• Cyber Crimes and a Bank's Liability for Unauthorized Transactions
  • September 20, 2011 | Author: Jeffrey T. Powell
  • Law Firm: Jones, Walker, Waechter, Poitevent, Carrère & Denègre L.L.P. - Birmingham Office
  • Last month, in Patco Construction Company, Inc. v. People's United Bank, the U.S. District Court of Maine granted summary judgment for People's United Bank, holding that its online security procedures and actions were commercially reasonable. In this case, Patco Construction Company, Inc. ("Patco"), filed suit against People's United Bank d/b/a Ocean Bank (the "Bank") seeking a refund of fraudulent transfers made from its commercial checking account by an unknown third party. Patco's account had been hacked into through the use of keylogging malware, and more than $500,000 was transferred from Patco's account. Patco claimed that, pursuant to Article 4A-202 of the Uniform Commercial Code, liability for the unauthorized transfers should be shifted to the Bank due to the Bank's failure to provide commercially reasonable security procedures.

    Patco argued that the Bank's security procedures were not commercially reasonable because, among other reasons, the Bank (i) failed to offer multi-factor authentication, (ii) failed to offer an IP block that would block transfer orders originating from unauthorized IP addresses, and (iii) failed to detect the fraudulent transfers despite the fact that they were of an unusually large amount, were sent to accounts to which Patco had never previously sent funds, and originated from an IP address never before utilized by Patco.

    The magistrate judge held that while the security and authentication procedures contained in the Bank's e-banking agreement were not optimal in hindsight, such procedures were commercially reasonable under Article 4A of the UCC. Last month, the U.S. District Court of Maine upheld the magistrate judge's decision and granted summary judgment in favor of the Bank.

    The Patco decision should be compared with the recent opinion rendered in Experi-Metal v. Comerica Bank. In Experi-Metal, the U.S. District Court in Michigan came to a different conclusion and found that Comerica Bank had not acted fairly in dealing with its customer and should have detected and/or stopped the unauthorized transfers. These two recent opinions highlight the fact that courts may take differing approaches in scrutinizing a bank's online security procedures if a bank fails to prevent and/or detect cyber-attacks.

    Notably, the recent supplement to the Federal Financial Institutions Examination Council's Guidance entitled Authentication in an Internet Banking Environment has established updated minimum expectations for certain online banking activities given the current cyber threats to internet-based banking products. Given the growing presence of online banking services and the ever-changing threats from criminals, it is important for all financial institutions to periodically review and update their online banking agreements and security procedures.