Tom Hinkel, Director of Compliance
Recent FFIEC guidance on Retail Payment Systems has increased the focus on electronic transactions and payment methods. If your financial institution is offering any products or services with “remote” in the name, this guidance will affect you. However, simply being compliant with the current guidance may address the regulatory risks of these products, but not go far enough to actually prevent fraud and the corresponding financial and reputational losses. Similarly, relying solely on the security mechanisms of your product doesn’t fully address the risks either.
Although paper checks remain the most popular payment vehicle, electronic payment methods are becoming more popular. Many institutions see electronic retail payment products such as remote deposit capture and remote ACH origination as the answer to many of the problems of traditional check fraud, but as the FFIEC observed in their recently updated IT Examination Handbook on Retail Payments:
“… the emergence of a new payment mechanism can also enable the rapid propagation of fraud, money laundering, and operational disruption if data is compromised.”
A transaction is considered “high risk” if it permits the “movement of funds to other parties.” The agencies of the FFIEC (Federal Reserve, FDIC, OTS, OCC and NCUA) consider the transfer of deposit transaction information to represent the “movement of funds to other parties,” and as such to require stronger authentication and/or additional controls. Since remote (merchant-based) technology represents the highest level of the “high risk” category, institutions should focus on the risks as they relate to remote deposit capture, remote ACH origination, and remote wire transfer.
Vendors – trust but validate
Because the institution is heavily reliant on the vendor for the security of merchant-facing products and services, and because the institution is nonetheless responsible for the risks associated with these products, the institution must adopt a “trust but validate” approach, particularly with vendors that supply and support high risk transaction products. Combining “trust but validate” with the principle of layered controls means going beyond the standard checklist most institutions use to periodically rank service providers by risk, and beyond the standard controls (e.g. financial statements, SAS 70s, third-party reviews), to include additional control verification capabilities.
Identity theft – looking beyond the customer
Identity theft is also a growing concern among financial institutions (and regulators), and remote payment systems significantly expand its scope, because responsibility for the confidentiality of customer information may extend beyond the institution’s own customer. For example, consider the type of information entered into the remote deposit capture merchant device. The merchant’s customer presents a paper check, which is scanned into the device for transmission to the institution. Checks typically contain name, address, account number, ABA routing number, and sometimes phone numbers, driver’s license numbers and even social security numbers: more than enough information to enable identity theft. If an attacker successfully penetrates an RDC device, the institution is therefore potentially responsible for the risk to its customers’ customers’ information.
There is currently discussion in Washington about expanding Regulation E to extend the same consumer protections that apply to electronic funds transfers to commercial accounts. But regardless of how responsibilities for fraud losses are determined, there is currently no transference of liability for financial losses from identity theft. This may be further tested and possibly redefined as current court cases are litigated later this year and early next. One potentially groundbreaking case is PlainsCapital Bank vs. Hillary Machinery. The customer originally sued the bank after the bank honored a series of wire transfer requests to overseas accounts following a cyber breach at the customer location that captured the ACH authentication credentials. Although the bank was able to recover most of the funds, the customer sued for recovery of the remaining loss. However, instead of reimbursing the customer, the bank made the unprecedented decision to counter-sue, alleging that the bank “at all times maintained commercially reasonable security measures within the meaning of 12 C.F.R. §§ 4A-201 and 4A-202”. PlainsCapital Bank spokesperson John Floeter is further quoted as saying “…the cyber attack wasn’t against our system.” This case promises to test the generally accepted view that remote (merchant-based) devices are, by definition, functionally equivalent to a device located inside the bank’s internal network, and are therefore subject to the same level of security.
Institutions are responsible for the privacy and confidentiality of customer data, regardless of where it may reside. The core vendors are currently working to address improvements in their security measures, but because community financial institutions are almost completely dependent upon the protection and security mechanisms provided to them by their vendor, and because the risks are real and immediate, they need to take the initiative to tighten security on their own.
As this paper was being written, NIST had just issued its set of recommendations on protecting the confidentiality of personally identifiable information (PII). According to NIST, the two most important risk management controls are policy and procedure creation, and education, training, and awareness. I agree, and would propose a third control: a process that verifies that procedures are indeed being followed. This process would document compliance through automated monitoring of key security metrics, combined with reporting and management oversight. Additionally, as NIST recommends, financial institutions should go the extra step and offer periodic training to their customers on information security best practices.
Regulators consider “transfer of funds” technology to be high risk. Allowing your customers to originate ACH and wire transfers from the convenience of their own location is classified as a “transfer of funds,” and as such is subject to a much higher level of scrutiny. Compounding the problem are recent court cases alleging that financial institutions failed to provide reasonable security for transactions originated at the merchant location.
Financial institutions must adequately assess and control the risks of remote electronic transactions in order to comply with the latest regulatory guidance, but they may need to go beyond the “compliance response.” The controls suggested here may not completely eliminate the effects of financial, operational and reputation risk, but they go a little farther than current requirements, and may go just far enough to protect your organization.
FFIEC, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment, August 15, 2006
FFIEC, Risk Management of Remote Deposit Capture, January 2009