The ABC's of ACH Fraud
ACH fraud. We've been talking about it for nearly a year now.
It was last August, you may recall, when the FDIC issued a warning about the risks of online fraud to mid-sized businesses and banking institutions. For six months, the agency said, it had been tracking reports of businesses being robbed through unauthorized transfers after their online banking credentials were either stolen or compromised.
And yet since that warning, we've seen some of our biggest ACH incidents, including:
- PlainsCapital Bank v. Hillary Machinery -- the case of "bank sues customer" after Hillary lost $800,000 to an ACH scam, and the bank asked the court to declare what is considered "reasonable security."
- Town of Poughkeepsie, NY -- losing nearly $400,000 to an ACH scheme.
- Experi-Metal vs. Comerica Bank -- over a $550,000 theft.
There have been other stories, of course, and certainly lots of outrage from small, local businesses that suddenly saw huge chunks of money drained into overseas accounts.
But for all this action, there's been very little talk. Aside from the FDIC's announcement last summer, the federal regulatory agencies have been quiet on the matter. In March, several federal and state agencies got together and issued an advisory, offering tips to banking institutions and businesses. Still, for a crime spree that has siphoned so much money from so many entities, the dialogue has been surprisingly quiet.
When I spoke about this issue last summer with Doug Johnson of the American Bankers Association, he told me "It is all about education." Yet how many banking institutions have you seen step forward and say "This is what we're doing to educate customers about the risks ..."?
Well, here's hoping the silence is about to be broken.
On Tues., May 11, the FDIC is hosting a one-day symposium on what it describes as "combating the threats posed by cyber criminals targeting small and midsize businesses."
According to the FDIC, the day's agenda includes presentations from cybersecurity experts from the federal government, law enforcement and banking, among other sectors. Featured speakers include White House Cybersecurity Coordinator Howard L. Schmidt and National Cyber Security Alliance Director Michael Kaiser.
The event, to be held at the FDIC's Virginia Square facility in Arlington, Va., is open to the public, but seating is limited. Pre-registration is a must.
What will come of this day-long dialogue? Well, the goals are to raise awareness, share best practices and identify technologies that may prevent these incidents. It'd be foolish to think that ACH fraud will go away after a single symposium. But it'd be even crazier to think it'll disappear without this open discussion.
My take is: The symposium is a start - it's at least acknowledging a problem that a lot of people would just like to ignore. But we've got to quickly move beyond the talk to tactics. Don't just say "It is all about education" - tell us what you're actually doing to educate customers. Show us what you've implemented to detect and prevent these fraudulent transfers. Forget the courts; what have you decided is reasonable security?
We'll cover the symposium next week and get back to you with insights from the event. Meanwhile, I'd love to hear your thoughts on what's necessary to stop this scourge.