Wire transfer fraud prevention shifting risk is not enough
When banks and commercial customers clash over fault in cases of wire transfer fraud, the litigation historically goes against the bank. Customers argue the banks' systems and procedures failed, and that argument has traditionally won. A March decision in favor of a bank, however, could rebalance the roles and responsibilities of financial institutions and customers. The facts of the case show that banks can protect themselves and serve their customers better by explaining why certain processes are in place, not just what those processes are.
In Choice Escrow and Land Title, LLC v. BancorpSouth Bank (BSB), a Missouri company sued its Mississippi bank after it lost $440,000 to wire transfer fraud in 2009. Choice used BSB's online banking product, InView, to make electronic wire transfers. In its suit, Choice argued that it had not done any business with the entity in Cyprus to which the money was wired, and it "did not initiate, approve, authorize, or ratify" the transfer. According to the court ruling, InView used a Dual Control process that required two individuals with separate user IDs and passwords to enter and then separately approve a requested transfer.
In its defense, BSB argued that it had explained the Dual Control process to Choice, but Choice declined because it often had only one employee working at a time. Choice also declined to place daily transfer limits on the two employees authorized to handle wire transfers through the BSB account, or to put a limit on overall daily transfers. Choice signed an agreement that acknowledged it was waiving the Dual Control approach and was aware of the additional risks the waiver created. Thus, the security process was not in use when criminals used malware to steal one of the two users' ID and password.
U.S. Magistrate Judge John T. Maughmer of the U.S. District court for the Western District of Missouri, Southern Division, ruled in BSB's favor. In his decision, he wrote, "The experts in this case agree that the fraud would not likely have occurred if Choice had utilized the 'Dual Control.' It elected not to . . . twice."
The case demonstrates how financial institutions can effectively serve their commercial customers and, at the same time, protect their own interests. Like BSB, banks must go beyond simply telling clients what they need to do to protect themselves against fraud. Banks should give clients the why behind security processes and internal controls necessary that may seem burdensome or unnecessary. Given the endless threats, customers who think they can safely ignore basic security and internal control measures such as dual verification and daily limits are risking catastrophe.
Awareness is more vital than ever. The opportunities for theft have grown in recent years as banks rolled out commercial cash management (CCM) systems. CCMs connect banks and customers in a way that can eliminate traditional transfer verification steps such as callbacks and fax confirmations. Customers can now initiate electronic transactions such as ACH origination files and wire transfers on their own without these steps. The streamlined approach enhanced efficiency, but also prompted criminals to shift targets. Armed with hijacked IDs and passwords, criminals launch cyber-thefts from the customer side, which is what occurred with Choice.
How should financial institutions advise customers on security? Automated Clearing House (ACH) rules require banks to keep customers informed of security issues. The Federal Financial Institutions Examination Council (FFIEC) provides guidance but no regulations. Banks agreements with customers often include security steps and control procedures required for customers. If customers do not want to abide by the steps, best practices indicate that customers should be required to specifically opt out of them and accept responsibility for loss that may occur; this approach shifts the risk back to the customers.
But should a bank be satisfied in merely shifting risk to customers? Our advice to banks is: don't take the opt-out at face value. Rather, dig deeper to understand why a customer would opt out of reasonable security and control measures. What would cause a customer to act against its own best interests? We suggest that banking clients hold annual security reviews with customers to explain the reasons for the security and internal control processes, as well as the risks posed by the customer's opt-out request. Once a bank understands the opt-out, it can brainstorm with the customer to find alternative solutions.
These reviews can lead to closer security collaboration between banks and customers. Topics to discuss include:
- Bank customers can significantly reduce the threat of an attacker accessing their systems by conducting ACH and wire batch-file transactions through a dedicated system not used for any other Internet activity. A single-use system is relatively inexpensive, when compared to the funds at risk. Once a system connects to the Internet for other purposes, the risk of penetration escalates. Frequently, during fraud investigations with a bank's commercial customers, malware is found to be installed on the system used to create the ACH batch file or wire requests.
- All customer systems should be protected by a commercial-quality firewall and commercial-quality anti-virus software; also, security patches need to be applied as they are made available. Banks have used these same layers of security to deflect attacks, and customers should do the same.
- Rigorously practiced, controls and processes enhance security. Dual verification, phone callbacks or faxes to verify transactions, and limitations on daily transfers are examples of additional internal control procedures. Segregation of duties and reconciliations are also critical. Choice learned, to its $440,000 regret, that you ignore controls at your peril.
- Who's in charge? Smaller banks often suffer from informal risk oversight. Lacking a Chief Risk Officer, such banks rely on fragmented or distracted risk management. The staffer in charge of ACH and wire transfers often, by default, is also responsible for security. Our guidance: designate a risk manager to ensure technology and internal control process tools are in place.
Time-pressed or overconfident customers may balk when banks require self-assessments or security discussions. However, cases like Choice v. BSB give banks a strong argument for the conversations. Customers may be tempted to opt out of technology and process procedures—and banks may regard a signed opt-out form as enough protection for their interests. But that's short-sighted thinking all around. The better approach: banks engage customers in a thorough and ongoing audit and education of security and internal control processes, and push to make sure all processes are practiced.