What Credit Unions Can Learn From the Patco Case
by Henry Meier
Suppose hackers take advantage of a credit union’s inadequate online security to steal member passwords and wire several hundred thousand dollars out of a member’s business account. The credit union is going to have to make up some of the loss, but should it matter that the company’s negligence contributed to the theft? That is the legal question that will be left unanswered now that PATCO construction company and People’s United Bank have recently announced the settlement of their increasingly high-profile and extremely important litigation, which centered on what constitutes a commercially reasonable standard of protection for financial institutions offering online banking services to businesses under Article 4A of the Uniform Commercial Code.
When I last posted a blog about the case, which involved a construction company that was victimized by a series of unauthorized electronic funds transfers out of its account, the Court of Appeals for the First Circuit had just reversed a lower court ruling and held that the bank’s security procedures were commercially unreasonable, in part because it relied too heavily on the use of challenge questions to deny access to accounts. The bank overlooked the fact that the answers to these questions could be captured by malware designed to read a person’s keystrokes. The Court held that whether or not a financial institution’s online security is commercially reasonable is based on a case-by-case evaluation of the customer’s needs, the security procedures put in place and the implementation of these procedures by bank personnel.
The standard set for commercial reasonableness makes the case a must-read for anyone involved with online services and compliance, but the decision got even more interesting — at least in a legal geek kind of way — when the Court mused that, even though the bank’s protections may not have been adequate, Article 4A “does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well… It is unclear, however, what, if any, obligations a commercial customer has when a bank’s security system is found to be unreasonable.” Both of the parties were instructed to prepare arguments on this issue for the court to consider. The Court also urged both sides to consider settling, and not surprisingly, that’s what they did.