Reg. E Bill Introduced in Senate

Proposed Change Covers Municipalities, Schools - Not Businesses
Reg. E Bill Introduced in Senate
In response to the ongoing threat of ACH/wire fraud, Sen. Charles Schumer, D-N.Y., has introduced a proposed amendment to Regulation E that would give municipalities and school districts the same level of protection as consumers.

S. 3898 would extend the Electronic Fund Transfer Act's Regulation E protections to local government bodies, including municipalities and school districts. The Board of Governors of the Federal Reserve System would define which entities fall into the categories of "municipality" and "school district."

Schumer's proposed legislation does not extend protection to commercial businesses, such as Experi-Metal Inc., which have been most victimized by this form of fraud, also known as corporate account takeover.

Industry associations reacted swiftly to the news of the proposed amendment, calling it a "knee-jerk" reaction to the ACH fraud that, in addition to pilfering businesses, has hit local governments and school districts such as the Poughkeepsie municipal government account and the Duanesburg, NY school district.

The crimes are perpetrated against the victims with malware known as "Zeus", a Trojan designed to steal banking credentials from a user's computer. The fraudsters then pose as the corporate account holder on the online banking portal of the victim's bank and make ACH or wire transfers to money mules based across the globe, often over a weekend period to avoid detection.

No Quick Action Expected

The current "lame duck" Congress may not favor passage of a bill sponsored by a Democrat, says David Navetta, a law partner at InfoLaw Group. "Banking lobbyists might have something to say about this as well, and of course they carry significant sway in Congress," Navetta says. "My gut says this amendment is not likely to happen quickly."

Expectations that this amendment will make it through the Senate to a vote aren't high, and there are several factors that will likely delay or even kill it, says Doug Johnson, vice president of risk management policy at the American Bankers Association. "It's always tough to forecast what's going to happen during a lame duck session of Congress, and there are other cyber issues in other bills already being considered" Johnson says. "It would be doubtful that much legislation gets done during this lame duck session."

Still, despite the timing, "The fact that Sen. Schumer, a very powerful person on the banking committee, introduced the bill says there is concern about this issue," says Bill Nelson, executive director of the Financial Services Information Sharing and Analysis Center (FS-ISAC). Nelson says it doesn't make sense to make municipal governments or school districts the same as consumer. This amendment shows a lack of understanding on how banking works, he adds.

Nelson and Johnson agree that if this amendment is passed, it may create more of a problem for the municipalities and school districts because many banks would either raise the price of services such as ACH and wire transfers, or balk at offering these services without very strict parameters for transaction verification.

Johnson says while he is totally sympathetic to the plight of the school districts and municipalities being hit with this fraud, there is a shared responsibility for both the bank and the corporate account holder.

Potential Game Changer?

If Congress passes this amendment, it certainly changes the game for municipalities and school districts. "It makes them liable for $50 maximum for fraudulent wire transfers. It might also change the game to some degree for banks who now fear being liable for such wire transfers," says Navetta. He sees the possibility that banks would mandate additional security measures, "some of which might be more inconvenient for municipalities and school districts."

If the amendment is passed, it will likely make banks look more closely at security -- theirs and their municipality and school district customers'. "However, I believe the rash of lawsuits filed for online banking security breaches is already likely having that effect," Navetta says.

On the opposite end of the spectrum, Troy Owen, co-owner of Hillary Machinery, a company hit by ACH fraud in 2009, says the amendment if passed won't be a real game changer. "Cities, municipalities and school districts operate on tax revenue anyway; it's the private sector that has nothing to fall back on when their accounts get plundered," says Owen, whose company was able to settle with its bank for the money not recovered after a lengthy lawsuit was dragged through the court system after the theft.

Owen doesn't see the amendment as far reaching enough to get the attention of bankers. "It's likely they will only put more stringent requirements on those types of accounts; much in the same way they have for consumer accounts," he says. Banks in general are not going to spend the money to install protections for accounts they are not mandated to protect, he says.

What About Business Accounts?

The question as to why Sen. Schumer limited the amendment to cover municipalities and school districts may be because those entities are ultimately made up of actual individuals/taxpayers. "It is probably an easier sell to limit the bill to those types of entities, as opposed to pure private enterprise," says Navetta. Expanding the amendment across the board would probably be viewed as shifting the current balance too much against the banking industry. Navetta says in most states there is already a mechanism for shifting risk of loss -- UCC 4A-202.

Hillary Machinery's Owen takes the opposite view and argues the amendment should be expanded to cover all businesses hit with this type of corporate account takeover. "Quite simply, it's the right thing to do," he says. "As I have stated numerous times before, it's a jobs issue and a national security issue." Millions of dollars are getting stolen from small businesses and sent to eastern Europe. "These losses are devastating to small businesses, many of which delay hiring, lay off employees, or close down their businesses altogether putting lots of people out of work," Owen says.

Despite his negative view of the amendment, Johnson says that the industry and businesses need to come up with a solution to address the ACH fraud/corporate account takeover issue. "It's about using all the tools in the toolbox," he says. "By using all the resources already available, internal controls, dual controls, along with technology, these fraud events can be stopped."

Technology is helpful, Johnson says, "But nothing like putting an additional human being between the approval of the transaction to cut fraud. This is the best way to defeat Zeus."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network