Fraud Victim Favors Draft Guidance

FFIEC Proposal Seeks to Prevent Corporate Account Takeover
The Federal Financial Institutions Examination Council's proposed authentication update is exactly what the banking industry needs. That's the view of Choice Escrow, the Springfield, Mo.-based company that lost $440,000 last fall in an incident of corporate account takeover via wire fraud.

A preliminary draft of the new FFIEC guidance, which has been circulating throughout the industry, calls for more stringent risk assessments, authentication and customer education. One of the major themes of the draft guidance, in fact, is how many recent incidents of corporate account takeover may have been avoidable.

"Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring/anomaly detection could have prevented many of the frauds," the draft says. "The ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior."

These words are welcome news to Jim Payne, owner of Choice Escrow. "We want to know what the FFIEC guidelines actually mean and who is responsible for enforcing audits and compliance. That would have helped us," he says. "We've had contact with several businesses in our area, and most of them are totally oblivious about the kinds of breaches that are out there, as well as about the fact that their accounts are not protected."

Addressing Fraud

The current draft of the FFIEC's "Interagency Supplement to Authentication in an Internet Banking Environment" calls for:

As part of the effort to educate commercial customers about fraud risks and security, the draft suggests financial institutions explain what protections are and are not provided under Regulation E. The draft also asks banking institutions to work with their commercial online banking customers to perform periodic risk assessment and controls evaluations.

It is important to note that this guidance, dated Dec. 13, 2010, is currently in draft form and may be amended significantly before final guidance is issued.

Corporate Customers Respond

In November 2010, Choice Escrow sued BancorpSouth, the $14.3 billion bank that held Choice's breached commercial account. Choice's suit claims the bank failed to follow existing FFIEC guidelines to ensure security of online-initiated wire transfers.

"Knowing how much money we had in our account, they should have made some recommendations about security," Payne says. "But when we signed with them, they did not give us any recommendations about protections or multifactor authentication."

Choice Escrow is not alone. Experi-Metal Inc., which in December 2009 sued its former bank, Comerica, lost more than $550,000 in fraudulent wire transfers from its commercial bank account.

Valiena A. Allison, CEO and president of Michigan-based EMI, says commercial customer education regarding security risks and protections should be required of banks and credit unions. "Before this all happened, I never realized there was a difference between the laws and the protections (under Regulation E) for commercial businesses versus consumer accounts," she says. "The laws are not the same. That never occurred to me. That should have been something we were notified about by the bank."

EMI and Comerica faced off in U.S. district court earlier this year, and a verdict in that trial is expected soon.

Choice Escrow and EMI are but two of a handful of commercial customers who have fallen victim to recent incidents of corporate account takeover. Other high-profile corporate account takeover victims include:

  • Village View Escrow of Redondo Beach, Calif., which in March 2010 lost $465,000 to an online hack;
  • Hillary Machinery, which in January 2010 was sued by its bank, PlainsCapital Bank, after a legal battle over ACH fraud liability. The suit was later settled for undisclosed terms;
  • The Catholic Diocese of Des Moines, Iowa, which in August lost $600,000 in fraudulent ACH transactions.

Payne says the FFIEC has a lot to consider when weighing new guidance. "When we signed up for the online banking, we did not know anything about the risks," he says. "It was all new to us. We were probably only nine months in when we got breached." Had the bank explained more about the risks, or done more to assess Choice Escrow's risks, Payne says the breach may have been avoided.

"The way I see it, the industry has two choices: Either the FFIEC guidelines will require that banks do [more stringent] risk assessments, or Regulation E will have to be amended to protect commercial customers," he says. "Otherwise, there's no way the banks are going to change the way they do business."


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



