Fraud Victim Favors Draft Guidance
FFIEC Proposal Seeks to Prevent Corporate Account Takeover
Based on a preliminary draft of the new FFIEC guidance, which has been circulating throughout the industry, guidelines call for more stringent risk assessments, authentication and customer education. One of the major themes of the draft guidance, in fact, is how many recent incidents of corporate account takeover may have been avoidable.
"Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring/anomaly detection could have prevented many of the frauds," the draft says. "The ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior."
These words are welcome news to Jim Payne, owner of Choice Escrow. "We want to know what the FFIEC guidelines actually mean and who is responsible for enforcing audits and compliance. That would have helped us," he says. "We've had contact with several businesses in our area, and most of them are totally oblivious about the kinds of breaches that are out there, as well as about the fact that their accounts are not protected."
Addressing Fraud
The current draft of the FFIEC's "Interagency Supplement to Authentication in an Internet Banking Environment" calls for:
- More risk assessments to better understand and respond to emerging threats, such as man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
- Increased multifactor authentication;
- Layered security controls;
- Improved device identification and protection;
- Improved customer and employee fraud awareness.
As part of the effort to educate commercial customers about fraud risks and security, the draft suggests financial institutions explain what protections are and are not provided under Regulation E. The draft also asks banking institutions to work with their commercial online banking customers to perform periodic risk assessment and controls evaluations.
It is important to note that this guidance, dated Dec. 13, 2010, is currently in draft form and may be amended significantly before final guidance is issued.
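The draft's observation that monitoring transfers against a customer's established pattern could have caught the anomalous ACH/wire originations is the kind of layered control the list above asks for. As an added illustration, not code from the guidance or from any bank's system, the following builds a simple behaviour profile from a customer's past wires and holds any new transfer that departs from it; the customer history, payee names, hours and z-score threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

@dataclass
class Transfer:
    payee: str
    amount: float
    when: datetime

def build_profile(history):
    """Summarise a customer's established outbound-transfer behaviour."""
    amounts = [t.amount for t in history]
    return {"payees": {t.payee for t in history}, "mean": mean(amounts),
            "stdev": pstdev(amounts), "hours": {t.when.hour for t in history}}

def anomaly_reasons(profile, t, z_max=3.0):
    """List every way a transfer departs from the profile (empty = normal)."""
    reasons = []
    if t.payee not in profile["payees"]:
        reasons.append("payee never used before")
    # z-score on amount; with zero variance, any larger amount is an outlier
    if profile["stdev"] > 0:
        if (t.amount - profile["mean"]) / profile["stdev"] > z_max:
            reasons.append("amount far above usual")
    elif t.amount > profile["mean"]:
        reasons.append("amount above usual")
    if t.when.hour not in profile["hours"]:
        reasons.append("outside usual hours")
    return reasons

def decision(profile, t):
    """Hold for out-of-band confirmation when anything is anomalous."""
    return "hold" if anomaly_reasons(profile, t) else "release"

# Constructed history for a hypothetical escrow customer: weekday,
# business-hours wires to a few known title companies.
HISTORY = [
    Transfer("title-co-a", 24000, datetime(2010, 9, 1, 10)),
    Transfer("title-co-b", 31000, datetime(2010, 9, 3, 14)),
    Transfer("title-co-a", 27500, datetime(2010, 9, 8, 9)),
    Transfer("title-co-c", 45000, datetime(2010, 9, 10, 16)),
    Transfer("title-co-b", 38000, datetime(2010, 9, 15, 11)),
    Transfer("title-co-a", 29000, datetime(2010, 9, 17, 15)),
]
PROFILE = build_profile(HISTORY)
# Constructed: one routine wire and one resembling an account-takeover cash-out.
NORMAL = Transfer("title-co-a", 30000, datetime(2010, 9, 22, 11))
SUSPECT = Transfer("unknown-llc", 180000, datetime(2010, 9, 25, 3))
```

A real deployment would refresh the profile as legitimate transfers are confirmed and route a "hold" to a verification channel the online session cannot control.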
Corporate Customers Respond
In November 2010, Choice Escrow sued BancorpSouth, the $14.3 billion bank that held Choice's breached commercial account. Choice's suit claims the bank failed to follow existing FFIEC guidelines to ensure the security of online-initiated wire transfers.
"Knowing how much money we had in our account, they should have made some recommendations about security," Payne says. "But when we signed with them, they did not give us any recommendations about protections or multifactor authentication."
Valiena A. Allison, CEO and president of Michigan-based EMI, says commercial customer education regarding security risks and protections should be required of banks and credit unions. "Before this all happened, I never realized there was a difference between the laws and the protections (under Regulation E) for commercial businesses versus consumer accounts," she says. "The laws are not the same. That never occurred to me. That should have been something we were notified about by the bank."
EMI and Comerica faced off in U.S. district court earlier this year, and a verdict in that trial is expected soon.
Choice Escrow and EMI are but two of a handful of commercial customers who have fallen victim to recent incidents of corporate account takeover. Other high-profile corporate account takeover victims include:
- Village View Escrow of Redondo Beach, Calif., which in March 2010 lost $465,000 to an online hack;
- Hillary Machinery, which in January 2010 was sued by its bank, PlainsCapital Bank, after a legal battle over ACH fraud liability. The suit was later settled for undisclosed terms;
- The Catholic Diocese of Des Moines, Iowa, which in August lost $600,000 in fraudulent ACH transactions.
Payne says the FFIEC has a lot to consider when weighing new guidance. "When we signed up for the online banking, we did not know anything about the risks," he says. "It was all new to us. We were probably only nine months in when we got breached." Had the bank explained more about the risks, or done more to assess Choice Escrow's risks, Payne says the breach may have been avoided.
"The way I see it, the industry has two choices: Either the FFIEC guidelines will require that banks do [more stringent] risk assessments, or Regulation E will have to be amended to protect commercial customers," he says. "Otherwise, there's no way the banks are going to change the way they do business."