How Innovative Banks are Eliminating Online Card Fraud

Card fraud has a new home. Just a few years after the prolonged and pricey switch to EMV chip cards, fraud has migrated from purchases where the card is physically swiped to transactions where the card is not present. The shift means that U.S. banks might be on the cusp of yet another move in card technology.

EMV chips were so successful in curbing cases of fraud where the card was swiped that fraud evolved. Fraud is 81 percent more likely to occur today in “card-not-present” transactions that take place over the phone or internet than at the point of sale, according to the 2018 Identity Fraud Study by Javelin Research.

Technology has evolved to combat this theft. One new solution is to equip cards with dynamic card verification values, or CVVs. Cards with dynamic CVVs will periodically change the 3-digit code on the back of a credit or debit card, rendering stolen credentials obsolete within a short window of time. Most cards with dynamic codes automatically change after a set period of time—as often as every 20 minutes. The cards are powered by batteries that have a 3- to 4-year lifespan that coincides with the reissuance of a new card.

Several countries including France, China and Mexico have already begun adopting the technology, but the rollout in the United States has been more limited. The new Apple Card, issued by Goldman Sachs Group, boasts dynamic CVV as a key security feature. PNC Financial Services Group also launched a pilot program with Motion Code cards in late 2018.

Bankers who remember the shift to EMV might cringe at the thought of adopting another new card technology. But dynamic CVVs are different because they do not require merchants to adopt any new processes and do not create extra work for customers.

But one challenge with these more-secure cards will be their cost. A plastic card without an EMV chip costs about 39 cents. That cost rose to $2 to $3 a card with EMV. A card with the capability for a dynamic CVV could cost 5 times as much, averaging $12 to $15.

But advocates of the technology claim the benefits of eliminating card-not-present fraud more than cover the costs and could even increase revenue. French retail bank Société Générale S.A. worked with IDEMIA, formerly Oberthur Technologies, to offer cards with dynamic CVVs in fall 2016. The cards required no change in customers’ habits, which helped with their adoption, says Julien Claudon, head of card and digital services at Société Générale.

“Our customers appreciate the product and we’ve succeeded in selling it to customers because it’s easy to use.”

He adds that card-not-present fraud among bank customers using the card is “down to almost zero.”

Eliminating card-not-present fraud can also eliminate the ancillary costs of fraud, says Megan Heinze, senior vice president for financial institutions activities in North America at IDEMIA. She says card fraud is estimated to cost banks up to $25 billion by 2020.

“A lot of prime customers ask for the card the next day. The issuer then has to get the card developed—sending a file out that has to be printed—and then it’s FedExed. The average FedEx cost is around $10. The call to the call center [costs] around $7.50,” she says. “So that’s $17. And that doesn’t even include the card.”

What’s more, dynamic CVVs could also create a revenue opportunity. Société Générale charges customers a subscription fee of $1 per month for the cards. The bank saw a more than 5 percent increase in new customers and increased revenue, according to Heinze.

Still, some are skeptical of how well a paid, consumer-based model would fare in the U.S. market.

“The U.S. rejected EMV because it was so expensive to do. It was potentially spending $2 billion to save $1 billion, and that’s what you have to look at with the use case of these [dynamic CVV] cards,” says Brian Riley, director of credit advisory service for Mercator Advisory Group. “If it tends to be so expensive I might want to selectively do it with some good customers, but for the mass market there’s just not a payback.”

Still, dynamic CVVs are an interesting solution to the big, expensive problem of card-not-present fraud. While some institutions may wait until another card mandate hits, adopting dynamic CVV now could be a profitable differentiator for tech-forward banks.

Potential Technology Partners

IDEMIA

Idemia’s Motion Code technology powers cards for Société Générale and is being piloted by PNC and WorldPay.

GEMALTO

Gemalto’s Dynamic Code Card hasn’t been publicly linked to any bank or issuer names, but the company cites its own 2015 Consumer Research Project for some impressive statistics on customer demand for dynamic CVV cards.

SUREPASS ID

SurePass ID offers a Dynamic Card Security Code. The company’s founder, Mark Poidomani, is listed as the inventor of several payment-related patents.

FITEQ

FiTeq’s dynamic CVV requires cardholders to push a button to generate a new CVV code.

VISA AND MASTERCARD

Visa and Mastercard are leveraging dynamic CVV codes in their contactless cards.

Learn more about the technology providers in this piece by accessing their profiles in Bank Director’s FinXTech Connect platform.

How And Where Blockchain Fits in Traditional Banking


Many banks haven’t found an efficient way to deal with issues like payment clearing inefficiencies, consumer fraud, and the general limitations of fiat currencies.

Blockchain, however, may be the go-to solution for many of these challenges.

Issues Traditional Banks Face Today
Traditional banks and financial institutions have faced some challenges for decades, but we have yet to see the technical innovations to mitigate or eliminate them, including inefficient payment clearing processes, fraud and currency options.

Inefficient Payment Clearing Processes
One of the biggest roadblocks that banks face today is how to quickly clear payments while complying with regulatory procedures. The number of payment clearing options available in 2018 is not different from the options available in 2008 – a decade ago.

In the U.S., for example, same-day ACH is likely considered to be the biggest improvement during this decade. Only in recent years have cross-border fintech applications emerged that reduce payment clearing costs and wait times. For the most part, we are still stuck with old architectures that lack innovation, efficiency and the data to make a meaningful impact on money laundering and fraud reduction.

Inability to Stop Fraud
Fraud has always been notoriously difficult to stop. Unfortunately, this remains the case even today. Fraud costs are so high in the US that interchange fees paid by merchants are some of the highest in the world. Despite an increase of available identity fraud detection systems, banks are still unable to make a material improvement in fraud reduction.

For banks, this leads to financial losses in cases where funds are paid to the fraud victim. For customers, this can reduce trust in the bank. For merchants, it means higher fees for facilities, which creates higher costs for customers. Additionally, customers often wait to receive a new bank card. In 2017 alone, the cost of data lost to identity theft totaled $16.8 billion.

Limited Number of Currency Options
Fiat currencies are limited by geography and slim competition.

When we think about fiat currency around the globe, we have seen a steady move towards standardization. This presents risks for banks and consumers. For example, a heavy reliance upon a single national currency depends upon factors like economic growth and monetary policy.

Twenty-eight nations have experienced hyperinflation during the past 25 years. Not only did banks fail in some cases, but entire economies collapsed. Because there were no currency choices, the problem could not be easily avoided.

This process continues to happen in many locations globally.

Benefits of Blockchain Over Traditional Systems
There are ways blockchain can reduce or eliminate these issues for financial institutions.

More Efficient Approval Systems
When compared to traditional payment approval processes, many blockchains are already more efficient. Instead of waiting days for payments to go through clearinghouses, a well-designed blockchain can complete the verification process in minutes or seconds. More importantly, blockchain also offers a more transparent and immutable option.

With innovations like KYC (Know Your Customer) and KYT (Know Your Transaction) checks applied to transactions conducted via blockchain, banks can be more capable of preventing finance-related crimes. This means traditional finance can more effectively comply with laws for AML (Anti-Money Laundering), ATF and more.

In addition, legitimate transactions can be approved at a lower cost.

No More Fraud
While fraud seems like a pervasive issue in society, this can be reduced using technology. Blockchain can change how people prove identity and access services.

Instead of having to wait to stop a case of fraud, blockchain can stop transactions before they ever occur. The Ivy Network will have smart contracts which will allow banks and financial institutions to review a transaction and supporting KYC and KYT before accepting the deposit. Because blockchain transactions are immutable, we could see a reduction in counterfeiting of paper currency and consumer products.

Increased Digital Payment Options
While blockchain has many use cases, this is one example of how technology can change finance and the global economy. In the early days of cryptocurrency, there was really only bitcoin. Now, there is a range of coins and tokens like Ivy that serve important purposes within existing regulatory and legislative frameworks.

One of the biggest misconceptions is crypto and fiat payment systems have to be direct competitors. By creating a blockchain protocol that links fiat and cryptocurrency, businesses and consumers can have more, better market choices and use cases for cryptocurrency.

At the same time, financial institutions can serve an important role in the future of digital payments and fiat-crypto currency conversions.

As financial institutions look to solve many challenges they face around payment clearing inefficiencies, consumer fraud, and the limitations of fiat currencies, blockchain is a viable solution. Financial institutions that fail to embrace blockchain’s potential will face heightened monetary and reputational risks, and miss opportunities for growth and innovation.

What Bank Directors Are Worried About Now


Apparently, bank directors are a very worried bunch. Nearly 20 members of Bank Director’s membership program responded to the question posed in last month’s newsletter: “What worries you most about the future?” We’ve compiled a word cloud that shows which words came up most often in bank directors’ responses, followed by direct quotes.


Scandals and Internal Audit: Where Banks Can Do Better


Many well-known banks are paying billions of dollars to settle allegations of a wide range of wrongdoing. Directors at all financial institutions would be wise to ask how these things could happen without internal controls preventing or promptly detecting them. Is there a systemic weakness in internal controls that could also affect your institution? Studying The Institute of Internal Auditors’ (IIA) last Global Audit Survey in light of recent events suggests there is such a weakness and that it impairs 62 percent of the internal audit functions in the financial services industry.

Widespread noncompliance
So what’s the issue? Essentially, an alarmingly high proportion of internal audit functions are failing to comply with the “International Standards for the Professional Practice of Internal Auditing,” which set out basic requirements that the IIA considers essential for an internal audit function. The IIA mandates that members comply fully with its Standards. Failure to do so is a violation of the IIA’s Rule of Conduct 4.2.

This is not just a paperwork issue: it is substantive and affects the quality and reliability of internal audits. According to the IIA’s Global Internal Audit Survey, last conducted in 2010, only 38 percent of finance industry chief audit executives self-reported that their internal audit function complied fully with the IIA’s quality assurance standard, AS 1300: Quality Assurance and Improvement Program. Self-reported compliance with other IIA standards was higher, but still worryingly short of what investors, regulators and bank directors might reasonably expect. Only 60.6 percent of chief audit executives said they complied fully with PS 2600: Resolution of Senior Management’s Acceptance of Risks. This standard requires them to inform the board of directors if management failed to resolve risk-taking that the chief audit executive believed to be excessive—an extremely important issue for directors.

Looking at two of the simplest, most basic standards, while 76.1 percent complied with AS 1200: Proficiency and Due Professional Care, that still means that nearly a quarter of internal audit employees in the finance industry apparently operated without the skills necessary to do their job properly or failed to conduct their work with appropriate care. For AS 1100: Independence and Objectivity, chief audit executives self-reported 83.4 percent compliance, suggesting that one-sixth of internal audit departments in finance failed to meet the requirements to be independent and objective, a fundamental tenet of auditing.

I have many friends who are internal auditors whom I respect highly, yet the internal audit profession has allowed the IIA standards to be widely disregarded without disciplinary consequences. This situation has been going on for years, is well-known within the internal audit profession, but has not been well communicated to the broader financial community.

In addition to putting their reputation at risk, bank directors who allow such noncompliance to occur at their financial institution may expose themselves to allegations of negligence and breach of their duty of care.

Actions You Can Take
Some actions you can take to help your bank deal with this issue are:

  • Ask your chief audit executive whether the internal audit function operates in full compliance with all IIA standards. If it is not, ask why and whether there’s a plan to come quickly into compliance. Probe, with professional skepticism, any negative responses.
  • If there is noncompliance, identify potential legal, regulatory, financial and reputational risks, as well as the potential impact on the effectiveness of the entity’s enterprise risk management.
  • Work with your chief audit executive, chief financial officer, chief executive officer and board chair to implement any appropriate changes to bring your bank’s internal audit promptly into full compliance with all IIA standards as a minimum level of quality. Going beyond the minimum standards may also be necessary for more sophisticated entities and those with high risks.

Conclusion
Internal audit is a key internal control for preventing and detecting major fraud and other wrongdoing at banks. Customers, investors and other stakeholders can reasonably expect bank directors to ensure that their internal audit functions meet, or exceed, IIA standards. Bank directors can help internal audit get sufficient moral and financial support from management and the board to comply fully with IIA standards.

Be Prepared: The Board’s Role in Monitoring Fraud


For Banker, By Banker Video Series
Knowing the bank’s risks, including the potential for internal and cyber fraud, is an important responsibility for board members. As part of our For Banker, By Banker video series, Mary Beth Vitale outlines steps the board can take to identify and prepare for potential fraud. She is the nominating and governance committee chairman for Denver-based CoBiz Financial Inc., the $2.6-billion asset financial services company offering commercial banking and other services.


Avoiding Liability for Online Banking Fraud


If you are a community bank executive, imagine facing this unpleasant scenario: Your head of operations calls to tell you that one of the bank’s largest customers suffered a computer hack and millions of dollars were transferred out of the customer’s accounts.

This situation will deliver a severe stress test to your bank’s operational systems. Were the right procedures in place? Were they followed? Are you liable and is the loss insurable? When your biggest customer has taken a crushing financial loss and is desperately looking for a source of recovery, you don’t want to be discovering for the first time that there were some basic steps you could have taken. While hacking can never be prevented entirely, a careful bank can avoid liability for a hacking incident. A careless bank can be forced to absorb the customer’s loss, plus interest and other amounts.

In most cases, the fraud is discovered well after deadlines for reversing or cancelling the transfer. However, depending on applicable state law, there may be a way to impose a freeze on the funds by delivering the correct affidavit and/or indemnity. Sometimes, if there is a reasonable basis for believing the funds have not left the destination account, the bank’s attorneys can impose a temporary restraining order to freeze the funds in place. The success of such measures is highly uncertain, given the strict deadlines that apply to funds transfers. If the funds were sent outside the U.S., then legal recourse is usually limited or unavailable as a practical matter.

Insurance of course is vital and all community banks should ensure that they (and hopefully their customers) have a policy directly covering losses caused by unauthorized online transfers. It is well worth the time to “stress test” your policy by running through a common online fraud scenario. Does your insurance application accurately describe all of your online banking operations? And, is the coverage amount adequate if a criminal drains all the funds in your largest business deposit account? Because these cases are almost always litigated, you need to know that your defense costs are squarely covered and that the policy limit is enough to cover defense costs and the dollar amount of your customer’s loss.

After a loss, observe the basics in obtaining coverage such as not agreeing to settle with your customer without the insurer’s express consent. Even if all of these issues are adequately addressed, a bank may still face an insurer that denies coverage for at least a portion of the bank’s costs, delays a coverage determination or obstructs a settlement, forcing the bank to litigate with its customer.

Far better than relying on only an assumed insurance coverage is a thorough review of the bank’s policies and account documents to ensure the bank can withstand a massive online fraud on one of its business customers. Do your operations, Bank Secrecy Act and information technology teams understand what the others are doing with regard to online fraud prevention? Are you positive that your team has pored over the Federal Financial Institutions Examination Council guidance on “Authentication in an Internet Banking Environment” (supplemented in June 2011) and made a thoughtful choice as to the online banking security and anti-fraud procedures the bank will follow and offer to its customers?

Keep in mind a recent harsh federal court decision in the Patco Construction Co. case (July 2012, First Circuit Court of Appeals in Boston) that faulted a bank for not using features of its computer system that the court theorized could have been used to prevent the account hijacking. The court also faulted the bank for taking a uniform approach to fraud prevention, i.e., not taking the customer’s particular circumstances into account. It is generally worth the investment to seek written assurance from legal and/or security experts as to compliance of the bank’s online security with FFIEC guidance and with the requirements of Uniform Commercial Code Article 4A.

There is a continuing clash between the security a bank wants its customers to implement and what the customers are actually willing to do. A bank is not required to force its customers to adopt and follow all security best practices, but it should carefully document its offer of additional security precautions and the customer’s rejection of the offer. 

Once a bank has designed a suitable online security program, the bank must ensure careful compliance with those procedures. Banks’ security procedures do evolve and change over time. It is critically important to know what the bank’s actual procedures are so that new personnel can seamlessly comply and the bank’s auditors can accurately audit compliance. 

A bank should also inventory and review the agreements, certifications and other documents that affect the relative rights and obligations of the bank and its customers with respect to online fraud. If the bank’s form documentation is outdated, then those documents may allocate far more liability to the bank than banking regulations require or that is acceptable in the industry. 

Designing and following robust and compliant online security procedures is necessary to avoid catastrophic liability for a bank. It is also smart business. Senior management that thoroughly understands the bank’s security system is a management team that can then communicate the value of that system to customers and enhance the value of the franchise.

Top Ten Cybersecurity Trends for Financial Services in 2012


Booz Allen Hamilton, a consulting firm serving federal, nonprofit and commercial clients, recently had this report on the top ten financial services cybersecurity trends for 2012:

  1. The exponential growth of mobile devices drives an exponential growth in security risks. Every new smart phone, tablet or other mobile device opens another window for a cyber attack, as each creates another vulnerable access point to networks.

  2. Increased C-suite targeting. Senior executives are no longer invisible online. Firms should assume that hackers already have a complete profile of their executive suite and the junior staff members who have access to them.

  3. Growing use of social media will contribute to personal cyber threats. A profile or comment on a social media platform—even by the CEO’s son or sister—can help hackers build an information portfolio that could be used for a future attack.

  4. Your company is already infected, and you’ll have to learn to live with it—under control. Security should remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection—the focus of cybersecurity tactics increasingly must be to analyze, detect and expunge threats inside your system.

  5. Everything physical can be digital. The written notes on a piece of paper, the report binder and even the pictures on the wall can be copied in digital format and gleaned for the tools to allow a hacktivist-type of security violation, and increasingly this will be a problem.

  6. More firms will use cloud computing. The significant cost savings and efficiencies of cloud computing are compelling companies to migrate to the cloud. A well designed architecture and operational security planning will enable organizations to effectively manage the risks of cloud computing.

  7. Global systemic risk will include cyber risk. As banks and investment firms continue on the path to globalization, they will become increasingly inter-connected. A security breach at one firm can create negative ripple effects that greatly impact systemic risk in financial markets.

  8. Zero-day malware (malicious software) and organized attacks will continue to increase. Like a vicious, insidious virus that mutates, the tools of cyber criminals adapt and change constantly, rendering the latest defenses useless. Firms need to be prepared to adapt quickly as well to zero-day malware and the tactics of organized crime and foreign adversaries that are increasingly used today.

  9. Insider threats are real. The accidental insider breach will continue to be the primary source of compromise for the Advanced Persistent Threat (APT) and other attacks. Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access.

  10. Increased regulatory scrutiny. Recently, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result in, cyber theft or a risk of compromised data considered material.


New Guidance Raises the Bar for Bank Internet Security


On the morning of January 22, 2009, an employee of Experi-Metal in Macomb County, Michigan, a manufacturer for the auto industry, received an email forwarded from a colleague. It appeared to come from the company’s financial institution, Dallas-based Comerica Bank, and said: “Comerica Business Connect Customer Form.” The employee followed the link to another web site, where he complied with instructions to type in his secure login for the company’s bank account and other identifying information.

Sometime between the hours of 7:30 a.m. and 2:02 p.m. that day, 93 fraudulent payment orders totaling $1.9 million were executed on the company’s account.

Comerica eventually recovered all but $561,399. Experi-Metal sued the bank for its loss and won the case last month, putting Comerica on the hook for the fraud.

A Comerica spokesman, Wayne Mielke, said the company is considering alternatives, including a possible appeal.

U.S. District Court Judge Patrick Duggan wrote in his opinion that he considered multiple factors as to whether the bank acted in “good faith,” using “commercially reasonable” security measures. Among clues that something was going wrong at Experi-Metal: The sheer volume and frequency of the fraudulent transactions; a $5 million overdraft executed on an account with normally a zero balance; a history of limited wire activity on the part of the company; and the destinations and beneficiaries of those funds (banks in places such as Russia or Estonia, long known as hubs for such fraud).

That case emphasizes the importance of looking for anomalies in accounts—missing those could make a bank liable for fraud. There are other reasons why providing customers with a login and password is not enough.

Michael Dunne, an attorney with Day Pitney in Parsippany, New Jersey, thinks the new guidance issued last month from federal regulators—the Federal Financial Institutions Examination Council—raises the bar much higher in terms of what’s “commercially reasonable,” the legal standard for what a bank is supposed to provide in terms of Internet security for customers.

No longer can banks rely on dual-factor security, typically a login and password plus something like a security token that recognizes the computer or other device that is logging in. That dual-factor security was OK under the 2005 guidance on Internet security, Dunne says. Now, banks will have to introduce even more layers of security on top of that, which many of them already are doing.

An example of an extra layer would be email notifications to the customer every time payments are requested on the account.

At a minimum, banks will now be required to have a process that detects anomalies and responds to them, such as a customer suddenly initiating 93 payment orders for $1.9 million in one day, where few such transactions occurred before.

Banks also must have controls for system administrators on business accounts. Such a person could have the ability to approve all transactions on a commercial account when multiple employees have access to the account.
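As an added illustration, not code from the article or from either bank, here is how the anomaly signals the judge listed (volume and frequency, an overdraft on a normally empty account, amounts out of line with prior wire activity, high-risk destinations) and the dual-control requirement for business accounts could be scored over a day's payment orders. The account profile, the high-risk country list and the sample orders are constructed assumptions; the figures echo the article (93 orders, $1.9 million, a zero-balance account) but are not real data.

```python
"""Added example: scoring one day's payment orders against an account's own
history for the anomaly signals described in the article. Not the bank's code."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional

# Assumption: an illustrative high-risk destination list built from the
# countries the article names; a bank would use its own risk/sanctions data.
HIGH_RISK_COUNTRIES = {"RU", "EE"}


@dataclass(frozen=True)
class PaymentOrder:
    ts: datetime
    amount: float
    dest_country: str              # ISO 3166 alpha-2 code of the beneficiary bank
    initiator: str                 # user who submitted the order
    approver: Optional[str] = None  # second user who approved it, if any


@dataclass(frozen=True)
class AccountProfile:
    avg_wires_per_day: float  # from the account's prior history (constructed)
    max_prior_wire: float     # largest single wire seen historically
    ledger_balance: float     # balance at the start of the day


def detect_anomalies(orders: List[PaymentOrder], profile: AccountProfile,
                     burst_window=timedelta(minutes=30), burst_count=5) -> List[str]:
    """Return human-readable reasons the day's activity looks anomalous.
    An empty list means nothing tripped."""
    reasons = []
    if not orders:
        return reasons
    n = len(orders)
    total = sum(o.amount for o in orders)

    # 1. Sheer volume and frequency versus the account's own baseline.
    if n > max(3, 10 * profile.avg_wires_per_day):
        reasons.append(f"volume: {n} orders vs ~{profile.avg_wires_per_day:.1f}/day historically")
    ordered = sorted(orders, key=lambda o: o.ts)
    for i in range(len(ordered) - burst_count + 1):
        if ordered[i + burst_count - 1].ts - ordered[i].ts <= burst_window:
            reasons.append(f"burst: {burst_count}+ orders within {burst_window}")
            break

    # 2. Overdraft: payments exceeding what the account actually holds.
    if total > profile.ledger_balance:
        reasons.append(f"overdraft: ${total:,.0f} requested against ${profile.ledger_balance:,.0f} balance")

    # 3. Amounts out of line with the account's limited prior wire activity.
    big = [o for o in orders if o.amount > 2 * profile.max_prior_wire]
    if big:
        reasons.append(f"size: {len(big)} orders above 2x the largest prior wire (${profile.max_prior_wire:,.0f})")

    # 4. Beneficiaries in jurisdictions the bank treats as high risk.
    risky = sorted({o.dest_country for o in orders if o.dest_country in HIGH_RISK_COUNTRIES})
    if risky:
        reasons.append(f"destination: beneficiaries in {', '.join(risky)}")
    return reasons


def unapproved_orders(orders: List[PaymentOrder]) -> List[PaymentOrder]:
    """Dual control: each order needs an approver distinct from its initiator."""
    return [o for o in orders if o.approver is None or o.approver == o.initiator]


def review_day(orders: List[PaymentOrder], profile: AccountProfile) -> dict:
    """Combine the checks into a hold/release decision with its reasons."""
    reasons = detect_anomalies(orders, profile)
    missing = unapproved_orders(orders)
    if missing:
        reasons.append(f"dual control: {len(missing)} orders lack independent approval")
    return {"hold": bool(reasons), "reasons": reasons}


# Constructed sample data modelled on the article's figures: 93 orders totalling
# $1.9M, submitted every few minutes from an account that normally carries no balance.
START = datetime(2009, 1, 22, 7, 30)
SUSPICIOUS_DAY = [
    PaymentOrder(START + timedelta(minutes=4 * i), 1_900_000 / 93,
                 "RU" if i % 2 else "EE", initiator="ap_clerk")
    for i in range(93)
]
EXPERI_PROFILE = AccountProfile(avg_wires_per_day=0.2, max_prior_wire=8_000.0, ledger_balance=0.0)

# A routine day on the same account, funded for the one wire it sends.
NORMAL_DAY = [PaymentOrder(START, 12_500.0, "US", initiator="ap_clerk", approver="controller")]
FUNDED_PROFILE = replace(EXPERI_PROFILE, ledger_balance=15_000.0)

if __name__ == "__main__":
    for label, day, prof in (("suspicious", SUSPICIOUS_DAY, EXPERI_PROFILE),
                             ("normal", NORMAL_DAY, FUNDED_PROFILE)):
        print(label, review_day(day, prof))
```

Each reason is phrased against the account's own baseline rather than a fixed bank-wide threshold, which is the point the opinion makes: the same 93 orders would be unremarkable for a treasury desk and glaring for a company with a history of limited wire activity. The dual-control check is kept separate from the anomaly scoring so that a missing second approval holds an order even on a day that otherwise looks normal.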

The guidance goes into effect in January for bank examinations, but Dunne thinks it could have an impact much earlier, in terms of the lawyers bringing up the new standard in court cases where banks get sued by victims of fraud.

Where is all the bailout fraud?


fraud.jpgNeil Barofsky stepped down this week as the official watchdog for the $700 billion Troubled Asset Relief Program, a safety net for just about everyone during the financial crisis, from banks to car companies to homeowners. As the special inspector general for the Troubled Asset Relief Program (STIGTARP), Barofsky has done a great deal to highlight problems and pinpoint areas for improvement.

He has repeatedly criticized the U.S. Treasury, for example, for its handling of the TARP Home Affordable Modification Program, which failed to live up to its lofty goal of saving three million to four million households from foreclosure.

But in one respect, Barofsky takes a little too much credit.

He said in his organization’s last quarterly report to Congress, in January, that it had 142 ongoing criminal and civil investigations, resulting in 13 criminal fraud convictions.

But none of the law enforcement investigations described in the report involve stolen taxpayer dollars. Two of the companies mentioned, The Shmuckler Group and Residential Relief Foundation, were accused of swindling homeowners by promising to modify mortgages in exchange for fees. (The Home Affordable Modification Program does try to help struggling homeowners modify mortgages through their banks, but without any upfront fees for homeowners.)

Another case is the prosecution of bank officers at Colonial Bank and the mortgage lender Taylor, Bean & Whitaker. Prosecutors believe Colonial Bank tried to obtain $550 million in TARP program money using fraudulent mortgages cooked up by officers at Taylor, Bean & Whitaker, according to The New York Times. (The case is ongoing.) Again, no TARP money was obtained by the bank, but The New York Times says the case got started when SIGTARP became suspicious of the size of the bank’s TARP application.

In another case, Gordon Grigg, who is now serving a 10-year prison term, was convicted in Nashville, Tennessee, of stealing at least $6 million from investors. Grigg promised at least one investor he could invest in TARP-related debt, although no such investment opportunity exists. I was a reporter covering a press conference in Nashville in 2009 when Barofsky flew in from Washington, D.C. to join federal and local law enforcement officials announcing the charges against Grigg. It was advertised as the first TARP-related fraud case, and it got national media attention.

Again, no actual TARP money was involved.

Still, the law enforcement end of SIGTARP presses on. The watchdog agency has 45 armed officers and 27 vehicles equipped with lights and sirens, and recently asked Congress for additional money to upgrade vehicles, according to a recent CNBC story.

A spokeswoman for SIGTARP, Kris Belisle, confirmed that report and said the agency has been successful in stopping people from using TARP money fraudulently.

That may be the case. But after more than two years of TARP, the lack of fraud involving taxpayer dollars disclosed so far by all these armed investigators is surprising. Is that because none exists, or is that because we haven’t found it?