TD Bank on Customer Education
New Study Underscores Need for Greater Awareness
"Phishing; limiting the paper trail; not leaving their computer screens up when they walk away; knowing who's around when they log on to the account are all educational points," says Jay DesMarteau, head of small business sales for TD Bank [CDN $630 billion in assets]. "We've seen instances of all of that, and so we've had to increase awareness."
Steps such as limiting paper trails and dedicating desktops to online banking business should be givens at this point, but many small-business owners continue to rely on unsafe, albeit conventional, business practices, according to a new study overseen by TD Bank.
In April, TD Bank commissioned ORC International to survey 300 small U.S. businesses about their takes on the current state of fraud. "Our intent with this survey was to increase awareness about fraud and help our small business customers understand what they can do to reduce risks related to online fraud." [Visit TD Bank's Security Center for more information.]
About 90 percent of TD Bank's commercial business customers fall into the small business category - a category that accounts for about one-third of TD Bank's balance sheet. Over the last several months, TD Bank has been sharing the survey results with its small-business base, using the results as an educational tool to show financial institutions where they are lacking in fraud investments and to point out where more attention needs to be paid.
"ACH - that's where we have seen fraud in the past, but things have gotten better over the last two years," DesMarteau says. "We do surveys from time to time around banking products and trends, just to see where we are. And this is an area, online fraud, that we see as being a trend. We want to share basic steps that can be taken to reduce fraud," which starts with the commercial customer.
The 300 small-business leaders TD Bank surveyed said they did plan to make investments over the next year to enhance fraud protections, but the responses were lackluster.
When asked, "Which of the following actions are you most likely to take over the next 12 months to protect your business from fraud?":
- 46 percent replied "Install/update firewalls and anti-virus software"
- 45 percent replied "Institute more internal controls/checks and balances"
- 17 percent replied "Schedule regular external audits"
- 40 percent replied "Start managing my finances using secure online banking tools"
- 17 percent replied "Employ an information management service to safely store sensitive documents"
Online fraud, not surprisingly, has been a problem for TD Bank in the past. But since 2009, ACH- and wire-related fraud incidents have dropped 50 percent, primarily because of stronger detection on the bank's end and more customer education. "We've done a lot more on our side around monitoring transactions and looking for payments to people that look out of sorts for a particular customer," DesMarteau says.
TD Bank also offers insurance, in case a commercial account is hacked, and a product called BusinessDirect, which provides commercial customers with 24/7 online account activity, so they can monitor transactions in real-time.
"It's a constant thing we are doing to prevent cyberfraud," says Robert Dunlop, head of corporate security for TD Bank. "I think a lot of smaller business customers don't think they will get attacked, and they do foolish things," like allow employees to browse the Web on desktops that are used to manage the bank's online account.
"And a lot of these small businesses don't understand the risks, and they don't have an IT staff in place to regularly update software or ensure they have the right anti-virus systems or firewalls, so we're working with them," Dunlop says. "These breaches, when they occur, are at the customer level, not at the bank level."
FFIEC and Customer Education
The need for more customer education regarding online security is not a new concept. Consumers are often referred to as being the weakest links. That weakest link reference is amplified when talking about commercial accounts, since they don't carry the same protections as consumer accounts covered by Regulation E.
Commercial customer education is one of the tenets of the updated online authentication guidance issued by the Federal Financial Institutions Examination Council in June.
The FFIEC authentication guidance specifically calls for financial institutions to launch customer education efforts that include security steps for commercial customers.
The FFIEC says banks and credit unions should suggest "commercial online banking customers perform a related risk-assessment-and-controls evaluation periodically," as well as provide a "listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found."
Joe Rogalski, information security officer of First Niagara Bank, a top 25 regional bank in the northeast U.S., says educating small business customers about online risks should be a top priority for every financial institution. "We're seeing more fraud and cross-channel fraud," he says. "We're continually doing risk assessments of our platforms. We're continually testing our controls and the effectiveness of our controls. ... We're doing anomaly detection on transactions, as well as a lot of end-user education."
TD Bank's recent survey results support Rogalski's view, and more institutions are pursuing customer education initiatives as part of their layered approaches to security and online-fraud prevention.
For TD Bank, sharing results from surveys is educational for customers. But TD Bank also regularly posts updates about emerging threats and new security initiatives through the TD Bank Security Center, a microsite dedicated to providing security alerts and information about everything from identity theft to emerging schemes.
"It's an outreach effort," Dunlop says. "These cybercriminals are very good at what they do, and we all have to do what we can to stay ahead."