Electronic Banking Security And Risk Analysis Guidance
Hats off to the Texas Bankers Electronic Crimes Task Force and its study of current best practices for minimizing the risk of financial crimes, particularly corporate account takeover attacks. The report is recommended reading for CIOs, security officers and fraud investigators, even if their financial institution resides outside the Lone Star State.
The Task Force’s report (“Best Practices-Reducing the Risks of Corporate Account Takeovers”) materially, and with specificity, goes beyond the start made with last summer’s FFIEC Supplemental Guidance. See http://www.ectf.dob.texas.gov/ectfrecomend.htm. In fact, it is the “meat” that the Report puts on the theoretical “bones” of the Guidance which is so intriguing. The Report is built on a three-part risk management framework: (1) Protect; (2) Detect; and (3) Respond. Under those three categories, 19 points are discussed in detail:
· Expand core risk assessments to include corporate account takeover issues.
· Rate each customer or type of customer that performs online transactions.
· Inform your Board of Directors about cyber security risks.
· Communicate with your banking customers about security practices and risk vulnerabilities.
· Implement enhanced customer security awareness education for higher risk business account holders.
· Implement the FFIEC’s layered security controls for external interaction and internal functionality.
· Review and update your bank’s contracts with its on-line banking customers.
· Work with your vendors on risk reduction controls, and demand they keep you updated on evolving risks.
· Establish automated or manual monitoring systems.
· Educate your internal staff about red flag warning signs.
· Educate your account holders about red flag warning signs.
· Create and regularly update your incident response plans.
· Know how to “immediately” verify suspicious transactions with each customer.
· Know how to immediately reverse all fraudulent or suspected transactions.
· Use “Fraudulent File Alert” offered by FedLine.
· Work immediately with the receiving banks to hold or return funds.
· Suspend or recover any systems suspected of being compromised.
· Contact law enforcement and regulatory agencies after the initial recovery efforts have been implemented.
· Prepare in advance plans for customer relationship issues, and the bank’s documentation of its response/recovery efforts.
While those who practice regularly in this area may find grounds (and even good grounds) to nit-pick the particulars, the Task Force was clear that its recommendations are not to be blindly followed. Rather, the 19 best practices present a worthwhile starting point from which each financial institution may analyze its own operations, products, customers and risk tolerances.
One of the listed best practice points is the periodic review and modification of account holder contracts. As many commercial contracts were written before the current wave of online banking attacks began, this is obviously sound advice. But equally important for the legal review team is the recognition that recent case law in this field points to new opportunities to protect the bank’s financial and legal interests. While the first priority will always be to secure customers and to protect the institution’s reputation for security, it cannot be ignored that carefully structured contractual documents will minimize litigation risk if and when these criminal attacks occur.
One final point of the Task Force’s work merits special attention. We all recall the FFIEC Supplement’s direction that customer education should be included as part of the institution’s overall risk minimization program. But no direction was provided as to the form or content of that education. The Task Force helpfully provides a sample customer education template.
The conclusions and analysis offered in the Task Force’s report should be critically studied. Each state’s laws will vary, and each institution must account for its own unique situation. The lawyers of Frost Brown Todd invite any questions you may have about this subject. Bill Repasky can be contacted at firstname.lastname@example.org or (502) 779-8184.