Data Security

Bank’s Security Procedures Held “Commercially Unreasonable” under UCC Article 4A

Published: Jul. 16, 2012

Updated: Oct. 05, 2020

A federal court of appeals has ruled that a bank's security procedures for a business customer's account were not "commercially reasonable," and that the bank might therefore be unable to hold the customer liable for funds lost to fraudulent transfers.

Unlike consumers, businesses do not have blanket protections requiring banks to bear the risk of loss due to fraudulent transactions. Article 4A of the Uniform Commercial Code provides that, if a bank and a business customer have agreed upon procedures to provide security against unauthorized payments from an account, the bank is not responsible for unauthorized payments if (1) the security procedures are “commercially reasonable” and (2) the bank accepted the payment order in good faith and in compliance with the security procedures.

In this case, Patco Construction Co. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012), a construction company’s bank account was allegedly compromised after an employee fell victim to a Trojan attack. Keylogging software was installed on the employee’s computer, which allowed thieves to obtain the company’s bank account number and password, as well as the security questions used by the bank to verify wire transfers. Using the stolen information, the thieves completed six fraudulent wire transfers out of the company’s bank account, totaling almost $600,000.

The construction company sued its bank, arguing that the bank's security procedures were not "commercially reasonable" under Article 4A. The company pointed to three flaws: (1) the bank set the threshold for its challenge questions at $1, so the questions were asked on virtually every wire transfer and the keylogger captured the answers along with the account credentials; (2) although the bank ran an electronic risk-scoring system that identified potentially fraudulent transactions, it did not tell account holders when the system flagged a transaction; and (3) the bank did not offer account holders email notifications of transactions.

In light of these three flaws, the Court of Appeals for the First Circuit concluded that the bank’s security procedures were not “commercially reasonable.” The Court noted that it based its decision on the totality of the factors, and not on any particular flaw on its own. Notably, the Court looked to the Federal Financial Institutions Examination Council (“FFIEC”) guidance document, “Authentication in an Internet Banking Environment,” to aid its reasonableness determination. In addition, the Court pointed out that the bank had failed to heed the advice of RSA/Cyota, the company whose authentication product was used by the bank. RSA/Cyota had recommended using security questions to authenticate only high-risk transactions and using additional means of authentication besides security questions.
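To make the court's reasoning concrete, the following is an added example (it is not code from the opinion, from the bank, or from RSA/Cyota). It models the two authentication policies the decision contrasts: a challenge question on every transfer above a $1 threshold, versus challenging only high-risk transfers, backing the challenge with an out-of-band code, and alerting the customer when the risk engine flags a transfer. A simulated keylogger captures everything the customer types; it cannot capture a code delivered on a separate channel. The question pool, password, one-time code, amounts and risk weights are all constructed for illustration.

```python
"""Two wire-transfer authentication policies run against a keylogger.

Added example, not from the opinion or any bank's system. The challenge
questions, credentials, amounts and risk weights are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed: a small pool of challenge questions registered for one account.
# Answers are static, so once a keylogger sees one it can be replayed forever.
CHALLENGE_POOL = {
    "mother's maiden name": "smith",
    "first pet": "rex",
    "city of birth": "portland",
}
PASSWORD = "hunter2"   # constructed customer password
OOB_CODE = "482913"    # constructed one-time code delivered out of band (token/SMS)
HIGH_RISK = 3          # illustrative threshold on the risk score below


@dataclass(frozen=True)
class Transaction:
    amount: float
    payee_known: bool    # payee previously paid from this account
    device_known: bool   # session from a device seen before on this account


@dataclass(frozen=True)
class Policy:
    name: str
    challenge_threshold: float   # fixed policy: challenge every transfer above this amount
    risk_based: bool             # instead challenge only when risk_score() is high
    oob_for_high_risk: bool      # require the out-of-band code on high-risk transfers
    alert_customer: bool         # notify the customer when the risk engine flags a transfer


def risk_score(tx: Transaction) -> int:
    """Illustrative scoring: new payee, new device and a large amount each add risk."""
    score = 0 if tx.payee_known else 2
    score += 0 if tx.device_known else 2
    score += 1 if tx.amount >= 10_000 else 0
    return score


@dataclass
class Keylogger:
    """Captures whatever is typed into the browser; never sees the OOB channel."""
    password: Optional[str] = None
    answers: dict = field(default_factory=dict)


class Bank:
    def __init__(self, policy: Policy):
        self.policy = policy
        self._asked = 0
        self.alerts = []   # notifications that would be emailed to the customer

    def _next_question(self) -> str:
        # Rotate through the pool. If every transfer is challenged, the whole
        # pool (and every answer) is exposed to a keylogger within a few sessions.
        questions = list(CHALLENGE_POOL)
        q = questions[self._asked % len(questions)]
        self._asked += 1
        return q

    def challenge_required(self, tx: Transaction) -> bool:
        if self.policy.risk_based:
            return risk_score(tx) >= HIGH_RISK
        return tx.amount > self.policy.challenge_threshold

    def authorize(self, tx: Transaction, password: Optional[str],
                  answer_for: Callable[[str], Optional[str]],
                  oob_code: Optional[str]) -> bool:
        """Return True if the transfer is accepted. answer_for(question) supplies the typed answer."""
        if password != PASSWORD:
            return False
        high_risk = risk_score(tx) >= HIGH_RISK
        if high_risk and self.policy.alert_customer:
            self.alerts.append(f"flagged transfer of ${tx.amount:,.0f}")
        if self.challenge_required(tx):
            q = self._next_question()
            if answer_for(q) != CHALLENGE_POOL[q]:
                return False
        if high_risk and self.policy.oob_for_high_risk and oob_code != OOB_CODE:
            return False   # keylogged credentials alone cannot satisfy the OOB step
        return True


def customer_sessions(bank: Bank, keylogger: Keylogger, amounts) -> int:
    """Routine transfers from the customer's own machine while the keylogger watches."""
    keylogger.password = PASSWORD

    def typed(question: str) -> str:
        keylogger.answers[question] = CHALLENGE_POOL[question]   # answer is captured as typed
        return CHALLENGE_POOL[question]

    for amt in amounts:
        bank.authorize(Transaction(amt, payee_known=True, device_known=True), PASSWORD, typed, OOB_CODE)
    return len(keylogger.answers)   # how many challenge answers the attacker now holds


def attacker_attempt(bank: Bank, keylogger: Keylogger, amount: float = 90_000.0) -> bool:
    """Replay of keylogged credentials from a new device to a new payee; no OOB code available."""
    tx = Transaction(amount, payee_known=False, device_known=False)
    return bank.authorize(tx, keylogger.password, lambda q: keylogger.answers.get(q), oob_code=None)


def simulate(policy: Policy, amounts=(250.0, 1_800.0, 4_500.0, 120.0)) -> dict:
    bank, keylogger = Bank(policy), Keylogger()
    exposed = customer_sessions(bank, keylogger, amounts)
    accepted = attacker_attempt(bank, keylogger)
    return {"exposed_answers": exposed, "fraud_accepted": accepted, "alerts": len(bank.alerts)}


EVERY_DOLLAR = Policy("challenge every transfer over $1", 1.0, False, False, False)
RISK_BASED = Policy("risk-based challenge + OOB code + alert", 0.0, True, True, True)

if __name__ == "__main__":
    for policy in (EVERY_DOLLAR, RISK_BASED):
        print(policy.name, simulate(policy))
```

Under the $1 policy four routine transfers are enough to expose all three answers, and the attacker's $90,000 transfer from an unknown device to an unknown payee is accepted with no alert raised, even though the risk score would have flagged it. Under the risk-based policy the customer is never prompted during routine use, the attacker cannot answer the one question asked, the out-of-band step would fail regardless, and the customer is alerted to the flagged attempt.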

Instead of granting the customer’s motion for summary judgment, the First Circuit remanded the case to the district court so the parties could brief the issue of whether Article 4A imposes any requirements on a customer even when the bank’s procedures are commercially unreasonable. The Court noted that any such obligations could completely exempt the bank from liability or only partially mitigate the damages.

This is an early appellate decision applying Article 4A's "commercially reasonable" standard to online banking fraud. It shows that banks must design security procedures with the current threat of cyberattacks against business customers in mind, and must follow regulatory guidance and the advice of their own authentication vendors, or risk bearing the loss from fraudulent transfers themselves.