In Patco Construction Company, Inc. v. People’s United Bank, the First Circuit Court of Appeals found that a Maine bank’s collective security failures in connection with a customer’s ACH transfers were commercially unreasonable under Article 4A of the UCC. The customer, Patco Construction Company, characterized the decision as a “wake up call” to banks. While “wake up call” might be too strong, the decision will have implications for bank security measures.
Patco made regular ACH transfers through online banking for its weekly payroll. From 2003, when it first enrolled in the online banking program, Patco always made these transfers on a Friday, from a computer at its office, from a single IP address, and with an accompanying withdrawal for state and federal payroll taxes. The largest withdrawal during this period had been approximately $37,000.
In 2007, the bank implemented a vendor’s “premium” security package, which included requiring company and individual IDs and passwords to access the account, placing device “cookies” on customer computers, risk profiling, challenge questions, the ability of the bank to set a dollar threshold for challenge questions and subscription to an eFraud network that compared characteristics of the transaction with known frauds.
In June 2008, the bank changed its security procedures to trigger challenge questions for any transaction over $1. In May 2009, the bank’s security system flagged six withdrawals from the Patco account, totaling almost $600,000, as high risk because they were inconsistent with the timing, value and geographic location of Patco’s typical withdrawals. Each transaction was significantly larger than $37,000 and was directed to an account to which Patco had never before transferred money. Despite the high-risk flags raised by its own security system, it appears that no one at the bank monitored the suspicious transactions. The bank allowed the transactions to go through and did not notify the customer. Six days after the first transaction, portions of the original transfers were returned to the bank because of invalid account numbers. Only then did the bank notify the customer, who informed the bank that the transactions were not authorized. Shortly after being notified, Patco conducted a forensic review of its systems and learned that malware had been installed on its network, allowing a perpetrator to intercept login credentials, including Patco’s responses to the challenge questions.
The Court’s Decision
In ruling for Patco, the court found that the decision to ask challenge questions for every transaction substantially increased the risk of fraud: the more often a customer typed its answers, the more opportunities malware on the customer’s computer had to capture them, and this was particularly true for a customer like Patco that made regular high-dollar transfers. In determining that the bank’s security system was not commercially reasonable, the court also focused on the bank’s failure to monitor the transactions and to warn Patco of transactions that its own security procedures had identified as suspicious. The court added that lowering the challenge question threshold from $100,000 to one dollar for all customers ignored UCC Article 4A’s mandate that security procedures take into account “the circumstances of the customer known to the bank.” Section 4-1202(3). The court criticized the bank for not introducing additional security measures, such as manual review or customer verification, despite the fact that such procedures were “not uncommon in the industry and were relatively easy to implement.” Especially troubling to the court was that, by May 2009, the bank had already experienced two incidents of similar fraud, which it had concluded were attributable to malware or internal fraud.
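The risk model the court describes (comparing each transfer with the customer’s own history of timing, value, origin and beneficiaries), the per-customer challenge threshold, and the routing of flagged transactions to a hold-and-notify path rather than silent release can be put into working form. The following is an added illustration written for this article; it is not the bank’s or its vendor’s code, and the sample payroll history, the suspect transfer, the IP addresses and the account labels are constructed for the example.

```python
"""Per-customer transaction risk profiling and alert routing.

Added illustration, not the bank's or its vendor's code. Names, thresholds
and the sample transactions below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Transaction:
    when: date
    amount: float          # USD
    source_ip: str         # originating address seen by the bank
    beneficiary: str       # destination account label (constructed)


@dataclass
class Baseline:
    """What the bank already knows about the customer from its own records."""
    weekdays: set = field(default_factory=set)      # 0=Mon ... 4=Fri
    max_amount: float = 0.0
    source_ips: set = field(default_factory=set)
    beneficiaries: set = field(default_factory=set)


def build_baseline(history):
    """Derive the customer's normal pattern from past authorized transfers."""
    b = Baseline()
    for t in history:
        b.weekdays.add(t.when.weekday())
        b.max_amount = max(b.max_amount, t.amount)
        b.source_ips.add(t.source_ip)
        b.beneficiaries.add(t.beneficiary)
    return b


def risk_reasons(b, t):
    """List the attributes on which a transfer departs from the baseline."""
    reasons = []
    if t.when.weekday() not in b.weekdays:
        reasons.append("timing")
    if t.amount > b.max_amount:
        reasons.append("value")
    if t.source_ip not in b.source_ips:
        reasons.append("origin")
    if t.beneficiary not in b.beneficiaries:
        reasons.append("new_beneficiary")
    return reasons


def challenge_count(transactions, threshold):
    """How many transfers would prompt challenge questions at this threshold.

    Every prompt is a chance for malware on the customer's machine to
    capture the answers, so this is a proxy for exposure of the answers.
    """
    return sum(1 for t in transactions if t.amount > threshold)


def route(b, t, high_risk_at=2):
    """Flagged transfers are held and the customer notified, not released."""
    reasons = risk_reasons(b, t)
    if len(reasons) >= high_risk_at:
        return {"action": "hold_and_notify", "reasons": reasons}
    return {"action": "release", "reasons": reasons}


# Constructed sample data: four Friday payroll runs from the office address
# to the usual payroll account (May 1, 2009 was a Friday), then a Thursday
# transfer of an unprecedented size from an unfamiliar address to a new account.
OFFICE_IP = "203.0.113.10"
HISTORY = [
    Transaction(date(2009, 4, 3), 31000.0, OFFICE_IP, "PAYROLL-ACCT"),
    Transaction(date(2009, 4, 10), 33500.0, OFFICE_IP, "PAYROLL-ACCT"),
    Transaction(date(2009, 4, 17), 35000.0, OFFICE_IP, "PAYROLL-ACCT"),
    Transaction(date(2009, 4, 24), 37000.0, OFFICE_IP, "PAYROLL-ACCT"),
]
SUSPECT = Transaction(date(2009, 5, 7), 90000.0, "198.51.100.7", "ACCT-X")
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    print("reasons:", risk_reasons(BASELINE, SUSPECT))
    print("prompts at $1 threshold:", challenge_count(HISTORY, 1.0))
    print("prompts at customer max:", challenge_count(HISTORY, BASELINE.max_amount))
    print("routing:", route(BASELINE, SUSPECT))
```

With the $1 threshold every routine payroll run prompts for the challenge answers, so a keylogger on the customer’s machine sees them weekly; with a threshold set from the customer’s own history none of the routine runs prompt, while the $90,000 transfer still does. The suspect transfer also departs from the baseline on all four attributes and is routed to hold-and-notify, which is the step the court faulted the bank for not having anyone perform.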
The Court remanded the case so the parties could address Article 4A’s obligation on commercial customers, noting that customers have "obligations and responsibilities as well."
The Impact of the Patco Decision
High level security technology is simply not enough to survive a commercial reasonableness analysis if a bank does not have the personnel available to monitor the reports produced by the technology and to promptly report to customers any suspicious transactions. The following are lessons banks can take away from the Patco decision:
- How well a bank keeps abreast of available security technologies and adapts them to its business will count in the commercial reasonableness analysis where those technologies are common and easy to implement, and especially where they are features of the very product the bank has already deployed but has not fully used.
- A bank that receives a warning of possible fraud and, at the same time, fails to monitor the flagged transactions or notify the customer makes it easy for a court to conclude that its security procedures are not commercially reasonable.
- Know your customer, in the practical sense. The Patco court criticized the bank for its “generic one-size-fits-all” approach to customers as a violation of Article 4A.
- Train your customers, keep them regularly informed about the bank’s fraud alerts, and keep records of having done so.
- Make sure agreements are up-to-date.
Should you need assistance in connection with security measures, or if you would like to learn more about this case or our experience with similar issues, please do not hesitate to contact us.