PATCO ACH Fraud Ruling Reversed Appeals Court Calls Bank's Security 'Commercially Unreasonable'

A federal appeals court has reversed a lower court's ruling in the ACH/wire fraud dispute between PATCO Construction Inc. and the former Ocean Bank, now People's United.

See Also: Cybersecurity, Digital Transformation and Resiliency - A Lesson for Financial Services Institutions

In a decision issued July 3, the First Circuit Court of Appeals in Boston ruled in favor of PATCO, reversing a district court's 2011 judgment that favored the bank, and further recommended that the two parties pursue an out-of-court settlement of the case.

The 43-page ruling describes the bank's security procedures as "commercially unreasonable," saying the institution should have detected and stopped the fraudulent transactions that drained more than $500,000 from PATCO's commercial account in 2009.

The ruling goes on to state Ocean Bank actually increased the Maine-based construction company's fraud risk by relying on what the court calls a "one-size-fits-all" approach to monitoring and authenticating high-dollar transactions.

The court does leave open for further litigation the question of whether PATCO fulfilled its own obligations spelled out by Article 4A of the Uniform Commercial Code.

"We remand for further proceedings in accordance with this opinion," the ruling states. "On remand, the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement."

Original Ruling

This ruling reverses a June 2011 U.S. District Court decision that favored Ocean Bank.

In the case, PATCO argued that Ocean Bank's use of only log-in and password credentials for transaction verification did not comply with the FFIEC's requirements for multifactor authentication. That deficiency, PATCO argued, allowed cyberfraudsters in May 2009 to drain more than $500,000 from its account.

A District Court magistrate disagreed, finding that Ocean Bank met legal requirements for multifactor authentication. The magistrate recommended the court deny PATCO's motion for a jury trial.

According to the magistrate's order, Ocean Bank fulfilled its contractual obligations for security and authentication. (See ACH Fraud: Judge Denies PATCO Motion.)

The PATCO/Ocean Bank dispute is one of two landmark court cases revolving around which party bears responsibility when financial losses result from online compromises. The other case involves Michigan-based Experi-Metal Inc. and Comerica Bank. Like PATCO, EMI saw more than $560,000 drained from its account after fraudulent transactions exceeding $1.9 million were approved by Comerica. In 2009, EMI sued Comerica and won. (See Court Favors EMI in Fraud Suit.)

'Commercially Unreasonable'

In the PATCO appeal, the court rules that Ocean Bank increased PATCO's risk of fraud by allowing wire transfers to be approved through only the answering of challenge questions for any transaction exceeding $1.

The ruling goes on to say that even when the bank had warnings that fraud events were likely, as in the PATCO case, it "neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed."

The fraudulent wire transfers that hit PATCO's account should have raised red flags and triggered extra security measures to validate the transactions, the court says. "The payment orders at issue were entirely uncharacteristic of PATCO's ordinary transactions," the ruling states. "These collective failures, taken as a whole, rendered Ocean Bank's security procedures commercially unreasonable."

Mark Patterson, co-owner of PATCO, says he hopes the court's ruling sends a message to banking institutions and other corporate victims of account takeover events that have been reluctant to pursue legal action. "It is great news for victims out there who are going after banks that have not been keeping their customers' money secure," Patterson says. "(It's) a wake up call."

People's United was unavailable to comment immediately following the ruling.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.





Around the Network