1 Online and Mobile Banking Fraud Issues and Hot Topics
Treasury Management Association of Chicago 2012 Windy City Summit (Chicago, Illinois)
Erin F. Fonté, Shareholder, Cox Smith Matthews Incorporated
June 7, 2012
© 2012, Cox Smith Matthews Incorporated

2 Disclaimers
The opinions expressed in this presentation are solely those of the presenter and do not necessarily reflect the opinions of Cox Smith Matthews Incorporated. This presentation is an educational tool that is general in nature and for purposes of illustration only. The materials in this presentation are not exhaustive, do not constitute legal advice and should not be considered a substitute for consulting with legal counsel. Cox Smith Matthews Incorporated has no obligation to update the information contained in this presentation.

3 Trends in Payments Fraud
[Chart: Payment Channel vs. Percentage of Importance (Source: AITE Group)]

4 Trends in Payments Fraud (cont’d)
FFIEC Supplement – “Threat Landscape & Compensating Controls”
Fraudsters are using increasingly sophisticated and malicious techniques
Many schemes target small to medium-sized businesses
Key logging/keystroke malware
Man-in-the-middle/man-in-the-browser attacks
Controls: anti-malware software; transaction monitoring/anomaly detection; out-of-band verification; use of a restricted funds transfer recipient list; establishing limits based on the customer’s business; requiring business customers to utilize dual control routines

5 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
FFIEC Authentication Supplemental Guidance
Supplement to “Authentication in an Internet Banking Environment” (issued in 2005; supplement issued 6/28/11)
Effective January 1, 2012
The FFIEC Authentication Supplement includes changes/additional guidance for:
(1) risk assessments
(2) authentication for high-risk transactions
(3) layered security programs
(4) effectiveness of certain authentication techniques
(5) customer education and awareness (esp. commercial customers)

6 Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont’d)
(1) Risk Assessments
Should consider, but not be limited to, the following:
Changes in the internal and external threat environment (including Appendix information)
Changes in the customer base adopting electronic banking
Changes in the customer functionality offered through electronic banking (e.g. consumer RDC via mobile device)
Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

7 Supplemental Guidance on Internet Banking Authentication (FFIEC) (cont’d)
(1) Risk Assessments (cont’d)
Bank A has effectively implemented a layered approach, including active monitoring solutions and stringent authentication requirements, both in-band and out-of-band in nature
All new customers that send wires or originate ACH transactions must go through a one-on-one Webex training class where fraud prevention is stressed along with following established internal procedures and controls
We are also deploying a fraud awareness and prevention program for our commercial customers to ensure they have the knowledge and tools needed to protect their assets

8 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(2) Customer Authentication for High-Risk Transactions
The 2005 FFIEC Guidance definition of “high-risk transactions” remains unchanged (“electronic transactions involving access to customer information or the movement of funds to other parties”)
Retail/Consumer Banking: generally involve accessing account info, bill payment, intrabank funds transfers or wire transfers; small dollar amounts and therefore a comparatively lower level of risk, but still need layered security
Business/Commercial Banking: generally involve ACH and wire; frequency and dollar amounts are larger, so comparatively more risk than consumer
“Layered security... utilizing controls consistent with the increased level of risk for covered business transactions”

9 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(2) Customer Authentication for High-Risk Transactions (cont’d)
Bank A requires dual authorization of all wires submitted through our Commercial Online Banking application
Bank A requires dual authorization and file authentication for all ACH files
Bank A has only allowed a limited number of customers outside the U.S. to utilize RDC, and we monitor those transactions on a daily basis

10 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Layered Security Programs
Layered is NOT the same as multi-factor
Layered security uses different controls at different points in a transaction process so that a weakness in one control can be compensated for by the strength of another control
Examples:
Fraud detection and monitoring systems that include customer history and behavior (i.e. heuristics) and enable a timely and effective FI response
Dual customer authorization through different access devices
Out-of-band verification for transactions (authentication via 2 systems at the same time – login, PW, token + phone call verification)
Use of “positive pay,” debit blocks, and other techniques to limit transactional use of the account

11 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Examples of Layered Security (cont’d):
Enhanced account controls (transaction value thresholds, payment recipients, number of transactions per day, days and times for payment (payment windows))
Internet Protocol (IP) reputation-based tools to block connections to banking servers from IP addresses known or suspected to be associated with fraudulent activities
Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
Enhanced customer education to increase awareness of fraud risk and effective techniques customers can use to mitigate risk

12 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(3) Examples of Layered Security (cont’d):
Minimum layered security components:
Anomaly detection and FI response at initial login and authentication for electronic banking
Anomaly detection and FI response at initiation of electronic transactions involving transfers of funds to other parties
Control of administrative functions: more controls than for routine business use
Bank A has implemented or plans on implementing the various examples of layered security described above
We strongly encourage our customers to utilize Positive Pay and Payee Review
Ongoing customer education through messages on our Online Banking application, notification of recent fraud schemes, webinars, etc.
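The layered controls listed on slides 10 to 12 (restricted recipient list, value thresholds, daily transaction count, payment windows, dual authorization, and a baseline built from the customer’s own history) as one small monitoring engine run over constructed payment orders. This is an added example written for this page; it is not code from the presentation or from any bank’s system. The customer profile, the order data, the 3x-baseline heuristic and the release/hold/block outcomes are assumptions made for illustration.

```python
"""Layered transaction controls for a commercial online-banking payment flow.

Added example; not code from the presentation or from any bank it describes.
Every control value, the customer profile and the payment orders below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from statistics import mean
from typing import Dict, List, Tuple


@dataclass
class CustomerProfile:
    approved_payees: set                 # restricted funds-transfer recipient list
    per_transaction_limit: float         # transaction value threshold
    max_payments_per_day: int            # number of transactions per day
    payment_window: Tuple[time, time]    # times of day when payments may be submitted
    dual_auth_above: float               # second, distinct approver required above this
    history_amounts: List[float]         # prior wire amounts: customer history and behaviour


@dataclass
class PaymentOrder:
    order_id: str
    customer_id: str
    amount: float
    payee: str
    submitted_at: datetime
    approvers: Tuple[str, ...]           # user ids that approved the order
    balance_before: float                # available balance when the order was submitted


def evaluate(order, profile, submitted_today):
    """Return ('release' | 'hold' | 'block', reasons).

    Each check is an independent layer: a weakness in one (a stolen password
    that satisfies login, say) is compensated by the others. 'hold' means the
    order waits for out-of-band verification with the customer.
    """
    reasons = []
    if order.payee not in profile.approved_payees:
        reasons.append("payee not on approved recipient list")
    if order.amount > profile.per_transaction_limit:
        reasons.append("amount exceeds per-transaction limit")
    if submitted_today >= profile.max_payments_per_day:
        reasons.append("daily payment count exceeded")
    start, end = profile.payment_window
    if not start <= order.submitted_at.time() <= end:
        reasons.append("submitted outside payment window")
    if order.amount > profile.dual_auth_above and len(set(order.approvers)) < 2:
        reasons.append("dual authorization required")
    if profile.history_amounts:
        baseline = mean(profile.history_amounts)
        if order.amount > 3 * baseline:      # 3x is an assumed heuristic threshold
            reasons.append("amount far above customer's historical average")
    if order.amount > order.balance_before:
        # An order that would overdraw the account (a zero-balance account
        # suddenly wiring funds out) is stopped outright rather than held.
        reasons.append("would overdraw the account")
        return "block", reasons
    return ("hold" if reasons else "release"), reasons


def run_batch(orders, profiles):
    """Evaluate orders in submission order, tracking each customer's daily volume.

    Held and blocked orders still count toward the day's volume, so a burst of
    attempts stays visible even when individual orders were stopped.
    """
    counts: Dict[Tuple[str, str], int] = {}
    decisions = {}
    for order in sorted(orders, key=lambda o: o.submitted_at):
        key = (order.customer_id, order.submitted_at.date().isoformat())
        decisions[order.order_id] = evaluate(order, profiles[order.customer_id],
                                             counts.get(key, 0))
        counts[key] = counts.get(key, 0) + 1
    return decisions


# Constructed sample data: one commercial customer with a modest wire history.
PROFILES = {
    "cust-001": CustomerProfile(
        approved_payees={"Acme Steel Supply", "Payroll Services Inc"},
        per_transaction_limit=10_000.0,
        max_payments_per_day=3,
        payment_window=(time(8, 0), time(17, 0)),
        dual_auth_above=5_000.0,
        history_amounts=[2_500.0, 4_100.0, 3_300.0],
    )
}
ORDERS = [
    PaymentOrder("w1", "cust-001", 3_000.0, "Acme Steel Supply",
                 datetime(2012, 6, 7, 9, 15), ("alice",), 50_000.0),
    # Phished credentials: large wire to an unknown payee from a zero balance
    PaymentOrder("w2", "cust-001", 25_000.0, "Overseas Trading Ltd",
                 datetime(2012, 6, 7, 12, 4), ("alice",), 0.0),
    PaymentOrder("w3", "cust-001", 2_000.0, "Payroll Services Inc",
                 datetime(2012, 6, 7, 12, 10), ("alice", "bob"), 50_000.0),
    PaymentOrder("w4", "cust-001", 2_000.0, "Payroll Services Inc",
                 datetime(2012, 6, 7, 12, 15), ("alice", "bob"), 50_000.0),
    PaymentOrder("w5", "cust-001", 6_000.0, "Acme Steel Supply",
                 datetime(2012, 6, 7, 18, 30), ("alice",), 50_000.0),
]

if __name__ == "__main__":
    for oid, (decision, reasons) in run_batch(ORDERS, PROFILES).items():
        print(f"{oid}: {decision:<7} {'; '.join(reasons)}")
```

Running the module prints one line per order: w1 and w3 are released, w2 is blocked on five separate layers at once, and w4 and w5 are held (daily count; daily count plus payment window plus missing second approver). The point of the design is that w2 would still have been caught by any single one of its five reasons, which is what the guidance means by one control compensating for another.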

13 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(4) Effectiveness of Certain Authentication Techniques
Device Identification
Simple cookies no longer “cut it”
Geo-location and IP address matching – fraudsters can now beat those, too
One-time cookies and “digital fingerprint” methods are better
All Agencies consider complex device identification to be more secure and preferable to simple device identification
“Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique”
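The difference between simple and complex device identification in code, as an added example that is not part of the presentation: a static cookie that any copy of will satisfy, beside a one-time cookie that rotates on every successful login and is bound to a keyed hash of device attributes. The attribute set, the in-memory registries and the sample devices are constructed for this page; a real deployment would persist the registry and choose attributes its own client can report.

```python
"""Simple vs. complex device identification for online-banking login.

Added example; not code from the presentation. The fingerprint attributes,
the in-memory registries and the device records are constructed for
illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; generated fresh each run here


class SimpleDeviceRegistry:
    """Simple device identification: one static cookie per device.
    A copy lifted by keystroke or form-grabbing malware works forever."""

    def __init__(self) -> None:
        self.cookies: set = set()

    def enroll(self) -> str:
        cookie = secrets.token_urlsafe(24)
        self.cookies.add(cookie)
        return cookie

    def verify(self, cookie: str) -> bool:
        return cookie in self.cookies


def fingerprint(attrs: Dict[str, str]) -> str:
    """Keyed hash over stable client-reported attributes (constructed set).
    Keying with SERVER_KEY stops stored fingerprints from being precomputed."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class ComplexDeviceRegistry:
    """Complex device identification: a one-time cookie that rotates on every
    successful login and is bound to the device fingerprint. A stolen cookie
    stops working as soon as the legitimate device logs in again, and a replay
    of a consumed cookie flags the device so the next login is stepped up."""

    def __init__(self) -> None:
        self.devices: Dict[str, Dict[str, Optional[str]]] = {}

    def enroll(self, attrs: Dict[str, str]) -> Tuple[str, str]:
        device_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(24)
        self.devices[device_id] = {"fp": fingerprint(attrs), "token": token}
        return device_id, token      # both go into the client's cookie

    def verify(self, device_id: str, token: str,
               attrs: Dict[str, str]) -> Tuple[bool, Optional[str]]:
        """Return (recognised, next_token). Not recognised means the institution
        should treat this as an unknown device and require stronger authentication."""
        rec = self.devices.get(device_id)
        if rec is None or rec["token"] is None:
            return False, None
        token_ok = hmac.compare_digest(rec["token"], token)
        fp_ok = hmac.compare_digest(rec["fp"], fingerprint(attrs))
        if not (token_ok and fp_ok):
            # Consume the stored token: the legitimate device will now also fail
            # recognition, which surfaces the theft instead of hiding it.
            rec["token"] = None
            return False, None
        rec["token"] = secrets.token_urlsafe(24)   # rotate on every use
        return True, rec["token"]


# Constructed device attributes a banking client might report.
LEGIT_ATTRS = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0",
               "screen": "1920x1080", "timezone": "America/Chicago", "lang": "en-US"}
MULE_ATTRS = dict(LEGIT_ATTRS, timezone="Europe/Kiev", screen="1366x768")


def demo() -> Dict[str, bool]:
    """Exercise both schemes; returns which checks an attacker holding a stolen cookie passed."""
    simple = SimpleDeviceRegistry()
    static_cookie = simple.enroll()

    complex_reg = ComplexDeviceRegistry()
    dev, t0 = complex_reg.enroll(LEGIT_ATTRS)
    legit_ok, t1 = complex_reg.verify(dev, t0, LEGIT_ATTRS)   # customer logs in, cookie rotates
    dev2, s0 = complex_reg.enroll(LEGIT_ATTRS)                 # second device, cookie stolen
    return {
        "static_cookie_replay": simple.verify(static_cookie),               # stolen copy still works
        "legit_login": legit_ok,
        "replay_consumed_token": complex_reg.verify(dev, t0, LEGIT_ATTRS)[0],   # old cookie replayed
        "legit_after_replay": complex_reg.verify(dev, t1, LEGIT_ATTRS)[0],      # device now flagged
        "stolen_token_other_machine": complex_reg.verify(dev2, s0, MULE_ATTRS)[0],  # fingerprint mismatch
    }
```

Only the static cookie replay succeeds. Note what the complex scheme deliberately does not rely on: the client's IP address or geolocation, which the slide says fraudsters already beat. It also fails closed for the legitimate customer after a replay is seen; that inconvenience is the signal that the institution's "potentially compromised device" policy on slide 11 should act on.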

14 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(4) Effectiveness of Certain Authentication Techniques (cont’d)
Challenge Questions
Keystroke logging malware and personal information voluntarily posted on social media have made basic challenge questions (mother’s maiden name, high school mascot) ineffective
Must use “out of wallet” questions to be effective (sophisticated questions the customer knows “in their head,” often combined with red herring questions to trick fraudsters)
Dual authorization seems to be working quite well. We have only experienced a couple of losses from wire or ACH fraud, and those were caused by customers not following prescribed internal procedures and controls
Requiring out-of-band authentication for originated ACH files has been highly effective and has prevented multiple fraud attempts

15 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(5) Customer Education and Awareness (esp. commercial customers)
“A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:”
Explanations of protections provided and not provided, and the extent to which Reg E covers their accounts
Explanations of when, if ever, the bank will contact the customer on an unsolicited basis and/or ask for electronic banking credentials
Suggestion that online banking customers perform a related risk assessment and controls evaluation periodically
A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk (or resources where such information can be found)
A listing of FI contacts for customers to use to alert the FI to suspicious account activity or security-related questions

16 Supplemental Guidance on Internet Banking Authentication (FFIEC) – June 28, 2011
(5) Customer Education and Awareness (esp. commercial customers) (cont’d)
Bank A performs onsite customer audits of all Remote Deposit Capture customers that we deem to be high risk to ensure proper internal procedures and controls are being followed
Bank A asks all Remote Deposit Capture customers to complete an annual risk survey that focuses on fraud prevention and internal controls
Bank A clearly states on the front page of its Treasury Management PT&C that it will never ask for passwords, User IDs or token authentications by e-mail, e-mail internet links, mail, over the telephone or in person
Bank A has a revolving list of alerts in our Online Banking application about fraud detection and prevention

17 Case Law Issues and Preventative Measures
Commercially Reasonable Security (Patco issues)
Unknown third parties initiated a series of withdrawals from Patco’s account with Ocean Bank over several days totaling $588,851; Ocean Bank blocked $243,406; Patco wanted the bank to pay the remainder
Court focused on whether the security procedures employed by Ocean Bank were “commercially reasonable” (under the UCC and the state UCC)
70-page opinion looking at: perspectives of competing experts; industry practices; and alternative security measures
Court concluded that the bank’s procedures may not have been perfect or best, but they were “commercially reasonable” (appeal?)
Patco challenged the use of challenge questions themselves – the unique threat of key logging renders challenge questions ineffective

18 Case Law Issues and Preventative Measures (cont’d)
Commercially Reasonable Security (Patco issues cont’d)
Brian Krebs, “Krebs on Security,” said: “Passwords + Secret Questions = ‘Reasonable’ eBanking Security”
Multi-factor: (1) what you know (login, password); (2) what you have (token); (3) who you are (biometric)
BUT word to the wise – do not fall behind on making sure that multi-factor authentication is also part of layered security
Open question whether failure to comply with the updated FFIEC guidance would be a strike against a bank’s security being “commercially reasonable”
Open question as to how far below the FFIEC guidance bar you have to fall before your security measures become “unreasonable”
Guidance is meant to set a “baseline” for best practices, and in reality “guidance” documents are still used by plaintiffs and litigants when arguing what the standard of care should be; it carries weight in that it can aid plaintiffs in moving their case pretty far along
And always keep up with what your competition is offering

19 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues
Whether the EMI employee who was phished was authorized to initiate wire transfers = risks to, and claims against, the bank arising from leaving administrative controls completely to the customer
Bank’s escalation procedures killed telephone wires, and killed future sessions of online banking – BUT did not kill the current session where the fraudsters were in the system
Resulted in the fraudsters being able to conduct additional fraudulent transfers from 12:04 p.m. until 2:05 p.m. (2 hours, 1 minute) – 15 additional fraudulent wire transfer orders initiated in that time
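The escalation gap on this slide, as an added example that is not code from the presentation or from the bank in the case: an account "kill" that only refuses new logins leaves an attacker who is already inside free to keep submitting orders, while one that also revokes every live session stops the very next request. The session store, account name, order count and amounts are constructed for illustration.

```python
"""Account lockdown that revokes live sessions, not just future logins.

Added example; not code from the presentation or from any bank it discusses.
The in-memory session store, account name and wire amounts are constructed.
"""
import secrets
from typing import Dict, List, Set


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # session id -> account
        self.locked: Set[str] = set()

    def login(self, account: str) -> str:
        if account in self.locked:
            raise PermissionError("account locked: no new sessions")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = account
        return sid

    def authorize(self, sid: str) -> str:
        """Resolve the session on every request; raise if it is no longer valid."""
        account = self.sessions.get(sid)
        if account is None:
            raise PermissionError("session not valid")
        return account

    def lock_new_logins_only(self, account: str) -> None:
        """Weak escalation: future sessions are refused, live ones keep working."""
        self.locked.add(account)

    def lock_and_revoke(self, account: str) -> int:
        """Strong escalation: refuse future logins AND terminate every live
        session for the account. Returns how many sessions were killed."""
        self.locked.add(account)
        live = [sid for sid, acct in self.sessions.items() if acct == account]
        for sid in live:
            del self.sessions[sid]
        return len(live)


def login_allowed(store: SessionStore, account: str) -> bool:
    try:
        store.login(account)
        return True
    except PermissionError:
        return False


def submit_wire(store: SessionStore, sid: str, amount: float, payee: str) -> dict:
    account = store.authorize(sid)    # the only gate between the session and the wire
    return {"account": account, "amount": amount, "payee": payee}


def simulate(revoke_live_sessions: bool) -> List[dict]:
    """The attacker logs in with phished credentials, the bank escalates, and the
    attacker keeps submitting wires on the same session until one is refused.
    Returns the wires that were accepted after escalation."""
    store = SessionStore()
    attacker_sid = store.login("acct-emi")        # phished session, opened before escalation
    if revoke_live_sessions:
        store.lock_and_revoke("acct-emi")
    else:
        store.lock_new_logins_only("acct-emi")
    accepted = []
    for i in range(15):                            # 15 further orders, as in the case
        try:
            accepted.append(submit_wire(store, attacker_sid, 1_000.0, f"mule-{i:02d}"))
        except PermissionError:
            break
    return accepted


if __name__ == "__main__":
    print("new-logins-only lock:", len(simulate(False)), "wires accepted after escalation")
    print("lock and revoke:     ", len(simulate(True)), "wires accepted after escalation")
```

An equivalent fix is to have `authorize()` consult `locked` on every request rather than only at login, which also closes the window where a login completes while escalation is in progress. Either way the property to test is the one `simulate(True)` checks: after the bank acts, a request on the attacker's existing session is refused.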

20 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“Good Faith” standard under the UCC
Court in Experi-Metal v. Comerica Bank concluded that Comerica did not act in good faith (i.e. did not observe “reasonable commercial standards of fair dealing”)
“A bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped” the fraudulent activity earlier
No longer “good heart and empty head” but rather “honesty in fact and the observance of reasonable commercial standards of fair dealing.” (U.C.C. §§ 1-201, 3-103, emphasis added)
“Honesty in fact” = SUBJECTIVE prong (pure heart and empty head) – no evidence that Comerica employees

21 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“Observance of reasonable commercial standards of fair dealing” = OBJECTIVE prong (Michigan court citing In re Jersey Tractor Trailer Training, 580 F.3d at 156)
The Official Comments to the U.C.C. make clear that this objective standard should not be equated with a negligence test:
“Although fair dealing is a broad term that must be defined in context, it is clear that it is concerned with the fairness of conduct rather than the care with which an act is performed. Failure to exercise ordinary care in conducting a transaction is an entirely different concept than failure to deal fairly in conducting the transaction.” (citing U.C.C. § 1-201 cmt. 20)

22 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“There is a paucity of cases and authority discussing this recently added prong of the ‘good faith’ requirement.”
The Maine Supreme Court is the only court that has proposed an approach to address whether the objective prong has been met: (1) whether the conduct of the holder comported with industry or “commercial” standards applicable to the transaction and, (2) whether those standards were reasonable standards intended to result in fair dealing (citing Maine Family Fed. Credit Union, 727 A.2d at 343)

23 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
EMI’s and Comerica’s expert witnesses’ comments on “good faith” were basically rejected by the court
Comerica offered NO EVIDENCE that it did act in “good faith” – unlike “commercially reasonable security,” the good faith standard places the burden on the BANK
NO EVIDENCE on the OBJECTIVE prong of the UCC good faith test = BANK LOSES

24 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“[T]he parties cannot vary by agreement what satisfies the ‘good faith’ standard... If ‘reasonable commercial standards of fair dealing’ obligated Comerica to respond to the fraudulent wire transfer activity in a particular way and Comerica failed to observe those standards, it cannot demonstrate that it acted in good faith simply by showing that it was relieved of the obligations to adhere to any of those standards in its agreement(s) with Experi-Metal... [T]o prevail, Comerica had to present evidence conveying the reasonable commercial standards of fair dealing applicable to a bank’s response to an incident like the one at issue here and to show, by a preponderance of the evidence, that its employees observed those standards...”

25 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
“There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident”
(1) “The volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders” = FFIEC Layered Security
(2) “The $5 million overdraft created by those book transfers in what is regularly a zero balance account” = FFIEC High Risk Transaction
(3) “Experi-Metal’s limited prior wire activity” = FFIEC Layered Security (Customer History and Behavior)

26 Case Law Issues and Preventative Measures (cont’d)
Experi-Metal v. Comerica Issues (cont’d)
(4) “The destinations and beneficiaries of the funds” = FFIEC High Risk Transactions
(5) “Comerica’s knowledge of prior and the current phishing attempts” = FFIEC Risk Assessments
“This trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise.”

27 QUESTIONS?
Erin F. Fonté, CIPP
Shareholder, Banking and Financial Institutions / Privacy and Data Security
Cox Smith Matthews Incorporated
111 Congress Avenue, Suite 2800, Austin, Texas 78701
Direct: 512-703-6318
efonte@coxsmith.com
@PaymentsLawyer
LinkedIn: Erin Fonte

