Corporate Account Takeover
The Texas Bankers Electronic Crimes Task Force (Task Force) developed a list of recommended processes and controls to assist banks in reducing the risks of Corporate Account Takeovers. The recommended processes and controls are structured under the Protect, Detect, and Respond framework developed by the United States Secret Service, the FBI, the Internet Crime Complaint Center (IC3), and the Financial Services Information Sharing and Analysis Center (FS-ISAC). The Task Force expanded upon these processes and controls using in part, the collective contributions from the following IT Security and Audit firms: Aporia Solutions; Compass Group Consultants, LP; CoNetrix; Ernst & Young, LLP; Experis Finance (formerly known as Jefferson Wells); Grant Thornton; Solis Security; Solutionary, Inc.; The Garland Group; and Virtuosi Group. Subsequently, a set of Best Practices has been compiled for each of the recommended processes and controls. These Best Practices are not an all-inclusive list and are provided as guidance to assist in implementing the recommended processes and controls to reduce the risk of Corporate Account Takeover theft. For minimum standards of risk management please refer to Supervisory Memorandum 1029.
Tools and Resources
The following sample presentations and forms are not endorsed, recommended or required by the Texas Department of Banking.
|“Practices for Reducing the Risks of Corporate Account Takeover”
Webinar hosted by IBAT and TBA, Moderated by SWACHA on January 25, 2012
|Presentation (slides only)|
|Presentations on Corporate Account Takeover||Sample for Bank Employees
Sample for Bank Customers
|CATO Project Tracking Tool||Project Status Report|
|Risk Assessment for Corporate Account Takeover||Sample Risk Assessment|
|Notice of Fraudulent Activity for Corporate Account Takeover||Sample Notice of Fraudulent Activity|
|ELOC Table Top Exercises||PowerPoint Exercise|
Frequently Asked Questions
Question 1: What’s the difference between the FFIEC Supplemental Guidance and the recent issuances by the Department of Banking and the Texas Bankers Electronic Crimes Task Force (Supervisory Memorandum 1029 and "Best Practices")?
Answer: The primary difference is the focus and depth of the documents. The "Best Practices" developed by the Texas Bankers Electronic Crimes Task Force (and the resulting Supervisory Memorandum issued by the Texas DOB) is more comprehensive. The FFIEC Supplement to Authentication in an Internet Banking Environment focuses on recommending controls to properly authenticate a customer. The "Best Practices" address that as well, but were developed by the banking industry to focus on how to implement controls (with specific options provided) and how to specifically respond to a theft. It was structured in a format to assist the industry in quickly protecting itself against these thefts. Additionally, the Task Force focused on controls just related to corporate accounts. The FFIEC Supplemental Guidance includes some requirements for consumer accounts. The Task Force and Texas Department of Banking documents are found on the Recommendations page of this website.
Answer: The amount of time it will take a financial institution to complete their risk management program for corporate account takeovers will depend on the size and complexity of the financial institution. Regular and continued progress during 2012 is expected, with the entire risk management program completed no later than December 31, 2012. Financial institutions of all sizes and locations have been affected by these large dollar thefts, which is why it is imperative that all financial institutions identify, develop, and implement a risk management program.
Question 3: Our financial institution does not utilize online corporate banking. Do we have to implement a risk management program?
Answer: An entire corporate account takeover risk management program is not needed if online banking services are not offered to corporate customers. This should be documented in a risk assessment. Please be aware that the FFIEC Supplemental Guidance addresses expectations regarding BOTH corporate and retail accounts. If your financial institution offers online banking services to retail/consumer accountholders, then, at a minimum, action will be needed related to enhanced authentication for your online retail customers. If you do not provide any online banking services or telephone voice response systems, you will need to document this in a risk assessment.
Question 4: What will be the criteria for determining when a Special Review regarding Supervisory Memorandum 1029 will be conducted?
Answer: No specific criteria have been established, as we anticipate the initial review of all state-chartered banks will begin in March 2012. These reviews will be conducted primarily off-site and will consist of general questions to gauge the institution’s initial plans and progress for implementing Supervisory Memorandum 1029. Should the risk assessment be incomplete at the time of the initial review, the institution will be asked to submit the assessment within a reasonable period of time. No formal report will be generated from this initial review, but institutions will be advised concerning their progress to date and suggestions, if any, to comply with Supervisory Memorandum 1029. All state-chartered banks are expected to be in full compliance with Supervisory Memorandum 1029 as of December 31, 2012.
Question 5: Should we notify the task force of previous takeovers we have dealt with to add to their records?
Answer: The Task Force does not need to be notified, however, a Suspicious Activity Report (SAR) should be filed with FinCEN on any incidents not previously reported. New guidelines, regarding information to provide in a SAR when identifying and reporting account takeover activity, are found in FinCEN Advisory 2011-A016 issued in December 2011.
Question 6: Should banks file Suspicious Activity Reports (SARs) if they discover what appears to be a Money Mule's account at their bank?
Answer: Yes, if you suspect an account is receiving stolen funds, you should file a SAR. Also, recent amendments to NACHA rules, effective January 1, 2012, may allow your institution to delay making the funds available, if you reasonably suspect that the ACH credit is not authorized.
Question 7: Where is the best place to look for contact information on banks that received money transferred from our bank during a corporate account takeover theft?
Answer: Banks that have been involved with these types of thefts report that one of the most frustrating aspects of trying to recover the stolen money is locating and talking to the appropriate person at the receiving bank. The Task Force recommends starting with the phone number of the receiving bank’s ACH department which can be found using the Federal Reserve's FedACH Directory. You can search the directory using the routing number for the receiving bank.
Question 8: Can the corporate account takeover risk assessment be added to our existing IT assessment?
Answer: Yes. The method of assessing the risk is completely up to the financial institution. The Task Force developed a sample Risk Assessment in an Excel spreadsheet format that is similar to a format used by many financial institutions in Texas so they can be easily merged together. The sample risk assessment is available on the Tools and Resources page of this website.
Question 9: When a Corporate Account Takeover theft occurs, are the wire and ACH transactions generally sent out of the country, or do they go to accounts within the United States?
Answer: The thefts studied by the Task Force involved transactions where the funds were initially sent to money mule accounts within the United States. The money mules quickly transferred the stolen funds to either an overseas account or to another intermediate account in the United States before being transferred out of the country.
Question 10: Is there a recommended timeframe for providing the Board with an outline of these thefts and the actions our financial institution is taking?
Answer: No specific timeframe was designated in Supervisory Memorandum 1029 or the "Best Practices" document since institutions vary in size and complexity; however, for most institutions, an initial briefing should be conducted within 60 days of the issuance of Supervisory Memorandum 1029 and follow-up briefings made periodically as a financial institution progresses in developing its risk management program. Providing the Board with at least an estimate of the number of corporate customers performing online transfers is recommended. Some Boards might want to review the customer education material on corporate account takeovers, since they, too, may be small business owners at risk. Multiple briefings on the implementation of a financial institution's risk management program are appropriate.
Question 11: Is NACHA changing the rules in the event of a fraudulent event? We had an event almost 2 years ago and we started making phone calls to 38 banks involved immediately, but it didn't help because the money was already out of the mule's accounts.
Answer: NACHA implemented a new rule on Corporate Account Takeover: Voluntary Availability Exception Option for RDFIs, which was effective January, 1 2012. This new rule provides an option for an RDFI to take advantage of a voluntary exception from the existing funds availability requirement prescribed within the Rules for an ACH credit when the RDFI reasonably suspects that the ACH credit is not authorized. The additional time might enable ODFIs and RDFIs to identify unauthorized credit entries due to corporate account takeover, and recover funds on behalf of originators. Refer to the 2012 NACHA Operating Rules & Guidelines, pages ORxxxi and OR36, Section 3.3, Subsection 126.96.36.199 and 188.8.131.52.
The Task Force has recommended that financial institutions trying to recover stolen funds submit a fraudulent ACH file alert request to the Federal Reserve Bank. A fraudulent file alert may help prevent the RDFI from delivering funds to a money mule. The Task Force also recognized that “immediate” calls to the receiving banks are very critical and recommended several practices to be included in the Incident Response Plan to help improve recovery. These recommendations are in the “Respond” section of the "Best Practices".
Answer: The purpose of rating (or ranking) corporate customers is simply to help identify those customers at greatest risk and then to assist the financial institution in determining how to implement their risk management program. Any method that works to achieve those goals is satisfactory. The “Best Practices” developed by the Task Force (found on the Recommendations page of this website) provides some suggested criteria for rating (or ranking) customers.
Question 13: What should we tell the customer to do if they think they may have malware on their computer? (i.e. they clicked on a link, etc.)
Answer: If the deceptive link was received through typical malware distribution methods (such as fake emails that are known to be circulating) and the malware is presumed to have been installed, the customer should be advised to contact computer/security professionals to clean and secure their computer system. Cleaning and securing a computer network (or even individual computers) can be complicated and requires detailed knowledge of the network configuration and how the computers at the business are used. The financial institution should also strongly consider disabling the customer's online access until notified by the customer that the malware has been removed. Once the malware has been removed, the customer's access credentials may be reset.