Sued Business Finds a New BankHillary Machinery Cites Security in Selection of New Institution
"Our new banking partner asked us not to mention their name, as they would rather not be brought into this whole fiasco," says Troy Owen, a vice president at Hillary Machinery. But he describes the institution as a "large world bank that takes fraud very seriously, as they have much more at risk than a smaller bank."
Hillary's previous bank, PlainsCapital, a $4.4 billion Dallas-based institution, sued Hillary late last year, following a dispute over a series of incidents that began when cyber thieves made a series of ACH transactions that totaled $801,495 from Hillary Machinery Inc.'s bank account. The bank was able to retrieve about $600,000 of the money, but when Hillary subsequently requested that the bank refund the remaining $200,000, PlainsCapital responded with its lawsuit. Hillary subsequently filed a countersuit against the bank. At issue in this conflict: What constitutes "reasonable security?"
Shopping for a New Bank
"PlainsCapital's decision to deny its inherent responsibility to protect a customer and file a lawsuit is what prompted us to start looking for another bank," says Owen. "PlainsCapital left us little choice. We needed a bank that could protect our deposits."
After researching trends in bank security and due diligence of several financial institutions, Hillary chose a large money center bank to protect its future commercial deposits. "Specifically, major money center banks simply have more resources to dedicate to a defense-in-depth, or a layered security program," Owen says. The selection team sought true two-factor authentication as a first layer, intense fraud controls as a second layer, as well as resources to change as threats evolve. "They also don't simply comply with regulator's expectations," he says. "They do whatever is necessary to protect themselves and their customers."
Although strong authentication was important criterion in evaluating potential banks, sophisticated fraud detection was equally important, considering some of the unusual activity that went unnoticed on Hillary Machinery's account at PlainsCapital prior to and during the fraudulent transactions in November of 2009. "We are not bank IT security specialists," Owen says. "We are a small business that sells and services manufacturing equipment. We needed a bank that had the expertise and resources that professionally and seriously takes on the responsibility of protecting our commercial deposits and stays up to date on authentication and fraud detection systems as threats change."
Fraud's Toll: $120 Million
The ongoing threat of ACH transaction fraud is due in part to the lack of defense in depth at the smaller institution/service provider level, says the Internet Crime Complaint Center (IC3). The FBI's analysis has found in most cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions.
This trend jibes with FDIC's David Nelson's assessment of the threat. "Banks and business customers may be over-relying on authentication and not using layers of controls," says Nelson, a specialist in the Cyber Fraud and Financial Crimes Section at the FDIC. In a recent presentation at the RSA Conference, Nelson said the FDIC estimates banking customers have lost $120 million to fraud over the past year.
In preparation for the litigation with PlainsCapital Bank, Hillary's team is putting together a timeline of all the cautionary statements and alerts issued by government agencies and banking groups, including the FDIC, FTC, FBI and American Bankers Association. "It will likely not bode well for any bank that was targeted," Owen says, "because they were warned by multiple agencies prior to them being hit."