The State of ACH Fraud
Incidents Continue; We Just Hear Less About Them
A year ago, ACH/wire fraud was common enough that the U.S. Federal Financial Institutions Examination Council was inspired to issue the FFIEC Authentication Guidance update, which in part took banking institutions to task for not doing enough to detect and prevent incidents of corporate account takeover. The guidance spells out steps institutions can take to help deter ACH/wire fraud.
So, what difference has the guidance made? As institutions work to conform with the guidelines, are they now doing a better job of stopping these incidents?
Opinions are mixed: Some insiders feel we hear less about ACH and wire fraud because fewer incidents are occurring. Others say banks and credit unions are simply not catching the fraud that's still going on - or they're settling with their customers quietly and avoiding embarrassing publicity. [See Account Takeover: Better or Worse?]
In fact, evidence suggests incidents of ACH/wire fraud are growing. Yet, many U.S. institutions are either failing to detect the incidents, or are doing what they can to address their breaches outside the purview of public attention.
Interestingly, FinCEN, the Financial Crimes Enforcement Network, has issued an advisory to help banks and credit unions identify incidents of corporate account takeover, some of which could be linked to ACH and wire fraud.
FinCEN says it wants banking institutions to report takeover activity through suspicious activity reports.
Jane Larimer, executive vice president and general counsel of NACHA - The Electronic Payments Association, says FinCEN's advisory is a constructive sign.
"From our perspective, this is a positive development that will better enable the industry to use consistent, accurate data in understanding and evaluating corporate account takeover, including unusual ATM activity, sudden wire transfers, changes to customer and account profiles, and clustered ACH transactions in particular geographies," she says. "This data will enable us to better differentiate corporate account takeover activities and payment mechanisms (wire versus ATM versus ACH, etc.), so financial institutions can better monitor patterns of activity and proactively address issues."
But I doubt the advisory will have much of an impact, at least not in the short term. Frankly, I don't think many institutions have a good handle on the amount of fraud that's targeting their customers. In part, we're hearing less about ACH- and wire-related fraud because cybercriminals have gotten savvier. Institutions and businesses are getting hit from angles they aren't anticipating, and fraudsters are deploying multiple attacks at once, so banks are distracted from the account takeover attempts.
And often when fraud incidents are detected, banks and credit unions are handling those matters discreetly by reimbursing customers for losses, rather than dragging controversies into a public forum. Who wants to be the next Comerica Bank or PlainsCapital Bank, making headlines over lawsuits with customers?
Having accurate data is always good for the industry, as Larimer rightly says. Few would disagree. But what's the incentive for institutions to report these incidents (if, in fact, they're aware of them)? After all, no bank wants to be the one to step forward and be the poster child of fraud protection gone wrong.
By this time next year, perhaps this will be a moot point. As banking regulators initiate their audits this month, checking banks and credit unions for conformance with the updated online authentication guidance, we all should get a better handle on how successfully institutions are detecting and preventing fraud. If institutions are in conformance, their fraud numbers should be down.
It's about layered security, anomaly detection, administrative controls and customer awareness, right? That's what the FFIEC Authentication Guidance told us. Now it's up to banking institutions to show they've taken the time and made the investment to prevent ACH/wire fraud.