The Texas Department of Banking recently released a Supervisory Memorandum, establishing minimum standards for risk management programs, with the intent to help minimize the risks of Corporate Account Takeovers. The letter reinforces the Department’s position that all banks should be aware of the growing risk of electronic crimes, and the need to identify, develop, and implement appropriate risk management measures.

Corporate Account Takeovers happen to corporate businesses, municipalities, school districts, churches, large non-profit organizations and customers performing electronic transfers. Often, cyber thieves gain control of a business's bank account by stealing employee passwords and other valid credentials, and then make fraudulent wire and ACH transactions to accounts controlled by the thieves. Businesses with limited or no internal computer safeguards and disbursement controls are at greatest risk of an account takeover.

In an effort to combat the problem, the Texas Department of Banking and the United States Secret Service formed the Texas Bankers Electronic Crimes Task Force. Members of the Task Force expanded on the risk management framework of PROTECT, DETECT and RESPOND by developing nineteen recommended processes and controls for bank management and directors to address.

The minimum standards for a risk management program to mitigate the risk of Corporate Account Takeovers are as follows:

PROTECT

(Implement processes and controls to protect the financial institution and corporate customers.)

1. Expand the risk assessment to include corporate account takeover.
2. Rate each customer (or type of customer) that performs online transactions.
3. Outline to the Board of Directors the Corporate Account Takeover issues.
4. Communicate basic online security practices for corporate online banking customers.
5. Implement or enhance customer security awareness education for retail and high-risk business account holders.
6. Establish bank controls to mitigate risks of corporate accounts being taken over.
7. Review customer agreements.
8. Contact your vendors to regularly receive information regarding reducing the risk of Corporate Account Takeovers.

DETECT

(Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.)

1. Establish automated or manual monitoring systems.
2. Educate bank employees about the warning signs that a theft may be in progress.
3. Educate account holders about the warning signs of a potentially compromised computer system.

RESPOND

(Prepare to respond to an incident as quickly as possible, measured in minutes rather than hours, to increase the chance of recovering the money for your customer.)

1. Update incident response plans to include Corporate Account Takeover.
2. Immediately verify whether a suspicious transaction is fraudulent.
3. Immediately attempt to reverse all suspected fraudulent transactions.
4. Send a “Fraudulent File Alert” through FedLine.
5. Immediately notify the receiving bank(s) of the fraudulent transactions and ask them to hold or return the funds.
6. Implement a contingency plan to recover or suspend any systems suspected of being compromised.
7. Contact law enforcement and regulatory agencies once the initial recovery efforts have concluded.
8. Implement procedures for customer relations and documentation of recovery efforts.

The entire Supervisory Memorandum and the Task Force's recommended Best Practices for Reducing the Risks of Corporate Account Takeovers are available from the Texas Department of Banking.