Regulatory Watch: Court Sides with Company in E-Banking Security Breach

February 28, 2014
Failure to tell company of transaction alerts puts responsibility for big loss on bank.

Companies that use e-banking services typically have to sign waivers that allow banks to avoid liability for losses due to fraudulent withdrawals if the banks’ security systems are “commercially reasonable.” A Federal court recently ruled that one bank that failed to tell its corporate client of repeated alerts raised by its security system was responsible for the losses, even though the system itself was reasonably standard.

The case was brought by Patco Construction Co. against People’s United Bank. In 2009 the bank allowed six fraudulent withdrawals totaling $588,851 to go through despite its system identifying them as high risk. The bank did not tell Patco of the transactions before clearing them.

Patco sued in Federal court, arguing that the bank’s system was not “commercially reasonable” as defined by the Uniform Commercial Code. People’s United argued that the e-banking agreement that Patco signed severely limited the bank’s liability for the fraud.

According to an article on the case by attorney Pedro Pavón of law firm Carlton Fields Jorden Burt, “In court, Patco argued that the bank’s security system was not commercially reasonable because the $1 threshold the bank set meant that Patco had to answer challenge questions on every transaction it made, thereby increasing the risk that the answers to its challenge questions would be compromised…. Patco also argued that the bank did not incorporate its security measures adequately by failing to monitor high risk score transactions, and did not provide email alerts or other immediate notices of suspicious activity. The bank argued that its security program was reasonable, and should be binding because Patco agreed to it.”

The lower court agreed with the bank, but the appeals court sided with Patco. The result should give corporates some comfort: incompetence by a bank’s security IT team or system can leave the bank responsible for fraudulent activity, rather than the loss coming out of the pocket of a treasury group that incorrectly assumed the bank’s security protocols were adequate.
