Court ruling could leave bank on hook for online fraud

Patco Construction Co. v. People's United Bank hasn't made the mainstream evening news. But it is the top headline in the online banking world, thanks to a recent court decision in the case.

For the first time, a federal Court of Appeals has ruled that a bank's electronic transaction security procedures failed to meet the standard required under the Uniform Commercial Code (UCC) as "commercially reasonable," putting the bank on the hook for losses due to fraud.

Patco, a small property developer and construction contractor in Sanford, Maine, sued People's United for authorizing six fraudulent withdrawals from its account in May 2009, totaling $588,851, even though the bank's own security system had flagged each transaction as high-risk. The bank was able to block or recover $243,406 of that total.

The July 3 ruling, by the First Circuit U.S. Court of Appeals, does not end the case -- it rejects the summary judgment in the bank's favor that would have dismissed the suit, upholds the denial of the summary judgment Patco sought for itself, and remands the case to the district court.

It also makes it unlikely that the case will ever be adjudicated in court. Chief Judge Sandra Lynch suggested at the end of the decision that, "on remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement," a recommendation that William Repasky, a trial lawyer with Frost Brown Todd and an expert on online banking, called "most curious."

But Repasky also said that even if the parties do reach a private settlement and no official case law results, the court decision will have precedent-setting impact. "This is the highest court in the land to rule this way on this kind of case," he said.

Repasky will be cohosting a webinar on Wednesday at 11 a.m. EDT with George Tubin, security strategist and online banking fraud expert for security vendor Trusteer, to talk about how the case has changed the legal requirements for banks regarding their commercial customers.

Repasky said it is first important to understand the difference between individual and commercial banking customers. A bank's responsibilities to the former are governed by the Electronic Fund Transfer Act, while its duties to commercial customers are governed by Article 4A of the UCC.

The two major responsibilities to commercial customers, he said, are that a bank's security system must be "commercially reasonable," and that electronic transactions must be made in "good faith."

He said a separate case in Michigan last year, Experi-Metal v. Comerica, dealt with the good faith issue, when the bank authorized payments to hackers who had phished an Experi-Metal employee into providing his online banking credentials.

In that case, the hackers drained $1.9 million from Experi-Metal's account with 97 transactions over several hours. U.S. District Court Judge Patrick Duggan found that the bank had failed to prove it had acted in good faith.

But that case also ended with a confidential settlement, Repasky said.

In the Patco case, the Appeals Court found that the bank's system was commercially unreasonable, in part because it ignored multiple warnings from its own security system that the fraudulent transactions -- six of them over seven days -- were high risk: They came from a computer that Patco had never used before; from an IP address not associated with Patco; for amounts several orders of magnitude larger than any payment Patco had previously made to a third party; and with the money going to payees Patco had never paid before.

"Despite this high-risk score, Patco was not notified. Moreover, it appears no one at the bank monitored these high-risk transactions," the court said.

A number of facts remain in dispute. The bank claims that it changed the agreement with its commercial customers to require that they monitor their own accounts daily, and if they saw any unauthorized activity, to notify the bank that day. Patco claimed it had never received that notification. The Appeals court remanded that and other disputes back to the District Court.

Both Repasky and Tubin say this ruling changes the legal landscape in commercial, online banking. Repasky said it takes recommendations made by the Federal Financial Institutions Examination Council (FFIEC) to improve security and, as a practical matter, makes them mandatory.

"Even though the FFIEC says they are recommendations," Repasky said, "the court changed it from guidance to rules."

Among those "recommendations" are that a bank impose multi-factor authentication, that it use "layered security" and also that it develop a risk profile of each of its customers, so its system will be able to tell more readily if transactions may be fraudulent.

But the Appeals Court definitely saw it as more than a recommendation. It faulted People's United for a, "generic 'one-size-fits-all' approach to customers, (which) violates Article 4A's instruction to take the customer's circumstances into account."
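The two passages above describe a detection technique as much as a legal standard: the four signals the court recited (unfamiliar device, unfamiliar source IP, out-of-scale amount, never-seen payee) are exactly what a per-customer risk profile scores, and the failure was that a high score produced no hold and no notification. The following is an added example written for this article, not code from the court record, the bank or any of the article's sources. It trains a profile per customer from that customer's own history, scores new transfers on those four signals, maps the score to an action, and contrasts that with the flat, one-size-fits-all amount threshold the court faulted. The customers, devices, IP addresses, payees, amounts, weights and thresholds are all constructed for illustration.

```python
"""Per-customer transaction risk scoring (illustrative; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    customer: str
    device_id: str   # device/browser fingerprint assigned by the banking front end
    src_ip: str
    payee: str
    amount: float


@dataclass
class CustomerProfile:
    """What one customer's normal activity looks like."""
    devices: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    payees: Set[str] = field(default_factory=set)
    max_amount: float = 0.0

    def learn(self, tx: Transaction) -> None:
        """Fold a transfer into the profile. Call this only for transfers that
        were released and not later disputed, so a fraudulent transfer cannot
        train the profile to accept the next one."""
        self.devices.add(tx.device_id)
        self.ips.add(tx.src_ip)
        self.payees.add(tx.payee)
        self.max_amount = max(self.max_amount, tx.amount)


# Weights and thresholds are assumptions for illustration; a real deployment tunes them.
WEIGHTS = {"new_device": 3, "new_ip": 2, "new_payee": 2, "amount_out_of_scale": 3}
AMOUNT_MULTIPLE = 10.0          # "out of scale" = more than 10x this customer's prior maximum
HOLD_AT, STEP_UP_AT = 6, 3


def score(profile: CustomerProfile, tx: Transaction) -> Tuple[int, List[str]]:
    """Score a transfer against the customer's own baseline; return (score, reasons)."""
    reasons = []
    if tx.device_id not in profile.devices:
        reasons.append("new_device")
    if tx.src_ip not in profile.ips:
        reasons.append("new_ip")
    if tx.payee not in profile.payees:
        reasons.append("new_payee")
    if profile.max_amount > 0 and tx.amount > AMOUNT_MULTIPLE * profile.max_amount:
        reasons.append("amount_out_of_scale")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(risk: int) -> str:
    """Map a score to an action. A high score must hold the transfer and notify
    the customer out of band; scoring it high and then releasing it is the gap
    the court faulted."""
    if risk >= HOLD_AT:
        return "HOLD_AND_NOTIFY_CUSTOMER"
    if risk >= STEP_UP_AT:
        return "STEP_UP_AUTH"
    return "RELEASE"


def flat_threshold_decision(tx: Transaction, threshold: float = 50_000.0) -> str:
    """The one-size-fits-all rule: the same dollar threshold for every customer."""
    return "STEP_UP_AUTH" if tx.amount > threshold else "RELEASE"


def run_example() -> Dict[str, dict]:
    """Train two profiles on constructed history, then score one constructed
    attempt for each customer under both the per-customer and the flat rule."""
    history = [
        # A small contractor: a few thousand dollars at a time from one office PC.
        Transaction("small-co", "dev-A1", "203.0.113.10", "lumber-yard", 1_800.0),
        Transaction("small-co", "dev-A1", "203.0.113.10", "payroll-svc", 2_400.0),
        Transaction("small-co", "dev-A1", "203.0.113.10", "lumber-yard", 2_100.0),
        # A larger firm: tens of thousands per transfer from two known devices.
        Transaction("big-co", "dev-B1", "198.51.100.5", "steel-supplier", 38_000.0),
        Transaction("big-co", "dev-B2", "198.51.100.5", "payroll-svc", 45_000.0),
    ]
    profiles: Dict[str, CustomerProfile] = {}
    for tx in history:
        profiles.setdefault(tx.customer, CustomerProfile()).learn(tx)

    attempts = {
        # Unknown device and IP, never-seen payee, ~10x anything small-co ever sent,
        # yet well under a flat $50k threshold.
        "small-co fraud": Transaction("small-co", "dev-Z9", "192.0.2.77", "mule-account", 25_000.0),
        # big-co's routine payroll run from a known device: large, but normal for them.
        "big-co payroll": Transaction("big-co", "dev-B2", "198.51.100.5", "payroll-svc", 52_000.0),
    }
    results: Dict[str, dict] = {}
    for label, tx in attempts.items():
        risk, reasons = score(profiles[tx.customer], tx)
        results[label] = {
            "risk": risk,
            "reasons": reasons,
            "per_customer": decide(risk),
            "flat_threshold": flat_threshold_decision(tx),
        }
    return results


if __name__ == "__main__":
    for label, r in run_example().items():
        print(label, r)
```

Run as a script, the small contractor's $25,000 transfer scores 10 on all four signals and is held for out-of-band confirmation under the per-customer rule, while the flat $50,000 threshold releases it; the larger firm's $52,000 payroll run is normal for that customer and released, while the flat rule needlessly challenges it. The `learn` docstring carries the operational caveat: the profile is updated only from transfers that were released and not disputed, so an attacker cannot use one released fraud to normalize the next.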

"Some of the legal experts I've spoken to feel that because there was no definitive judgment, it's kind of a let down - not a lot of specificity," Tubin said. "But it's clear that the judge found (their system) to be commercially unreasonable."

Repasky said he believes the Patco decision is "destructive to the process" of banks working with commercial customers to improve security. He said he thinks it is reasonable to require commercial customers to monitor their accounts daily. "Who knows the customer better than the customer itself?" he said. "But the real key is that there is a need for a team approach to security - and that has to include the customer and the bank."

He called it a case of "Monday morning quarterbacking," in which the court found, in hindsight, that the bank's system was commercially unreasonable simply because it didn't work in this case.

But he said even though he thinks the customer should be expected to play a part in the security of its accounts, "I tell banks to embrace the risk. When it (fraud) happens, it's a terrible thing, but they need to let their customers know that their money is safer at the bank than it is at home, and that they will cover it (the loss)."

The damage to a bank of a case like Patco, he said, can go well beyond the money lost. "It's the reputational damage. What is going to happen with every other customer, or potential customer, who reads about the case?

"There is too much involved not to have a better system," he said.

Stories by Taylor Armerding