New Fraud Challenges Introduced by Same Day ACH

We all recognize that Same Day ACH promises improved payments services for account holders. But FIs have a lot to figure out between now and when it goes live in September 2016, including how to mitigate increased fraud risk.

While we have some ideas for the types of schemes fraudsters may launch (below), perhaps the biggest risk is they have repeatedly demonstrated their creativity and innovation in how to take advantage of any disruption or change. If you want to be truly ready for Same Day ACH, it’s time to step up your fraud prevention game.

What’s Different?

If the improved service level has the effect that NACHA (and the industry) wants, there will be increased use of the ACH payments system for same day payroll, P2P, bill pay, and other payment offerings. So, more files will need to be processed in a shorter period of time.

Also, the funds will be harder to retrieve if a fraudulent transaction does slip through. Just as wire transfers have been popular with fraudsters because of the speed with which they can access the funds and move them out of reach, Same Day ACH will now give criminals the same benefit: the money settles the same day, so the window for spotting and reversing a bad payment shrinks with it.

How Will Criminals Attack?

Here are some of the fraud schemes that FIs need to consider as they update processes and consider new technologies. Fraudsters could:

  • Submit a large volume of payments just before the cut-off time, forcing FIs to rush through their review process and resulting in some payments slipping through undetected
  • Submit payments that are just under the FI’s review threshold so they’re less likely to get noticed, especially in light of higher payment volumes
  • Target other channels or payment types, on the theory that FIs are overly focused on ACH leading up to settlement times, lowering their guard elsewhere
  • Use social engineering techniques against account holders, resulting in payments that look legit because they’re coming from the actual account holder, but with less time to uncover the underlying scheme
  • Add recipients to payroll files or change account information for existing recipients within a payroll file, which are hard enough to detect today and will be even harder to detect under severe time constraints
  • Compromise third-party senders and submit fraudulent payments into which ODFIs have no visibility and that could get overlooked among the high volume of payments needing to be reviewed in the short review window

New Strategies for Mitigating Fraud Risk

Simply increasing the size of the team charged with reviewing ACH files is not an affordable, scalable, nor sustainable option. The cost of hiring additional staff would be prohibitive, especially at a time when many FIs are trying to downsize their fraud operations team, and pulling people from other functions for a few hours a day would leave those other areas understaffed and exposed.

And tightening up security rules crafted to identify suspicious ACH payments will likely just result in poor customer service and higher false positive rates. On top of the higher volume, this will produce more alerts, with less time to investigate them.

The best strategy is to add technology to automate as much of the review process as possible. A real-time behavioral analytics solution like FraudMAP can use behavioral models to triage incoming files into low risk payments that can be released automatically (the majority of payments), and the relatively few high-risk payments that require manual review.

Furthermore, FraudMAP’s rich activity history will make it easier and faster for analysts to investigate high-risk payments and decide which ones to release.

Our most important recommendation is to start now, because you know the fraudsters have already started planning their new attacks. Rethink your payments offerings and policies, evaluate technology solutions for automatically reviewing payments, and budget now to be sure you’re ready to go come September 2016, which is just around the corner.

 

This article also appeared, with slight modifications, in Banking Exchange.

 

Be Sure to Calculate the Full ROI on Improved Fraud Prevention as you Plan your 2016 Budget

As you enter the 2016 budgeting season, you may be considering asking for improved fraud prevention. Many of the financial institutions we talk with are doing just this, especially in light of increased risk from the vast amount of data in fraudsters’ hands, the proven ineffectiveness of authentication, and the impending availability of Same Day ACH that will further increase fraud risk.

However, many of the FIs we talk with also make the same mistake when building their case for investing in improving their ability to mitigate fraud risk – they limit their estimated return to expected decreases in fraud losses. This is important, but it significantly undervalues what improved fraud prevention will deliver to your institution.

As you plan your budget for 2016, we encourage you to consider the strategic, business benefits of mitigating fraud risk, including:

  • Adding online and mobile products and improving service levels, which can improve competitiveness as well as generate added revenue
  • Winning new customers by offering faster payment processing, higher limits, and advanced payment services such as online bill pay and P2P.
  • Improving operational efficiency by automatically releasing low-risk wire and ACH payments, minimizing false positives, speeding investigations, and eliminating the need to write and maintain rules
  • Building client loyalty by taking responsibility for securing their assets and proactively alerting them to suspicious account activity
  • Reducing the full cost of fraud that includes the nominal loss plus legal costs, time spent on investigations, damaged reputation, and customer churn
  • Enhancing compliance with FFIEC Guidance that explicitly calls for using behavior to detect anomalies in banking activity.

These strategic business benefits are described in detail in our “Building a Business Case” document (PDF, 239kb). In addition to quantifiable examples of the business benefits realized by other financial institutions in each of the categories above, it provides specific topics to discuss internally to estimate the return you will see, given your institution’s unique size, organization, staffing, services, and clients.

If you’re committed to improving fraud prevention and would like an estimate of how much to budget for, please request a FraudMAP cost estimate.

 

Fraud Factor – Latest News on Banking Fraud

We regularly hear from financial institutions how much they appreciate information we share about the latest banking fraud activities. Towards that end, this post pulls together recent news stories across the spectrum of banking fraud developments.

We also distribute this as a monthly Fraud Factor email. If you’d like to be added to the distribution list, please go to our Contact Us page.

Why Consumers Don’t View Banks As ‘Trusted Partners’
Every FI wants its customers to view it as a trusted partner. But it appears that goal is far from being met. According to a new study, only one quarter (27 percent) of U.S. consumers view their financial institutions as a “trusted partner.” Our customers, however, report that one of the best ways to build trust is to proactively contact account holders about the suspicious activity that FraudMAP detects, even if it turns out not to be fraudulent. Clients appreciate the FIs taking responsibility for the security of their accounts.

Wide-ranging Threats Span Mobile, Phishing, Social Engineering and Social Media

Financial Services Attacked 300 Percent More Frequently Than Other Industries
A new Websense research study reveals that: 1) the finance sector dwarfs the volume of attacks against other industries by a 3:1 ratio; 2) hackers are spending huge amounts on reconnaissance and lures; 3) credential stealing and data theft are criminals’ primary objectives; and 4) fraudsters switch up campaigns frequently to outfox FIs’ security measures.

Critical Flaws in Apple, Samsung Devices
A zero-day bug in iOS and OS X allows the theft of both Keychain (Apple’s password management system) and app passwords. In addition, a serious vulnerability in a third-party keyboard app that is pre-installed on more than 600 million Samsung mobile devices allows attackers to remotely access resources like GPS, camera and microphone, secretly install malicious apps, eavesdrop on incoming and outgoing messages and voice calls, and access pictures and text messages.

Phishing Campaigns Harder to Mitigate
The emergence of top-level domains, such as .xyz, has fuelled an uptick in spoofed websites being used to wage targeted phishing attacks. While the new .bank domain has a privileged position with a very stringent vetting process, others, such as .cn, do not, and almost anyone can use them to register new domain names, including criminals.

Call Center Fraud Targets Processors
The massive number of retail point-of-sale breaches over the last two years has fueled an uptick in call center fraud that targets payments processors. Using stolen card details obtained in retail breaches, fraudsters call payments processors before the transactions are flagged as suspicious by the issuing institutions and convince the call-center staff that the transactions are legitimate.

The Rise Of Social Media Botnets
Cyber criminals use social media botnets to disseminate malicious links, collect intelligence on high profile targets, and spread influence. As opposed to traditional botnets, each social bot represents an automated social account rather than an infected computer. Bot herders leverage botnets to distribute phishing and malware links across social media. The lucrative part of the attack involves selling the phished information or the myriad ways malware is leveraged to extort money, be it data theft, ransomware, blackmail, or banking Trojans.

Federal Employees Top Data Breach News

U.S. Officials Report Massive Breach of Federal Personnel Data
Initially reported to affect 4 million federal employees, the breach is now understood to include all federal employees and retirees, as well as one million former federal employees. The personal information that was stolen includes Social Security numbers, addresses, birth dates, job and pay histories, health insurance, ages, gender, race, and more.

Where Has All the Stolen Data Gone?
In her latest blog post, Avivah Litan from Gartner explains the “dark web” and theorizes about who is buying the data and to what end. She explains that hidden dark web data markets are very different from the black markets where stolen credit card data is sold. In the dark web data markets, only 4-5% of the information is exposed to initial site visitors. The rest is buried farther down in what’s known as the Deep Web, and access to this information requires that potential buyers pass an intense background check and credentialing process. The buyers mine these vast troves of data to determine how to infiltrate their desired targets in unexpected ways and with unexpected motives.

Team GhostShell Hacking Group is Back
A group of hackers known as Team GhostShell claims to have hacked a multitude of organizations, including financial institutions, government agencies, political groups, law enforcement entities, and universities. They are dumping the data via Twitter, including emails, user names, addresses, telephone numbers, dates of birth, and other personally identifiable information.

Beware of Rogue Banking Apps, Malvertising, and the Malware Stepping in for Gameover

Cybersecurity Article Highlights Risk of Rogue Banking Apps
In a sample of 350,000 mobile banking applications analyzed by RiskIQ, 40,000 apps, or about one out of every nine, contained adware or malware. These neo bank robbers have been brazen in carrying out some of their scams. One bank began receiving calls from disgruntled customers about its Windows mobile banking application not working properly. The study’s author explains, “The help desk kept filing tickets for the calls until it found out the bank didn’t have a Windows mobile app. It was an app in the Windows mobile store for their bank that people were downloading and using, and all it was doing was capturing the user information and sending it to Russia.”

Massive Malvertising Campaign Hits Users with Angler Exploit Kit
This attack is focused on users browsing several well-trafficked sites in Europe and the US. The attack leads users to the Angler Exploit kit to infect users with the Bunitu Trojan turning the infected system into a zombie computer, allowing the computer’s network connection to be used for subsequent malicious activity.

Dyre’s Rise to Top Financial Malware Threat
Researchers are crediting Dyre malware with filling the void left by the Gameover ZeuS takedown last summer. The malware uses several different types of Man-In-the-Browser (MITB) attacks against the victim’s web browser to steal credentials. It targets all three major browsers (Internet Explorer, Firefox, and Chrome), and has been configured to target customers at more than 1,000 banks and other firms.

Webinar Recommends Device Binding to Mitigate Mobile Risk and Improve Client Experience

Last week’s webinar, titled “How Mobile is Reshaping Banking and Fraud,” reviewed the tremendous growth in mobile adoption, the fraud risks this introduces, and recommendations for embracing mobile to improve your clients’ experience. The webinar featured our own Chris Silveira, manager of fraud intelligence, who provided a holistic view of the impact that mobile is having on consumers and financial institutions.

Huge Growth in Mobile Usage Attracting Criminals

Did you know that 1 in 4 account holders consider themselves “mobile first”? This means that their primary channel for banking is mobile. Or that 33% of e-commerce orders are from a mobile phone? Mobile logins to financial accounts are skyrocketing and are estimated to be double online logins by next year.

In addition, Chris reported that mobile banking users are 47% more profitable for FIs than offline users. So, all of this growth in mobile adoption should be great news for banks and credit unions. But many only see risk, and understandably so.

Criminals are targeting mobile to gather personal data and credentials, conduct reconnaissance, defeat controls, and initiate fraudulent transactions. Chris also described some of the vulnerabilities of mobile phones, such as how criminals can access sensors that do not require user permission the way the microphone and camera do. Did you know that the gyroscope used to orient content as the phone is turned sideways can be used to monitor and identify voices?

Use Mobile to Improve Clients’ Experience

All of this leads to perhaps the most interesting and insightful content. Instead of just coping with increased mobile usage and trying to defend against the myriad schemes that incorporate mobile, FIs have the opportunity to truly embrace mobile, use it as part of their security strategy, and improve clients’ experiences, ultimately creating competitive advantage.

Chris described the concept of device binding, which is using behavior, device characteristics, and information about the account holder to bind a device to the legitimate account holder. By doing so, FIs can not only mitigate mobile fraud risk, they can actually step DOWN authentication in some cases, decreasing friction and improving the user experience.

For example, through device binding, FIs could streamline ATM security, authorize retail payments, and skip re-authenticating someone calling customer service.

To hear the full story, you can watch the recorded webinar (duration: 58 minutes).

 

The Squeeze is on Financial Institutions

Financial institutions are always under some form of pressure. Now there’s a new squeeze being put on, as depicted in our new infographic.

FIs are caught between two powerful forces. On one side the pressure is coming from criminals who have access to vast amounts of personal information and credentials, to the point where bankers can no longer trust that clients are who they say they are (see Can You Trust Your Customers Really Are Who They Say They Are?). Fraudsters are using detailed dossiers on victims and on FIs’ employees to launch relentless attacks, constantly changing their strategies and schemes as new security measures are put in place.

On the other side, the pressure is coming from account holders that want new banking capabilities and improved service levels. These might include faster payment processing, P2P and bill pay capabilities, higher limits, or expanded mobile banking options such as remote deposit capture. The challenge for FIs is that all of these elevate risk.

The combination of decreasing trust and competitive pressure to add products is placing unprecedented pressure on financial institutions to improve fraud prevention capabilities.

Download our infographic to learn more. And please contact us to learn how behavioral analytics can relieve the pressure.

Can You Trust Your Customers Really Are Who They Say They Are?

We live in unprecedented times. Criminals now know more about the identity of a bank’s customers than the bank.

Due to vast amounts of data available to criminals and their clever ability to masquerade as and manipulate their victims, FIs find it increasingly difficult to trust that their clients truly are who they say they are.

Trust Damaged by Access to Personal Data

Nearly a billion identities have been exposed since the beginning of 2013. Around the world, 1,355 records are stolen every minute. And criminals are using their detailed knowledge of account holder and bank employee identities to commit fraud.

We all see the news about new strains of malware, data breaches, credential compromises and new fraud tactics one at a time. But they are additive. When taken together, including what people willingly share on social networks and additional data gathered through social engineering, criminals have an unprecedented amount of data about account holders and employees.

Trust is further eroded by victims being tricked or manipulated into doing something that benefits the fraudster. Recent examples include criminals using a compromised business email account to submit fake vendor invoices that fool AP staff into paying them, and compromising a CFO’s email account and using it to ask the controller to send a wire to the fraudster’s account.

As a result of this loss of trust, many financial institutions hold back on capabilities because of concerns over trust and security, scaling back the speed and depth of products and services they offer, how big of an audience is allowed to use certain capabilities, and the overall service levels being offered.

Institutions’ Unique Advantage Over Criminals – Behavior

This isn’t an authentication problem, or a device problem, or a manual review problem. These measures have been defeated and simply doing more of the same won’t prevent fraud nor solve the trust issue. Financial institutions need a different approach to validating that users are who they say they are and their actions are not being driven by criminal manipulation.

While criminals may have identity information as a weapon, FIs have something much more powerful – a rich history of each account holder’s interactions with the institution. Account holder behavior is an FI’s greatest asset in the fight to prevent fraud.

By using behavioral analytics to detect suspicious activity, FIs will once again know when a user is legitimate (and engaged in legitimate activity) and not an imposter. FIs will regain control over trust because while fraudsters can worm their way past any authentication control, they can’t mimic the behavior of the legitimate user.

Unprecedented times call for new solutions. A recent Aite Group study found that 79% of the financial institutions interviewed have one or more behavioral analytics solutions already in place, with another 10% in the pilot phase. FIs using behavioral analytics can prevent banking fraud and mitigate the risks associated with expanded services, turning this data-induced identity crisis into improved competitiveness and customer loyalty.

Beyond the Patch – Heartbleed Drives New Security Requirements

In the last 18 months we have seen some of the largest data breaches ever, and now the Heartbleed bug further erodes the small amount of remaining trust we might have had that sensitive information and access to critical systems are protected. Given the scope of the hardware and software impacted by the Heartbleed bug and the time it will take to address it, companies and consumers are exposed more than ever to criminal attacks, even after patches are in place, new keys are issued and passwords are reset.

The impact of Heartbleed, the massive number of identities exposed in 2013 through data breaches – 552M – and the ongoing attacks on our sensitive information and systems will be long term and far reaching, ultimately requiring a rethinking of the fundamentals we use to protect ourselves and our customers.

The flaw and the successful exploitation of it call into question the effectiveness of the controls and tools enterprises use to detect attacks on consumer accounts and corporate networks. At the heart of the issue:

  1. The bug exposes information used to validate users – usernames, passwords, personal information, payment information, health and medical information.
  2. The bug leaks server memory, including private keys and session data, which criminals can use to decrypt or hijack traffic and gain access to networks and systems.
  3. It is unknown how much information has already been exposed and how long internal systems will take to patch.

Given these, criminals can successfully access consumer applications and corporate networks and go undetected by most common authentication, network and security controls. With access to credentials, authentication-related information and network traffic, criminals will look just like legitimate users – no malware used, no other attacks on networks or servers needed.

Companies can no longer have confidence that users (consumers, employees, vendors, partners) are who they say they are.

The immediate focus has naturally been on stopping the bleeding through patches, new keys and password changes. While the majority of websites have been fixed, enterprises face the daunting task of identifying all of the software and equipment exposed and implementing patches. In the meantime, they are exposed.

Enterprises, therefore, need to think “beyond the patch” and also implement a more comprehensive, effective and resilient change to their approach to securing access to applications and systems. In the wake of this flaw, malware detection, network monitoring, sandboxing, and authentication all fail to detect the unauthorized access. Companies cannot rely on looking for known patterns of bad actors – they won’t find any. Rather, they need to start with the perceived good actor and look for anomalies in their behavior as a signal of unauthorized access.

Bad actors hide behind legitimate credentials – but behavior never lies.

Companies at the forefront of security have already adopted user based behavioral analytics to strengthen consumer and corporate security. The Heartbleed bug means this approach is a new fundamental security requirement for all.

 

Were forgotten passwords really forgotten? Or were they never known in the first place?

While fraudsters continually develop new schemes, they also persist in using older techniques that have proven to be effective. Our latest Fraud Informer, Fake Forgetfulness Flags Fraud, describes how criminals are defeating authentication by using a feature that is available on every online banking system: the Forgotten Password reset.

Our fraud intelligence group has witnessed ongoing attacks against hundreds of retail clients plus a smaller number of commercial accounts at over 50 banks and credit unions. The pattern is very similar across all of them, and surprisingly, the attacks don’t include transactions.

This scheme is a good reminder of two important factors in detecting fraud attacks: 1) fraudsters can defeat authentication, and 2) you can’t detect fraud by only monitoring transactions. Make no mistake, this is fraud. And to detect it and prevent resulting offline fraudulent transactions you have to be monitoring the behavior taking place during online banking sessions.
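Here is an added example of what “monitoring the behavior taking place during online banking sessions” can look like in code. It is not Guardian Analytics or FraudMAP code and it is not taken from the Fraud Informer; the event names, the device identifier, the threshold of two accounts and the session log are all constructed for the example. The point it makes is the one above: a transaction monitor sees nothing in these sessions, because there are no transactions, but grouping password resets by the device that performed them across accounts surfaces the pattern.

```python
# Added example (not Guardian Analytics / FraudMAP code): flag the forgotten-password
# scheme from session events rather than transactions. Event names, device ids, the
# sample log and the min_accounts threshold are constructed assumptions.
from collections import defaultdict

# Events that move money. Anything else is "just looking around".
TRANSACTION_EVENTS = {"transfer", "bill_pay", "wire", "ach_batch"}

# Constructed session log: (session_id, account_id, device_id, event), in time order.
LOG = [
    ("s1", "acct-100", "dev-A", "login_failed"),
    ("s1", "acct-100", "dev-A", "password_reset"),
    ("s1", "acct-100", "dev-A", "view_balance"),
    ("s2", "acct-101", "dev-A", "password_reset"),
    ("s2", "acct-101", "dev-A", "view_statements"),
    ("s3", "acct-102", "dev-A", "password_reset"),
    ("s3", "acct-102", "dev-A", "view_profile"),
    ("s4", "acct-200", "dev-B", "login"),
    ("s4", "acct-200", "dev-B", "bill_pay"),
    ("s5", "acct-300", "dev-C", "password_reset"),   # a genuinely forgetful customer
    ("s5", "acct-300", "dev-C", "login"),
    ("s5", "acct-300", "dev-C", "transfer"),
]


def sessions_by_id(log):
    """Group events per session, preserving order."""
    sessions = defaultdict(list)
    for sid, acct, dev, event in log:
        sessions[sid].append((acct, dev, event))
    return sessions


def reset_only_sessions(log):
    """Sessions that reset a password and never reached a transaction: exactly the
    sessions a transaction-only monitor ignores."""
    out = []
    for sid, events in sessions_by_id(log).items():
        names = {event for _, _, event in events}
        if "password_reset" in names and not names & TRANSACTION_EVENTS:
            acct, dev = events[0][0], events[0][1]
            out.append((sid, acct, dev))
    return out


def suspicious_devices(log, min_accounts=2):
    """Devices that ran reset-only sessions against min_accounts or more distinct
    accounts. One forgetful customer is normal; one device resetting several accounts'
    passwords without transacting is the takeover pattern."""
    accounts = defaultdict(set)
    for _, acct, dev in reset_only_sessions(log):
        accounts[dev].add(acct)
    return sorted((dev, sorted(accts)) for dev, accts in accounts.items()
                  if len(accts) >= min_accounts)


if __name__ == "__main__":
    print(suspicious_devices(LOG))
```

The device identifier stands in for whatever your platform can correlate (cookie, fingerprint, source IP); in production you would also check where the reset code was delivered and whether the new password was set from the same device.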

Read on in the full Fraud Factor.

Fraudulent Needles in ACH Haystacks

We’ve been talking with a wide variety of financial institutions for a number of weeks leading up to the announcement of our latest anomaly detection solution, FraudMAP ACH. We’ve heard story after story of the time consumed by staff manually combing through exception reports or Excel spreadsheets looking for the high-risk transactions or batches in a growing and increasingly dynamic stack of ACH payments. We’ve heard of the complexities of staff trying to maintain “fraud rules” or waiting for their vendors to do it for them.

And it’s only going to get harder. As criminals tamper more artfully with ACH files, batches and transactions, they will more readily bypass caps, limits, and calendar validations. Realistically, it is becoming untenable for operational staff to hunt and peck for fraud the way they do today. The fraudulent needles are getting smaller as the haystack of payments grows larger.

In an infographic that we just released, we call out the four levels of fraud infiltration. You’ll see as you study the diagram that criminals are moving further and further into the files, making traditional “hunting and pecking” approaches to finding fraud unsustainable.

Here’s a sneak peek at the four levels.

  • LEVEL ONE – Fraudster submits a new ACH Batch file, all of which is fraudulent. Fraudulent files may or may not violate caps or calendar rules.
  • LEVEL TWO – Fraudster breaks into an existing batch file and adds new payments, which changes the number of transactions in the file and the total amount of all transactions in the file. Files may still be below established caps/limits.
  • LEVEL THREE – Fraudster breaks into an existing batch file and adds some new credit transactions (steals some money), but simultaneously adds some new debit transactions that leave the total dollar movement for the file as a whole unchanged.
  • LEVEL FOUR – Fraudster breaks into an existing batch file and edits specific parts of existing transactions (e.g. The payee account number), which leaves the number of transactions and the total dollar movement for the file as a whole unchanged.
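
The four levels are easy to reason about in code, so here is an added example (not Guardian Analytics or FraudMAP code) that builds a small payroll batch in the NACHA entry detail and batch control layouts, applies each level of tampering, and runs two kinds of check against it: the control-total checks that caps, limits and calendar rules work from, and a per-payee comparison against the originator’s own history, which is the kind of triage the Same Day ACH post above argues for. The payroll batch, the payee history, the routing numbers and the 20% amount tolerance are constructed for the example. The control checks catch levels one and two, see only the entry count at level three, and see nothing at level four; the history-based check flags all four.

```python
# Added example (not Guardian Analytics / FraudMAP code): simulate the four levels of ACH
# batch tampering and show which checks catch which level. Record layouts follow the NACHA
# type-6 entry detail and type-8 batch control formats; the payroll batch, payee history,
# routing numbers and the 20% tolerance are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    tx_code: str   # '22' = checking credit, '27' = checking debit
    routing: str   # 9-digit receiving DFI routing number (8 digits + check digit)
    account: str   # receiver's account number (up to 17 characters)
    cents: int     # amount in cents
    name: str      # individual name (22 characters max)


def entry_record(e: Entry) -> str:
    """Render one 94-character NACHA type-6 entry detail record (no addenda)."""
    rec = ("6" + e.tx_code + e.routing[:8] + e.routing[8] + e.account.ljust(17)
           + f"{e.cents:010d}" + "".ljust(15) + e.name.ljust(22)[:22] + "  " + "0"
           + "0" * 15)
    assert len(rec) == 94
    return rec


def parse_entry(rec: str) -> Entry:
    """Inverse of entry_record: pull the fields an analyst cares about back out."""
    assert len(rec) == 94 and rec[0] == "6"
    return Entry(rec[1:3], rec[3:12], rec[12:29].strip(), int(rec[29:39]), rec[54:76].strip())


def batch_control(entries) -> dict:
    """The totals carried in the type-8 batch control record, which is all a cap, limit
    or calendar rule ever sees: entry count, entry hash, total debits, total credits."""
    return {
        "count": len(entries),
        "hash": sum(int(e.routing[:8]) for e in entries) % 10**10,
        "debit": sum(e.cents for e in entries if e.tx_code in ("27", "37")),
        "credit": sum(e.cents for e in entries if e.tx_code in ("22", "32")),
    }


# Constructed history: last period's payroll batch from the same originator, credits only.
BASELINE = [
    Entry("22", "021000021", "1234567", 250000, "ALICE SMITH"),
    Entry("22", "011000015", "7654321", 180000, "BOB JONES"),
    Entry("22", "091000019", "5555555", 310000, "CAROL LEE"),
]


def tampered_batch(level: int) -> list:
    """Constructed tampering at each of the four levels."""
    mule = Entry("22", "071000013", "9009009", 20000, "MULE ACCT")
    if level == 1:   # whole batch is the fraudster's
        return [mule, Entry("22", "071000013", "9009010", 45000, "MULE TWO")]
    if level == 2:   # append a credit: count and totals change
        return BASELINE + [mule]
    if level == 3:   # add a credit plus an offsetting debit: net movement unchanged
        offset = Entry("27", BASELINE[0].routing, BASELINE[0].account, 20000, "ALICE SMITH")
        return BASELINE + [mule, offset]
    if level == 4:   # redirect an existing payment: count and totals unchanged
        carol = BASELINE[2]
        return BASELINE[:2] + [Entry(carol.tx_code, mule.routing, mule.account, carol.cents, carol.name)]
    raise ValueError(level)


def control_checks(entries, expected: dict) -> list:
    """What control totals alone reveal against the expected batch profile."""
    ctl = batch_control(entries)
    findings = []
    if ctl["count"] != expected["count"]:
        findings.append("entry count changed")
    if ctl["credit"] - ctl["debit"] != expected["credit"] - expected["debit"]:
        findings.append("net dollar movement changed")
    return findings


def behavioral_checks(entries, history, tolerance=0.2) -> list:
    """Per-payee comparison against the originator's own history: a receiver it has never
    paid, a debit where it only ever sent credits, or an amount far from the usual value
    is anomalous even when every control total matches."""
    known = {(e.routing, e.account): e for e in history}
    findings = []
    for e in entries:
        prior = known.get((e.routing, e.account))
        if prior is None:
            findings.append(f"new receiver {e.routing}/{e.account} for {e.name!r}")
        elif e.tx_code != prior.tx_code:
            findings.append(f"transaction code changed for {e.name!r}")
        elif abs(e.cents - prior.cents) > tolerance * prior.cents:
            findings.append(f"amount for {e.name!r} outside usual range")
    return findings


def analyze(level: int) -> dict:
    """Run both kinds of check on a tampered batch, round-tripped through the wire format."""
    batch = [parse_entry(entry_record(e)) for e in tampered_batch(level)]
    return {"control": control_checks(batch, batch_control(BASELINE)),
            "behavioral": behavioral_checks(batch, BASELINE)}


if __name__ == "__main__":
    for lvl in (1, 2, 3, 4):
        print(f"level {lvl}:", analyze(lvl))
```

The history here is a single prior batch; a real baseline would be built from many periods per originator, and the tolerance would come from the observed spread of each payee’s amounts rather than a fixed percentage.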

Guardian Analytics was founded to turn online banking fraud prevention upside down. Using behavioral analytics, our solution has turned two hundred financial institutions into highly proactive organizations that have high-risk activity detected FOR them before money leaves the bank. With FraudMAP ACH, we are again fundamentally changing how FIs manage their risk, this time by applying our proven anomaly detection capabilities to ACH transactions. Regardless of how deep the criminals go, or how stealthy they are, FraudMAP ACH will surface any unusual activity and prioritize it for review. No more hunting and pecking. The needles stand out bright red no matter how big you

 

PATCO ACH Fraud Ruling – Lessons Learned

As you’ve probably read by now, on July 3 the First Circuit Court of Appeals in Boston ruled in favor of PATCO in their lawsuit against Ocean Bank over fraud losses, reversing the U.S. District Court‘s 2011 judgment that favored the bank. Rather than merely rehashing the ruling, I’d like to offer some lessons learned and thoughts on how financial institutions can respond.

Where this all began – a  fraud attack

In a series of 6 fraudulent ACH transfers in 2009, fraudsters were able to drain $580,000 out of PATCO’s commercial account with the former Ocean Bank (now People’s United Bank). The bank was able to recover $243,000, leaving approximately $340,000 in losses.

The Initial Ruling

In 2010 PATCO filed suit against Ocean Bank to recover its losses. In the original ruling in August 2011, the District Court ruled in favor of Ocean Bank, stating that the bank did, in its opinion, have “commercially reasonable” security in place. This opinion stemmed primarily from the fact that PATCO had signed a contract with the bank agreeing to the bank’s security procedures, and also that the bank had a common security solution in place.

With that said, the ruling did go out of its way to note that the bank probably should have detected the unusual activity, since it was so unusual relative to PATCO’s typical behavior.

The Reversal on Appeal

Interestingly, the appellate court took a much broader view of what a “commercially reasonable” security solution offered and paid greater attention to the bank’s actions in utilizing the technology solutions that they had in place, not just the technology itself.

Here are some notable examples from the latest ruling:

  • The bank used what the court calls a “one-size-fits-all” approach to monitoring and authenticating transactions. All ACH and wire transactions over $1 triggered a challenge question. The original intent was to increase security, but the actual impact was an increase in the chance that the response would be compromised, ultimately weakening this defense.
  • The bank had the ability to monitor high-risk transactions through its transaction-profiling and risk-scoring system, but chose not to do so. As one example, Ocean Bank’s scoring system gave the first fraudulent transaction a risk score of 790; PATCO’s usual risk scores ranged between 10 and 214.
  • The fraudulent ACH transfers out of PATCO’s account went to numerous individuals PATCO had never paid before. The perpetrators also logged in from devices and IP addresses never used by PATCO.

“The payment orders at issue were entirely uncharacteristic of PATCO’s ordinary transactions,” the ruling states. “These collective failures, taken as a whole, rendered Ocean Bank’s security procedures commercially unreasonable.”

I’m not trying to paint Ocean Bank as a ‘bad guy’ but rather to express a challenge the whole industry is facing. With criminal attacks growing more stealthy and more speedy every day, and without the right tools to pinpoint the bad actors, it is difficult for any bank to stay on top of the ever-growing online and mobile activity.

Lessons Learned

With that said, here are a few takeaways from this whole situation.

  • Having a lot of technology is not enough. The courts are setting the stage that they will look for how the use of technology impacts the overall security.
  • The courts are shifting expectations of banks. Taken in conjunction with two other high-visibility lawsuits – EMI v. Comerica and Village View Escrow v. Professional Business Bank – the courts are expanding what is expected of financial institutions, or at least setting precedents that define terms such as “reasonable security” or “good faith”. In both cases with judgments, the courts mention that the banks should have been able to detect the fraudulent activity because it was so unusual relative to typical customer behavior.
  • “One size fits all” doesn’t work. Security solutions and policies must be dynamic and tuned to each customer, situation, transaction, or online banking session. In other words, financial institutions need better tools to avoid having to consider such a “one size fits all” approach. On this point Gartner’s Avivah Litan commented, “Small banks just don’t have any resources to monitor 15-20 percent of the log-ins every day; they need better tools.”
  • Monitor. Monitor. Monitor. The fraudsters are clever and sophisticated, and unfortunately, financial institutions cannot let up for a minute. In the PATCO case, the fraudsters got through user ID & password, cookie-based device authentication, IP address profiling, challenge questions, and risk scoring, which taken together satisfied the “commercially reasonable” litmus test. Fraudsters have repeatedly demonstrated the ability to surmount these defenses; FIs stand a better chance of detecting fraud only when they are actively monitoring activities and acting on the alerts those tools produce.
  • Total losses are much higher than the fraudulent transfer. While the ruling did not award specific damages, instead simply encouraging the two parties to settle out of court, the legal costs, productivity losses, and negative PR dwarf the nominal fraud loss.

What’s a Financial Institution to Do?

I doubt anyone would debate that fraud prevention is a responsibility shared between the financial institution and their commercial clients. And when things go bad, it’s clearly a point of contention – often a severely divisive one – as to how this responsibility is shared. I encourage bankers to thoroughly consider how they can use the lessons learned from this case to do their part, and maybe even more than their part.

In today’s competitive, tight-margin banking environment, this ruling suggests to me an opportunity to use security as a differentiator to win new accounts and expand services (i.e. increase revenue). This is the ideal time to first put in place truly effective fraud prevention solutions across online, mobile and ACH channels, and then feature your commitment to preventing fraud in your communications to customers and prospects.  And, there are modern tools available that deliver efficient and effective fraud prevention.

Your business clients are not experts in security, which is why they are under attack from criminals. And again, security today is a shared responsibility, but the reality is that they are dependent upon you, their banking institution, and they (quite reasonably) expect you to be an expert (keep an eye out for more stats on this from our upcoming business banking trust study).

So, I encourage you to be the expert. Put in place outstanding layered security with the people and policies to ensure it works as designed. And then use that investment to gain new business and improve customer trust, loyalty, and longevity.

About Guardian Analytics

Guardian Analytics is the technology leader in the prevention of online account fraud, providing real-time risk management solutions that protect online channels. The company supports the end-to-end online risk management process with rich analytics and behavior-based modeling. We offer an analytics-based software solution that addresses the entire risk management lifecycle.