LYNCH, Chief Judge.

Over seven days in May 2009, Ocean Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the perpetrators correctly supplied Patco's customized answers to security questions. Although the bank's security system flagged each of these transactions as unusually "high-risk" because they were inconsistent with the timing, value, and geographic location of Patco's regular payment orders, the bank's security system did not notify its commercial customers of this information and allowed the payments to go through. Ocean Bank was able to block or recover $243,406.83, leaving a residual loss to Patco of $345,444.43.

Patco brought suit, setting forth six counts against People's United Bank, a regional bank which had acquired Ocean Bank. The suit alleged, inter alia, that the bank should bear the loss because its security system was not commercially reasonable under Article 4A of the Uniform Commercial Code ("UCC"), as codified under Maine Law at Me.Rev.Stat. Ann. tit. 11, § 4-1101 et seq., and that Patco had not consented to the procedures.

On cross-motions for summary judgment,1 the district court held that the bank's security system was commercially reasonable and on that basis entered judgment in favor of the bank on the first count. Patco Constr. Co. v. People's United Bank, No. 09-cv-503, 2011 WL 3420588 (D.Me. Aug. 4, 2011). The district court also granted summary judgment in favor of the bank on the remaining counts, holding that they were either dependent on or displaced by the analysis and law underlying the first count. Id.

We reverse the district court's grant of summary judgment in favor of the bank and affirm its denial of Patco's motion for summary judgment on the first count. In particular, we leave open the question of what, if any, obligations or responsibilities Article 4A imposes on Patco. We also reinstate certain other claims dismissed by the district court, and remand for proceedings consistent with this opinion.

I.

The facts, which are largely undisputed, are as follows. Where the facts remain in dispute, we relate them in the light most favorable to Patco, the non-moving party. See Valley Forge Ins. Co. v. Field, 670 F.3d 93, 96-97 (1st Cir.2012).

A. The Parties

Patco is a small property development and contractor business located in Sanford, Maine. Patco began banking with Ocean Bank in 1985. Ocean Bank was acquired by the Chittenden family of banks, which was later acquired by People's United Bank, a regional bank based in Bridgeport, Connecticut. People's United Bank operates other local Maine banks such as Maine Bank & Trust, where Patco also had an account in May 2009. Ocean Bank was a division of People's United at the time of the fraudulent withdrawals at issue in this case.

In September 2003, Patco added internet banking-also known as "eBanking" — to its commercial checking account at Ocean Bank. Ocean Bank allows its eBanking commercial customers to make electronic funds transfers through Ocean Bank via the Automated Clearing House ("ACH") network, a system used by banks to transfer funds electronically between accounts. Patco used eBanking primarily to make regular weekly payroll payments. These regular payroll payments had certain repeated characteristics: they were always made on Fridays; they were always initiated from one of the computers housed at Patco's offices in Sanford, Maine; they originated from a single static Internet Protocol ("IP") address;2 and they were accompanied by weekly withdrawals for federal and state tax withholding as well as 401(k) contributions. The highest payroll payment Patco ever made using eBanking was $36,634.74. Until October of 2008, Patco also used eBanking to transfer money from the accounts of Patco and related entities at Maine Bank & Trust, which maintains a branch in Sanford, Maine, into its Ocean Bank checking account.

In September 2003, when it added eBanking services, Patco entered into several agreements with Ocean Bank.3 Most significantly, Patco entered into the eBanking for Business Agreement. The eBanking agreement stated that "use of the Ocean National Bank's eBanking for Business password constitutes authentication of all transactions performed by you or on your behalf." The eBanking agreement stated that Ocean Bank did not "assume[] any responsibilities" with respect to Patco's use of eBanking, that "electronic transmission of confidential business and sensitive personal information" was at Patco's risk, and that Ocean Bank was liable only for its gross negligence, limited to six months of fees. The eBanking agreement also provided that:

The agreement provided that Patco had to contact the bank immediately upon discovery of an unauthorized transaction.

The bank also reserved the right to modify the terms and conditions of the eBanking agreement at any time, effective upon publication. The bank claims that at some point before May 2009, it modified the eBanking agreement to state:

The bank claims that it published this modified eBanking agreement on its website before May 2009. Patco disputes that this agreement was modified and/or published on the bank's website before May 2009, and argues that the modified agreement was therefore not effective as between the parties.

B. Ocean Bank's Security Measures

In 2004, Ocean Bank began using Jack Henry & Associates to provide its core online banking platform, known as "NetTeller." Jack Henry provides the NetTeller product to approximately 1,300 of its 1,500 bank customers.

In October 2005, the agencies of the Federal Financial Institutions Examination Council4 ("FFIEC"), responding to increased online banking fraud, issued guidance titled "Authentication in an Internet Banking Environment." See Fed. Fin. Insts. Examination Council, Authentication in an Internet Banking Environment (Aug. 8, 2001), available at http:// www.ffiec.gov/pdf/authentication_guidance. pdf [hereinafter "FFIEC Guidance"]. The Guidance was intended to aid financial institutions in "evaluating and implementing authentication systems and practices whether they are provided internally or by a service provider." Id. at 1. The Guidance provides that "financial institutions should periodically ... [a]djust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information." Id. at 2.

The Guidance explains that existing authentication methodologies involve three basic "factors": (1) something the user knows (e.g., password, personal identification number); (2) something the user has (e.g., ATM card, smart card); and (3) something the user is (e.g., biometric characteristic, such as a fingerprint). Id. at 3. It states:

Id. The Guidance also states:

Id. at 1-2.

Following publication of the FFIEC Guidance, Ocean Bank worked with Jack Henry to conduct a risk assessment and institute appropriate authentication protocols to comply with the Guidance. The bank determined that its eBanking product was a "high risk" system that required enhanced security, and in particular, multifactor authentication.

Jack Henry entered into a re-seller agreement with Cyota, Inc., an RSA Security Company ("RSA/Cyota"), for a multifactor authentication system to integrate into its NetTeller product so that it could offer security solutions compliant with the FFIEC Guidance. Through collaboration with RSA/Cyota, Jack Henry made two multifactor authentication products available to its customers to meet the FFIEC Guidance: the "Basic" package and the "Premium" package.

Ocean Bank selected the Jack Henry "Premium" package, which it implemented by January 2007. The system, as implemented by Ocean Bank, had six key features:

1. User IDs and Passwords: The system required each authorized Patco employee to use both a company ID and password and a user-specific ID and password to access online banking.

2. Invisible Device Authentication: The system placed a "device cookie" onto customers' computers to identify particular computers used to access online banking. The device cookie would be used to help establish a secure communication session with the NetTeller environment and to contribute to the component risk score. Whenever the cookie was changed or was new, that impacted the risk score and potentially triggered challenge questions.

3. Risk Profiling: The system entailed the building of a risk profile for each customer by RSA/Cyota based on a number of different factors, including the location from which a user logged in, when/how often a user logged in, what a user did while on the system, and the size, type, and frequency of payment orders normally issued by the customer to the bank. The Premium Product noted the IP address that the customer typically used to log into online banking and added it to the customer profile.

RSA/Cyota's adaptive monitoring provided a risk score to the bank for every log-in attempt and transaction based on a multitude of data, including but not limited to IP address, device cookie ID, Geo location, and transaction activity. If a user's transaction differed from its normal profile, RSA/Cyota reported to the bank an elevated risk score for that transaction. RSA/Cyota considered transactions generating risk scores in excess of 750, on a scale from 0 to 1,000, to be high-risk transactions. "Challenge questions," described below, were prompted any time the risk score for a transaction exceeded 750.

4. Challenge Questions: The system required users, during initial log-in, to select three challenge questions and responses. The challenge questions might be prompted for various reasons. For example, if the risk score associated with a particular transaction exceeded 750, the challenge questions would be triggered. If the challenge question responses entered by the user did not match the ones originally provided, the customer would receive an error message. If the customer was unable to answer the challenge questions in three attempts, the customer was blocked from online banking and would be required to contact the bank.

5. Dollar Amount Rule: The system permitted financial institutions to set a dollar threshold amount above which a transaction would automatically trigger the challenge questions even if the user ID, password, and device cookie were all valid. In August 2007, Ocean Bank set the dollar amount rule to $100,000. On June 6, 2008, Ocean Bank lowered the dollar amount rule from $100,000 to $1. After the Bank lowered the threshold to $1, Patco was prompted to answer challenge questions every time it initiated a transaction. In May 2009, when the fraud at issue in this case occurred, the dollar amount rule threshold remained at $1.

6. Subscription to the eFraud Network: The Jack Henry Premium Product provided Ocean Bank with a subscription to the eFraud Network, which compared characteristics of the transaction (such as the IP address of the user seeking access to the Bank's system) with those of known instances of fraud. The eFraud Network allowed financial institutions to report IP addresses or other discrete identifying characteristics identified with instances of fraud. An attempt to access a customer's NetTeller account initiated by someone with that characteristic would then be automatically blocked. The individual would not even be prompted for challenge questions.

Ocean Bank asserts that on December 1, 2006, as it began to implement the Jack Henry system, it also began to offer the option of e-mail alerts to its eBanking customers. If the customer chose to receive such alerts, the bank would send the customer e-mails regarding incoming/outgoing transactions, changes to the customer's balance, the clearing of checks, and/or alerts on certain customer-specified dates. Patco claims it did not receive notice that e-mail alerts were available and this is a disputed issue of fact. It appears that notice of the availability of e-mail alerts was not readily visible. To set up alerts through the eBanking system, a user would have to first click the "Preferences" tab on the eBanking webpage, then click on a second tab labeled "Alerts," and then follow several additional steps to activate individual alerts. Patco claims it never saw anything on the website indicating that e-mail alerts were available, and it therefore never set up e-mail alerts.

C. Security Measures Available Which Ocean Bank Chose Not to Implement

There were several additional security measures that were available to Ocean Bank but that the bank chose not to implement:

1. Out-of-Band Authentication: Jack Henry offered Ocean Bank a version of the NetTeller system that included an out-of-band authentication option. Out-of-band authentication "generally refers to additional steps or actions taken beyond the technology boundaries of a typical transaction." Id. at 3 n.5. Examples of out-of-band authentication include notification to the customer, callback (voice) verification, e-mail approval from the customer, and cell phone based challenge/response processes. The FFIEC Guidance identifies out-of-band authentication as a useful method of risk mitigation. See id. at 11-12.

2. User-Selected Picture: Ocean Bank's security procedures did not include the user-selected picture function that was available through Jack Henry's Premium option. Ocean Bank states that it did not utilize the user-selected picture function because it already utilized other anti-phishing5 controls.

3. Tokens: Tokens are physical devices (something the person has), such as a USB token device, a smart card, or a password-generating token. The FFIEC Guidance identifies tokens as a useful part of a multifactor authentication scheme. See id. at 8. Tokens were not available from Jack Henry when Ocean Bank implemented its system in 2007, but were readily available to financial institutions at that time through other sources. Although People's United Bank has used tokens since at least January of 2008, Ocean Bank did not do so until after the fraud in this case occurred.

4. Monitoring of Risk-Scoring Reports: In May 2009, bank personnel did not monitor the risk-scoring reports received as part of the Premium Product package, nor did the bank conduct any other regular review of transactions that generated high risk scores. In May 2009, the bank had the capability to conduct manual review of high-risk transactions through its transaction-profiling and risk-scoring system, but did not do so. The bank also had the ability to call a customer if it detected fraudulent activity, but did not do so. The bank began conducting manual reviews of high-risk transactions in late 2009, after the fraud in this case occurred. Since then, the bank has instituted a policy of calling the customer in the case of uncharacteristic transactions to inquire if the customer did indeed initiate the transaction.

D. The Fraudulent Transfers

Beginning on May 7, 2009, a series of withdrawals were made on Patco's account over the course of several days.

On May 7, unknown third parties initiated a $56,594 ACH withdrawal from Patco's account. The perpetrators supplied the proper credentials of one of Patco's employees, including her ID, password, and answers to her challenge questions. The payment on this withdrawal was directed to go to the accounts of numerous individuals, none of whom had previously been sent money by Patco. The perpetrators logged in from a device unrecognized by Ocean Bank's system, and from an IP address that Patco had never before used. The risk-scoring engine generated a risk score of 790 for the transaction, a significant departure from Patco's usual risk scores, which generally ranged from 10 to 214. There is no evidence that Patco's risk scores prior to the fraudulent transfers in this case ever exceeded 214. The risk-scoring engine reported the following contributors to the risk score for that transaction: (1) "Very high risk non-authenticated device"; (2) "High risk transaction amount"; (3) "IP anomaly"; and (4) "Risk score distributor per cookie age." An RSA manual describing risk score contributors states that any transaction triggering the contributor "Very high risk non-authenticated device" is "a very high-risk transaction." Despite this high risk score, Patco was not notified. Moreover, it appears no one at the bank monitored these high-risk transactions. Bank personnel did not manually review the May 7, 2009 transaction. The bank batched and processed the transaction as usual, and it was paid the next day.

The activities of May 7 having successfully resulted in payment, on Friday, May 8, 2009, unknown third parties again successfully initiated an ACH payment order from Patco's account, this time for $115,620.26. As before, the perpetrators wired money to multiple individual accounts to which Patco had never before sent funds. The perpetrators again used a device that was not recognized by Ocean Bank's system. The payment order originated from the same IP address as the day before. The transaction was larger by several magnitudes than any ACH transfer Patco had ever made to third parties. Despite these unusual characteristics, the bank again took no steps to notify Patco and batched and processed the transaction as usual, which was paid by the bank on Monday, May 11, 2009.

On May 11, 12, and 13, unknown third parties initiated further withdrawals from Patco's account in the amounts of $99,068, $91,959, and $113,647, respectively. Like the prior fraudulent transactions, these transactions were uncharacteristic in that they sent money to numerous individuals to whom Patco had never before sent funds, were for greater amounts than Patco's ordinary third-party transactions, were sent from computers that were not recognized by Ocean Bank's system, and originated from IP addresses that were not recognized as valid IP addresses of Patco. As a result of these unusual characteristics, the transactions continued to generate higher than normal risk scores. The May 11 transaction generated a risk score of 720, the May 12 transaction triggered a risk score of 563, and the transaction on May 13 generated a risk score of 785. The Bank did not manually review any of these transactions to determine their legitimacy or notify Patco.

Portions of the transfers, beginning with the first transfer initiated on May 7, 2009, were automatically returned to the bank because certain of the account numbers to which the money was slated to be transferred were invalid. As a result, the bank sent limited "return" notices to the home of Mark Patterson, one of Patco's principals, via U.S. mail. Patterson received the first such notice after work on the evening of May 13, six days after the allegedly fraudulent withdrawals began.

The next morning, on May 14, 2009, Patco called the bank to inform it that Patco had not authorized the transactions. Also on the morning of May 14, another alleged fraudulent transaction was initiated from Patco's account in the amount of $111,963. Despite the information from Patco, the bank initially processed this payment order on May 15, 2009. However, because of the alert from Patco of the ongoing fraud, the bank then took steps to block completion of a portion of this transaction and recovered a portion of the transferred funds shortly thereafter.

At the end of the string of thefts, the amount of money fraudulently withdrawn from Patco's account totaled $588,851.26, of which $243,406.83 was automatically returned or blocked and recovered.

According to Ocean Bank, on May 14, 2009, immediately after the allegedly fraudulent withdrawals occurred, the bank gave instructions to Patco. It instructed Patco to disconnect the computers it used for electronic banking from its network; to stop using these computers for work purposes; to leave the computers turned on; and to bring in a third-party forensic professional or law enforcement to create a forensic image of the computers to determine whether a security breach had occurred. Ocean Bank claims, and Patco disputes, that Patco did not isolate its computers or forensically preserve the hard drives; and that Patco employees continued to use their computers during the week following the alleged fraud. In another dispute of fact, Patco states that Ocean Bank recommended only that Patco check its system for a security breach using a third-party forensic professional, which Patco did.

Shortly after the fraudulent transfers, Patco hired an IT consultant, who ran anti-malware scans on the computers. A remnant of a Zeus/Zbot malware was found. However, the Zeus/Zbot malware, which contained the encryption key for the Zeus/ Zbot configuration file, was quarantined and then deleted by the anti-malware scan. Without the encryption key, it is impossible to decrypt the configuration file and identify what information, if any, the Zeus/ Zbot malware would have captured, if in fact it was of a type that would have intercepted authentication credentials.

II.

On September 18, 2009, Patco filed suit against People's United in Maine Superior Court, York County. The complaint included six counts: (I) liability under Article 4A of the Uniform Commercial Code ("UCC"); (II) negligence; (III) breach of contract; (IV) breach of fiduciary duty; (V) unjust enrichment; and (VI) conversion. On October 9, 2009, People's United removed the case to the United States District Court for the District of Maine.

On August 27, 2010, Patco moved for summary judgment on Count I, its claim under Article 4A of the UCC. That same day, the bank moved for summary judgment on all six counts. On May 27, 2011, the magistrate judge issued a recommended decision on the cross-motions for summary judgment. Patco Constr. Co. v. People's United Bank, No. 09-cv-503, 2011 WL 2174507 (D.Me. May 27, 2011). The magistrate judge determined both that the bank's security procedures were commercially reasonable, id. at *32-34, and that Patco had agreed to those procedures, id. at *24-25. Therefore, the magistrate concluded, Patco — not the bank — bore the loss of the fraudulent transfers. Id. at *34. The magistrate also determined that Counts II-IV of Patco's complaint were displaced by the provisions of Article 4A, and that Counts V and VI failed along with Count I because the bank could not have been unjustly enriched, or have wrongly converted Patco's funds, if it employed commercially reasonable security procedures. Id. at *34-35. Accordingly, the magistrate recommended that the district court grant the bank's motion for summary judgment and deny that of Patco. Id. at *35.

Patco objected to the recommended decision on June 13, 2011, and People's United responded to Patco's objection on June 27, 2011. On August 4, 2011, the district court adopted the magistrate's recommendation in full. It granted People's United's motion for summary judgment, denied Patco's motion for summary judgment, and found the parties' outstanding motions to be moot. On September 6, 2011, Patco appealed.

III.

We review orders granting or denying summary judgment de novo. Certain Interested Underwriters at Lloyd's, London v. Stolberg, 680 F.3d 61, 65 (1st Cir.2012). In doing so, we consider the record and all reasonable inferences in the light most favorable to the non-moving party. Id.

We affirm only if there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law. Id. "A dispute is genuine if the evidence about the fact is such that a reasonable jury could resolve the point in the favor of the non-moving party." Rodríguez-Rivera v. Federico Trilla Reg'l Hosp. of Carolina, 532 F.3d 28, 30 (1st Cir.2008) (quoting Thompson v. Coca-Cola Co., 522 F.3d 168, 175 (1st Cir.2008)). "A fact is material if it has the potential of determining the outcome of the litigation." Id. (quoting Maymí v. P.R. Ports Auth., 515 F.3d 20, 25 (1st Cir.2008)).

A. Article 4A of the UCC

The claim under Count I is governed by Article 4A of the UCC, which was meant to govern the rights, duties, and liabilities of banks and their commercial customers with respect to electronic funds transfers. See Me.Rev.Stat. Ann. tit. 11, § 4-1102 cmt. Article 4A was enacted in toto by Maine in 1991, well before the transfers at issue in this case.6 Id. § 4-1101.

Article 4A was developed to address wholesale wire transfers and commercial ACH transfers, generally between businesses and their financial institutions.7 Id. § 4-1102 cmt. Before Article 4A was drafted, "there was no comprehensive body of law — statutory or judicial — that defined the juridical nature of a [commercial] funds transfer or the rights and obligations flowing from payment orders." Id. Instead, judges relied on general principles of common law, sought guidance from other provisions of the UCC, or analogized to laws applicable to other payment methods. Id. The drafters of Article 4A sought to deliver clarity to this area of law by "us[ing] precise and detailed rules to assign responsibility, define behavioral norms, allocate risks and establish limits on liability" in order to allow parties to predict and insure against risk with greater certainty, given the very large amounts of money involved in commercial funds transfers. Id.

Importantly, the drafters also sought to clarify the interaction between the new provisions of Article 4A and existing remedies under the common law:

Id. The drafters "intended that Article 4A would be supplemented, enhanced, and in some places, superceded by other bodies of law ... [T]he Article is intended to synergize with other legal doctrines," so long as those doctrines are not inconsistent with the rights, duties, and liabilities established in Article 4A. Regions Bank v. Provident Bank, Inc., 345 F.3d 1267, 1275 (11th Cir.2003) (omission in original) (quoting Baxter & Bhala, The Interrelationship of Article 4A with Other Law, 45 Bus. Law. 1485, 1485 (1990)) (internal quotation mark omitted). Article 4A further provides that, in general, the parties may not vary by agreement any rights and obligations arising under Article 4A. See Me. Rev.Stat. Ann. tit. 11, § 4-1202(6).

Under Article 4A, a bank receiving a payment order ordinarily bears the risk of loss of any unauthorized funds transfer. Id. § 4-1204. The bank may shift the risk of loss to the customer in one of two ways, one of which involves the commercial reasonableness of security procedures and one of which does not. First, the bank may show that the "payment order received... is the authorized order of the person identified as sender if that person authorized the order or is otherwise bound by it under the law of agency." Id. § 4-1202(1). But, as the Article 4A commentary explains, "[i]n a very large percentage of cases covered by Article 4A, ... [c]ommon law concepts of authority of agent to bind principal are not helpful" because the payment order is transmitted electronically and the bank "may be required to act on the basis of a message that appears on a computer screen." Id. § 4-1203 cmt. 1.

If the sender of the payment order had no authority to act for the customer, and there are no additional facts on which estoppel might be found, the "Customer is not liable to pay the order and [the] Bank takes the loss." Id. cmt. 2. In such cases, "these legal principles [of agency] give the receiving bank very little protection.... The only remedy of [the] Bank is to seek recovery from the person who received payment as beneficiary of the fraudulent order." Id. cmts. 1, 2.

Accordingly, the drafters provided a second way by which a bank may shift the risk of loss and protect itself whether or not the payment order is authorized. This, in turn, has several components:

Id. § 4-1202(2).

In turn, Article 4A defines a security procedure as:

Id. § 4-1201. One question raised in this appeal is the scope of any agreement reached.

The UCC explains that the "[c]ommercial reasonableness of a security procedure is a question of law" to be determined by the court. Id. § 4-1202(3). There are two ways by which a security procedure may be shown to be commercially reasonable. First is by reference to:

Id. § 4-1202(3). The Article is explicit that "[t]he standard is not whether the security procedure is the best available. Rather it is whether the procedure is reasonable for the particular customer and the particular bank...." Id. § 4-1203 cmt. 4. The UCC explains that "[t]he burden of making available commercially reasonable security procedures is imposed on receiving banks because they generally determine what security procedures can be used and are in the best position to evaluate the efficacy of procedures offered to customers to combat fraud." Id. cmt. 3.

Secondly, the Article creates a presumption of reasonableness under certain circumstances, not applicable here. A security procedure is deemed to be commercially reasonable if:

Id. § 4-1202(3). Of course, if the security procedure offered by the bank was not commercially reasonable, then the provision does not apply. Id. § 4-1203 cmt. 4.

If the bank shows both that its security procedure was commercially reasonable and that it accepted the payment order "in good faith and in compliance with the security procedure," the payment order is effective as an authorized order of the customer. Id. §§ 4-1202(2)(b), 4-1203(1). In such a case, the bank may, "[b]y express written agreement, ... limit the extent to which it is entitled to enforce or retain payment of the payment order." Id. § 4-1203(1)(a).

Once the bank has shown commercial reasonableness, the customer may shift the risk of loss back to the bank if the customer proves that the order was not "caused, either directly or indirectly, by a person":

Id. § 4-1203(1)(b). As the commentary explains, this section of the UCC places a burden on the customer, when the security procedure is commercially reasonable, "to supervise its employees to assure compliance with the security procedure and to safeguard confidential security information and access to transmitting facilities so that the security procedure cannot be breached." Id. § 4-1203 cmt. 3.

If the bank does not make its showing of commercial reasonableness, then the analysis goes back to the question of agency under § 4-1202(a), described above. If the court determines, under any of these provisions, that the bank bears the risk of loss, "the bank shall refund any payment of the payment order received from the customer to the extent the bank is not entitled to enforce payment and shall pay interest on the refundable amount calculated from the date the bank received payment to the date of the refund." Id. § 4-1204(1).

B. Ocean Bank's Motion for Summary Judgment

Ocean Bank argues that because Patco agreed to the security system in use, and because the security system was commercially reasonable, it is entitled to summary judgment.

Patco counters that the bank's security system was not commercially reasonable, that it did not agree to all of the procedures, and that the bank did not comply with its own procedures.

As to commercial reasonableness, Patco argues the bank's decision to lower the dollar amount rule to $1 increased the risk of compromised security, and that the bank's failure in light of this increased risk to monitor and immediately notify customers of abnormal transactions which met high risk criteria was not commercially reasonable. Patco also argues that it was not offered and it did not decline an e-mail notice system for transactions.

Essentially, Patco argues that when Ocean Bank decided in June of 2008 to trigger challenge questions for any transaction over $1, the bank increased the frequency with which a user was required to enter the answers to his or her challenge questions. Indeed, at a $1 threshold, the frequency as to Patco became 100%, covering every transaction. For customers like Patco who made regular ACH transfers, the risks were even greater than for customers who rarely made such transfers. This, in turn, also increased the risk that such answers would be compromised by keyloggers8 or other malware that would capture that information for unauthorized uses. By thus increasing the risk of fraud through unauthorized use of compromised security answers, Patco argues, Ocean Bank's security system failed to be commercially reasonable because it did not incorporate additional security measures, at the very least monitoring of high risk score transactions, use of e-mail alerts and inquiries, or other immediate notice to customers of high-risk transactions.

In our view, Ocean Bank did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular, and high dollar transfers. Then, when it had warning that such fraud was likely occurring in a given transaction, Ocean Bank neither monitored that transaction nor provided notice to customers before allowing the transaction to be completed. Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable. We emphasize that it was these collective failures taken as a whole, rather than any single failure, which rendered Ocean Bank's security system commercially unreasonable.

The Jack Henry Premium Product was designed to harness the power of the risk-scoring system and included a device identification system to trigger an additional layer of authentication — challenge questions — whenever the bank's system detected unusual or suspicious transactions. In May of 2009, bank personnel did not monitor the risk-scoring reports, nor did the bank conduct any other regular review of transactions that generated high risk scores. Thus, the only result of a high risk score or an unidentified device was that a customer would be prompted to answer his or her challenge questions.

When Ocean Bank lowered the dollar amount rule from $100,000 to $1, it essentially deprived the complex Jack Henry risk-scoring system of its core functionality. The $1 dollar amount rule guaranteed that challenge questions would be triggered on every transaction unless caught by a separate eFraud network which depended on the use of known fraudulent IP addresses. The eFraud network was of no use if the address and like information were not already known to law enforcement. Accordingly, cyber criminals equipped with keyloggers had the much more frequent opportunity to capture all information necessary to compromise an account every time the customer initiated an ACH transaction. In Patco's case, ACH transactions were initiated at least weekly, and often several times per week. In the event a customer's computer became infected with a keylogger, it was likely that the customer would be prompted to answer its challenge questions before the malware was discovered and removed from the customer's computer.

Patco's argument is supported both by evidence and by common sense. Patco's expert testified that at the times in question, keylogging malware was a persistent problem throughout the financial industry. It was foreseeable, against this background, that triggering the use of the same challenge questions for high-risk transactions as were used for ordinary transactions, was ineffective as a stand-alone backstop to password/ID entry. Indeed, it was well known that setting challenge questions to be asked on every transaction greatly increases the risk that a fraudster equipped with a keylogger would be able to access the answers to a customer's challenge questions because it increases the frequency with which such information is entered through a user's keyboard.

As early as 2005, RSA/Cyota cautioned against the regular and frequent use of challenge questions as a stand-alone backstop to the exclusion of further controls, stating that challenge questions were "quicker and simpler to adopt" but were "less secure," and should be used only "in the short term, as the first phase of a full project." According to RSA/Cyota, challenge questions should be triggered only selectively, when unusual or suspicious activity is detected, so that they are less likely to be asked after a keylogger is installed on a customer's computer and before it can be removed. When asked frequently, they should not be used as the only line of defense beyond a password/ID, since a password/ID and answers to challenge questions could all be simultaneously captured by a keylogger.

Ocean Bank's decision to set the dollar amount rule at $1 for all of its customers also ignored Article 4A's mandate that security procedures take into account "the circumstances of the customer" known to the bank. Id. § 4-1202(3). Article 4A directs banks to consider such circumstances as "the size, type and frequency of payment orders normally issued by the customer to the bank." Id. In Patco's case, these characteristics were regular and predictable. Patco used eBanking primarily to make payroll payments to employees. These payments were made weekly, generally on Fridays; they originated from a single static IP address; and they were always made from the same set of computers at Patco's offices in Sanford, Maine. The highest such payment Patco ever made was $36,634.74, well below the former $100,000 threshold. The bank does not assert that it ever offered to adjust the threshold amount for particular customers. Instead, the bank adopted a "one-size-fits-all" dollar amount rule of $1 for its customers.

Ocean Bank argues that it did take Patco's circumstances into account by building a risk profile based on Patco's eBanking habits, such that the security system could compare the characteristics of each transaction against those in Patco's profile.9 This argument misses the mark because, in fact, the risk profile information played no role. It triggered no additional authentication requirements, and the bank did nothing with the information generated by comparing the fraudulent transactions against Patco's profile.

Ocean Bank also argues that it was commercially reasonable for it to universally lower the dollar amount rule to $1 in order to target low-dollar fraud. Whether or not that is true for certain customers, it is beside the point. Here, the increase in risk to the consumer who engaged in regular high dollar transfers, such as Patco, was sufficiently serious to require a corollary increase in security measures for a security system to remain commercially reasonable. The bank's generic "one-size-fits-all" approach to customers violates Article 4A's instruction to take the customer's circumstances into account. Further, the reduction of the dollar amount rule to $1 was for commercial customers, who are quite unlikely to have transfers of less than $1.

Ocean Bank introduced no additional security measures in tandem with its decision to lower the dollar amount rule, despite the fact that several such security measures were not uncommon in the industry and were relatively easy to implement. Patco's expert testified that all of her other banking clients using the same Jack Henry Premium Product employed manual reviews or some other additional security measure to protect against the type of fraud that occurred in this case.

For example, by May 2009, internet banking security had largely moved to hardware-based tokens and other means of generating "one-time" passwords.10 As of People's United Bank (which had acquired Ocean Bank), several national banks, and many New England community banks were using tokens for commercial accounts. Of those banks that did not use tokens in May 2009, New England community banks commonly used some form of manual review or customer verification to authenticate uncharacteristic or suspicious transactions. Such security procedures self-evidently would not have been difficult to implement.11

This failure to implement additional procedures was especially unreasonable in light of the bank's knowledge of ongoing fraud. As early as 2008, Ocean Bank had received notification of substantial increases in internet fraud involving keylogging malware. By May 2009, Ocean Bank had itself experienced at least two incidents of fraud on the bank's system which it attributed to either keylogging malware or internal fraud. In both instances, the perpetrators had acquired and successfully applied the customer's passwords, IDs, and answers to challenge questions.

Thus, by May 2009, when the fraud in this case occurred, it was commercially unreasonable for Ocean Bank's security system to trigger nothing more than what was triggered in the event of a perfectly ordinary transaction in response to the high risk scores that were generated by the withdrawals from Patco's account. The payment orders at issue were entirely uncharacteristic of Patco's ordinary transactions: they were directed to accounts to which Patco had never before transferred money; they originated from computers Patco had never before used; they originated from an IP address that Patco had never before used; and they specified payment amounts significantly higher than the payments Patco ordinarily made to third parties. As a result, the security system flagged these transactions as uncharacteristic, highly suspicious, and potentially fraudulent from a "very high risk non-authenticated device." The transactions generated unprecedentedly high risk scores ranging from 563 to 790, well above Patco's regular risk scores which ranged from 10 to 214.

These collective failures, taken as a whole, rendered Ocean Bank's security procedures commercially unreasonable. We reverse the district court's grant of summary judgment as to Count I.

That does not, however, end the matter, even as to Count I. The issues briefed to us on appeal have largely involved commercial reasonableness. Our conclusion that the security procedures were not commercially reasonable does not end the analysis of the Article 4A issues. Our conclusion as to Count I and commercial reasonableness does, though, also lead us to vacate the district court's grant of summary judgment on the two claims — Count V (unjust enrichment) and Count VI (conversion) — which the district court considered to be dependent on the success of Count I.

C. Patco's Motion for Summary Judgment

We affirm the district court's decision to deny Patco's motion for summary judgment. There remain several genuine and disputed issues of fact which may be material to the question of whether Patco has satisfied its obligations and responsibilities under Article 4A, or at least to the question of damages. The district court did not reach, and the parties have not briefed, the question of what, if any, obligations or responsibilities Article 4A imposes on a commercial customer even where a bank's security system is commercially unreasonable. We leave these questions open on remand so that the district court may, after briefing, assess whether such obligations exist, either for liability purposes or for mitigation of damages.

As to the genuine and disputed issues of fact, the parties dispute the facts surrounding Patco's lack of e-mail alerts. Patco alleges that it requested e-mail alerts from the bank, but that the bank ignored these requests and never notified Patco when e-mail alerts became available to bank customers. The bank counters with its own allegation that it sent out a general e-mail to customers that it would make e-mail alerts available. Patco states that it received no such e-mail, and that instead, a customer would have had to follow a complicated series of steps to find an "Alerts" tab on the bank's website in order to learn that such e-mail alerts had become available. Moreover, Patco alleges that its account was not even set up with an "Alerts" tab; that the account only features a "Preferences" tab. While one of Patco's employees did successfully navigate to the "Preferences" tab, she alleges she never saw an "Alerts" tab. Additionally, neither party has submitted into the record an example of such an e-mail alert or specified when such an e-mail alert would have been sent, such that it is unclear what Patco would have learned from such an e-mail alert and whether and when such an e-mail would have placed Patco on notice of the fraudulent transfer.

The parties also disagree as to whether the fraud in this case was caused by malware and keylogging in the first place, or whether Patco shares some responsibility. Ocean Bank argues that because Patco irreparably altered the evidence on its hard drives by using and scanning its computers before making forensic copies, it is unclear whether keylogging malware existed on Patco's computers and enabled the alleged fraud. These disputed issues of fact may be material.

Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well, under at least § 4-1204. See Me.Rev.Stat. Ann. tit. 11, § 4-1204; but see id. § 4-1102 cmt. ("Resort to principles of law or equity outside of Article 4A is not appropriate to create rights, duties and liabilities inconsistent with those stated in this Article."). Section 4-1204, entitled "Refund of payment and duty of customer to report with respect to unauthorized payment order," provides:

Id. § 4-1204(1).12 It is unclear, however, what, if any, obligations a commercial customer has when a bank's security system is found to be commercially unreasonable.

In short, we leave open for the parties to brief on remand the question of what, if any, obligations or responsibilities are imposed on a commercial customer under Article 4A even where a bank's security system is commercially unreasonable. The record requires further development on these issues, precluding summary judgment at this stage.

D. Dismissal of Counts II-IV

The district court concluded that Article 4A "preempts"13 Patco's remaining common law claims: Count II (negligence), Count III (breach of contract), and Count IV (breach of fiduciary duty). The district court based its analysis on the commentary to § 4-1102, which provides:

Id. § 4-1102 cmt.

This language does not, on its face, displace Patco's Count III for breach of contract or Count IV for breach of fiduciary duty.14 We adopt the test, as set forth in the commentary, that Article 4A embodies an intent to restrain common law claims only to the extent that they create rights, duties, and liabilities inconsistent with Article 4A. See Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 89 (2d Cir.2010); Regions Bank, 345 F.3d at 1275.

The common law claims of breach of contract and breach of fiduciary duty are not inherently inconsistent with Patco's Article 4A claim. At least in theory, there could be, either by contract or through assumption of fiduciary duties,15 higher standards which are imposed on the bank. Indeed, courts have held that plaintiffs may turn to common law remedies to seek redress for an alleged harm arising from a funds transfer where Article 4A does not protect against the underlying injury or misconduct alleged. See, e.g., Ma, 597 F.3d at 89-90; Regions Bank, 345 F.3d at 1275; see also White & Summers, Uniform Commercial Code §§ 1-2, at 132 (1993 pocket part) ("With the adoption of Article 4A, electronic funds transactions are governed not only by Article 4A, but also common law...."). We vacate the dismissal and leave the issue of these two causes of action open on remand to be considered anew.

The closer question is whether Article 4A, on the facts of this case,16 displaces the claim for negligence. That is, are the negligence claims inconsistent with the duties and liability limits set forth in Article 4A. We think they are, inasmuch as the standard for the duty of care as to both sides is set forth in Article 4A and its limitation of liability. See Ma, 597 F.3d at 89-90 (interpreting Article 4A to displace common law claims, such as negligence, where Article 4A has already specified the relevant duties and "protect[ions] against the type of underlying injury or misconduct alleged in a claim"); Donmar Enters., Inc. v. S. Nat'l Bank of N.C., 64 F.3d 944, 949-50 (4th Cir.1995) (holding that negligence claims are in conflict with, and therefore displaced by, Article 4A); cf. Anderson v. Hannaford Bros. Co., 659 F.3d 151, 161 (1st Cir.2011) (where Maine law is clear that certain damages on given facts are not available regardless of theory pled, Maine law will not under new cause of action allow such damages). So we affirm the dismissal of the negligence claims.

IV.

We reverse the district court's grant of summary judgment in favor of the bank, and affirm the district court's denial of Patco's motion for summary judgment. We remand for further proceedings in accordance with this opinion. On remand the parties may wish to consider whether it would be wiser to invest their resources in resolving this matter by agreement.

No fees are awarded; each side shall bear its own costs.