In a landmark decision, the 1st Circuit Court of Appeals held in "Patco Construction Company, Inc. v. People's United Bank", No. 11-2031 (1st Cir. July 3, 2012) that People's United Bank (d/b/a Ocean Bank) was required to reimburse its customer, PATCO Construction Co., for approximately $580,000 that had been stolen from PATCO'S bank account. In so doing, the court reversed the decision of the U.S. District Court for the District of Maine that had granted summary judgment in the bank's favor.
The dispute arose when Ocean Bank authorized six fraudulent withdrawals over seven days from an online account held by PATCO. While the bank's security system flagged each one of the transactions as "high risk" because they were inconsistent with the timing, value, and geographic location of PATCO's regular payment orders, the bank's security system did not notify PATCO of this information and allowed the payments to go through. In light of this omission, PATCO sued, alleging that Ocean Bank should bear responsibility for the loss because its security system was not "commercially reasonable" under the Uniform Commercial Code, as codified under Maine Law.
Ocean Bank moved for summary judgment on the basis that its use of a one-time log-in and password security requirement for transaction authentication was sufficient to comply with the "commercially reasonable" standards. The district court agreed and granted the bank's motion.
On appeal, the 1st Circuit reversed, based on its determination that the bank's "generic 'one-size-fits-all' approach to customers violates Article 4A's instruction to take the customer's circumstances into account." The court explained that Ocean Bank's failure to implement enhanced security procedures was unreasonable in light of its knowledge of ongoing fraud involving the same measures as had been used with respect to PATCO's account. When the fraud re-occurred in this "unordinary" situation, the court held that it was "commercially unreasonable" for Ocean Bank's security system to trigger only those security measures that were applicable to "ordinary" transactions. The court reasoned the "unprecedentedly high risk scores" on the potential transactions were well above PATCO's regular risk scores and therefore should have triggered extra security measures to authenticate the transactions. The Court stressed, however, that it was the bank's "collective failures" taken as a whole, rather than any single failure, that rendered its security system commercially unreasonable under the circumstances.
The PATCO decision could have significant implications for financial institutions and their insurers, as it has the potential to open the floodgates for businesses victimized by cyber fraudsters to sue their banks in order to recover misappropriated funds. It also could impact similar lawsuits currently pending, such as Choice Escrow and Land Title, LLC v. BancorpSouth Bank, Case No. 2010cv03531 (W.D. Miss.), which involves loss arising from ACH and wire fraud.
On the other hand, the 1st Circuit in PATCO suggested several proactive measures that might enable financial institutions to avoid the fate suffered by Ocean Bank. Among other things, the court identified the following enhanced security procedures: (i) manual reviews of suspect transactions by actual personnel to determine the legitimacy of a transaction, (ii) eschew a one-size-fits-all security approach for customers, and (iii) "customer verification" or notification to authenticate uncharacteristic or suspicious transactions.
At the same time, the court noted customers such as PATCO also might have certain responsibilities under Article 4A of the UCC, even when its bank's security measures are found to be "commercially unreasonable," although the court left open the question of what those obligations might be. Of course, whatever they may be, they did not exist on the facts presented.
PATCO is but one more example of the value and import of insurance products such as cyber, fidelity and related E&O coverages in an ever-changing virtual economy. Financial institutions, commercial entities and even individual account-holders cannot rely on others to protect them. Rather, they need to take proactive steps to secure their interests, including purchasing tailored insurance that responds to their changing needs. At the same time, the insurance industry must continue to stay ahead of the curve by anticipating the evolving risks and providing products that will address a rapidly evolving market.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.