The Legal Side to Risk Assessment
Courts Want to Know Banks Are Testing Technologies
By Tracy Kitten, July 18, 2013.
Former federal banking examiner Amy McHugh says detailed risk assessments have to be a priority. And recent legal decisions handed down by courts in disputes involving incidents of corporate account takeover prove just how critical those assessments are, she adds.
Ongoing and regular risk assessment allows banking institutions to test their technologies and adjust to the changing threat landscape - two points on which regulators and the courts are holding banks and credit unions more accountable, says McHugh, a bank adviser and former IT examination analyst for the Federal Deposit Insurance Corp., during an interview with BankInfoSecurity [transcript below].
"The FFIEC agencies are requiring more of their financial institutions, as far as performing detailed annual risk assessments of their online banking services, making sure that - particularly for their business customers that perform higher-risk, electronic transactions online for ACH and wire transfer origination - they are really risk-assessing those products and ensuring that they have implemented appropriate security measures to address the increasing risks for those services, as well as the risks that are becoming more apparent in the industry," she says.
McHugh says the clear message from the courts is this: Ensure online controls align with the Federal Financial Institutions Examination Council's updated authentication guidance, as well as Article 4-A of the Uniform Commercial Code.
"What I see emerging is the court's increased reliance on guidance, particularly the FFIEC's 2005 and 2011 guidance," she says. "I also see the fleshing out of the UCC's 4-A analysis of what constitutes a secure procedure."
Banking institutions must constantly re-evaluate whether they are adequately addressing their risks and meeting the minimal requirements of the FFIEC's guidance, McHugh says. That means they also must focus on customer education - an area where many institutions have, to date, been lacking, she adds.
"The 2011 supplement requires financial institutions to implement some type of customer security awareness education program, meaning that they should be informing their customers, particularly those that perform high-risk transactions, about the fraud environment," McHugh says. "Are they ensuring that they have up-to-date and effective antivirus and patch management procedures for their system, so that if they do get some kind of a virus or a keylogger, for example, they can catch it and neutralize it as soon as possible?"
During this interview, McHugh discusses:
- The role agreements with commercial banking customers are playing in court decisions and settlements over ACH and wire fraud incidents;
- Why the onus for security is increasingly falling on the shoulders of the banks;
- A review of recent ACH and wire fraud cases.
Courts' Reliance on FFIEC
AMY MCHUGH: What I see emerging is the court's increasing reliance on regulatory guidance, particularly the FFIEC's 2005 and 2011 guidance on authentication in the Internet banking environment. And, also, the courts' reliance on the FFIEC's IT examination handbooks. These are kind of the de facto industry standards and are assisting the courts in their determination of what constitutes commercially reasonable security procedures. I also see developing kind of the fleshing out of the UCC 4A's analysis of what constitutes a commercially reasonable security procedure, as well as reliance on the good faith prong of UCC 4A. While the security procedures may be commercially reasonable, are the financial institutions acting in good faith in their dealings with their business customers?
Banks' Focus
KITTEN: What should banks and credit unions be focused on when it comes to some of these decisions and/or settlements?
MCHUGH: Well, I think all financial institutions should be reviewing those two FFIEC guidance documents on authentication in the Internet banking environment, particularly the 2011 supplement, because of the increasing level of electronic funds transfer fraud in the industry. The FFIEC agencies are requiring more of their financial institutions, as far as performing detailed annual risk assessments of their online banking services, making sure that - particularly for their business customers that perform higher-risk, electronic transactions online for ACH and wire transfer origination - they are really risk-assessing those products and ensuring that they have implemented appropriate security measures to address the increasing risks for those services, as well as the risks that are becoming more apparent in the industry.
And, also, the 2011 supplement requires financial institutions to implement some type of customer security awareness education program, meaning that they should be informing their customers, particularly those that perform high-risk transactions, about the fraud environment. What is existing out there? What additional steps should those particular business customers take in their own environment, meaning, how do they protect their computers? Are they limiting their electronic funds transfer operations to a particular computer? Are they limiting Web surfing on that computer? Are they ensuring that they have up-to-date and effective antivirus and patch management procedures for their system, so that if they do get some kind of a virus or a keylogger, for example, they can catch it and neutralize it as soon as possible?
Choice Escrow's Appeal
KITTEN: The Choice Escrow ruling is likely to be appealed, you argue. Why?
MCHUGH: I think the reason it will be appealed is based primarily on the court's analysis of PATCO. I think that in the Choice Escrow case it was a case of a small business that would initiate electronic funds transfers, and that because they only had two people who were doing these funds transfers, they did not want to implement a dual-control system. One of the two people may be out of the office, and so it just wouldn't be feasible for that organization. And the court kind of relied on that in determining whether the bank had actually implemented commercially reasonable security procedures. UCC 4A talks about if a security procedure is considered commercially reasonable, and if a customer has been offered that feature and then turns it down, then another security procedure must be used. So any security procedures that are still left in place, in this case the user ID and password, and I believe a secure device token, which is a cookie on their computers, would then be considered commercially reasonable. This kind of bothered me, in a sense, about whether or not this was an actual issue for Choice Escrow; meaning, we won't have both people in the office at the same time for most of the time to allow us to perform these electronic funds transfers. There are situations where you are going to have small business customers and that truly may not be a feasible option for them. Going back to the PATCO case, BancorpSouth kind of offered this one-size-fits-all solution. So you take dual control; if you can't use dual control, yet nothing else is offered, then how can that be reasonable? I found that kind of questionable in the sense that the UCC 4A and the FFIEC guidance both say that financial institutions, when determining what security procedures to offer their customers, have to consider the circumstances of that particular customer.
So, I see that there might be an option here for a potential appeal, in the sense that these security procedures were not sufficiently tailored to this particular customer's circumstances and that something else, maybe, should have been offered.
Leaning on UCC 4A
KITTEN: And then what about some of the Article 4A implications here for commercial customers?
MCHUGH: This has been stated before - the increasing awareness that customers, business customers, definitely have some responsibility for protecting their own systems, which I totally agree with. While the bank is in what is considered the "better position" to be aware of these particular security procedures and risks, business customers still have some responsibilities, as far as being aware of basic security procedures for their location. Again, going back to effective antivirus maintenance, patch management on their systems, limiting, as much as possible, any kind of Internet activity on a particular PC that is used for online banking transactions. And basic things such as appropriate password configuration complexity. I definitely think that business customers differ from consumers, in the sense that they are in a slightly better position to be aware of general risks and things and should be able to implement security into their system. But, what I found, and again this is from smaller institutions, is that the banks themselves are not necessarily as aware as I think they should be about security procedures and risks to their Internet banking systems. That then kind of filters down to the customers. I think that while banks definitely have a better position and should be able to communicate to their customers what they should be doing, the business customers should also start taking some responsibility for protecting their own systems.