New Guidance Raises the Bar for Bank Internet Security

On the morning of January 22, 2009, an employee of Experi-Metal in Macomb County, Michigan, a manufacturer for the auto industry, received an email forwarded from a colleague. It appeared to come from the company’s financial institution, Dallas-based Comerica Bank, and said: “Comerica Business Connect Customer Form.” The employee followed the link to another web site, where he complied with instructions to type in his secure login for the company’s bank account and other identifying information.

Sometime between the hours of 7:30 a.m. and 2:02 p.m. that day, 93 fraudulent payment orders totaling $1.9 million were executed on the company’s account.

Comerica eventually recovered all but $561,399. Experi-Metal sued the bank for its loss and won the case last month, putting Comerica on the hook for the fraud.

A Comerica spokesman, Wayne Mielke, said the company is considering alternatives, including a possible appeal.

U.S. District Court Judge Patrick Duggan wrote in his opinion that he considered multiple factors as to whether the bank acted in “good faith,” using “commercially reasonable” security measures. Among clues that something was going wrong at Experi-Metal: The sheer volume and frequency of the fraudulent transactions; a $5 million overdraft executed on an account with normally a zero balance; a history of limited wire activity on the part of the company; and the destinations and beneficiaries of those funds (banks in places such as Russia or Estonia, long known as hubs for such fraud).

That case emphasizes the importance of looking for anomalies in accounts—missing those could make a bank liable for fraud. There are other reasons why providing customers with a login and password is not enough.

Michael Dunne, an attorney with Day Pitney in Parsippany, New Jersey, thinks the new guidance issued last month from federal regulators—the Federal Financial Institutions Examination Council—raises the bar much higher in terms of what’s “commercially reasonable,” the legal standard for what a bank is supposed to provide in terms of Internet security for customers.

No longer can banks rely on dual-factor security, typically a login and password plus something like a security token or a check that recognizes the computer or other device that is logging in. That dual-factor security was acceptable under the 2005 guidance on Internet security, Dunne says. Now, banks will have to introduce even more layers of security on top of that, which many of them already are doing.

An example of an extra layer would be email notifications to the customer every time payments are requested on the account.

At a minimum, banks will now be required to have a process that detects anomalies and responds to them, such as a customer suddenly initiating 93 payment orders for $1.9 million in one day, where few such transactions occurred before.
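As an added illustration (not part of the original article, and not any bank's actual system), the following Python sketch scores one day's wire orders against the customer's own baseline using the factors the court weighed and the guidance now requires banks to watch for: volume and frequency, overdraft on a normally empty account, and unusual or high-risk destinations. The profile, thresholds and sample orders are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not figures from the court record): a customer
# profile derived from prior activity, and one day's outgoing wire orders.
PROFILE = {
    "avg_orders_per_day": 0.1,   # history of limited wire activity
    "typical_balance_usd": 0.0,  # account normally carries a zero balance
    "known_countries": {"US"},   # where prior beneficiaries were located
}
HIGH_RISK_COUNTRIES = {"RU", "EE"}  # destinations the opinion singled out

def review_day(orders, profile, opening_balance_usd):
    """Score one day's wire orders against the customer's own baseline;
    'hold' means queue the batch for out-of-band confirmation."""
    flags = set()
    count = len(orders)
    total = sum(o["amount_usd"] for o in orders)
    # 1. Sheer volume relative to this customer's history, not a global limit.
    if count >= 5 and count > 10 * profile["avg_orders_per_day"]:
        flags.add("volume")
    # 2. Frequency: many orders compressed into one short window.
    if count >= 5:
        stamps = sorted(datetime.fromisoformat(o["time"]) for o in orders)
        if (stamps[-1] - stamps[0]).total_seconds() <= 8 * 3600:
            flags.add("burst")
    # 3. Overdraft on an account that normally holds (near) zero.
    if total > opening_balance_usd and profile["typical_balance_usd"] < 0.1 * total:
        flags.add("overdraft")
    # 4. Destinations: known fraud hubs, or countries never paid before.
    countries = {o["beneficiary_country"] for o in orders}
    if countries & HIGH_RISK_COUNTRIES:
        flags.add("high_risk_destination")
    if countries - profile["known_countries"]:
        flags.add("new_destination")
    return {"count": count, "total_usd": total,
            "flags": sorted(flags), "hold": len(flags) >= 2}

def sample_orders():
    """Six constructed orders in five hours, mostly to high-risk countries."""
    return [
        {"time": f"2009-01-22T{h:02d}:15:00", "amount_usd": 20_000.0,
         "beneficiary_country": c}
        for h, c in zip(range(8, 14), ["RU", "EE", "RU", "US", "EE", "RU"])
    ]

if __name__ == "__main__":
    print(review_day(sample_orders(), PROFILE, opening_balance_usd=0.0))
```

The point of scoring against the customer's own history rather than a fixed dollar limit is that 93 orders in a day is ordinary for some businesses and wildly abnormal for one with almost no prior wire activity.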

Banks also must have controls for system administrators on business accounts. Such a person could have the ability to approve all transactions on a commercial account when multiple employees have access to the account.

The guidance goes into effect in January for bank examinations, but Dunne thinks it could have an impact much earlier, in terms of the lawyers bringing up the new standard in court cases where banks get sued by victims of fraud.

Stop me if you’ve heard this one…

…an IT salesman walks into a bank.

Now, if such a thought sends you running for the nearest exit, you might pause and consider that a number of institutions — both big and small — are implementing new technology strategies to lower costs for retaining clients, improve operating efficiencies and differentiate their brands and customer offerings.

That said, I know for many executives, talking tech can be a foreign, four-letter, budget-busting concept. So let me help you based on personal experience and professional interests.

I’ll admit that my days of devouring sports updates on my Boston teams have given way to similar searches for insights on the financial industry. And so as we continue to invest in Bank Director’s future, I’m taking a long, hard look at the technology companies that support the community. Splitting time between California and the east coast last week, I found myself reading a number of white papers, reports and blogs about the risks — and potential rewards — of new technologies in our community: here are two that I thought bank executives shouldn’t overlook. One comes from our friends at American Banker (FinTech100); the other, from global IT consultant Accenture (vis-a-vis their financial services publication).

As someone who has evaluated a number of web-based tools designed to better predict behavior, I’m bullish on the adoption of new technologies to maximize a customer’s experience. If you’re interested in seeing who’s who in the technology industry as it applies to financial institutions, the FinTech 100 list is a good place to start. So too will be a new offering coming from Bank Director later this month — BankBusiness. Why the drive to identify potential vendors? Simple: Accenture opines that the financial crisis and subsequent economic reforms have made profitable but risky sub-prime segments less attractive to many institutions, [so] the future of banks rests increasingly on sustainable long-term relationships with high-quality customers. Intuitive? Perhaps. But the consultancy identified the following emerging customer behaviors that should make all of us sit up and take notice:

According to the firm’s research, your customers “have gone through several major changes in recent years, from diminished loyalty to—and trust in financial institutions—to heightened expectations for seamless multichannel customer service and simple, transparent products… With loyalty to banks at all-time lows, the good news is that the time is right for those with superior customer experience and cost-to-serve management to win new business.”

So what emerging technologies might catapult your bank’s business? In isolation, I’d be hard pressed to answer. As part of an institution’s systematic, data-driven approach? The foundation for future posts…