The Legal Side to Risk Assessment
Courts Want to Know Banks Are Testing Technologies
Former federal banking examiner Amy McHugh says detailed risk assessments have to be a priority. And recent legal decisions handed down by courts in disputes involving incidents of corporate account takeover prove just how critical those assessments are, she adds.
Ongoing and regular risk assessment allows banking institutions to test their technologies and adjust to the changing threat landscape - two points on which regulators and the courts are holding banks and credit unions more accountable, says McHugh, a bank adviser and former IT examination analyst for the Federal Deposit Insurance Corp., in an interview with BankInfoSecurity [transcript below].
"The FFIEC agencies are requiring more of their financial institutions, as far as performing detailed annual risk assessments of their online banking services, making sure that - particularly for their business customers that perform higher-risk, electronic transactions online for ACH and wire transfer origination - they are really risk-assessing those products and ensuring that they have implemented appropriate security measures to address the increasing risks for those services, as well as the risks that are becoming more apparent in the industry," she says.
McHugh says the clear message from the courts is this: Ensure online controls align with the Federal Financial Institutions Examination Council's updated authentication guidance, as well as Article 4-A of the Uniform Commercial Code.
"What I see emerging is the court's increased reliance on guidance, particularly the FFIEC's 2005 and 2011 guidance," she says. "I also see the fleshing out of the UCC's 4-A analysis of what constitutes a secure procedure."
Banking institutions must constantly re-evaluate whether they are adequately addressing their risks and meeting the minimal requirements of the FFIEC's guidance, McHugh says. That means they also must focus on customer education - an area where many institutions have, to date, been lacking, she adds.
"The 2011 supplement requires financial institutions to implement some types of customer security awareness education program, meaning that they should be informing their customers, particularly those that perform high-risk transactions, about the fraud environment," McHugh says. "Are they ensuring that they have up-to-date and effective antivirus and patch management procedures for their system, so that if they do get some kind of a virus or a keylogger, for example, they can catch it and neutralize it as soon as possible?"
During this interview, McHugh discusses:
- The role agreements with commercial banking customers are playing in court decisions and settlements over ACH and wire fraud incidents;
- Why the onus for security is increasingly falling on the shoulders of the banks;
- A review of recent ACH and wire fraud cases.
McHugh, an attorney and former regulatory examiner, is now a banking institution adviser for CliftonLarsonAllen, a professional services firm. Her areas of specialization include Gramm-Leach-Bliley Act compliance; information systems review; risk assessments and policy development; information security program development and implementation; vendor management; cloud computing; and corporate account takeover fraud.
Courts' Reliance on FFIEC
TRACY KITTEN: Amy, you've been closely watching some of the banking industry's most noteworthy account takeover cases, including those filed by Experi-Metal, PATCO Construction and Choice Escrow. What overall theme are you seeing emerge?
AMY MCHUGH: What I see emerging is the court's increasing reliance on regulatory guidance, particularly the FFIEC's 2005 and 2011 guidance on authentication in the Internet banking environment. And, also, the courts' reliance on the FFIEC's IT examination handbooks. These are kind of the de facto industry standards and are assisting the courts in their determination of what constitutes commercially reasonable security procedures. I also see developing kind of the fleshing out of the UCC 4A's analysis of what constitutes a commercially reasonable security procedure, as well as reliance on the good faith prong of UCC 4A. While the security procedures may be commercially reasonable, are the financial institutions acting in good faith in their dealings with their business customers?
KITTEN: What should banks and credit unions be focused on when it comes to some of these decisions and/or settlements?
MCHUGH: Well, I think all financial institutions should be reviewing those two FFIEC guidance documents on authentication in the Internet banking environment, particularly the 2011 supplement, because of the increasing level of electronic funds transfer fraud in the industry. The FFIEC agencies are requiring more of their financial institutions, as far as performing detailed annual risk assessments of their online banking services, making sure that - particularly for their business customers that perform higher-risk, electronic transactions online for ACH and wire transfer origination - they are really risk assessing those products and ensuring that they have implemented appropriate security measures to address the increasing risks for those services, as well as the risks that are becoming more apparent in the industry.
And, also, the 2011 supplement requires financial institutions to implement some type of customer security awareness education program, meaning that they should be informing their customers, particularly those that perform high-risk transactions, about the fraud environment. What is existing out there? What additional steps should those particular business customers take in their own environment, meaning, how do they protect their computers? Are they limiting their electronic funds transfer operations to a particular computer? Are they limiting Web surfing on that computer? Are they ensuring that they have up-to-date and effective antivirus and patch management procedures for their system, so that if they do get some kind of a virus or a keylogger, for example, they can catch it and neutralize it as soon as possible?
Choice Escrow's Appeal?
KITTEN: The Choice Escrow ruling is likely to be appealed, you argue. Why?
MCHUGH: I think it will be appealed based primarily on the court's analysis of PATCO. I think that in the Choice Escrow case it was a case of a small business that would initiate electronic funds transfers, and that because they only had two people who were doing these funds transfers, they did not want to implement a dual-control system. One of the two people may be out of the office and so it just wouldn't be feasible for that organization. And the court kind of relied on that in determining whether the bank had actually implemented commercially reasonable security procedures. UCC 4A talks about if a security procedure is considered commercially reasonable, and if a customer has been offered that feature and then turns it down, then another security procedure must be used. So any security procedures that are still left in place, in this case the user ID and password, and I believe a secure device token, which is a cookie on their computers, would then be considered commercially reasonable. This kind of bothered me, in a sense, about whether or not this was an actual issue for Choice Escrow; meaning, we won't have both people in the office at the same time for most of the time to allow us to perform these electronic funds transfers. There are situations where you are going to have small business customers and that truly may not be a feasible option for them. Going back to the PATCO case, BancorpSouth kind of offered this one-size-fits-all solution. So you take dual control; if you can't use dual control, yet nothing else is offered, then how can that be reasonable? I found that kind of questionable in the sense that the UCC 4A and the FFIEC guidance both say that financial institutions, when determining what security procedures to offer their customers, have to consider the circumstances of that particular customer.
So, I see that there might be an option here for a potential appeal, in the sense that these security procedures were not sufficiently tailored to this particular customer's circumstances and that something else, maybe, should have been offered.
Leaning on UCC 4A
KITTEN: And then what about some of the Article 4A implications here for commercial customers?
MCHUGH: This has been stated before - the increasing awareness that customers, business customers, definitely have some responsibility for protecting their own systems, which I totally agree with. While the bank is in what is considered the "better position" to be aware of these particular security procedures and risks, business customers still have some responsibilities, as far as being aware of basic security procedures for their location. Again, going back to effective antivirus maintenance, patch management on their systems, limiting, as much as possible, any kind of Internet activity on a particular PC that is used for online banking transactions. And basic things such as appropriate password configuration complexity. I definitely think that business customers differ from consumers, in the sense that they are in a slightly better position to be aware of general risks and things and should be able to implement security into their system. But, what I found, and again this is from smaller institutions, is that the banks themselves are not necessarily as aware as I think they should be about security procedures and risks to their Internet banking systems. That then kind of filters down to the customers. I think that while banks definitely have a better position and should be able to communicate to their customers what they should be doing, the business customers should also start taking some responsibility for protecting their own systems.
Security at Smaller Institutions
KITTEN: What recommendations do you offer to some of these smaller banks and credit unions, when it comes to practices that they could implement that would not be tasking or a burden on their budget?
MCHUGH: The first thing is to communicate with their Internet banking service provider. The Internet banking service provider definitely should be aware of the additional FFIEC guidance and should be aware of industry risks. They can talk with their provider and say, "OK. What have you implemented? What options do you have for us to help our customers address these risks?" I think that is the first thing: Talk with your service provider. I know they typically supply basic information about their systems, about all of the security procedures that they have that can then be offered to banking customers. The second thing is for institutions to take a good look at all of the online banking services they offer. Again, do the kind of time-tested risk assessment, where they list out every service and they think of every possible threat that could occur to these particular services. Make sure that those threats are mitigated as much as possible with implemented controls. Then, with their customers, when their customers come in to set up an online banking account with these higher-risk external transactions, they need to sit down and say, "These are the risks that are in play for your particular set-up. If you are performing online wire transfer origination, we want you to know that these are the things that can happen and that these are highly suggested and highly recommended controls that you need to put in place." For instance, I think dual-control definitely is a major control that business customers should have in place, whether that is feasible for their particular operation is a separate question. If they are too small, then another option might be available. But dual-control, first and foremost, I think, is very important, because it gives another set of eyes to any kind of transfers that are initiated. Getting somebody else verifying a transaction before you send it is important.
So make sure the financial institutions really sit down with their customers and aren't afraid to say, "We're going to require you to change your Internet banking password every 90 days. We're going to require you to have at least two authorized people to perform these external funds transfers. We're also highly recommending that you have an independent person at your organization set up as an authorizer for these particular transactions." We'll use the example of wire transfer electronically. Say the bank receives it via secure e-mail through online banking. The bank would then send a confirmation back to that company, not only to the person who requested the transfer, but also to another independent person at that organization so that there is another person viewing this transfer and making sure that it is OK. Also consider implementing out-of-band confirmations or verifications, meaning that if a bank receives a wire transfer initiation request via e-mail, it will place a call to somebody at that organization to verify the e-mail. Don't necessarily respond back to that same e-mail, because if the e-mail address had been hacked, what you're doing is just sending a confirmation back to the fraudster; the customer is not getting it. So dual control, out-of-band confirmation and verification, I think, are very important. And, also, just talking with the customers about basic security procedures and saying these are the basic things that we're going to ask you to do. Not only is it protecting us, but it is protecting you, the customer. Institutions can't be afraid to keep encouraging customers to adopt these additional security procedures, even if they would rather not. I've heard many times about banks saying that their business customers refuse to change their passwords. They do not want to be forced to change their passwords every 90 days. Of course the banks don't want to lose that customer, so they won't force them to change their password every 90 days.
But I think that is a really basic security control that financial institutions should kind of push back on and that business customers should not consider onerous, because changing a password every 90 days is not an excessive request. I think banks should keep reminding themselves that they are doing this for the customer and that they need to assist the customer in becoming more aware of their security procedures.
KITTEN: Are there any other cases worth noting that have not gotten a great deal of media attention, like the PATCO case and even the Choice Escrow case have?
MCHUGH: The Park Sterling Bank case is one that involves a bank that is suing a law firm for the return of approximately $338,000 lost because of a fraudulent wire transfer that originated through a hack into the law firm's system. What it sounds like, after reading the complaint and then the law firm's answer, is that the law firm's computer system was infected with what was probably a keylogger through one of the fraudulent NACHA e-mails that went around last year. The fraudsters initiated an approximately $338,000 wire transfer to Russia on May 9th of 2012. The bank initially said that they were providing provisional credit to the law firm's trust account, so that it wouldn't have an overdraft while they were investigating whether they could get the funds back. But the bank was not able to get the stolen money back and the law firm got an injunction to keep the bank from taking the provisional credit back. Now the bank is suing the law firm to get the money back to cover the fraudulent wire transfer.
In this case, they are relying on UCC 4A and the FFIEC guidance. What I found interesting in this case is that there seems to be more explicit and detailed reliance on the FFIEC guidance, as far as the law firm's argument that the security procedures that the bank had in place - username and password and what sounded like a device cookie on the machine - were not commercially reasonable, because they did not adhere to the 2011 supplement's requirements for multifactor authentication and layers of security for higher-risk transactions. What was interesting about this case is that the law firm alleges that while they did have the user ID and password, they also had a PIN to initiate these funds transfers and that there were two security questions that a person had to answer in order to effectuate the transfer. But the law firm says the bank only offered two security questions. They were not changed. They were the same questions each time, and that the bank pre-populated the answer. They also stated that the PIN was only four digits and it was something that was really intuitive relating to the bank. So those never changed. The responses were pre-populated, pre-programmed by the bank, so, in essence, looking at that just from the facts of the two documents that I read, that doesn't seem like any kind of a security control. I don't know if that would be considered part of a layered program. What it looks like is that the security procedures that the customer had, the law firm had, were user ID and password, which is single-factor authentication - not adequate, according to the 2011 guidance. The law firm also alleges that it had found out that other customers of the bank who initiated online funds transfers also had the same two questions with the same answer pre-populated. If that is the case, I think the bank should change that immediately, because that is almost the same as having each customer have the same passwords that never change.
I don't think that is a very effective security control. But I think this case will be really interesting, because it seems to rely more on the FFIEC guidance and what is actually required within that guidance for banks to follow in order for a control to be considered a commercially reasonable security procedure. And also whether the bank is actually acting in good faith. Are they providing adequate security procedures tailored, again, to the client? You know it relies a lot on the contractual agreements between the bank and firm, which are included as exhibits with the bank's complaint. There are a number of areas that are blank. For instance, there are signature lines that are blank. There are totals for limits on ACH and wire transfers. It just seems like the contract itself was not completed, maybe leaving some room open for what is actually required.
Communicating with Service Providers
KITTEN: What final thoughts or advice would you offer to banking institutions?
MCHUGH: First of all, they need to be in touch with their banking service providers, if they haven't already, to get information about the range of options that are available for online funds transfer security. Then they need to perform a thorough risk assessment of their banking services, to ensure that they have implemented the appropriate security procedures based on their provider's offerings and the particular circumstances of each customer. How many high-risk transactions do they perform? What is the frequency of those transactions; what are the amounts of those transactions, to make sure that the controls they have in place are sufficiently tailored to the particular customer? I also think that they should, again, push back on the clients and say, "We are going to require certain things for our protection and for your protection." Again, the complex password, changing passwords periodically and, if possible, I think dual control is very important, as are out-of-band confirmations. "If you initiate a wire transfer, we're going to call you to make sure that is appropriate." Also, the banks should implement some kind of anomaly monitoring and detection system - and a manual system could work at a smaller institution - to ensure that there is some kind of awareness of the customer's pattern of behavior, as far as electronic funds transfer requests go. If something is out of the ordinary, like in the Park Sterling Bank case, you catch it. The law firm states it had never ever sent a wire transfer out of the country and that it wouldn't have sent something from that particular account to Russia. So the bank should develop some kind of awareness of the customer's patterns of behavior. And then set up some kind of institutional reporting system so periodically, maybe monthly, there is some kind of review and analysis of electronic funds transfer activity that is reported up through an appropriate committee and then, potentially, to the board.
That way, there is senior management awareness of these electronic funds transfer activities, trends, patterns, etc.
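The per-customer anomaly monitoring, the dual-control and out-of-band confirmation requirements, and the periodic activity report that McHugh describes in her closing remarks can be expressed as a small review routine. The code below is an added example written for this page; it is not part of the interview and is not any bank's or service provider's system. Every transfer record in it is constructed sample data, the customer names ("firm-a", "firm-b"), account identifiers and the policy constants (HOME_COUNTRY, OOB_AMOUNT_THRESHOLD) are assumptions, and the baseline rules (new country, first cross-border transfer, new beneficiary, amount above the customer's own history) are one plausible encoding of "awareness of the customer's pattern of behavior", not a regulatory standard.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev

# Added example, not from the interview: baseline checks for an outbound
# funds-transfer request, the controls they trigger, and a monthly roll-up.
# All records and policy values are constructed/assumed for illustration.

@dataclass(frozen=True)
class Transfer:
    customer: str      # hypothetical customer identifier
    amount: float
    country: str       # destination country of the beneficiary's bank (ISO alpha-2)
    beneficiary: str   # opaque beneficiary account identifier
    when: date

HOME_COUNTRY = "US"               # assumption: the institution is US-based
OOB_AMOUNT_THRESHOLD = 10_000.00  # assumed policy: call back on wires at or above this

# Constructed history: "firm-a" only ever sends modest domestic wires.
HISTORY = [
    Transfer("firm-a", 4_200.00, "US", "acct-101", date(2012, 1, 12)),
    Transfer("firm-a", 8_750.00, "US", "acct-102", date(2012, 2, 3)),
    Transfer("firm-a", 3_100.00, "US", "acct-101", date(2012, 2, 27)),
    Transfer("firm-a", 12_400.00, "US", "acct-103", date(2012, 3, 15)),
    Transfer("firm-a", 6_000.00, "US", "acct-101", date(2012, 4, 9)),
    Transfer("firm-b", 20_000.00, "CA", "acct-201", date(2012, 4, 20)),
]

# Constructed requests: one that departs from the customer's pattern in every
# respect, and one that matches it.
SUSPICIOUS_REQUEST = Transfer("firm-a", 338_000.00, "RU", "acct-999", date(2012, 5, 9))
ROUTINE_REQUEST = Transfer("firm-a", 5_000.00, "US", "acct-101", date(2012, 5, 10))

def anomaly_flags(req, history):
    """List the ways a request departs from this customer's own prior activity."""
    prior = [t for t in history if t.customer == req.customer]
    if not prior:
        return ["no-history"]          # nothing to compare against: treat as unusual
    flags = []
    if req.country not in {t.country for t in prior}:
        flags.append("new-destination-country")
    if req.country != HOME_COUNTRY and all(t.country == HOME_COUNTRY for t in prior):
        flags.append("first-international")
    if req.beneficiary not in {t.beneficiary for t in prior}:
        flags.append("new-beneficiary")
    amounts = [t.amount for t in prior]
    if req.amount > max(amounts):
        flags.append("amount-exceeds-history-max")
    # With a few observations, also flag amounts far outside the usual spread.
    if len(amounts) >= 3 and req.amount > mean(amounts) + 3 * pstdev(amounts):
        flags.append("amount-statistical-outlier")
    return flags

def review_request(req, history):
    """Decide which controls must be satisfied before the transfer is released.

    Assumed policy: every external transfer needs dual control (a second
    authorised person approves); out-of-band confirmation (a call to a known
    number, never a reply to the requesting e-mail) is required on any anomaly
    or on amounts at/above OOB_AMOUNT_THRESHOLD; anomalies also hold the request.
    """
    flags = anomaly_flags(req, history)
    return {
        "flags": flags,
        "dual_control_required": True,
        "out_of_band_required": bool(flags) or req.amount >= OOB_AMOUNT_THRESHOLD,
        "hold_for_review": bool(flags),
    }

def monthly_summary(history, year, month):
    """Per-customer activity for one month: count, total and cross-border count,
    the kind of figures a periodic report to a committee or board would carry."""
    out = {}
    for t in history:
        if t.when.year == year and t.when.month == month:
            row = out.setdefault(t.customer, {"count": 0, "total": 0.0, "cross_border": 0})
            row["count"] += 1
            row["total"] += t.amount
            row["cross_border"] += int(t.country != HOME_COUNTRY)
    return out

if __name__ == "__main__":
    print(review_request(SUSPICIOUS_REQUEST, HISTORY))
    print(review_request(ROUTINE_REQUEST, HISTORY))
    print(monthly_summary(HISTORY, 2012, 4))
```

Run as a script, the suspicious request is flagged on destination country, first cross-border transfer, new beneficiary and amount, so it is held for dual control plus an out-of-band call; the routine request passes with only the standing dual-control requirement. The baseline is deliberately per customer rather than bank-wide, which is what lets a first-ever international wire stand out for a customer whose history is entirely domestic.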