This article is a shortened version of a legal memorandum published on the NC Bankers Association website.
Criminal schemes to steal funds through fraudulent wire transfers are increasing in frequency and sophistication. Funds stolen from small business accounts, for example, total more than $2 billion, according to a recent estimate by Gartner. A recent string of court cases has resulted in unfavorable rulings for banks that failed to prevent fraudulent transfers from business accounts. These cases and recent guidance from the Federal Financial Institutions Examination Council (FFIEC) create onerous security requirements for banks to ensure that electronic transactions are actually being made by their customers and not by fraudsters. In the recent court cases, potential liability for the three defendant banks ranged from about $345,000 to $460,000. (The damages issue has not been resolved in two of the cases.) Therefore, financial institutions should address these security requirements by, at a minimum, implementing a layered security program that includes: (1) processes designed to detect and respond effectively to anomalies in the initial login and the initiation of electronic funds transfers; and (2) for business accounts, enhanced controls for system administrators who are allowed to set up or change system configurations, such as setting access privileges. Financial institutions should strongly consider the following in order to respond to the new case law and FFIEC guidance:
- Single-factor authentication, such as static login IDs, passwords, and challenge questions (things the user knows) can be readily picked up by malware like key loggers and leave accounts susceptible to unauthorized access.
- Authentication procedures should require complex login user names and passwords that include a mix of letters, numbers, and special characters.
- Authentication procedures should use more than one “factor.” There are three types of factors: (1) something the user knows (e.g., password, PIN), (2) something the user has (e.g., ATM card), and (3) something the user is (e.g., biometric characteristic, such as a fingerprint). The FFIEC guidance recommends multifactor authentication, especially for business customers who perform high-risk transactions.
- Challenge questions are not always effective. When frequently repeated, they are more likely to be exposed to fraudsters. FFIEC guidance notes that a search engine is all it takes to discover the answer to many challenge questions, such as mother’s maiden name or year of graduation. Due to the amount of information available on the Internet, the FFIEC no longer views these basic challenge questions to be an effective risk mitigation technique.
- In contrast to simplistic challenge questions, sophisticated challenge questions can be part of an effective layered security approach that does not rely on publicly available information. The FFIEC recommends using numerous questions, without posing all questions during one session. “Red herring” questions should be included that a fraudster would attempt to answer but the intended user would not.
- Case law and FFIEC guidance make clear that financial institutions should consider implementing behavioral analytics programs in order to recognize and respond to anomalous activity related to the amount, destination, and frequency of funds transfers, among other things.
- It is essential to periodically review information security programs and make adjustments as needed in light of changes in technology, fraudulent schemes, and threats to information systems. Risk assessments should be updated at least every twelve months, and they should always be updated prior to implementing new electronic financial services.
- Customer agreements should be reviewed in order to ensure that they contain an express acknowledgment that authentication measures are commercially reasonable.
- Finally, financial institutions should stay abreast of legal developments, including judicial decisions, enforcement actions, and guidance from regulators.
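The behavioral-analytics control described above (flagging transfers that are anomalous in amount, destination, or frequency) can be illustrated with a small scoring routine. This is an added example, not code from the article, the FFIEC guidance, or any bank's system; the thresholds, the `Transfer` record, and the sample history are constructed assumptions, and a real program would tune them per account and customer segment.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: float
    beneficiary: str  # hypothetical destination id (e.g. hashed routing + account number)

def score_transfer(history: list[Transfer], candidate: Transfer,
                   window: timedelta = timedelta(days=1)) -> list[str]:
    """Compare a pending transfer with the account's prior transfers and return
    the anomaly flags raised: 'amount', 'new_destination', 'frequency'.
    Thresholds are illustrative assumptions, not values prescribed by the FFIEC."""
    if not history:                      # no baseline yet: nothing to compare against
        return ["no_history"]
    flags: list[str] = []
    amounts = [t.amount for t in history]
    mu, sd = mean(amounts), pstdev(amounts)
    # Amount: more than double the largest prior transfer, or more than 3 std devs above mean.
    if candidate.amount > 2 * max(amounts) or (sd > 0 and (candidate.amount - mu) / sd > 3):
        flags.append("amount")
    # Destination: a beneficiary this account has never paid before.
    if candidate.beneficiary not in {t.beneficiary for t in history}:
        flags.append("new_destination")
    # Frequency: transfers in the trailing window (including this one) versus the
    # account's usual rate scaled to that window; a burst is > 3x usual, minimum 2.
    span = max(candidate.when - min(t.when for t in history), window)
    expected = len(history) * (window / span)
    recent = sum(1 for t in history if timedelta(0) <= candidate.when - t.when <= window) + 1
    if recent > max(2, 3 * expected):
        flags.append("frequency")
    return flags

def disposition(flags: list[str]) -> str:
    """Any flag holds the transfer for out-of-band verification with the customer."""
    return "release" if not flags else "hold_for_review"

BASE = datetime(2024, 3, 1)
def sample_history() -> list[Transfer]:
    """Constructed sample: ten routine transfers, every six days, to two known payees."""
    amounts = [2000, 2100, 1900, 2200, 2050, 2150, 1950, 2100, 2000, 2100]
    payees = ["ACME-SUPPLIES", "PAYROLL-CO"]
    return [Transfer(BASE + timedelta(days=6 * i), a, payees[i % 2]) for i, a in enumerate(amounts)]

if __name__ == "__main__":
    odd = Transfer(BASE + timedelta(days=54, hours=2), 45000, "UNKNOWN-BENEFICIARY")
    print(score_transfer(sample_history(), odd), disposition(score_transfer(sample_history(), odd)))
```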
Elizabeth Johnson, an attorney no longer with Poyner Spruill, was the original author of this article.