New Guidance Raises the Bar for Bank Internet Security


On the morning of January 22, 2009, an employee of Experi-Metal in Macomb County, Michigan, a manufacturer for the auto industry, received an email forwarded from a colleague. It appeared to come from the company’s financial institution, Dallas-based Comerica Bank, and said: “Comerica Business Connect Customer Form.” The employee followed the link to another web site, where he complied with instructions to type in his secure login for the company’s bank account and other identifying information.

Sometime between the hours of 7:30 a.m. and 2:02 p.m. that day, 93 fraudulent payment orders totaling $1.9 million were executed on the company’s account.

Comerica eventually recovered all but $561,399. Experi-Metal sued the bank for its loss and won the case last month, putting Comerica on the hook for the fraud.

A Comerica spokesman, Wayne Mielke, said the company is considering alternatives, including a possible appeal.

U.S. District Court Judge Patrick Duggan wrote in his opinion that he considered multiple factors as to whether the bank acted in “good faith,” using “commercially reasonable” security measures. Among clues that something was going wrong at Experi-Metal: The sheer volume and frequency of the fraudulent transactions; a $5 million overdraft executed on an account with normally a zero balance; a history of limited wire activity on the part of the company; and the destinations and beneficiaries of those funds (banks in places such as Russia or Estonia, long known as hubs for such fraud).

That case emphasizes the importance of looking for anomalies in accounts—missing those could make a bank liable for fraud. There are other reasons why providing customers with a login and password is not enough.

Michael Dunne, an attorney with Day Pitney in Parsippany, New Jersey, thinks the new guidance issued last month from federal regulators—the Federal Financial Institutions Examination Council—raises the bar much higher in terms of what’s “commercially reasonable,” the legal standard for what a bank is supposed to provide in terms of Internet security for customers.

No longer can banks rely on dual-factor security, typically a login and password plus something like a security token that recognizes a computer or other device that is logging in. That dual-factor security was OK in the 2005 guidance on Internet security, Dunne says. Now, banks will have to introduce even more layers of security on top of that, which many of them already are doing.

An example of an extra layer would be email notifications to the customer every time payments are requested on the account.

At a minimum, banks will now be required to have a process that detects anomalies and responds to them, such as a customer suddenly initiating 93 payment orders for $1.9 million in one day, where few such transactions occurred before.
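As an added illustration of the anomaly process described above (this is not code from the article, Comerica, or the FFIEC guidance), the script below checks one day's payment orders against an account's history using the factors the court cited; the account profile, thresholds, country codes and sample orders are all constructed:

```python
# Added example, not code from the article, Comerica, or the FFIEC guidance.
# It checks one day's payment orders against an account's history using the
# factors the court cited: order volume far above the norm, an overdraft on an
# account that normally holds a zero balance, and beneficiaries in countries
# the opinion names as fraud hubs. Profile, thresholds and orders are constructed.
from dataclasses import dataclass

HIGH_RISK_COUNTRIES = {"RU", "EE"}  # Russia, Estonia (ISO codes; assumption)


@dataclass
class PaymentOrder:
    amount: float
    beneficiary_country: str


@dataclass
class AccountProfile:
    typical_daily_orders: float  # average wires per day from account history
    typical_balance: float       # balance the account normally carries


def flag_anomalies(profile: AccountProfile, orders: list, volume_factor: float = 5.0) -> list:
    """Return the reasons a day's orders should be held for review (empty if none)."""
    reasons = []
    count = len(orders)
    total = sum(o.amount for o in orders)
    # Volume/frequency: far more orders than the account's history supports.
    if count > max(1.0, profile.typical_daily_orders * volume_factor):
        reasons.append(f"volume: {count} orders vs. about {profile.typical_daily_orders:.1f}/day historically")
    # Overdraft: the day's total exceeds what the account normally holds.
    if total > profile.typical_balance:
        reasons.append(f"overdraft: ${total:,.0f} requested against a ${profile.typical_balance:,.0f} balance")
    # Destination: any beneficiary in a high-risk country.
    risky = sum(1 for o in orders if o.beneficiary_country in HIGH_RISK_COUNTRIES)
    if risky:
        reasons.append(f"destination: {risky} order(s) to high-risk countries")
    return reasons


# Constructed samples: a near-dormant zero-balance account hit with 93 orders in
# one day, mostly to Russia and Estonia, versus an ordinary domestic wire.
SAMPLE_PROFILE = AccountProfile(typical_daily_orders=0.1, typical_balance=0.0)
SAMPLE_ORDERS = [PaymentOrder(20_000.0, "RU")] * 50 + [PaymentOrder(21_000.0, "EE")] * 43
NORMAL_PROFILE = AccountProfile(typical_daily_orders=0.5, typical_balance=50_000.0)
NORMAL_ORDERS = [PaymentOrder(4_500.0, "US")]

if __name__ == "__main__":
    for reason in flag_anomalies(SAMPLE_PROFILE, SAMPLE_ORDERS):
        print("HOLD:", reason)
    print("normal day flags:", flag_anomalies(NORMAL_PROFILE, NORMAL_ORDERS))
```

In practice the baseline would come from the account's actual transaction history rather than fixed numbers, and a hit would route the batch to a human reviewer rather than block it outright.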

Banks also must have controls for system administrators on business accounts. Such a person could have the ability to approve all transactions on a commercial account when multiple employees have access to the account.

The guidance goes into effect in January for bank examinations, but Dunne thinks it could have an impact much earlier, in terms of the lawyers bringing up the new standard in court cases where banks get sued by victims of fraud.

Audit Committee Members Face New Challenges


Audit committee members who participated in two separate roundtable discussions for public community banks at the Bank Director Peer Group sessions, held as part of the Bank Director Audit Committee Conference in Chicago on June 13, were able to let down their guard and share with their counterparts their experiences, uncertainties and pearls of wisdom. Despite being separated by thousands of miles, participants in both roundtable discussions shared their views on similar issues as if they were next-door neighbors.


It quickly became clear that the institutions represented in both groups are very focused on responding to an increase in regulatory scrutiny of how audit committees oversee the management of certain risks. This increasing level of scrutiny is being experienced now and is expected only to increase further in the foreseeable future.

Historically, audit committee members have focused primarily on their institutions’ higher-level financial measures and performance against budgets. In addition, audit committees have devoted a significant amount of attention to the results of exams such as internal audit, regulatory safety and soundness, and external audit findings.

In response to the expected increase in the level of regulatory oversight, however, additional areas of focus are now becoming part of the regular responsibilities of audit committees over and above their past approach. These include:

  • Monitoring credit concentrations
  • Monitoring classified loans
  • Compliance-related issues
  • Monitoring the remediation of exceptions noted by regulatory examiners, as well as internal and external audit
  • Understanding new initiatives and their related risks

Furthermore, to remain current on new issues, audit committee members are using tools such as self-assessment checklists, while also seeking out educational opportunities about new and emerging regulatory and accounting matters. Clearly, expectations are rising regarding engaging in and documenting participation in learning activities.


The members also discussed their interactions with and expectations of management. Because their relationships with management are generally collegial, it can be challenging at times to maintain the fierce independence that is expected of audit committees. Members agreed that reminding each other on a regular basis of their responsibilities helps them meet this challenge.

In addition, roundtable participants considered other approaches to holding their colleagues accountable for being productive committee members including attendance and participation requirements and peer evaluations. They also agreed that maintaining a culture of open and frank communication is vital in maintaining effective audit committee performance.

A few distinctions emerged between the two community bank roundtable groups, which were divided by size of institution. For example, members representing larger institutions (generally with more than $1 billion in total assets) have heard more from their regulators about formally documenting the identification and measurement of risks their institutions face as well as the mitigation of those risks – in other words, enterprisewide risk management. Members from smaller institutions indicated that risk identification, measurement, and mitigation were being documented less formally and generally their regulators have not asked them to do more.


Audit Committee 101: Back to Basics


Duty of care, loyalty and good faith are the basic foundations for every board member as they strive to increase revenue and shareholder value for their institutions. As the regulatory requirements continue to expand, the role of the audit committee is quickly following suit, leaving many bank audit committee members concerned about their effectiveness.

At Bank Director’s Bank Audit Committee conference in Chicago on June 14-15th, Robert Fleetwood, partner for Chicago-based law firm Barack Ferrazzano’s financial institutions group, and Todd Sprang, partner at the certified public accounting firm Clifton Gunderson, took a crowded room of audit committee members back to basics during their Audit Committee 101 session.


Cautioning that these are not one-size-fits-all requirements, Fleetwood and Sprang outlined a list of fundamentals and best practices for today’s audit committee members.

1. Understand your duties. Sprang suggested if you are unsure of your role or responsibilities, seek a tutorial from outside counsel to ensure that every member is comfortable with their duties.

2. Recognize the reputational risk to the organization and you as an individual. At the end of the day, you want to do the right thing by all parties. It’s never a good situation when a director has to admit that he/she didn’t read the materials or didn’t know what was going on at their institution.

3. Oversight. The primary role of the audit committee is to evaluate the audit process, oversee financial reporting, and assess the risk and control environment. To do this effectively, committee members should be asking lots of questions, requesting feedback and regularly discussing concerns.

4. Committee composition. Most boards typically look to local CPAs to fill their audit committee seats, yet having members with a wide range of expertise provides additional perspective and beneficial feedback.

5. Yes, you need a committee charter. Not only should the charter be reviewed on a regular basis to ensure that the board is complying, but it happens to be a great tool for setting agendas.

6. To rotate or not to rotate? Fleetwood recommended that if you do implement a rotation requirement, it take place after an extended period of time. The audit committee has a steep learning curve, and rotating frequently creates the risk of losing members before they have had a chance to peak.

7. Build a relationship with the external auditors. Communication is the key. Review your reports and materials ahead of time, and use the review session to ask them questions, get their perspectives on market trends, and request recommendations.

8. Internal audit reviews. Whether your institution uses in-house resources or outsources this process, a major red flag is a report with no findings. Ask why. You should always be finding ways to improve, rather than just going through the motions.

9. Setting the agenda. The agenda should follow the committee charter as well as include an annual checklist to work through regularly. Delegate the legwork to your experts and include them on the agenda periodically.

10. Attend the meetings. Distribute materials ahead of time, whether in print or through board portals, and include only what is necessary to review. Read the materials beforehand and attend in person at least quarterly.