Banks are doing a better job of staving off losses linked to incidents of corporate account takeover despite increases in online-banking attacks, a new survey shows.
See Also: IoT is Happening Now: Are You Prepared?
It's a good sign, and probably one that reflects investments banks and credit unions have made to improve fraud detection and prevention.
Losses suffered by corporate customers totaled $490,000 for the first half of 2011, compared with $1.16 million for all of 2010.
This week, the American Bankers Association and the Financial Services Information Sharing and Analysis Center shared the results of an ACH-fraud trends survey of 95 banks and five service providers.
The survey asked participants to compare their ACH fraud experiences in 2009, 2010 and for the first half of 2011. It shows these institutions saw 314 online bank account attacks during the first half of 2011, up from 239 attacks for the entire calendar year of 2010, the so-called Year of ACH Fraud. By comparison, they reported suffering from just 87 attacks in 2009.
But despite the surge in attacks the first half of 2011, financial losses related to ACH fraud totaled just $777,000 for the period, down significantly from the $3.12 million in losses banks reported for the full year in 2010. And losses suffered by corporate customers totaled $490,000 for the first half of 2011, compared with $1.16 million for all of 2010.
Tech Investments to Curb Fraud
When asked what solutions they thought had been the most effective at reducing ACH and wire fraud, the top four answers were customer education, at 92 percent; a new or different multifactor authentication solution, at 67 percent; shutting down a customer's online access to commercial systems once anomalous activity is detected, at 58 percent; and modifications to existing multifactor authentication solutions, at 50 percent.
To me, that shows institutions are taking fraud detection and prevention seriously.
Impact of FFIEC Guidance?
Though the FFIEC's updated Authentication Guidance was not yet out when the FS-ISAC and ABA conducted their survey, the results suggest banks were already moving in the direction of stronger layered security measures, which the guidance calls for, to curb ACH fraud.
The guidance highlights the need for banking institutions to:
- Focus more attention on regular and ongoing risk assessments;
- Implement stronger user authentication practices and enhanced device identification technologies; and
- Launch improved customer/member and employee education and awareness campaigns.
The information FS-ISAC and ABA collected about improved fraud detection and prevention technologies are in line with results we collected in the spring about fraud and FFIEC conformance trends.
According to our annual Faces of Fraud Survey, when asked what types of fraud they felt best prepared to detect and prevent, 60 percent of the institutions listed ACH and wire fraud.
But most institutions also questioned whether conformance with the guidance was really going to have an impact on fraud reduction. Only 11 percent of the more than 200 institutions we surveyed said they had achieved conformance since the guidance was issued, and almost 30 percent said they still didn't completely understand the guidance. Not a good sign.
And nearly 90 percent said they did not believe the security measures called for in the guidance would have a significant impact on reducing online fraud.
Are the FS-ISAC and ABA survey results a positive sign? Will conformance with the FFIEC Guidance ultimately have a long-term, positive impact on fraud? I think so, but banking and security leaders must remember that compliance alone does not ensure security.