People's United Bank Lawsuit and "Commercially Reasonable" Online Security
From time to time Credit Union National Association (CUNA) will post information on lawsuits that indicate legal trends or that result in an opinion of interest to credit unions. On July 3, 2012, the United States Court of Appeals for the First Circuit (Court) issued a ruling in the Patco Construction Company, Inc. v. People’s United Bank (Bank) lawsuit, and found that the bank did not have “commercially reasonable” online security measures under the Uniform Commercial Code (UCC), reversing the lower district court’s ruling in favor of the bank from May 2011. Under the Article 4A of the UCC, a financial institution would be able to shift liability to its customer if it uses a “commercially reasonable” security method. In the lawsuit, Patco alleged that the bank’s security measures were not “commercially reasonable,” which resulted in fraudulent transfers using the Automated Clearing House (ACH) network. The Court found that the bank’s “collective failures taken as a whole” rendered the bank’s online security system “commercially unreasonable.” For example, the Court found that the bank increased the risk of fraud and compromise when it displayed the answers to the challenge questions for each transfer, the transactions in dispute were uncharacteristic, and the bank did not monitor the transactions for fraud.