5 Things Your Credit Union Must Know About Wire Fraud April 8, 2015 Moderator E. Andrew Keeney, Esq. Presenter R. Johan Conrod, Jr., Esq.
R. Johan Conrod Jr., Esq. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3183 rjconrod@kaufcan.com E. Andrew Keeney, Esq. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153 eakeeney@kaufcan.com http://www.kaufmanandcanoles.com/movies/credit-unions.html
Introduction • The goal of this Webinar is to provide credit unions practical tools to – Understand the fundamentals of authentication processes, – Know how wire fraud bond coverage works just in case a fraud occurs, and – Recognize best practices to prevent wire fraud and protect bond claims These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet users should not act upon this information without seeking professional counsel from a lawyer licensed in the reader’s home jurisdiction.
Wire Fraud Is Everywhere • Criminals are creative – a recent widespread scam targeted HELOCs and involved more than two dozen credit unions (Credit Union Times, 11/25/14) • Overall, wire fraud cases have risen tenfold in the past 10 years (Wall Street Journal, 10/9/13) • Wire fraud incidents are increasing at a faster rate than even identity theft (WSJ, 10/9/13)
The 5 Things 1. What is authentication? 2. How is authentication applied in real life? 3. What wire fraud coverage is available under my fidelity bond? 4. Do other bond coverages apply? 5. How can I best protect my credit union?
THE BASICS OF IDENTITY AUTHENTICATION
Point of Clarification • FFIEC guidance relates specifically to online banking – Most wire transfer requests are made through phone, facsimile or in-person requests, not via your online banking system – However, the principles that form the foundation of the FFIEC guidance are critical to understanding authentication in general, including as it relates to wire transfers
AUTHENTICATION FACTORS RECOGNIZED BY THE FFIEC Authentication refers to the process by which a credit union verifies that the person making a request is authorized to make the request. Authentication can be either “single-factor” or “multi-factor” – the more factors, the more security. The 3 categories of “factors” are: (1) something you know (password or PIN), (2) something you have (ATM card or phone number that can be called), or (3) something you are (fingerprints, retina scans, etc.)
Multi-factor Authentication • Multi-factor authentication refers to the act of using more than one category of factor when authenticating a person’s identity • Using an ATM is a classic example of multi-factor authentication: the PIN is “something you know,” and the ATM card itself is “something you have”
Critical Point! • “Multi-factor” authentication refers to multiple different types of authentication, not multiple uses of the same type of authentication • For example, asking for multiple passwords is not multi-factor authentication, because all passwords fall under the “something you know” type of authentication
FFIEC Guidance • Single-factor authentication is “inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.” • In other words, you typically must use some form of multi-factor authentication when wiring funds • However, multi-factor authentication alone might not be enough in today’s Internet environment – procedures such as “dual control” may be required – Dual control requires authentication from more than one individual (for example, two employees of the member business rather than one) before a transaction is authorized
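To make the “Critical Point” and the dual-control rule concrete, the following is an added example (not from the webinar, the presenters, or any vendor product) of a wire-release policy check. It classifies each presented credential into one of the three FFIEC factor categories, refuses to call two “something you know” credentials multi-factor, and, when dual control is enabled, additionally requires two distinct approvers. The credential names, the `Approval` record, and the mapping of credential kinds to factor categories are assumptions made for illustration.

```python
"""Added illustration of FFIEC factor categories and dual control.
Constructed example; the credential kinds and policy are hypothetical."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Hypothetical mapping of credential kinds to FFIEC factor categories.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "challenge_question": Factor.KNOW,   # still "something you know"
    "callback_to_registered_phone": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "atm_card": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


@dataclass(frozen=True)
class Approval:
    """One person's sign-off on a wire, with the credentials they presented."""
    user: str
    credentials: tuple


def factor_categories(credentials):
    """Return the set of distinct factor categories covered by the credentials."""
    categories = set()
    for kind in credentials:
        if kind not in CREDENTIAL_FACTOR:
            raise ValueError(f"unknown credential kind: {kind}")
        categories.add(CREDENTIAL_FACTOR[kind])
    return categories


def is_multi_factor(credentials):
    """True only when at least two *different* categories are present.
    Two passwords, or a password plus a challenge question, do not qualify."""
    return len(factor_categories(credentials)) >= 2


def evaluate_wire(approvals, require_dual_control=False):
    """Decide whether a wire may be released.

    Every approver must have authenticated with multi-factor credentials.
    With dual control, at least two distinct approvers are also required.
    Returns (ok, reasons) where reasons lists every failed check."""
    reasons = []
    for a in approvals:
        if not is_multi_factor(a.credentials):
            names = sorted(f.value for f in factor_categories(a.credentials))
            reasons.append(f"{a.user}: single-factor only ({', '.join(names)})")
    if require_dual_control and len({a.user for a in approvals}) < 2:
        reasons.append("dual control requires two distinct approvers")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample approvals, not real member data.
    alice = Approval("alice", ("password", "callback_to_registered_phone"))
    bob = Approval("bob", ("password", "challenge_question"))
    print(evaluate_wire([alice]))                             # single control, MFA: ok
    print(evaluate_wire([alice], require_dual_control=True))  # one approver: rejected
    print(evaluate_wire([alice, bob], require_dual_control=True))  # bob is single-factor
```

The `bob` case is the one to note: a password plus a challenge question both fall under “something you know,” so the check treats it as single-factor even though two secrets were asked for.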
“Single Factor Authentication”
Survey Question # 1 “Multi-factor authentication” refers to: a. An algebraic equation you must know for the SAT; b. How NASA calculates coordinates for the Mars rover landing; c. The act of using more than one category of factor when authenticating a person’s identity
UCC Article 4A • Deals with wire fraud authentication in the commercial transaction context and risk shifting • Shifts risk of loss from financial institutions to the member if the CU uses “commercially reasonable security procedures” set forth in a written agreement with the member that governs the transaction at issue
Commercially Reasonable Security Procedures • Does not require use of the “best” available procedures, just those that are reasonable under the circumstances • 4A gives examples – “algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices” • Handwriting analysis is not a commercially reasonable security procedure
Commercially Reasonable Security Procedures, cont. • “One size fits all” procedures are not sufficient – procedures must fit the particular member • 4A says in assessing commercial reasonableness, courts should consider “the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated”
Patco Construction Co., Inc. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012) • $588,851 in fraudulent withdrawals from Patco’s account • Bank claimed its security procedures were reasonable and therefore Patco had risk of loss • Trial court agreed with Bank – But appeals court reversed, finding that procedures were not commercially reasonable
Patco Construction Co., cont. • Bank used third-party security software with multiple security options, including user IDs and passwords; invisible device authentication via “cookies”; risk profiling via assessment of geo-location, IP address and transaction history; and use of “challenge questions” • But Bank mis-stepped in 2 big ways: – Bank lowered the threshold for use of challenge questions to $1, which meant that the questions were asked every time Patco performed any transaction – Bank did not follow up on warnings generated by the software system • Fraudsters used keylogging malware, which captured the challenge question answers as they were typed so often and enabled the theft
Patco Construction Co., cont. • According to the appeals court, failing to follow up on software warnings and lowering the challenge question threshold to $1 were both commercially unreasonable under the circumstances • The Bank argued that lowering the challenge question threshold to $1 for all bank customers helped the bank better catch small frauds • But the appeals court rejected this position – the court said that the question of commercial reasonableness must be analyzed on a customer-by-customer basis • “One size fits all” solutions are not reasonable, said the court
Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014) • $440,000 fraudulent wire from Choice’s account to an account in the Republic of Cyprus • Prior to the fraud, Bank had offered heightened security procedures but Choice declined them • Appeals court found that because Choice turned down procedures that were commercially reasonable, risk of loss fell on Choice and not Bank
Choice Escrow & Land Title, LLC, cont. • Court recognized that security procedures must evolve as fraudsters become more sophisticated – so a procedure that is reasonable today may not be tomorrow • Bank offered “dual control” option to Choice because multi-factor authentication standing alone may not have been sufficient • Choice declined dual control, and instead used single-control process, which only required authentication information from one employee rather than two
Survey Question # 2 Yes or No: Handwriting analysis is a commercially acceptable security procedure under the UCC?
FIDELITY BOND COVERAGE FOR WIRE FRAUD
BOND COVERAGE IS NOT AN EXCUSE TO AVOID IMPLEMENTING ADEQUATE SECURITY PROTOCOLS • “Insurance coverage is not a substitute for an information security program. …[T]he Security Guidelines require a financial institution to implement and maintain controls designed to prevent those [fraudulent] acts from occurring.” – Interagency Guidelines Establishing Information Security Standards , Board of Governors of the Federal Reserve System
“Don’t worry, insurance will cover it.”
Typical Bond Language
Alternate Coverage • Note that at least one major credit union bonding company has recently changed its funds transfer coverage so that, instead of providing full coverage, the insurer shares all funds transfer loss above $25,000 50/50 with the credit union
Recommend
More recommend