Last summer, the U.S. Court of Appeals for the First Circuit, in the case of Patco v. Peoples United Bank, 684 F.3d 197 (1st. Cir. 2012), weighed in on issues, involving a Maine construction company and its bank, that could have nationwide implications in determining who’s at fault when anonymous computer hackers steal money electronically.
Over a seven-day period in May 2009, Peoples United Bank, d/b/a Ocean Bank, authorized six apparently fraudulent withdrawals totaling $588,851.26 from an account held by Patco Construction Company after fraudsters correctly supplied Patco’s customized answers to security questions. Although the bank’s security system flagged each of these transactions as unusually “high risk” because they were inconsistent with the timing, value, and geographic location of Patco’s regular payment orders, the bank’s security system did not notify Patco and allowed the payments to go through. Ocean Bank was able to block or recover $243,406.83, leaving a loss to Patco of $345,444.43. Patco brought suit against the bank to recover its loss on the grounds that the bank’s security procedures were not commercially reasonable as defined by the Article 4(A) of the Uniform Commercial Code. The bank filed a motion for summary judgment and the federal Magistrate Judge determined that the bank’s security measures were commercially reasonable and that Patco had agreed to them. Thereafter, the district court adopted the magistrate’s findings and entered an order in favor of the bank. The bank appealed to the First Circuit.
The Court of Appeals found that the bank’s security procedures were not commercially reasonable. In reaching its holding, the Court noted that the parties’ contractual security procedures for authenticating cyber-payment orders included the following:
- User Id’s and passwords;
- Device authentication;
- Risk profiling to determine if a transaction differed from the user’s normal usage; and
- Challenge questions employed if the transaction was deemed high risk.
The Court of Appeals emphasized that it was not the failure of one specific security measure that caused it to find the bank’s security system to be commercially unreasonable rather, it was a collective failure on the part of the bank.
The Court of Appeals also based its decision on the bank’s lack of monitoring when other risk factors were triggered. The Court found that the payment orders in question were “entirely uncharacteristic of Patco’s ordinary transactions; they were directed to accounts to which Patco had never before transferred money; they originated from an IP address that Patco had never before used; and they specified payment amounts significantly higher than the payments Patco ordinarily made to third parties.” The bank’s security system flagged each transaction as a very high risk, but the transactions were not monitored by the bank. Moreover, the Court of Appeals criticized the bank’s use of a “one-size-fits-all” approach to security procedures and indicated that the bank should have tailored its procedures more specifically to its individual customers.
The First Circuit’s decision in Patco could have large implications for banks. Its interpretation of the “commercially reasonable” test is likely to reverberate across the country. For that reason, all commercial banks should take heed and review their security procedures. Security systems that merely rely on asking customers for IDs, passwords, and challenge questions are likely insufficient. Additional layers, such as password tokens and customer verification, should be considered. Above all, banks need to design platforms that seek input about each customer’s particular circumstances, and the available security procedures should effectively utilize that customer information.
— Junaid Odubeko