ACH Fraud: Is Legislation Needed?

FDIC Symposium a 'Good Start,' But Attendees Want More Talk, Action
The Federal Deposit Insurance Corp. (FDIC) gets credit for finally touching the hot-stove debate over ACH fraud that's boiling between banks and businesses. But more attention is needed, say attendees of the agency's one-day symposium on cyber threats.

"No one wants to talk about what's really going on," says Amanda Gross, vice president of government affairs for Chicago-based Authentify Inc., which provides multifactor authentication for Internet-based transactions.

"Small businesses, the companies that the economy is leaning on to pull us out of the economic recession, are bearing the brunt (of losses related to fraud), and it's not fair," says Gross, who attended the FDIC's May 11 event in Arlington, VA. "What I'd like to see is an open dialogue between the banks and the small business owners. We need to encourage the legislators to put pressure on banks to support and protect our smaller businesses."

Authentify CEO Jim Woodhill is currently lobbying legislators to enact legislative reform to protect businesses from fraud losses.

George Tubin of Needham, MA-based TowerGroup and Tiffany Riley of Los Altos, CA-based Guardian Analytics agree that deeper discussions between bankers and retailers are needed, and this event only scratched the surface.

Tubin says the imbalance between big business and small business is obvious.

"The support from banks, when a breach occurs, is not uniform across the board," he says. "Most agree it will take legislative action to make a change."

Riley says the event was a good "first step," but much deeper discussions should be part of the future plan.

"I think today was a great first step ... just getting the fundamentals out there, and this can lead to the birth of some deeper-dive, online discussions in a variety of different areas that will hopefully bring together businesses, banks, lawmakers, regulators and the technology sector to look at the varying ways we can solve the problem going forward," Riley says.

Necessary Next Steps

At the FDIC event, presenters spent a lot of time saying the industry has a cyber fraud problem, but questions about the scope of the problem -- who's to blame for cyber-fraud breaches, and who's ultimately liable for cyber hacks -- were not answered. Figuring out how banks and smaller businesses can share losses related to ACH hacks is the crux, the majority of the symposium's 180 to 200 attendees agreed. But that issue was not broached, nor was the role that transaction processors, Internet service providers, network operating systems, etc., play in the chain.

Howard Schmidt, the new U.S. national cyber security coordinator, delivered the morning keynote, saying the government is taking cybersecurity seriously.

Going forward, Schmidt says, the National Security Council's Comprehensive National Cybersecurity Initiative will focus on partnerships between public and private entities, protecting national networks by:

  • Providing government intelligence;
  • Strengthening online transaction security;
  • Pushing international governments for stronger cross-border cooperation and international laws;
  • Ensuring that law enforcement is involved and informed about cyber crimes.

Joseph Menn, author and keynote speaker, went so far as to say Internet connectivity itself, TCP/IP, needs to be replaced. It was an interesting suggestion, and one that might not be too far off, says Sam Vallandingham of Huntington, WV-based The First State Bank. After all, the cybersecurity issue is likely much deeper than this symposium suggested.

"We need to mitigate the potential risk in the marketplace," says Vallandingham, who appeared on a panel dedicated to the current landscape and emerging threats. "We're both (banks and businesses) put into an environment we can't control, one in which we don't have the ability to oversee the products which we use. Case in point: the browsers or the computers or the operating systems. And ultimately we're going to have to work together to resolve these problems."

How does one define risk?

"When it comes to financial losses, you have to determine liability and I think that both sides have to understand what their role in protecting that information is," Vallandingham says. "And in many cases, I think the consumer market doesn't understand their role in protecting the financial data that is their responsibility."

For more: See the exclusive interview with Dennis Simmons, President of SWACHA and one of the symposium speakers.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
