Court ruling could leave bank on hook for online fraud
Federal case changes legal requirements for banks regarding commercial customers
By Taylor Armerding
August 21, 2012 — CSO — Patco Construction. v. People's United Bank hasn't made the mainstream evening news. But it is the top headline in the online banking world, thanks to a recent court decision in the case.
For the first time, a federal Court of Appeals has ruled that a bank's electronic transaction security procedures failed to meet the standard required under the Uniform Commercial Code (UCC) as "commercially reasonable," putting the bank on the hook for losses due to fraud.
Patco, a small property development and contractor in Sanford, Maine, sued People's United for authorizing six fraudulent withdrawals from its account in May 2009, totaling $588,851, even after the bank's security system had flagged each transaction as high-risk. The bank was able to block or recover $243,406 of that total.
[In depth: A directory of security-related regs, laws, and guidelines]
The July 3 ruling, by the First Circuit U.S. Court of Appeals, does not end the case -- it denies a summary judgment to dismiss the suit sought by the bank, upholds the denial of a summary judgment sought by Patco and remands the case back to the district court level.
It also makes it unlikely that the case will ever be adjudicated in court. Chief Judge Sandra Lynch suggested at the end of the decision that, "on remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement," a recommendation that William Repasky, a trial lawyer with Frost Brown Todd and an expert on online banking, called "most curious."
But Repasky also said that even if the parties do reach a private settlement and no official case law results, the court decision will have precedent-setting impact. "This is the highest court in the land to rule this way on this kind of case," he said.
Repasky will be cohosting a webinar on Wednesday at 11 a.m. EDT with George Tubin, security strategist and online banking fraud expert for security vendor Trusteer, to talk about how the case has changed the legal requirements for banks regarding their commercial customers.
Repasky said it is first important to understand the difference between individual and commercial banking customers. A bank's responsibilities to the former are governed by the Electronic Fund Transfer Act, while its duties to commercial customers are governed by Article 4A of the UCC.
The two major responsibilities to commercial customers, he said, are that a bank's security system must be "commercially reasonable," and that electronic transactions must be made in "good faith."
How to efficiently manage security compliance with PCI DSS and other laws and regulations
GRC: Trying to take a bite out of risk
PCI post-audit pain points
PCI shrugged: Debunking the criticisms
The art of the compensating control
SSAE - replacement for SAS 70 coming
A directory of security-related regs, laws, and guidelines
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Content Analytics Explained
- Modernizing Wireless Infrastructure for Today's Mobile and Data Driven Enterprise
- Best Practices Guide for IT Governance & Compliance
- How to Get Ahead of the Compliance Curve
- Exalogic and PCI Compliance - Implementing Oracle Exalogic in a Payment Card Environment
- CSO's Digital Spotlight on GRC
- Data loss prevention: Refreshing data security to meet an evolving threat environment
- Two-Factor Authentication
- #FFSec: Infosec pros who bring value to Twitter
Follow these names on Twitter. Together, they make cyberspace a more secure place. (copy and paste) - B-Sides Boston is Saturday
- Leaving CSO, Heading to Akamai
More Salted Hash with Bill Brenner
