ACH Fraud: 1 Year Later
What Results Have Come from Conflicts Between Banks, Businesses?
By itself, this incident is a footnote among legal disputes. But seen in the context of similar incidents that have swept the country for the past year, the Hi-Line/Community Bank case is the latest in a series of troubling conflicts between banking institutions and business customers.
It's been almost exactly one year since the growing scourge of ACH/wire fraud was exposed by the Federal Deposit Insurance Corporation in a warning about fraudsters using the online channel to prey upon small and medium-sized businesses.
Since then, the industry has seen many incidents and several high-profile cases, including:
- Hillary Machinery vs. PlainsCapital Bank - the notorious case of a bank suing its own customer;
- Experi-Metal Inc. vs. Comerica Bank - the concurrent case of a customer suing its bank over fraud losses;
- PATCO vs. Ocean Bank - one of the more recent conflicts to emerge nationwide, impacting banks and businesses of all sizes.
The Federal Bureau of Investigation estimates that 205 separate businesses have reported incidents of corporate account takeover since 2004 - the bulk of them in the past year - and estimates that fraud losses top $40 million.
The FDIC and other government agencies have issued additional alerts in this time, and in May the banking regulator convened a symposium on the topic. But what exactly has been done and will be done by the industry to prevent the epidemic from growing even more in the next year?
We spoke to several industry thought-leaders and got their insights.
What's Been Done
To combat these crimes, industry associations assembled an Account Takeover task force, headed by the Financial Services-Information Sharing and Analysis Center, to develop a list of recommendations, outreach programs and education efforts. According to Bill Nelson, CEO and president of the FS-ISAC, the May symposium brought many of the larger players in the industry together to talk strategy and defenses for institutions.
Industry groups such as the U.S. Chamber of Commerce, the Association for Financial Professionals, the American Bankers Association and NACHA have also made efforts to educate their members about this threat. Nelson says he has presented 15 in-person and webinar talks to corporate and banking audiences since January, and more are planned through the end of the year. Further, individual banks and credit unions are actively educating their business customers about the threats.
"Banks have shared the FBI/FS-ISAC/NACHA bulletin with their business customers, and many have encouraged their customers to use a dedicated, locked-down computer for online banking where email and web browsing are not possible," Nelson says.
Some of the smaller institutions have implemented call-back procedures where they call their business customers for every ACH file that is submitted. Other mandatory out-of-band procedures such as SMS texting and faxing of control totals have also been implemented by many banks and credit unions.
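The control totals mentioned above are the figures a bank can confirm with the customer before releasing a file. As an added illustration (example code, not from this article or any bank), the following recomputes a NACHA-format ACH file's entry count, entry hash and debit/credit totals from its entry records and flags any field that disagrees with the file control record; the sample file is constructed and its routing and account numbers are dummies.

```python
# Added example: recompute an ACH (NACHA-format) file's control totals from its
# '6' entry records and compare them with the '9' file control record, i.e. the
# figures a bank confirms out of band. Sample records are constructed dummies.
from collections import namedtuple

Totals = namedtuple("Totals", "entries entry_hash debits credits")  # amounts in cents
CREDITS = {"22", "23", "24", "32", "33", "34"}  # checking/savings credit codes
DEBITS = {"27", "28", "29", "37", "38", "39"}   # checking/savings debit codes

def entry(tx, rdfi, amount, name, seq):
    """94-char '6' record: tx code, receiving DFI, check digit, account, amount, id, name, trace."""
    return f"6{tx}{rdfi:08d}0{'000123456':<17}{amount:010d}{'ID' + str(seq):<15}{name:<22}  0{seq:015d}"

def file_control(entries, entry_hash, debits, credits, batches=1, blocks=1):
    """94-char '9' file control record carrying the totals the file claims."""
    return f"9{batches:06d}{blocks:06d}{entries:08d}{entry_hash:010d}{debits:012d}{credits:012d}" + " " * 39

def compute_totals(lines):
    """Sum the entry records: count, entry hash (last 10 digits of summed DFI IDs), debits, credits."""
    n = hsum = deb = cred = 0
    for rec in lines:
        if rec[0] != "6":
            continue  # headers, batch control and addenda are not totalled here
        tx, rdfi, amount = rec[1:3], int(rec[3:11]), int(rec[29:39])
        n, hsum = n + 1, hsum + rdfi
        if tx in DEBITS:
            deb += amount
        elif tx in CREDITS:
            cred += amount
        else:
            raise ValueError(f"unknown transaction code {tx}")
    return Totals(n, hsum % 10**10, deb, cred)

def stated_totals(lines):
    """Read the totals the '9' file control record claims."""
    c = next(r for r in lines if r[0] == "9")
    return Totals(int(c[13:21]), int(c[21:31]), int(c[31:43]), int(c[43:55]))

def verify(text):
    """Return (recomputed totals, names of fields that disagree with the file control record)."""
    lines = [l for l in text.splitlines() if l.strip()]
    got, claimed = compute_totals(lines), stated_totals(lines)
    return got, [f for f in Totals._fields if getattr(got, f) != getattr(claimed, f)]

# Constructed payroll-style file: two credits and one offsetting debit, in balance.
SAMPLE_FILE = "\n".join([
    entry("22", 12345678, 150000, "ALICE EXAMPLE", 1),
    entry("22", 87654321, 250000, "BOB EXAMPLE", 2),
    entry("27", 11111111, 400000, "PAYROLL FUNDING", 3),
    file_control(3, 111111110, 400000, 400000),
])
```

A file whose recomputed totals differ from what the customer confirmed by phone or SMS (an altered amount, or an extra entry) is held rather than released.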
So much of the solution, observers say, is about educating business customers about safe computing practices. According to Gartner analyst Avivah Litan, Bank of America is the best example of a large institution that "gets it."
"[BofA] has done a really good job in educating their business customers about fraud," Litan says. Example: The bank recently held a major, heavily advertised educational webinar for all of its business customers. Litan says the bank used the webinar to outline the existing and emerging threats to electronic banking, the solutions that the bank has recently introduced or already had in place, and the steps that customers can take to help prevent fraud.
Many other banks have pushed the problems over to their customers to resolve, Litan says. "Bank of America is not only educating customers on how they can help prevent fraud, but is also giving their customers several valuable and effective tools to help fight it," she says.
Other, smaller institutions have joined the fight and are trying to educate their business customers about the threat, including Coppermark Bank, a community bank in Oklahoma that recently held seminars for its business customers.
What Needs to be Done
The education of banks and their business customers continues amidst talk of prospective legislation to amend Regulation E coverage to include business and commercial accounts.
But what needs to happen now, Litan says, is for bank regulators to get serious about enforcing the FFIEC guidance already in place. "They need to devote more resources to this and need to let the banks they supervise know they will suffer punitive consequences if they don't upgrade their security systems to effectively mitigate the sophisticated risks that have already emerged."
Troy Owen, a partner of Hillary Machinery, the Texas firm that settled its lawsuit against its bank earlier this summer, says less talk, more action is needed.
"Talk is cheap, as we say in Texas. And although it raises awareness when we 'talk' about corporate account takeover at symposiums and conferences, we need to ensure the right people are there and listening to what is being said by those in the know."
The ease with which international cyber criminals can tap commercial accounts and send millions of dollars to Eastern Europe is a national security issue, Owen says. "It's also a jobs issue, and I am disheartened at the lack of attention it's getting in Washington."
Owen says he knows that industry insiders are fighting and lobbying for more commercial protections, but doesn't understand why "banking groups such as the ABA are so resistant to something so blatantly logical."
Still, don't expect financial institutions to jump quickly to solve this problem, says Charisse Castagnoli, adjunct law professor at John Marshall Law School and an information security law expert. She still thinks banking institutions won't move on security improvements until they lose a major court case or the FFIEC makes them improve. The FFIEC was out ahead of identity theft by requiring two-factor authentication back in 2005, she says, but didn't consider the sophistication of malware in terms of its ability to interweave inside of a legitimate connection.
The Year Ahead?
FS-ISAC's Nelson believes that the rate of growth in these attacks "is leveling off." He says there are more vendor solutions, such as transaction profiling and predictive analytics, that are helping institutions detect and prevent losses. "Added with this is the fact that banks are more attuned to monitoring for money mule accounts," he says, which can help stop the funds from leaving the U.S.
But despite these measures, experts say, lawsuits will continue to accumulate against banking institutions that are seen as not protecting their business customers. Litan also foresees more customer migration to banks with more protections, and "more costs for banks that don't have the superior security processes and technologies in terms of lost business, legal costs, and eventually tougher regulations," she says. Some of the lawsuits, if left to a judge to decide, could eventually hurt the banks by favoring the customers.
The litigation front for financial institutions doesn't look good, according to David Navetta, a lawyer at the InfoLaw Group, a law firm specializing in information security and privacy issues. "We have seen two high profile cases go beyond a motion for summary judgment (Shames-Yaekel and EMI v. Comerica), and that means that customers and their lawyers will view these situations as potentially amenable to successful resolution via litigation," Navetta says.
He also believes there is a risk that more breaches and lawsuits could lead to a perception problem around online banking. "This could be a broader problem that could impact not only banks' business customers, but also potentially individual consumers that use online banking (a much larger group)," he says. But because of the significant cost savings associated with online banking, he anticipates banks have no desire to allow their individual customers to lose confidence in online banking.
The loss of confidence in online banking is palpable for many, including Hillary Machinery's Owen. He says that even after switching his business accounts to one of the world's "most secure online banks that we could find," his company still cut back on the number and type of online transactions it performs. "I guess you could call that losing confidence in the online banking system in general," Owen says.