The Federal District Court for the District of Maine’s August 3, 2011 decision to adopt U.S. Magistrate Judge John H. Rich III’s recommendation to grant summary judgment in Patco Construction Co., Inc. v. People’s United Bank, a case widely followed in the banking industry, was an important victory for the Bank. To summarize the background of the case, the dispute arose out of a series of unauthorized ACH debits from Patco Construction’s commercial deposit account with the Bank in 2009. Over the course of several days, unknown third parties using Patco’s online banking credentials initiated $588,851 in withdrawals from the account, although $243,406 in withdrawals were blocked by the Bank. In addition to a company ID and password, the Bank’s online authentication procedures included the use of a database of known fraudulent IP addresses and the answering of challenge questions triggered by risk profiling, dollar thresholds, and computer cookies. Numerous other security-related procedures were used or made available by the Bank, such as email alerts, although certain security procedures available in the industry at the time (such as out-of-band authentication and password tokens) were not utilized. The Magistrate Judge’s analysis describes the Bank’s security procedures in detail, and the central issue analyzed by the Magistrate Judge was whether the Bank’s security procedures were “commercially reasonable” under Article 4-A of Connecticut’s version of the U.C.C.
It should be noted that the plaintiff, Patco Construction, has appealed the District Court’s decision to the U.S. Court of Appeals for the First Circuit (case no. 11-2031). Although the decision should be read in its entirety, here are a few important take-aways from the Magistrate Judge’s analysis:
1. Agreements with the customer are important. The Magistrate Judge frequently refers to the written agreements between the parties and the respective obligations of the parties under those agreements. Written contracts regarding the use of security procedures play an important role in allocating liability under Article 4-A of the U.C.C. The fact that Patco explicitly agreed to use certain security procedures and was bound to certain obligations under the agreements (such as daily monitoring of its account) was key to the Magistrate Judge’s analysis.
2. Be careful when allowing customers to weaken security procedures. Regulators have stated that allocating risk to customers is not a substitute for commercially reasonable security procedures. Reputational and regulatory risks cannot be shifted to the customer. In Patco’s case, the customer was allowed to raise its daily ACH transaction limit up to $750,000, and the customer never enrolled in the Bank’s email alert system.
3. More than account funds are at stake. Although the result was favorable to the Bank (pending appeal), the costs of defense, as well as the publicity of the case, were unwelcome byproducts. Implementing a strong, updated security program and ensuring that customers actively protect their accounts are key elements in prevention.
4. Standards are going up. The Magistrate Judge flatly stated that the Bank’s security procedures in 2009, although commercially reasonable, were “not optimal.” Several security procedures not used in this case were discussed at length, including the use of token password technology, out-of-band authentication, and manual monitoring of high-risk scores. As banks adopt new measures to address the risks of online banking, the bar for commercially reasonable security procedures will increase.
5. Multi-factor v. layered authentication. Patco argued that the Bank did not utilize multi-factor authentication because the use of computer cookies and risk profiling (what the user has) only triggered challenge questions (what the user knows) used to authenticate the user. Thus, under Patco’s argument, the Bank essentially offered layered single-factor security. The Magistrate Judge determined that the Bank’s security procedures constituted both multi-factor and layered authentication. It will be interesting to see if the First Circuit weighs in on these arguments.
The District Court’s decision should be read in light of the FFIEC’s recent guidance regarding online banking security, which was released a month after the Magistrate Judge’s recommendation. The new guidance, which we discussed in an August blog entry, restated the importance of using both layered and multi-factor authentication in high-risk transactions, and also emphasized the importance of customer education, transaction monitoring, and enhanced administrative controls over account access.