Bank's Security Measures Held "Commercially 'Un'reasonable"

It's Not Just About the Technology; It's Also About How You Deploy and Use It!

The Court of Appeals for the First Circuit last week held that Ocean Bank’s security measures for preventing fraudulent online customer transactions were not “commercially reasonable” at the time of the loss.  Although the case, Patco Construction v. People’s United Bank, arises under UCC Article 4A (relating to electronic funds transfers), the court’s analysis and determination have far-reaching implications for all businesses (not just banks) that hold customer data or conduct business online.

In May 2009, six fraudulent ACH transactions totaling nearly $600,000 were withdrawn from Patco’s bank account after the perpetrators correctly identified Patco’s passwords and the answers to its challenge questions.  Patco alleges that the theft was the result of Ocean Bank (which was later acquired by People’s United) inadequately protecting Patco’s funds, i.e., its failure to use commercially reasonable security procedures.

The Bank had procured the “Premium” version of a leading vendor’s eBanking technology platform, which met bank regulatory multifactor authentication standards.  The technology required Patco and other commercial customers to use usernames and passwords to initiate online ACH transactions.  The technology assigned each ACH transaction a risk score of 0 to 1,000, based on a number of factors, including the location from which a user logged in, when/how often the user logged in, and the size, type and frequency of the payment orders normally issued by the customer.  When the risk score deviated materially from the customer’s normal risk score, the system reported the elevated score to the Bank.  When the score was over 750, the system prompted the customer to answer challenge questions.

Although the system reported elevated scores to the Bank, it appears that the Bank did nothing with this information. It did not manually monitor the risk-scoring reports received from the system, nor did it conduct any other regular review of transactions that generated high risk scores.  Nor did the Bank call a customer if it detected fraudulent activity based on these reports.

The system also allowed the Bank to set an amount over which a customer would always be asked the challenge questions (in addition to supplying a password).  The Bank lowered the level from $100,000 to $1 for all commercial customers, so that a customer had to answer the challenge questions for virtually all transactions. 

The six fraudulent withdrawals were made from devices unrecognized by the Bank’s computers and from IP addresses not recognized by the Bank.  The withdrawals were in amounts substantially larger than Patco’s normal withdrawals and were sent to accounts of individuals who had never received transfers from Patco.  These factors led to risk scores above 750 for most of the fraudulent transactions, whereas Patco’s typical transactions resulted in risk scores from 10 to 214.

Holding that the Bank’s security measures were not “commercially reasonable,” the Court noted that, by setting the challenge question threshold at $1 for all of its commercial customers, the Bank put Patco (and other customers that made frequent ACH transfers) at greater risk for fraud because keylogging viruses were more likely to log the answers to challenge questions.  In addition, it noted that the effectiveness of the system’s risk profiling security feature depended on its serving as a trigger for the challenge questions.  As the court said, “When Ocean Bank lowered the dollar amount rule from $100,000 to $1, it essentially deprived… the risk-scoring system of its core functionality.”

Moreover, “when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed.  Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable.  We emphasize that it was these collective failures taken as a whole, rather than any single failure, which rendered Ocean Bank’s security system commercially unreasonable.”  (Emphasis added.)
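To make the court’s point concrete, the following is an added example (a constructed model written for this post, not the vendor’s product or the Bank’s actual configuration) that scores transactions and applies the two step-up rules the article describes.  The 0–1,000 score range, the 750 trigger and the $100,000 and $1 dollar rules are taken from the article; the feature weights, the scoring formula and the sample transactions are assumptions.

```python
from dataclasses import dataclass

MAX_SCORE = 1000        # score range 0-1000, as described in the article
CHALLENGE_SCORE = 750   # score above which the system prompted challenge questions

@dataclass
class Transaction:
    amount: int          # dollars
    known_device: bool   # device previously seen for this customer
    known_ip: bool       # IP address previously seen for this customer
    known_payee: bool    # payee has received transfers from this customer before

def risk_score(tx: Transaction, typical_amount: int) -> int:
    """Hypothetical scoring (weights are assumptions): an unfamiliar device, IP
    and payee, and an amount well above the customer's baseline, each add points."""
    score = (0 if tx.known_device else 300) \
          + (0 if tx.known_ip else 250) \
          + (0 if tx.known_payee else 250)
    pct_over_typical = tx.amount * 100 // typical_amount - 100
    score += min(200, max(0, pct_over_typical))
    return min(MAX_SCORE, score)

def decide(tx: Transaction, typical_amount: int, dollar_rule: int):
    """Return (score, challenge_required, flag_for_bank_review).
    Challenge questions fire on a high score OR on an amount above the dollar
    rule; an elevated score is additionally reported to the bank for review."""
    score = risk_score(tx, typical_amount)
    challenge = score > CHALLENGE_SCORE or tx.amount > dollar_rule
    return score, challenge, score > CHALLENGE_SCORE

def challenge_rate(txs, typical_amount: int, dollar_rule: int) -> float:
    """Fraction of transactions that prompt challenge questions. Near 1.0 means the
    answers are typed on nearly every session and the prompt no longer signals risk."""
    return sum(decide(tx, typical_amount, dollar_rule)[1] for tx in txs) / len(txs)

def review_queue(txs, typical_amount: int, dollar_rule: int):
    """Transactions reported to the bank; the report is worthless unless someone reads it."""
    return [tx for tx in txs if decide(tx, typical_amount, dollar_rule)[2]]

if __name__ == "__main__":
    # Constructed sample: routine payroll-sized transfers plus one anomalous transfer.
    typical = 10_000
    routine = [Transaction(a, True, True, True) for a in (8_000, 9_500, 12_000)]
    anomalous = Transaction(100_000, False, False, False)
    sample = routine + [anomalous]
    for rule in (100_000, 1):
        print(f"dollar rule ${rule:>7,}: challenge rate "
              f"{challenge_rate(sample, typical, rule):.0%}, "
              f"reported for review {len(review_queue(sample, typical, rule))}")
```

Under the $100,000 rule only the anomalous transfer is challenged; under the $1 rule every transfer is challenged, so the challenge no longer distinguishes the anomalous one, while the review report still lists it and still has to be acted on.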

One of the primary lessons to be learned from Patco is that procuring state-of-the-art technology solutions alone is not sufficient.  It is also critical to ensure that the technology is deployed and used in a manner that is reasonably appropriate.

For more information regarding the Patco case, please contact Peter Guffin or Kris Eimicke