In its recent decision in Patco Construction Company v. People’s United Bank, the U.S. Court of Appeals for the First Circuit raised the stakes for those banks offering internet-based ACH fund transfer services. Patco, a small property development business, maintained an account with People’s United Bank which was accessible by means of internet banking services. Patco used the internet banking system primarily for purposes of making weekly payroll payments. These payments shared certain characteristics, including that they were all made on the same day of the week and originated from a single IP address.
Over a period of a week a series of fraudulent withdrawals occurred from Patco’s account by means of the bank’s internet banking system. The perpetrators used the proper credentials of one of Patco’s employees to access the internet banking system, including the employee’s ID, password and answers to challenge questions. The login occurred from an unrecognized device and from an IP address never used by Patco. The bank’s security system flagged the first transfer as a “high risk” transaction.
Over the course of the week, seven fraudulent transfers were made in a total amount of over $588,000.00. Patco was not notified of the warnings about these transfers and it appears that no one at the bank was monitoring these high risk transactions. The scheme unraveled because portions of the transfers were returned to the bank because some of the account numbers to which the money was sent were invalid. As a result, the bank sent a notice by U.S. Mail to one of Patco’s principals regarding the return of a portion of the transfers. The first written notice was received one week after the first fraudulent transfer was made.
The internet banking agreement between Patco and the bank provided, among other things, that the use of Patco’s password constituted authentication for all transactions and that the bank did not assume any responsibility related to Patco’s use of the internet banking system. Patco sued the bank to recover its losses and the bank asserted a number of defenses to the claims, including defenses under Article 4A of the UCC. Under Article 4A, a bank receiving a payment order bears the risk of loss for any unauthorized funds transfer unless the risk of loss is shifted to the account holder by either (1) the bank showing that the payment order was actually initiated by a duly authorized person, or (2) the bank and its customer (a) have agreed that the payment order will be verified pursuant to a security procedure, (b) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and (c) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure, the written agreement or an instruction of the customer restricting acceptance of payment orders consistent with the written agreement.
The issue of commercial reasonableness is determined by the courts. Whether a system is commercially reasonable is not based on whether the system is the best available but rather on whether it is reasonable for a particular customer based on factors that include the wishes of the customer expressed to the bank, the types of transfers (size, type, frequency, etc.) normally issued by the customer and security procedures in general use by customers and banks that are similarly situated. A security procedure may also be deemed commercially reasonable if the procedure was chosen by the bank’s customer (and the bank’s customer refused a procedure that was commercially reasonable) and the customer agreed in writing to be bound by payment orders issued in compliance with the procedure chosen by the customer.
The Court found that the bank’s security procedure was not commercially reasonable for a number of reasons, including:
The Court viewed these failures as a whole (in other words, any one of them was not determinative) in reaching its conclusion that the bank’s security procedure was not commercially reasonable. The Court’s decision did not reach the issue of whether the customer might still have some liability for the unauthorized transfers. The Court noted that Article 4A is not a one way street imposing liability on the bank. For example, the customer still has obligations to exercise reasonable care to discover and report unauthorized transactions within a reasonable time. It is also important to note that Article 4A does not apply to consumer electronic transfers, which are subject to Regulation E and the Electronic Funds Transfer Act.
What lessons should a bank take from this decision?
This article is provided for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You are urged to consult a lawyer concerning any specific legal questions you may have.
Gray Plant Mooty is recognized as one of the leading corporate law firms in Minnesota and one of the top franchise firms in the world. Our roots go back to 1866. Today, we are a full-service firm with nearly 180 attorneys and offices in Minneapolis and St. Cloud, Minnesota; Washington, D.C.; and Fargo, North Dakota.