A reminder to community banks from the Bankers’ Bank of the West Executive Team
Fourth quarter 2013
You may recall that a crime commonly known as corporate account takeover was committed at banks in the mountain states and Great Plains region earlier this summer.
The fact is, any bank—of any size, in any region—can fall prey to cyber criminals.
The intended victim
The main target of a corporate account takeover is a financial institution’s business customer, not the bank itself. The crook sees the corporate customer as more vulnerable than the (presumably) well-secured financial institution. Using a mix of techniques—generally involving spyware that monitors corporate employees’ keystrokes to steal passwords and other sensitive information—the criminals might take several months to plan their attack. Then they attempt, and often successfully pull off, a quick online heist of hundreds of thousands of dollars. Because many such thefts are perpetrated from far-off corners of the world, most of the crooks are never caught.
Keep in mind that either the corporate customer or its bank, or both, frequently suffer huge losses when a corporate account takeover is committed. This underscores the need for the corporate customer as well as the bank to maintain high security standards; otherwise, both could become susceptible to attack. To borrow a proverb, a chain is only as strong as its weakest link.
We recommend building a tough defense
The value of staying current on developments affecting banks, especially in the area of cyber security, cannot be overstated. Scam artists regularly adapt their tactics to changing conditions, after all. Don’t allow yourself to become complacent.
Following are some commonsense steps to help you control risk to your bank and your corporate customers:
- Educate your customers—especially businesses. Update them on the tactics being used by criminals. Let them know the biggest security risks are human-related. For instance, scammers are constantly tweaking their social engineering tactics (like phishing) in an effort to trick victims into downloading malicious software. Also stress the need to secure any “bring your own” smart devices used by employees in the workplace—including tablets, smart phones, laptops, and e-book readers.
- Make employee vigilance a high priority at all levels of your bank. In addition to knowing the customer, you need to know your customer’s routine banking behavior. Watch for changes in established patterns. Question anomalies. If out-of-the-ordinary activity occurs on a commercial account, shut down access immediately.
- Involve your customers in fraud-prevention efforts. Some banks provide anti-malware software, and regular updates, to customers with online access. If such an expense is out of the question, consider at least providing best-practices guidance and software recommendations for business customers.
- Make certain that verifiers at your bank critically review all ACH files before sending them through. This step is a linchpin in your security scheme.
- Require business customers to follow dual control when originating ACH files. Never release an ACH file before getting a receipt from a second authorized individual at that business.
- Specify in your agreements that customers must maintain balances sufficient to cover any unfunded files—both debits and credits.
- Warn your business customers against originating ACH files from any computer that isn’t properly secured—for instance, a laptop on a public network. Consider including language in your agreements that expressly prohibits the customer from originating ACH files from a non-secured computer. Or advise customers to use a dedicated computer for online access.
- Keep a current ACH Risk Management Handbook (a NACHA publication) nearby. You can order a copy from NACHA or get one through your regional payments association.
- Earmark both funds and staff time for the ongoing education and training of bank employees. Even a modest commitment represents a wise investment in these changing times. Urge key employees to become certified in areas of expertise most crucial to their function. Enroll appropriate staff in courses, webinars and conferences offered by your state banking associations, your payments associations, and other professional groups. Invite employees to share security-related information with their co-workers.
- Even though automated risk management tools are no substitute for following proper risk management rules and procedures, they can significantly reduce the potential for inconsistency and human error. What’s more, they can help ensure regulatory compliance. If your bank is on BIDS, ask about the BIDS ACH Risk Management solution, which is equipped with a full complement of helpful features including real-time notification of limit exceptions. To learn more, contact us at 800-873-4722 or firstname.lastname@example.org.
Another abundant source of current information is the Internet. Among the many worthwhile websites are the Financial Crimes Enforcement Network website and the members-only section of the American Bankers Association website.
Several major providers of prepaid card programs have announced plans to discontinue their prepaid product lines, citing the difficulties of complying with Durbin Amendment rules.
Even so, community banks will continue to enjoy uninterrupted access to high-quality prepaid card products through Bankers’ Bank of the West (BBW). Why? Because Simplexes™, the partner behind BBW’s prepaid solutions, prepared long in advance to meet the rules and requirements set out in the Durbin Amendment.
Thanks to this partnership with Simplexes, all of the prepaid card programs offered by BBW are completely PCI compliant. In addition, their turnkey design makes them easy to deploy by community banks of any size. BBW’s prepaid product lines are:
- Gift Cards
- Reloadable Cards
- Travel Cards
- Youth Cards
Viveca Ware, in the April 2013 issue of ICBA Independent Banker Today, observes that financial institutions are competing not only with one another but also with giant retailers―not to mention entities like Facebook―looking to entice consumers to bypass banks by offering unconventional payment channels (“Wading Into the Prepaid Waters,” pp. 68-9). Prepaid card programs give retail and commercial customers alike the flexibility they might otherwise seek elsewhere.
To learn more about trends and developments in prepaid cards, or to find out how to set up a prepaid program at your bank, contact either of these individuals in the Bank Card Division at BBW (telephone 800-601-8630): MaryAnn Elliott-Supples, senior vice president, at email@example.com; or Lynette Gregg, bank card product development and training officer, at firstname.lastname@example.org.
Six-figure con attempts are increasing in frequency – April 2013
Attorneys and community banks have been targeted
Since 2010, the incidence of bold, carefully plotted, and occasionally successful efforts to swindle six-figure sums from professionals—and the community banks that serve them—calls for keen awareness and an educational push on the part of financial institutions. As an ally and partner to community banks, Bankers’ Bank of the West urges banks to proactively inform their employees and customers of the risks inherent in potentially fraudulent transactions and make them aware of precautions that could minimize exposure to both the bank and its unsuspecting customers.
Contrary to conventional belief, the intended victims in recently reported attempts have been professionals and banks in smaller communities located some distance from large metropolitan areas. Some of the criminals have successfully cheated their victims; others have been foiled. While con artists are adept at varying their targets and methods, some of the most egregious scams have followed this general pattern:
- A perpetrator, usually operating from outside the United States, contacts an attorney in a small community, requesting assistance with a U.S. transaction to take place at some undetermined date. The perpetrator spins a credible backstory regarding the fictional transaction—for example, a real estate investment—and becomes a client of the attorney, whose supposed role is to serve as an intermediary when the transaction takes place. Next, the “client” sends a six-figure check to the attorney, who is instructed to deposit the check (drawn on a foreign bank), and then await instructions. The attorney deposits the foreign check with his or her community bank. Some days or weeks later, the “client” regretfully notifies the attorney that the deal fell apart and then provides wiring instructions for the return of funds received, minus a portion for the attorney to retain for the inconvenience. The attorney obliges, and the community bank, following its customer/attorney’s request, wires the funds to the purported client outside the U.S. Shortly thereafter, the check is discovered to be counterfeit. Having been sent by wire, the funds are not recoverable.
Under this scenario, unless the attorney has sufficient funds on deposit with the bank to cover the loss, the community bank is in a major predicament.
The basis of the risk
In the situation described above, the risk lies in accepting a check ostensibly drawn on a foreign bank, and subsequently exchanging the instrument for good funds with no chance of recourse. Unlike a check drawn on a U.S. institution, which is subject to various regulations regarding the presentment and payment of checks, a check drawn on a foreign bank is not covered by U.S. regulations and, in fact, could take weeks, months, or even years to settle or to be proven uncollectable or counterfeit. Contrast this with the immediacy of a wire transfer, and the results are perfect-storm conditions for fraud.
- Communicate with your customers, particularly business customers, about scams. Recent incidents have victimized attorneys in non-metropolitan areas. It is conceivable, though, that con artists could target other victim profiles or other geographic areas.
- Train employees to watch what sorts of items customers are depositing. When presented with checks drawn on institutions outside the U.S., bank employees should ask smart questions.
- Recognize that a bank accepting foreign checks is at a big risk. Set policies that take those risks into account.
- Consider an alternative to depositing a foreign check. Sending a foreign item for collection is a cumbersome, time-consuming solution—but one that eliminates risk to the bank of presentment and the bank’s customer. The process, which can take weeks or even months, entails these basic steps:
  - The bank of presentment sends the physical item to its correspondent.
  - The correspondent sends the check to a U.S. bank having a relationship with the foreign institution it is drawn on.
  - The foreign institution researches and evaluates the item to determine its validity and the availability of funds.
  - If the item is determined valid and funds are available, the foreign bank sends the funds to the correspondent for further credit to the bank of presentment.
©2013 Bankers’ Bank of the West