Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


May 24, 2010


Bank revenues and fraud detection: A marriage made in heaven?

Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.

The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.

Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.

The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank-resident databases with its eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant number of new account numbers has not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions, or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.
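The positive-pay-style screening described above, as an added example (it is not code from the post, the Retail Payments Risk Forum, or any bank's system): the originating bank retains the previous payroll batch it received from a corporate customer and screens the newly deposited batch against it, flagging new destination accounts, known employees whose destination account has moved, and large swings in entry count or total dollars. The batch layout, the sample employee and account values, and the thresholds are all assumptions constructed for the example.

```python
"""Positive-pay-style screening of an outbound ACH payroll batch.

Added example, not from the Take On Payments post or any bank's software.
The bank keeps the last batch a corporate customer originated and compares
the newly deposited batch against it before the entries enter the ACH
processing stream. Record layout and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One ACH credit entry in a payroll batch (simplified, assumed layout)."""
    employee_id: str
    routing: str        # receiving bank routing number (constructed value)
    account: str        # receiving account number (constructed value)
    amount_cents: int


def _batch(rows):
    return [Entry(*row) for row in rows]


# Constructed sample data: the batch retained from the previous pay period.
PREVIOUS_BATCH = _batch([
    ("E001", "061000001", "1001", 250000), ("E002", "061000001", "1002", 310000),
    ("E003", "061000002", "1003", 180000), ("E004", "061000002", "1004", 420000),
    ("E005", "061000003", "1005", 275000), ("E006", "061000003", "1006", 199000),
    ("E007", "061000004", "1007", 330000), ("E008", "061000004", "1008", 245000),
    ("E009", "061000005", "1009", 210000), ("E010", "061000005", "1010", 290000),
])

# Constructed sample data: the newly deposited batch. Two existing employees
# (E003, E007) now point at accounts never seen before, and one new employee
# (E011) has been added with an ordinary-looking amount.
NEW_BATCH = _batch([
    ("E001", "061000001", "1001", 250000), ("E002", "061000001", "1002", 310000),
    ("E003", "061000009", "9003", 180000), ("E004", "061000002", "1004", 420000),
    ("E005", "061000003", "1005", 275000), ("E006", "061000003", "1006", 199000),
    ("E007", "061000009", "9007", 330000), ("E008", "061000004", "1008", 245000),
    ("E009", "061000005", "1009", 210000), ("E010", "061000005", "1010", 290000),
    ("E011", "061000006", "1011", 150000),
])


def _relative_change(old, new):
    return abs(new - old) / old if old else 0.0


def screen_batch(previous, current,
                 max_new_account_share=0.05,   # assumed threshold
                 max_total_change=0.10,        # assumed threshold
                 max_count_change=0.15):       # assumed threshold
    """Compare a newly deposited batch with the retained prior batch.

    Returns a dict with 'hold' (True when the batch should be held pending
    the customer's confirmation through a separate channel), the list of
    findings, and the entries that triggered them.
    """
    prev_dest = {(e.routing, e.account) for e in previous}
    prev_by_emp = {e.employee_id: (e.routing, e.account) for e in previous}
    findings = []

    # 1. Destination accounts absent from the prior batch. New hires are
    #    expected, so this uses a share threshold rather than zero tolerance.
    new_accounts = [e for e in current if (e.routing, e.account) not in prev_dest]
    share = len(new_accounts) / len(current) if current else 0.0
    if share > max_new_account_share:
        findings.append({"kind": "new_accounts",
                         "detail": f"{len(new_accounts)} of {len(current)} entries "
                                   f"go to accounts not in the prior batch"})

    # 2. A known employee whose destination account moved. This is the
    #    payroll-diversion pattern, so every occurrence is reported.
    changed = sorted(e.employee_id for e in current
                     if e.employee_id in prev_by_emp
                     and prev_by_emp[e.employee_id] != (e.routing, e.account))
    if changed:
        findings.append({"kind": "changed_accounts",
                         "detail": f"destination changed for {', '.join(changed)}"})

    # 3. Swings in entry count or total dollars versus the prior batch.
    count_change = _relative_change(len(previous), len(current))
    if count_change > max_count_change:
        findings.append({"kind": "count_variance",
                         "detail": f"entry count changed by {count_change:.0%}"})
    prev_total = sum(e.amount_cents for e in previous)
    cur_total = sum(e.amount_cents for e in current)
    total_change = _relative_change(prev_total, cur_total)
    if total_change > max_total_change:
        findings.append({"kind": "total_variance",
                         "detail": f"total dollars changed by {total_change:.0%}"})

    return {"hold": bool(findings), "findings": findings,
            "new_accounts": new_accounts, "changed_employees": changed,
            "new_account_share": share, "total_change": total_change}


if __name__ == "__main__":
    result = screen_batch(PREVIOUS_BATCH, NEW_BATCH)
    print("hold batch:", result["hold"])
    for finding in result["findings"]:
        print(f"  [{finding['kind']}] {finding['detail']}")
```

On the constructed batches the screen holds the file: three of eleven entries go to accounts the bank has never paid for this customer, and two of those belong to existing employees whose account moved, while the count and dollar totals stay within their thresholds. The changed-account check carries the most signal, because a legitimate batch adds accounts only for new hires, whereas a compromised payroll file typically redirects existing employees' pay; a hold would then be released only after the company confirms the changes through a channel other than the one that submitted the file, which is the dual-control idea the post raises.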

Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

May 24, 2010 in account takeovers, banks and banking, malware, wire transfer fraud


Comments

Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business clients' offering.

Posted by: richard oliver | May 24, 2010 at 02:13 PM

The detection options listed should be added, but it will take time to implement them uniformly, which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade-off decisions that banks make vary by an almost unbelievable degree.

It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g., adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge were conducted via another channel or out-of-band (a phone call), it would be even more effective.

Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.

Posted by: Rob | May 24, 2010 at 01:49 PM
