The ongoing dispute between PATCO Construction Inc. and People's United, formerly Ocean Bank, over a $500,000 account takeover incident dating back to 2009 has finally come to a close.
The two parties agreed in mid-November to settle their differences. People's United will pay PATCO for the losses the construction company suffered after a series of fraudulent wire transfers hit the company's commercial account, says Mark Patterson, co-owner of PATCO.
On July 3, the First Circuit Court of Appeals in Boston reversed a lower court's judgment from 2011, which favored the bank. The appeals court also recommended that the two parties pursue an out-of-court settlement (see PATCO ACH Fraud Ruling Reversed).
Originally, PATCO was seeking damages and legal fees in addition to compensation for the fraudulent losses it suffered.
But Patterson says settlement was the only recourse. "We took the court's advice," he says.
Patterson would not offer further comment about the settlement, and People's United did not respond to a request for comment.
Avivah Litan, a fraud analyst with consulting firm Gartner, says the settlement should serve as a lesson for other institutions. "An ounce of prevention is worth a pound of cure," she says. "The banks are clearly better equipped to prevent account takeover than their customers are, although certainly customers should institute whatever security measures they have access to."
Unreasonable Security Cited
In its 43-page ruling, the appellate court described the bank's security procedures as "commercially unreasonable," and said the bank should have detected and stopped the fraudulent transactions that hit PATCO's account. The ruling also claimed the former Ocean Bank increased PATCO's fraud risk by relying on what it referred to as a "one-size-fits-all" approach to monitoring and authentication of high-dollar transactions.
David Navetta, founding partner of the Information Law Group, says the PATCO case and others like it illustrate the increasing challenge banks face in the courts. "I think these cases ultimately hurt the negotiating position of banks involved in an ACH fraud situation arising out of online banking," he says.
As a result, Navetta suggests that, in many cases, banks might be better off if they simply cover the losses linked to account takeovers rather than risk losing a court battle.
The appellate ruling in the PATCO case, however, opened the door for future cases to explore the obligation commercial customers have for ensuring their own security. Pointing to Article 4A of the Uniform Commercial Code, which provides protections to commercial customers similar to those provided for consumers under Regulation E, the court suggested commercial customers have some responsibilities.
Under Article 4A, a bank typically bears the risk of loss when unauthorized funds transfers are approved. The bank may shift that risk of loss onto the customer by either proving the commercial reasonableness of its offered security procedures or by proving that it approved the fraudulent payment or transfer on good faith and in compliance with security procedures noted in its contract with the customer. But in its July ruling, the appeals court said: "Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well."
Had the parties not settled, their ongoing legal dispute likely would have involved a review of whether PATCO fulfilled its own obligations under the Uniform Commercial Code.
Litan says a simple rules-based fraud prevention system likely would have prevented Patco's account from being breached. But the larger question of customer obligations remains to be determined. "We are really no closer to knowing that then we were before," she says.
Other Fraud Cases
The PATCO case is the second high-profile dispute over an account takeover event to be settled out of court this year. In June, California-based Village View Escrow settled with its former bank, Professional Business Bank, for more than the $400,000 drained from its account in March 2010.
In May 2010, PlainsCapital Bank and Texas-based Hillary Machinery settled their legal differences over an ACH/wire fraud incident that cost Hillary Machinery more than $800,000 for an undisclosed amount. The case was the first to draw attention to account takeover risks posed by lax online security.
So far, of the incidents that have hit the headlines, only the ACH/wire fraud case between Michigan-based Experi-Metal Inc. and Comerica Bank was resolved in court. In June 2011, a district court ruled in favor of EMI and ordered Comerica to reimburse the business for the more than $560,000 drained from its account via fraudulent transactions.