The U.S. First District Court of Appeals issued a decision last month involving Connecticut-based People’s United Bank, effectively drawing a roadmap for bank account security.
People’s United has made a strong push into Eastern Massachusetts in the past few years, acquiring Danversbank and opening a number of branch offices in and around Boston.
In its decision, the First District Court reversed a Maine District Court judgment in favor of People’s United, in a case known as Patco Construction vs. People’s United Bank.
In the case, Patco accused Ocean Bank, a People’s United subsidiary, of authorizing six fraudulent withdrawals totaling $558,851 and change. Patco argued that People’s United should bear the loss because its security system was not “commercially reasonable” under Article 4A of the Uniform Commercial Code and that Patco had not consented to the withdrawals.
The Maine court sided with the bank, ruling that the security system used by People’s United was commercially reasonable. In summary judgment, the District Court also sided with the bank, ruling any remaining counts of the suit were dependent upon the commercial reasonableness of the bank’s security system.
But the Appeals Court, while affirming that the People’s United security system is indeed “commercially reasonable,” reversed, in favor of Patco, the District Court’s ruling on other aspects of the suit.
The District Court had concluded that Patco’s claims of negligence, breach of contract and breach of fiduciary duty were “preempted” by the fact that People’s United’s security system is commercially reasonable.
The Appeals Court ruled that while the negligence claim doesn’t hold up, the breach of contract and breach of fiduciary duty claims are worth another look.
Messy Situation
The situation is not anything that could be called clean, or cut-and-dried. And some say this is the kind of thing both banks and customers will be dealing with as each gets comfortable with new technologies customers are so eager to demand and banks are so eager to offer.
“You’re going to see a lot more litigation in this world,” Walt Paulekas, of Hartford-based law firm Ford Paulekas, told Banker & Tradesman. “Internet banking, the quality of it, even between banks, varies tremendously, and it’s under constant assault by hackers.”
It used to be simple. If someone forges a check, the customer is reimbursed. This internet stuff, however, “is going to be a mess,” Paulekas said.
“The common law claims of breach of contract and breach of fiduciary duty are not inherently inconsistent with Patco’s Article 4A claim,” the Appeals Court said in its decision. “At least in theory, there could be, either by contract or through assumption of fiduciary duties, higher standards which are imposed on the bank.”
Reading Fine Print
Over a week in May 2009, Ocean Bank authorized six apparently fraudulent withdrawals totaling $558,851 from a Patco commercial account to which more than one employee had access. Whoever was taking the money was providing the correct answer to the Patco account’s challenge questions, but was making unusual withdrawals.
Patco employees never transferred more than about $36,000 from the account at one time, but during the alleged fraud, money was withdrawn from the account in $56,000, $115,000, $99,000, $91,000 and $113,000 chunks.
As the transactions occurred, the “risk scoring engine” used by the bank warned of a “very high risk non-authenticated device,” a “high risk transaction amount,” an “IP anomaly” and “risk score distributor per cookie age.”
In the suit, Patco claimed it was never notified by the bank that anything suspicious was going on. The bank countered that it offered email security alerts to account holders, but that Patco hadn’t signed up for those alerts.
The bank also pointed to language in its security agreement with accountholders: “If you choose to receive ACH debit transactions on your commercial accounts, you assume all liability and responsibility to monitor those commercial accounts on a daily basis. In the event that you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs.”
People’s United did not respond to a Banker & Tradesman request to comment on the ruling. In its latest Form 10-K filed with the U.S. Securities and Exchange Commission, it does not mention the Patco case.
Of cases not mentioned by name, People’s United says, “based on the information currently available, advice of counsel, available insurance coverage and the recorded liability for probable legal settlements and costs, People’s United Financial believes that the eventual outcome of these matters will not (individually or in the aggregate) have a material adverse effect on its financial condition, results of operations or liquidity.”
Going Forward
That may be, but the Patco case “lays out a road map for what the issues are and what they will be going forward,” Stanley Ragalevsky, a Boston-based banking attorney, told Banker & Tradesman.
On one hand, simply having security systems in place may no longer be enough to satisfy the law.
“The bank has to at least take reasonable steps,” Ragalevsky said.
In the Patco case, Ocean Bank didn’t notice the fraud until it was well underway, and it was able to recover less than half of what Patco lost.
On the other hand, account holders are going to have to take more responsibility for their own security. “They bought all the right products, but they didn’t use them the right way,” Ragalevsky said of Patco. “If they had got emails for unusual activity, they would have at least been able to stop it.”
While the appeals court remanded the case for further consideration, it advised, “On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.”





