APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MAINE [Hon. D. Brock Hornby, U.S. District Judge]
The opinion of the court was delivered by: Lynch, Chief Judge.
Before Lynch, Chief Judge, Lipez and Howard, Circuit Judges.
Over seven days in May 2009, Ocean Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the perpetrators correctly supplied Patco's customized answers to security questions. Although the bank's security system flagged each of these transactions as unusually "high-risk" because they were inconsistent with the timing, value, and geographic location of Patco's regular payment orders, the bank's security system did not notify its commercial customers of this information and allowed the payments to go through. Ocean Bank was able to block or recover $243,406.83, leaving a residual loss to Patco of $345,444.43.
Patco brought suit, setting forth six counts against People's United Bank, a regional bank which had acquired Ocean Bank. The suit alleged, inter alia, that the bank should bear the loss because its security system was not commercially reasonable under Article 4A of the Uniform Commercial Code ("UCC"), as codified under Maine Law at Me. Rev. Stat. Ann. tit. 11, § 4-1101 et seq., and that Patco had not consented to the procedures.
On cross-motions for summary judgment,*fn1 the district court held that the bank's security system was commercially reasonable and on that basis entered judgment in favor of the bank on the first count. Patco Constr. Co. v. People's United Bank, No. 09-cv-503, 2011 WL 3420588 (D. Me. Aug. 4, 2011). The district court also granted summary judgment in favor of the bank on the remaining counts, holding that they were either dependent on or displaced by the analysis and law underlying the first count. Id.
We reverse the district court's grant of summary judgment in favor of the bank and affirm its denial of Patco's motion for summary judgment on the first count. In particular, we leave open the question of what, if any, obligations or responsibilities Article 4A imposes on Patco. We also reinstate certain other claims dismissed by the district court, and remand for proceedings consistent with this opinion.
The facts, which are largely undisputed, are as follows. Where the facts remain in dispute, we relate them in the light most favorable to Patco, the non-moving party. See Valley Forge Ins. Co. v. Field, 670 F.3d 93, 96-97 (1st Cir. 2012).
Patco is a small property development and contractor business located in Sanford, Maine. Patco began banking with Ocean Bank in 1985. Ocean Bank was acquired by the Chittenden family of banks, which was later acquired by People's United Bank, a regional bank based in Bridgeport, Connecticut. People's United Bank operates other local Maine banks such as Maine Bank & Trust, where Patco also had an account in May 2009. Ocean Bank was a division of People's United at the time of the fraudulent withdrawals at issue in this case.
In September 2003, Patco added internet banking -- also known as "eBanking" -- to its commercial checking account at Ocean Bank. Ocean Bank allows its eBanking commercial customers to make electronic funds transfers through Ocean Bank via the Automated Clearing House ("ACH") network, a system used by banks to transfer funds electronically between accounts. Patco used eBanking primarily to make regular weekly payroll payments. These regular payroll payments had certain repeated characteristics: they were always made on Fridays; they were always initiated from one of the computers housed at Patco's offices in Sanford, Maine; they originated from a single static Internet Protocol ("IP") address;*fn2 and they were accompanied by weekly withdrawals for federal and state tax withholding as well as 401(k) contributions. The highest payroll payment Patco ever made using eBanking was $36,634.74. Until October of 2008, Patco also used eBanking to transfer money from the accounts of Patco and related entities at Maine Bank & Trust, which maintains a branch in Sanford, Maine, into its Ocean Bank checking account.
In September 2003, when it added eBanking services, Patco entered into several agreements with Ocean Bank.*fn3 Most significantly, Patco entered into the eBanking for Business Agreement. The eBanking agreement stated that "use of the Ocean National Bank's eBanking for Business password constitutes authentication of all transactions performed by you or on your behalf." The eBanking agreement stated that Ocean Bank did not "assume any responsibilities" with respect to Patco's use of eBanking, that "electronic transmission of confidential business and sensitive personal information" was at Patco's risk, and that Ocean Bank was liable only for its gross negligence, limited to six months of fees. The eBanking agreement also provided that:
[U]se of Ocean National Bank's eBanking for Business by any one owner of a joint account or by an authorized signor on an account, shall be deemed an authorized transaction on an account unless you provide us with written notice that the use of Ocean National Bank's eBanking for Business is terminated or that the joint account owner or authorized signor has been validly removed form [sic] the account.
The agreement provided that Patco had to contact the bank immediately upon discovery of an unauthorized transaction.
The bank also reserved the right to modify the terms and conditions of the eBanking agreement at any time, effective upon publication. The bank claims that at some point before May 2009, it modified the eBanking agreement to state:
If you choose to receive ACH debit transactions on your commercial accounts, you assume all liability and responsibility to monitor those commercial accounts on a daily basis. In the event that you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs.
The bank claims that it published this modified eBanking agreement on its website before May 2009. Patco disputes that this agreement was modified and/or published on the bank's website before May 2009, and argues that the modified agreement was therefore not effective as between the parties.
B. Ocean Bank's Security Measures
In 2004, Ocean Bank began using Jack Henry & Associates to provide its core online banking platform, known as "NetTeller." Jack Henry provides the NetTeller product to approximately 1,300 of its 1,500 bank customers.
In October 2005, the agencies of the Federal Financial Institutions Examination Council*fn4 ("FFIEC"), responding to increased online banking fraud, issued guidance titled "Authentication in an Internet Banking Environment." See Fed. Fin. Insts. Examination Council, Authentication in an Internet Banking Environment (Aug. 8, 2001), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf [hereinafter "FFIEC Guidance"]. The Guidance was intended to aid financial institutions in "evaluating and implementing authentication systems and practices whether they are provided internally or by a service provider." Id. at 1. The Guidance provides that "financial institutions should periodically . . . [a]djust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information." Id. at 2.
The Guidance explains that existing authentication methodologies involve three basic "factors": (1) something the user knows (e.g., password, personal identification number); (2) something the user has (e.g., ATM card, smart card); and (3) something the user is (e.g., biometric characteristic, such as a fingerprint). Id. at 3. It states:
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). A multifactor authentication methodology may also include "out-of-band" controls for risk mitigation.
Id. The Guidance also states:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. . . . Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Following publication of the FFIEC Guidance, Ocean Bank worked with Jack Henry to conduct a risk assessment and institute appropriate authentication protocols to comply with the Guidance. The bank determined that its eBanking product was a "high risk" system that required enhanced security, and in particular, multifactor authentication.
Jack Henry entered into a re-seller agreement with Cyota, Inc., an RSA Security Company ("RSA/Cyota"), for a multifactor authentication system to integrate into its NetTeller product so that it could offer security solutions compliant with the FFIEC Guidance. Through collaboration with RSA/Cyota, Jack Henry made two multifactor authentication products available to its customers to meet the FFIEC Guidance: the "Basic" package and the "Premium" package.
Ocean Bank selected the Jack Henry "Premium" package, which it implemented by January 2007. The system, as implemented by Ocean Bank, had six key features:
1. User IDs and Passwords: The system required each authorized Patco employee to use both a company ID and password and a user-specific ID and password to access online banking.
2. Invisible Device Authentication: The system placed a "device cookie" onto customers' computers to identify particular computers used to access online banking. The device cookie would be used to help establish a secure communication session with the NetTeller environment and to contribute to the component risk score. Whenever the cookie was changed or was new, that impacted the risk score and potentially triggered challenge questions.
3. Risk Profiling: The system entailed the building of a risk profile for each customer by RSA/Cyota based on a number of different factors, including the location from which a user logged in, when/how often a user logged in, what a user did while on the system, and the size, type, and frequency of payment orders normally issued by the customer to the bank. The Premium Product noted the IP address that the customer typically used to log into online banking and added it to the customer profile.
RSA/Cyota's adaptive monitoring provided a risk score to the bank for every log-in attempt and transaction based on a multitude of data, including but not limited to IP address, device cookie ID, Geo location, and transaction activity. If a user's transaction differed from its normal profile, RSA/Cyota reported to the bank an elevated risk score for that transaction. RSA/Cyota considered transactions generating risk scores in excess of 750, on a scale from 0 to 1,000, to be high-risk transactions. "Challenge questions," described below, were prompted any time the risk score for a transaction exceeded 750.
4. Challenge Questions: The system required users, during initial log-in, to select three challenge questions and responses. The challenge questions might be prompted for various reasons. For example, if the risk score associated with a particular transaction exceeded 750, the challenge questions would be triggered. If the challenge question responses entered by the user did not match the ones originally provided, the customer would receive an error message. If the customer was unable to answer the challenge questions in three attempts, the customer was blocked from online banking and would be required to contact the bank.
5. Dollar Amount Rule: The system permitted financial institutions to set a dollar threshold amount above which a transaction would automatically trigger the challenge questions even if the user ID, password, and device cookie were all valid. In August 2007, Ocean Bank set the dollar amount rule to $100,000. On June 6, 2008, Ocean Bank lowered the dollar amount rule from $100,000 to $1. After the Bank lowered the threshold to $1, Patco was prompted to answer challenge questions every time it initiated a transaction. In May 2009, when the fraud at issue in this case occurred, the dollar amount rule threshold remained at $1.
6. Subscription to the eFraud Network: The Jack Henry Premium Product provided Ocean Bank with a subscription to the eFraud Network, which compared characteristics of the transaction (such as the IP address of the user seeking access to the Bank's system) with those of known instances of fraud. The eFraud Network allowed financial institutions to report IP addresses or other discrete identifying characteristics identified with instances of fraud. An attempt to access a customer's NetTeller account initiated by someone with that characteristic would then be automatically blocked. The individual would not even be prompted for challenge questions.
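As an added illustration, not code from the opinion, Jack Henry, or RSA/Cyota, the following Python models the decision flow described in items 3 through 5: a constructed per-transaction risk score compared against the 750 threshold, combined with the bank-configurable dollar amount rule, evaluated once with the rule at $100,000 and once at $1. The scoring weights, IP addresses, cookies and dates are constructed; only the 750 threshold, Patco's Friday payroll pattern and its $36,634.74 maximum payment come from the opinion, and the notify_customer field is an assumed layered control that the opinion states the bank's system did not provide.

```python
from dataclasses import dataclass
from datetime import date
# RSA/Cyota treated scores above 750 (on a 0-1000 scale) as high-risk, per the opinion.
HIGH_RISK_THRESHOLD = 750

@dataclass
class CustomerProfile:
    usual_ip: str        # static IP the customer normally logs in from
    usual_cookie: str    # device cookie planted on the customer's machine
    usual_weekday: int   # 4 = Friday (Patco's payroll day)
    max_amount: float    # largest payment previously issued by this customer

@dataclass
class Transaction:
    ip: str
    cookie: str
    when: date
    amount: float

def risk_score(profile: CustomerProfile, tx: Transaction) -> int:
    """Constructed additive scoring; the weights are illustrative, not RSA/Cyota's model."""
    score = 0
    if tx.ip != profile.usual_ip:
        score += 400                      # unfamiliar network / geographic location
    if tx.cookie != profile.usual_cookie:
        score += 300                      # unrecognised device
    if tx.when.weekday() != profile.usual_weekday:
        score += 150                      # off-pattern timing
    if tx.amount > profile.max_amount:
        score += 300                      # larger than anything previously issued
    return min(score, 1000)

def decide(profile: CustomerProfile, tx: Transaction, dollar_rule: float) -> dict:
    """Apply the risk threshold and the bank-configurable dollar amount rule."""
    score = risk_score(profile, tx)
    high_risk = score > HIGH_RISK_THRESHOLD
    return {
        "score": score,
        "high_risk": high_risk,
        # challenge questions fire on high risk OR on any amount above the dollar rule
        "challenge": high_risk or tx.amount > dollar_rule,
        # assumed layered control: surface the high-risk flag to the customer
        "notify_customer": high_risk,
    }

# Constructed sample data: Patco's routine Friday payroll vs. an off-pattern order.
PATCO = CustomerProfile("203.0.113.10", "cookie-patco-01", 4, 36634.74)
PAYROLL = Transaction("203.0.113.10", "cookie-patco-01", date(2009, 5, 1), 30000.00)
SUSPECT = Transaction("198.51.100.77", "cookie-unknown", date(2009, 5, 7), 90000.00)
```

With the rule at $100,000 the routine payroll passes with no challenge, while at $1 it is challenged exactly like the anomalous order, so the challenge questions no longer distinguish routine from off-pattern transactions.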
Ocean Bank asserts that on December 1, 2006, as it began to implement the Jack Henry system, it also began to offer the option of e-mail alerts to its eBanking customers. If the customer chose to receive such alerts, the bank would send the customer e-mails regarding incoming/outgoing transactions, changes to the customer's balance, the clearing of checks, and/or alerts on certain customer-specified dates. Patco claims it did not receive notice that e-mail alerts were available and this is a disputed issue of fact. It appears that notice of the availability of e-mail alerts was not readily visible. To set up alerts through the eBanking system, a user would have to first click the "Preferences" tab on the eBanking webpage, then click on a second tab labeled "Alerts," and then ...