Protecting ACH Transfers
(Read the .pdf version: Protecting ACH Transfers.)
New regulations require financial institutions to monitor risk for ACH transactions. Even when a financial institution’s systems are secure, its customers’ systems may not be. ACH rules take over where Red Flags rules left off by going beyond consumer protections to mitigating risk in business accounts. Find out what’s behind the new rules and how your organization can prepare.
As of June 2010, federally insured financial institutions were required to start performing ACH risk assessments. Regulators are asking organizations to look at ACH processes and wire transfers—however they move money electronically—and mitigate the risk.
Regulators are working with financial institutions to shore up weaknesses within the financial transaction system. The objective, of course, is to intercept fraud, catch problems early, and make sure these transactions remain secure.
ACH transactions have been occurring for years, but they’re becoming more prevalent. More consumers—and more businesses—are choosing this option.
And obviously, the crooks are paying attention. They’re intercepting these connections and creating their own transactions to steal money directly out of customer accounts.
It’s not a bank’s network that’s being compromised. It’s a customer’s network. It’s a case of corporate identity theft, pure and simple. The thieves can authenticate themselves to the bank, as if they were the customer, and transfer money.
The Back Story
In November 2008, the introduction of Red Flags regulation meant that financial institutions would have to start monitoring accounts for evidence of identity theft. Organizations had to come up with early detection systems.
The thing is…that regulation specifically exempted most business accounts. The primary obligation was to monitor personal, consumer accounts.
In the ideal scenario, financial institutions adapted the Red Flags guidelines and applied them to their business accounts. (At least that’s what we advised our clients to do.) But, many organizations opted to focus on consumer accounts only. And that’s where the crooks stepped in.
As far as we can tell, the bad guys were paying attention. They noted the gap and began targeting corporations.
In early 2009, we started seeing evidence that crooks were finding ways to steal corporate identities. They found a way to get between corporations and their banks to steal money from corporate checking accounts.
The most infamous attack was dubbed the Zeus Banking Trojan. The trojan was introduced into the corporate network. From there, it allowed the bad guys to capture corporate information as employees logged into an internet banking site. The trojan captured login and other key identification information, so the crooks could later sign on and authenticate themselves as if they were legitimate users. We call it a man-in-the-middle attack.
It was an attack like that that made Hillary Machinery national news—at least in financial circles. On November 9, 2009, cyberthieves started transferring money out of Hillary Machinery’s bank account. They took more than $800,000, over two days, before Hillary noticed the problem. The company’s bank, PlainsCapital, was able to recover nearly $600,000, but said it shouldn’t be responsible for the rest.
From there, the two organizations entered a veritable war—fought on both legal and media fronts. PlainsCapital sued Hillary Machinery and asked the court to rule that its security practices were reasonably sufficient. The transfers, they alleged, were made by someone who accessed Hillary’s account information through Hillary’s own systems.
Hillary Machinery responded with a countersuit and a caustic PR campaign. The case generated all sorts of buzz and came to represent the increasing conflict between banks and business customers over responsibility for misappropriated account credentials.
An Everywhere Problem
Some people think that ACH fraud is something that happens in big cities. Unfortunately, that’s simply not the case.
Consider the widely published account of Wisconsin’s Eau Claire County and how they successfully stopped just this kind of man-in-the-middle attack in January 2010. In that case, the county’s bank became the hero of the story after it noticed some suspicious wire transfers.
The bank contacted the Eau Claire County treasurer’s office and determined the county had only approved one transfer. In all, it stopped about $800,000 from being moved to an outside, dummy account. According to news reports, the FBI suspected Russian hackers were behind the attack.
It takes constant vigilance to maintain security in electronic systems—even in small-city Wisconsin.
An ‘It’s Your Problem’ Problem
When the Hillary Machinery and PlainsCapital case settled out of court, we lost out on any kind of legal precedent that would assign liability in cases like these. So right now, we still don’t know who would be ultimately responsible for these losses.
What we do know is that the ACH regulations will make it a lot harder for a financial institution to throw up its hands and say, “Not my problem.” Having adequate security will mean more than protecting your own data systems. It will mean watching out for possible breaches in your customers’ systems too.
The FFIEC published ACH risk assessment guidance in February 2010, and risk assessments were supposed to start as of June 2010. As financial institutions enter their 2011 annual exams, they can bet that regulators are going to be looking for compliance.
Here’s what needs to happen: Institutions need to identify all the vendors or systems they’re using to process ACH or wire transfer payments. They need to obtain as much information as possible on how the security systems work, what risks might be applicable, and how these risks might be mitigated.
The financial institution is responsible for coming up with controls on their end AND educating customers to catch and prevent risks from the other side of the process.
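The kind of control on the bank’s end that caught the Eau Claire County transfers (the bank noticed unusual outgoing wires, called the customer, and learned only one had been approved) can be written down as a review rule over outgoing transfers. The following is an added example, not code from the original article or from any bank or vendor it mentions: all account numbers, beneficiaries, amounts and dates are constructed sample data, and the thresholds (a multiple of the customer’s historic largest transfer, and a count of transfers per 48 hours) are assumptions chosen for illustration. It holds for review any transfer the customer did not confirm out of band, any first-time beneficiary, any amount well above the customer’s baseline, and any burst of transfers in a short window.

```python
"""Hold-for-review rules on outgoing ACH/wire transfers.

Added example with constructed data; thresholds are assumptions, not any
regulator's or bank's published values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    account: str       # originating customer account (constructed id)
    beneficiary: str   # destination account (constructed id)
    amount: float      # dollars
    when: datetime


# Constructed history of the customer's past, legitimate transfers; it
# establishes the baseline (known beneficiaries, largest amount sent).
HISTORY = [
    Transfer("h1", "cust-001", "ben-payroll", 42_000.00, datetime(2009, 10, 1, 9, 0)),
    Transfer("h2", "cust-001", "ben-supplier-A", 18_500.00, datetime(2009, 10, 15, 10, 30)),
    Transfer("h3", "cust-001", "ben-payroll", 43_200.00, datetime(2009, 11, 1, 9, 0)),
]

# Constructed batch submitted through online banking over two days.
PENDING = [
    Transfer("t1", "cust-001", "ben-payroll", 44_000.00, datetime(2009, 11, 9, 9, 5)),
    Transfer("t2", "cust-001", "ben-unknown-17", 95_000.00, datetime(2009, 11, 9, 11, 20)),
    Transfer("t3", "cust-001", "ben-unknown-23", 88_500.00, datetime(2009, 11, 9, 14, 45)),
    Transfer("t4", "cust-001", "ben-supplier-A", 19_000.00, datetime(2009, 11, 10, 8, 10)),
    Transfer("t5", "cust-001", "ben-unknown-41", 91_000.00, datetime(2009, 11, 10, 8, 30)),
]

# What the customer confirmed out of band (e.g. by a phone call to a known
# number) that they actually authorized. Constructed for the example.
CUSTOMER_APPROVED = {"t1", "t4"}

# Assumed thresholds for illustration.
AMOUNT_MULTIPLIER = 1.5             # flag amounts above 1.5x the historic max
VELOCITY_LIMIT = 4                  # flag more than 4 transfers per window
VELOCITY_WINDOW = timedelta(hours=48)


def build_profile(history):
    """Per-account profile: known beneficiaries and largest historic amount."""
    profile = defaultdict(lambda: {"beneficiaries": set(), "max_amount": 0.0})
    for t in history:
        p = profile[t.account]
        p["beneficiaries"].add(t.beneficiary)
        p["max_amount"] = max(p["max_amount"], t.amount)
    return profile


def review_transfers(pending, history, approved_ids):
    """Return {tx_id: [reasons]} for every transfer that should be held."""
    profile = build_profile(history)
    alerts = defaultdict(list)
    seen_by_account = defaultdict(list)
    for t in sorted(pending, key=lambda x: x.when):
        p = profile[t.account]
        if t.tx_id not in approved_ids:
            alerts[t.tx_id].append("not confirmed by customer")
        if t.beneficiary not in p["beneficiaries"]:
            alerts[t.tx_id].append("first transfer to this beneficiary")
        if p["max_amount"] and t.amount > AMOUNT_MULTIPLIER * p["max_amount"]:
            alerts[t.tx_id].append("amount exceeds historic baseline")
        seen_by_account[t.account].append(t)
        # Velocity: transfers from this account in the window ending at t.
        recent = [x for x in seen_by_account[t.account]
                  if t.when - x.when <= VELOCITY_WINDOW]
        if len(recent) > VELOCITY_LIMIT:
            alerts[t.tx_id].append("transfer velocity above limit")
    return dict(alerts)


def amount_held(pending, alerts):
    """Total dollars kept from leaving the account by the review holds."""
    return sum(t.amount for t in pending if t.tx_id in alerts)


if __name__ == "__main__":
    held = review_transfers(PENDING, HISTORY, CUSTOMER_APPROVED)
    for tx_id, reasons in held.items():
        print(tx_id, "->", "; ".join(reasons))
    print("held: $%.2f" % amount_held(PENDING, held))
```

On the constructed batch the two confirmed transfers (t1, t4) clear, and the three unconfirmed transfers to never-seen beneficiaries are held, which is the pattern the Eau Claire bank acted on. The out-of-band confirmation rule is the important one: it catches the case the article describes, where the attacker holds valid credentials and the bank’s own systems are not the ones compromised, so a login alone proves nothing.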
And here’s something else you might not have thought of: Examine your marketing materials. Be sure you’re not positioning ACH as a tool to prevent theft. Because it’s not…not anymore. The risk environment is changing rapidly. Review what you as an organization could be doing to help educate your customers.
Bottom line, the ACH regulation fills a hole left in the Red Flags rules. Financial institutions need to work with their customers to prevent these kinds of thefts. No more finger pointing. This is an effort to get the two parties to work together.