Small business owners have new hope that they may be on the same
footing as individuals when it comes to cybertheft from their bank
The First Circuit Court of Appeals has reversed a district court
case over what is "commercially reasonable" under UCC Article 4A. Under Article 4A, banks
bear the risk for unauthorized transfers unless they can show that
either the payment order was sent by an authorized person or that
that they have commercially reasonable security procedures and they
followed those procedures.
The case, Patco Construction Company v. Ocean Bank,
involves a Maine construction company and Ocean Bank, a regional
bank that has since been acquired by People's United
Bank. Patco, a customer of Ocean Bank, used the eBanking
feature which allowed them to make electronic funds transfers via
the Automated Clearing House (ACH). Patco
used this service primarily for its payroll payments. These
payments were made on the same day of the week by computers Patco
has in its Sanford, Maine office, from the same IP address and they
all had federal and state tax withholdings. No payment was
for more than $37,000. In May 2009, six fraudulent transfers
occurred over a seven-day period. The transfers occurred from
an IP address Patco had never used, a device unrecognized by the
bank's system, were sent to individuals that Patco had never
sent transfers to and were for amounts between $56,000 and
The first transfer generated a "high risk" score of
790. Patco's usual risk scores were between 10 and
214. Unfortunately, Ocean Bank did not review or monitor
their risk reports. Some of the fraudulent accounts were
invalid and a portion of the transfers was returned to the
bank. The bank then sent Patco a limited return notice
notifying them of the incomplete transfers. Patco then
notified the bank that these were fraudulent transfers. If
the transactions had been fully completed Patco would have never
received a notification from the bank.
Over a year before these fraudulent transfers, Ocean Bank had
decreased the amount needed in a transfer to trigger the security
questions from $100,000 to $1. This lead to security
questions being asked every time Patco made a transfer.
According to the court decision, answering security questions for
each transaction "increased the risk that such answers would
be compromised by keyloggers or other malware that would capture
that information for unauthorized users." The court
asserts that malware is common place enough to be expected and
security measures need to be implemented to protect against such
The court reasoned that the increased risk of frequently
answering the security questions, coupled with the fact that Ocean
Bank did not monitor or provide notice about suspicious activity,
was not commercially reasonable under Article 4A. The court
discusses the various security procedures that were available to
Ocean Bank and industry standard security measures such as access tokens that Ocean Bank did not
This ruling affords businesses more protection and requires
those covered by Article 4A to ensure their security procedures are
more robust and take into account the industry standards.
While changing the landscape in regards to
the determination of what is "commercially
reasonable," this does not mean a win for Patco. The
case has been remanded to district court where issues of fact need
to be decided.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
A senior SEC lawyer has recently encouraged the private equity and hedge fund communities to consider whether certain practices of private fund managers could subject these firms to SEC registration as broker-dealers.
In November 2012, the U.S. District Court for the Eastern District of New York preliminarily approved a settlement agreement in the In re Payment Card Interchange Fee and Merchant Discount Antitrust Litigation.