In an important decision last week, the U.S. Court of Appeals for the First Circuit held, as a matter of law, that a Maine-based bank's online banking security procedures were not commercially reasonable, even though its selected authentication technology fully complied with the Federal Financial Institutions Examination Council (FFIEC) guidelines for Authentication in an Internet Banking Environment.[1] A detailed review of this cautionary case offers some useful lessons for all financial institutions that offer online services to retail or corporate customers.
In Patco Construction Company v. People's United Bank,[2] Patco Construction Co. (Patco) brought suit alleging that People's United Bank should bear the loss resulting from fraudulent withdrawals totaling almost $350,000[3] from Patco's electronic banking account at Ocean Bank, a southern Maine community bank that was acquired by People's United Bank. After the district court granted summary judgment in favor of the bank on the basis that the bank's security procedures were commercially reasonable, the First Circuit reversed the district court's decision and allowed the lawsuit to continue, finding that the Maine bank's security procedures were, as a matter of law, not commercially reasonable.
The principal underlying message of the court's holding in Patco is that in order for a bank to avoid, or at least minimize, its liability arising from fraudulent transactions initiated through online banking systems, the bank should do the following:
The current FFIEC guidelines recommend the use of multifactor authentication with business customers. These are some possible authentication factors:
FFIEC guidelines also recommend layered security programs that use different controls at different points in a transaction process so that a weakness in one control may be compensated for by the strength of a different control. Effective controls in a layered security program may include the following (FFIEC strongly encourages banks to use the first two controls):
The FFIEC guidelines also indicate that it is the expectation that "financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security and other controls as appropriate in response to identified attacks."[6] These periodic risk assessments should be performed "as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months."[7]
UCC Article 4A
Under Uniform Commercial Code Article 4A, if a bank and customer have agreed to use a security procedure, a payment order received by a bank is effective as an order of the customer, whether or not authorized by the customer, if (i) the security procedure is commercially reasonable and (ii) the bank accepted the payment order in good faith and in compliance with the security procedure.[8]
Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank; the circumstances of the customer known to the bank, including the size, type and frequency of payment orders normally issued by the customer to the bank; alternative security procedures offered to the customer; and security procedures in general use by customers and banks that are similarly situated. A security procedure is deemed to be commercially reasonable if:
(i) The security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer; and
(ii) The customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.[9]
Lessons from Patco
In order to avoid or minimize bank liability resulting from fraudulent electronic transactions from customer accounts, banks should:
As your institution prepares to conduct its next periodic risk assessments of online banking systems, we encourage you to review the lessons of the Patco case and, at a minimum, ensure that your processes, procedures and systems comply with the above recommendations.
Our lawyers have significant experience advising clients regarding the design and implementation of security policies, procedures and systems that conform to regulatory guidelines and reduce the likelihood of a finding of civil liability in favor of your customers. If you have any questions concerning the Patco case or would like assistance in preparing for your next periodic risk assessment, please contact any of the lawyers listed in this alert.