06/03/2011

Bank Security: War Elevates Concern


Like it or not, banks have been conscripted to the front lines of the government’s “war on terror,” having been assigned the duty of helping to identify terrorists and disrupting their financial networks. It’s an awesome responsibility, and even some of the best-run banks are having a tough time living up to regulatory expectations.

Many banks are being faulted for failing to comply with provisions of anti-money-laundering and USA Patriot Act regulations. Some of the infractions might seem small to the non-indoctrinated, but banks are getting written up by regulators for seemingly minor mistakes on required money laundering reports, for example. And while examiners have been lenient so far, typically requesting remediation instead of the criminal and civil penalties spelled out in the new regulations, this grace period will not last long. Explains Ken Proctor, senior consultant with Alex Sheshunoff Management Services, Austin, Texas: “Regulators have indicated a zero tolerance policy” for any and all violations of anti-money-laundering and Patriot Act rules. “They can and will issue enforcement actions, even cease-and-desist orders for seemingly small errors,” he says.

The regulators’ concerns aren’t limited to the filing of suspicious activity reports, either. Every bank’s computer systems (especially those containing crucial customer and transaction information) and its links to the Internet should be protected from cyberattacks, too. “Examiners are hitting risk management really hard,” says Jeff Hall, national manager of the information security practice at RSM McGladrey, a St. Paul, Minnesota-based consulting firm. Furthermore, there are growing expectations that banks need to do more to protect individual customers from identity theft and other acts of information exposure and piracy. “The information security proscriptions cover a wide breadth of the bank enterprise,” explains Rob Drozdowski, senior regulatory specialist with the trade group America’s Community Bankers.

The price of compliance is steep. One estimate by the technology consulting firm TowerGroup states that U.S. financial institutions will shell out $60 billion for compliance-related technology alone this year in order to keep step with requirements of the USA Patriot Act. That’s substantially more than the $50 billion the industry spent fending off the much-feared Y2K bug. Yet the ultimate cost of not complying with the USA Patriot Act’s legal and regulatory requirements is potentially greater still. The cost to banks of identity fraud alone could top $8.5 billion a year by 2005, mostly in losses to bankcard issuers, estimates Dennis Behrman, research analyst with Financial Insights, a Framingham, Massachusetts-based consultancy.

Banks have amassed pretty sophisticated weaponry in their ongoing battles against fraud. There are systems that track demand-deposit account activity, for example, and ferret out check-kiting schemes and other forms of deposit fraud. There are systems that can track potential loan frauds. And there are all kinds of gadgets and monitoring systems that help defend against physical assaults on a bank, its employees, and its customers. But the technologies that support these systems haven’t always kept pace with the computer age, or with changing market demographics.

“You’re not just looking at data and transactions anymore. You’re looking at systems as a whole, and everything that goes into those systems, and the insider implications as well,” explains Eric Uner, cofounder of Bodacion Technologies, a Barrington, Illinois firm that sells Internet security systems.

The “insider implications” Uner references are substantial. RSM McGladrey noted in a recent report on bank security issues that an audit of a Pennsylvania bank’s security revealed that personal information from 700 mortgage loan applications was accessible to any and all comers because an employee had accidentally shut off some security settings before surfing the Internet. Horror stories like these have become all too common, the experts say. “Security training on the logical side is really lacking,” says Hall.

Meanwhile, on the technology side, there’s no silver bullet. New and emerging technology weapons typically address just one facet of security requirements: identifying potential terrorists who may be laundering money, for example, or stopping computer hackers.

Regulators are demanding that banks put in place comprehensive security programs and are insisting these programs have the mark of each institution’s board of directors. “A lot of boards aren’t documenting what’s being done,” explains Cynthia Bonnette, managing director of M ONE Inc., a Phoenix-based consultancy. “Examiners criticize things that they see [or don’t see]. They see and understand things that are documented or physical,” notes Bonnette, a former member of the FDIC headquarters’ staff.

Bonnette and others dispute suggestions that community banks have few worries about being caught up in fraud and terrorism schemes. Community banks are just as vulnerable, if not more vulnerable, than larger banks, and the bad guys know this, the experts insist.

“A lot of community banks don’t believe they’re targets, and in fact, they are the best targets,” says Hall.

Hall believes much of the current vulnerability arises from the focus community banks place on customer service as a market differentiator. “In the ’90s, we spent a lot of time focused on customer service. Now, it’s coming back to bite us,” the consultant says.

Many culprits, for example, use social engineering techniques that some experts liken to a verbal rendition of three-card monte, where instead of walking away with cash, the culprits score more valuable assets like critical customer data or unlimited access to “secured” computer systems.

One of the more common social engineering attacks can come at a bank by way of the telephone. A hacker might telephone a bank’s call center or a help desk, pretending to be a customer or a bank executive, and gradually extract information that provides access to critical bank systems and information. “At most financial institutions, internal security isn’t up to par at all,” says Hall. “As a result, if somebody does penetrate your bank’s network, you’re done.”

“You can’t get away with being lucky,” adds Bonnette.

Every bank is at risk: the regulators know it, the bad guys know it, and customers are concerned about it. A recent TowerGroup survey found that among consumers who have access to the Internet, the top reasons for not using online banking services all involve security.

And don’t be fooled into thinking that outsourcing technology operations to specialists puts your bank in a better position than those banks that support technology in-house. To be sure, banking processors all have technology weapons like firewalls, intrusion detection, and antivirus software. But many of these weapons were developed to defend the companies’ core systems, not necessarily its connections to customers. Often, the hardware and software configurations that establish the connections aren’t up to standards, leaving banks vulnerable to outside attacks or a regulatory write-up.

Basic vendor management is crucial. “Just knowing who has access to your information. That’s the thing I find really amazing; many banks don’t know that,” says Sheshunoff’s Proctor. Worse, the training environments that produce today’s tech-savvy employees may be exposing banks to risks never before imagined. The Pennsylvania bank security breach mentioned above was one of countless examples uncovered in research and interviews for this story. Imagine the consequences of an employee, bored during downtime, tooling around with the bank’s internal networks or its Internet connection. Consultants who specialize in network vulnerability testing say these are problems they encounter on an almost-daily basis.

But, again, the banking industry’s role in the war on terror is about more than defending access to bank systems and information. It’s much broader, and includes safeguarding customer information, defending against money laundering, defending against computer viruses and disruptions in services, and helping the government identify potential terrorists.

The best bet, and the legal requirement, to protect a bank and its directors from becoming casualties in the war on terror is to actively pursue and monitor a broad-based security program, with the advice and counsel of security experts, and to document everything.

Who Do You Call?

Company, location, phone, contact, website:

Alex Sheshunoff Management Services, Austin, TX; 800-477-1722; Ken Proctor; ashesh.com

RSM McGladrey, St. Paul, MN; 651-221-1190; Jeff Hall; rsmmcgladrey.com

Bisys Banking Solutions, Cherry Hill, NJ; 866-247-9724; J. Robert Jones Jr.; bank.bisys.com

SAS Institute, Cary, NC; 919-677-8000; Jim Goodnight; sas.com

EMC, Hopkinton, MA; 508-455-1000; Phil Faulkner; emc.com

Unisys, Blue Bell, PA; 800-874-8647; Marc Zimmerman; unisys.com

M ONE Inc., Phoenix, AZ; 703-276-6816; Marilyn Seymann; moneinc.com

ISS, Atlanta, GA; 888-901-7477; Lawrence Costanza; iss.net

Pinkerton Consulting, Charlotte, NC; 704-552-6257; Don Walker; pinkertonagency.com
