PlainsCapital Settlement Stirs Debate

Observers Still Expect Legislation to Address Fraud, Security
PlainsCapital Settlement Stirs Debate
While the strange legal case of "Bank vs. Customer" may be over, the settlement between PlainsCapital Bank and Hillary Machinery still fuels questions about the scourge of corporate account takeover.

Question #1 is about reputation, says David Navetta, a lawyer at InfoLaw Group, a law firm specializing in information security law.

"Banks live and die on their customer's trust," he says. The risk of facing a jury trial may have led PlainsCapital to settle with Hillary. But the case is only one of many instances where businesses have lost money through these fraudulent ACH transactions, resulting also in lost confidence in the banks. "Institutions need to look at their contracts with business customers and make sure they are as tight as possible."

Security as a Competitive Edge?

Navetta sees an opportunity for banking institutions to market themselves if they feel they have strong security. But the problem with this idea, says Charisse Castagnoli, an independent banking consultant and information security law expert in Austin, TX, is most banks don't come close to having the "strong two-factor authentication" that is called for in the FFIEC guidance.

"I am very disappointed by the banks' response to the FFIEC guidelines," she says. "I don't believe that the majority of the banks have employed true, two-factor authentication."

Strong authentication for online banking customers isn't just a community bank issue, she says. "There are big banks being hit with this as well," Castagnoli points out. Part of the problem is a lack of awareness and education, but it's also a challenging environment in the online banking space. "Everyone wants instantaneous access, but the real worry is what they are trading off when they get that immediate access is a lack of security."

'Viral' Movement

Financial institutions across the country may soon face another security gauntlet -- this time from their business banking customers in the form of a grassroots movement that is being organized by some of the businesses that have already suffered fraud losses.

Leading the businesses is Jim Woodhill, CEO and founder of Authentify, who says "It is hard to imagine a message more likely to spread virally than 'your organization's money is not safe in its bank.'"

Woodhill is aware of a victim initiative readying a website launch that will have a letter template that businesses will take to their institutions. The letter will ask whether the institution will stand behind its fraud controls in the event the business' online banking account is compromised. Woodhill says word on this crime will eventually start spreading on its own, but to help it along the website will give victims and potential victims information on the crime.

Lobbying lawmakers for legislation to answer this problem is ongoing in Washington, says Woodhill, who sees his efforts taking shape. The settlement of the PlainsCapital v Hillary Machinery suit has no impact on these efforts. "There are other businesses still getting hit with this crime, and it is not going away," he says.

Woodhill notes that every small business owner that looks at the Hillary case has to ask: "Do I really want to do banking at a bank that doesn't protect my money?"

Legislation may be coming, but InfoLaw Group's Navetta warns that the industry must approach this carefully. "We have to be careful in how it comes about, because often it is a knee-jerk reaction to an issue and will make matters even more complicated," he says.

Castagnoli predicts there will be legislation coming from Congress regarding strong authentication and account takeover. "It may come from Congress, or if it doesn't come from them, the new consumer protection agency may have it as one of its first actions," she notes. "I would hope that the industry is able to get some voice in it. You can legislate a solution to this one type of problem, but the world we live in with the immediate, always on, always available banking we offer, these threats are not going to go away."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.