By Jake McGowan (with input from Venkat Balasubramani)
Patco v. Ocean Bank, 11-2031 (1st Cir. July 3, 2012)
When a scammer siphons money from a customer’s online bank account, should the bank or the customer bear the loss? Last year, we blogged about a pair of cases that considered this question and came to differing conclusions, albeit under slightly different portions of the Uniform Commercial Code.
Article 4A of the UCC places the risk of loss on the bank by default, but a bank can shift it back to the customer in two ways: (1) by showing that the security procedures it offered were commercially reasonable, or (2) by showing that the payment was accepted in good faith and in compliance with security procedures agreed to by the customer.
In Experi-Metal v. Comerica Bank, a district court in Michigan focused on whether the bank accepted suspicious transfers “in good faith.” The court sided with the customer, finding that Comerica did not act in good faith since it approved the fraudulent wire transfers despite several warning signs. In contrast, in the lower court opinion in Patco v. Ocean Bank, a district court in Maine focused on the other portion of Article 4A: whether the bank’s security procedures were “commercially reasonable.” That district court sided with Ocean Bank, ruling that the security procedures in question were commercially reasonable and thus insulated the bank from liability. Patco appealed the adverse ruling against it.
On July 3, the First Circuit reversed the district court decision and ruled in favor of Patco, holding that Ocean Bank’s online fraud security measures were not “commercially reasonable” under the UCC as codified under Maine law. The court, however, did leave room for Ocean Bank to argue that Patco might have been partially responsible for the loss.
After the First Circuit’s ruling, both this decision and Experi-Metal place the risk of loss (or, in Patco’s case, the burden of proving the adequacy of security measures) on the bank. Still, questions linger about how and when banks may successfully shift the risk of loss back to the customer.
Patco was a small business that maintained a business account with Ocean Bank’s predecessor. Ocean Bank (and its predecessor, which Ocean Bank acquired during the time period at issue) used a “Premium” multifactor authentication scheme devised by Jack Henry & Associates to protect customer funds from ACH fraud. Along with passwords and device-specific cookies, Ocean Bank used “challenge questions” created by the customer as a last line of defense. The questions could be triggered by transactions with high-risk profiles (e.g., an unusual IP address or an unusual time of withdrawal) or by a transaction exceeding a specified dollar amount. Ocean Bank controlled which types of transactions would trigger the additional security measures.
The ACH fraud that resulted in the loss of funds occurred after the bank lowered the dollar amount that triggered the extra security step from $100,000.00 to $1.00, meaning that every Patco transaction triggered the “challenge questions” line of defense. Because the customer now typed its answers on every transaction, the answers became far more exposed to key-logging malware, which diluted their protective value. As Venkat explained in his initial post on this case, the wrongdoers gained access to the account by installing malware on Patco’s computers. The key question was whether the security measures employed by the bank were commercially reasonable.
The First Circuit’s Ruling
“Commercial Reasonableness” and the One-Size-Fits-All Approach
The First Circuit found that the bank’s security procedures must take into account “the circumstances of the customer” known to the bank. In this case, Ocean Bank did not comply with this mandate because it lowered the challenge question dollar-amount trigger to $1.00. The bank claimed that it lowered the amount to combat low-dollar fraud, but the Court didn’t see that as a valid excuse. Patco’s transfers were typically much larger, so the one-size-fits-all approach would have violated the “circumstances of the customer” requirement anyway.
Ocean Bank also tried to satisfy the requirement by trotting out its risk-profiling procedure, which provides a numeric score based on the risk of fraud associated with the circumstances of a particular transaction. But the court quickly dismissed this line of reasoning, pointing out that Ocean Bank failed to act upon the unusually high-risk profile scores for the specific fraudulent transactions in question.
Further, the Court went on to suggest that compliance with federal security guidelines would not necessarily qualify the procedures as “commercially reasonable.” While Ocean Bank’s multifactor authentication scheme complied with federal guidelines, its one-size-fits-all security measures were ineffective for Patco, and therefore were not commercially reasonable. In other words, the scheme has to be geared to work for the particular customer.
Together, these passages raise the already high standard set for “commercially reasonable,” and make it harder for banks to shift the risk of loss in ACH fraud cases.
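To make the threshold problem concrete, here is an added simulation that is not from the opinion, the post, or Jack Henry’s product: it replays a constructed transfer history (all amounts and risk scores are invented) through a step-up authentication policy and counts how often challenge answers are typed on an infected machine and whether a high-risk transfer still clears. The per-customer trigger and the “hold high-risk transfers” option are assumptions standing in for the “circumstances of the customer” and “act on the risk score” points above.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Tx:
    amount: float
    risk_score: int           # risk-profiling score (0-100), higher = riskier
    fraudulent: bool = False  # constructed ground truth; the bank never sees this

def per_customer_trigger(history, multiplier=2.0):
    """Dollar trigger derived from this customer's own usual transfer size (assumption)."""
    return multiplier * median(t.amount for t in history)

def simulate(txs, dollar_trigger, risk_trigger=90, keylogger=True, hold_high_risk=False):
    """Replay txs through a step-up policy; return challenge/exposure/fraud counts.

    Challenge questions fire when amount >= dollar_trigger or risk_score >= risk_trigger.
    Every legitimate challenge answered on a keylogged client leaks the answers, after
    which the attacker can pass the challenge too. With hold_high_risk, a transaction
    at or above risk_trigger is held for out-of-band confirmation instead of being
    decided by challenge answers (the bank acts on its own risk score).
    """
    challenges = exposed = fraud_approved = 0
    for t in txs:
        if hold_high_risk and t.risk_score >= risk_trigger:
            continue  # held for out-of-band confirmation; never cleared by typed answers
        if t.amount >= dollar_trigger or t.risk_score >= risk_trigger:
            challenges += 1
            if t.fraudulent and exposed == 0:
                continue  # attacker holds no captured answers, so the challenge blocks it
            if not t.fraudulent and keylogger:
                exposed += 1  # customer typed the answers into an infected machine
        if t.fraudulent:
            fraud_approved += 1
    return {"challenges": challenges, "answers_exposed": exposed, "fraud_approved": fraud_approved}

# Constructed history: a business that routinely moves tens of thousands per transfer,
# followed by two attacker-originated transfers that the risk engine scores as high risk.
HISTORY = [Tx(a, s) for a, s in [(28000, 12), (31000, 15), (30500, 9), (29000, 20),
                                 (33000, 11), (27500, 14), (30000, 10), (32000, 16)]]
ATTACK = [Tx(9000, 95, fraudulent=True), Tx(12000, 97, fraudulent=True)]

def compare_policies():
    """Same transactions under the $100,000 trigger, the $1 trigger, and two fixes."""
    txs = HISTORY + ATTACK
    return {
        "trigger_100k": simulate(txs, 100_000),
        "trigger_1_dollar": simulate(txs, 1.0),
        "per_customer_trigger": simulate(txs, per_customer_trigger(HISTORY)),
        "trigger_1_act_on_risk": simulate(txs, 1.0, hold_high_risk=True),
    }
```

Under the $1 trigger every legitimate transfer leaks the answers and both high-risk transfers clear; with a trigger tuned to the customer, or with the bank acting on its own risk score, neither fraudulent transfer is approved.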
Customers’ Responsibilities in a “Commercially Unreasonable” Security System
While the court held that Ocean Bank could not prove that its security measures were commercially reasonable—and in fact the court said they were unreasonable—the decision also noted that Patco (the customer) might bear some blame for the loss: “Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well[.]” The Court stopped short of stating what those responsibilities might look like, and left those questions for development on remand.
From the perspective of the banks, this passage in the Patco ruling may be a sign that they lost a battle but can win the war. Arguably the most important feature of this decision is that it opens the door for an analysis of the customer’s security obligations, even where the bank’s security system is “commercially unreasonable.” It is unclear how the court will handle such an analysis; an egregious example of employee negligence regarding passwords or challenge questions may shift liability entirely. For example, even though Ocean Bank’s system was “commercially unreasonable,” Patco may have been partially liable for the breach if its carelessness with a password or user ID led to the breach.
On the other hand, a breach of such an obligation might just be a way for banks to mitigate damages, in a contributory negligence style of defense. Until this question is fleshed out in further decisions, it will be too early for either customers or banks to point to this decision as an emphatic victory.
Two other notes: We’ve blogged ad nauseam about data breach plaintiffs who get kicked out of court for lack of standing (not being able to prove harm). This is an easy standing case for the plaintiff for the simple reason that it suffered out-of-pocket loss. It’s also worth pointing out that the risk of loss rules here apply to commercial accounts. As the court footnotes, Reg Z governs consumer accounts (consumers can more easily shift much of the loss to the bank by default). A final question that remains is whether the bank (or more likely insurance company) can go after the security consultant for its own role in advising the bank regarding its security measures—is “premium” protection a guarantee of commercial reasonableness?
As always, both banks and customers should educate themselves about the latest phishing tactics and try to minimize the potential for ACH fraud. It’s nearly impossible to legislate security. In the same vein, an off-the-shelf fraud-prevention program will not necessarily protect you against the type of fraud that occurred in this scenario.