Reducing the Risk of Online Fraud for Financial Institutions
Corporate Account Takeover (CATO) fraud, or the theft and unlawful use of a business customer’s online banking credentials to steal funds, results in the loss of millions of dollars each year for financial institutions and their customers. As a result, state and federal authorities have implemented specific legal and regulatory requirements for financial institutions to protect and educate their business customers.
According to the Federal Deposit Insurance Corporation (FDIC), the majority of funds lost to fraud are lost through a breach of a customer’s computer followed by unauthorized automated clearing house (ACH) or wire transfer transactions from the customer’s online banking accounts.
Numerous customers experiencing CATO fraud have filed lawsuits against financial institutions. Here’s how federal courts have ruled in some recent cases.
Fraudsters typically obtain a customer’s credentials by sending a “phishing” email with an embedded link to a fake website, where the customer unknowingly downloads malware onto their computer. The malware records the customer’s login information for the online banking account, and that information is then used to transfer funds to domestic and international accounts.
Federal and state regulatory requirements
The amount of online fraud has become so significant that the Federal Financial Institutions Examination Council (FFIEC) piloted a cybersecurity examination program at 500 institutions this summer to raise awareness about IT risks. The FFIEC also provides guidance on the regulatory expectations for online banking services. Specifically, its 2005 Authentication in an Internet Banking Environment and its 2011 supplement require institutions to:
- Perform annual online banking risk assessments
- Implement layered security controls, including multi-factor authentication for higher-risk transactional online banking services
- Establish additional security requirements for online banking account administrators at the customer’s location
- Regularly communicate information security best practices and current and developing fraud risks to business customers
State banking authorities are also establishing CATO requirements for regulated entities. For example, the Iowa Division of Banking (IDOB) now requires all state-chartered banks to comply with CATO risk management standards to minimize the risk of online banking fraud. Other states are also following suit.
Uniform Commercial Code
Financial institutions must also adhere to the Uniform Commercial Code (UCC), which standardizes commercial transactions law for all 50 states. Article 4A of the UCC provides a framework for the security of online banking transfers. This framework describes when a payment order is considered authorized and verified, which turns on the “commercial reasonableness” of the security procedure. Commercial reasonableness is judged against:
- The size, type, and frequency of payment orders normally issued by the customer to the bank
- Alternative security procedures offered to the customer
- Security procedures in general use by customers and similarly situated receiving banks
Recent court decisions are moving toward a test to determine whether a security procedure is commercially reasonable by combining the analysis of Article 4 of the UCC and regulatory guidance mentioned above.
Based on current regulatory and legal guidance, financial institutions can reduce the risk of liability for funds transfer losses by:
- Performing a risk assessment of all online banking services to determine which are susceptible to CATO, or involve the external transfer of funds, and then identify adequate controls to mitigate potential losses. This risk assessment should be performed at least annually to account for new services and threats.
- Examining the entire range of security procedures that your online banking software provider offers to determine which will most effectively protect your business customers.
- Meeting with all current business customers to discuss the services offered and the corresponding recommended security procedures. Consider making some security procedures mandatory, such as dual control and out-of-band confirmations, which require the active involvement of multiple people to complete a funds transfer.
- Establishing firm exposure limits for business customers based on their credit and account history.
- Implementing an anomaly monitoring process that reviews high-risk funds transfers and compares them to the customer’s typical pattern of behavior. This will alert you to unusual and potentially fraudulent transfers.
- Offering periodic security awareness training for your business customers.
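The anomaly monitoring, exposure limit and dual-control recommendations above can be expressed as a simple transfer review rule. The script below is an added example, not code from the original article or from any banking software provider: it builds a behavioral profile from a constructed 90-day history for one hypothetical business customer (name, amounts, beneficiaries, countries, hours and the exposure limit are all invented), then scores a new payment order against that profile and holds it when it deviates or lacks a second approver.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Transfer:
    """One outbound funds transfer (ACH or wire) submitted through online banking."""
    customer: str
    amount: float
    beneficiary: str          # hypothetical beneficiary account identifier
    country: str              # country of the beneficiary bank
    submitted_at: datetime
    approvers: tuple = ()     # user ids that approved; dual control needs two distinct ids


# Hypothetical per-customer exposure limit (constructed for this example)
EXPOSURE_LIMITS = {"acme-llc": 25_000.0}

# Constructed history for the hypothetical customer: payroll and vendor
# payments, all domestic, all submitted during business hours.
HISTORY = [
    Transfer("acme-llc", 4200.0, "payroll-1", "US", datetime(2014, 6, 6, 10, 0)),
    Transfer("acme-llc", 3900.0, "vendor-7", "US", datetime(2014, 6, 13, 9, 30)),
    Transfer("acme-llc", 4500.0, "payroll-1", "US", datetime(2014, 6, 20, 10, 15)),
    Transfer("acme-llc", 1250.0, "vendor-7", "US", datetime(2014, 6, 27, 14, 0)),
    Transfer("acme-llc", 4100.0, "payroll-1", "US", datetime(2014, 7, 4, 11, 0)),
]


def build_profile(history):
    """Summarize the customer's typical pattern of behavior from past transfers."""
    amounts = [t.amount for t in history]
    return {
        "median_amount": median(amounts),
        "beneficiaries": {t.beneficiary for t in history},
        "countries": {t.country for t in history},
        "hours": {t.submitted_at.hour for t in history},
    }


def review_transfer(t, profile, limit, ratio=3.0):
    """Return ("release", []) for a routine transfer, or ("hold", reasons) when the
    transfer breaches the exposure limit, deviates from the profile, or a deviating
    transfer lacks dual-control approval (two distinct approvers)."""
    reasons = []
    if t.amount > limit:
        reasons.append(f"amount {t.amount:.2f} exceeds exposure limit {limit:.2f}")
    if t.amount > ratio * profile["median_amount"]:
        reasons.append(f"amount is more than {ratio:g}x the customer's median transfer")
    if t.beneficiary not in profile["beneficiaries"]:
        reasons.append(f"first payment to beneficiary {t.beneficiary}")
    if t.country not in profile["countries"]:
        reasons.append(f"first transfer to country {t.country}")
    if t.submitted_at.hour not in profile["hours"]:
        reasons.append("submitted outside the customer's usual hours")
    # Any deviation makes the transfer high-risk; high-risk transfers require dual control.
    if reasons and len(set(t.approvers)) < 2:
        reasons.append("high-risk transfer lacks dual-control approval; confirm out of band")
    return ("hold" if reasons else "release", reasons)


def review(t):
    """Convenience wrapper: review one transfer against its customer's history and limit."""
    history = [h for h in HISTORY if h.customer == t.customer]
    return review_transfer(t, build_profile(history), EXPOSURE_LIMITS[t.customer])


if __name__ == "__main__":
    routine = Transfer("acme-llc", 4300.0, "payroll-1", "US",
                       datetime(2014, 7, 11, 10, 0), approvers=("alice",))
    suspicious = Transfer("acme-llc", 18_000.0, "new-acct", "UA",
                          datetime(2014, 7, 12, 3, 0), approvers=("alice",))
    for t in (routine, suspicious):
        decision, why = review(t)
        print(decision, t.amount, t.beneficiary, why)
```

Holding a transfer rather than blocking it leaves the release decision with a second employee and an out-of-band confirmation, which is what turns a detection into a commercially reasonable control; the thresholds (a 3x median ratio, the hour set) are starting points that should be tuned per customer from the annual risk assessment.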
Although you can never completely eliminate risk, understanding the regulatory requirements for online banking services and how to comply with them will help you in the event of a breach. An advisor can also help review and develop your overall information security program, including penetration testing, to identify other vulnerabilities to your operations.