A BBA Discussion of Patco Construction Company, Inc. v. People’s United Bank

Friday, January 11, 2013

By Robert Tammero

I. Introduction

On September 24, 2012, Stanley Ragalevsky and Sean Mahoney, partners in the Boston office of K&L Gates LLP, led a discussion of Patco Construction Company, Inc. v. People’s United Bank, a case decided by the U.S. District Court for the District of Maine and subsequently appealed to the U.S. Court of Appeals for the First Circuit.[1] The First Circuit’s decision in Patco, published July 3, 2012, received national attention and formed the basis of Messrs. Ragalevsky’s and Mahoney’s presentation. The Financial Services Section of the BBA sponsored the September 24th discussion, and Kevin Handly, Co-Chair of the Financial Services Section, moderated it.

II. Summary of the Facts Giving Rise to the Case

Patco is based on six transactions in 2009 in which funds were fraudulently withdrawn from an account held by Patco Construction Company, Inc. (“Patco”) at Ocean Bank (the “Bank”), then a division of People’s United Bank, in Maine. The fraudsters made the withdrawals through the Bank’s eBanking platform using the login credentials, including the correct password and answers to security questions, of a Patco employee.

Patco used the Bank’s eBanking service primarily to meet its weekly payroll obligations, initiating transactions on generally the same day each week, from the same computer and IP address, and in similar amounts. The fraudulent transactions were uncharacteristic of Patco’s usual activity: they were initiated on consecutive days, from different computers and a different IP address, in amounts substantially greater than Patco’s typical transactions, and to payees to whom Patco had never before sent funds from its account at the Bank. The Bank’s eBanking security system, provided by Jack Henry & Associates, assigned the transactions risk scores indicating that they were potentially fraudulent, but the Bank did not manually monitor the system’s fraud detection reports, so no one acted on those scores. Patco discovered the fraud six days after the first transaction, when the Bank notified it that one of the payments had been automatically returned because the payee’s account number was invalid. In total, $588,851.26 was fraudulently withdrawn from Patco’s account, of which $243,406.83 was recovered.
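The facts above describe a textbook behavioural anomaly: a customer with a stable weekly pattern (same weekday, same IP and workstation, similar amounts, known payee) suddenly sends larger orders on consecutive days from unfamiliar computers to unfamiliar payees. The following is an added, constructed example of the kind of per-customer risk scoring that surfaces such a batch; it is not the Jack Henry & Associates system Ocean Bank used, and the weights, the 0–1000 scale, the hold threshold, the IP addresses, device names, payees and amounts are all this example’s own assumptions.

```python
"""Constructed example of per-customer behavioural risk scoring for payment orders.

Not the Jack Henry & Associates system from the Patco case; the weights, the
0-1000 scale, the hold threshold and every sample value below are assumptions
chosen to mirror the indicators the First Circuit opinion lists: day of week,
originating computer and IP address, amount, and payee history.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class PaymentOrder:
    when: date
    amount: float
    ip: str
    device_id: str
    payee: str


@dataclass(frozen=True)
class CustomerProfile:
    usual_weekdays: frozenset
    usual_ips: frozenset
    usual_devices: frozenset
    known_payees: frozenset
    mean_amount: float
    std_amount: float


def build_profile(history):
    """Derive a customer's baseline from its own prior, unchallenged orders."""
    amounts = [t.amount for t in history]
    return CustomerProfile(
        usual_weekdays=frozenset(t.when.weekday() for t in history),
        usual_ips=frozenset(t.ip for t in history),
        usual_devices=frozenset(t.device_id for t in history),
        known_payees=frozenset(t.payee for t in history),
        mean_amount=mean(amounts),
        std_amount=pstdev(amounts) or 1.0,  # flat history: avoid division by zero
    )


# Assumed weights (this example's, not any vendor's); flags add up to a 0-1000 score.
WEIGHTS = {
    "new_ip": 200,
    "new_device": 150,
    "new_payee": 150,
    "unusual_weekday": 100,
    "amount_outlier": 250,
    "consecutive_day": 100,
}
HOLD_THRESHOLD = 500  # assumed: orders scoring at or above this are held for a human reviewer


def score_order(profile, order, earlier_orders=()):
    """Return (score, flags) for one order measured against the customer's profile."""
    flags = []
    if order.ip not in profile.usual_ips:
        flags.append("new_ip")
    if order.device_id not in profile.usual_devices:
        flags.append("new_device")
    if order.payee not in profile.known_payees:
        flags.append("new_payee")
    if order.when.weekday() not in profile.usual_weekdays:
        flags.append("unusual_weekday")
    z = (order.amount - profile.mean_amount) / profile.std_amount
    if z > 3.0:  # more than three standard deviations above the customer's mean
        flags.append("amount_outlier")
    if any(o.when == order.when - timedelta(days=1) for o in earlier_orders):
        flags.append("consecutive_day")  # velocity: an order went out yesterday too
    score = min(1000, sum(WEIGHTS[f] for f in flags))
    return score, flags


def risk_report(profile, orders):
    """Score a batch in date order; each row is what a reviewer is expected to read."""
    rows, seen = [], []
    for order in sorted(orders, key=lambda o: o.when):
        score, flags = score_order(profile, order, seen)
        action = "HOLD" if score >= HOLD_THRESHOLD else "release"
        rows.append((order.when.isoformat(), order.amount, score, action, flags))
        seen.append(order)
    return rows


# Constructed baseline: eight weekly payroll orders, every Friday, same IP and
# workstation, similar amounts, one payroll payee.
HISTORY = [
    PaymentOrder(date(2009, 3, 6) + timedelta(weeks=i), 36_000 + 250 * (i % 4),
                 "198.51.100.7", "ws-payroll-01", "Payroll Processor Inc")
    for i in range(8)
]

# Constructed batch: one legitimate Friday payroll run, then three much larger orders
# on consecutive business days from an unfamiliar address and devices to new payees.
BATCH = [
    PaymentOrder(date(2009, 5, 1), 36_500, "198.51.100.7", "ws-payroll-01", "Payroll Processor Inc"),
    PaymentOrder(date(2009, 5, 7), 56_000, "203.0.113.44", "unknown-pc-a", "J. Doe"),
    PaymentOrder(date(2009, 5, 8), 99_000, "203.0.113.44", "unknown-pc-b", "R. Roe"),
    PaymentOrder(date(2009, 5, 11), 115_000, "203.0.113.44", "unknown-pc-b", "M. Moe"),
]

PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    for row in risk_report(PROFILE, BATCH):
        print(*row)
```

Run stand-alone, the legitimate Friday order scores 0 and is released, while each of the three anomalous orders trips several flags at once and is marked HOLD. The design point the case turns on is the last column: a score that only lands in a report nobody reads changes nothing, whereas tying a high score to a hold that blocks release until a reviewer clears it makes an unmonitored report fail closed rather than open.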

III. The District Court and First Circuit Decisions

Patco claimed that the Bank should bear the loss of the unrecovered funds because, among other reasons, the Bank’s eBanking security procedures were not commercially reasonable. Under Article 4A of the Uniform Commercial Code, a bank generally bears the risk of loss for an electronic payment order that its commercial customer did not authorize.[2] However, a bank may shift the risk of loss to its customer if it accepted the payment order in good faith and in compliance with a commercially reasonable security procedure agreed upon by the bank and the customer (UCC § 4A-202).

Patco argued that the Bank’s security procedures were not commercially reasonable, mainly because (i) the Bank required users of its eBanking platform to answer security questions before initiating any transaction of $1 or more (in practice, every transaction), which exposed the answers on every session and increased the risk that a fraudster who had placed “keylogger” software on the customer’s computer could capture them and reuse them, and (ii) the Bank failed to implement other available security measures that would have made its security procedures more effective. The district court rejected these arguments, finding that the security procedures were commercially reasonable notwithstanding the $1 threshold, as they were designed to comply with applicable guidance issued by the Federal Financial Institutions Examination Council (the “FFIEC Guidance”) and, though not optimal, were in line with the security features used by other banks running a Jack Henry eBanking security system.[3]

The First Circuit reversed the district court’s grant of summary judgment in favor of the Bank on the issue of liability under Article 4A, concluding that the Bank’s security procedures were not commercially reasonable. The First Circuit based its holding on its findings that (i) setting the security question threshold at $1 substantially increased the risk of fraud, particularly for a customer like Patco which made frequent, regular, high-dollar electronic funds transfers, because it gave fraudsters more frequent opportunities to capture bank customers’ login credentials; (ii) the Bank was on notice of the risks posed by frequent use of challenge questions as a standalone security procedure as early as 2005 but nonetheless failed to implement supplemental security features, even though similarly situated banks had done so; and (iii) the Bank failed to manually monitor the Jack Henry security system’s risk scoring reports, which indicated that the transactions in question were fraudulent. In the First Circuit’s view, “These collective failures, taken as a whole, rendered Ocean Bank’s security procedures commercially unreasonable.”[4]

The First Circuit remanded the case for the district court to consider, among other things, Patco’s obligations and responsibilities under Article 4A, if any, notwithstanding that the Bank’s security procedures were not commercially reasonable.

On July 17, 2012, the Bank filed a petition for rehearing en banc, which the First Circuit denied on July 26, 2012.

IV. BBA Discussion and Lessons Learned

The September 24th program began with Messrs. Ragalevsky and Mahoney summarizing the issues presented in the case, the courts’ holdings, and the differences between the First Circuit’s and the district court’s reasoning. The presenters then offered thoughts on lessons learned from the decisions. Questions from the attendees and open discussion of the case followed.

Both presenters noted that the district court and the First Circuit cited the FFIEC Guidance in their discussion of commercial reasonableness, which, they suggested, underscores the importance of compliance with the FFIEC Guidance. Mr. Ragalevsky also observed that the First Circuit made much of the Bank’s failure to monitor the risk scoring reports that would have alerted the Bank to the fraud, suggesting that banks that deploy security systems but do not act on their output are at heightened risk of being found to have security procedures that are not commercially reasonable. Mr. Mahoney observed that the First Circuit seemed to emphasize that other community banks were using additional security measures that were relatively easy to implement, indicating that commercial reasonableness is judged, in part, against the practices of peer institutions. These themes – observing regulatory guidelines, taking full advantage of one’s own security systems, and updating security procedures in light of peer banks’ practices – are, in the presenters’ view, the central lessons to be learned from Patco.

[1] See 2011 U.S. Dist. LEXIS 58112 (D. Me. May 27, 2011) and 684 F.3d 197 (1st Cir. 2012), respectively.

[2] As to consumer transactions, the Electronic Funds Transfer Act and Regulation E apply. 

[3] See Fed. Fin. Insts. Examination Council, Authentication in an Internet Banking Environment, available at http://www.ffiec.gov/pdf/authentication_guidance.pdf. The FFIEC regulatory agencies updated the FFIEC Guidance in 2011. See Fed. Fin. Insts. Examination Council, Supplement to Authentication in an Internet Banking Environment, available at http://www.fdic.gov/news/news/press/2011/pr11111a.pdf.

[4] 684 F.3d at 213.