Fighting ACH Fraud: A Case Study
'We Have Not Had a Loss Because of the Precautions'
Barry Rich says wire- and ACH-related fraud is alive and well, and banks have done a poor job of staying ahead of the risk curve. [See Account Takeover: Better or Worse?]

"Overall, the industry has been slow to respond and understand the risks," says Rich, chief financial officer of CapitalMark Bank & Trust, a Tennessee-based de novo with $668 million in assets. "Our industry is in the mode of playing catch up. And when it comes to security, you're always in the mode of playing catch up."

Today, online and ACH/wire fraud is top of mind for most institutions. The pervasiveness of phishing attacks and subsequent incidents of corporate account takeover have called attention to vulnerabilities in traditional authentication practices.

CapitalMark is no exception. In 2010, long-standing controls and authentication practices proved insufficient when one of CapitalMark's commercial customers was hit.

"The money went out, but we got a majority of it back," Rich says.

That fraud event was the impetus for change.

A Risk-Based Approach

Established in 2007, CapitalMark's focus revolved around remotely serving small to mid-sized businesses in Knoxville and Chattanooga, Tenn. That set-up meant most transactions and communications between the bank and its customers would either be handled via third-party courier services, electronic banking or remote deposit capture.

Given that branchless approach, CapitalMark had to confront fraud concerns early, identifying, assessing and addressing potential risks from the outset.

When CapitalMark opened, its focus on small business necessitated fraud alerts and enhanced fraud detection. Educating business customers about fraud was important, but CapitalMark wanted to ensure it had controls in place that protected commercial accounts with limited customer involvement.

The bank relied on a retail-oriented detection system, which was effective but did not address unique and growing risks facing commercial accounts. Last year, when one of CapitalMark's accountholders was breached, the bank decided to explore some additional security measures. "One fraudulent wire got through and hit a commercial account," Rich says.

Attacking Small Business Fraud

ACH Alert, a Chattanooga-based provider of ACH and wire risk management solutions, had been a long-time CapitalMark vendor. ACH Alert provided CapitalMark's ACH A.L.E.R.T. system, which notified clients of incoming ACH debit activity; but the system was not designed to address suspicious activity related to outbound ACH transactions. So, after one of its customers took a hit, CapitalMark went back to ACH Alert to see if the system could be expanded to include fraud detection for outbound transactions.

"When we started out, we vetted their fraud-alert product, and we tried to adapt it for notification of [ACH] transactions we send for our business customers," Rich says. "Later, we asked them to help us [with wires], so they wrote a program that met our needs."

In September, ACH Alert launched C.O.P.S. - Credit Origination Positive-Pay, which adds fraud detection to outbound entries. The system provides out-of-band authentication for ACH credit and wire transfers by requiring customer approval of all ACH and wire transactions before they are transmitted. "We use a positive confirmation that goes out, and they have to come back and say send or don't send," Rich says.

The solution has reduced CapitalMark's potential losses.

"We had an attempt within the last 30 days," Rich says. "But because of the out-of-band authentication, an e-mail that goes out to the business, the e-mail went out and the lady who originates the wires at that company called us back and said 'That's not my wire.'"

CapitalMark requires all of its 2,500 customers to use the C.O.P.S. authentication service.

Attacks against businesses have increased, but accounts have not been compromised. "We have not had a loss because of the precautions we've taken," Rich says. "Banks and businesses have to realize: It's not a matter of 'if' when it comes to these attacks; it's just a matter of when. You have to keep layering security in, or you're going to take a loss."

Banking institutions can never stop enhancing and tweaking their practices and precautions. "You don't ever want to rely on just one thing and think you've found the magic bullet," Rich says. "And a lot of times, it's not the potential damage to your assets as much as it is the damage to your reputation, which can be really devastating."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



