ACH Fraud: The Great DebateSecurity Vendor, ABA Square Off with Opposing Views on How to Protect Banks, Businesses from Corporate Account Takeover
In separate interviews this week, Doug Johnson of the American Bankers Association (ABA) and Jim Woodhill, a security services vendor, offer diametrically opposed perspectives on this issue of how to prevent corporate account takeover.
Woodhill, founder and chairman of Chicago-based Authentify Inc., is currently lobbying for more protections for small business. Pointing to the PlainsCapital-Hillary Machinery case, which revolved around the definition of "reasonable security," Woodhill says banking institutions won't provide commercial customers with more protection unless they're forced.
"We can't stop ACH fraud, but we can stop the (commercial) victims from being stuck with the losses from ACH fraud," Woodhill says in his interview with Tom Field, editorial director of Information Security Media Group, publisher of this site.
Amending Reg E, which currently protects only consumers - not businesses -- would be a good first step, Woodhill says.
"We've been to Washington, D.C. a number of times and met with members of the House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, and the Senate Banking Committee, Subcommittee on Financial Services," Woodhill says. "In just about every case, it's a complete surprise, and they don't believe you have the story right. It sounds impossible, you know, that banks would allow this to happen to their commercial customers."
Johnson, vice president of risk management policy for the ABA, says amending Reg E is a bad idea -- one that would pit banks against their commercial customers.
"(Changes) on the retail side of Reg E would completely absolve a retailer from any responsibility, and you can see from a community bank standpoint how that might not be effective," he tells Field. "When you place Reg E protections, legislatively or otherwise, in the business account environment, you potentially do tremendous violence to the business model, [create] tremendous disincentives for the banks to provide basic products for our commercial customers that they have come to expect."
Rather, Johnson sees stronger protections against database breaches coming from a more collaborative approach one that takes FI and business interests to heart.
"I do reject the notion that somehow community banks don't have the ability to protect their smaller business customers," he says. "Community banks, just like larger banks, have the ability to protect customers. ... I think the biggest risk we face here with corporate account takeover is the damage it does to financial institutions and customers. Because I do believe at the end of the day, it's all about shared responsibility to protect accounts."