Patco Constr. Co. v. People's United Bank

Decision Date: 03 July 2012
Docket Number: No. 11–2031
Parties: PATCO CONSTRUCTION COMPANY, INC., Plaintiff, Appellant, v. PEOPLE'S UNITED BANK, d/b/a Ocean Bank, Defendant, Appellee.
Court: U.S. Court of Appeals — First Circuit

Daniel J. Mitchell, with whom Eben M. Albert–Knopp and Bernstein Shur were on brief, for appellant.

Brenda R. Sharton, with whom Don M. Kennedy, Katherine A. Borden, and Goodwin Procter LLP were on brief, for appellee.

Before LYNCH, Chief Judge, LIPEZ and HOWARD, Circuit Judges.

LYNCH, Chief Judge.

Over seven days in May 2009, Ocean Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the perpetrators correctly supplied Patco's customized answers to security questions. Although the bank's security system flagged each of these transactions as unusually “high-risk” because they were inconsistent with the timing, value, and geographic location of Patco's regular payment orders, the bank's security system did not notify its commercial customers of this information and allowed the payments to go through. Ocean Bank was able to block or recover $243,406.83, leaving a residual loss to Patco of $345,444.43.

Patco brought suit, setting forth six counts against People's United Bank, a regional bank which had acquired Ocean Bank. The suit alleged, inter alia, that the bank should bear the loss because its security system was not commercially reasonable under Article 4A of the Uniform Commercial Code (“UCC”), as codified under Maine Law at Me.Rev.Stat. Ann. tit. 11, § 4–1101 et seq., and that Patco had not consented to the procedures.

On cross-motions for summary judgment, the district court held that the bank's security system was commercially reasonable and on that basis entered judgment in favor of the bank on the first count. Patco Constr. Co. v. People's United Bank, No. 09–cv–503, 2011 WL 3420588 (D.Me. Aug. 4, 2011). The district court also granted summary judgment in favor of the bank on the remaining counts, holding that they were either dependent on or displaced by the analysis and law underlying the first count. Id.

We reverse the district court's grant of summary judgment in favor of the bank and affirm its denial of Patco's motion for summary judgment on the first count. In particular, we leave open the question of what, if any, obligations or responsibilities Article 4A imposes on Patco. We also reinstate certain other claims dismissed by the district court, and remand for proceedings consistent with this opinion.

I.

The facts, which are largely undisputed, are as follows. Where the facts remain in dispute, we relate them in the light most favorable to Patco, the non-moving party. See Valley Forge Ins. Co. v. Field, 670 F.3d 93, 96–97 (1st Cir.2012).

A. The Parties

Patco is a small property development and contractor business located in Sanford, Maine. Patco began banking with Ocean Bank in 1985. Ocean Bank was acquired by the Chittenden family of banks, which was later acquired by People's United Bank, a regional bank based in Bridgeport, Connecticut. People's United Bank operates other local Maine banks such as Maine Bank & Trust, where Patco also had an account in May 2009. Ocean Bank was a division of People's United at the time of the fraudulent withdrawals at issue in this case.

In September 2003, Patco added internet banking—also known as “eBanking”—to its commercial checking account at Ocean Bank. Ocean Bank allows its eBanking commercial customers to make electronic funds transfers through Ocean Bank via the Automated Clearing House (ACH) network, a system used by banks to transfer funds electronically between accounts. Patco used eBanking primarily to make regular weekly payroll payments. These regular payroll payments had certain repeated characteristics: they were always made on Fridays; they were always initiated from one of the computers housed at Patco's offices in Sanford, Maine; they originated from a single static Internet Protocol (“IP”) address; and they were accompanied by weekly withdrawals for federal and state tax withholding as well as 401(k) contributions. The highest payroll payment Patco ever made using eBanking was $36,634.74. Until October of 2008, Patco also used eBanking to transfer money from the accounts of Patco and related entities at Maine Bank & Trust, which maintains a branch in Sanford, Maine, into its Ocean Bank checking account.

In September 2003, when it added eBanking services, Patco entered into several agreements with Ocean Bank. Most significantly, Patco entered into the eBanking for Business Agreement. The eBanking agreement stated that “use of the Ocean National Bank's eBanking for Business password constitutes authentication of all transactions performed by you or on your behalf.” The eBanking agreement stated that Ocean Bank did not “assume[ ] any responsibilities” with respect to Patco's use of eBanking, that “electronic transmission of confidential business and sensitive personal information” was at Patco's risk, and that Ocean Bank was liable only for its gross negligence, limited to six months of fees. The eBanking agreement also provided that:

[U]se of Ocean National Bank's eBanking for Business by any one owner of a joint account or by an authorized signor on an account, shall be deemed an authorized transaction on an account unless you provide us with written notice that the use of Ocean National Bank's eBanking for Business is terminated or that the joint account owner or authorized signor has been validly removed form [sic] the account.

The agreement provided that Patco had to contact the bank immediately upon discovery of an unauthorized transaction.

The bank also reserved the right to modify the terms and conditions of the eBanking agreement at any time, effective upon publication. The bank claims that at some point before May 2009, it modified the eBanking agreement to state:

If you choose to receive ACH debit transactions on your commercial accounts, you assume all liability and responsibility to monitor those commercial accounts on a daily basis. In the event that you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs.

The bank claims that it published this modified eBanking agreement on its website before May 2009. Patco disputes that this agreement was modified and/or published on the bank's website before May 2009, and argues that the modified agreement was therefore not effective as between the parties.

B. Ocean Bank's Security Measures

In 2004, Ocean Bank began using Jack Henry & Associates to provide its core online banking platform, known as “NetTeller.” Jack Henry provides the NetTeller product to approximately 1,300 of its 1,500 bank customers.

In October 2005, the agencies of the Federal Financial Institutions Examination Council (“FFIEC”), responding to increased online banking fraud, issued guidance titled “Authentication in an Internet Banking Environment.” See Fed. Fin. Insts. Examination Council, Authentication in an Internet Banking Environment (Aug. 8, 2001), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf [hereinafter “FFIEC Guidance”]. The Guidance was intended to aid financial institutions in “evaluating and implementing authentication systems and practices whether they are provided internally or by a service provider.” Id. at 1. The Guidance provides that “financial institutions should periodically ... [a]djust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information.” Id. at 2.

The Guidance explains that existing authentication methodologies involve three basic “factors”: (1) something the user knows (e.g., password, personal identification number); (2) something the user has (e.g., ATM card, smart card); and (3) something the user is (e.g., biometric characteristic, such as a fingerprint). Id. at 3. It states:

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). A multifactor authentication methodology may also include “out-of-band” controls for risk mitigation.

Id. The Guidance also states:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.... Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Id. at 1–2.

Following publication of the FFIEC Guidance, Ocean Bank worked with Jack Henry to conduct a risk assessment and institute appropriate authentication protocols to comply with the Guidance. The bank determined that its eBanking product was a “high risk” system that required enhanced security, and in particular, multifactor authentication.

Jack Henry entered into a re-seller agreement with Cyota, Inc., an RSA Security Company (“RSA/Cyota”), for a multifactor authentication system to integrate into its NetTeller product so that it could offer security solutions compliant with the FFIEC Guidance. Through collaboration with...
