July 05, 2012, 1:32 AM — A U.S. construction company may stand a greater chance of recovering some of the US$345,000 it lost in fraudulent wire transfers that it blames on poor online banking practices of its bank.
Patco Construction Company, based in Sanford, Maine, sued Ocean Bank, now called People's United Bank, after fraudsters made six wire transfers using the Automated Clearing House (ACH) transfer system amounting to more than $588,000 in May 2009. About $243,000 was recovered.
In its suit, Patco alleged among other claims that Ocean Bank's online security was not commercially reasonable under Article 4A of the Uniform Commercial Code (UCC), a federal code governing contractual disputes that has been adopted into most U.S. states' laws.
The UCC does not allow claims such as negligence, fraud and breach of contract. The code makes it potentially costly for small businesses to sue financial institutions over cybercrime-related fraud. Even if a small business wins a lawsuit, under the code the financial damages are limited only to the money stolen plus interest.
In a significant twist, a three-judge federal appeals court panel found on Tuesday that Ocean Bank's online security measures were not "commercially reasonable," reversing a lower court ruling from May 2011.
It doesn't mean that Patco will be refunded. The appeals court said further hearings will be needed to determine what responsibilities Patco may have had to protect itself during online banking transactions. The court also advised that despite its ruling, Patco and Ocean Bank may want to try to settle the issue out of court.
Patco maintains the fraudulent transfers were caused by the Zeus malware, which can capture authentication credentials enabling fraudsters to initiate their own illegitimate transfers.
In its decision, the appeals court cited a critical mistake made by Ocean Bank as ACH fraud had become more prevalent. In June 2008, Ocean Bank decided to initiate "challenge questions" for any transactions for its customers valued at more than $1.
Challenge questions are often used in authentication systems and require a user to enter additional information aside from a login or password, such as the name of the first street a person lived on or the model of their first car.