Reg E Reform Discussed in D.C.
Vendor, ABA 'Agree to Disagree' on Possible Legislation Security vendor Jim Woodhill took his Reg E reform crusade to Washington, D.C. this week, meeting with the American Bankers Association (ABA) and other interested parties.While rejecting Woodhill's call for legislative action to further protect businesses from ACH fraud losses, the ABA's Doug Johnson does describe the dialogue as productive.
"Clearly the one threat that is at the front of everyone's mind is the corporate and municipal account takeovers," Johnson says, referring to incidents such as those suffered by Hillary Machinery and the Town of Poughkeepsie, NY. He told Woodhill that the ABA is in active conversations with banking core service providers, and is in the process of finding out the dynamics of the identity management offerings that they are providing for their customers. "Changes may come in view of these current threats," he says. "But the core service providers get it; they know we need to work in concert to address those threats. I see improvements in their security measures, as threats are always changing."
Woodhill, CEO of security vendor Authentify, also met with the legislative counsel from U.S. Senator Charles Schumer's office to discuss possible Congressional hearings on his notion to amend Regulation E to include business accounts under the same stipulated fraud loss amounts as consumer accounts -- or to write a new law to limit the amount of fraud losses a business could bear from fraudulent ACH or wire transfers.
"I now see that there are no true villains in this saga, outside of the criminal gangs in Eastern Europe," says Woodhill, following his ABA meeting. Still, he says, there are executives in the financial services industry and its suppliers "who have a duty to their customers and the nation to act, and act quickly."
'Agree to Disagree'
Describing their two-hour meeting, the ABA's Johnson says the two sides made progress in opening dialogue on how best to solve the ACH fraud threat. "[Woodhill] correctly stated that community banks are somewhat beholden to the authentication and security protections provided to them by their core service providers," Johnson says.
But when it comes to suggesting a legislative route to ease businesses' pains, Johnson says he and Woodhill "agree to disagree." The ABA maintains that if Reg E is changed to afford fraud loss coverage for retail business accounts, then many banks won't be able to afford to carry retail accounts, or will limit their transactions and exclude certain services such as ACH transactions.
Johnson also says that Woodhill is "stirring the pot" about community banks having weak authentication compared to larger banks, and this message could become a "self-fulfilling prophecy," with smaller businesses moving away from community banks out of fear.
Woodhill says he fears small financial services institutions that do have good fraud controls "will lose customers because of the actions of those who don't." Without legislative remedy, he says, the word will be "that you are risking your small- and medium-sized enterprise's financial life by banking online with 'small banks,' and customers won't take the time to investigate whether their money is safe at their small bank."
Following his meetings, Woodhill is no less determined to pursue his legislative agenda. He is against this issue being tried on a "case-by-case basis by the executives at hundreds of banks that happened to host the commercial bank accounts of thousands of randomly-unlucky school districts, public libraries, small businesses, and charities."
In his view, commercial-bank-account "cyber-looting" is the quintessential issue that should be "legislated rather than litigated."
Security Expert: Tighter Controls Needed
The real problem with defending against ACH fraud is that many banking institutions don't have the proper protections and controls around high risk transactions, says Avivah Litan, a noted Gartner analyst and fraud expert.
"Most of these problems will simply go away if the banks institute fraud protection and controls around money transfers and other high risk banking transactions," Litan says.
The type of fraud detection and transaction verification that would stop ACH transaction fraud needs to be layered on top of user authentication that is stronger than a simple password, Litan says. Some of the stronger user authentication methods could include (but are not limited to):
- Text messages/one time passwords (OTP);
- challenge/response with pre-registered questions;
- OTP or public key infrastructure (PKI) from dedicated tokens.
Litan says banks should keep in mind that a layered approach is what is important, "Since the crooks know how to break through authentication methods that communicate through a PC browser."
The problem is that many institutions won't prioritize these controls "unless they are forced to by legislators or regulators," Litan says. "That is very short sighted of them."