In analyzing a claim under Article 4A (Electronic Funds Transfers) of the Uniform Commercial Code, the U.S. Court of Appeals for the First Circuit determined that a bank did not utilize commercially reasonable security procedures when it failed to monitor risk reports and decreased the dollar threshold which triggered use of challenge questions by customers. Patco Construction Company, Inc. v. Peoples United Bank (July 3, 2012) . The practical take away from this ruling is that “commercially reasonable security” requires active monitoring and that the effectiveness and commercially reasonableness of security procedures can be impacted by treating all transactions as “high risk.”
In reaching its conclusion the court noted that the security procedures utilized by the bank were provided by a third party and included increased levels of risk for higher risk transactions. The third party security provider provided the bank with analytical tools to evaluate electronic transactions using multiple risk factors to identify high risk transactions. The bank personnel did not monitor the risk reports provided by the analytical tools. In addition, the bank modified the risk scoring function of the third party security system so that the threshold triggering challenge questions for high risk transactions was decreased from $100,000 to $1. The net result of the bank’s modification being that bank customers were required to utilize the answers to their challenge questions more frequently. The court reasoned that more frequent disclosure of the answers to the challenge questions increased the likelihood that the answers would be compromised and therefore reduced the security associated with their use. In conclusion, the court found that the failure of the bank to monitor the security system analytics in conjunction with a modification of the system which increased the likelihood that security controls would be compromised, did not meet the obligation of the bank arising under Article 4A of the UCC to maintain commercially reasonable security procedures.
Should you have any questions, please contact Michael Batt at 317.977.1417 or mbatt@wp.hallrender.com.
