United States Court of Appeals
For the First Circuit
No. 11-2031
PATCO CONSTRUCTION COMPANY, INC.,
Plaintiff, Appellant,
v.
PEOPLE'S UNITED BANK, d/b/a Ocean Bank,
Defendant, Appellee.
APPEAL FROM THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF MAINE
[Hon. D. Brock Hornby, U.S. District Judge]
Before
Lynch, Chief Judge,
Lipez and Howard, Circuit Judges.
Daniel J. Mitchell, with whom Eben M. Albert-Knopp and
Bernstein Shur were on brief, for appellant.
Brenda R. Sharton, with whom Don M. Kennedy, Katherine A.
Borden, and Goodwin Procter LLP were on brief, for appellee.
July 3, 2012
LYNCH, Chief Judge. Over seven days in May 2009, Ocean
Bank, a southern Maine community bank, authorized six apparently
fraudulent withdrawals, totaling $588,851.26, from an account held
by Patco Construction Company, after the perpetrators correctly
supplied Patco's customized answers to security questions.
Although the bank's security system flagged each of these
transactions as unusually "high-risk" because they were
inconsistent with the timing, value, and geographic location of
Patco's regular payment orders, the bank's security system did not
notify its commercial customers of this information and allowed the
payments to go through. Ocean Bank was able to block or recover
$243,406.83, leaving a residual loss to Patco of $345,444.43.
Patco brought suit, setting forth six counts against
People's United Bank, a regional bank which had acquired Ocean
Bank. The suit alleged, inter alia, that the bank should bear the
loss because its security system was not commercially reasonable
under Article 4A of the Uniform Commercial Code ("UCC"), as
codified under Maine Law at Me. Rev. Stat. Ann. tit. 11, § 4-1101
et seq., and that Patco had not consented to the procedures.
-2-
On cross-motions for summary judgment,1 the district
court held that the bank's security system was commercially
reasonable and on that basis entered judgment in favor of the bank
on the first count. Patco Constr. Co. v. People's United Bank, No.
09–cv–503, 2011 WL 3420588 (D. Me. Aug. 4, 2011). The district
court also granted summary judgment in favor of the bank on the
remaining counts, holding that they were either dependent on or
displaced by the analysis and law underlying the first count. Id.
We reverse the district court's grant of summary judgment
in favor of the bank and affirm its denial of Patco's motion for
summary judgment on the first count. In particular, we leave open
the question of what, if any, obligations or responsibilities
Article 4A imposes on Patco. We also reinstate certain other
claims dismissed by the district court, and remand for proceedings
consistent with this opinion.
I.
The facts, which are largely undisputed, are as follows.
Where the facts remain in dispute, we relate them in the light most
favorable to Patco, the non-moving party. See Valley Forge Ins.
Co. v. Field, 670 F.3d 93, 96-97 (1st Cir. 2012).
1
The parties dispute whether Maine or Connecticut law
governs this case. We need not decide this question here as both
states have enacted UCC Article 4A, and thus, under either state's
laws, the outcome is the same. Compare Me. Rev. Stat. Ann. tit.
11, § 4-1101 et seq. with Conn. Gen. Stat. Ann. § 42a-4A-101 et
seq. The parties do not identify any difference in the two
enactments that would affect our analysis.
-3-
A. The Parties
Patco is a small property development and contractor
business located in Sanford, Maine. Patco began banking with Ocean
Bank in 1985. Ocean Bank was acquired by the Chittenden family of
banks, which was later acquired by People's United Bank, a regional
bank based in Bridgeport, Connecticut. People's United Bank
operates other local Maine banks such as Maine Bank & Trust, where
Patco also had an account in May 2009. Ocean Bank was a division
of People's United at the time of the fraudulent withdrawals at
issue in this case.
In September 2003, Patco added internet banking -- also
known as "eBanking" -- to its commercial checking account at Ocean
Bank. Ocean Bank allows its eBanking commercial customers to make
electronic funds transfers through Ocean Bank via the Automated
Clearing House ("ACH") network, a system used by banks to transfer
funds electronically between accounts. Patco used eBanking
primarily to make regular weekly payroll payments. These regular
payroll payments had certain repeated characteristics: they were
always made on Fridays; they were always initiated from one of the
computers housed at Patco's offices in Sanford, Maine; they
originated from a single static Internet Protocol ("IP") address;2
2
"An IP address is the unique address assigned to every
machine on the internet. An IP address consists of four numbers
separated by dots, e.g., 166.132.78.215." United States v.
Kearney, 672 F.3d 81, 84 n.1 (1st Cir. 2012) (quoting United States
v. Vázquez–Rivera, 665 F.3d 351, 354 n.5 (1st Cir. 2011)).
-4-
and they were accompanied by weekly withdrawals for federal and
state tax withholding as well as 401(k) contributions. The highest
payroll payment Patco ever made using eBanking was $36,634.74.
Until October of 2008, Patco also used eBanking to transfer money
from the accounts of Patco and related entities at Maine Bank &
Trust, which maintains a branch in Sanford, Maine, into its Ocean
Bank checking account.
In September 2003, when it added eBanking services, Patco
entered into several agreements with Ocean Bank.3 Most
significantly, Patco entered into the eBanking for Business
Agreement. The eBanking agreement stated that "use of the Ocean
National Bank's eBanking for Business password constitutes
authentication of all transactions performed by you or on your
behalf." The eBanking agreement stated that Ocean Bank did not
"assume[] any responsibilities" with respect to Patco's use of
eBanking, that "electronic transmission of confidential business
3
These include the Investment and Line of Credit Sweep
Account (Managed Balance Agency Agreement), which authorized Ocean
Bank to transfer funds from Patco's account as needed to maintain
a target balance in Patco's separate investment account. Patco
also signed the Ocean Bank Automated Clearing House Agreement,
which provided that Patco was responsible for electronic transfers
"purport[ed] to have been transmitted or authorized" by Patco, even
if a transfer was not actually authorized by Patco, "provided Bank
acted in compliance with the security procedure referred to in
Schedule A." Patco asserts that the security procedures provided
in Schedule A do not, by their express terms, apply to eBanking
transactions such as those here.
-5-
and sensitive personal information" was at Patco's risk, and that
Ocean Bank was liable only for its gross negligence, limited to six
months of fees. The eBanking agreement also provided that:
[U]se of Ocean National Bank's eBanking for
Business by any one owner of a joint account
or by an authorized signor on an account,
shall be deemed an authorized transaction on
an account unless you provide us with written
notice that the use of Ocean National Bank's
eBanking for Business is terminated or that
the joint account owner or authorized signor
has been validly removed form [sic] the
account.
The agreement provided that Patco had to contact the bank
immediately upon discovery of an unauthorized transaction.
The bank also reserved the right to modify the terms and
conditions of the eBanking agreement at any time, effective upon
publication. The bank claims that at some point before May 2009,
it modified the eBanking agreement to state:
If you choose to receive ACH debit
transactions on your commercial accounts, you
assume all liability and responsibility to
monitor those commercial accounts on a daily
basis. In the event that you object to any
ACH debit, you agree to notify us of your
objection on the same day the debit occurs.
The bank claims that it published this modified eBanking agreement
on its website before May 2009. Patco disputes that this agreement
was modified and/or published on the bank's website before May
2009, and argues that the modified agreement was therefore not
effective as between the parties.
-6-
B. Ocean Bank's Security Measures
In 2004, Ocean Bank began using Jack Henry & Associates
to provide its core online banking platform, known as "NetTeller."
Jack Henry provides the NetTeller product to approximately 1,300 of
its 1,500 bank customers.
In October 2005, the agencies of the Federal Financial
Institutions Examination Council4 ("FFIEC"), responding to
increased online banking fraud, issued guidance titled
"Authentication in an Internet Banking Environment." See Fed. Fin.
Insts. Examination Council, Authentication in an Internet Banking
Environment (Aug. 8, 2001), available at http://www.ffiec.gov/pdf/
authentication_guidance.pdf [hereinafter "FFIEC Guidance"]. The
Guidance was intended to aid financial institutions in "evaluating
and implementing authentication systems and practices whether they
are provided internally or by a service provider." Id. at 1. The
Guidance provides that "financial institutions should periodically
. . . [a]djust, as appropriate, their information security program
in light of any relevant changes in technology, the sensitivity of
its customer information, and internal or external threats to
information." Id. at 2.
4
The FFIEC is an interagency body created by statute and
charged with "establish[ing] uniform principles and standards and
report forms for the examination of financial institutions which
shall be applied by the Federal financial institutions regulatory
agencies." 12 U.S.C. § 3305(a).
-7-
The Guidance explains that existing authentication
methodologies involve three basic "factors": (1) something the user
knows (e.g., password, personal identification number); (2)
something the user has (e.g., ATM card, smart card); and (3)
something the user is (e.g., biometric characteristic, such as a
fingerprint). Id. at 3. It states:
Authentication methods that depend on more
than one factor are more difficult to
compromise than single-factor methods.
Accordingly, properly designed and implemented
multifactor authentication methods are more
reliable and stronger fraud deterrents. For
example, the use of a logon ID/password is
single-factor authentication (i.e., something
the user knows); whereas, an ATM transaction
requires multifactor authentication: something
the user possesses (i.e., the card) combined
with something the user knows (i.e., PIN). A
multifactor authentication methodology may
also include "out-of-band" controls for risk
mitigation.
Id. The Guidance also states:
The agencies consider single-factor
authentication, as the only control mechanism,
to be inadequate for high-risk transactions
involving access to customer information or
the movement of funds to other parties. . . .
Account fraud and identity theft are
frequently the result of single-factor (e.g.,
ID/password) authentication exploitation.
Where risk assessments indicate that the use
of single-factor authentication is inadequate,
financial institutions should implement
multifactor authentication, layered security,
or other controls reasonably calculated to
mitigate those risks.
Id. at 1-2.
-8-
Following publication of the FFIEC Guidance, Ocean Bank
worked with Jack Henry to conduct a risk assessment and institute
appropriate authentication protocols to comply with the Guidance.
The bank determined that its eBanking product was a "high risk"
system that required enhanced security, and in particular,
multifactor authentication.
Jack Henry entered into a re-seller agreement with Cyota,
Inc., an RSA Security Company ("RSA/Cyota"), for a multifactor
authentication system to integrate into its NetTeller product so
that it could offer security solutions compliant with the FFIEC
Guidance. Through collaboration with RSA/Cyota, Jack Henry made
two multifactor authentication products available to its customers
to meet the FFIEC Guidance: the "Basic" package and the "Premium"
package.
Ocean Bank selected the Jack Henry "Premium" package,
which it implemented by January 2007. The system, as implemented
by Ocean Bank, had six key features:
1. User IDs and Passwords: The system required each
authorized Patco employee to use both a company ID and password and
a user-specific ID and password to access online banking.
2. Invisible Device Authentication: The system placed a
"device cookie" onto customers' computers to identify particular
computers used to access online banking. The device cookie would
be used to help establish a secure communication session with the
-9-
NetTeller environment and to contribute to the component risk
score. Whenever the cookie was changed or was new, that impacted
the risk score and potentially triggered challenge questions.
3. Risk Profiling: The system entailed the building of a
risk profile for each customer by RSA/Cyota based on a number of
different factors, including the location from which a user logged
in, when/how often a user logged in, what a user did while on the
system, and the size, type, and frequency of payment orders
normally issued by the customer to the bank. The Premium Product
noted the IP address that the customer typically used to log into
online banking and added it to the customer profile.
RSA/Cyota's adaptive monitoring provided a risk score to
the bank for every log-in attempt and transaction based on a
multitude of data, including but not limited to IP address, device
cookie ID, Geo location, and transaction activity. If a user's
transaction differed from its normal profile, RSA/Cyota reported to
the bank an elevated risk score for that transaction. RSA/Cyota
considered transactions generating risk scores in excess of 750, on
a scale from 0 to 1,000, to be high-risk transactions. "Challenge
questions," described below, were prompted any time the risk score
for a transaction exceeded 750.
4. Challenge Questions: The system required users, during
initial log-in, to select three challenge questions and responses.
The challenge questions might be prompted for various reasons. For
-10-
example, if the risk score associated with a particular transaction
exceeded 750, the challenge questions would be triggered. If the
challenge question responses entered by the user did not match the
ones originally provided, the customer would receive an error
message. If the customer was unable to answer the challenge
questions in three attempts, the customer was blocked from online
banking and would be required to contact the bank.
5. Dollar Amount Rule: The system permitted financial
institutions to set a dollar threshold amount above which a
transaction would automatically trigger the challenge questions
even if the user ID, password, and device cookie were all valid.
In August 2007, Ocean Bank set the dollar amount rule to $100,000.
On June 6, 2008, Ocean Bank lowered the dollar amount rule from
$100,000 to $1. After the Bank lowered the threshold to $1, Patco
was prompted to answer challenge questions every time it initiated
a transaction. In May 2009, when the fraud at issue in this case
occurred, the dollar amount rule threshold remained at $1.
6. Subscription to the eFraud Network: The Jack Henry
Premium Product provided Ocean Bank with a subscription to the
eFraud Network, which compared characteristics of the transaction
(such as the IP address of the user seeking access to the Bank's
system) with those of known instances of fraud. The eFraud Network
allowed financial institutions to report IP addresses or other
discrete identifying characteristics identified with instances of
-11-
fraud. An attempt to access a customer's NetTeller account
initiated by someone with that characteristic would then be
automatically blocked. The individual would not even be prompted
for challenge questions.
Ocean Bank asserts that on December 1, 2006, as it began
to implement the Jack Henry system, it also began to offer the
option of e-mail alerts to its eBanking customers. If the customer
chose to receive such alerts, the bank would send the customer e-
mails regarding incoming/outgoing transactions, changes to the
customer's balance, the clearing of checks, and/or alerts on
certain customer-specified dates. Patco claims it did not receive
notice that e-mail alerts were available and this is a disputed
issue of fact. It appears that notice of the availability of e-
mail alerts was not readily visible. To set up alerts through the
eBanking system, a user would have to first click the "Preferences"
tab on the eBanking webpage, then click on a second tab labeled
"Alerts," and then follow several additional steps to activate
individual alerts. Patco claims it never saw anything on the
website indicating that e-mail alerts were available, and it
therefore never set up e-mail alerts.
C. Security Measures Available Which Ocean Bank Chose Not to
Implement
There were several additional security measures that were
available to Ocean Bank but that the bank chose not to implement:
-12-
1. Out-of-Band Authentication: Jack Henry offered Ocean
Bank a version of the NetTeller system that included an out-of-band
authentication option. Out-of-band authentication "generally
refers to additional steps or actions taken beyond the technology
boundaries of a typical transaction." Id. at 3 n.5. Examples of
out-of-band authentication include notification to the customer,
callback (voice) verification, e-mail approval from the customer,
and cell phone based challenge/response processes. The FFIEC
Guidance identifies out-of-band authentication as a useful method
of risk mitigation. See id. at 11-12.
2. User-Selected Picture: Ocean Bank's security
procedures did not include the user-selected picture function that
was available through Jack Henry's Premium option. Ocean Bank
states that it did not utilize the user-selected picture function
because it already utilized other anti-phishing5 controls.
3. Tokens: Tokens are physical devices (something the
person has), such as a USB token device, a smart card, or a
password-generating token. The FFIEC Guidance identifies tokens as
a useful part of a multifactor authentication scheme. See id. at
8. Tokens were not available from Jack Henry when Ocean Bank
5
Phishing involves an attempt to acquire information such as
usernames, passwords, or financial data by a perpetrator
masquerading as a legitimate enterprise. Typically, the
perpetrator will provide an e-mail or link that directs the victim
to enter or update personal information at a phony website that
mimics an established, legitimate website which the victim either
has used before or perceives to be a safe place to enter
information.
-13-
implemented its system in 2007, but were readily available to
financial institutions at that time through other sources.
Although People's United Bank has used tokens since at least
January of 2008, Ocean Bank did not do so until after the fraud in
this case occurred.
4. Monitoring of Risk-Scoring Reports: In May 2009, bank
personnel did not monitor the risk-scoring reports received as part
of the Premium Product package, nor did the bank conduct any other
regular review of transactions that generated high risk scores. In
May 2009, the bank had the capability to conduct manual review of
high-risk transactions through its transaction-profiling and
risk-scoring system, but did not do so. The bank also had the
ability to call a customer if it detected fraudulent activity, but
did not do so. The bank began conducting manual reviews of
high-risk transactions in late 2009, after the fraud in this case
occurred. Since then, the bank has instituted a policy of calling
the customer in the case of uncharacteristic transactions to
inquire if the customer did indeed initiate the transaction.
D. The Fraudulent Transfers
Beginning on May 7, 2009, a series of withdrawals were
made on Patco's account over the course of several days.
On May 7, unknown third parties initiated a $56,594 ACH
withdrawal from Patco's account. The perpetrators supplied the
proper credentials of one of Patco's employees, including her ID,
-14-
password, and answers to her challenge questions. The payment on
this withdrawal was directed to go to the accounts of numerous
individuals, none of whom had previously been sent money by Patco.
The perpetrators logged in from a device unrecognized by Ocean
Bank's system, and from an IP address that Patco had never before
used. The risk-scoring engine generated a risk score of 790 for
the transaction, a significant departure from Patco's usual risk
scores, which generally ranged from 10 to 214. There is no
evidence that Patco's risk scores prior to the fraudulent transfers
in this case ever exceeded 214. The risk-scoring engine reported
the following contributors to the risk score for that transaction:
(1) "Very high risk non-authenticated device"; (2) "High risk
transaction amount"; (3) "IP anomaly"; and (4) "Risk score
distributor per cookie age." An RSA manual describing risk score
contributors states that any transaction triggering the contributor
"Very high risk non-authenticated device" is "a very high-risk
transaction." Despite this high risk score, Patco was not
notified. Moreover, it appears no one at the bank monitored these
high-risk transactions. Bank personnel did not manually review the
May 7, 2009 transaction. The bank batched and processed the
transaction as usual, and it was paid the next day.
The activities of May 7 having successfully resulted in
payment, on Friday, May 8, 2009, unknown third parties again
successfully initiated an ACH payment order from Patco's account,
-15-
this time for $115,620.26. As before, the perpetrators wired money
to multiple individual accounts to which Patco had never before
sent funds. The perpetrators again used a device that was not
recognized by Ocean Bank's system. The payment order originated
from the same IP address as the day before. The transaction was
larger by several magnitudes than any ACH transfer Patco had ever
made to third parties. Despite these unusual characteristics, the
bank again took no steps to notify Patco and batched and processed
the transaction as usual, which was paid by the bank on Monday, May
11, 2009.
On May 11, 12, and 13, unknown third parties initiated
further withdrawals from Patco's account in the amounts of $99,068,
$91,959, and $113,647, respectively. Like the prior fraudulent
transactions, these transactions were uncharacteristic in that they
sent money to numerous individuals to whom Patco had never before
sent funds, were for greater amounts than Patco's ordinary
third-party transactions, were sent from computers that were not
recognized by Ocean Bank's system, and originated from IP addresses
that were not recognized as valid IP addresses of Patco. As a
result of these unusual characteristics, the transactions continued
to generate higher than normal risk scores. The May 11 transaction
generated a risk score of 720, the May 12 transaction triggered a
risk score of 563, and the transaction on May 13 generated a risk
-16-
score of 785. The Bank did not manually review any of these
transactions to determine their legitimacy or notify Patco.
Portions of the transfers, beginning with the first
transfer initiated on May 7, 2009, were automatically returned to
the bank because certain of the account numbers to which the money
was slated to be transferred were invalid. As a result, the bank
sent limited "return" notices to the home of Mark Patterson, one of
Patco's principals, via U.S. mail. Patterson received the first
such notice after work on the evening of May 13, six days after the
allegedly fraudulent withdrawals began.
The next morning, on May 14, 2009, Patco called the bank
to inform it that Patco had not authorized the transactions. Also
on the morning of May 14, another alleged fraudulent transaction
was initiated from Patco's account in the amount of $111,963.
Despite the information from Patco, the bank initially processed
this payment order on May 15, 2009. However, because of the alert
from Patco of the ongoing fraud, the bank then took steps to block
completion of a portion of this transaction and recovered a portion
of the transferred funds shortly thereafter.
At the end of the string of thefts, the amount of money
fraudulently withdrawn from Patco's account totaled $588,851.26, of
which $243,406.83 was automatically returned or blocked and
recovered.
-17-
According to Ocean Bank, on May 14, 2009, immediately
after the allegedly fraudulent withdrawals occurred, the bank gave
instructions to Patco. It instructed Patco to disconnect the
computers it used for electronic banking from its network; to stop
using these computers for work purposes; to leave the computers
turned on; and to bring in a third-party forensic professional or
law enforcement to create a forensic image of the computers to
determine whether a security breach had occurred. Ocean Bank
claims, and Patco disputes, that Patco did not isolate its
computers or forensically preserve the hard drives; and that Patco
employees continued to use their computers during the week
following the alleged fraud. In another dispute of fact, Patco
states that Ocean Bank recommended only that Patco check its system
for a security breach using a third-party forensic professional,
which Patco did.
Shortly after the fraudulent transfers, Patco hired an IT
consultant, who ran anti-malware scans on the computers. A remnant
of a Zeus/Zbot malware was found. However, the Zeus/Zbot malware,
which contained the encryption key for the Zeus/Zbot configuration
file, was quarantined and then deleted by the anti-malware scan.
Without the encryption key, it is impossible to decrypt the
configuration file and identify what information, if any, the
Zeus/Zbot malware would have captured, if in fact it was of a type
that would have intercepted authentication credentials.
-18-
II.
On September 18, 2009, Patco filed suit against People's
United in Maine Superior Court, York County. The complaint
included six counts: (I) liability under Article 4A of the Uniform
Commercial Code ("UCC"); (II) negligence; (III) breach of contract;
(IV) breach of fiduciary duty; (V) unjust enrichment; and (VI)
conversion. On October 9, 2009, People's United removed the case
to the United States District Court for the District of Maine.
On August 27, 2010, Patco moved for summary judgment on
Count I, its claim under Article 4A of the UCC. That same day, the
bank moved for summary judgment on all six counts. On May 27,
2011, the magistrate judge issued a recommended decision on the
cross-motions for summary judgment. Patco Constr. Co. v. People's
United Bank, No. 09–cv–503, 2011 WL 2174507 (D. Me. May 27, 2011).
The magistrate judge determined both that the bank's security
procedures were commercially reasonable, id. at *32-34, and that
Patco had agreed to those procedures, id. at *24-25. Therefore,
the magistrate concluded, Patco -- not the bank -- bore the loss of
the fraudulent transfers. Id. at *34. The magistrate also
determined that Counts II-IV of Patco's complaint were displaced by
the provisions of Article 4A, and that Counts V and VI failed along
with Count I because the bank could not have been unjustly
enriched, or have wrongly converted Patco's funds, if it employed
commercially reasonable security procedures. Id. at *34-35.
-19-
Accordingly, the magistrate recommended that the district court
grant the bank's motion for summary judgment and deny that of
Patco. Id. at *35.
Patco objected to the recommended decision on June 13,
2011, and People's United responded to Patco's objection on June
27, 2011. On August 4, 2011, the district court adopted the
magistrate's recommendation in full. It granted People's United's
motion for summary judgment, denied Patco's motion for summary
judgment, and found the parties' outstanding motions to be moot.
On September 6, 2011, Patco appealed.
III.
We review orders granting or denying summary judgment de
novo. Certain Interested Underwriters at Lloyd's, London v.
Stolberg, 680 F.3d 61, 65 (1st Cir. 2012). In doing so, we
consider the record and all reasonable inferences in the light most
favorable to the non-moving party. Id.
We affirm only if there is no genuine dispute as to any
material fact and the movant is entitled to judgment as a matter of
law. Id. "A dispute is genuine if the evidence about the fact is
such that a reasonable jury could resolve the point in the favor of
the non-moving party." Rodríguez-Rivera v. Federico Trilla Reg'l
Hosp. of Carolina, 532 F.3d 28, 30 (1st Cir. 2008) (quoting
Thompson v. Coca-Cola Co., 522 F.3d 168, 175 (1st Cir. 2008)). "A
fact is material if it has the potential of determining the outcome
-20-
of the litigation." Id. (quoting Maymí v. P.R. Ports Auth., 515
F.3d 20, 25 (1st Cir. 2008)).
A. Article 4A of the UCC
The claim under Count I is governed by Article 4A of the
UCC, which was meant to govern the rights, duties, and liabilities
of banks and their commercial customers with respect to electronic
funds transfers. See Me. Rev. Stat. Ann. tit. 11, § 4-1102 cmt.
Article 4A was enacted in toto by Maine in 1991, well before the
transfers at issue in this case.6 Id. § 4-1101.
Article 4A was developed to address wholesale wire
transfers and commercial ACH transfers, generally between
businesses and their financial institutions.7 Id. § 4-1102 cmt.
6
In its enactment of Article 4A, the Maine legislature
provided that while "the text of that uniform act has been changed
to conform to Maine statutory conventions[, . . . u]nless otherwise
noted in a Maine comment, the changes are technical in nature and
it is the intent of the Legislature that this Act be interpreted as
substantively the same as the uniform act." 1992 Me. Legis. Serv.
ch. 812, § 3.
7
By contrast, consumer payments that are made
electronically, such as through direct wiring or the use of a debit
card, are covered by a separate federal statute, the Electronic
Fund Transfer Act (EFTA), 15 U.S.C. § 1693 et seq. Article 4A does
not apply to any funds transfer that is covered by the EFTA; the
two are mutually exclusive. Me. Rev. Stat. Ann. tit. 11, § 4-1108
& cmt. The drafters of Article 4A felt that a separate framework,
apart from the more consumer-focused EFTA, was needed to cover
electronic transfers between commercial institutions because of the
sheer volume and magnitude of such transfers. Id. Art. 4-A, Refs.
& Annots. cmt. At the time of Article 4A's drafting, the volume of
payments by non-consumer wire transfer exceeded well over one
trillion dollars per day and the dollar volume of payments made by
wire transfer far exceeded the dollar volume of payments made by
other means. Id.
-21-
Before Article 4A was drafted, "there was no comprehensive body of
law -- statutory or judicial -- that defined the juridical nature
of a [commercial] funds transfer or the rights and obligations
flowing from payment orders." Id. Instead, judges relied on
general principles of common law, sought guidance from other
provisions of the UCC, or analogized to laws applicable to other
payment methods. Id. The drafters of Article 4A sought to deliver
clarity to this area of law by "us[ing] precise and detailed rules
to assign responsibility, define behavioral norms, allocate risks
and establish limits on liability" in order to allow parties to
predict and insure against risk with greater certainty, given the
very large amounts of money involved in commercial funds transfers.
Id.
Importantly, the drafters also sought to clarify the
interaction between the new provisions of Article 4A and existing
remedies under the common law:
Funds transfers involve competing interests --
those of the banks that provide funds transfer
services and the commercial and financial
organizations that use the services, as well
as the public interest. These competing
interests were represented in the drafting
process and they were thoroughly considered.
The rules that emerged represent a careful and
delicate balancing of those interests and are
intended to be the exclusive means of
determining the rights, duties and liabilities
of the affected parties in any situation
covered by particular provisions of the
Article. Consequently, resort to principles
of law or equity outside of Article 4A is not
appropriate to create rights, duties and
-22-
liabilities inconsistent with those stated in
this Article.
Id. The drafters "intended that Article 4A would be supplemented,
enhanced, and in some places, superceded by other bodies of law
. . . [T]he Article is intended to synergize with other legal
doctrines," so long as those doctrines are not inconsistent with
the rights, duties, and liabilities established in Article 4A.
Regions Bank v. Provident Bank, Inc., 345 F.3d 1267, 1275 (11th
Cir. 2003) (omission in original) (quoting Baxter & Bhala, The
Interrelationship of Article 4A with Other Law, 45 Bus. Law. 1485,
1485 (1990)) (internal quotation mark omitted). Article 4A further
provides that, in general, the parties may not vary by agreement
any rights and obligations arising under Article 4A. See Me. Rev.
Stat. Ann. tit. 11, § 4-1202(6).
Under Article 4A, a bank receiving a payment order
ordinarily bears the risk of loss of any unauthorized funds
transfer. Id. § 4-1204. The bank may shift the risk of loss to
the customer in one of two ways, one of which involves the
commercial reasonableness of security procedures and one of which
does not. First, the bank may show that the "payment order
received . . . is the authorized order of the person identified as
sender if that person authorized the order or is otherwise bound by
it under the law of agency." Id. § 4-1202(1). But, as the Article
4A commentary explains, "[i]n a very large percentage of cases
-23-
covered by Article 4A, . . . [c]ommon law concepts of authority of
agent to bind principal are not helpful" because the payment order
is transmitted electronically and the bank "may be required to act
on the basis of a message that appears on a computer screen." Id.
§ 4-1203 cmt. 1.
If the sender of the payment order had no authority to
act for the customer, and there are no additional facts on which
estoppel might be found, the "Customer is not liable to pay the
order and [the] Bank takes the loss." Id. cmt. 2. In such cases,
"these legal principles [of agency] give the receiving bank very
little protection . . . . The only remedy of [the] Bank is to seek
recovery from the person who received payment as beneficiary of the
fraudulent order." Id. cmts. 1, 2.
Accordingly, the drafters provided a second way by which
a bank may shift the risk of loss and protect itself whether or not
the payment order is authorized. This, in turn, has several
components:
If a bank and its customer have agreed that
the authenticity of payment orders issued to
the bank in the name of the customer as sender
will be verified pursuant to a security
procedure, a payment order received by the
receiving bank is effective as the order of
the customer, whether or not authorized, if:
(a) The security procedure is a
commercially reasonable method of
providing security against unauthorized
payment orders; and
-24-
(b) The bank proves that it accepted the
payment order in good faith and in
compliance with the security procedure
and any written agreement or instruction
of the customer restricting acceptance of
payment orders issued in the name of the
customer. The bank is not required to
follow an instruction that violates a
written agreement with the customer or
notice of which is not received at a time
and in a manner affording the bank a
reasonable opportunity to act on it
before the payment order is accepted.
Id. § 4-1202(2).
In turn, Article 4A defines a security procedure as:
[A] procedure established by agreement of a
customer and a receiving bank for the purpose
of: (1) Verifying that a payment order or
communication amending or cancelling a payment
order is that of the customer; or (2)
Detecting error in the transmission or the
content of the payment order or communication.
Id. § 4-1201. One question raised in this appeal is the scope of
any agreement reached.
The UCC explains that the "[c]ommercial reasonableness of
a security procedure is a question of law" to be determined by the
court. Id. § 4-1202(3). There are two ways by which a security
procedure may be shown to be commercially reasonable. First is by
reference to:
[T]he wishes of the customer expressed to the
bank, the circumstances of the customer known
to the bank, including the size, type and
frequency of payment orders normally issued by
the customer to the bank, alternative security
procedures offered to the customer and
security procedures in general use by
-25-
customers and receiving banks similarly
situated.
Id. § 4-1202(3). The Article is explicit that "[t]he standard is
not whether the security procedure is the best available. Rather
it is whether the procedure is reasonable for the particular
customer and the particular bank . . . ." Id. § 4-1203 cmt. 4.
The UCC explains that "[t]he burden of making available
commercially reasonable security procedures is imposed on receiving
banks because they generally determine what security procedures can
be used and are in the best position to evaluate the efficacy of
procedures offered to customers to combat fraud." Id. cmt. 3.
Secondly, the Article creates a presumption of
reasonableness under certain circumstances, not applicable here.
A security procedure is deemed to be commercially reasonable if:
(a) The security procedure was chosen by the
customer after the bank offered and the
customer refused, a security procedure that
was commercially reasonable for that customer;
and
(b) The customer expressly agreed in writing
to be bound by any payment order, whether or
not authorized, issued in its name and
accepted by the bank in compliance with the
security procedure chosen by the customer.
Id. § 4-1202(3). Of course, if the security procedure offered by
the bank was not commercially reasonable, then the provision does
not apply. Id. § 4-1203 cmt. 4.
If the bank shows both that its security procedure was
commercially reasonable and that it accepted the payment order "in
-26-
good faith and in compliance with the security procedure," the
payment order is effective as an authorized order of the customer.
Id. §§ 4-1202(2)(b), 4-1203(1). In such a case, the bank may,
"[b]y express written agreement, . . . limit the extent to which it
is entitled to enforce or retain payment of the payment order."
Id. § 4-1203(1)(a).
Once the bank has shown commercial reasonableness, the
customer may shift the risk of loss back to the bank if the
customer proves that the order was not "caused, either directly or
indirectly, by a person":
(i) Entrusted at any time with duties to act
for the customer with respect to payment
orders or the security procedure or who
obtained access to transmitting facilities of
the customer; or
(ii) Who obtained from a source controlled by
the customer and without authority of the
receiving bank information facilitating breach
of the security procedure, regardless of how
the information was obtained or whether the
customer was at fault. Information includes
any access device, computer software or the
like.
Id. § 4-1203(1)(b). As the commentary explains, this section of
the UCC places a burden on the customer, when the security
procedure is commercially reasonable, "to supervise its employees
to assure compliance with the security procedure and to safeguard
confidential security information and access to transmitting
facilities so that the security procedure cannot be breached." Id.
§ 4-1203 cmt. 3.
-27-
If the bank does not make its showing of commercial
reasonableness, then the analysis goes back to the question of
agency under § 4-1202(a), described above. If the court
determines, under any of these provisions, that the bank bears the
risk of loss, "the bank shall refund any payment of the payment
order received from the customer to the extent the bank is not
entitled to enforce payment and shall pay interest on the
refundable amount calculated from the date the bank received
payment to the date of the refund." Id. § 4-1204(1).
B. Ocean Bank's Motion for Summary Judgment
Ocean Bank argues that because Patco agreed to the
security system in use, and because the security system was
commercially reasonable, it is entitled to summary judgment.
Patco counters that the bank's security system was not
commercially reasonable, that it did not agree to all of the
procedures, and that the bank did not comply with its own
procedures.
As to commercial reasonableness, Patco argues the bank's
decision to lower the dollar amount rule to $1 increased the risk
of compromised security, and that the bank's failure in light of
this increased risk to monitor and immediately notify customers of
abnormal transactions which met high risk criteria was not
commercially reasonable. Patco also argues that it was not offered
and it did not decline an e-mail notice system for transactions.
-28-
Essentially, Patco argues that when Ocean Bank decided in
June of 2008 to trigger challenge questions for any transaction
over $1, the bank increased the frequency with which a user was
required to enter the answers to his or her challenge questions.
Indeed, at a $1 threshold, the frequency as to Patco became 100%,
covering every transaction. For customers like Patco who made
regular ACH transfers, the risks were even greater than for
customers who rarely made such transfers. This, in turn, also
increased the risk that such answers would be compromised by
keyloggers8 or other malware that would capture that information
for unauthorized uses. By thus increasing the risk of fraud
through unauthorized use of compromised security answers, Patco
argues, Ocean Bank's security system failed to be commercially
reasonable because it did not incorporate additional security
measures, at the very least monitoring of high risk score
transactions, use of e-mail alerts and inquiries, or other
immediate notice to customers of high-risk transactions.
In our view, Ocean Bank did substantially increase the
risk of fraud by asking for security answers for every $1
transaction, particularly for customers like Patco which had
8
A "keylogger" is a form of computer malware, or malicious
code, capable of infecting a user's system, secretly monitoring the
user's Internet activity, recognizing when the user has browsed to
the website of a financial institution, and recording the user's
key strokes on that website. In this way, the keylogger is able to
capture a user's authentication credentials, which the keylogger
then transmits to a cyber thief.
-29-
frequent, regular, and high dollar transfers. Then, when it had
warning that such fraud was likely occurring in a given
transaction, Ocean Bank neither monitored that transaction nor
provided notice to customers before allowing the transaction to be
completed. Because it had the capacity to do all of those things,
yet failed to do so, we cannot conclude that its security system
was commercially reasonable. We emphasize that it was these
collective failures taken as a whole, rather than any single
failure, which rendered Ocean Bank's security system commercially
unreasonable.
The Jack Henry Premium Product was designed to harness
the power of the risk-scoring system and included a device
identification system to trigger an additional layer of
authentication -- challenge questions -- whenever the bank's system
detected unusual or suspicious transactions. In May of 2009, bank
personnel did not monitor the risk-scoring reports, nor did the
bank conduct any other regular review of transactions that
generated high risk scores. Thus, the only result of a high risk
score or an unidentified device was that a customer would be
prompted to answer his or her challenge questions.
When Ocean Bank lowered the dollar amount rule from
$100,000 to $1, it essentially deprived the complex Jack Henry
risk-scoring system of its core functionality. The $1 dollar
amount rule guaranteed that challenge questions would be triggered
-30-
on every transaction unless caught by a separate eFraud network
which depended on the use of known fraudulent IP addresses. The
eFraud network was of no use if the address and like information
were not already known to law enforcement. Accordingly, cyber
criminals equipped with keyloggers had the much more frequent
opportunity to capture all information necessary to compromise an
account every time the customer initiated an ACH transaction. In
Patco's case, ACH transactions were initiated at least weekly, and
often several times per week. In the event a customer's computer
became infected with a keylogger, it was likely that the customer
would be prompted to answer its challenge questions before the
malware was discovered and removed from the customer's computer.
Patco's argument is supported both by evidence and by
common sense. Patco's expert testified that at the times in
question, keylogging malware was a persistent problem throughout
the financial industry. It was foreseeable, against this
background, that triggering the use of the same challenge questions
for high-risk transactions as were used for ordinary transactions,
was ineffective as a stand-alone backstop to password/ID entry.
Indeed, it was well known that setting challenge questions to be
asked on every transaction greatly increases the risk that a
fraudster equipped with a keylogger would be able to access the
answers to a customer's challenge questions because it increases
-31-
the frequency with which such information is entered through a
user's keyboard.
As early as 2005, RSA/Cyota cautioned against the regular
and frequent use of challenge questions as a stand-alone backstop
to the exclusion of further controls, stating that challenge
questions were "quicker and simpler to adopt" but were "less
secure," and should be used only "in the short term, as the first
phase of a full project." According to RSA/Cyota, challenge
questions should be triggered only selectively, when unusual or
suspicious activity is detected, so that they are less likely to be
asked after a keylogger is installed on a customer's computer and
before it can be removed. When asked frequently, they should not
be used as the only line of defense beyond a password/ID, since a
password/ID and answers to challenge questions could all be
simultaneously captured by a keylogger.
Ocean Bank's decision to set the dollar amount rule at $1
for all of its customers also ignored Article 4A's mandate that
security procedures take into account "the circumstances of the
customer" known to the bank. Id. § 4-1202(3). Article 4A directs
banks to consider such circumstances as "the size, type and
frequency of payment orders normally issued by the customer to the
bank." Id. In Patco's case, these characteristics were regular
and predictable. Patco used eBanking primarily to make payroll
payments to employees. These payments were made weekly, generally
-32-
on Fridays; they originated from a single static IP address; and
they were always made from the same set of computers at Patco's
offices in Sanford, Maine. The highest such payment Patco ever
made was $36,634.74, well below the former $100,000 threshold. The
bank does not assert that it ever offered to adjust the threshold
amount for particular customers. Instead, the bank adopted a "one-
size-fits-all" dollar amount rule of $1 for its customers.
Ocean Bank argues that it did take Patco's circumstances
into account by building a risk profile based on Patco's eBanking
habits, such that the security system could compare the
characteristics of each transaction against those in Patco's
profile.9 This argument misses the mark because, in fact, the risk
profile information played no role. It triggered no additional
authentication requirements, and the bank did nothing with the
information generated by comparing the fraudulent transactions
against Patco's profile.
Ocean Bank also argues that it was commercially
reasonable for it to universally lower the dollar amount rule to $1
in order to target low-dollar fraud. Whether or not that is true
for certain customers, it is beside the point. Here, the increase
9
The bank also argues that it took Patco's circumstances
into account by setting Patco's ACH withdrawal limit based on its
specific needs. As the district court correctly noted, however,
ACH limits do not constitute a "security procedure" under Article
4A and thus have no bearing on the commercial reasonableness
analysis. Patco Constr. Co. v. People's United Bank, No.
09–cv–503, 2011 WL 2174507, at *28 n.131 (D. Me. May 27, 2011).
-33-
in risk to the consumer who engaged in regular high dollar
transfers, such as Patco, was sufficiently serious to require a
corollary increase in security measures for a security system to
remain commercially reasonable. The bank's generic "one-size-fits-
all" approach to customers violates Article 4A's instruction to
take the customer's circumstances into account. Further, the
reduction of the dollar amount rule to $1 was for commercial
customers, who are quite unlikely to have transfers of less than
$1.
Ocean Bank introduced no additional security measures in
tandem with its decision to lower the dollar amount rule, despite
the fact that several such security measures were not uncommon in
the industry and were relatively easy to implement. Patco's expert
testified that all of her other banking clients using the same Jack
Henry Premium Product employed manual reviews or some other
additional security measure to protect against the type of fraud
that occurred in this case.
For example, by May 2009, internet banking security had
largely moved to hardware-based tokens and other means of
generating "one-time" passwords.10 As of then, People's United Bank
10
Although tokens can be compromised, bypassing them requires
greater sophistication than is needed to obtain challenge
questions. The perpetrator must use the information within seconds
of acquiring it, before the system generates a new password to
replace the old. The answers to challenge questions, by contrast,
may be used at the perpetrator's leisure, particularly when, as was
the case at Ocean Bank, the answers are static. Even if a token
had been used and compromised in this case, the magnitude of the
-34-
(which had acquired Ocean Bank), several national banks, and many
New England community banks were using tokens for commercial
accounts. Of those banks that did not use tokens in May 2009, New
England community banks commonly used some form of manual review or
customer verification to authenticate uncharacteristic or
suspicious transactions. Such security procedures self-evidently
would not have been difficult to implement.11
This failure to implement additional procedures was
especially unreasonable in light of the bank's knowledge of ongoing
fraud. As early as 2008, Ocean Bank had received notification of
substantial increases in internet fraud involving keylogging
malware. By May 2009, Ocean Bank had itself experienced at least
two incidents of fraud on the bank's system which it attributed to
either keylogging malware or internal fraud. In both instances,
the perpetrators had acquired and successfully applied the
customer's passwords, IDs, and answers to challenge questions.
Thus, by May 2009, when the fraud in this case occurred,
it was commercially unreasonable for Ocean Bank's security system
to trigger nothing more than what was triggered in the event of a
resulting fraud would have been greatly reduced because the
captured password could not have been used after the initial
transaction.
11
Indeed, shortly after the fraud in this case occurred,
Ocean Bank began conducting manual reviews of suspect transactions.
Now, transactions that generate high risk scores are personally
reviewed by Ocean Bank personnel to determine their legitimacy.
-35-
perfectly ordinary transaction in response to the high risk scores
that were generated by the withdrawals from Patco's account. The
payment orders at issue were entirely uncharacteristic of Patco's
ordinary transactions: they were directed to accounts to which
Patco had never before transferred money; they originated from
computers Patco had never before used; they originated from an IP
address that Patco had never before used; and they specified
payment amounts significantly higher than the payments Patco
ordinarily made to third parties. As a result, the security system
flagged these transactions as uncharacteristic, highly suspicious,
and potentially fraudulent from a "very high risk non-authenticated
device." The transactions generated unprecedentedly high risk
scores ranging from 563 to 790, well above Patco's regular risk
scores which ranged from 10 to 214.
These collective failures, taken as a whole, rendered
Ocean Bank's security procedures commercially unreasonable. We
reverse the district court's grant of summary judgment as to Count
I.
That does not, however, end the matter, even as to Count
I. The issues briefed to us on appeal have largely involved
commercial reasonableness. Our conclusion that the security
procedures were not commercially reasonable does not end the
analysis of the Article 4A issues. Our conclusion as to Count I
and commercial reasonableness does, though, also lead us to vacate
-36-
the district court's grant of summary judgment on the two claims --
Count V (unjust enrichment) and Count VI (conversion) -- which the
district court considered to be dependent on the success of Count
I.
C. Patco's Motion for Summary Judgment
We affirm the district court's decision to deny Patco's
motion for summary judgment. There remain several genuine and
disputed issues of fact which may be material to the question of
whether Patco has satisfied its obligations and responsibilities
under Article 4A, or at least to the question of damages. The
district court did not reach, and the parties have not briefed, the
question of what, if any, obligations or responsibilities Article
4A imposes on a commercial customer even where a bank's security
system is commercially unreasonable. We leave these questions open
on remand so that the district court may, after briefing, assess
whether such obligations exist, either for liability purposes or
for mitigation of damages.
As to the genuine and disputed issues of fact, the
parties dispute the facts surrounding Patco's lack of e-mail
alerts. Patco alleges that it requested e-mail alerts from the
bank, but that the bank ignored these requests and never notified
Patco when e-mail alerts became available to bank customers. The
bank counters with its own allegation that it sent out a general
e-mail to customers that it would make e-mail alerts available.
-37-
Patco states that it received no such e-mail, and that instead, a
customer would have had to follow a complicated series of steps to
find an "Alerts" tab on the bank's website in order to learn that
such e-mail alerts had become available. Moreover, Patco alleges
that its account was not even set up with an "Alerts" tab; that the
account only features a "Preferences" tab. While one of Patco's
employees did successfully navigate to the "Preferences" tab, she
alleges she never saw an "Alerts" tab. Additionally, neither party
has submitted into the record an example of such an e-mail alert or
specified when such an e-mail alert would have been sent, such that
it is unclear what Patco would have learned from such an e-mail
alert and whether and when such an e-mail would have placed Patco
on notice of the fraudulent transfer.
The parties also disagree as to whether the fraud in this
case was caused by malware and keylogging in the first place, or
whether Patco shares some responsibility. Ocean Bank argues that
because Patco irreparably altered the evidence on its hard drives
by using and scanning its computers before making forensic copies,
it is unclear whether keylogging malware existed on Patco's
computers and enabled the alleged fraud. These disputed issues of
fact may be material.
Article 4A does not appear to be a one-way street.
Commercial customers have obligations and responsibilities as well,
under at least § 4-1204. See Me. Rev. Stat. Ann. tit. 11, § 4-
-38-
1204; but see id. § 4-1102 cmt. ("Resort to principles of law or
equity outside of Article 4A is not appropriate to create rights,
duties and liabilities inconsistent with those stated in this
Article."). Section 4-1204, entitled "Refund of payment and duty
of customer to report with respect to unauthorized payment order,"
provides:
The customer is not entitled to interest from
the bank on the amount to be refunded if the
customer fails to exercise ordinary care to
determine that the order was not authorized by
the customer and to notify the bank of the
relevant facts within a reasonable time not
exceeding 90 days after the date the customer
received notification from the bank that the
order was accepted or that the customer's
account was debited with respect to the order.
Id. § 4-1204(1).12 It is unclear, however, what, if any,
obligations a commercial customer has when a bank's security system
is found to be commercially unreasonable.
In short, we leave open for the parties to brief on
remand the question of what, if any, obligations or
responsibilities are imposed on a commercial customer under Article
4A even where a bank's security system is commercially
12
The commentary describes this burden on the customer as a
duty of ordinary care which is designed to encourage the customer
to promptly notify the bank about any instances of fraud so that
the bank can minimize its losses. Me. Rev. Stat. Ann. tit 11, § 4-
1204 cmt. 2. The commentary clarifies that a breach of this duty
results only in a loss of the interest on the refund payable by the
bank, but not a loss of the refund itself. Id.
-39-
unreasonable. The record requires further development on these
issues, precluding summary judgment at this stage.
D. Dismissal of Counts II-IV
The district court concluded that Article 4A "preempts"13
Patco's remaining common law claims: Count II (negligence), Count
III (breach of contract), and Count IV (breach of fiduciary duty).
The district court based its analysis on the commentary to § 4-
1102, which provides:
Funds transfers involve competing interests --
those of the banks that provide funds transfer
services and the commercial and financial
organizations that use the services, as well
as the public interest. These competing
interests were represented in the drafting
process and they were thoroughly considered.
The rules that emerged represent a careful and
delicate balancing of those interests and are
intended to be the exclusive means of
determining the rights, duties and liabilities
of the affected parties in any situation
covered by particular provisions of the
Article. Consequently, resort to principles
of law or equity outside of Article 4A is not
appropriate to create rights, duties and
liabilities inconsistent with those stated in
this Article.
Id. § 4-1102 cmt.
This language does not, on its face, displace Patco's
Count III for breach of contract or Count IV for breach of
13
This use of the term has nothing to do with the standard
legal use of "preemption," which involves the question of whether
federal law precludes a state from regulating on the same topic.
See, e.g., Kurns v. R.R. Friction Prods. Corp., 132 S. Ct. 1261,
1265-66 (2012). We prefer different terminology.
-40-
fiduciary duty.14 We adopt the test, as set forth in the
commentary, that Article 4A embodies an intent to restrain common
law claims only to the extent that they create rights, duties, and
liabilities inconsistent with Article 4A. See Ma v. Merrill Lynch,
Pierce, Fenner & Smith, Inc., 597 F.3d 84, 89 (2d Cir. 2010);
Regions Bank, 345 F.3d at 1275.
The common law claims of breach of contract and breach of
fiduciary duty are not inherently inconsistent with Patco's Article
4A claim. At least in theory, there could be, either by contract
or through assumption of fiduciary duties,15 higher standards which
are imposed on the bank. Indeed, courts have held that plaintiffs
may turn to common law remedies to seek redress for an alleged harm
arising from a funds transfer where Article 4A does not protect
against the underlying injury or misconduct alleged. See, e.g.,
Ma, 597 F.3d at 89-90; Regions Bank, 345 F.3d at 1275; see also
White & Summers, Uniform Commercial Code §§ 1-2, at 132 (1993
pocket part) ("With the adoption of Article 4A, electronic funds
14
We do not address whether Patco otherwise states a claim
for breach of fiduciary duty under Maine Law, see, e.g., Stewart v.
Machias Sav. Bank, 762 A.2d 44, 46 & n.1 (Me. 2000), or for that
matter, breach of contract, see, e.g., Seashore Performing Arts
Ctr., Inc. v. Town of Old Orchard Beach, 676 A.2d 482, 484 (Me.
1996).
15
We disagree with the district court's conclusion that
inconsistency is demonstrated merely because "[t]he gravamen of all
three counts is precisely the same as that of Count I: that the
Bank failed to employ proper security procedures, as a result of
which Patco suffered the loss in question." Patco Constr. Co.,
2011 WL 2174507, at *35.
-41-
transactions are governed not only by Article 4A, but also common
law . . . ."). We vacate the dismissal and leave the issue of
these two causes of action open on remand to be considered anew.
The closer question is whether Article 4A, on the facts
of this case,16 displaces the claim for negligence. That is, are
the negligence claims inconsistent with the duties and liability
limits set forth in Article 4A. We think they are, inasmuch as the
standard for the duty of care as to both sides is set forth in
Article 4A and its limitation of liability. See Ma, 597 F.3d at
89-90 (interpreting Article 4A to displace common law claims, such
as negligence, where Article 4A has already specified the relevant
duties and "protect[ions] against the type of underlying injury or
misconduct alleged in a claim"); Donmar Enters., Inc. v. S. Nat'l
Bank of N.C., 64 F.3d 944, 949-50 (4th Cir. 1995) (holding that
16
This case is not like Regions Bank in the sense that there
a beneficiary bank accepted funds it knew or had reason to know
were fraudulently obtained, and the court held other state law
remedies for fraud were not inconsistent with Article 4A. As the
court said:
Interpreting Article 4A in a manner that would
allow a beneficiary bank to accept funds when
it knows or should know that they were
fraudulently obtained, would allow banks to
use Article 4A as a shield for fraudulent
activity. It could hardly have been the
intent of the drafters to enable a party to
succeed in engaging in fraudulent activity, so
long as it complied with the provisions of
Article 4A.
Regions Bank v. Provident Bank, Inc., 345 F.3d 1267, 1276 (11th
Cir. 2003).
-42-
negligence claims are in conflict with, and therefore displaced by,
Article 4A); cf. Anderson v. Hannaford Bros. Co., 659 F.3d 151, 161
(1st Cir. 2011) (where Maine law is clear that certain damages on
given facts are not available regardless of theory pled, Maine law
will not under new cause of action allow such damages). So we
affirm the dismissal of the negligence claims.
IV.
We reverse the district court's grant of summary judgment
in favor of the bank, and affirm the district court's denial of
Patco's motion for summary judgment. We remand for further
proceedings in accordance with this opinion. On remand the parties
may wish to consider whether it would be wiser to invest their
resources in resolving this matter by agreement.
No fees are awarded; each side shall bear its own costs.
-43-
Patco Construction Co., Inc. v. People's United Bank
Court: Court of Appeals for the First Circuit
Date filed: 2012-07-03
Citations: 684 F.3d 197
Copy CitationsCombined Opinion