On July 3, 2012, the First Circuit Court of Appeals (the “Court of Appeals”), in Patco Constr. Co. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012), reversed the decision of the District Court of Maine (the “District Court”) granting summary judgment in favor of People’s United Bank regarding the implementation of “commercially reasonable security procedures” for funds transfers under Article 4A of the Uniform Commercial Code (the “UCC”). While the Court of Appeals’ decision may not have substantially raised the bar for banks’ security systems to be “commercially reasonable” under Article 4A, it does suggest some areas where banks may need to focus to ensure that their funds transfer security procedures are commercially reasonable.
Over the course of seven days in May 2009, Ocean Bank (the “Bank”), at the time a division of People’s United Bank, processed six fraudulent funds transfer withdrawals from the account of Patco Construction Company (“Patco”). The transactions were made after the perpetrators correctly supplied Patco’s customized answers to security questions. Although the Bank’s security system flagged each withdrawal as unusually “high-risk” due to the timing, value and geographic source of the withdrawals, the Bank failed to notify Patco of the potentially fraudulent withdrawals and allowed the payments to be processed. The Bank was able to block or recover $243,406.83, but $345,444.43 was not recovered.
Patco filed suit against the Bank arguing that the Bank should bear the loss from the fraudulent withdrawals because its security system was not “commercially reasonable” under Article 4A of the UCC, as codified under Maine law. The District Court granted the Bank’s summary judgment motion based on its determination that the Bank’s security system was commercially reasonable.
The Court of Appeals reversed the District Court’s decision and found that the Bank’s security measures were commercially unreasonable. However, the Court of Appeals left open the question of how the loss should be allocated. On remand, the Court of Appeals asked the District Court to consider what Patco’s mitigation responsibilities were, if any, under Article 4A where the Bank failed to apply commercially reasonable security procedures.
UCC Article 4A
Article 4A, adopted by Maine and also adopted with substantial uniformity in all other U.S. states, was created to address wholesale wire transfers (so-called “funds transfers”) between businesses and their financial institutions. Article 4A was instituted to assign responsibility, define behavioral norms, allocate risks and establish limits on liability to allow parties to funds transfers to predict and insure against risk with greater certainty. As a general matter, a bank receiving a payment order from one of its customers for a funds transfer bears the risk of loss if the payment order was not authorized by the customer. However, the bank may shift the risk of loss to the customer for a payment order not authorized by the customer by using a commercially reasonable security procedure to verify that the payment order was authorized.
UCC § 4A-202 provides:
If a bank and its customer have agreed that the authenticity of payment orders . . . will be verified pursuant to a security procedure, a payment order . . . is effective as the order of the customer . . . if:
(a) The security procedure is a commercially reasonable method of providing security against unauthorized payment orders; and
(b) The bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer . . .
The commercial reasonableness of a security procedure is to be determined by the court. See UCC § 4A-202(c).
The Bank’s Security Measures and the Fraudulent Withdrawals
The Bank utilized a “Premium” security package offered by its service provider. In addition to user IDs and passwords, this package included the following key features:
Invisible Device Authentication: “Cookies” were placed on computers that had successfully logged into an account, so that later logins from those computers were treated as lower risk.
Risk Profiling: A risk score was provided based on numerous factors such as user activity and patterns of use.
Challenge Questions: Three user-selected challenge questions were asked to verify users.
Dollar Amount Rule: When a certain dollar figure transaction was entered, challenge questions were automatically asked.
Subscription to the eFraud Network: Characteristics of a transaction (such as the IP address of the user seeking access) were compared with those of known instances of fraud, and access to accounts from computers with such characteristics was restricted.
Although the Bank relied on the dollar amount rule as a security measure, it had lowered the trigger amount for challenge questions from $100,000 to $1.00 before the fraudulent withdrawals were made, so that the challenge questions were asked on effectively every transaction.
The withdrawals triggered many of the security measures used by the Bank, notably: (i) the use of a non-authenticated device, (ii) high risk dollar amount, (iii) an IP address anomaly and (iv) a “risk score distributor per cookie age.” Together, these triggers amounted to a “very high-risk transaction” under the Bank’s security system, but the transactions were not monitored by the Bank. Patco was not notified of the high risk transfers until six days later. Even after Patco notified the Bank that it had not authorized the transactions, the Bank initially processed the final transfer before attempting to recover the funds.
Court of Appeals Analysis
The Court of Appeals found that the Bank’s security procedures were not commercially reasonable. The Court of Appeals emphasized that it was not the failure of one specific security measure that caused it to find the Bank’s security system to be commercially unreasonable; rather, it was a collective failure on the part of the Bank. One key factor identified by the Court of Appeals was the Bank’s lowering of the dollar amount rule to $1.00, thereby triggering the challenge questions on every transaction. That action increased the frequency with which the user was required to enter the challenge question answers, and each additional entry gave an unauthorized person (for example, one using malware on the customer’s computer) another opportunity to capture the responses. In the Court of Appeals’ view, the use of challenge questions as a stand-alone backup to user identification and password entry is in and of itself not sufficient for the security procedure to be commercially reasonable.
The Court of Appeals also based its decision on the Bank’s lack of monitoring when other risk factors were triggered. The Court of Appeals found that the payment orders in question were “entirely uncharacteristic of Patco’s ordinary transactions; they were directed to accounts to which Patco had never before transferred money; they originated from an IP address that Patco had never before used; and they specified payment amounts significantly higher than the payments Patco ordinarily made to third parties.” The Bank’s security system flagged each transaction as a very high risk, but the transactions were not monitored by the Bank. As a result, the Bank could not suspend the transaction and seek verification from the customer that the transaction was authorized.
Moreover, the Court of Appeals criticized the Bank’s use of a “one-size-fits-all” approach to security procedures and indicated that the Bank should have tailored its procedures more specifically to its individual customers. In this situation, monitoring the account when unusually high risk transfers were made could have resulted in better protection for the Bank.
Although the Court of Appeals found that the Bank’s security system was commercially unreasonable under Article 4A of the UCC, banks should take note that a key reason the Bank’s security package was found to be unreasonable was that the Bank did not take any actions once the high risk transfers were flagged. The Bank’s security system correctly flagged each transaction as a high risk transfer, but the Bank failed to review the transfers or contact the customer. Simple monitoring and customer notification regarding uncharacteristic transactions could have made it much more likely that the Bank’s security system would have been viewed to be commercially reasonable.
The bottom line is that flagging high risk transactions is not enough for the security procedure to be commercially reasonable. There must also be procedures for the customer to be notified and to verify authorization before the funds transfer is completed. This approach must be tailored to each customer, taking into account each customer’s needs and patterns of use and avoiding a “one-size-fits-all” solution.
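The decision logic described in this article, as an added illustration rather than code from the opinion, the Bank or its service provider: a payment order is scored against a per-customer baseline (known devices, usual IP range, beneficiaries previously paid, historical payment size), and an order that scores as very high risk is suspended pending the customer’s out-of-band confirmation instead of merely being flagged and processed. The customer profiles, point values, thresholds and sample orders are all constructed for the example; the two profiles differ only in the dollar amount rule trigger ($1.00 versus $100,000) so that the effect of the Bank’s lowered trigger on how often challenge questions are asked can be seen directly.

```python
from collections import Counter
from dataclasses import dataclass, field

# Every name, score and sample order below is constructed for illustration.


@dataclass
class CustomerProfile:
    """Per-customer baseline: what 'ordinary' looks like for this account."""
    customer_id: str
    known_device_ids: frozenset
    known_beneficiaries: frozenset
    usual_ip_prefixes: tuple        # e.g. ("203.0.113.",)
    typical_max_amount: float       # largest third-party payment made historically
    challenge_threshold: float      # this customer's "dollar amount rule" trigger


@dataclass
class PaymentOrder:
    customer_id: str
    device_id: str
    source_ip: str
    beneficiary: str
    amount: float


@dataclass
class Decision:
    action: str                     # "accept", "challenge" or "hold"
    score: int
    reasons: list = field(default_factory=list)


HOLD_THRESHOLD = 60                 # constructed cut-off for a "very high risk" order


def score_order(order, profile):
    """Risk profiling: add points for each anomaly relative to the customer's baseline."""
    score, reasons = 0, []
    if order.device_id not in profile.known_device_ids:
        score += 30; reasons.append("non-authenticated device")
    if not order.source_ip.startswith(profile.usual_ip_prefixes):
        score += 30; reasons.append("IP address anomaly")
    if order.beneficiary not in profile.known_beneficiaries:
        score += 20; reasons.append("beneficiary never paid before")
    if order.amount > profile.typical_max_amount:
        score += 20; reasons.append("amount exceeds customer's historical maximum")
    return score, reasons


def decide(order, profile):
    """Flag AND act: a very-high-risk order is held for verification, not processed."""
    score, reasons = score_order(order, profile)
    if score >= HOLD_THRESHOLD:
        return Decision("hold", score, reasons)
    if order.amount >= profile.challenge_threshold:
        return Decision("challenge", score, reasons)   # step-up: challenge questions
    return Decision("accept", score, reasons)


def resolve_hold(decision, customer_confirmed):
    """A held order is released only on the customer's affirmative out-of-band confirmation."""
    if decision.action != "hold":
        return decision.action
    return "released" if customer_confirmed else "rejected"


def tally_actions(orders, profile):
    """How a batch of orders would be handled under a given profile."""
    return Counter(decide(o, profile).action for o in orders)


_baseline = dict(customer_id="patco", known_device_ids=frozenset({"office-pc-1"}),
                 known_beneficiaries=frozenset({"payroll-acct", "supplier-a"}),
                 usual_ip_prefixes=("203.0.113.",), typical_max_amount=40_000.0)
PROFILE_DOLLAR_RULE_AT_1 = CustomerProfile(challenge_threshold=1.0, **_baseline)
PROFILE_DOLLAR_RULE_AT_100K = CustomerProfile(challenge_threshold=100_000.0, **_baseline)

# Constructed week of ordinary payroll and supplier payments from the usual office PC.
ROUTINE_ORDERS = [
    PaymentOrder("patco", "office-pc-1", "203.0.113.7", "payroll-acct", 15_000.0),
    PaymentOrder("patco", "office-pc-1", "203.0.113.7", "supplier-a", 8_250.0),
    PaymentOrder("patco", "office-pc-1", "203.0.113.9", "payroll-acct", 15_000.0),
    PaymentOrder("patco", "office-pc-1", "203.0.113.7", "supplier-a", 2_400.0),
    PaymentOrder("patco", "office-pc-1", "203.0.113.7", "payroll-acct", 15_000.0),
]
# Constructed order with the traits the court listed: unknown device, foreign IP,
# never-before-paid beneficiary, amount far above the customer's norm.
FRAUD_ORDER = PaymentOrder("patco", "unknown-device", "198.51.100.23", "mule-acct", 90_000.0)

if __name__ == "__main__":
    d = decide(FRAUD_ORDER, PROFILE_DOLLAR_RULE_AT_1)
    print(d.action, d.score, d.reasons)
    print("trigger at $1.00:   ", dict(tally_actions(ROUTINE_ORDERS, PROFILE_DOLLAR_RULE_AT_1)))
    print("trigger at $100,000:", dict(tally_actions(ROUTINE_ORDERS, PROFILE_DOLLAR_RULE_AT_100K)))
    print("held order without confirmation ->", resolve_hold(d, customer_confirmed=False))
```

With the trigger at $1.00 every one of the routine orders produces a challenge, so the answers are typed (and exposed to any malware on the customer’s machine) five times in a week; with the trigger at $100,000 none of them does, and the fraudulent order is still held because the hold decision depends on the customer-specific risk score rather than on the dollar amount rule alone.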
Additionally, the Court of Appeals left open for review, on remand, how the loss should be allocated in the absence of commercially reasonable security procedures being provided by the Bank and, in particular, the responsibility of Patco to mitigate and limit any potential losses due to fraudulent transactions. As the Court of Appeals noted, “Article 4A does not appear to be a one-way street,” and commercial customers may owe some responsibility under Article 4A even when a bank’s security system is found to be commercially unreasonable.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: Smith-Edwin
This article was originally published by Bingham McCutchen LLP.