ACH Fraud: Catching Incidents Sooner ABA's Johnson Says Better Detection Has Decreased Losses
While incidents of account takeover increased in 2010, financial losses decreased, according to a survey conducted by FS-ISAC.

Still, some institutions, particularly smaller, community banks, don't view ACH and wire fraud as a top concern. "I think that apathy is basically a function of human nature," says Doug Johnson, vice president of risk management policy for the American Bankers Association and member of the Financial Services Information Sharing and Analysis Center.

"Only to an extent that a company has felt the pain ... of a takeover do they get the religion associated with the potential losses," Johnson says.

Banks should continually talk with their business customers about the nature of the threat, the protection measures the customers should be taking and the repercussions and potential liability that might ensue due to them not taking security measures.

In most cases, the customer is central to minimizing the losses associated with ACH and wire fraud, Johnson explains. "Any mechanism to develop annual training of these corporate customers is very important," Johnson says in an interview with's Tracy Kitten [transcript below].

Institutions should also have a separate document from the ACH and wire agreement that is written in plain language and helps the customer understand the threats.

During this interview, Johnson discusses:

  • Why, despite industry efforts to mitigate losses, corporate account takeover attacks are expected to continue;
  • The role evolving risk management and benchmarks will play in steps institutions and commercial customers take to curb fraud losses;
  • Why collaboration between banking institutions and commercial accountholders must continually improve.

Johnson currently leads the ABA's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and serves on the BITS/Financial Services Roundtable Security Steering Committee, in addition to his involvement with FS-ISAC.

ACH Fraud: The Survey

TRACY KITTEN: I understand this survey conducted by FS-ISAC in March is the first survey that the organization has launched that specifically addresses steps commercial businesses are taking to curb ACH fraud. Why did FS-ISAC feel the timing for this survey was right?

DOUG JOHNSON: First of all, thank you for allowing us to share some of the results of this survey. I think you are aware that the survey is coming out of the FS-ISAC Account Takeover Task Force and we've set various working groups within that task force for prevention, detection and response measures to make recommendations to individual bankers as well as to bank customers and give them additional tools to be able to try to solve some of the challenges associated with the challenge of account takeover. What we've really determined is that frankly you can't manage what you can't measure, to the extent that we can develop some baselines and some benchmarks associated with where account takeover is currently in terms of the number of events and the amount of actual losses, and what direction it's going. Are we doing a better job of detecting and deterring these takeovers? And if not, what else can we do? I think that you need to have those baselines and that trending information to really be able to make some decisions in terms of whether or not you are going in the appropriate direction and whether or not the activities that you are taking are effective.

Top Results

KITTEN: Looking at these results, they come from the actual commercial customers themselves. What stands out to you when you review some of the results that FS-ISAC collected?

JOHNSON: I think that the one thing which was heartening to us is that it demonstrated precisely what you said, that we had an increase in account takeovers during the first half of 2010, but we had a decrease in the amount of losses compared to 2009. I think that's exactly the direction that you want to go. We basically have seen that happen in the demand deposit accounts standard checking account fraud environment as well. We've been measuring that here at ABA for quite a few years. I will say, just to back up a moment, that we used our survey and benchmarking group to really conduct this survey for the FS-ISAC, and their work in the deposit account fraud area really shows that over the course of the last ten years banks have done a much better job of really detecting and preventing losses associated with checking account fraud. Now we are starting to see the same thing in ACH or wire fraud, and I think that's clearly true when you look at 2009 and you see that 63 percent of the takeovers resulted in some sort of loss during 2009 and only 27 percent had that occur within 2010.

KITTEN: It's interesting because there were actually more incidents, or more attempts, for these fraudsters to take over the accounts and to see a percentage increase. When you think about that there were more incidents, it actually shows that they are doing a much better job than maybe the percentage themselves alone would reflect.

JOHNSON: Yes, I think that is exactly right. One thing that I think it demonstrates is the fact that when you put together an approach which tries to address the threat not only at the bank level, but also at the customer level, you can have an impact on the environment and you can actually diminish the amount of fraud that occurs. That is particularly true in this environment where you absolutely need the assistance of the commercial customer in order to truly diminish these takeovers.

Education Efforts

KITTEN: That's a great point and it's a perfect segway to my next question. I wanted to highlight the fact that it seems banks and commercial customers are doing a better job when it comes to collaborating and catching some of these ACH and wire fraud attempts sooner, but many of these small businesses that participate in the survey said that they still do not view ACH and wire fraud as a top concern. With that in mind, what steps should and can banking institutions take to continue educational efforts that address that apathy?

JOHNSON: First of all, I think that apathy is basically a function of human nature. Only to an extent that a company has felt the pain, if you will, of a takeover do they get the religion associated with the potential losses that could occur to the business and I think that's just human nature. But I think that one of the things that as businesses, or rather as banks, we can do is to continually impress upon our business customers the nature of the threat, the protection measures that they as customers should be taking at their locations and the repercussions and potential liability that might ensue to them due to the extent that they determine not to take those security measures, and I think that you can do that in a way that doesn't create undue concern for the customers as well. That's one thing particularly that we focus on in the prevention and response working groups that we have under way, because part of the prevention working groups' function is really to develop best practices for customer awareness and part of the response one is to really develop best practices for responding to fraud once it occurs.

In both of those incidents the customer is central to really minimizing the losses. There are certain things that we recommend. Any mechanism to develop annual training of those corporate customers is very important. Not varying the potential liability and the actual security measures within the ACH or wire agreement themselves, but have a separate document that the customer reviews that's in plain language and really helps them really understand the nature of the threat, I think those are all things that can be done. I think one of the things that banks have also seen is that there's great success in really holding security seminars than one would actually think. I have known a number of banks that have been fairly successful at holding security seminars as opposed to investment seminars, or in addition to investment seminars, and found that the participation in those can actually be quite heartening. I think those are some of the things that you can do.

Resurgence in Online Fraud

KITTEN: The survey also found that despite the fact that we had kind of seen these corporate account takeover incidents slack off or taper off a bit, we saw a resurgence in 2010 when it came to online-related fraud. To what do you attribute this uptick?

JOHNSON: I think that clearly the criminals view cybercrime as a day job, and something that they are going to attempt to be increasingly sophisticated regarding and they are going to continue to find additional avenues to try to conduct those crimes. That would move them to some degree from account takeover to the extent that the environment gets a little bit hardened to other types of cybercrimes as well. I think one of the things that I have my eye on for instance is the fact that Zeus, SpyEye and those types of exploits can be used in a retail environment, for instance, to take over a home equity loan account that's attached to a demand deposit account on an Internet basis. And I think that things like that are things which I think are incumbent upon the ISAC and trade associations like the ABA to really be aware of and ensure that our members are in turn aware of as these threats migrate because as you well know, they always will migrate to different areas. That is one of our central functions, to ensure that as those things migrate that those banks that are members in the environment in general are aware of not only the threat but how to mitigate that threat.

Solutions: Catching ACH Fraud

KITTEN: That's a good point. We've talked quite a bit today about the important role that commercial education plays and the role that institutions play in educating their commercial customers and of course that all falls into the layered security approach that the new or updated FS-ISAC guidelines talk about. But for the bankers' part, what solutions, techniques, or even technologies do you see helping financial institutions when it comes to catching fraudulent ACH and wire requests? What should they be investing in?

JOHNSON: I think there are a lot of tools in the tool box there, and the ones that I think are very interesting particularly are those that really have some behavioral characteristics associated with them, as you are familiar with. And that's particularly true as it relates to monitoring the behaviors on a customer's PC to ensure whether or not that is particular to that customer or has some characteristics which would tend to make you believe that is not the customer that is conducting that transaction, either through the velocity of the transaction or the way that the transaction travels through the Internet channel. Because sometimes the software that are malicious in nature take shortcuts within an Internet banking platform and don't take the normal path that a human being would take. I think that as a layer of security that's an additional layer at the customer level that can be really helpful.

I think that at the bank level, the increased attention to transaction monitoring is an additional thing that banks are looking at, and the FFIEC indicated that was important in their authentication revision, because it's not just about authenticating the individual. It's also about authenticating the transaction at the bank level. And is that transaction one that is normal for that customer or is it one that hits a certain trigger that has potentially been agreed to by you and the customer as being a type of transaction either geographically or in terms of where it's relative size is unusual for the customer? Those are two areas that I see fit well within the FFIEC's desire to have additional layers of security, but that provision has been in the guidance since 2005. We have always been preaching to our members that it's not about any one particular type of authentication or security device. It's all about instituting a variety of layers of security and mixing those layers up on occasion too as the threats change. That's what's going to protect the environment and I think that has always been in place. One of the functions of the authentication guidelines is to reiterate that point and make sure that institutions were aware of it and were also conducting that risk assessment so that they would know when the threats changed.

KITTEN: You're absolutely right. I also wanted to make a note here that the current survey results only include data for the first six months of 2010. Now FS-ISAC says it expects to issue an update in October that highlights ACH-related fraud trends for the entire year. But I wanted to ask, what nuances do you expect if any for the full year results to reveal?

JOHNSON: Well I hope that the trend that we're seeing is in reality the trend that we will continue to experience. I would hope that again, using the demand deposit account experience as an example, once we started to put additional protection measures in place we saw an increasing decrease if you will in the amount of fraud which was occurring as a percentage of overall attempts. I would expect the same thing to happen as it relates to account takeovers, and that gets back to your point where you asked whether ... the overall level of cybercrime is not necessarily going down, it's just the criminals are moving to different areas. We will be fast followers to follow them to that new direction, but I do have every expectation knowing what I've seen in the marketplace that there are a lot of people that are on cases that relate to these account takeovers, and the additional defense mechanisms are being put in place. And part of it is in response to the authentication guidance again. The agencies did a good job in clarifying the fact that the guidance applies to commercial, as well as retail, accounts, that in fact commercial accounts warrant additional levels of security over and above what retail accounts might.

KITTEN: Finally before we close, what additional thoughts about the survey results in general would you like to leave our audience with?

JOHNSON: I'm heartened by the results. I have every expectation that the results will continue to exhibit the trend which we are starting to see, and I look forward to trying to put in additional measures within the survey to help us understand some of the other things that are important from the standpoint of measurement, because again going back to something I said at the beginning of this call, you can't manage what you can't measure, and I think it's increasingly important for us to be able to really effectively measure fraud so that we can determine whether or not we're being effective in terms of deterring it.

Around the Network