A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. As described by the court in its opinion:
Over seven days in May 2009, [People's United] Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the perpetrators correctly supplied Patco’s customized answers to security questions. Although the bank’s security system flagged each of these transactions as unusually “high-risk” because they were inconsistent with the timing, value, and geographic location of Patco’s regular payment orders, the bank’s security system did not notify its commercial customers of this information and allowed the payments to go through. Ocean Bank was able to block or recover $243,406.83, leaving a residual loss to Patco of $345,444.43.
The opinion discusses the various security protocols put in place by the bank, and it provides a useful primer on how security can be technically sound and still fail in practice in the face of fraudulent activities:
Despite these unusual characteristics, the bank again took no steps to notify Patco and batched and processed the transaction as usual, which was paid by the bank. . . .
Despite the breach, the bank argued that argued that because Patco agreed to the security system in use by the bank, and because the security system was commercially reasonable, the bank should not be held liable for the loss. Patco countered that the bank’s security system was not commercially reasonable, that it did not agree to all of the bank’s procedures, and that the bank did not comply with its own procedures. The Court of Appeals concluded that the bank’s “collective failures taken as a whole, rather than any single failure,  rendered Ocean Bank’s security system commercially unreasonable.”