In an important decision last week, the U.S. Court of Appeals for the First Circuit held, as a matter of law, that a Maine-based bank's online banking security procedures were not commercially reasonable, even though its selected authentication technology fully complied with the Federal Financial Institutions Examination Council (FFIEC) guidelines for Authentication in an Internet Banking Environment.[1] A detailed review of this cautionary case offers some useful lessons for all financial institutions that offer online services to retail or corporate customers.
In Patco Construction Company v. People's United Bank,[2] Patco Construction Co. (Patco) brought suit alleging that People's United Bank should bear the loss resulting from fraudulent withdrawals totaling almost $350,000[3] from Patco's electronic banking account at Ocean Bank, a southern Maine community bank that was acquired by People's United Bank. After the district court granted summary judgment in favor of the bank on the basis that the bank's security procedures were commercially reasonable, the First Circuit reversed the district court's decision and allowed the lawsuit to continue, finding that the Maine bank's security procedures were, as a matter of law, not commercially reasonable.
The principal underlying message of the court's holding in Patco is that in order for a bank to avoid, or at least minimize, its liability arising from fraudulent transactions initiated through online banking systems, the bank should do the following:
The current FFIEC guidelines recommend the use of multifactor authentication with business customers. "Multifactor" means factors drawn from at least two distinct categories (something the user knows, something the user has, something the user is); a password combined with challenge questions draws on only the knowledge category and so does not, by itself, constitute multifactor authentication. These are some possible authentication factors:
FFIEC guidelines also recommend layered security programs that use different controls at different points in a transaction process so that a weakness in one control may be compensated for by the strength of a different control. Effective controls in a layered security program may include the following (FFIEC strongly encourages banks to use the first two controls):
The FFIEC guidelines also state the expectation that "financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security and other controls as appropriate in response to identified attacks."[6] These periodic risk assessments should be performed "as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months."[7]
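To make the layered-security idea concrete, the following is an added example written for this alert; it is not the FFIEC's, the court's or any bank's code, and the control names, thresholds, field names and sample payment orders are all constructed assumptions. It shows three independent controls applied to a payment order: a credential check, a transaction anomaly check that runs regardless of whether the credentials were correct, and an out-of-band confirmation used as the step-up for anomalous orders. A stolen password passes the first control but is caught by the second, which is the compensating effect the guidelines describe. The step-up is deliberately not a knowledge-based challenge typed into the same online session, because malware that captured the password captures the challenge answers too.

```python
"""Layered transaction controls: each control is independent, so a
weakness in one (here, a stolen password) is compensated by another.
Added example for illustration only; not FFIEC or bank code. Thresholds,
field names and the sample orders below are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    """What the bank knows about the customer: normal order size, the
    devices it has seen before and the payees it has paid before."""
    customer_id: str
    typical_max_amount: float
    known_devices: frozenset = frozenset()
    known_payees: frozenset = frozenset()


@dataclass
class PaymentOrder:
    customer_id: str
    device_id: str             # device fingerprint presented with the order
    payee: str
    amount: float
    credential_ok: bool        # control 1 result: password/OTP check passed
    oob_confirmed: bool = False  # control 3 result: customer confirmed the
                                 # order on a channel other than the session


def anomaly_control(profile: CustomerProfile, order: PaymentOrder) -> list[str]:
    """Control 2: transaction anomaly detection. Evaluated independently of
    the credential check, so it is not defeated by a correct stolen password."""
    reasons = []
    if order.device_id not in profile.known_devices:
        reasons.append("unrecognised device")
    if order.payee not in profile.known_payees:
        reasons.append("new payee")
    if order.amount > profile.typical_max_amount:
        reasons.append(f"amount {order.amount:.2f} exceeds typical maximum "
                       f"{profile.typical_max_amount:.2f}")
    return reasons


def decide(profile: CustomerProfile, order: PaymentOrder) -> tuple[str, list[str]]:
    """Combine the layers. 'hold' parks the order until the customer confirms
    it out of band; an anomalous order is never released on the strength of
    the session credentials alone."""
    if not order.credential_ok:
        return "reject", ["credential check failed"]
    reasons = anomaly_control(profile, order)
    if not reasons:
        return "accept", []
    if order.oob_confirmed:
        return "accept", reasons   # anomalous, but confirmed on a second channel
    return "hold", reasons


# Constructed sample: a contractor that pays a few known suppliers from one
# office PC and never issues an order above 10,000.
PROFILE = CustomerProfile(
    customer_id="acme-construction",
    typical_max_amount=10_000.00,
    known_devices=frozenset({"dev-office-pc"}),
    known_payees=frozenset({"lumber-supply-co", "payroll-service"}),
)

ROUTINE_ORDER = PaymentOrder("acme-construction", "dev-office-pc",
                             "lumber-supply-co", 4_200.00, credential_ok=True)

# Attacker using a keylogged password: credentials correct, everything else wrong.
STOLEN_CREDENTIAL_ORDER = PaymentOrder("acme-construction", "dev-unknown-7f3a",
                                       "mule-account-91", 98_000.00,
                                       credential_ok=True)


if __name__ == "__main__":
    for label, order in [("routine", ROUTINE_ORDER),
                         ("stolen credentials", STOLEN_CREDENTIAL_ORDER)]:
        verdict, why = decide(PROFILE, order)
        print(f"{label}: {verdict} {why}")
```

The anomaly thresholds are where the "circumstances of the customer known to the bank" from UCC Article 4A enter the design: they are per-customer values, not a single bank-wide figure, and a threshold set so low that every order triggers the step-up turns the second layer into a formality rather than a control.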
UCC Article 4A
Under Uniform Commercial Code Article 4A, if a bank and customer have agreed to use a security procedure, a payment order received by a bank is effective as an order of the customer, whether or not authorized by the customer, if (i) the security procedure is commercially reasonable and (ii) the bank accepted the payment order in good faith and in compliance with the security procedure.[8]
Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank; the circumstances of the customer known to the bank, including the size, type and frequency of payment orders normally issued by the customer to the bank; alternative security procedures offered to the customer; and security procedures in general use by customers and banks that are similarly situated. A security procedure is deemed to be commercially reasonable if:
(i) The security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer; and
(ii) The customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.[9]
Lessons from Patco
In order to avoid or minimize bank liability resulting from fraudulent electronic transactions from customer accounts, banks should:
As your institution prepares to conduct its next periodic risk assessments of online banking systems, we encourage you to review the lessons of the Patco case and, at a minimum, ensure that your processes, procedures and systems comply with the above recommendations.
Our lawyers have significant experience advising clients regarding the design and implementation of security policies, procedures and systems that conform to regulatory guidelines and reduce the likelihood of a finding of civil liability in favor of your customers. If you have any questions concerning the Patco case or would like assistance in preparing for your next periodic risk assessment, please contact any of the lawyers listed in this alert.