Appeals court finds bank liable for $588,000 ACH theft

updated 07:30 pm EDT, Fri July 6, 2012

Security used 'commercially unreasonable,' didn't meet federal standards

The US Federal Court of Appeals for the First Circuit has reversed a lower court's decision and found Ocean Bank (now People's United) at fault for a $588,000 "virtual robbery" in 2008 against Sanford, ME-based Patco Construction Company. Calling the bank's security systems "commercially unreasonable," the Boston-based appeals court returned some specific aspects of the case to the original court and judge for review, but is encouraging both parties to settle the matter out of court.

In September 2008, the construction company filed suit against the bank. Patco used online banking to make weekly payroll payments. The banking login credentials were stolen from Patco in May 2009 by the ZeuS trojan. Using the lifted data, thieves removed $588,000 in several batches from the account in automated clearing house (ACH) transfers over a week.

Ocean Bank was able to block or retrieve $243,406 of the stolen funds, leaving the construction company with a loss of $345,445. To make up the difference between the retrieved funds and the lost funds, Ocean Bank drew $223,237 on Patco's credit to cover the transfers. Patco sued shortly thereafter, arguing that the bank didn't provide multi-factor authentication, as laid out by the Federal Financial Institutions Examination Council (FFIEC).

In the court's 43-page decision, the appeals court found Ocean Bank's fraud monitoring lacking overall. The statement clarified that "when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable."

Charisse Castagnoli, a bank fraud expert and security consultant, said the decision could open the door to lawsuits from small businesses similarly robbed because of inadequate or outdated security procedures. Furthermore, she said that the appeals court didn't address what the victim's obligations are for maintaining security in the case that bank security fails, such as a requirement for timely balance checks and responses to bank notifications. "At the same time, you can't be a sloppy or naive customer," added Castagnoli, "as the court is clearly looking for the customer to behave with some understanding of what the bank is doing with their money."

By Electronista Staff