A bank that required a commercial customer to answer “challenge questions” for virtually all online payments and that did not implement other common security measures failed to provide a commercially reasonable level of security, the U.S. Court of Appeals for the First Circuit ruled this week.

The case arose when unknown hackers were able to make large electronic transfers over the course of seven days from Patco Construction’s accounts at Ocean Bank, a southern Maine community bank owned by People’s United Bank. Patco lost more than $345,000. Patco sued People’s United, alleging that Ocean Bank’s security procedures were not “commercially reasonable,” and therefore the bank was liable for Patco’s loss under the Uniform Commercial Code.

Ocean Bank’s automated monitoring system assigned risk scores to online transactions based on customers’ patterns of use. Transactions with risk scores above a set threshold would require users to answer additional “challenge questions,” which were security questions and answers that the accountholder had chosen when setting up the online-banking account. However, Ocean Bank set up its system so that users would have to answer the challenge questions for any payment or transfer over $1. Patco used Ocean Bank’s online-banking feature for routine tasks such as making weekly payroll payments, and thus had to answer the challenge questions frequently. In May 2009, unknown hackers were able to use the online-banking system to transfer money from Patco’s account to numerous individuals whom Patco had never before paid. The hackers apparently had obtained the answers to Patco’s challenge questions. The bank’s automated monitoring system flagged the fraudulent transactions as “high risk,” based on “the timing, value, and geographic location of Patco’s regular payment orders,” but “Ocean Bank neither [manually] monitored that transaction nor provided notice to customers before allowing the transaction to be completed.”

Patco argued that by asking users to answer the challenge questions so frequently, the bank increased the risk of fraud by providing more opportunities for hackers to intercept the information using keyloggers or other malware that might have infected a customer’s computer. Patco later found remnants of the Zeus/Zbot malware on its computers, although it could not determine whether that malware had captured Patco’s banking credentials. The First Circuit agreed that lowering the dollar threshold for challenge questions without implementing additional, compensating security measures “rendered Ocean Bank’s security procedures commercially unreasonable.” Accordingly, the First Circuit reversed the district court’s decision to grant summary judgment to the bank.
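The two design points the court weighed, a step-up threshold set so low that the challenge answers are typed on almost every order, and high-risk orders released without review or notice, can be made concrete in a small model. The following is an added example written for this page; it is not code from the article, the bank or the court record. The risk weights, thresholds, customer history and sample orders are all constructed assumptions, chosen only to show how a flat "$1" rule and a pattern-based rule differ in how often the challenge secret is exposed and in what happens to an order the scoring engine flags as high risk.

```python
"""Risk-based step-up authentication: flat $1 threshold vs. pattern-based policy.

Constructed example. Weights, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Payment:
    amount: float   # dollars
    payee: str      # destination account label
    hour: int       # hour of day (0-23) the order was submitted
    geo: str        # coarse location of the originating session


def risk_score(p: Payment, history: List[Payment]) -> int:
    """Score an order against the customer's past orders (payee, value, timing, location).

    The weights are illustrative assumptions; a production engine would be tuned on data.
    """
    if not history:
        return 100  # no baseline at all: treat as high risk
    score = 0
    if p.payee not in {h.payee for h in history}:
        score += 40  # recipient the customer has never paid before
    if p.amount > 2 * max(h.amount for h in history):
        score += 30  # far outside the customer's usual value range
    if p.hour not in {h.hour for h in history}:
        score += 15  # unusual time of day
    if p.geo not in {h.geo for h in history}:
        score += 25  # session from an unfamiliar location
    return score


def decide_flat(p: Payment, history: List[Payment]) -> str:
    """Weak configuration: a static $1 threshold, so nearly every order triggers the challenge."""
    return "challenge" if p.amount > 1 else "allow"


def decide_risk_based(p: Payment, history: List[Payment],
                      challenge_at: int = 25, hold_at: int = 60) -> str:
    """Pattern-based configuration (thresholds are assumptions).

    Routine orders pass silently, moderately unusual ones get a step-up challenge,
    and high-risk ones are held for out-of-band notice and manual review instead of
    being released on the strength of a reusable secret that may already be stolen.
    """
    score = risk_score(p, history)
    if score >= hold_at:
        return "hold_for_review"
    if score >= challenge_at:
        return "challenge"
    return "allow"


def simulate(policy: Callable[[Payment, List[Payment]], str],
             orders: List[Payment], history: List[Payment]) -> Dict[str, int]:
    """Run a policy over a batch of orders and count outcomes.

    The 'challenge' count is the number of times the customer types the challenge
    answers, i.e. the number of chances malware on the endpoint gets to capture them.
    """
    counts = {"allow": 0, "challenge": 0, "hold_for_review": 0}
    for o in orders:
        counts[policy(o, history)] += 1
    return counts


# Constructed baseline: eight weekly payroll runs submitted mid-morning from the office.
HISTORY = [Payment(10_000 + 250 * i, "payroll-processor", 9, "ME") for i in range(8)]

# Constructed new orders: four more routine payroll runs plus one anomalous transfer
# to a never-paid recipient, at 2 a.m., from an unfamiliar location.
ROUTINE = [Payment(10_500, "payroll-processor", 9, "ME") for _ in range(4)]
ANOMALOUS = Payment(30_000, "unknown-individual-17", 2, "XX")
ORDERS = ROUTINE + [ANOMALOUS]


if __name__ == "__main__":
    for name, policy in (("flat $1 threshold", decide_flat), ("risk-based", decide_risk_based)):
        print(f"{name:20s} {simulate(policy, ORDERS, HISTORY)}")
```

Under the flat rule every one of the five orders, routine or not, ends in "challenge": the answers are typed four times for payroll alone, and the anomalous transfer is released as soon as the (possibly captured) answers are supplied. Under the pattern-based rule the payroll runs score zero and pass without exposing the secret, while the anomalous order scores well above the hold threshold and is parked for notice and review, which is the compensating control the court found missing.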