Published by Alyssa Martins
Online and Mobile Banking Fraud Issues and Hot Topics
Treasury Management Association of Chicago 2012 Windy City Summit (Chicago, Illinois)
Erin F. Fonté, Shareholder, Cox Smith Matthews Incorporated
June 7, 2012
© 2012, Cox Smith Matthews Incorporated
Disclaimers
The opinions expressed in this presentation are solely those of the presenter and do not necessarily reflect the opinions of Cox Smith Matthews Incorporated. This presentation is an educational tool that is general in nature and for purposes of illustration only. The materials in this presentation are not exhaustive, do not constitute legal advice and should not be considered a substitute for consulting with legal counsel. Cox Smith Matthews Incorporated does not have an obligation to update the information contained in this presentation.
Trends in Payments Fraud
[Chart: Payment Channel Percentage of Importance (Source: AITE Group)]
Trends in Payments Fraud (cont'd)
FFIEC Supplement – "Threat Landscape & Compensating Controls"
- Fraudsters are using increasingly sophisticated and malicious techniques
- Many schemes target small to medium-sized businesses
- Key logging/keystroke malware
- Man-in-the-middle/man-in-the-browser attacks
- Controls: anti-malware software; transaction monitoring/anomaly detection; out-of-band verification; use of a restricted funds transfer recipient list; establishing limits based on the customer's business; requiring business customers to use dual control routines
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
FFIEC Authentication Supplemental Guidance
- Supplement to "Authentication in an Internet Banking Environment" (issued in 2005; supplement issued 6/28/11)
- Effective January 1, 2012
- The FFIEC Authentication Supplement includes changes/additional guidance for:
  (1) risk assessments
  (2) authentication for high-risk transactions
  (3) layered security programs
  (4) effectiveness of certain authentication techniques
  (5) customer education and awareness (esp. commercial customers)
Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont'd)
(1) Risk Assessments
Should consider, but not be limited to, the following:
- Changes in the internal and external threat environment (including Appendix information)
- Changes in the customer base adopting electronic banking
- Changes in the customer functionality offered through electronic banking (e.g. consumer RDC via mobile device)
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or the industry
Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont'd)
(1) Risk Assessments (cont'd) – Bank A's response:
- Bank A has effectively implemented a layered approach, including active monitoring solutions and stringent authentication requirements, both in and out-of-bank in nature
- All new customers that send wires or originate ACH transactions must go through a one-on-one Webex training class where fraud prevention is stressed along with following established internal procedures and controls
- We are also deploying a fraud awareness and prevention program for our commercial customers to ensure they have the knowledge and tools needed to protect their assets
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(2) Customer Authentication for High-Risk Transactions
- The 2005 FFIEC Guidance definition of "high-risk transactions" remains unchanged ("electronic transactions involving access to customer information or the movement of funds to other parties")
- Retail/Consumer Banking: generally involves accessing account info, bill payment, intrabank funds transfers or wire transfers; small dollar and therefore a comparatively lower level of risk, but still needs layered security
- Business/Commercial Banking: generally involves ACH and wire; frequency and dollar amounts are larger, so comparatively more risk than consumer; "Layered security... utilizing controls consistent with the increased level of risk for covered business transactions"
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(2) Customer Authentication for High-Risk Transactions (cont'd) – Bank A's response:
- Bank A requires dual authorization of all wires submitted through our Commercial Online Banking application
- Bank A requires dual authorization and file authentication for all ACH files
- Bank A has only allowed a limited number of customers outside the U.S. to utilize RDC, and we monitor those transactions on a daily basis
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Layered Security Programs
- Layered is NOT the same as multi-factor
- Layered security uses different controls at different points in a transaction process, so that a weakness in one control can be compensated for by the strength of another control
- Examples:
  - Fraud detection and monitoring systems that include customer history and behavior (i.e. heuristics) and enable a timely and effective FI response
  - Dual customer authorization through different access devices
  - Out-of-band verification for transactions (authentication via 2 systems at the same time – login, password, token + phone call verification)
  - Use of "positive pay," debit blocks, and other techniques to limit transactional use of the account
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Examples of Layered Security (cont'd):
- Enhanced account controls (transaction value thresholds, payment recipients, number of transactions per day, days and times for payment (payment windows))
- Internet Protocol (IP) reputation-based tools to block connections to banking servers from IP addresses known or suspected to be associated with fraudulent activities
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
- Enhanced customer education to increase awareness of fraud risk and effective techniques customers can use to mitigate risk
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Examples of Layered Security (cont'd):
Minimum Layered Security Components:
- Anomaly detection and FI response for initial login and authentication for electronic banking
- Anomaly detection and FI response for initiation of electronic transactions involving transfers of funds to other parties
- Control of administrative functions: more controls than for routine business use
Bank A's response:
- Bank A has implemented or plans on implementing the various examples of layered security described above
- We strongly encourage our customers to utilize Positive Pay and Payee Review
- Ongoing customer education through messages on our Online Banking application, notification of recent fraud schemes, webinars, etc.
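The enhanced account controls, dual authorization and customer-history checks listed on the preceding layered-security slides, worked through as an added Python example (not the presenter's or any bank's code); the account limits, payee list and the day's transfer sequence are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Added example (not from the presentation or any bank's system): each transfer
# is run through several independent controls, so one weak control is backed by others.
@dataclass
class AccountControls:
    max_amount: float            # transaction value threshold
    max_per_day: int             # number of transactions per day
    approved_payees: frozenset   # restricted funds-transfer recipient list
    dual_auth_over: float        # a second, distinct approver is required above this
    window_start: int = 8        # payment window: hour of day, inclusive
    window_end: int = 18         # payment window: hour of day, exclusive
    business_days_only: bool = True

@dataclass
class Transfer:
    ts: datetime
    amount: float
    payee: str
    initiator: str
    approver: Optional[str] = None

def evaluate(t: Transfer, ctl: AccountControls, history: List[Transfer]) -> List[str]:
    """Run every control on one transfer; an empty list means release."""
    findings = []
    if t.amount > ctl.max_amount:
        findings.append("over value threshold")
    if t.payee not in ctl.approved_payees:
        findings.append("payee not on approved list")
    if not ctl.window_start <= t.ts.hour < ctl.window_end:
        findings.append("outside payment window")
    if ctl.business_days_only and t.ts.weekday() >= 5:
        findings.append("non-business day")
    same_day = [h for h in history if h.ts.date() == t.ts.date()]
    if len(same_day) + 1 > ctl.max_per_day:
        findings.append("daily transaction count exceeded")
    if t.amount > ctl.dual_auth_over and t.approver in (None, t.initiator):
        findings.append("dual authorization missing")
    # Customer history and behaviour: a customer with little wire activity in
    # the prior 90 days suddenly sending several wires in one day is anomalous.
    cutoff = (t.ts - timedelta(days=90)).date()
    prior = [h for h in history if cutoff <= h.ts.date() < t.ts.date()]
    if len(prior) <= 2 and len(same_day) + 1 >= 3:
        findings.append("burst of wires from low-activity customer")
    return findings

def run_constructed_day() -> List[List[str]]:
    """Constructed scenario: a low-activity commercial customer whose online
    banking credentials are misused; returns the findings for each transfer."""
    ctl = AccountControls(max_amount=25_000, max_per_day=3,
                          approved_payees=frozenset({"ACME Supply Co"}),
                          dual_auth_over=10_000)
    day = datetime(2012, 6, 7)  # a Thursday
    history = [  # the customer's only two wires in the last 90 days
        Transfer(datetime(2012, 3, 15, 10), 4_000, "ACME Supply Co", "alice", "bob"),
        Transfer(datetime(2012, 5, 2, 11), 4_000, "ACME Supply Co", "alice", "bob"),
    ]
    attempts = [
        Transfer(day.replace(hour=9, minute=30), 4_500, "ACME Supply Co", "alice", "bob"),
        Transfer(day.replace(hour=12, minute=4), 9_800, "Unknown Beneficiary LLC", "alice"),
        Transfer(day.replace(hour=12, minute=10), 30_000, "Unknown Beneficiary LLC", "alice", "alice"),
        Transfer(day.replace(hour=19, minute=30), 8_000, "ACME Supply Co", "alice", "bob"),
    ]
    results = []
    for t in attempts:
        results.append(evaluate(t, ctl, history))
        history.append(t)  # every attempt, released or held, shapes the day's pattern
    return results

if __name__ == "__main__":
    for r in run_constructed_day():
        print(r or ["release"])
```

The first transfer is released; the later ones are held on more than one control each, which is the point of layering: the missing second approver, the unknown payee and the burst against a thin history are caught independently.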
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(4) Effectiveness of Certain Authentication Techniques
Device Identification
- Simple cookies no longer "cut it"
- Geo-location and IP address matching – fraudsters can now beat those, too
- One-time cookies and "digital fingerprint" methods are better
- All Agencies consider complex device identification to be more secure and preferable to simple device identification
- "Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique"
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(4) Effectiveness of Certain Authentication Techniques (cont'd)
Challenge Questions
- Keystroke logging malware and personal information voluntarily posted on social media have made basic challenge questions (mother's maiden name, high school mascot) ineffective
- Must use "out of wallet" questions to be effective (sophisticated questions the customer knows "in their head", often deploying red herring questions to trick fraudsters)
Bank A's response:
- Dual authorization seems to be working quite well. We have only experienced a couple of losses from wire or ACH fraud, and those were caused by customers not following prescribed internal procedures and controls
- Requiring out-of-band authentication for originated ACH files has been highly effective and has prevented multiple fraud attempts
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(5) Customer Education and Awareness (esp. commercial customers)
"A financial institution's customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:"
- Explanations of the protections provided and not provided, and the extent to which Reg E covers their accounts
- Explanations of when, if ever, the bank will contact the customer on an unsolicited basis and/or ask for electronic banking credentials
- Suggestion that online banking customers perform a related risk assessment and controls evaluation periodically
- A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk (or resources where such information can be found)
- Listing of FI contacts for customers to use to alert the FI to suspicious account activity or security-related questions
Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(5) Customer Education and Awareness (esp. commercial customers) (cont'd) – Bank A's response:
- Bank A performs onsite customer audits of all Remote Deposit Capture customers that we deem to be high risk to ensure proper internal procedures and controls are being followed
- Bank A asks all Remote Deposit Capture customers to complete an annual Risk survey that focuses on fraud prevention and internal controls
- Bank A clearly states on the front page of its Treasury Management PT&C that it will never ask for passwords, User IDs, or token authentications by e-mail, internet links, mail, over the telephone or in person
- Bank A has a revolving list of alerts in our Online Banking application about fraud detection and prevention
Case Law Issues and Preventative Measures
Commercially Reasonable Security (Patco issues)
- Unknown third parties initiated a series of withdrawals from Patco's account with Ocean Bank over several days totaling $588,851; Ocean Bank blocked $243,406; Patco wanted the bank to pay the remainder
- Court focused on whether the security procedures employed by Ocean Bank were "commercially reasonable" (under the UCC and state UCC)
- 70-page opinion looking at: perspectives of competing experts; industry practices; and alternative security measures
- Court concluded that the bank's procedures may not have been perfect or the best, but they were "commercially reasonable" (appeal?)
- Patco challenged the use of challenge questions themselves – the unique threat of key logging renders challenge questions ineffective
Case Law Issues and Preventative Measures (cont'd)
Commercially Reasonable Security (Patco issues cont'd)
- Brian Krebs ("Krebs on Security") said: "Passwords + Secret Questions = 'Reasonable' eBanking Security"
- Multi-factor: (1) what you know (login, password); (2) what you have (token); (3) who you are (biometric)
- BUT, word to the wise – do not fall behind on making sure that multi-factor authentication is also part of layered security
- Open question whether failure to comply with the updated FFIEC guidance would be a strike against a bank's security being "commercially reasonable"
- Open question as to how far below the FFIEC guidance bar you have to fall before your security measures become "unreasonable"
- Guidance is meant to set a "baseline" for best practices, and in reality "guidance" documents are still used by plaintiffs and litigants when arguing what the standard of care should be; it carries weight in that it can aid plaintiffs in moving their case pretty far along
- And always keep up with what your competition is offering
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues
- Whether the EMI employee who was phished was authorized to initiate wire transfers = risks to and claims against the bank for complete customer administrative controls
- The bank's escalation procedures killed telephone wires and killed future sessions of online banking – BUT did not kill the current session in which the fraudsters were in the system
- Resulted in the fraudsters being able to conduct additional fraudulent transfers from 12:04 p.m. until 2:05 p.m. (2 hours, 1 minute) – 15 additional fraudulent wire transfer orders were initiated in that time
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues (cont'd)
"Good Faith" standard under the UCC
- Court in Experi-Metal v. Comerica Bank concluded that Comerica did not act in good faith (i.e. did not observe "reasonable commercial standards of fair dealing")
- "A bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped" the fraudulent activity earlier
- No longer "good heart and empty head" but rather "honesty in fact and the observance of reasonable commercial standards of fair dealing." (U.C.C. §§ 1-201, 3-103, emphasis added)
- "Honesty in fact" = SUBJECTIVE prong (pure heart and empty head) – no evidence that Comerica employees
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues (cont'd)
- "Observance of reasonable commercial standards of fair dealing" = OBJECTIVE prong (Michigan court citing In re Jersey Tractor Trailer Training, 580 F.3d at 156)
- The Official Comments to the U.C.C. make clear that this objective standard should not be equated with a negligence test: "Although fair dealing is a broad term that must be defined in context, it is clear that it is concerned with the fairness of conduct rather than the care with which an act is performed. Failure to exercise ordinary care in conducting a transaction is an entirely different concept than failure to deal fairly in conducting the transaction." (citing U.C.C. § cmt. 20)
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues (cont'd)
- "There is a paucity of cases and authority discussing this recently added prong of the 'good faith' requirement."
- The Maine Supreme Court is the only court that has proposed an approach to address whether the objective prong has been met: (1) whether the conduct of the holder comported with industry or "commercial" standards applicable to the transaction and, (2) whether those standards were reasonable standards intended to result in fair dealing (citing Maine Family Fed. Credit Union, 727 A.2d at 343)
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues (cont'd)
- EMI's and Comerica's expert witnesses' comments on "good faith" were basically rejected by the court
- Comerica offered NO EVIDENCE that it did act in "good faith" – unlike "commercially reasonable security", the good faith standard places the burden on the BANK
- NO EVIDENCE on the OBJECTIVE prong of the UCC good faith test = BANK LOSES
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues (cont'd)
"[T]he parties cannot vary by agreement what satisfies the 'good faith' standard... If 'reasonable commercial standards of fair dealing' obligated Comerica to respond to the fraudulent wire transfer activity in a particular way and Comerica failed to observe those standards, it cannot demonstrate that it acted in good faith simply by showing that it was relieved of the obligations to adhere to any of those standards in its agreement(s) with Experi-Metal... [T]o prevail, Comerica had to present evidence conveying the reasonable commercial standards of fair dealing applicable to a bank's response to an incident like the one at issue here and to show, by a preponderance of the evidence, that its employees observed those standards..."
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues (cont'd)
"There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident":
(1) "The volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders" = FFIEC Layered Security
(2) "The $5 million overdraft created by those book transfers in what is regularly a zero balance account" = FFIEC High Risk Transaction
(3) "Experi-Metal's limited prior wire activity" = FFIEC Layered Security (Customer History and Behavior)
Case Law Issues and Preventative Measures (cont'd)
Experi-Metal v. Comerica Issues (cont'd)
(4) "The destinations and beneficiaries of the funds" = FFIEC High Risk Transactions
(5) "Comerica's knowledge of prior and the current phishing attempts" = FFIEC Risk Assessments
"This trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise."
QUESTIONS?
Erin F. Fonté, CIPP
Shareholder, Banking and Financial Institutions / Privacy and Data Security
Cox Smith Matthews Incorporated
111 Congress Avenue, Suite 2800, Austin, Texas
Direct:
Link me in: Erin Fonte
11%20(FFIEC%20Formated).pdf FFIEC Agency Supplement to Authentication in an Internet Banking Environment.
FFIEC Customer Authentication Guidance: Authentication in an Internet Banking Environment.