ACH Fraud: Catching Incidents Sooner

ABA's Johnson Says Better Detection Has Decreased Losses

While incidents of account takeover increased in 2010, financial losses decreased, according to a survey conducted by FS-ISAC.

Still, some institutions, particularly smaller, community banks, don't view ACH and wire fraud as a top concern. "I think that apathy is basically a function of human nature," says Doug Johnson, vice president of risk management policy for the American Bankers Association and member of the Financial Services Information Sharing and Analysis Center.

"Only to an extent that a company has felt the pain ... of a takeover do they get the religion associated with the potential losses," Johnson says.

Banks should continually talk with their business customers about the nature of the threat, the protection measures the customers should be taking and the repercussions and potential liability that might ensue due to them not taking security measures.

In most cases, the customer is central to minimizing the losses associated with ACH and wire fraud, Johnson explains. "Any mechanism to develop annual training of these corporate customers is very important," Johnson says in an interview with's Tracy Kitten [transcript below].

Institutions should also have a separate document from the ACH and wire agreement that is written in plain language and helps the customer understand the threats.

During this interview, Johnson discusses:

  • Why, despite industry efforts to mitigate losses, corporate account takeover attacks are expected to continue;
  • The role evolving risk management and benchmarks will play in steps institutions and commercial customers take to curb fraud losses;
  • Why collaboration between banking institutions and commercial accountholders must continually improve.

Johnson currently leads the ABA's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and serves on the BITS/Financial Services Roundtable Security Steering Committee, in addition to his involvement with FS-ISAC.

ACH Fraud: The Survey

TRACY KITTEN: I understand this survey conducted by FS-ISAC in March is the first survey that the organization has launched that specifically addresses steps commercial businesses are taking to curb ACH fraud. Why did FS-ISAC feel the timing for this survey was right?

DOUG JOHNSON: First of all, thank you for allowing us to share some of the results of this survey. I think you are aware that the survey is coming out of the FS-ISAC Account Takeover Task Force and we've set various working groups within that task force for prevention, detection and response measures to make recommendations to individual bankers as well as to bank customers and give them additional tools to be able to try to solve some of the challenges associated with the challenge of account takeover. What we've really determined is that frankly you can't manage what you can't measure, to the extent that we can develop some baselines and some benchmarks associated with where account takeover is currently in terms of the number of events and the amount of actual losses, and what direction it's going. Are we doing a better job of detecting and deterring these takeovers? And if not, what else can we do? I think that you need to have those baselines and that trending information to really be able to make some decisions in terms of whether or not you are going in the appropriate direction and whether or not the activities that you are taking are effective.

Top Results

KITTEN: Looking at these results, they come from the actual commercial customers themselves. What stands out to you when you review some of the results that FS-ISAC collected?

Around the Network