FFIEC: Impact on Account Takeover
Former Examiner's Advice for Controlling Fraud Losses
What are the struggles facing smaller financial institutions when it comes to anomaly detection?
Large banks are implementing anomaly monitoring and detection solutions that are very costly and time-intensive to set up, says Amy McHugh, a former IT examination analyst for the Federal Deposit Insurance Corp. who now works as a bank adviser at CliftonLarsonAllen, a professional services firm.
"Smaller institutions just don't have the resources in order to implement those," she says in an interview with Information Security Media Group [transcript below].
"Those smaller institutions frequently have fewer people either performing online ACH or wire transfer origination, or they don't allow online ACH and wire transfer initiation," McHugh says.
The anomaly monitoring and detection solutions smaller banks do have in place are manually operated, she says, which can be a time-intensive process.
"With the manual system, it may be harder to detect patterns of behavior over the past few months," McHugh says.
During this second half of a two-part interview, McHugh discusses:
- Why account takeover fraud is increasing;
- Why smaller banking institutions are so dependent on third-party service providers, namely core banking providers;
- Why distributed-denial-of-service attacks should be a worry for community banks and credit unions.
In part one of the interview, McHugh reviews recent legal disputes involving incidents of corporate account takeover, highlighting that most settlements and judgments favor commercial customers (see ACH Fraud Cases: Lessons for Banks).
McHugh, an attorney and former regulatory examiner, is now a banking institution adviser for CliftonLarsonAllen. Her areas of specialization include Gramm-Leach-Bliley Act compliance; information systems review; risk assessments and policy development; information security program development and implementation; vendor management; cloud computing; and corporate account takeover fraud.
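An added illustration, not from the interview or from any bank's or vendor's system, of the per-customer behaviour baseline the interview describes: it records each customer's known beneficiaries, destination states and amounts, flags a new request that departs from them, and applies the call-back rule for requests not received in person. All customer ids, accounts, states and amounts are constructed sample data; the "3x historical maximum" threshold is an assumed policy value.

```python
from collections import defaultdict

# Constructed history: (customer, beneficiary_account, amount, dest_state, channel)
HISTORY = [
    ("cust-A", "ben-001", 1200.00, "IA", "online"),
    ("cust-A", "ben-001", 1350.00, "IA", "online"),
    ("cust-A", "ben-002", 900.00, "IA", "online"),
    ("cust-B", "ben-010", 45000.00, "IA", "branch"),
    ("cust-B", "ben-011", 52000.00, "MN", "branch"),
]

# Assumed policy value: flag amounts above this multiple of the customer's past maximum.
AMOUNT_MULTIPLE = 3

def build_baseline(history):
    """Summarise each customer's past transfers: known beneficiaries,
    known destination states and the amounts previously sent."""
    base = defaultdict(lambda: {"beneficiaries": set(), "states": set(), "amounts": []})
    for cust, ben, amt, state, _channel in history:
        b = base[cust]
        b["beneficiaries"].add(ben)
        b["states"].add(state)
        b["amounts"].append(amt)
    return base

def score_request(baseline, cust, ben, amt, state, channel, callback_done):
    """Return the review flags for one new ACH/wire request; an empty list
    means the request looks like this customer's normal pattern."""
    b = baseline.get(cust)
    if b is None:
        return ["no-history"]          # nothing to compare against: manual review
    flags = []
    if ben not in b["beneficiaries"]:
        flags.append("new-beneficiary")
    if state not in b["states"]:
        flags.append("new-destination-state")
    if amt > AMOUNT_MULTIPLE * max(b["amounts"]):
        flags.append("amount-exceeds-3x-max")
    # Policy control from the interview: a request not received in person
    # gets a call back to the phone number on record before it is processed.
    if channel != "in-person" and not callback_done:
        flags.append("callback-required")
    return flags

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed e-mailed request to a new out-of-state account with no call back.
    print(score_request(base, "cust-A", "ben-099", 2000000.00, "NY", "email", False))
```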
Embracing FFIEC Guidance
TRACY KITTEN: Based on what you're seeing, do you think that banking institutions are embracing this updated FFIEC guidance in the ways that regulators want? Are they doing enough?
AMY MCHUGH: It has been in effect since January 1, 2012. Beginning at that time, when the agencies would go in to financial institutions to perform an examination, they were assessing that institution's compliance with the 2011 supplement. What I'm seeing is a gradual implementation of the 2011 supplement requirements and guidelines. I'm wondering if financial institutions could do a little bit more, could improve their risk assessment process, maybe could communicate better with their Internet banking service providers to see how those providers' systems are addressing the 2011 supplement, and then integrating that information into their risk assessment and also into the controls that they have in place for their higher risk customers.
With customer awareness, I see banks are improving their customer awareness education efforts. Banks are putting good information on their websites. They do statement-stuffers and that kind of thing. I also see some banks actually having presentations that they either have on their websites, or that they send to their customers, about electronic funds transfer fraud, key logger and man-in-the-middle attacks. I think that those are all good efforts. I think the efforts could be enhanced.
Something with the banks that I see - which typically are smaller banks - is there's a fear that they may be causing undue burden to their customers by implementing these additional protections. What they want to do is serve their customers, which is what they should be doing. But they fear that if they place too many "burdens" on their customers as far as additional security procedures that the customers have to abide by in order to transmit these electronic funds transfers, they'll go elsewhere; the customers will go elsewhere. That's something that I'm seeing, regrettably, some financial institutions stepping back from enhancing their procedures in order to please the customer.
Evolution of ACH/Wire Fraud
KITTEN: How has ACH and wire fraud evolved in recent years based on what you've seen?
MCHUGH: The first thing I've seen is that there's an increased awareness, probably through these cases: PATCO, Experi-Metal and Choice Escrow. There's an increased awareness in electronic funds transfer fraud. There's also an increased push, shall we say, by the regulatory agencies to ensure that the financial institutions are aware and that the information is passed along to the customers. One thing I do see is that the very large institutions - Chase, Bank of America - have robust programs for anomaly monitoring of electronic funds transfers, making sure that the activity is typical for the customer, and increasing fraud awareness procedures. The fraudsters are kind of moving down to the smaller institutions where they may not have the level of awareness or the level of institutional experience and skills to implement an effective program to limit electronic funds transfer fraud.
I also see for some very small institutions that I've visited here in Iowa that they may not have online ACH wire transfer initiation, but they're still susceptible to fraudulent activities primarily through customers' e-mail being hacked. A fraudster then spoofs their e-mail address, sends an e-mail request for a wire transfer to an out-of-state account, stating that, "I'm not available for call-back; I'm out-of-state; I don't have access to a phone," and then the smaller banks believe they know the customer, which they usually do, and they just want to help that customer. They maybe don't pay as much attention as they should to their policies as far as processing funds transfers, and they actually assist with this fraud because they don't want to offend their customer. They want to help. They take it at face value that this e-mail request is coming from the customer and that they just want to help.
I see that quite frequently, especially with the smaller banks here in Iowa. That's something that I think can be remedied by having detailed implemented policies as far as, "We require that any wire-transfer request not received in person gets a call back to the phone number on record." That's one really basic control that I think could eliminate a lot of these less technological wire-transfer frauds.
Using DDoS to Distract from Fraud
KITTEN: Are institutions focusing on DDoS as a mode of distraction for ACH and wire fraud?
MCHUGH: No, not really; not the institutions that I've been to. Again, one or two of the largest institutions that I've been to have included some kind of acknowledgement and basic information maybe in their incident response plan and their business continuity plans about DDoS attacks maybe masking the additional underlying electronic funds transfer fraud.
In smaller institutions I don't see any evidence that they are maybe as aware that they have implemented that kind of information into their plans for their bank. I think that's just not something that has maybe filtered down to the smaller institutions at this point. It's definitely something that I believe they should integrate into their incident response and business continuity plans. They should talk with their Internet service providers regarding that provider's particular plans for addressing these attacks should they happen.
State of Account Takeover
KITTEN: What about the state of account takeover? Do you see these incidents growing?
MCHUGH: I do see them growing. Now whether that reflects increased account takeover fraud in general or increased reporting by financial institutions about these incidents, that I'm not clear about. But I do see more reports of at least attempted and successful electronic funds transfer fraud.
KITTEN: Would you say that the losses related to account takeover fraud have increased in the last 12 to 18 months?
MCHUGH: No. I don't see any real increase in any of the losses. The losses I see are smaller. They're usually maybe a few hundred dollars, maybe 40,000 or 50,000 I've seen. That in itself I don't necessarily see increasing. I see it maybe maintaining. However, I was at a bank performing an examination when I was notified that they had actually stopped a fraudulent ACH origination request in the amount of $2 million. They did that because they have implemented a couple of layers of anomaly monitoring and detection software in their system.
Improving Detection Techniques
KITTEN: Do you see banking institutions improving their detection notification techniques?
MCHUGH: I do see that, particularly in the larger institutions that I've been to. Anomaly monitoring and detection solutions that I have seen the larger banks implementing are very costly, first of all, and they're also very time-intensive in the sense of setting up the system and educating the system on the customers' behavior patterns. It's very costly as far as money and also for time. Smaller institutions just don't have either of those resources in order to implement those. Again, those smaller institutions frequently have fewer people either performing online ACH or wire transfer origination or they don't allow online ACH and wire transfer initiation, so any kind of anomaly monitoring and detection that they may have in place is manual, which again can be time-intensive. With the manual system, it may be harder to detect patterns of behavior over the past maybe few months so those people who monitor those systems are aware that this actually is something out of character for this customer.
Advice for Financial Institutions
KITTEN: What final thoughts or advice would you offer to banking institutions?
MCHUGH: First of all, they need to talk with their banking service providers, if they haven't already, to get information from those providers about the range of options that are available for online funds transfer security procedures. Then they need to perform a thorough risk assessment of their banking services to ensure that they have implemented the appropriate security procedures based upon their provider's offerings, and also based upon the particular circumstances of each customer - how many high-risk transactions they perform; frequency of those transactions; the amounts of those transactions - to make sure that the controls they have in place are sufficiently tailored to the particular customer.
I also think that they should push back on the clients and say, "These particular security procedures we're going to require for our protection and for your protection," such as the complex password, changing passwords periodically. If possible, I think dual control is very important; out-of-band confirmations so you initiate a wire transfer. We're going to call you to make sure that's appropriate and make sure that's done.
Also, the banks I believe should implement some kind of anomaly monitoring and detection system, be that manual if they're a smaller institution or automated, to ensure that there's some kind of awareness of the customer's pattern of behavior as far as electronic funds transfer requests, where they're sending their funds transfers, who they're sending them to, etc.
Then, set up some kind of institutional reporting system. Periodically, maybe monthly, there's some kind of review and analysis of electronic funds transfer activity that's reported up through an appropriate committee, and then potentially to the board so that there's senior management awareness of these electronic funds transfer activities, trends, patterns, etc., so that they can make sure that they have implemented the appropriate security procedures for each particular customer's behavior.