Will new financial regulations help financial institutions reduce electronic transfer, online banking, and automated clearing house (ACH) fraud? That is the question being asked ahead of a wave of new regulations in the funds transfer and payments sector.
The financial regulatory environment is in flux. The Dodd-Frank Act in the US establishes guidelines to protect against fraud. In 2011, the Federal Financial Institutions Examination Council (FFIEC) issued supplemental guidance on protections from financial fraud. And in Europe, the pending single euro payments area (SEPA) initiative will consolidate and change the electronic funds transfer (EFT) landscape. But the problem of ACH, online banking and funds transfer fraud is beyond any regulatory solution.
Financial institutions (FIs) and their business customers need to be concerned about the threat of online payment fraud. Gartner estimates that small businesses in the US alone have lost more than US$2bn in recent years from fraudulent funds transfers. And a new generation of malware known as ‘banking trojans’ specifically targets financial transactions and it doesn’t discriminate between personal and business transactions.
Fraudulent electronic transfers from business accounts can cost corporations hundreds of thousands or even millions of dollars. In the US, the EFT Act (Reg E) protects consumers from online fraud, requiring FIs to cover any losses due to fraud. But it does not indemnify business banking accounts from the same type of online fraud. Corporate treasurers cannot depend on their FIs to cover losses from online transfer fraud.
However, FIs are not entirely off the hook, because the courts provide a backstop. In some cases, courts may hold the institution accountable for losses due to funds transfer fraud. In July 2012, in the case of ‘Patco Construction versus People’s United Bank’, a federal appellate court held that the bank’s procedures did not meet “commercially reasonable” standards and held the bank accountable for ACH fraud losses. So, FIs have a serious incentive to tighten defences against fraud for their business customers.
Fraud Knows No Boundaries
Regulations are location specific, but fraud is truly a global phenomenon. Cybercriminals are opportunistic and will find ways around nearly any regulatory requirement.
For example, using two-factor authentication for online banking and transfers is a widely accepted practice in Europe. The European Central Bank (ECB) recommends two-factor authentication for all online payments, for both individuals and businesses.
Yet the widespread deployment of this practice has not shut down the cybercriminals. Criminals have targeted customers of German banks using Man-in-the-Browser (MitB) malware called the Tatanga trojan. In this MitB attack, the malware victim enters the SMS authentication code sent by the bank into a fake web form. The malware uses that code to authenticate its own fraudulent transfer, while hiding the actual transaction from the user.
Fraud is Constantly Evolving
As the two-factor authentication exploit illustrates, it’s not enough to require a specific technology or strategy, because cybercriminals will quickly change their strategies.
According to the Aite Group, 25 million new unique strains of malware appeared in 2011, and that number will reach 87 million new variants by the end of 2015. The growing adoption of mobile devices such as smartphones and tablets is opening up an entirely new landscape for malware and fraud.
However, we can learn from legislative approaches that attempt to stay on top of the problem of funds transfer fraud through best practice. The primary example is the FFIEC security guidance, with its most recent update, the 2011 supplement. Intended for FIs, its lessons are useful for corporate treasurers as well.
The FFIEC guidance recognises that any individual authentication and fraud prevention technology can be compromised, and thus instructs FIs to put layered security and fraud prevention practices in place. These include risk assessments, user education, controls around business banking and higher-risk transactions, and the ability to detect and respond to suspicious activity.
While intended specifically for regulated FIs in the US, the practices outlined in the 2011 supplement could easily become the industry-standard practices – and hence the measure of what a court of law might recognise as commercially standard.
Beyond their legal value, the FFIEC guidelines outline a reasoned, effective and risk-balanced way to address the growing problem of online fraud. In that sense, the FFIEC guidance is relevant to every business that does EFTs. Here are a few ways to apply the guidelines to build your own layered defences.
Preventing Account Takeover
Cybercriminals can take over an account by stealing credentials through various means, or by infecting an authorised individual’s computer with malware. Even two-factor authentication is not sufficient protection on its own.
Putting protections in place to spot logins made with stolen credentials, for example by checking IP addresses and device attributes, can help reduce fraud incidents. Complex device identification technologies can reveal when the device attributes do not match those of the authorised user: the device could be connecting from an unexpected geographic location, hiding behind a proxy, or be part of a known botnet. Complex device identification can see through these tricks.
Proactively Monitor and Approve High-risk Transactions
Put extra defences around high-risk transactions, such as EFTs exceeding a specific volume, and ensure that you proactively monitor and approve them.
You might also require explicit, proactive approvals for transfers above further thresholds, or ask additional security questions and flag the transaction as potentially fraudulent. Treasuries can easily put such measures in place with their banking and technology partners.
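One way to combine the device and location checks above with transaction thresholds into a single layered decision, as an added example that is not code from the article or from any vendor product; the field names, thresholds and the allow/step-up/hold/block policy are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Thresholds are constructed for this example, not figures from the article.
APPROVAL_THRESHOLD = 10_000.00  # at/above this a second, explicit approval is required
STEP_UP_THRESHOLD = 2_500.00    # at/above this extra security questions are asked

@dataclass
class Session:
    user_id: str
    device_hash: str      # composite fingerprint of browser/OS attributes
    country: str          # geolocated from the connecting IP address
    behind_proxy: bool    # IP belongs to a known anonymising proxy
    in_botnet_list: bool  # IP appears on a botnet blocklist

@dataclass
class KnownProfile:
    device_hashes: set    # devices previously enrolled by this customer
    countries: set        # countries the customer normally connects from

@dataclass
class Transfer:
    amount: float
    new_payee: bool       # destination account never used by this customer before

def risk_signals(session, profile, transfer):
    """Collect login-context mismatches plus transaction-level red flags."""
    signals = []
    if session.device_hash not in profile.device_hashes:
        signals.append("unknown_device")
    if session.country not in profile.countries:
        signals.append("unexpected_geo")
    if session.behind_proxy:
        signals.append("proxy")
    if session.in_botnet_list:
        signals.append("botnet_ip")
    if transfer.new_payee:
        signals.append("new_payee")
    return signals

def decide(session, profile, transfer):
    """Map signals and amount to allow / step_up / hold_for_approval / block.
    A MitB infection runs on the customer's own, enrolled device, so the device
    layer looks clean; the amount and new-payee checks are what still catch it."""
    signals = risk_signals(session, profile, transfer)
    if "botnet_ip" in signals:
        return "block", signals
    if transfer.amount >= APPROVAL_THRESHOLD or len(signals) >= 2:
        return "hold_for_approval", signals
    if transfer.amount >= STEP_UP_THRESHOLD or signals:
        return "step_up", signals
    return "allow", signals
```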
Protect Critical Applications
You know which applications will be the target for cybercriminals looking for financial gains. Take preemptive action, therefore, and protect your highest-risk applications:
- Use web application firewalls to inspect all traffic to and from your most sensitive financial applications for known or emerging attacks, and to patch application-specific vulnerabilities.
- Use malware detection to identify signs of corrupted devices or hijacked sessions – such as the traces of a MitB attack that is manipulating transaction details on the fly.
We’re never going to regulate our way out of the electronic payment fraud problem. The online threat environment simply changes too quickly, and specific regulatory requirements are too easy for cybercriminals to bypass.
While regulatory compliance is essential, it is equally important, from both a legal and a financial liability perspective, to implement comprehensive, layered defences against fraud, so as to demonstrate that a policy exists and that a genuine attempt has been made to hold the line.