Court ruling could leave bank on hook for online fraud

Patco Construction. v. People’s United Bank hasn’t made the mainstream evening news. But it is the top headline in the online banking world, thanks to a recent court decision in the case.

For the first time, a federal Court of Appeals has ruled that a bank’s electronic transaction security procedures failed to meet the standard required under the Uniform Commercial Code (UCC) as “commercially reasonable,” putting the bank on the hook for losses due to fraud.

Patco, a small property development and contractor in Sanford, Maine, sued People’s United for authorizing six fraudulent withdrawals from its account in May 2009, totaling $588,851, even after the bank’s security system had flagged each transaction as high-risk. The bank was able to block or recover $243,406 of that total.

[In depth: A directory of security-related regs, laws, and guidelines]

The July 3 ruling, by the First Circuit U.S. Court of Appeals, does not end the case — it denies a summary judgment to dismiss the suit sought by the bank, upholds the denial of a summary judgment sought by Patco and remands the case back to the district court level.

It also makes it unlikely that the case will ever be adjudicated in court. Chief Judge Sandra Lynch suggested at the end of the decision that, “on remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement,” a recommendation that William Repasky, a trial lawyer with Frost Brown Todd and an expert on online banking, called “most curious.”

But Repasky also said that even if the parties do reach a private settlement and no official case law results, the court decision will have precedent-setting impact. “This is the highest court in the land to rule this way on this kind of case,” he said.

Repasky will be cohosting a webinar on Wednesday at 11 a.m. EDT with George Tubin, security strategist and online banking fraud expert for security vendor Trusteer, to talk about how the case has changed the legal requirements for banks regarding their commercial customers.

Repasky said it is first important to understand the difference between individual and commercial banking customers. A bank’s responsibilities to the former are governed by the Electronic Fund Transfer Act, while its duties to commercial customers are governed by Article 4A of the UCC.

The two major responsibilities to commercial customers, he said, are that a bank’s security system must be “commercially reasonable,” and that electronic transactions must be made in “good faith.”

He said a separate case in Michigan last year, Experi-Metal v. Comerica, dealt with the good faith issue, when the bank authorized payments to hackers who had spoofed a bank employee into providing his credentials.

In that case, the hackers drained $1.9 million from Experi-Metal’s account with 97 transactions over several hours. U.S. District Court Judge Patrick Duggan found that the bank had failed to prove it had acted in good faith.

But that case also ended with a confidential settlement, Repasky said.

In the Patco case, the Appeals Court found that the bank’s system was commercially unreasonable, in part because it ignored multiple warnings from its own security system that the fraudulent transactions — six of them over seven days — were high risk: They came from a computer that had never been used before by Patco; from an IP address not recognized as from Patco; for amounts greater by several magnitudes than any Patco had made to third parties before; with the money going to people Patco had never before paid.

“Despite this high-risk score, Patco was not notified. Moreover, it appears no one at the bank monitored these high-risk transactions,” the court said.

A number of facts remain in dispute. The bank claims that it changed the agreement with its commercial customers to require that they monitor their own accounts daily, and if they saw any unauthorized activity, to notify the bank that day. Patco claimed it had never received that notification. The Appeals court remanded that and other disputes back to the District Court.

Both Repasky and Tubin say this ruling changes the legal landscape in commercial, online banking. Repasky said it takes recommendations made by the Federal Financial Institutions Examination Council (FFIEC) to improve security and, as a practical matter, makes them mandatory.

“Even though the FFIEC says they are recommendations,” Repasky said, “the court changed it from guidance to rules.”

Among those “recommendations” are that a bank impose multi-factor authentication, that it use “layered security” and also that it develop a risk profile of each of its customers, so its system will be able to tell more readily if transactions may be fraudulent.

But the Appeals Court definitely saw it as more than a recommendation. It faulted People’s United for a, “generic ‘one-size-fits-all’ approach to customers, (which) violates Article 4A’s instruction to take the customer’s circumstances into account.”

“Some of the legal experts I’ve spoken to feel that because there was no definitive judgment, it’s kind of a let down – not a lot of specificity,” Tubin said. “But it’s clear that the judge found (their system) to be commercially unreasonable.”

Repasky said he believes the Patco decision is “destructive to the process” of banks working with commercial customers to improve security. He said he thinks it is reasonable to require commercial customers to monitor their accounts daily. “Who knows the customer better than the customer itself?” he said. “But the real key is that there is a need for a team approach to security – and that has to include the customer and the bank.”

He called it a case of “Monday morning quarterbacking,” in which the court found, in hindsight, that the bank’s system was commercially unreasonable simply because it didn’t work in this case.

But he said even though he thinks the customer should be expected to play a part in the security of its accounts, “I tell banks to embrace the risk. When it (fraud) happens, it’s a terrible thing, but they need to let their customers know that their money is safer at the bank than it is at home, and that they will cover it (the loss)”

The damage to a bank of a case like Patco, he said, can go well beyond the money lost. “It’s the reputational damage. What is going to happen with every other customer, or potential customer, who reads about the case?

“There is too much involved not to have a better system,” he said.