PATCO Constructions Company, Inc., v. People’s United Bank, d/b/a Ocean Bank
In May 2009, Ocean Bank authorized six ACH transfers totaling $588,851.26 from PATCO’s account. The transfers were fraudulently ordered using Ocean Bank’s internet banking portal and PATCO’s office computer, which had been compromised by unidentified cybercriminals. The criminals were able to correctly supply access credentials and customized answers to security challenge questions. The bank’s security system flagged the six transactions as “high-risk” because they were inconsistent with the timing, value, and geographic location of PATCO’s regular payment orders, but neither the system nor the bank notified PATCO of the alert and the payments were allowed to be processed. Although some of the funds were returned, there was a loss of $345,444.43.
PATCO sued Ocean Bank, alleging that the bank should bear the loss because its security system was not commercially reasonable under UCC Article 4A, and that PATCO had not consented to the procedures. The district court ruled in 2011 that the security system was commercial reasonable (because it met the customer verification standards in the then-current guidance from federal regulators (“Authentication in an Internet Banking Environment,” 2005). The U.S. Court of Appeals for the First Circuit. in its July 3, 2012, decision, found that Ocean Bank increased the risk of fraudulent transactions by asking for security answers for all transactions over $1, by failing to monitor its security system reports for transactions flagged as “high-risk,” and failing to provide notice to customers before high-risk transactions were allowed to be completed, and therefore the court could not consider the bank’s security system to be commercially reasonable under Article 4A. The case was remanded to the district court for further deliberations on the responsibilities of the parties when the bank’s security measures are not considered commercially reasonable, with a suggestion that the parties “may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.”