On July 3, the U.S. Court of Appeals for the First Circuit overturned a district court ruling and allowed a lawsuit by Patco Construction Co. (“Patco”) to proceed against Peoples United Bank (the “Bank”) over $345,000 that was stolen from Patco’s bank accounts through internet fraud in 2009.
The district court for the District of Maine had entered judgment in favor of the Bank, holding that the Bank’s security technology was commercially reasonable (and noting that the technology followed the Federal Financial Institutions Examination Council (FFIEC) 2005 authentication guidance). The Court of Appeals disagreed, holding that the Bank had collective security failures that, taken as a whole, rendered the Bank’s security system commercially unreasonable. The failures were that the Bank used a challenge question as a second layer of authentication in addition to a password but lowered the transaction threshold triggering such challenge questions to $1, increasing the number of times the answer would be typed in (and therefore potentially logged by malware). Further, the Bank failed to monitor the risk reports generated by its security system, to implement any additional procedures such as manual review when a transaction was flagged as suspicious, or to deploy additional technology (out-of-band authentication, user-selected pictures, or tokens).
The Court of Appeals remanded the case to the district court to assess the obligations and liabilities of the Bank and Patco under UCC Article 4A with respect to the stolen funds.
We have previously noted the potential for courts to look to the FFIEC guidance in assessing the reasonableness of security procedures. The FFIEC recommends multi-layered security processes, and issued supplemental guidance in 2011. The appeals court’s ruling suggests that challenge questions as a second level of authentication may not be sufficient in all circumstances (the appeals court stated that they were easy to use but less secure than other customer verification procedures, and it indicated that the Bank’s across-the-board $1 trigger for challenge questions ignored the “circumstances of the customer” in violation of UCC Article 4A). The ruling also makes clear that having software that analyzes risk scores for transactions is not sufficient if no one is monitoring the reports or notifying customers of transactions with high risk scores. Indeed, a key component of the 2011 supplement is the requirement to monitor transactions as a means of detecting fraud. Notably, the conduct at issue in the Patco case took place while the 2005 authentication guidance was in place.
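The two control failures the court described (a $1 step-up trigger that forces the challenge answer to be typed on nearly every transfer, and risk scores that are generated but never acted on) can be made concrete with a small policy simulation. The following is an added example written for this post; it is not code from the court record, the Bank, or the FFIEC. The transactions, their risk scores, the $1,000 alternative threshold and the risk-score cutoff of 80 are all constructed assumptions; only the $1 trigger comes from the decision.

```python
"""Compare two step-up authentication policies over a constructed transaction log.

Added example (not from the Patco opinion). Risk scores, amounts and the
alternative thresholds are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    txid: str
    amount: float
    risk_score: int  # 0-100, as a hypothetical risk engine might score it


@dataclass(frozen=True)
class Policy:
    stepup_threshold: float  # amount at/above which the challenge question is asked
    review_cutoff: int       # risk score at/above which the transfer should be held
    reviewed: bool           # whether anyone actually works the review queue


@dataclass
class Outcome:
    challenge_entries: int = 0                       # times the answer was typed
    held: list = field(default_factory=list)         # flagged and reviewed before release
    released_unreviewed: list = field(default_factory=list)  # flagged, then ignored
    completed: list = field(default_factory=list)


def apply_policy(transactions, policy):
    """Run each transaction through the layered controls of `policy`."""
    out = Outcome()
    for t in transactions:
        if t.amount >= policy.stepup_threshold:
            # Every extra entry of the challenge answer is another chance for
            # keylogging malware on the customer's machine to capture it.
            out.challenge_entries += 1
        if t.risk_score >= policy.review_cutoff:
            if policy.reviewed:
                out.held.append(t.txid)   # a flag that someone acts on
                continue
            out.released_unreviewed.append(t.txid)  # a flag nobody looked at
        out.completed.append(t.txid)
    return out


def unreviewed_value(transactions, policy):
    """Dollar value of high-risk transfers that went through without review."""
    out = apply_policy(transactions, policy)
    return sum(t.amount for t in transactions if t.txid in out.released_unreviewed)


# Constructed sample log: four routine payments and two large, high-risk transfers.
SAMPLE = [
    Transaction("tx1", 25.00, 5),
    Transaction("tx2", 1200.00, 12),
    Transaction("tx3", 3.50, 8),
    Transaction("tx4", 89000.00, 95),
    Transaction("tx5", 48000.00, 90),
    Transaction("tx6", 150.00, 10),
]

# $1 trigger from the decision; flags generated but never monitored.
FIXED_DOLLAR = Policy(stepup_threshold=1.0, review_cutoff=80, reviewed=False)
# Assumed alternative: higher trigger, and flagged transfers are actually reviewed.
LAYERED = Policy(stepup_threshold=1000.0, review_cutoff=80, reviewed=True)


if __name__ == "__main__":
    for name, policy in (("fixed $1 trigger", FIXED_DOLLAR), ("layered", LAYERED)):
        o = apply_policy(SAMPLE, policy)
        print(f"{name}: answer typed {o.challenge_entries}x, held={o.held}, "
              f"released without review={o.released_unreviewed}, "
              f"unreviewed value=${unreviewed_value(SAMPLE, policy):,.2f}")
```

With the constructed log the $1 trigger causes the challenge answer to be entered on all six transfers and lets both high-risk transfers complete, because the flags are produced but never reviewed; the layered policy asks the question on three transfers and holds the two flagged ones. The point of the simulation is that a risk score is only a control when a procedure (manual review, customer notification, or out-of-band confirmation) is attached to it.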
It remains to be seen to what extent other courts will find reasons to go behind the risk allocation provisions of the UCC, which generally shield the bank from liability if the customer agrees to reasonable security procedures, and find potential bank liability. Should this result become widespread, there may be a significant risk that banks will not offer easy-to-use, Internet-based funds transfer capabilities. The UCC’s risk allocation principles and the concept of the UCC displacing common law claims for various causes of action may be in danger of significant erosion if the jurisprudence continues to develop in the direction taken by the Court of Appeals in the Patco decision.
You can find additional materials we have prepared on the FFIEC authentication guidance at the following links: