What we can learn from the Patco Case.

November 28, 2012 at 6:47 am 3 comments

Suppose hackers take advantage of a credit union’s inadequate online security to steal member passwords and wire several hundred thousand dollars out of a member’s business account.  The credit union is going to have to make up some of the loss but should it matter that the company’s negligence contributed to the theft?  That is the legal question that will be left unanswered now that PATCO construction company and People’s United Bank recently announced the settlement of their increasingly high-profile and extremely important litigation centered on the question of what constitutes a commercially reasonable standard of protection for financial institutions offering online banking services to businesses under Article 4A of the Uniform Commercial Code.

When I last posted a blog about the case, which involved a construction company that was victimized by a series of unauthorized electronic funds transfer out of its account, the Court of Appeals for the First Circuit had just reversed a lower court ruling and held that the bank’s security procedures were commercially unreasonable, in part because it relied   too heavily on the use of challenge questions to deny access to accounts.  The bank overlooked the fact that the answers to these questions could be captured by malware software designed to read a person’s keystrokes.  The Court held that whether or not a financial institution’s online security is commercially reasonable is based on a case-by-case evaluation of the customer’s needs, the security procedures put in place and the implementation of these procedures by bank personnel.

The standard set for commercial reasonableness makes the case a must read for anyone involved with online services and compliance, but the decision got even more interesting — at least in a legal geek kind of way — when the Court mused even though the bank’s protections may not have been adequate Article 4A “does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well… It is unclear, however, what, if any, obligations a commercial customer has when a bank’s security system is found to be unreasonable.”  Both of the parties were instructed to prepare arguments on this issue for the court to consider.  The Court also urged both sides to consider settling, and not surprisingly, that’s what they did.

So where does this leave credit unions developing their online procedures for business accounts?

  • Most importantly, when entering into an agreement to provide online banking services to a business, document that the business in question has been involved in the decision-making process regarding appropriate security procedures and agrees that the procedures to be used are commercially reasonable. As with all your contracts, save e-mail and make sure that all components of the agreement are reflected in the contract.
  • Avoid cookie-cutter procedures.  The Patco bank’s security procedures were inadequate because they did not reflect the unique characteristics of the company.  For example, had the bank had individuals review transaction reports, it would have been better able to spot the series of abnormal account transfer requests from the hackers.
  • Assume, as the court seems to suggest, that proper online security is a responsibility shared by the member business with the credit union.  Make sure the member’s obligations are documented in the contract.
  • Finally, what constitutes a commercially reasonable protection today may be antiquated by tomorrow afternoon.  Your contract has to be flexible enough to change as conditions warrant.  Specify how the contract is going to be amended and how changes in security procedures are going to be communicated and agreed upon.

 CFPB Delays Implementation of Regulations for International Remittances

 Speaking of wire transfers, the CFPB announced that it will be coming out with additional amendments to international remittances.  As a result, the effective date of the regulation will be pushed back to the Spring of 2013 but nothing is definite.

According to a bulletin released by the CFPB, the amendments:

  • Provide where a remittance sender can demonstrate that it sent money to a wrong account based on information provided by the consumer, a credit union would still have to try to get the money back but would not have to repay the member for the lost funds;
  • Provide flexibility on what information a credit union sending a remittance can rely on when disclosing information about fees charged by the receiving institution; and
  • Clarify that information provided to the consumer about taxes charged by the country to which a remittance is being sent is limited to taxes imposed on a national level.

Proposed regulations will be coming out sometime next month.

Entry filed under: Compliance, Legal Watch, Regulatory. Tags: , , , , , , .

What the Jets, the SEC, and Credit Unions have in common. Eat, Drink and Be Merry. . .to a Point.

3 Comments Add your own

  • 1. Michael Luckin  |  November 28, 2012 at 10:34 am

    Excellent recap. One can only imagine what the courts will decide in the future about what’s a “commercially reasonable standard of protection” notwithstanding what systems/deterrents FI’s put in place. The old phrase “you can take a horse to water but you can’t make him drink” seems appropriate here given the reluctance of members/business members to take precautions of their own.

    • 2. The avenger  |  November 28, 2012 at 11:15 am

      There has to be legal recognition that the member-business has an obligation to act prudently or we will have a defacto strict liability system that makes business accounts prohibitive for all but the largest institutions-Henry

  • 3. Ara  |  August 7, 2013 at 5:08 pm

    Greetings there, I just wanted to give you a quick heads up to help you recognize
    that numerous illustrations or photos are not loading properly on your website.
    I have no idea the reasons why however I suppose it can be a
    linking complication. I have even tried this in 2
    various web browsers and both still provide a comparable final result.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 484 other followers