Account Takeover: Where's the Progress?
Fraud Incidents Continue; Court Cases Still Pending
The spree, which involves numerous unauthorized transfers to China-based hackers, is but the latest in a long line of corporate account takeover incidents small and mid-sized banking institutions have battled since the summer of 2009.
And yet, nearly two years later, after press releases, bulletins, conferences and lawsuits, the industry continues to struggle - in communities, as well as in court - with how to address fraud related to unauthorized ACH and wire transactions.
New online authentication guidance from the Federal Financial Institutions Examination Council, aimed at curbing ACH fraud, is still pending. Doug Johnson, vice president of risk management policy at the American Bankers Association, says the new FFIEC guidance will help banks and their commercial customers, but they can't depend solely on the regulators for direction.
"We're in this for the long haul," he says. "The more involvement we have from banks, from law enforcement agencies and other entities in this, the better we are going to be."
Following is a look at progress various players have made in the battle against corporate account takeover.
The Courts: No Legal Precedent
The high-profile legal disputes between Michigan-based Experi-Metal Inc. and Comerica Bank, as well as Missouri-based Choice Escrow and BancorpSouth, are at a standstill.
The case between EMI and Comerica, the first corporate account takeover incident to actually go to trial, still awaits a verdict. The trial ended Jan. 26, and though a verdict was expected within 60 days, EMI attorney Richard Tomlinson says both parties continue to wait.
EMI lost more than $560,000 to ACH fraud, and then sued Comerica for not having adequate security measures in place to pick up on the fraud before approving the wire transactions that led to the loss.
"Had the bank had any sort of follow-up or backroom security in place, they would have picked up on the fact that these were fraudulent transactions," Tomlinson says. "The only thing the bank had was password authentication, and that was not enough."
Choice Escrow, which in November 2010 sued its former bank, BancorpSouth, after losing $440,000 to corporate account takeover, has heard nothing from the court on its pending case. Jim Payne, owner of Choice Escrow, says new FFIEC guidance would help.
"We want to know what the FFIEC guidelines actually mean and who is responsible for enforcing audits and compliance," he says. "That would have helped us. ... We've had contact with several businesses in our area, and most of them are totally oblivious about the kinds of breaches that are out there, as well as about the fact that their accounts are not protected."
The Advocate: Burden is on Vendors
Jim Woodhill, an outspoken advocate of ACH protections for small businesses, says banks need more guidance not just from regulators, but from vendors and core processors as well. "Here we have bankers who have no background in cybersecurity, yet they are trying to understand the best steps to take," he says. "It's crazy for them to have liability for a crime they don't understand. They don't have the fraud controls, but the processors they work with do."
Once in support of amending Regulation E to include protections for commercial customers, Woodhill says his perspective has changed. "I am against Reg E including protections for commercial customers," he says. "That's horrible for the community banks; they are out there trying to make loans and build business. Something like that would kill them."
What he is in favor of is legislation that places the fraud control burden on core processors. "The processors are perfectly positioned to stop the crimes, and we know that stopping the crime is possible," Woodhill says. "Big banks don't suffer from these kinds of losses. If we hold the transaction processors accountable and have all of the fraud controls flow through them, we can stop this."
FS-ISAC: New Advisories
The ABA's Johnson says banks also should look to recommendations from the FS-ISAC, which specifically address corporate account takeover.
In May 2010, FS-ISAC established the corporate account takeover task force. The task force comprises 36 financial institutions, seven public sector agencies and seven banking associations. Errol Weiss, who heads the task force, says the group focuses on account takeover prevention, detection and response.
"We produced a paper with the FBI and FS-ISAC that we released in October about corporate-account-takeover fraud," Weiss says. "We want to get the word out about some of these tools, since we feel they answer many of the questions financial institutions have about ACH fraud and what they can do to protect themselves and their customers."
In addition to describing and diagramming how corporate account takeover is perpetrated, the FS-ISAC paper discusses steps banking institutions should take to ensure ACH and wire transfers are adequately authorized and account log-in credentials are authenticated.
The task force also is preparing to release an advisory about money mules - a timely complement to April's China ACH and wire fraud spree.
The two-page advisory, entitled "Alert for Financial Institutions: Anticipated Increase in Mule Activity Associated with Visiting Students and Tourists," also includes a list of red flags often associated with money mules as well as other tips for financial institutions, Weiss says. The advisory is expected to be released sometime in May.
Johnson says he is encouraged by the work of the FS-ISAC task force. "We think those [advisories] will be very beneficial in helping customers understand how to report fraud incidents in a unified fashion," he says. "The task force is doing quite a bit."