PATCO ACH Fraud Ruling ReversedAppeals Court Calls Bank's Security 'Commercially Unreasonable'
A federal appeals court has reversed a lower court's ruling in the ACH/wire fraud dispute between PATCO Construction Inc. and the former Ocean Bank, now People's United.
See Also: 2016 State of Threat Intelligence Study
In a decision issued July 3, the First Circuit Court of Appeals in Boston ruled in favor of PATCO, reversing a district court's 2011 judgment that favored the bank, and further recommended that the two parties pursue an out-of-court settlement of the case.
The 43-page ruling describes the bank's security procedures as "commercially unreasonable," saying the institution should have detected and stopped the fraudulent transactions that drained more than $500,000 from PATCO's commercial account in 2009.
The ruling goes on to state Ocean Bank actually increased the Maine-based construction company's fraud risk by relying on what the court calls a "one-size-fits-all" approach to monitoring and authenticating high-dollar transactions.
The court does leave open for further litigation the question of whether PATCO fulfilled its own obligations spelled out by Article 4A of the Uniform Commercial Code.
"We remand for further proceedings in accordance with this opinion," the ruling states. "On remand, the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement."
This ruling reverses a June 2011 U.S. District Court decision that favored Ocean Bank.
In the case, PATCO argued that Ocean Bank's use of only log-in and password credentials for transaction verification did not comply with the FFIEC's requirements for multifactor authentication. That deficiency, PATCO argued, allowed cyberfraudsters in May 2009 to drain more than $500,000 from its account.
A District Court magistrate disagreed, finding that Ocean Bank met legal requirements for multifactor authentication. The magistrate recommended the court deny PATCO's motion for a jury trial.
The PATCO/Ocean Bank dispute is one of two landmark court cases revolving around which party bears responsibility when financial losses result from online compromises. The other case involves Michigan-based Experi-Metal Inc. and Comerica Bank. Like PATCO, EMI saw more than $560,000 drained from its account after fraudulent transactions exceeding $1.9 million were approved by Comerica. In 2009, EMI sued Comerica and won. (See Court Favors EMI in Fraud Suit.)
In the PATCO appeal, the court rules that Ocean Bank increased PATCO's risk of fraud by allowing wire transfers to be approved through only the answering of challenge questions for any transaction exceeding $1.
The ruling goes on to say that even when the bank had warnings that fraud events were likely, as in the PATCO case, it "neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed."
The fraudulent wire transfers that hit PATCO's account should have raised red flags and triggered extra security measures to validate the transactions, the court says. "The payment orders at issue were entirely uncharacteristic of PATCO's ordinary transactions," the ruling states. "These collective failures, taken as a whole, rendered Ocean Bank's security procedures commercially unreasonable."
Mark Patterson, co-owner of PATCO, says he hopes the court's ruling sends a message to banking institutions and other corporate victims of account takeover events that have been reluctant to pursue legal action. "It is great news for victims out there who are going after banks that have not been keeping their customers' money secure," Patterson says. "(It's) a wake up call."
People's United was unavailable to comment immediately following the ruling.