Banking Fraud Risks
By David Dyk, Moss Adams
While regulators don’t
maintain a single source of statistics on Internet banking fraud, it’s clear
that fraudulent ACH and wire transactions resulting from online account
takeovers were a growing trend in 2009 and 2010. A number of high-profile fraud
incidents and the lawsuits that followed have raised awareness of the problem,
damaged institutions’ reputations, and brought increased regulatory scrutiny.
The most relevant current
guidance was issued in 2005 by the Federal Financial Institutions Examination
Council (FFIEC) and focused on authentication. The guidance specifically
instructed institutions to implement authentication stronger than a single
factor for high-risk transactions. The first factor involves something the user
knows, such as a password. A second factor would be something the user has, such
as a token. Many institutions have hybrid systems that attempt to validate a
password and recognize the workstation. If the workstation isn’t recognized,
an additional “challenge” question is validated. Fraudsters, however, use
malware installed on customers’ workstations to capture passwords and
challenge-question answers, or even to intercept a time-sensitive one-time
passcode during authentication and use it before it expires. Once the
customer’s own workstation is compromised, these authentication schemes no
longer provide strong authentication on their own.
Regulators and examiners have been considering this issue in recent years and are expected to provide updated guidance in 2011. In the meantime, scrutiny based on existing regulatory guidance has increased, and institutions should carefully examine their Internet banking offerings to gauge the need to increase the security of high-risk transactions such as ACH batches and wire transfers.
If your institution offers
these higher-risk transactions through Internet banking, a combination of
controls – including authentication, verification, limits, risk management,
and monitoring – should be considered:
The major Internet banking
service providers are aware of these risks and are beginning to offer solutions
to help institutions address them. However, out-of-band authentication and
security options for the client browser are newer technologies and have
generally not been incorporated into the basic offerings from these firms, so
institutions will need to implement them separately.
The updated FFIEC guidance in 2011 may require improvements in authentication, in which case the major Internet banking service providers will roll out authentication improvements to many of their customers, reducing the cost for any one institution. In the meantime, smaller community banks with limited volume should consider manual controls, such as verifying high-risk transactions by telephone call-back to the customer and revisiting credit limits, as a cost-effective first step. Internet banking fraud risk is a hot topic for regulators, and taking action now, in advance of the 2011 guidance updates, will help your institution manage the transition successfully.
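As an added illustration (not from the original article, nor from any bank or service provider), the following Python sketch shows how the controls discussed above, namely limits, monitoring, and an out-of-band verification hold, can be layered behind authentication so that a fraudster who has captured a password and one-time passcode from an infected workstation still cannot move funds unchecked. The customer, payee and device names, the thresholds, and the sample transfers are all constructed for the example.

```python
"""Layered controls for online ACH/wire origination: hard limits, monitoring
indicators, and an out-of-band verification hold. Added illustration only;
profile fields, thresholds and sample data are assumed, not a vendor's API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple

APPROVE, VERIFY, BLOCK = "approve", "verify_out_of_band", "block"


@dataclass
class Transfer:
    customer: str
    kind: str            # "ach_batch" or "wire"
    amount: int          # cents; integers avoid float rounding on money
    payee: str
    device_id: str       # workstation fingerprint from the banking session
    otp_verified: bool   # did the login pass the one-time passcode step?
    when: datetime


@dataclass
class Profile:
    known_devices: Set[str]
    known_payees: Set[str]
    per_item_limit: int          # hard cap per transfer, cents
    daily_limit: int             # hard cap per calendar day, cents
    velocity_max: int = 3        # transfers per hour before a hold
    history: List[Transfer] = field(default_factory=list)


def evaluate(t: Transfer, p: Profile) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Authentication is a precondition, not a
    substitute: a stolen password and OTP still face the transaction controls."""
    reasons: List[str] = []
    if not t.otp_verified:
        return BLOCK, ["session not authenticated"]

    # Hard limits: exceeding them is refused outright, never "verified" through.
    if t.amount > p.per_item_limit:
        reasons.append("exceeds per-item limit")
    day_total = t.amount + sum(
        h.amount for h in p.history if h.when.date() == t.when.date())
    if day_total > p.daily_limit:
        reasons.append("exceeds daily aggregate limit")
    if reasons:
        return BLOCK, reasons

    # Monitoring indicators: any one of these holds the transfer for a
    # call-back to the customer on a telephone number of record.
    if t.device_id not in p.known_devices:
        reasons.append("unrecognized workstation")
    if t.payee not in p.known_payees:
        reasons.append("first payment to this payee")
    recent = [h for h in p.history
              if timedelta(0) <= t.when - h.when <= timedelta(hours=1)]
    if len(recent) >= p.velocity_max:
        reasons.append(f"{len(recent)} transfers in the last hour")
    return (VERIFY, reasons) if reasons else (APPROVE, reasons)


def record(t: Transfer, p: Profile) -> None:
    """Commit an approved (or out-of-band confirmed) transfer to history."""
    p.history.append(t)
    p.known_payees.add(t.payee)
    p.known_devices.add(t.device_id)


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed sample: routine payroll, then an account-takeover attempt
    riding the customer's own authenticated session on an infected PC."""
    p = Profile(known_devices={"ws-accounting-1"},
                known_payees={"payroll-processor"},
                per_item_limit=50_000_00, daily_limit=120_000_00)
    t0 = datetime(2010, 11, 3, 9, 0)
    routine = Transfer("acme", "ach_batch", 42_000_00, "payroll-processor",
                       "ws-accounting-1", True, t0)
    # Recognized device, OTP captured by malware, but a payee never seen before.
    mule = Transfer("acme", "wire", 9_800_00, "mule-account-7",
                    "ws-accounting-1", True, t0 + timedelta(minutes=5))
    # Same session, amount over the institution's hard per-item limit.
    big = Transfer("acme", "wire", 75_000_00, "mule-account-7",
                   "ws-accounting-1", True, t0 + timedelta(minutes=6))
    results = []
    for t in (routine, mule, big):
        decision = evaluate(t, p)
        results.append(decision)
        if decision[0] == APPROVE:
            record(t, p)
    return results


def demo_velocity() -> Tuple[str, List[str]]:
    """Constructed sample: otherwise routine transfers tripping the hourly cap."""
    p = Profile(known_devices={"d"}, known_payees={"x"},
                per_item_limit=10_000_00, daily_limit=100_000_00)
    t0 = datetime(2010, 11, 3, 10, 0)
    for i in range(3):
        p.history.append(Transfer("c", "ach_batch", 1_000_00, "x", "d", True,
                                  t0 + timedelta(minutes=10 * i)))
    return evaluate(Transfer("c", "ach_batch", 1_000_00, "x", "d", True,
                             t0 + timedelta(minutes=40)), p)


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
    print(*demo_velocity())
```

The point of the ordering is that a passed login only admits the transfer to the control pipeline; it never clears a hold. Hard limits block without recourse in the session, so a fraudster cannot talk a held wire through, and the softer indicators (new payee, new workstation, velocity) route to a telephone call-back on a number the bank already holds, which the malware on the customer's PC cannot intercept.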