By: Holly K. Towle
In 2010 we reported on the “Wave of Online Banking Fraud Targeting Businesses” that use online banking relationships to make electronic fund transfers by wire or ACH. The fraudsters use malware such as key-loggers to steal access credentials and then start draining the business’ account. In the U.S., the transfers are governed by Article 4A of the Uniform Commercial Code (“UCC”). Consumer accounts are not impacted by Article 4A: they are eligible for the consumer protections afforded by the federal Electronic Funds Transfer Act and Regulation E, which limit a consumer’s exposure to fraudulent transfers to a maximum of $50 as long as the consumer promptly reports the fraudulent activity.
The allocation of fraud losses under UCC Article 4A depends in large part on whether the bank or other financial institution holding the business’ account uses commercially reasonable security procedures. The First Circuit recently concluded that the bank at issue did not have commercially reasonable security procedures. The fact specific nature of the case makes it difficult to apply generally, but its themes will provide debate fodder for other circuit courts seeking to determine what UCC Article 4A does, or does not, require.
The case is Patco Const. Co., Inc. v. People’s United Bank and the court based its decision on the bank’s “collective failures, taken as a whole” in light of security knowledge in 2009. The facts involved a series of fraudulent wire transfers from a commercial customer’s account without the knowledge of that customer: in all $588,851.26 was fraudulently withdrawn, of which $243,406.83 was recovered.
At that time and in response to Federal Financial Institution Examination Council guidance regarding online access security the bank had been moving to a multi-factor authentication system that included, among many other features, challenge questions triggered for high dollar transactions. The bank reset the trigger threshold from $100,000 to $1, an act which the court viewed as substantially increasing the risk of fraud. This was because the low level meant that the static challenge questions would apply to every transaction, thereby increasing their exposure to seizure by key-loggers or other malware. The court also viewed the bank as essentially ignoring the “high risk” profile created by its system in light of the fact that the transfers were uncharacteristic of the customer’s ordinary pattern (e.g., the payment orders were for significantly higher amounts than usual, were directed to out-of-the-ordinary payees, and originated from computers and IP addresses never before used).
Some of the themes evident in this case are these:
One size does not fit all. The court concluded that a generic approach to Article 4A security procedures “violates Article 4A’s instruction to take the customer’s circumstances into account.” This is a reference to § 4–1202(3) (the codification in Maine) which the court explained as one of two ways by which a security procedure may be shown to be commercially reasonable under Article 4A. The court noted that the:
—Article is explicit that “[t]he standard is not whether the security procedure is the best available. Rather it is whether the procedure is reasonable for the particular customer and the particular bank….” Id. § 4–1203 cmt. 4. The UCC explains that “[t]he burden of making available commercially reasonable security procedures is imposed on receiving banks because they generally determine what security procedures can be used and are in the best position to evaluate the efficacy of procedures offered to customers to combat fraud.” Id. cmt. 3.
- What the industry is doing matters. The court looked to the state of Internet banking security at the time of the fraudulent transfers, noting that by that time the industry (a) “had largely moved to hardware-based tokens and other means of generating “one-time” passwords, or (b) used some other form of manual review or customer verification to authenticate uncharacteristic or suspicious transactions. The court concluded that “by May 2009, when the fraud in this case occurred, it was commercially unreasonable for Ocean Bank’s security system to trigger nothing more than what was triggered in the event of a perfectly ordinary transaction in response to the high risk scores that were generated by the withdrawals from Patco’s account.” Interestingly and although the court discussed the Federal Financial Institution Examination Council guidance at length at the beginning of the opinion, it did not mention the guidance in the ruling itself and focused more on what the Internet banking industry was actually doing at the time of the fraud. Of course, what that industry was doing was influenced by the guidance.
- Level of implementation difficulty can matter. The court stated that the extra security procedures needed to respond to those high risk scores “were not uncommon in the industry and were relatively easy to implement” and that such procedures “self-evidently would not have been difficult to implement.” In other words, the court believed the bank could have prevented the fraud relatively easily.
- Knowledge of the risk can matter. The court noted that “[t]his failure to implement additional procedures was especially unreasonable in light of the bank’s knowledge of ongoing fraud.” About a year before the fraud, the bank had received notification of substantial increases in Internet fraud involving key-logging malware; by the time of the fraud the bank had itself experienced at least two similar situations (where “the perpetrators had acquired and successfully applied the customer’s passwords, IDs, and answers to challenge questions”).
- Customer action, or inaction, can also matter. The court noted that Article 4A is not necessarily a one-way street and remanded for consideration of what mitigation duties, responsibilities or liabilities a customer may have even if the bank’s security procedures are commercially unreasonable. For example, the parties disputed whether Patco had knowingly failed to take advantage of a fraud “alert” service allegedly offered by the bank and whether a poor forensic job by Patco’s consultant could impact damage and causation issues. Security procedures were not the only issue addressed by the First Circuit. As significantly, the court also tackled the question of whether UCC Article 4A supplants common law causes of action. It concluded that Article 4A restrains common law claims only to the extent that they create rights, duties, and liabilities inconsistent with Article 4A. The court concluded that a claim for negligence is inconsistent, but that claims for breach of contract or of fiduciary duty are not inherently inconsistent. For example, “there could be, either by contract or through assumption of fiduciary duties, higher standards which are imposed on the bank.”