          United States Court of Appeals
                        For the First Circuit


No. 11-2031

                   PATCO CONSTRUCTION COMPANY, INC.,

                         Plaintiff, Appellant,

                                  v.

                PEOPLE'S UNITED BANK, d/b/a Ocean Bank,

                         Defendant, Appellee.


          APPEAL FROM THE UNITED STATES DISTRICT COURT
                    FOR THE DISTRICT OF MAINE

              [Hon. D. Brock Hornby, U.S. District Judge]


                                Before

                          Lynch, Chief Judge,
                   Lipez and Howard, Circuit Judges.



          Daniel J. Mitchell, with whom Eben M. Albert-Knopp and
Bernstein Shur were on brief, for appellant.
          Brenda R. Sharton, with whom Don M. Kennedy, Katherine A.
Borden, and Goodwin Procter LLP were on brief, for appellee.



                             July 3, 2012
           LYNCH, Chief Judge.       Over seven days in May 2009, Ocean

Bank, a southern Maine community bank, authorized six apparently

fraudulent withdrawals, totaling $588,851.26, from an account held

by Patco Construction Company, after the perpetrators correctly

supplied   Patco's    customized   answers     to   security   questions.

Although   the   bank's   security    system    flagged   each    of    these

transactions     as   unusually      "high-risk"     because     they    were

inconsistent with the timing, value, and geographic location of

Patco's regular payment orders, the bank's security system did not

notify its commercial customers of this information and allowed the

payments to go through.     Ocean Bank was able to block or recover

$243,406.83, leaving a residual loss to Patco of $345,444.43.

           Patco brought suit, setting forth six counts against

People's United Bank, a regional bank which had acquired Ocean

Bank.   The suit alleged, inter alia, that the bank should bear the

loss because its security system was not commercially reasonable

under Article 4A of the Uniform Commercial Code ("UCC"), as

codified under Maine Law at Me. Rev. Stat. Ann. tit. 11, § 4-1101

et seq., and that Patco had not consented to the procedures.




                                     -2-
               On cross-motions for summary judgment,1 the district

court       held   that   the   bank's   security   system   was   commercially

reasonable and on that basis entered judgment in favor of the bank

on the first count. Patco Constr. Co. v. People's United Bank, No.

09–cv–503, 2011 WL 3420588 (D. Me. Aug. 4, 2011).                  The district

court also granted summary judgment in favor of the bank on the

remaining counts, holding that they were either dependent on or

displaced by the analysis and law underlying the first count.               Id.

               We reverse the district court's grant of summary judgment

in favor of the bank and affirm its denial of Patco's motion for

summary judgment on the first count.           In particular, we leave open

the question of what, if any, obligations or responsibilities

Article 4A imposes on Patco.              We also reinstate certain other

claims dismissed by the district court, and remand for proceedings

consistent with this opinion.

                                         I.

               The facts, which are largely undisputed, are as follows.

Where the facts remain in dispute, we relate them in the light most

favorable to Patco, the non-moving party.              See Valley Forge Ins.

Co. v. Field, 670 F.3d 93, 96-97 (1st Cir. 2012).


        1
         The parties dispute whether Maine or Connecticut law
governs this case. We need not decide this question here as both
states have enacted UCC Article 4A, and thus, under either state's
laws, the outcome is the same. Compare Me. Rev. Stat. Ann. tit.
11, § 4-1101 et seq. with Conn. Gen. Stat. Ann. § 42a-4A-101 et
seq.   The parties do not identify any difference in the two
enactments that would affect our analysis.

                                         -3-
A.             The Parties

               Patco is a small property development and contractor

business located in Sanford, Maine. Patco began banking with Ocean

Bank in 1985.      Ocean Bank was acquired by the Chittenden family of

banks, which was later acquired by People's United Bank, a regional

bank based in Bridgeport, Connecticut.                 People's United Bank

operates other local Maine banks such as Maine Bank & Trust, where

Patco also had an account in May 2009.            Ocean Bank was a division

of People's United at the time of the fraudulent withdrawals at

issue in this case.

               In September 2003, Patco added internet banking -- also

known as "eBanking" -- to its commercial checking account at Ocean

Bank.       Ocean Bank allows its eBanking commercial customers to make

electronic funds transfers through Ocean Bank via the Automated

Clearing House ("ACH") network, a system used by banks to transfer

funds       electronically    between   accounts.      Patco   used   eBanking

primarily to make regular weekly payroll payments.                These regular

payroll payments had certain repeated characteristics: they were

always made on Fridays; they were always initiated from one of the

computers       housed   at   Patco's   offices   in   Sanford,    Maine;   they

originated from a single static Internet Protocol ("IP") address;2


        2
        "An IP address is the unique address assigned to every
machine on the internet. An IP address consists of four numbers
separated by dots, e.g., 166.132.78.215."        United States v.
Kearney, 672 F.3d 81, 84 n.1 (1st Cir. 2012) (quoting United States
v. Vázquez–Rivera, 665 F.3d 351, 354 n.5 (1st Cir. 2011)).

                                        -4-
and they were accompanied by weekly withdrawals for federal and

state tax withholding as well as 401(k) contributions. The highest

payroll payment Patco ever made using eBanking was $36,634.74.

Until October of 2008, Patco also used eBanking to transfer money

from the accounts of Patco and related entities at Maine Bank &

Trust, which maintains a branch in Sanford, Maine, into its Ocean

Bank checking account.

             In September 2003, when it added eBanking services, Patco

entered    into   several     agreements      with    Ocean     Bank.3       Most

significantly,     Patco    entered    into   the    eBanking    for     Business

Agreement.     The eBanking agreement stated that "use of the Ocean

National     Bank's   eBanking   for     Business     password     constitutes

authentication of all transactions performed by you or on your

behalf."     The eBanking agreement stated that Ocean Bank did not

"assume[] any responsibilities" with respect to Patco's use of

eBanking, that "electronic transmission of confidential business




     3
         These include the Investment and Line of Credit Sweep
Account (Managed Balance Agency Agreement), which authorized Ocean
Bank to transfer funds from Patco's account as needed to maintain
a target balance in Patco's separate investment account. Patco
also signed the Ocean Bank Automated Clearing House Agreement,
which provided that Patco was responsible for electronic transfers
"purport[ed] to have been transmitted or authorized" by Patco, even
if a transfer was not actually authorized by Patco, "provided Bank
acted in compliance with the security procedure referred to in
Schedule A." Patco asserts that the security procedures provided
in Schedule A do not, by their express terms, apply to eBanking
transactions such as those here.

                                      -5-
and sensitive personal information" was at Patco's risk, and that

Ocean Bank was liable only for its gross negligence, limited to six

months of fees.     The eBanking agreement also provided that:

           [U]se of Ocean National Bank's eBanking for
           Business by any one owner of a joint account
           or by an authorized signor on an account,
           shall be deemed an authorized transaction on
           an account unless you provide us with written
           notice that the use of Ocean National Bank's
           eBanking for Business is terminated or that
           the joint account owner or authorized signor
           has been validly removed form [sic] the
           account.

The   agreement    provided   that   Patco   had   to   contact   the   bank

immediately upon discovery of an unauthorized transaction.

           The bank also reserved the right to modify the terms and

conditions of the eBanking agreement at any time, effective upon

publication.      The bank claims that at some point before May 2009,

it modified the eBanking agreement to state:

           If   you   choose   to  receive   ACH   debit
           transactions on your commercial accounts, you
           assume all liability and responsibility to
           monitor those commercial accounts on a daily
           basis. In the event that you object to any
           ACH debit, you agree to notify us of your
           objection on the same day the debit occurs.

The bank claims that it published this modified eBanking agreement

on its website before May 2009. Patco disputes that this agreement

was modified and/or published on the bank's website before May

2009, and argues that the modified agreement was therefore not

effective as between the parties.



                                     -6-
B.          Ocean Bank's Security Measures

            In 2004, Ocean Bank began using Jack Henry & Associates

to provide its core online banking platform, known as "NetTeller."

Jack Henry provides the NetTeller product to approximately 1,300 of

its 1,500 bank customers.

            In October 2005, the agencies of the Federal Financial

Institutions    Examination     Council4   ("FFIEC"),     responding    to

increased    online   banking     fraud,    issued      guidance   titled

"Authentication in an Internet Banking Environment." See Fed. Fin.

Insts. Examination Council, Authentication in an Internet Banking

Environment (Aug. 8, 2001), available at http://www.ffiec.gov/pdf/

authentication_guidance.pdf [hereinafter "FFIEC Guidance"].            The

Guidance was intended to aid financial institutions in "evaluating

and implementing authentication systems and practices whether they

are provided internally or by a service provider."         Id. at 1.   The

Guidance provides that "financial institutions should periodically

. . . [a]djust, as appropriate, their information security program

in light of any relevant changes in technology, the sensitivity of

its customer information, and internal or external threats to

information."   Id. at 2.




     4
        The FFIEC is an interagency body created by statute and
charged with "establish[ing] uniform principles and standards and
report forms for the examination of financial institutions which
shall be applied by the Federal financial institutions regulatory
agencies." 12 U.S.C. § 3305(a).

                                   -7-
             The   Guidance    explains    that   existing   authentication

methodologies involve three basic "factors": (1) something the user

knows    (e.g.,    password,   personal    identification    number);   (2)

something the user has (e.g., ATM card, smart card); and (3)

something the user is (e.g., biometric characteristic, such as a

fingerprint).      Id. at 3.    It states:

             Authentication methods that depend on more
             than one factor are more difficult to
             compromise than single-factor methods.
             Accordingly, properly designed and implemented
             multifactor authentication methods are more
             reliable and stronger fraud deterrents. For
             example, the use of a logon ID/password is
             single-factor authentication (i.e., something
             the user knows); whereas, an ATM transaction
             requires multifactor authentication: something
             the user possesses (i.e., the card) combined
             with something the user knows (i.e., PIN). A
             multifactor authentication methodology may
             also include "out-of-band" controls for risk
             mitigation.

Id.     The Guidance also states:

             The     agencies     consider     single-factor
             authentication, as the only control mechanism,
             to be inadequate for high-risk transactions
             involving access to customer information or
             the movement of funds to other parties. . . .
             Account    fraud   and   identity    theft   are
             frequently the result of single-factor (e.g.,
             ID/password) authentication exploitation.
             Where risk assessments indicate that the use
             of single-factor authentication is inadequate,
             financial    institutions    should    implement
             multifactor authentication, layered security,
             or other controls reasonably calculated to
             mitigate those risks.

Id. at 1-2.



                                     -8-
            Following publication of the FFIEC Guidance, Ocean Bank

worked with Jack Henry to conduct a risk assessment and institute

appropriate authentication protocols to comply with the Guidance.

The bank determined that its eBanking product was a "high risk"

system   that   required   enhanced   security,   and   in   particular,

multifactor authentication.

            Jack Henry entered into a re-seller agreement with Cyota,

Inc., an RSA Security Company ("RSA/Cyota"), for a multifactor

authentication system to integrate into its NetTeller product so

that it could offer security solutions compliant with the FFIEC

Guidance.    Through collaboration with RSA/Cyota, Jack Henry made

two multifactor authentication products available to its customers

to meet the FFIEC Guidance: the "Basic" package and the "Premium"

package.

            Ocean Bank selected the Jack Henry "Premium" package,

which it implemented by January 2007.     The system, as implemented

by Ocean Bank, had six key features:

            1. User IDs and Passwords: The system required each

authorized Patco employee to use both a company ID and password and

a user-specific ID and password to access online banking.

            2. Invisible Device Authentication: The system placed a

"device cookie" onto customers' computers to identify particular

computers used to access online banking.     The device cookie would

be used to help establish a secure communication session with the


                                  -9-
NetTeller environment and to contribute to the component risk

score.   Whenever the cookie was changed or was new, that impacted

the risk score and potentially triggered challenge questions.

           3. Risk Profiling: The system entailed the building of a

risk profile for each customer by RSA/Cyota based on a number of

different factors, including the location from which a user logged

in, when/how often a user logged in, what a user did while on the

system, and the size, type, and frequency of payment orders

normally issued by the customer to the bank.    The Premium Product

noted the IP address that the customer typically used to log into

online banking and added it to the customer profile.

           RSA/Cyota's adaptive monitoring provided a risk score to

the bank for every log-in attempt and transaction based on a

multitude of data, including but not limited to IP address, device

cookie ID, Geo location, and transaction activity.       If a user's

transaction differed from its normal profile, RSA/Cyota reported to

the bank an elevated risk score for that transaction.      RSA/Cyota

considered transactions generating risk scores in excess of 750, on

a scale from 0 to 1,000, to be high-risk transactions.    "Challenge

questions," described below, were prompted any time the risk score

for a transaction exceeded 750.

           4. Challenge Questions: The system required users, during

initial log-in, to select three challenge questions and responses.

The challenge questions might be prompted for various reasons. For


                                -10-
example, if the risk score associated with a particular transaction

exceeded 750, the challenge questions would be triggered.    If the

challenge question responses entered by the user did not match the

ones originally provided, the customer would receive an error

message.   If the customer was unable to answer the challenge

questions in three attempts, the customer was blocked from online

banking and would be required to contact the bank.

           5. Dollar Amount Rule: The system permitted financial

institutions to set a dollar threshold amount above which a

transaction would automatically trigger the challenge questions

even if the user ID, password, and device cookie were all valid.

In August 2007, Ocean Bank set the dollar amount rule to $100,000.

On June 6, 2008, Ocean Bank lowered the dollar amount rule from

$100,000 to $1.   After the Bank lowered the threshold to $1, Patco

was prompted to answer challenge questions every time it initiated

a transaction.    In May 2009, when the fraud at issue in this case

occurred, the dollar amount rule threshold remained at $1.

           6. Subscription to the eFraud Network: The Jack Henry

Premium Product provided Ocean Bank with a subscription to the

eFraud Network, which compared characteristics of the transaction

(such as the IP address of the user seeking access to the Bank's

system) with those of known instances of fraud. The eFraud Network

allowed financial institutions to report IP addresses or other

discrete identifying characteristics identified with instances of


                                -11-
fraud.      An attempt to access a customer's NetTeller account

initiated    by   someone   with   that    characteristic   would   then   be

automatically blocked.      The individual would not even be prompted

for challenge questions.

            Ocean Bank asserts that on December 1, 2006, as it began

to implement the Jack Henry system, it also began to offer the

option of e-mail alerts to its eBanking customers. If the customer

chose to receive such alerts, the bank would send the customer e-

mails regarding incoming/outgoing transactions, changes to the

customer's balance, the clearing of checks, and/or alerts on

certain customer-specified dates.          Patco claims it did not receive

notice that e-mail alerts were available and this is a disputed

issue of fact.     It appears that notice of the availability of e-

mail alerts was not readily visible.         To set up alerts through the

eBanking system, a user would have to first click the "Preferences"

tab on the eBanking webpage, then click on a second tab labeled

"Alerts," and then follow several additional steps to activate

individual alerts.      Patco claims it never saw anything on the

website indicating that e-mail alerts were available, and it

therefore never set up e-mail alerts.

C.          Security Measures Available Which Ocean Bank Chose Not to
            Implement

            There were several additional security measures that were

available to Ocean Bank but that the bank chose not to implement:



                                    -12-
          1. Out-of-Band Authentication: Jack Henry offered Ocean

Bank a version of the NetTeller system that included an out-of-band

authentication    option.      Out-of-band   authentication     "generally

refers to additional steps or actions taken beyond the technology

boundaries of a typical transaction."        Id. at 3 n.5.    Examples of

out-of-band authentication include notification to the customer,

callback (voice) verification, e-mail approval from the customer,

and cell phone based challenge/response processes.              The FFIEC

Guidance identifies out-of-band authentication as a useful method

of risk mitigation.    See id. at 11-12.

          2.       User-Selected    Picture:   Ocean   Bank's     security

procedures did not include the user-selected picture function that

was available through Jack Henry's Premium option.            Ocean Bank

states that it did not utilize the user-selected picture function

because it already utilized other anti-phishing5 controls.

          3.     Tokens:    Tokens are physical devices (something the

person has), such as a USB token device, a smart card, or a

password-generating token. The FFIEC Guidance identifies tokens as

a useful part of a multifactor authentication scheme.           See id. at

8.   Tokens were not available from Jack Henry when Ocean Bank

     5
       Phishing involves an attempt to acquire information such as
usernames, passwords, or financial data by a perpetrator
masquerading as a legitimate enterprise.           Typically, the
perpetrator will provide an e-mail or link that directs the victim
to enter or update personal information at a phony website that
mimics an established, legitimate website which the victim either
has used before or perceives to be a safe place to enter
information.

                                   -13-
implemented its system in 2007, but were readily available to

financial   institutions    at   that   time   through   other   sources.

Although People's United Bank has used tokens since at least

January of 2008, Ocean Bank did not do so until after the fraud in

this case occurred.

            4. Monitoring of Risk-Scoring Reports: In May 2009, bank

personnel did not monitor the risk-scoring reports received as part

of the Premium Product package, nor did the bank conduct any other

regular review of transactions that generated high risk scores. In

May 2009, the bank had the capability to conduct manual review of

high-risk    transactions   through     its    transaction-profiling   and

risk-scoring system, but did not do so.           The bank also had the

ability to call a customer if it detected fraudulent activity, but

did not do so.      The bank began conducting manual reviews of

high-risk transactions in late 2009, after the fraud in this case

occurred.   Since then, the bank has instituted a policy of calling

the customer in the case of uncharacteristic transactions to

inquire if the customer did indeed initiate the transaction.

D.          The Fraudulent Transfers

            Beginning on May 7, 2009, a series of withdrawals were

made on Patco's account over the course of several days.

            On May 7, unknown third parties initiated a $56,594 ACH

withdrawal from Patco's account.          The perpetrators supplied the

proper credentials of one of Patco's employees, including her ID,


                                   -14-
password, and answers to her challenge questions.           The payment on

this withdrawal was directed to go to the accounts of numerous

individuals, none of whom had previously been sent money by Patco.

The perpetrators logged in from a device unrecognized by Ocean

Bank's system, and from an IP address that Patco had never before

used.   The risk-scoring engine generated a risk score of 790 for

the transaction, a significant departure from Patco's usual risk

scores, which generally ranged from 10 to 214.                 There is no

evidence that Patco's risk scores prior to the fraudulent transfers

in this case ever exceeded 214.       The risk-scoring engine reported

the following contributors to the risk score for that transaction:

(1) "Very high risk non-authenticated device"; (2) "High risk

transaction   amount";   (3)   "IP    anomaly";    and   (4)   "Risk   score

distributor per cookie age."       An RSA manual describing risk score

contributors states that any transaction triggering the contributor

"Very high risk non-authenticated device" is "a very high-risk

transaction."     Despite   this     high   risk   score,   Patco   was   not

notified.   Moreover, it appears no one at the bank monitored these

high-risk transactions. Bank personnel did not manually review the

May 7, 2009 transaction.       The bank batched and processed the

transaction as usual, and it was paid the next day.

            The activities of May 7 having successfully resulted in

payment, on Friday, May 8, 2009, unknown third parties again

successfully initiated an ACH payment order from Patco's account,


                                   -15-
this time for $115,620.26. As before, the perpetrators wired money

to multiple individual accounts to which Patco had never before

sent funds.     The perpetrators again used a device that was not

recognized by Ocean Bank's system.         The payment order originated

from the same IP address as the day before.          The transaction was

larger by several magnitudes than any ACH transfer Patco had ever

made to third parties.       Despite these unusual characteristics, the

bank again took no steps to notify Patco and batched and processed

the transaction as usual, which was paid by the bank on Monday, May

11, 2009.

            On May 11, 12, and 13, unknown third parties initiated

further withdrawals from Patco's account in the amounts of $99,068,

$91,959, and $113,647, respectively.         Like the prior fraudulent

transactions, these transactions were uncharacteristic in that they

sent money to numerous individuals to whom Patco had never before

sent   funds,   were   for    greater   amounts   than   Patco's   ordinary

third-party transactions, were sent from computers that were not

recognized by Ocean Bank's system, and originated from IP addresses

that were not recognized as valid IP addresses of Patco.              As a

result of these unusual characteristics, the transactions continued

to generate higher than normal risk scores. The May 11 transaction

generated a risk score of 720, the May 12 transaction triggered a

risk score of 563, and the transaction on May 13 generated a risk




                                    -16-
score of 785.      The Bank did not manually review any of these

transactions to determine their legitimacy or notify Patco.

             Portions of the transfers, beginning with the first

transfer initiated on May 7, 2009, were automatically returned to

the bank because certain of the account numbers to which the money

was slated to be transferred were invalid.      As a result, the bank

sent limited "return" notices to the home of Mark Patterson, one of

Patco's principals, via U.S. mail.      Patterson received the first

such notice after work on the evening of May 13, six days after the

allegedly fraudulent withdrawals began.

             The next morning, on May 14, 2009, Patco called the bank

to inform it that Patco had not authorized the transactions.          Also

on the morning of May 14, another alleged fraudulent transaction

was initiated from Patco's account in the amount of $111,963.

Despite the information from Patco, the bank initially processed

this payment order on May 15, 2009.     However, because of the alert

from Patco of the ongoing fraud, the bank then took steps to block

completion of a portion of this transaction and recovered a portion

of the transferred funds shortly thereafter.

             At the end of the string of thefts, the amount of money

fraudulently withdrawn from Patco's account totaled $588,851.26, of

which   $243,406.83   was   automatically   returned   or   blocked    and

recovered.




                                 -17-
            According to Ocean Bank, on May 14, 2009, immediately

after the allegedly fraudulent withdrawals occurred, the bank gave

instructions to Patco.        It instructed Patco to disconnect the

computers it used for electronic banking from its network; to stop

using these computers for work purposes; to leave the computers

turned on; and to bring in a third-party forensic professional or

law enforcement to create a forensic image of the computers to

determine whether a security breach had occurred.                  Ocean Bank

claims,   and   Patco   disputes,   that    Patco   did   not   isolate   its

computers or forensically preserve the hard drives; and that Patco

employees   continued    to   use   their   computers     during    the   week

following the alleged fraud.        In another dispute of fact, Patco

states that Ocean Bank recommended only that Patco check its system

for a security breach using a third-party forensic professional,

which Patco did.

            Shortly after the fraudulent transfers, Patco hired an IT

consultant, who ran anti-malware scans on the computers. A remnant

of a Zeus/Zbot malware was found.      However, the Zeus/Zbot malware,

which contained the encryption key for the Zeus/Zbot configuration

file, was quarantined and then deleted by the anti-malware scan.

Without the encryption key, it is impossible to decrypt the

configuration file and identify what information, if any, the

Zeus/Zbot malware would have captured, if in fact it was of a type

that would have intercepted authentication credentials.


                                    -18-
                                     II.

           On September 18, 2009, Patco filed suit against People's

United in Maine Superior Court, York County.                    The complaint

included six counts: (I) liability under Article 4A of the Uniform

Commercial Code ("UCC"); (II) negligence; (III) breach of contract;

(IV) breach of fiduciary duty; (V) unjust enrichment; and (VI)

conversion.    On October 9, 2009, People's United removed the case

to the United States District Court for the District of Maine.

           On August 27, 2010, Patco moved for summary judgment on

Count I, its claim under Article 4A of the UCC.            That same day, the

bank moved for summary judgment on all six counts.                 On May 27,

2011, the magistrate judge issued a recommended decision on the

cross-motions for summary judgment.          Patco Constr. Co. v. People's

United Bank, No. 09–cv–503, 2011 WL 2174507 (D. Me. May 27, 2011).

The magistrate judge determined both that the bank's security

procedures were commercially reasonable, id. at *32-34, and that

Patco had agreed to those procedures, id. at *24-25.               Therefore,

the magistrate concluded, Patco -- not the bank -- bore the loss of

the fraudulent transfers.          Id. at *34.           The magistrate also

determined that Counts II-IV of Patco's complaint were displaced by

the provisions of Article 4A, and that Counts V and VI failed along

with   Count   I   because   the   bank    could   not   have   been   unjustly

enriched, or have wrongly converted Patco's funds, if it employed

commercially reasonable security procedures.                Id. at *34-35.


                                     -19-
Accordingly, the magistrate recommended that the district court

grant the bank's motion for summary judgment and deny that of

Patco.    Id. at *35.

              Patco objected to the recommended decision on June 13,

2011, and People's United responded to Patco's objection on June

27, 2011.       On August 4, 2011, the district court adopted the

magistrate's recommendation in full.      It granted People's United's

motion for summary judgment, denied Patco's motion for summary

judgment, and found the parties' outstanding motions to be moot.

On September 6, 2011, Patco appealed.

                                  III.

              We review orders granting or denying summary judgment de

novo.     Certain Interested Underwriters at Lloyd's, London v.

Stolberg, 680 F.3d 61, 65 (1st Cir. 2012).           In doing so, we

consider the record and all reasonable inferences in the light most

favorable to the non-moving party.       Id.

              We affirm only if there is no genuine dispute as to any

material fact and the movant is entitled to judgment as a matter of

law.    Id.   "A dispute is genuine if the evidence about the fact is

such that a reasonable jury could resolve the point in the favor of

the non-moving party."      Rodríguez-Rivera v. Federico Trilla Reg'l

Hosp. of Carolina, 532 F.3d 28, 30 (1st Cir. 2008) (quoting

Thompson v. Coca-Cola Co., 522 F.3d 168, 175 (1st Cir. 2008)).     "A

fact is material if it has the potential of determining the outcome


                                  -20-
of the litigation."        Id. (quoting Maymí v. P.R. Ports Auth., 515

F.3d 20, 25 (1st Cir. 2008)).

A.          Article 4A of the UCC

            The claim under Count I is governed by Article 4A of the

UCC, which was meant to govern the rights, duties, and liabilities

of banks and their commercial customers with respect to electronic

funds transfers.      See Me. Rev. Stat. Ann. tit. 11, § 4-1102 cmt.

Article 4A was enacted in toto by Maine in 1991, well before the

transfers at issue in this case.6          Id. § 4-1101.

            Article   4A   was   developed    to   address   wholesale   wire

transfers    and   commercial     ACH   transfers,      generally   between

businesses and their financial institutions.7           Id. § 4-1102 cmt.



     6
         In its enactment of Article 4A, the Maine legislature
provided that while "the text of that uniform act has been changed
to conform to Maine statutory conventions[, . . . u]nless otherwise
noted in a Maine comment, the changes are technical in nature and
it is the intent of the Legislature that this Act be interpreted as
substantively the same as the uniform act." 1992 Me. Legis. Serv.
ch. 812, § 3.
     7
           By   contrast,   consumer   payments   that   are   made
electronically, such as through direct wiring or the use of a debit
card, are covered by a separate federal statute, the Electronic
Fund Transfer Act (EFTA), 15 U.S.C. § 1693 et seq. Article 4A does
not apply to any funds transfer that is covered by the EFTA; the
two are mutually exclusive. Me. Rev. Stat. Ann. tit. 11, § 4-1108
& cmt. The drafters of Article 4A felt that a separate framework,
apart from the more consumer-focused EFTA, was needed to cover
electronic transfers between commercial institutions because of the
sheer volume and magnitude of such transfers. Id. Art. 4-A, Refs.
& Annots. cmt. At the time of Article 4A's drafting, the volume of
payments by non-consumer wire transfer exceeded well over one
trillion dollars per day and the dollar volume of payments made by
wire transfer far exceeded the dollar volume of payments made by
other means. Id.

                                    -21-
Before Article 4A was drafted, "there was no comprehensive body of

law -- statutory or judicial -- that defined the juridical nature

of a [commercial] funds transfer or the rights and obligations

flowing from payment orders."      Id.   Instead, judges relied on

general principles of common law, sought guidance from other

provisions of the UCC, or analogized to laws applicable to other

payment methods. Id.   The drafters of Article 4A sought to deliver

clarity to this area of law by "us[ing] precise and detailed rules

to assign responsibility, define behavioral norms, allocate risks

and establish limits on liability" in order to allow parties to

predict and insure against risk with greater certainty, given the

very large amounts of money involved in commercial funds transfers.

Id.

          Importantly, the drafters also sought to clarify the

interaction between the new provisions of Article 4A and existing

remedies under the common law:

          Funds transfers involve competing interests --
          those of the banks that provide funds transfer
          services and the commercial and financial
          organizations that use the services, as well
          as the public interest.       These competing
          interests were represented in the drafting
          process and they were thoroughly considered.
          The rules that emerged represent a careful and
          delicate balancing of those interests and are
          intended to be the exclusive means of
          determining the rights, duties and liabilities
          of the affected parties in any situation
          covered by particular provisions of the
          Article. Consequently, resort to principles
          of law or equity outside of Article 4A is not
          appropriate to create rights, duties and

                                 -22-
            liabilities inconsistent with those stated in
            this Article.


Id.   The drafters "intended that Article 4A would be supplemented,

enhanced, and in some places, superceded by other bodies of law

. . . [T]he Article is intended to synergize with other legal

doctrines," so long as those doctrines are not inconsistent with

the rights, duties, and liabilities established in Article 4A.

Regions Bank v. Provident Bank, Inc., 345 F.3d 1267, 1275 (11th

Cir. 2003) (omission in original) (quoting Baxter & Bhala, The

Interrelationship of Article 4A with Other Law, 45 Bus. Law. 1485,

1485 (1990)) (internal quotation mark omitted). Article 4A further

provides that, in general, the parties may not vary by agreement

any rights and obligations arising under Article 4A.    See Me. Rev.

Stat. Ann. tit. 11, § 4-1202(6).

            Under Article 4A, a bank receiving a payment order

ordinarily bears the risk of loss of any unauthorized funds

transfer.    Id. § 4-1204.   The bank may shift the risk of loss to

the customer in one of two ways, one of which involves the

commercial reasonableness of security procedures and one of which

does not.     First, the bank may show that the "payment order

received . . . is the authorized order of the person identified as

sender if that person authorized the order or is otherwise bound by

it under the law of agency."   Id. § 4-1202(1).   But, as the Article

4A commentary explains, "[i]n a very large percentage of cases


                                 -23-
covered by Article 4A, . . . [c]ommon law concepts of authority of

agent to bind principal are not helpful" because the payment order

is transmitted electronically and the bank "may be required to act

on the basis of a message that appears on a computer screen."    Id.

§ 4-1203 cmt. 1.

          If the sender of the payment order had no authority to

act for the customer, and there are no additional facts on which

estoppel might be found, the "Customer is not liable to pay the

order and [the] Bank takes the loss."    Id. cmt. 2.   In such cases,

"these legal principles [of agency] give the receiving bank very

little protection . . . .   The only remedy of [the] Bank is to seek

recovery from the person who received payment as beneficiary of the

fraudulent order."   Id. cmts. 1, 2.

          Accordingly, the drafters provided a second way by which

a bank may shift the risk of loss and protect itself whether or not

the payment order is authorized.        This, in turn, has several

components:

          If a bank and its customer have agreed that
          the authenticity of payment orders issued to
          the bank in the name of the customer as sender
          will be verified pursuant to a security
          procedure, a payment order received by the
          receiving bank is effective as the order of
          the customer, whether or not authorized, if:

               (a)   The   security   procedure   is  a
               commercially    reasonable   method   of
               providing security against unauthorized
               payment orders; and



                                -24-
                (b) The bank proves that it accepted the
                payment order in good faith and in
                compliance with the security procedure
                and any written agreement or instruction
                of the customer restricting acceptance of
                payment orders issued in the name of the
                customer. The bank is not required to
                follow an instruction that violates a
                written agreement with the customer or
                notice of which is not received at a time
                and in a manner affording the bank a
                reasonable opportunity to act on it
                before the payment order is accepted.

Id. § 4-1202(2).

          In turn, Article 4A defines a security procedure as:

          [A] procedure established by agreement of a
          customer and a receiving bank for the purpose
          of: (1) Verifying that a payment order or
          communication amending or cancelling a payment
          order is that of the customer; or (2)
          Detecting error in the transmission or the
          content of the payment order or communication.

Id. § 4-1201.   One question raised in this appeal is the scope of

any agreement reached.

          The UCC explains that the "[c]ommercial reasonableness of

a security procedure is a question of law" to be determined by the

court.   Id. § 4-1202(3).   There are two ways by which a security

procedure may be shown to be commercially reasonable.   First is by

reference to:

          [T]he wishes of the customer expressed to the
          bank, the circumstances of the customer known
          to the bank, including the size, type and
          frequency of payment orders normally issued by
          the customer to the bank, alternative security
          procedures offered to the customer and
          security   procedures   in   general  use   by


                               -25-
             customers   and    receiving    banks      similarly
             situated.

Id. § 4-1202(3).     The Article is explicit that "[t]he standard is

not whether the security procedure is the best available.              Rather

it is whether the procedure is reasonable for the particular

customer and the particular bank . . . ."             Id. § 4-1203 cmt. 4.

The   UCC    explains    that   "[t]he    burden   of       making   available

commercially reasonable security procedures is imposed on receiving

banks because they generally determine what security procedures can

be used and are in the best position to evaluate the efficacy of

procedures offered to customers to combat fraud."              Id. cmt. 3.

             Secondly,   the    Article     creates     a    presumption     of

reasonableness under certain circumstances, not applicable here.

A security procedure is deemed to be commercially reasonable if:

             (a) The security procedure was chosen by the
             customer after the bank offered and the
             customer refused, a security procedure that
             was commercially reasonable for that customer;
             and

             (b) The customer expressly agreed in writing
             to be bound by any payment order, whether or
             not authorized, issued in its name and
             accepted by the bank in compliance with the
             security procedure chosen by the customer.

Id. § 4-1202(3).     Of course, if the security procedure offered by

the bank was not commercially reasonable, then the provision does

not apply.     Id. § 4-1203 cmt. 4.

             If the bank shows both that its security procedure was

commercially reasonable and that it accepted the payment order "in

                                   -26-
good faith and in compliance with the security procedure," the

payment order is effective as an authorized order of the customer.

Id. §§ 4-1202(2)(b), 4-1203(1).              In such a case, the bank may,

"[b]y express written agreement, . . . limit the extent to which it

is entitled to enforce or retain payment of the payment order."

Id. § 4-1203(1)(a).

            Once the bank has shown commercial reasonableness, the

customer may shift the risk of loss back to the bank if the

customer proves that the order was not "caused, either directly or

indirectly, by a person":

            (i) Entrusted at any time with duties to act
            for the customer with respect to payment
            orders or the security procedure or who
            obtained access to transmitting facilities of
            the customer; or

            (ii) Who obtained from a source controlled by
            the customer and without authority of the
            receiving bank information facilitating breach
            of the security procedure, regardless of how
            the information was obtained or whether the
            customer was at fault. Information includes
            any access device, computer software or the
            like.

Id. § 4-1203(1)(b).       As the commentary explains, this section of

the   UCC   places   a   burden   on   the    customer,   when    the   security

procedure is commercially reasonable, "to supervise its employees

to assure compliance with the security procedure and to safeguard

confidential    security    information       and   access   to   transmitting

facilities so that the security procedure cannot be breached." Id.

§ 4-1203 cmt. 3.

                                       -27-
           If the bank does not make its showing of commercial

reasonableness, then the analysis goes back to the question of

agency   under    §   4-1202(a),       described     above.       If   the    court

determines, under any of these provisions, that the bank bears the

risk of loss, "the bank shall refund any payment of the payment

order received from the customer to the extent the bank is not

entitled   to    enforce     payment    and    shall     pay   interest      on   the

refundable amount calculated from the date the bank received

payment to the date of the refund."            Id. § 4-1204(1).

B.         Ocean Bank's Motion for Summary Judgment

           Ocean Bank argues that because Patco agreed to the

security system in use, and because the security system was

commercially reasonable, it is entitled to summary judgment.

           Patco counters that the bank's security system was not

commercially reasonable, that it did not agree to all of the

procedures,     and   that   the   bank      did   not   comply    with   its     own

procedures.

           As to commercial reasonableness, Patco argues the bank's

decision to lower the dollar amount rule to $1 increased the risk

of compromised security, and that the bank's failure in light of

this increased risk to monitor and immediately notify customers of

abnormal   transactions       which    met    high   risk      criteria   was     not

commercially reasonable. Patco also argues that it was not offered

and it did not decline an e-mail notice system for transactions.


                                       -28-
                Essentially, Patco argues that when Ocean Bank decided in

June of 2008 to trigger challenge questions for any transaction

over $1, the bank increased the frequency with which a user was

required to enter the answers to his or her challenge questions.

Indeed, at a $1 threshold, the frequency as to Patco became 100%,

covering every transaction.                 For customers like Patco who made

regular ACH transfers, the risks were even greater than for

customers who rarely made such transfers.                     This, in turn, also

increased the risk that such answers would be compromised by

keyloggers8 or other malware that would capture that information

for unauthorized uses.               By thus increasing the risk of fraud

through unauthorized use of compromised security answers, Patco

argues, Ocean Bank's security system failed to be commercially

reasonable because it did not incorporate additional security

measures,        at     the   very   least    monitoring     of    high    risk   score

transactions,           use   of   e-mail    alerts   and    inquiries,      or   other

immediate notice to customers of high-risk transactions.

                In our view, Ocean Bank did substantially increase the

risk       of   fraud    by   asking   for     security     answers   for    every    $1

transaction,          particularly     for    customers     like   Patco    which    had


       8
        A "keylogger" is a form of computer malware, or malicious
code, capable of infecting a user's system, secretly monitoring the
user's Internet activity, recognizing when the user has browsed to
the website of a financial institution, and recording the user's
key strokes on that website. In this way, the keylogger is able to
capture a user's authentication credentials, which the keylogger
then transmits to a cyber thief.

                                             -29-
frequent, regular, and high dollar transfers.                      Then, when it had

warning    that      such    fraud       was    likely     occurring    in    a    given

transaction, Ocean Bank neither monitored that transaction nor

provided notice to customers before allowing the transaction to be

completed.      Because it had the capacity to do all of those things,

yet failed to do so, we cannot conclude that its security system

was commercially reasonable.                   We emphasize that it was these

collective failures taken as a whole, rather than any single

failure, which rendered Ocean Bank's security system commercially

unreasonable.

               The Jack Henry Premium Product was designed to harness

the    power    of   the    risk-scoring        system     and    included   a    device

identification        system        to   trigger     an     additional       layer    of

authentication -- challenge questions -- whenever the bank's system

detected unusual or suspicious transactions.                     In May of 2009, bank

personnel did not monitor the risk-scoring reports, nor did the

bank    conduct      any    other    regular      review    of    transactions       that

generated high risk scores.              Thus, the only result of a high risk

score or an unidentified device was that a customer would be

prompted to answer his or her challenge questions.

               When Ocean Bank lowered the dollar amount rule from

$100,000 to $1, it essentially deprived the complex Jack Henry

risk-scoring system of its core functionality.                         The $1 dollar

amount rule guaranteed that challenge questions would be triggered


                                           -30-
on every transaction unless caught by a separate eFraud network

which depended on the use of known fraudulent IP addresses.         The

eFraud network was of no use if the address and like information

were not already known to law enforcement.         Accordingly, cyber

criminals equipped with keyloggers had the much more frequent

opportunity to capture all information necessary to compromise an

account every time the customer initiated an ACH transaction.        In

Patco's case, ACH transactions were initiated at least weekly, and

often several times per week.    In the event a customer's computer

became infected with a keylogger, it was likely that the customer

would be prompted to answer its challenge questions before the

malware was discovered and removed from the customer's computer.

           Patco's argument is supported both by evidence and by

common sense.     Patco's expert testified that at the times in

question, keylogging malware was a persistent problem throughout

the   financial   industry.     It   was   foreseeable,   against   this

background, that triggering the use of the same challenge questions

for high-risk transactions as were used for ordinary transactions,

was ineffective as a stand-alone backstop to password/ID entry.

Indeed, it was well known that setting challenge questions to be

asked on every transaction greatly increases the risk that a

fraudster equipped with a keylogger would be able to access the

answers to a customer's challenge questions because it increases




                                 -31-
the frequency with which such information is entered through a

user's keyboard.

          As early as 2005, RSA/Cyota cautioned against the regular

and frequent use of challenge questions as a stand-alone backstop

to the exclusion of further controls, stating that challenge

questions were "quicker and simpler to adopt" but were "less

secure," and should be used only "in the short term, as the first

phase of a full project."           According to RSA/Cyota, challenge

questions should be triggered only selectively, when unusual or

suspicious activity is detected, so that they are less likely to be

asked after a keylogger is installed on a customer's computer and

before it can be removed.      When asked frequently, they should not

be used as the only line of defense beyond a password/ID, since a

password/ID    and   answers   to   challenge   questions   could   all   be

simultaneously captured by a keylogger.

          Ocean Bank's decision to set the dollar amount rule at $1

for all of its customers also ignored Article 4A's mandate that

security procedures take into account "the circumstances of the

customer" known to the bank.        Id. § 4-1202(3).   Article 4A directs

banks to consider such circumstances as "the size, type and

frequency of payment orders normally issued by the customer to the

bank."   Id.   In Patco's case, these characteristics were regular

and predictable.      Patco used eBanking primarily to make payroll

payments to employees.     These payments were made weekly, generally


                                     -32-
on Fridays; they originated from a single static IP address; and

they were always made from the same set of computers at Patco's

offices in Sanford, Maine.          The highest such payment Patco ever

made was $36,634.74, well below the former $100,000 threshold. The

bank does not assert that it ever offered to adjust the threshold

amount for particular customers. Instead, the bank adopted a "one-

size-fits-all" dollar amount rule of $1 for its customers.

            Ocean Bank argues that it did take Patco's circumstances

into account by building a risk profile based on Patco's eBanking

habits,     such    that    the   security      system    could       compare   the

characteristics      of    each   transaction    against      those    in   Patco's

profile.9    This argument misses the mark because, in fact, the risk

profile information played no role.              It triggered no additional

authentication requirements, and the bank did nothing with the

information generated by comparing the fraudulent transactions

against Patco's profile.

            Ocean    Bank    also    argues     that     it   was     commercially

reasonable for it to universally lower the dollar amount rule to $1

in order to target low-dollar fraud.            Whether or not that is true

for certain customers, it is beside the point.                Here, the increase


     9
        The bank also argues that it took Patco's circumstances
into account by setting Patco's ACH withdrawal limit based on its
specific needs. As the district court correctly noted, however,
ACH limits do not constitute a "security procedure" under Article
4A and thus have no bearing on the commercial reasonableness
analysis.    Patco Constr. Co. v. People's United Bank, No.
09–cv–503, 2011 WL 2174507, at *28 n.131 (D. Me. May 27, 2011).

                                      -33-
in    risk     to   the   consumer   who    engaged    in   regular     high     dollar

transfers, such as Patco, was sufficiently serious to require a

corollary increase in security measures for a security system to

remain commercially reasonable. The bank's generic "one-size-fits-

all" approach to customers violates Article 4A's instruction to

take the customer's circumstances into account.                       Further, the

reduction of the dollar amount rule to $1 was for commercial

customers, who are quite unlikely to have transfers of less than

$1.

                Ocean Bank introduced no additional security measures in

tandem with its decision to lower the dollar amount rule, despite

the fact that several such security measures were not uncommon in

the industry and were relatively easy to implement. Patco's expert

testified that all of her other banking clients using the same Jack

Henry        Premium   Product   employed     manual   reviews     or     some   other

additional security measure to protect against the type of fraud

that occurred in this case.

                For example, by May 2009, internet banking security had

largely        moved   to   hardware-based        tokens    and   other    means     of

generating "one-time" passwords.10 As of then, People's United Bank

        10
        Although tokens can be compromised, bypassing them requires
greater sophistication than is needed to obtain challenge
questions. The perpetrator must use the information within seconds
of acquiring it, before the system generates a new password to
replace the old. The answers to challenge questions, by contrast,
may be used at the perpetrator's leisure, particularly when, as was
the case at Ocean Bank, the answers are static. Even if a token
had been used and compromised in this case, the magnitude of the

                                           -34-
(which had acquired Ocean Bank), several national banks, and many

New England community banks were using tokens for commercial

accounts.    Of those banks that did not use tokens in May 2009, New

England community banks commonly used some form of manual review or

customer     verification    to     authenticate       uncharacteristic    or

suspicious transactions.         Such security procedures self-evidently

would not have been difficult to implement.11

             This failure to implement additional procedures was

especially unreasonable in light of the bank's knowledge of ongoing

fraud.     As early as 2008, Ocean Bank had received notification of

substantial    increases    in    internet     fraud   involving   keylogging

malware.    By May 2009, Ocean Bank had itself experienced at least

two incidents of fraud on the bank's system which it attributed to

either keylogging malware or internal fraud.             In both instances,

the   perpetrators    had   acquired     and    successfully   applied    the

customer's passwords, IDs, and answers to challenge questions.

             Thus, by May 2009, when the fraud in this case occurred,

it was commercially unreasonable for Ocean Bank's security system

to trigger nothing more than what was triggered in the event of a




resulting fraud would have been greatly reduced because the
captured password could not have been used after the initial
transaction.
      11
         Indeed, shortly after the fraud in this case occurred,
Ocean Bank began conducting manual reviews of suspect transactions.
Now, transactions that generate high risk scores are personally
reviewed by Ocean Bank personnel to determine their legitimacy.

                                     -35-
perfectly ordinary transaction in response to the high risk scores

that were generated by the withdrawals from Patco's account.               The

payment orders at issue were entirely uncharacteristic of Patco's

ordinary transactions: they were directed to accounts to which

Patco had never before transferred money; they originated from

computers Patco had never before used; they originated from an IP

address that Patco had never before used; and they specified

payment    amounts   significantly    higher    than     the   payments   Patco

ordinarily made to third parties. As a result, the security system

flagged these transactions as uncharacteristic, highly suspicious,

and potentially fraudulent from a "very high risk non-authenticated

device."     The transactions generated unprecedentedly high risk

scores ranging from 563 to 790, well above Patco's regular risk

scores which ranged from 10 to 214.

            These collective failures, taken as a whole, rendered

Ocean Bank's security procedures commercially unreasonable.                 We

reverse the district court's grant of summary judgment as to Count

I.

            That does not, however, end the matter, even as to Count

I.   The issues briefed to us on appeal have largely involved

commercial    reasonableness.    Our        conclusion    that   the   security

procedures were not commercially reasonable does not end the

analysis of the Article 4A issues.           Our conclusion as to Count I

and commercial reasonableness does, though, also lead us to vacate


                                     -36-
the district court's grant of summary judgment on the two claims --

Count V (unjust enrichment) and Count VI (conversion) -- which the

district court considered to be dependent on the success of Count

I.

C.        Patco's Motion for Summary Judgment

          We affirm the district court's decision to deny Patco's

motion for summary judgment.    There remain several genuine and

disputed issues of fact which may be material to the question of

whether Patco has satisfied its obligations and responsibilities

under Article 4A, or at least to the question of damages.      The

district court did not reach, and the parties have not briefed, the

question of what, if any, obligations or responsibilities Article

4A imposes on a commercial customer even where a bank's security

system is commercially unreasonable. We leave these questions open

on remand so that the district court may, after briefing, assess

whether such obligations exist, either for liability purposes or

for mitigation of damages.

          As to the genuine and disputed issues of fact, the

parties dispute the facts surrounding Patco's lack of e-mail

alerts.   Patco alleges that it requested e-mail alerts from the

bank, but that the bank ignored these requests and never notified

Patco when e-mail alerts became available to bank customers.   The

bank counters with its own allegation that it sent out a general

e-mail to customers that it would make e-mail alerts available.


                               -37-
Patco states that it received no such e-mail, and that instead, a

customer would have had to follow a complicated series of steps to

find an "Alerts" tab on the bank's website in order to learn that

such e-mail alerts had become available.        Moreover, Patco alleges

that its account was not even set up with an "Alerts" tab; that the

account only features a "Preferences" tab.           While one of Patco's

employees did successfully navigate to the "Preferences" tab, she

alleges she never saw an "Alerts" tab. Additionally, neither party

has submitted into the record an example of such an e-mail alert or

specified when such an e-mail alert would have been sent, such that

it is unclear what Patco would have learned from such an e-mail

alert and whether and when such an e-mail would have placed Patco

on notice of the fraudulent transfer.

            The parties also disagree as to whether the fraud in this

case was caused by malware and keylogging in the first place, or

whether Patco shares some responsibility.        Ocean Bank argues that

because Patco irreparably altered the evidence on its hard drives

by using and scanning its computers before making forensic copies,

it   is   unclear   whether   keylogging   malware   existed   on   Patco's

computers and enabled the alleged fraud.       These disputed issues of

fact may be material.

            Article 4A does not appear to be a one-way street.

Commercial customers have obligations and responsibilities as well,

under at least § 4-1204.       See Me. Rev. Stat. Ann. tit. 11, § 4-


                                   -38-
1204; but see id. § 4-1102 cmt. ("Resort to principles of law or

equity outside of Article 4A is not appropriate to create rights,

duties and liabilities inconsistent with those stated in this

Article.").        Section 4-1204, entitled "Refund of payment and duty

of customer to report with respect to unauthorized payment order,"

provides:

              The customer is not entitled to interest from
              the bank on the amount to be refunded if the
              customer fails to exercise ordinary care to
              determine that the order was not authorized by
              the customer and to notify the bank of the
              relevant facts within a reasonable time not
              exceeding 90 days after the date the customer
              received notification from the bank that the
              order was accepted or that the customer's
              account was debited with respect to the order.

Id.   §    4-1204(1).12        It    is   unclear,     however,    what,   if   any,

obligations a commercial customer has when a bank's security system

is found to be commercially unreasonable.

              In short, we leave open for the parties to brief on

remand       the    question        of    what,   if     any,     obligations    or

responsibilities are imposed on a commercial customer under Article

4A    even     where    a   bank's        security     system     is   commercially




      12
        The commentary describes this burden on the customer as a
duty of ordinary care which is designed to encourage the customer
to promptly notify the bank about any instances of fraud so that
the bank can minimize its losses. Me. Rev. Stat. Ann. tit 11, § 4-
1204 cmt. 2. The commentary clarifies that a breach of this duty
results only in a loss of the interest on the refund payable by the
bank, but not a loss of the refund itself. Id.

                                          -39-
unreasonable.   The record requires further development on these

issues, precluding summary judgment at this stage.

D.        Dismissal of Counts II-IV

          The district court concluded that Article 4A "preempts"13

Patco's remaining common law claims: Count II (negligence), Count

III (breach of contract), and Count IV (breach of fiduciary duty).

The district court based its analysis on the commentary to § 4-

1102, which provides:

          Funds transfers involve competing interests --
          those of the banks that provide funds transfer
          services and the commercial and financial
          organizations that use the services, as well
          as the public interest.       These competing
          interests were represented in the drafting
          process and they were thoroughly considered.
          The rules that emerged represent a careful and
          delicate balancing of those interests and are
          intended to be the exclusive means of
          determining the rights, duties and liabilities
          of the affected parties in any situation
          covered by particular provisions of the
          Article. Consequently, resort to principles
          of law or equity outside of Article 4A is not
          appropriate to create rights, duties and
          liabilities inconsistent with those stated in
          this Article.

Id. § 4-1102 cmt.

          This language does not, on its face, displace Patco's

Count III for breach of contract or Count IV for breach of



     13
        This use of the term has nothing to do with the standard
legal use of "preemption," which involves the question of whether
federal law precludes a state from regulating on the same topic.
See, e.g., Kurns v. R.R. Friction Prods. Corp., 132 S. Ct. 1261,
1265-66 (2012). We prefer different terminology.

                               -40-
fiduciary   duty.14   We   adopt   the    test,   as   set   forth   in   the

commentary, that Article 4A embodies an intent to restrain common

law claims only to the extent that they create rights, duties, and

liabilities inconsistent with Article 4A. See Ma v. Merrill Lynch,

Pierce, Fenner & Smith, Inc., 597 F.3d 84, 89 (2d Cir. 2010);

Regions Bank, 345 F.3d at 1275.

            The common law claims of breach of contract and breach of

fiduciary duty are not inherently inconsistent with Patco's Article

4A claim.    At least in theory, there could be, either by contract

or through assumption of fiduciary duties,15 higher standards which

are imposed on the bank.    Indeed, courts have held that plaintiffs

may turn to common law remedies to seek redress for an alleged harm

arising from a funds transfer where Article 4A does not protect

against the underlying injury or misconduct alleged.            See, e.g.,

Ma, 597 F.3d at 89-90; Regions Bank, 345 F.3d at 1275; see also

White & Summers, Uniform Commercial Code §§ 1-2, at 132 (1993

pocket part) ("With the adoption of Article 4A, electronic funds


     14
         We do not address whether Patco otherwise states a claim
for breach of fiduciary duty under Maine Law, see, e.g., Stewart v.
Machias Sav. Bank, 762 A.2d 44, 46 & n.1 (Me. 2000), or for that
matter, breach of contract, see, e.g., Seashore Performing Arts
Ctr., Inc. v. Town of Old Orchard Beach, 676 A.2d 482, 484 (Me.
1996).
     15
         We disagree with the district court's conclusion that
inconsistency is demonstrated merely because "[t]he gravamen of all
three counts is precisely the same as that of Count I: that the
Bank failed to employ proper security procedures, as a result of
which Patco suffered the loss in question." Patco Constr. Co.,
2011 WL 2174507, at *35.

                                   -41-
transactions are governed not only by Article 4A, but also common

law . . . .").   We vacate the dismissal and leave the issue of

these two causes of action open on remand to be considered anew.

          The closer question is whether Article 4A, on the facts

of this case,16 displaces the claim for negligence.     That is, are

the negligence claims inconsistent with the duties and liability

limits set forth in Article 4A.    We think they are, inasmuch as the

standard for the duty of care as to both sides is set forth in

Article 4A and its limitation of liability.      See Ma, 597 F.3d at

89-90 (interpreting Article 4A to displace common law claims, such

as negligence, where Article 4A has already specified the relevant

duties and "protect[ions] against the type of underlying injury or

misconduct alleged in a claim"); Donmar Enters., Inc. v. S. Nat'l

Bank of N.C., 64 F.3d 944, 949-50 (4th Cir. 1995) (holding that



     16
        This case is not like Regions Bank in the sense that there
a beneficiary bank accepted funds it knew or had reason to know
were fraudulently obtained, and the court held other state law
remedies for fraud were not inconsistent with Article 4A. As the
court said:
          Interpreting Article 4A in a manner that would
          allow a beneficiary bank to accept funds when
          it knows or should know that they were
          fraudulently obtained, would allow banks to
          use Article 4A as a shield for fraudulent
          activity.    It could hardly have been the
          intent of the drafters to enable a party to
          succeed in engaging in fraudulent activity, so
          long as it complied with the provisions of
          Article 4A.
Regions Bank v. Provident Bank, Inc., 345 F.3d 1267, 1276 (11th
Cir. 2003).



                                  -42-
negligence claims are in conflict with, and therefore displaced by,

Article 4A); cf. Anderson v. Hannaford Bros. Co., 659 F.3d 151, 161

(1st Cir. 2011) (where Maine law is clear that certain damages on

given facts are not available regardless of theory pled, Maine law

will not under new cause of action allow such damages).      So we

affirm the dismissal of the negligence claims.

                               IV.

          We reverse the district court's grant of summary judgment

in favor of the bank, and affirm the district court's denial of

Patco's motion for summary judgment.       We remand for further

proceedings in accordance with this opinion. On remand the parties

may wish to consider whether it would be wiser to invest their

resources in resolving this matter by agreement.

          No fees are awarded; each side shall bear its own costs.




                               -43-
