Texas Targets ACH FraudNew Task Force Issues Security Standards for Banks
Banking regulators in Texas are determined to curb ACH and wire fraud.
And with the help of the Secret Service, the Texas Bankers Association, the Independent Bankers Association of Texas, and SWACHA, Texas' clearinghouse association, the Texas Department of Banking is making online security a priority for 2012. Members of these groups have formed a new Texas Bankers Electronic Crimes Task Force, which has just issued new recommendations to help institutions improve online security and risk management programs - specifically to defend against ACH and wire fraud.
"We saw what a problem this was and knew we needed to address it," says Phillip Hinkle, chief IT security examiner with the Texas Department of Banking.
Despite all the attention paid to ACH and wire fraud - including 2011's issuance of the FFIEC Authentication Guidance - community banks and credit unions still have a long way to go when it comes to staving off online attacks and subsequent fraud.
"It's hard for a lot of these community banks to keep up with everything that's going on," Hinkle says. "I see it in Texas, and I don't think the banks in Texas are that different from banks in other parts of the country."
ACH fraud certainly is not limited to Texas. But Texas was one of the first states to shine a spotlight on the trend.
In November 2009, Dallas-based PlainsCapital Bank [$4.4 billion in assets] sued former business customer Hillary Machinery after cyberthieves successfully pushed a series of fraudulent ACH and wire transfers from Hillary's bank account at PlainsCapital. In total, more than $801,000 in bad transactions was approved by the bank.
PlainsCapital and Hillary eventually settled their legal dispute over who was responsible for the fraud losses, but their case proved to be the first in a long line of takeover incidents that garnered national attention.
Other cases of note include the heavily publicized legal wrangles between Maine-based PATCO Construction Inc. and Michigan-based Experi-Metal Inc. with their respective former banks.
PATCO, whose legal dispute with Peoples United Bank [formerly Ocean Bank] continues, was hit with more than $540,000 in bad transactions when cyberthieves hijacked its account. EMI, which won its lawsuit against Comerica Bank, saw more than $560,000 drained from its account after fraudulent transactions exceeding $1.9 million were approved by the bank.
Those incidents, and others, were catalysts for the issuance in June 2011 of the updated FFIEC Authentication Guidance.
Texas Fights Back
In Texas, regulators and law enforcement agents felt institutions needed more specific guidelines, and so in January of this year the Texas Department of Banking, in collaboration with the U.S. Secret Service, established the Texas Bankers Electronic Crimes Task Force.
Building on information provided by Texas banks and investigations conducted by the North Texas District Office of the Secret Service, the Texas Department of Banking and Secret Service developed a set of processes and controls for strong risk management programs. The newly created task force then contacted IT Security and Audit firms in Texas to develop an additional list of online security recommendations.
The purpose: To issue and enforce best security practices and guidelines that mitigate financial risks associated with electronic crimes, such as corporate account takeover.
"In Texas, electronic thefts through banks have ranged from a few thousand to several million dollars," the task force states in its guidance. "These thefts have occurred in banks of all sizes and locations and may not be covered by the bank's insurance. Along with the financial impact, there is also a very high level of reputation risk."
Where the FFIEC guidance offers more general security guidelines and recommendations, the Texas task force list gets more specific. "It's really more about community banks helping other community banks, through the sharing of information. That is what we're encouraging," Hinkle says.
Information sharing is a big part of what the task force is pushing. Giving bankers a view of the "big picture" and offering some suggested control points is the best place to start. "For community banks, it's like trying to drink from a fire hose. Few even know where to start," Hinkle says. "Collaboration is a great deterrent to crime."
The crux of a successful risk management program: education and communication. Among the best practices the task force recommends around protection, detection and response:
- Expand risk assessments to specifically include account takeover;
- Rate each customer or type of customer that performs online transactions;
- Outline to the boards of directors account takeover issues and concerns;
- Communicate basic online security practices for corporate online banking customers;
- Implement and enhance customer security awareness for retail and high risk business accounts;
- Establish bank controls to mitigate risks of corporate account takeovers;
- Educate bank employees about warning signs of account theft and takeover;
- Educate accountholders about the warning signs of potentially compromised computer systems;
- Implement contingency plans to recover or suspend compromised systems;
- Contact law enforcement and regulatory agencies when initial recovery efforts have concluded.
The task force's real concern: small banks. It's not a criticism, Hinkle says, but community institutions struggle with the expense of online security.
"Conformance and better security does not have to mean big investments," Hinkle says. "There are manual things that banks can do, and we're working on getting this information out to them now."