly payroll payments via Ocean Bank’s Automated Clearing House (“ACH”) network, a system used by banks to transfer funds electronically between accounts. Patco entered into an agreement with Ocean Bank providing that Ocean Bank did not assume any responsibilities with respect to Patco’s use of eBanking, and that Patco had to contact the bank immediately upon discovery of an unauthorized transaction.
Ocean Bank hired an outside company to provide its core online banking platform, and selected its “premium” online security package. The system, as implemented by Ocean Bank, had six key security features: (1) user IDs and passwords, (2) invisible device authentication, (3) risk profiling, (4) challenge questions, (5) dollar amount rule, and (6) subscription to the eFraud Network. Ocean Bank asserted that it also offered the option of email alerts to its eBanking customers, but Patco claims it did not receive notice that these alerts were available. The bank was able to set a dollar threshold amount above which a transaction would automatically trigger challenge questions, even if the user ID, password, and device cookie were all valid. The bank initially set the dollar amount rule at $100,000, but it was later lowered to $1.
Beginning on May 7, 2009, a series of fraudulent withdrawals were made on Patco’s account over the course of several days. The perpetrators allegedly supplied the proper credentials of a Patco employee, including her ID, password, and answers to her challenge questions. They logged in from a device unrecognized by Ocean Bank’s system and from an IP address that Patco had never before used. Ocean Bank’s risk-scoring engine reported the transaction as a “very high risk non-authenticated device” and “high risk transaction amount,” but Patco was not notified and the transaction was processed as usual. These fraudulent withdrawals continued from May 7 through May 13 until, on May 14, Patco informed Ocean Bank that it had not authorized the transactions, at which point Patco blocked the completion of additional transactions. In total, $588,851 was fraudulently withdrawn from Patco’s account, of which $243,406 was automatically returned or blocked and recovered.
In September 2009, Patco brought claims against the People’s United Bank for liability for the fraudulent transactions under Article 4A of the Uniform Commercial Code (“UCC”), negligence, breach of contract, breach of fiduciary duty, unjust enrichment and conversion.
UCC Article 4A
Article 4A of the UCC was enacted to govern the rights, duties, and liabilities of banks and their commercial customers with respect to electronic funds transfers. Pursuant to Article 4A, a bank receiving a payment order ordinarily bears the risk of loss of any unauthorized transfer of funds. If the court determines that the bank bears the risk of loss, the bank must refund the payment to the customer with interest. The bank may shift the risk of loss to the customer if it can show that its security procedure was commercially reasonable. Once the bank has shown commercial reasonableness, the customer may shift the risk of loss back to the bank if it can prove that the order was not made by an authorized person, and that the person did not obtain the security information from a source controlled by the customer.
The Court of Appeals reversed the district court’s finding that the bank was entitled to summary judgment on five of six counts against it, instead holding that the bank’s security procedures had been “commercially unreasonable” pursuant to the UCC. In particular, it held that the bank’s decision to lower the dollar amount rule from $100,000 to $1 deprived the security system of its core functionality by prompting the system to ask security questions for every transaction rather than only for those singled out as high-risk, thus increasing the risk of fraud. The court explained that this system gave cyber criminals a more frequent opportunity to capture all the information necessary to compromise an account, since the full set of credentials was entered every time a customer initiated an ACH transaction. If a customer’s computer became compromised, the customer would likely be prompted to answer its challenge questions before the malware was discovered and removed from the computer.
The court agreed with Patco’s argument that at the time in question such malware was a persistent problem throughout the financial industry, and that it was foreseeable that triggering the same challenge questions for high-risk transactions as for ordinary transactions was ineffective as a stand-alone backstop to password/ID entry. The court looked to Article 4A’s mandate that security procedures take into account the circumstances of the customer known to the bank, and noted that the UCC directs banks to consider “the size, type and frequency of payment orders normally issued by the customer to the bank.” Ocean Bank’s “one-size-fits-all” policy as to its dollar amount rule did not take Patco’s unique characteristics into account, and so failed to recognize that the $1 challenge question threshold would give cyber thieves greater opportunity to access Patco’s secure information.
The court rejected Ocean Bank’s argument that the $1 threshold was meant to target low-dollar fraud, holding that a higher threshold was still warranted for Patco and other commercial customers that engaged in regular high-dollar transfers. It also rejected Ocean Bank’s argument that it took Patco’s circumstances into account by building a risk profile based on its eBanking habits, holding that this was immaterial because the risk profile triggered no additional authentication requirements, and the bank did nothing with the information generated by comparing the fraudulent transactions against Patco’s profile. The court found that it was not uncommon in the industry for additional security measures, such as manual reviews, to be implemented where dollar amount rules were lowered. It found the failure to take additional security measures particularly unreasonable in light of the bank’s knowledge of ongoing internet fraud.
The court ultimately held that Ocean Bank’s security system was commercially unreasonable because, although the fraudulent withdrawals from Patco’s account were directed to accounts to which Patco had never before transferred money, originated from computers Patco had never before used, originated from an IP address that Patco had never before used, and specified payment amounts significantly higher than the payments Patco ordinarily made to third parties, no security measures were triggered beyond those applied to an ordinary transaction.
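As an added example (not code from the case, the bank, or its platform vendor), the following Python sketch models the two failure modes the court identified: a $1 dollar amount rule that challenges every payment order, and a risk profile whose hits trigger nothing beyond the same challenge questions. The profile fields, the decision rules, the 2x "unusual amount" multiplier, the $50,000 tailored threshold and all sample transactions are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerProfile:
    """What the bank already knows about a commercial customer (constructed sample)."""
    known_devices: frozenset
    known_ips: frozenset
    known_payees: frozenset
    typical_amount: float        # usual size of this customer's payment orders


@dataclass(frozen=True)
class Policy:
    challenge_threshold: float   # the "dollar amount rule"
    escalate_on_risk: bool       # do risk-profile hits trigger anything beyond challenge questions?


def risk_signals(tx: dict, profile: CustomerProfile) -> list:
    """Compare one payment order against the customer's profile; return the anomalies found."""
    signals = []
    if tx["device"] not in profile.known_devices:
        signals.append("unrecognized_device")
    if tx["ip"] not in profile.known_ips:
        signals.append("new_ip")
    if tx["payee"] not in profile.known_payees:
        signals.append("new_payee")
    if tx["amount"] > 2 * profile.typical_amount:   # assumed multiplier, not from the case
        signals.append("unusual_amount")
    return signals


def decide(tx: dict, profile: CustomerProfile, policy: Policy) -> str:
    """Return 'allow', 'challenge' (ask challenge questions) or 'hold' (manual review)."""
    signals = risk_signals(tx, profile)
    if policy.escalate_on_risk and len(signals) >= 2:
        return "hold"            # out-of-band confirmation or manual review before release
    if tx["amount"] >= policy.challenge_threshold:
        return "challenge"       # the only extra step the $1 rule ever produced
    return "allow"


# Constructed sample data; amounts and addresses are not figures from the case.
PATCO = CustomerProfile(frozenset({"dev-office"}), frozenset({"203.0.113.10"}),
                        frozenset({"payroll-acct"}), typical_amount=20_000.0)
PAYROLL = {"device": "dev-office", "ip": "203.0.113.10", "payee": "payroll-acct", "amount": 20_000.0}
FRAUD = {"device": "dev-unknown", "ip": "198.51.100.7", "payee": "mule-acct", "amount": 90_000.0}
AS_IMPLEMENTED = Policy(challenge_threshold=1.0, escalate_on_risk=False)   # $1 rule, profile ignored
TAILORED = Policy(challenge_threshold=50_000.0, escalate_on_risk=True)     # customer-specific step-up

if __name__ == "__main__":
    for name, pol in (("as implemented", AS_IMPLEMENTED), ("tailored", TAILORED)):
        print(name, "| payroll ->", decide(PAYROLL, PATCO, pol), "| fraud ->", decide(FRAUD, PATCO, pol))
```

Under the as-implemented policy the routine payroll and the anomalous order receive identical treatment (challenge questions only), so the weekly payroll exposes the answers while four risk signals change nothing; the tailored policy leaves payroll alone and holds the anomalous order.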
The Court of Appeals also affirmed the district court’s decision denying Patco’s motion for summary judgment, holding that the parties should brief on remand the question of what, if any, obligations or responsibilities are imposed on a commercial customer under Article 4A, even where the bank’s security system is commercially unreasonable. The court also reversed the district court’s finding that the common law claims of breach of contract and breach of fiduciary duty were preempted by Patco’s Article 4A claim, holding that these were not inherently inconsistent with one another, as there could be, either by contract or through assumption of fiduciary duties, higher standards imposed on the banks through common law than the UCC.
The First Circuit’s decision provides guidance as to how courts will interpret Section 4A’s “commercially reasonable” online security standard. To avoid potential liability, banks should tailor their security approach to meet the varying needs of each customer, and employ additional security measures when a transaction is identified as high risk.