Skip to main content

The Tale of Two Banks: Final Settlement in Maine Bank Security Practices Case and a Failure of Bank Security Procedures in Florida

In a case that we have written about here and here, People's United Bank of Maine has agreed to pay about $ 390,000 to settle a claim that its security practices allowed unauthorized persons to withdraw funds from a construction company's account (Patco Construction Co. v. People's United Bank, D. Me., No. 09-503, agreed dismissal filed 11/19/12).

The agreement, which settles the suit brought by Patco Construction Co. against People's United Bank in the U.S. District Court for the District of Maine, came several months after the U.S. Court of Appeals for the First Circuit ruled that the bank's anti-fraud procedures were not reasonable in Patco Construction Co. v. People's United Bank, No. 11-2031 (1st. Cir. July 3, 2012).

The settlement amount includes the $ 345,000 that was not recovered from the theft along with interest. "They made my client as whole as they could possibly have been made," Patco attorney Daniel Mitchell said. Attorneys' fees and other expense are not recoverable in this type of action, he explained.   However, according to the attorney for Patco Construction, the settlement did not address the bank's security procedures.

Florida's UCC May Protect From Fraud Under Certain Circumstances

A bank in Florida may be liable for an allegedly fraudulent payment order, the U.S. Court of Appeals for the Eleventh Circuit held  in Chavez v. Mercantil Commercebank N.A. with one judge dissenting, saying the bank's security arrangements failed to qualify for a safe harbor under Article 4A of the Uniform Commercial Code as enacted in Florida. In general, Florida law protects a bank from liability for fraudulent transfers if the bank and the customer agree on a commercially reasonable "security procedure" as defined by Fla. Stat. 670.201, and the bank follows the procedure in good faith.

Although most wire transfers are handled electronically, in this case, the customer, Roger Chavez, claimed Mercantil Commercebank N.A. wrongly processed a $ 329,500 wire transfer by an imposter who walked into the bank and presented a payment order.    As a result,  a district court held the bank was not liable, saying the arrangement between the bank and Chavez met the requirements of UCC Article 4A-202, which governs authorized and verified payment orders.  The Eleventh Circuit reversed, holding that the bank used procedures that did not comply with the customer agreement.

Moreover, according to the opinion, the court added that even the agreed-upon procedures do not qualify for the safe harbor. For example, the court said, there was no requirement for a signature comparison, and no requirement for the bank to check the identification of the person presenting the payment order -- both key facts in this case because the transaction was handled on an in-person basis.

"Consequently, the parties' agreed-upon procedure is not in fact a security procedure as defined by § 201, and the bank failed to shift the risk of loss to Chavez pursuant to § 202(2)," Judge Timothy C. Batten, Sr., said for the majority. Batten, the United States District Judge for the Northern District of Georgia, sat by designation.

Judge William H. Pryor, Jr., dissented, saying Section 670.201's definition of "security procedure" should be given a broader reading that, if applied to this case, would establish that Chavez gave the bank discretion to use additional procedures.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.