Teaming Up to Fight ACH Fraud
Texas Banking Regulators Offer Account Takeover Prevention Tips
Banking regulators and law enforcement are collaborating to reduce losses linked to account takeover fraud. They say employee training at the branch level is a critical piece in the fraud fight. Why?
"Training the bank employee to work with that bank customer or that member is critical," says Dennis Simmons, president and CEO of SWACHA, the non-profit payments association that serves financial institutions throughout the Southwest United States. "We always recommend things like getting a full account number from the customer and having PIN or password authentication options on the phones."
Persistent and consistent information gathering is critical, and growing incidents of ACH and wire fraud are making information gathering increasingly important. "Obtaining the information from the customer, particularly during key parts of a transaction or when an account is first opened, is important," Simmons says during this interview with BankInfoSecurity's Tracy Kitten (transcript below). "You never know what seemingly innocuous piece of information that the bank employee gets from the customer that, during a criminal investigation, becomes crucial."
SWACHA recently hosted a one-day symposium about ACH fraud at the Houston Federal Reserve. Joined by the Federal Bureau of Investigation and the U.S. Secret Service, SWACHA opened the door for Texas bankers to share fraud-trend concerns and open dialogues with key financial fraud investigators. (See Four Steps for Fighting ACH Fraud.)
"It's not unusual for us to have 250, 300 financial-institution representatives present in one of these one-day seminars," Simmons says. "We have a long history of working with the FBI, and we've worked with them for many years to host these one-day symposiums."
The purpose: To educate financial institutions about current and emerging fraud trends.
For its part, the FBI finds value in gathering as much information as it can from banks and credit unions. Since banking institutions are the first ones to experience the fraud, it's important for them to share what they see with law enforcement, says FBI Special Agent Steve Dillon.
"These schemes and scams that are perpetrated by these types of criminals destroy companies and devastate families by milking them out of their life savings, and depleting millions and millions of dollars from the corporate Treasury at times," Dillon says. "These white collar crime investigations are one of the top priorities of the Bureau."
This year, the FBI actually increased its resources for financial- and mortgage-fraud investigations.
During this interview, Simmons and Dillon discuss:
- Curbing ACH fraud and losses;
- Engaging staff to identify payments fraud;
- The critical role information sharing with law enforcement and other banking institutions plays.
As head of SWACHA, one of the largest not-for-profit electronic payment associations in the country, Simmons is a frequent speaker and recognized expert on payments issues. He is a member of the board of NACHA, serves as chairman of NACHA's Government Relations Committee, is past chairman of NACHA's Electronic Check Council and past co-chairman of NACHA's Risk Management Advisory Group. Currently, he serves as the chairman of the Payments Executives Leadership Forum.
Simmons also is a founding member of the board of directors of the Secure Remote Payment Council and a member of the advisory council and faculty of the Bank Operations Institute at Southern Methodist University.
FBI Special Agent Steven Dillon is based in Houston, where he has spent several years investigating white-collar financial crimes.
TRACY KITTEN: Dennis, can you tell our audience a bit about SWACHA and why it's taken an interest in corporate account takeover, which is linked to ACH and wire fraud?
DENNIS SIMMONS: SWACHA is a non-profit trade association, and our mission really is to provide education and training for financial institutions about electronic payments, including risk management and fraud prevention. So those two topics, risk management and fraud prevention, obviously, fall very nicely into the whole area of ACH/wire fraud and the so-called corporate account takeovers.
KITTEN: Now, when you host these symposiums, about how many financial institutions typically do you reach?
SIMMONS: It varies, of course, sometimes by the topic and the date and that sort of thing; but it's not unusual for us to have 250, 300 financial-institution representatives present in one of these one-day seminars.
KITTEN: Agent Dillon, I would like for you to give us a little background about the FBI's work and its interest in financial crimes?
STEVE DILLON: Sure. We investigate many federal law violations, and we tend to investigate very complex crime in order to go as high up the criminal chain as possible. The FBI's purview within financial crimes includes things like financial-institution fraud and failures, healthcare fraud, security fraud, mortgage fraud, complex money laundering schemes - what we classify as white-collar crime. The FBI's interest at the headquarter level in these types of crime is great. These schemes and scams that are perpetrated by these types of criminals destroy companies and devastate families by milking them out of their life savings, and depleting millions and millions of dollars from the corporate Treasury at times. These white collar crime investigations are one of the top priorities of the Bureau. In fact, in fiscal year 2012, the FBI actually decided to increase its resources in financial- and mortgage-fraud investigations to address these threats and enhance its ability to proactively meet any oncoming schemes.
KITTEN: What can each of you tell me about the recent symposium, the one that was held in March, which not only included the FBI and SWACHA, but also representatives from FS-ISAC and the U.S. Secret Service?
DILLON: As I mentioned, the FBI prefers, generally, to investigate the very complex crime, the white-collar crime. Our investigations often require many years of hard work before a successful result is obtained. Other law enforcement agencies, such as the Secret Service, have what we call "concurrent jurisdiction" to investigate similar violations, especially financial-institution fraud; but the focus of our investigations is slightly different.
SIMMONS: Tracy, from the financial institution perspective, sometimes they are not really sure who has jurisdiction, and so they'll oftentimes contact us because of all the relationships that we have. The relationships they have developed over time help, and allow institutions to quickly reach out to someone if they are suspecting criminal activity. SWACHA is a member of FS-ISAC, and because of that relationship, we were able to bring in folks from FS-ISAC to talk about what was happening, as far as threats are concerned, to financial institutions.
KITTEN: What advice do you offer, and are you continuing to offer banks and credit unions certain steps or best practices that they can take to curb financial losses that are linked to e-commerce and corporate account takeover?
SIMMONS: It's difficult for us in law enforcement, and we're sympathetic to some of the things that we ultimately recommend to banks and credit unions and other financial institutions. Many of the things we recommend are perceived as quite onerous and time-consuming. Nevertheless, it's important to consider the billions upon billions of dollars that are lost through these types of crimes; we keep driving home that training is probably the most important thing.
Training the bank employee to work with that bank customer or that member is critical, so we always recommend things like getting a full account number from the customer and having PIN or password authentication options on the phones. Having two phone numbers for contact information is another recommendation, as is extending holding periods before transfers go into foreign accounts. Persistently obtaining the information from the customer, particularly during key parts of a transaction or when an account is first opened, is important. You know, you never know what seemingly innocuous piece of information that the bank employee gets from the customer that, during a criminal investigation, becomes crucial.
DILLON: We also talked about the virtual perspective: making sure that the financial institutions and their employees and their customers keep their anti-malware or anti-virus software up to date, and that they install Windows updates.
SIMMONS: From an administration perspective, one of the things that we talk about with financial institutions is that if their online platforms are available 24/7, if someone is coming in to make an administrative change or add an administrator or add someone with capabilities to originate files, either through ACH or wire, we told our members to suspend transactions that require authorization until the next morning, so that someone can look at those transactions and verify them, preferably through an out-of-band channel, such as a fax or telephone call. And we talk about files coming in to the financial institution to use some sort of out-of-band authentication method.
A lot of institutions have gone back to old-school kinds of things, where the file is transmitted through an online portal and then a fax is sent through a separate channel to validate that the file was sent and to validate the file totals contained in the transmission. Those are some steps that can be taken, but one of the things I talk about is why it's important to be skeptical. Practice and preach to your staff and to your customers that they should be skeptical of things. I call it "healthy skepticism." If something is too good to be true it probably is. You didn't win the Canadian lottery; you didn't win the Irish sweepstakes, those kinds of things.
KITTEN: And before we close, I would just like for each of you to tell us a little bit about where institutions can get more information?
DILLON: From the FBI perspective, we actually have a great website, FBI.gov. You can click at the top of the page. There is a "Contact Us" tab, and you can get information about the field offices. Another item of interest I would like to quickly bring up is what we call the Internet Crime Complaint Center, and that website is IC3.gov. It's a partnership between the FBI and the National White Collar Crime Center. It's a great place for institutions or individuals to go to file a complaint. The homepage also has all kinds of other great information. There is a "What We Investigate" tab, which will take you to a white collar crime section, and there is a plethora of information there; they discuss major investigations and other types of white collar crime with which the FBI is involved.
SIMMONS: As far as the corporate account takeover issue, there is certainly a lot of information on NACHA's website, www.NACHA.org. Also, SWACHA has a lot of resources available on our website, SWACHA.org, about corporate account takeover and steps organizations can take to protect themselves in that environment.