<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0">
    <title>Bank Lawyer&#39;s Blog</title>
    <link rel="self" type="application/atom+xml" href="http://www.banklawyersblog.com/3_bank_lawyers/atom.xml" />
    <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/" />
    <id>tag:typepad.com,2003:weblog-29532</id>
    <updated>2015-05-10T14:03:37-05:00</updated>
    <subtitle>Commentary on Banking Law</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
    <entry>
        <title>Vendor Mismanagement</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2015/05/vendor-mismanagement.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2015/05/vendor-mismanagement.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01b8d111955a970c</id>
        <published>2015-05-10T14:03:37-05:00</published>
        <updated>2015-05-10T14:03:37-05:00</updated>
        <summary>While banks have complained about the crushing burden of regulations in a post-Franken-Dodd world, in one area they could use a little more regulation. Not of the banks, but of third-party service providers to banks. I have yapped repeatedly on...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Governance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OCC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Outsourcing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c788133b970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Unreasonable" class="asset  asset-image at-xid-6a00d8341c652b53ef01b7c788133b970b img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c788133b970b-120wi" style="margin: 0px 5px 5px 0px;" title="Unreasonable" /></a>While banks have complained about the crushing burden of regulations in a post-Franken-Dodd world, in one area they could use a little more regulation. Not of the banks, but of third-party service providers to banks.</p>
<p>I have yapped repeatedly on this rag sheet about how banks need to treat regulatory guidance seriously. While some regulators <a href="http://www.banklawyersblog.com/3_bank_lawyers/2014/04/a-recent-article-in-the-aba-banking-journal-by-steve-cocheoquotes-an-fdic-official-as-clarifying-a-point-that-needs-to-be-cla.html" target="_self">send confusing signals</a> about the legal enforceability of guidance, they have also made clear that <a href="http://www.banklawyersblog.com/3_bank_lawyers/2014/05/is-vendor-risk-scoring-mandatory.html" target="_self">they expect banks to comply with it</a>. Period.</p>
<p>One piece of guidance that we have discussed is <a href="http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html" target="_self">OCC Bulletin 2013-29</a> regarding third party relationships, which is a reworking and expansion of guidance first issued in 2001 (OCC Bulletin 2001-47). Other federal financial institution regulators have issued similar guidance. One portion of that guidance deals with provisions that the OCC expects to be incorporated into written agreements between banks and their service providers. Banks that take regulatory guidance seriously attempt to ensure that their written agreements with their significant vendors meet the regulators&#39; expectations.</p>
<p>If some technology service providers are to be believed, not many banks take the guidance seriously.</p>
<p>Repeatedly, attorneys who advise banks on such agreements will hear a common complaint: the bank asking for such a contractual provision is the only bank that has ever asked the vendor for the same. Putting aside my stock response (&quot;You&#39;ll never be able to say that again, will you?&quot;), let&#39;s take them at their word and see what this means.</p>
<p>Let&#39;s pick two provisions: access by the bank&#39;s regulators to the service provider&#39;s records concerning the services it provides to the bank, and a binding agreement by the vendor to provide the bank with a disaster recovery plan and modifications to it. These aren&#39;t the only provisions. There are many more, but I don&#39;t make a living off this blog, so they&#39;ll have to do for now.</p>
<p>OCC Bulletin 2013-29 provides in part as follows:</p>
<blockquote>
<p><em><strong>In contracts with service providers, stipulate that the performance of activities by external parties for the bank is subject to OCC examination oversight, including access to all work papers, drafts, and other materials. The OCC treats as subject to 12 USC 1867(c) and 12 USC 1464(d)(7), situations in which a bank arranges, by contract or otherwise, for the performance of any applicable functions of its operations. Therefore, the OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself on its own premises.</strong></em></p>
</blockquote>
<p>That&#39;s pretty clear. Yet, we have repeatedly encountered service providers, including one of the major technology service providers in the United States, who have resisted such a contractual &quot;stipulation&quot;. In one discussion, a service provider that was providing an online banking system and related customer-facing services asked the bank to cite the provision of the law that gave the OCC the right to have such access. When we gave it the citation to 12 USC 1867(c), it responded that its inside counsel did not agree with the OCC&#39;s interpretation of the Bank Service Company Act, and that examinations that it had permitted the OCC to make were purely voluntary and could be terminated at any time. We responded that we didn&#39;t give a flying fig in a rolling donut what its in-house counsel thought about the OCC&#39;s interpretation, since the law was clear on its face. In that case, we compromised on language that required such regulatory access &quot;as is required by applicable law.&quot; However, we were told by that vendor that other banks did not insist on such a provision in the agreement.</p>
<p>With respect to business continuity plans, OCC Bulletin 2013-29 provides the following:</p>
<blockquote>
<p><strong><em>Ensure that the contract requires the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements, and when appropriate, regulatory requirements. Stipulate whether and how often the bank and the third party will jointly practice business resumption and disaster recovery plans.</em></strong></p>
</blockquote>
<p>Recently, we have encountered a technology service provider who provides a critical online banking service that absolutely refuses to agree to any provision in the agreement that addresses business continuity plans or procedures. While it states that it has such a plan and that the bank can review it, it will not agree to put anything in the contract regarding such plans. Again, the bank was informed by the vendor that it has never agreed to provide such contractual protection to a financial institution, and that no other bank has insisted upon it. Again, this is a critical service provider whose service, if it went &quot;offline&quot; for any length of time, would cause intense heartburn to the bank.</p>
<p>These are only two examples. There are many, many more. It&#39;s as if not only are many vendors unaware of requirements that their bank clients must meet (and that have been required for over a decade), but that many banks do not care about complying with regulatory guidance. In the case of smaller institutions, there is also the problem that they lack the expertise to negotiate, or perhaps they believe that they do not have sufficient importance to the vendor to bargain effectively. Whatever the reasons, many of them are rolling over with their paws in the air instead of trotting in the other direction.</p>
<p>This leaves those banks that take regulatory guidance seriously in a tough position. Some of them are simply walking away and trying to find vendors who &quot;get it,&quot; even if they are not the first choice from a purely business standpoint. Others end up negotiating with themselves to arrive at less-than-reasonable contractual compromises.</p>
<p>I have a couple of suggestions for the regulators. First, try enforcing the guidance across the board. There are financial institutions who are trying to &quot;do it right,&quot; but who are being undercut by those who aren&#39;t. Moreover, use your authority under the Bank Service Company Act and otherwise to bring home to the vendors directly that if they want to play in this arena, they need to play by your rules. Some of them are not getting the message. Perhaps it would be helpful to start naming names on both ends of the spectrum. Perhaps that would get some attention.</p>
<p>In fairness, there are technology service providers who are doing it right. They understand the guidance, and while they are not willing to fall over and play dead, they are willing to make a reasonable attempt to accommodate what is essentially appropriate risk allocation between the parties, and appropriate accommodation to their customers&#39; regulators&#39; expectations. They &quot;get it.&quot; Here&#39;s hoping that more of them eventually get the message, as well.</p></div>
</content>


    </entry>
    <entry>
        <title>What&#39;s Good For The Bank Is Good For The Bank Lawyer</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/11/whats-good-for-the-bank-is-good-for-the-bank-lawyer.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/11/whats-good-for-the-bank-is-good-for-the-bank-lawyer.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01bb07a8914d970d</id>
        <published>2014-11-09T22:13:00-06:00</published>
        <updated>2014-11-09T22:13:00-06:00</updated>
        <summary>Recent articles in the Wall Street Journal (paid subscription required) point out an inconvenient truth for many bank law firms: as third party service providers, they, too, must ensure that their information security systems are &quot;up to snuff.&quot; Big banks...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="CFPB" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Current Affairs" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Ethics" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Practice of Law" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b8d08d54e2970c-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Information Security" class="asset  asset-image at-xid-6a00d8341c652b53ef01b8d08d54e2970c img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b8d08d54e2970c-120wi" style="margin: 0px 5px 5px 0px;" title="Information Security" /></a>Recent articles <a href="http://online.wsj.com/articles/banks-demand-that-law-firms-harden-cyberattack-defenses-1414354709" target="_self">in the Wall Street Journal</a> (<em>paid subscription required</em>) point out an inconvenient truth for many bank law firms: as third party service providers, they, too, must ensure that their information security systems are &quot;up to snuff.&quot;</p>
<blockquote>
<p><strong><em>Big banks are demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers.</em></strong></p>
<p><strong><em>Once given special status as trusted third parties, lawyers, particularly those who get access to sensitive bank information, now are more likely to get full background checks. The number of compliance checklists for law-firm technology systems and security procedures has ballooned. And law firms big and small increasingly are getting on-site audits to check who has access to documents and office servers.</em></strong></p>
<p><strong><em>[...]</em></strong></p>
<p><strong><em>The demands come as financial regulators are paying more attention to third-party vendors. <a href="http://topics.wsj.com/person/L/Benjamin-Lawsky/6754"> Benjamin Lawsky </a>, the superintendent of New York state’s Department of Financial Services, last week sent a letter to dozens of banks <a href="http://online.wsj.com/articles/lawsky-targets-banks-cyberattack-vulnerability-1413941506" target="_new">requesting information</a> on security risks relating to law firms, accounting firms and other third parties.</em></strong></p>
<p><strong><em>Law firms “can have access to a very large volume of sensitive data on a recurring basis and that makes them a point of vulnerability,” Mr. Lawsky said.</em></strong></p>
</blockquote>
<p>When &quot;Gentle Ben&quot; Lawsky speaks, lawyers better listen. Not because he possesses any special insight into the banks he regulates (his background in actual banking is non-existent), but because he&#39;s demonstrated that he intends to follow in the footsteps of his role model, Eliot &quot;Mess&quot; Spitzer, by pursuing publicity-laden enforcement actions against victims that the public loves to loathe. Banks and lawyers might as well have a bulls-eye painted on their foreheads.</p>
<p>Thus far, it appears that big banks and their big firm minions are first in line for proctoscopic examinations. However, how long will it be before the &quot;trickle down&quot; theory of bank regulation that we&#39;ve seen prove itself again and again since the creation of Franken-Dodd and its dark spawn, the CFPB, will spread this &quot;closer look&quot; process to smaller banks and their law firms? Not long, I think, even if you measure the passage of time in dog years.</p>
<p>It&#39;s hard to argue that law firms for banks of any size should be cut any slack. The <a href="http://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm" target="_self">Interagency Guidelines Establishing Information Security</a>, the relevant regulatory guidance on third party relationships (such as <a href="http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html" target="_self">OCC Bulletin 2013-29</a>), and basic ethical requirements to protect the confidentiality of client information should have impelled lawyers for banks to take information security in an online world quite seriously long before this point. In many cases, engagement agreements between law firms and bank clients already specifically require that law firms take the kind of security precautions that big banks are requiring of their law firms. True, &quot;one size does not fit all&quot; may be as true of bank law firms as it is of the banks they represent, so, perhaps, not every law firm will need to have in place all of the precautions described in the linked article.</p>
<blockquote>
<p><strong><em>Some firms instruct attorneys not to open documents sent via email unless they are in a secure environment in the office, or using a firm laptop on an encrypted line. For particularly sensitive matters, firms might restrict work to stand-alone computers that don’t connect to the Internet, said Mary E. Galligan, a Federal Bureau of Investigation veteran who now is a director of cyberrisk services at consulting and accounting firm Deloitte &amp; Touche LLP.</em></strong></p>
<p><strong><em>Mobile devices are a particular focus. Many firms can wipe data from smartphones and laptops that are lost or stolen, and most firms install some level of encryption.</em></strong></p>
<p><strong><em>Law firm Davis Polk &amp; Wardwell LLP in recent weeks added a new precaution: Lawyers must have a special application installed on their smartphones to open attachments sent to their firm addresses.</em></strong></p>
</blockquote>
<p>On the other hand, those security measures make sense and many of them are not unreasonably expensive to implement. Those firms that don&#39;t want to encounter a nasty (and expensive) surprise would be wise to take this concern seriously, and prepare for such an examination, whether or not one is ever actually performed.</p></div>
</content>


    </entry>
    <entry>
        <title>The Stickiness of Browsewrap</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/09/the-stickiness-of-browsewrap.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/09/the-stickiness-of-browsewrap.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01b7c6db3751970b</id>
        <published>2014-09-07T21:41:00-05:00</published>
        <updated>2014-09-07T21:41:00-05:00</updated>
        <summary>A recent client alert from Arent Fox discusses a potential problem for every bank that has a website, which, I assume, means almost every bank. A decision of the US Ninth Circuit Court of Appeals held against Barnes &amp; Noble,...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Consumer Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c6db374b970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Binding_agreement" class="asset  asset-image at-xid-6a00d8341c652b53ef01b7c6db374b970b img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01b7c6db374b970b-120wi" style="margin: 0px 5px 5px 0px;" title="Binding_agreement" /></a>A recent <a href="http://www.arentfox.com/newsroom/alerts/ninth-circuit-website-owners-dont-bury-terms-use#.VAx7qBZ_MqR" target="_self">client alert from Arent Fox</a> discusses a potential problem for every bank that has a website, which, I assume, means almost every bank. A decision of the US Ninth Circuit Court of Appeals held against Barnes &amp; Noble, which attempted to force a customer to abide by the alternative dispute resolution terms that were contained in B&amp;N&#39;s &quot;terms of use&quot; (TOU) that governed the use of its website. Visitors to the website are notified of the existence of the TOU through a highlighted &quot;hyperlink&quot; at the bottom of the website&#39;s homepage (you can view B&amp;N&#39;s homepage <a href="http://www.barnesandnoble.com/" target="_self">here</a> and scroll to the very bottom of the page, left-hand corner, to see the link). The TOU also appeared, underlined and in different colored font, at the bottom of each web page that the customer used during the check-out process. According to the court, that wasn&#39;t sufficient notice of the TOU, at least not sufficient to bind a consumer to the binding arbitration provisions.</p>
<blockquote>
<p><strong><em>It then went on to explain that, in situations where a website owner wishes to bind a user to the terms in a browsewrap agreement, “the validity of the browsewrap agreement turns on whether the website puts a reasonably prudent user on inquiry notice of the terms of the contract” and that, in turn, “depends on the design and content of the website and the agreement’s webpage.”</em></strong></p>
<p><strong><em>[...]</em></strong></p>
<p><strong><em>In fact, the Ninth Circuit explicitly held that making the Terms of Use available for review via a conspicuous hyperlink is insufficient to create constructive notice:</em></strong></p>
<p style="margin-left: 20px;"><strong><em>[W]e therefore hold that where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on — without more — is insufficient to give rise to constructive notice. While failure to read a contract before agreeing to its terms does not relieve a party of its obligations under the contract … the onus must be on website owners to put users on notice of the terms to which they wish to bind consumers. Given the breadth of the range of technological savvy of online purchasers, consumers cannot be expected to ferret out hyperlinks to terms and conditions to which they have no reason to suspect they will be bound.</em></strong></p>
</blockquote>
<p>The author of the client alert, Dana Finberg, thinks that the implicit lesson of the decision may be that &quot;browsewrap&quot; TOU agreements may have to adopt many of the features of &quot;clickwrap&quot; TOU agreements (where the customer actually has to give affirmative consent to having read and agreed to the terms by &quot;clicking&quot; a &quot;I Agree&quot; button or via a similar process), &quot;at least as to individual consumers using commercial websites.&quot;</p>
<p>Obviously, using a &quot;clickwrap&quot; process, whereby all visitors to a bank&#39;s website, before they can use it, must affirmatively consent that they agree to the website&#39;s TOU, is the legally safest method of ensuring enforceability. It&#39;s also a process designed to discourage customers and potential customers from using the website, which is why most banks and other businesses don&#39;t use it (see, as only one example, <a href="https://www.chase.com/" target="_self">Chase Bank&#39;s website&#39;s homepage</a>, where the TOU is buried at the bottom of the page and not even highlighted).</p>
<p>A middle ground might be to draw the reader&#39;s attention to the TOU by other means, such as content that explicitly states that the use of the website is subject to the TOU and that draws the reader&#39;s attention through size, color, and/or other variations from the other content. At the very least, the business must consider the risks of using browsewrap rather than clickwrap agreements for its TOU, and consider the impact of those risks on the content of the TOU. For example, should binding arbitration provisions ever be contained solely in a TOU that is presented to a consumer solely as a &quot;browsewrap&quot; agreement? What other processes might make sense to ensure the enforceability of such critical terms? Should separate processes be used with respect to agreements with web site users who are not customers and web site users who are customers?</p>
<p>Are we having fun yet?</p></div>
</content>


    </entry>
    <entry>
        <title>BancSouth Wins Big</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/06/bancsouth-wins-big.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/06/bancsouth-wins-big.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01a511d2c24e970c</id>
        <published>2014-06-22T21:57:00-05:00</published>
        <updated>2014-06-22T21:57:00-05:00</updated>
        <summary>A recent Eighth Circuit Court of Appeals decision in favor of BankSouth bodes well for financial institutions who understand their obligations under UCC Article 4A and take those obligations seriously. Unlike consumer customers, who are pretty much protected against unauthorized...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Deposits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dde0d91970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Cybercrooks" class="asset  asset-image at-xid-6a00d8341c652b53ef01a73dde0d91970d img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dde0d91970d-120wi" style="margin: 0px 5px 5px 0px;" title="Cybercrooks" /></a>A recent Eighth Circuit Court of Appeals decision in favor of BankSouth <a href="http://krebsonsecurity.com/2014/06/ruling-raises-stakes-for-cyberheist-victims/" target="_self">bodes well for financial institutions</a> who understand their obligations under UCC Article 4A and take those obligations seriously. Unlike consumer customers, who are pretty much protected against unauthorized funds transfers by Regulation E if they examine their monthly bank statements and promptly inform their banks of any unauthorized transactions, business customers whose bank accounts are compromised by cybercrooks have much less protection. As the 8th Circuit points out, the inquiry in such instances is focused on whether the bank and customer had agreed upon commercially reasonable security procedures that the bank would use to determine whether or not a purported funds transfer was authorized by the customer and, if so, whether or not the bank employed those security procedures in good faith. If the bank meets that two-pronged test, the business customer is stuck with liability for any unauthorized transfer.</p>
<p>The controversy usually arises when an employee of the business customer has fallen for a &quot;phishing&quot; scheme, clicking on a link in an email that causes malware to be downloaded that allows the crooks to learn the user name and password that the employee uses to log in to the online banking system of the bank. In the BancSouth case, that apparently occurred. However, regardless of how access to the password and user name was obtained, the focus of the court was, as it should have been, whether the agreed upon security procedures used by the bank were commercially reasonable and employed by the bank in good faith. In this instance, the court (and the trial court) found that they were.</p>
<p>While the customer&#39;s attorneys argued that the use of a user name and password was &quot;one-factor authentication&quot; that is contrary to FFIEC guidance advising that &quot;multi-factor authentication&quot; processes should be used, the court countered that argument by finding that the bank offered &quot;dual controls&quot; for wire transfers (separate persons must authorize the initial funds transfer request and the confirmation of that transfer order) and that the customer had opted not to use such a procedure on the grounds that it was &quot;inconvenient.&quot; More cautious banks not only offer dual controls, they require them unless the customer signs a separate agreement or waiver under which it indemnifies the bank from any claims, loss, or liability arising out of unauthorized transfers from the account under a single-control authorization process. BancSouth had such a waiver and the customer signed it.</p>
<p>BancSouth&#39;s online banking agreement also contained an indemnification provision that is common in online banking agreements in one form or another, pursuant to which the customer agreed to indemnify and hold the bank harmless from claims, losses, liabilities, costs and expenses, including reasonable attorneys&#39; fees, arising out of the bank&#39;s provision of services, as long as the bank fulfilled its obligations. The appellate court ruled that this provision provided a sufficient basis for the bank to pursue a claim against its customer for payment of attorneys&#39; fees, and overturned the trial court&#39;s denial of a counterclaim by the bank for such fees. Again, well-drafted online banking agreements ought to contain a similar provision.</p>
<p>Dan Mitchell, an attorney who has been involved in other high-profile litigation on this subject, and another commenter, had some cogent observations on the implications of this decision.</p>
<blockquote>
<p><strong><em>Perhaps most significantly, Mitchell said, the decision could be a blow to companies trying to recover cyberheist losses from their banks. Bancorp South had asserted at the trial court level that its contract with Choice Escrow indemnified it against paying legal fees in such a dispute. The trial court dismissed that claim, but the appeals court said in its decision that the bank could recover the costs from the escrow firm.</em></strong></p>
<p><strong><em>&quot;The bank had asserted a counterclaim that the customer should pay the bank’s legal fees,&quot; said Mitchell, who battled similar claims in which Patco — a Maine construction firm — <a href="http://krebsonsecurity.com/2012/07/court-ruling-could-be-boon-to-cyberheist-victims/" target="_blank" title="http://krebsonsecurity.com/2012/07/court-ruling-could-be-boon-to-cyberheist-victims/">successfully sued its bank over a $588,000 cyberheist</a>. &quot;There’s no other federal circuit court case other than Patco that has gotten up to that level. The appeals court said the bank can now pursue its legal fees against the customer. And that may end up being the important part of this opinion in the long run if [plaintiffs are]&#0160;looking at not only have to pay their lawyers to pursue a loss but also those of the bank.&quot;</em></strong></p>
<p><strong><em>Charisse Castagnoli, an&#0160;adjunct professor of law at the John Marshall Law School, said the appeals court decision means that indemnification is now the ‘law of the land’ in the 8th Circuit.</em></strong></p>
<p><strong><em>Castagnoli said she expects two results from this decision: that banks which don’t already have these clauses in their online banking agreements will add them; and that cyberheist victims&#0160;will think more cautiously about bringing a lawsuit.</em></strong></p>
<p><strong><em>&quot;This is the first time a court has ruled on fee shifting, and that will certainly have a chilling effect on litigation,&quot; Castagnoli said.</em></strong></p>
</blockquote>
<p>The opinion contains other nuances that are worth considering. The linked article from Brian Krebs&#39; excellent blog contains a link to the opinion.</p></div>
</content>


    </entry>
    <entry>
        <title>When Curry Speaks, All Banks Should Listen</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/04/when-curry-speaks-all-banks-should-listen.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2014/04/when-curry-speaks-all-banks-should-listen.html" thr:count="1" thr:updated="2014-04-18T12:26:42-05:00" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef01a511a230d8970c</id>
        <published>2014-04-17T21:45:00-05:00</published>
        <updated>2014-04-17T21:45:00-05:00</updated>
        <summary>The Comptroller of the Currency Thomas Curry gave a speech the other day (paid subscription required), and emphasized a couple of points that vendor management folks at financial institutions with various charters--state and federal, bank and credit union--and the lawyers...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OCC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Officers &amp; Directors" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Outsourcing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dad4112970d-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Thomas-curry" class="asset  asset-image at-xid-6a00d8341c652b53ef01a73dad4112970d img-responsive" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef01a73dad4112970d-120wi" style="margin: 0px 5px 5px 0px;" title="Thomas-curry" /></a>The Comptroller of the Currency Thomas Curry <a href="http://www.americanbanker.com/issues/179_74/occ-warns-about-vendor-concentration-foreign-subcontractors-1066939-1.html" target="_self">gave a speech the other day</a> (<em>paid subscription required</em>), and emphasized a couple of points that vendor management folks at financial institutions with various charters--state and federal, bank and credit union--and the lawyers who represent them, would be wise to heed.</p>
<blockquote>
<p><em><strong>Comptroller of the Currency Thomas Curry said his agency is increasingly concerned about the cybersecurity risks from banks relying too much on certain vendors and using service providers in foreign countries.</strong></em></p>
<p><em><strong>Banks can end up becoming dependent on certain vendors because of consolidation in the service provider industry, Curry said in his prepared remarks for the Consumer Electronics Show&#39;s Government Summit in Washington. They can also be exposed to risks when they assign critical functions to outside vendors, including those that use foreign-based subcontractors.</strong></em></p>
<p><em><strong>&quot;Banks need to consider the legal and regulatory implications of where their data is stored or transmitted, and make a determination as to whether geographic limitations are needed in their contracts,&quot; Curry said. &quot;Finally — and perhaps most importantly — we are concerned about the access third parties have to large amounts of sensitive bank or customer data.&quot;</strong></em></p>
</blockquote>
<p>Here are a few take-aways:</p>
<p>First, cybersecurity due diligence of your vendor assumes critical importance when that vendor has access to customer data and other sensitive information of the institution. Access to sensitive information ought to make that vendor a &quot;critical&quot; vendor regardless of the dollar &quot;value&quot; of the contract. The institution needs to be able to document that it examined the information security procedures and systems and found that they met industry standards.</p>
<p>Second, the provisions of the agreement between the institution and such vendors on confidentiality and information security need to be &quot;robust.&quot; This is especially critical when one or a couple of vendors of the institution have access to a lion&#39;s share of sensitive data. Read OCC Bulletin 2013-29, FFIEC&#39;s handbooks on the outsourcing of technology services, and other regulatory guidance. Make sure you know what contractual assurances you need and then make sure they&#39;re in the agreement.</p>
<p>Third, the financial institution needs to monitor these vendors&#39; compliance with information security safeguards throughout the life of the relationship. If a critical vendor is not providing an annual SSAE 16 audit report of the appropriate type (SOC 1 vs. SOC 2), or is not addressing the problems raised by such annual reviews, you&#39;ve got a problem.</p>
<blockquote>
<p><strong><em><span>&quot;We expect the board and management to ensure that appropriate risk management practices are in place, that clear accountability for day-to-day management of these relationships is established, and that independent reviews of these relationships will be conducted periodically,&quot; Curry said in his remarks Wednesday.</span></em></strong></p>
</blockquote>
<p><span>That&#39;s a red flag, no? </span></p>
<p>Fourth, you need to read between the lines of what Curry&#39;s saying about &quot;certain vendors.&quot; Pay attention to what&#39;s happening in the marketplace. If an article appears in the press that notes problems with a critical vendor, investigate and assure yourself that any problems are being addressed. Review the regulators&#39; web sites for enforcement actions, and pay attention to what you find if a vendor is the subject. Pay attention to your own due diligence: if you gather the necessary information but don&#39;t act upon it appropriately, your regulator will not be pleased.</p>
<p>Fifth, foreign subcontractors have become a &quot;hot button&quot; concern. I would recommend that in your vendor agreements with critical vendors you have adequate restrictions on the use of subcontractors. Among those restrictions ought to be that the use of a non-US based subcontractor requires your prior written consent. I represent banks that would never consent, but that&#39;s a story for another day.</p>
<p>If the vendor pushes back, that vendor ought to be a cause for grave concern. They&#39;re not doing you a favor by selling you their technology, although a few of the larger ones act that way, especially if you&#39;re a smaller institution. These concerns are regulatory concerns, matters of safety and soundness. If the vendor is large and serves a number of financial institutions, none of these issues should come as a surprise to them. If you have concerns about a vendor, give your federal regulator a call and tell him or her about those concerns. As Curry makes clear, your regulator will be interested. Very interested.</p></div>
</content>


    </entry>
    <entry>
        <title>Vendor Management Is Still A Regulatory Hot Button</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/02/vendor-management-is-still-a-regulatory-hot-button.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/02/vendor-management-is-still-a-regulatory-hot-button.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017ee8b59db3970d</id>
        <published>2013-02-24T21:42:00-06:00</published>
        <updated>2013-02-24T21:42:00-06:00</updated>
        <summary>According to the FDIC, a common theme in IT examination downgrades is poor vendor management by banks. Last year, in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Credit Unions" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FDIC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="NCUA" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="OCC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Outsourcing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c37127987970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Hot Button" class="asset  asset-image at-xid-6a00d8341c652b53ef017c37127987970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c37127987970b-120wi" style="margin: 0px 5px 5px 0px;" title="Hot Button" /></a>According to the FDIC, a common theme in IT examination
downgrades is <a href="www.ababj.com/tech-topics-plus/it-exams-recent-red-flags-related-to-vendor-risk-management-3684.html" target="_self">poor vendor management</a> by banks. </p>
<blockquote>
<p><em><strong>Last year, in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor, says Donald Saxinger, senior examination specialist in FDIC&#39;s Technology Supervision Branch.</strong></em></p>
<p><em><strong>&quot;I&#39;m not saying it was the primal causal factor, but, in 46% of the downgrades, vendor management was cited,&quot; Saxinger says. He spoke during the recent ABA Telephone Briefing &quot;Vendor management: Unlocking the value beyond regulatory compliance.&quot;</strong></em></p>
</blockquote>
<p>Although the most common “error” that FDIC examiners discovered was the failure by banks to ask their vendors for copies of regulatory examinations, that wasn’t the only nugget contained in the linked article from the ABA Banking Journal. Among the others:</p>
<blockquote>
<p><strong><em>• Vendor management needs to consider all service providers that hold sensitive customer information, not just IT vendors. These include loan workout consulting, appraisal review companies, outside attorneys, and others.</em></strong></p>
<p><strong><em>• Make sure to get the proper exam reports about individual vendors. Some banks just obtain reports for the host data center, but not for the specific application that the banks were using.</em></strong></p>
<p><strong><em>• Even the proper reports don&#39;t cover everything that a bank must consider in its security risk management efforts. For example, one service provider with an otherwise clean report did not have an internal audit program and its business continuity planning was poorly documented.</em></strong></p>
</blockquote>
<p>This is all sound advice, of course, but knowing what you need to ask for is only half the battle. You also need to make certain that the agreement with your vendor gives the bank <em>the right</em> to ask for, and the vendor <em>the obligation</em> to deliver to the bank, copies of the necessary reports. Relying on the goodwill of the vendor in coughing up examination and audit reports, especially when they may contain results that are less than flattering to the vendor, is &quot;unwise.&quot;</p>
<p>Here&#39;s one more tip: if a report reveals problems, the agreement with the vendor should require the vendor to notify the bank of what action the vendor intends to take to remedy the defects, and should also require the vendor to give the bank periodic reports on its progress in correcting those problems.</p>
<p>I&#39;ll be doing a webinar on March 6, 2013 on the topic &quot;<a href="http://www.bankershub.com/#!technology-service-agreements-/c1ahm" target="_self">Technology Service Agreements: Meeting Regulator’s Expectations</a>.&quot; It covers the regulatory guidance applicable to credit unions, banks, and thrifts; the same essential principles apply to each. The goal is to discuss the provisions of a technology service agreement that regulators expect (and that sound business judgment requires) be included, and to give financial institutions guidance on how to approach the issues covered by each of those provisions so that the institution meets its regulator&#39;s expectations while also meeting the institution&#39;s business needs.</p></div>
</content>


    </entry>
    <entry>
        <title>Cyberheists: Big Banks Increase Small Banks&#39; Losses</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/02/cyberheists-big-banks-increase-small-banks-losses.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/02/cyberheists-big-banks-increase-small-banks-losses.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017c368ce9d9970b</id>
        <published>2013-02-03T21:34:00-06:00</published>
        <updated>2013-02-03T21:34:00-06:00</updated>
<summary>Internet security guru Brian Krebs had an excellent post a few weeks ago about how, while much of the attention on cyberheists may be focused on the security vulnerabilities of small banks and their business customers, the large banks are playing a...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Deposits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="FFIEC" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Outsourcing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017d40bb79fa970c-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Cybercrime 4" class="asset  asset-image at-xid-6a00d8341c652b53ef017d40bb79fa970c" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017d40bb79fa970c-120wi" style="margin: 0px 5px 5px 0px;" title="Cybercrime 4" /></a>Internet security guru Brian Krebs had <a href="http://krebsonsecurity.com/2013/01/big-bank-mules-target-small-bank-businesses/#more-18091" target="_self">an excellent post a few weeks ago</a> about how, while much of the attention on cyberheists may be focused on the security vulnerabilities of small banks and their business customers, the large banks are playing a large role in small banks&#39; losses.</p>
<blockquote>
<p><strong><em>A $170,000 cyberheist last month against an Illinois nursing home 
provider starkly illustrates how large financial institutions are being 
leveraged to target security weaknesses at small to regional banks and 
credit unions.</em></strong></p>
<p><strong><em>I have written about <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank" title="http://krebsonsecurity.com/category/smallbizvictims/">more than 80 organizations</a>
 that were victims of cyberheists, and a few recurring themes have 
emerged from nearly all of these breaches. First, a majority of the 
victim organizations banked at smaller institutions. Second, virtually 
all of the money mules — willing or unwitting individuals recruited to 
help launder the stolen funds — used accounts at the top five largest 
U.S. banks.</em></strong></p>
</blockquote>
<p>Krebs responds to a question often asked of him, whether it&#39;s safer for a business to bank with a large bank rather than a small bank, by asserting that it&#39;s a difficult question to answer &quot;because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses.&quot;</p>
<blockquote>
<p><strong><em>Businesses do not 
enjoy the same fraud protections as consumers; if a Trojan lets the bad 
guys siphon an organization’s online accounts, that victim organization 
is legally responsible for the loss. The financial institution may 
decide to reimburse the victim for some or all of the costs of the 
fraud, but that is entirely up to the bank.</em></strong></p>
</blockquote>
<p>That&#39;s right. Regulation E does not apply to business customers. That sometimes comes as a shock to small business customers, especially those who were too cheap to hire legal counsel to review the account and other online banking agreements before they were signed. &quot;Forewarned is forearmed&quot; is an old adage with a lot of wisdom behind it. It&#39;s not that banks will negotiate the terms of their agreements (most of them will not, especially with small customers), but that customers who understand their legal position going into the relationship are more likely to do due diligence on the bank&#39;s security procedures and track record, and to consider other methods of lessening and covering their risks (I&#39;ve seen a few who suddenly realize that having a PC dedicated solely to online banking transactions, and no other activities, is not such a waste of money after all).</p>
<p>Krebs also points out that since larger banks are more likely to have the resources to settle even large losses to avoid the reputational risk of cyberheists, it may be difficult to know how many instances of loss occur. However, it&#39;s reasonable to assume that the large banks spend a lot more money and person-power on security measures than do small banks.</p>
<blockquote>
<p><strong><em>Wearing my cyberthief glasses, if I’m looking at a huge pile of data 
stolen from thousands of victims, I’m probably more apt to target 
victims at smaller banks based on one simple assumption: Because I’m 
going to have a much higher success rate than I would targeting 
customers of larger institutions.</em></strong></p>
</blockquote>
<p>Krebs takes a shot at technology service providers who service many of the smaller banks for not doing more to secure online banking transactions. </p>
<blockquote>
<p><strong><em>Case in point:&#0160;Optimumbank’s service provider is Fiserv, one of the largest banking industry service providers. According to <a href="http://www.fiserv.com/payments/ach-payments-solutions.htm" target="_blank" title="http://www.fiserv.com/payments/ach-payments-solutions.htm">Fiserv’s site</a>,
 at least 52 percent of the nation’s $19 billion in ACH payments are 
processed using Fiserv software. If this is true, one might think that 
Fiserv’s systems handled about half of the mule transfers that were sent
 from Niles Nursing’s hacked bank account.</em></strong></p>
<p><strong><em>But according to Murray Walton, Fiserv’s chief risk officer, the software that most of its customer banks run — called&#0160;<a href="http://www.checkfreesoftware.com/cda/software/L5.jsp?layoutId=42417&amp;contentId=62072&amp;menuId=60524&amp;pId=60524" target="_blank" title="http://www.checkfreesoftware.com/cda/software/L5.jsp?layoutId=42417&amp;contentId=62072&amp;menuId=60524&amp;pId=60524">PEP+</a>&#0160;–
 is a client solution that does not interact with the company’s data 
centers. He said while Fiserv does offer an antifraud solution called <a href="http://www.checkfreecorp.com/cda/corp/L5.jsp?layoutId=47914&amp;contentId=47917&amp;menuId=47915&amp;pId=51498" target="_blank" title="http://www.checkfreecorp.com/cda/corp/L5.jsp?layoutId=47914&amp;contentId=47917&amp;menuId=47915&amp;pId=51498">FraudNet</a>, that tool is designed for online bill pay services that banks can use to detect fraud patterns on consumer accounts.</em></strong></p>
<p><strong><em>“There are vendors who can knit it all together for banks, but that 
isn’t what we do,” Walton said in an interview. “For various and sundry 
reasons we don’t offer an engine that does the same thing as [an 
anti-fraud provider like] Guardian Analytics. Realistically, the client 
and end-user have responsibilities that they can’t abdicate to us. 
Everyone in this needs to take it seriously and not think that someone 
else has their back.”</em></strong></p>
</blockquote>
<p>I understand Walton&#39;s point, but on the other hand, a small bank&#39;s takeaway from those three paragraphs might be &quot;Fiserv doesn&#39;t have your back, so look elsewhere.&quot; A competing core platform and processing vendor that &quot;does have your back&quot; might have a tag line to use.</p>
<p>Large banks are also lambasted for allowing so many &quot;mule accounts&quot; to be established.</p>
<blockquote>
<p><strong><em>As it stands, the big banks don’t have an incentive to police new 
accounts for mule activity, because it’s generally not their customers 
who are getting robbed from this activity, said Avivah Litan, a fraud analyst with Gartner Inc.</em></strong></p>
<p><strong><em>“The bad guys shouldn’t be able to set up these mule accounts in the 
first place,” Litan said. “The bigger banks are not doing a good job of 
screening for this activity because they’re not the ones eating the 
fraud on these attacks on smaller bank customers. [The bank service 
providers] should be spending more money. And the regulators should be 
coming down on them harder.”</em></strong></p>
</blockquote>
<p>Krebs suggests that, perhaps, &quot;small, regional and local banks can pool their clout and resources to extract more from service providers than what those companies are 
currently offering.&quot; Fat chance. Several years ago, some of the largest users of technology services in the country made a concerted effort to get giant service providers to take more contractual responsibility for the performance, and vulnerabilities, of their technology. It fell flat. Unless the bank regulatory agencies intervene directly with the service providers, they&#39;ll continue to do what they do best: collect fees and deny liability.</p>
<p>As for watching your own back as it applies to business customers, Krebs offers some good suggestions, among them:</p>
<ul>
<li>Shop around for banks until you find one that assures you that it uses layered security.</li>
<li>Use &quot;Positive Pay&quot; if your bank offers it because it not only deters check fraud but other unauthorized transfers, online and off (I heartily concur).</li>
<li>Use a <a href="http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/" target="_self">Live CD</a> to temporarily convert your PC from Microsoft Windows to Linux for doing online banking transactions.</li>
</ul>
<p>Krebs also offers an <a href="http://krebsonsecurity.com/online-banking-best-practices-for-businesses/" target="_self">online &quot;best practices&quot; guide for businesses</a>. As with much of his material, it&#39;s good stuff.</p></div>
</content>


    </entry>
    <entry>
        <title>PATCO Played Out: A Few Lessons Learned</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/01/patco-played-out-a-few-lessons-learned.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/01/patco-played-out-a-few-lessons-learned.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017d401e47f3970c</id>
        <published>2013-01-17T22:05:00-06:00</published>
        <updated>2013-01-17T22:05:00-06:00</updated>
        <summary>The last time we discussed the PATCO decision, the appellate court had found that the bank&#39;s security procedures to defeat account takeover were not &quot;commercially reasonable,&quot; but had sent the case back down to the trial court to determine what...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Banking Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Contracts" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Deposits" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Litigation" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Marketing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Practice of Law" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="State Law" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c35ef575a970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Lessons_learned" class="asset  asset-image at-xid-6a00d8341c652b53ef017c35ef575a970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c35ef575a970b-120wi" style="margin: 0px 5px 5px 0px;" title="Lessons_learned" /></a>
<p>The last time <a href="http://www.banklawyersblog.com/3_bank_lawyers/2012/07/patco-and-experi-metals-how-much-hope-do-they-really-give-small-businesses.html" target="_self">we discussed the PATCO decision</a>, the appellate court had found that the bank&#39;s security procedures to defeat account takeover were not &quot;commercially reasonable,&quot; but had sent the case back down to the trial court to determine what legal responsibility the customer might have to prevent account takeover. Following that action, the bank and PATCO settled the case, so that burning legal issue was not resolved.</p>
<p>Recently, <a href="http://www.bankinfosecurity.com/patco-settlement-what-means-a-5373/p-2" target="_self">PATCO co-owner Mark Patterson and counsel Dan Mitchell were interviewed by Bank Info Security&#39;s Tracy Kitten</a> about the lessons they think they learned from the case. Among those (along with my observations) are:</p>
<ul>
<li>PATCO approached the bank within the first month of the incident with a settlement proposal that turned out to be a heck of a lot less than what the bank eventually paid in settlement after three years of litigation. Both sides ended up enriching their legal counsel needlessly. Sweet!</li>
<li>Community banks seem more willing to settle quickly than do larger banks. Mitchell and Patterson think that&#39;s because community banks are more concerned about the reputational risk if the dispute hits the press. Might this be a potential competitive marketing advantage for community banks? &quot;Bank with us! <span style="text-decoration: underline;">We&#39;ll</span> pay for <span style="text-decoration: underline;">your</span> negligence!&quot;</li>
<li>Most cases of corporate account takeover are settled quickly, and off the radar screen. That certainly appears to be accurate from our personal experience. While many lawyers live to engage in disputes, bankers live to make money the old fashioned way: by doing business. It&#39;s hard to do business when you&#39;re the defendant and your customer is the plaintiff.</li>
<li>Prospective litigation costs and reputational risk can be as much of a deterrent to bank customers pursuing litigation as they can be to banks. </li>
<li>There&#39;s not much case law on these issues. Until there is, there is likely to be much jockeying for position, blustering and posturing by lawyers for both sides, unless responsible business leaders on each side of the table seize control early in the game and keep their eyes on the prize: salvaging the relationship (if possible) without breaking either the bank or the customer.</li>
<li>Patterson thinks ACH should not be done by businesses, no matter how allegedly &quot;strong&quot; the security devices or procedures used. He claims that his business will use ACH only for tax payments. The reasons for his revulsion: the one-sided nature of the agreements prepared by the banks, which place almost all liability on the customer. Hey, that&#39;s why banks pay us the big bucks, Mark!</li>
<li>Patterson and Mitchell do believe that customers have &quot;some responsibility&quot; for protecting their accounts from takeover. However, they claim that banks bear more responsibility than customers because they are &quot;in a better position&quot; to prevent and detect takeovers. While I don&#39;t disagree that banks should be more sophisticated in this area than the average small business owner, I&#39;m still not willing to go as far as Patterson and claim that using a dedicated separate PC solely for online banking (and not for cruising Internet porn sites) is cost prohibitive for most small businesses. That simply doesn&#39;t pass the smell test for me. On the other hand, I&#39;m an alleged elitist, so perhaps my view is slanted toward my liege lords and masters, &quot;The Banks.&quot; Perhaps a refurbished eMachine for $250 is simply beyond the reach of the average small business. If that&#39;s the case, how much money would they stand to lose from any of their corporate accounts? Wouldn&#39;t cybercrooks just enter, laugh, and leave?</li>
</ul>
<p>Whether you represent banks or bank customers, Mitchell&#39;s final words ring true.</p>
<blockquote>
<p><strong><em>I would bet my bottom dollar that there will be more lawsuits in the 
future in this area. What types of questions will come up really will 
depend on the unique circumstances of each case. But given the 
prevalence of corporate account takeover, you can bet that there will be
 more cases.</em></strong></p>
</blockquote></div>
</content>


    </entry>
    <entry>
        <title>The Problem With The Cutting Edge</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/01/the-problem-with-the-cutting-edge.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2013/01/the-problem-with-the-cutting-edge.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017ee7558ccf970d</id>
        <published>2013-01-13T22:04:00-06:00</published>
        <updated>2013-01-13T22:04:00-06:00</updated>
        <summary>In an interview by Tom Fields of Bank Info Security, Matthew Speare, SVP of IT for M&amp;T Bank, talks about a painful truth regarding inflicting pain on cybercrooks who steal from banks: You’ll never be able to beat them. The...</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Compliance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Consumer Law-General" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Governance" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Marketing" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c35b23cc2970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Customer-complaint" class="asset  asset-image at-xid-6a00d8341c652b53ef017c35b23cc2970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c35b23cc2970b-120wi" style="margin: 0px 5px 5px 0px;" title="Customer-complaint" /></a>In <a href="http://www.bankinfosecurity.com/interviews/tackling-authentication-challenge-i-1755" target="_self">an interview by Tom Fields of Bank Info Security</a>, Matthew
Speare, SVP of IT for M&amp;T Bank, talks about a painful truth regarding
inflicting pain on cybercrooks who steal from banks: You’ll never be able to
beat them. The best a bank can do is make it so painful for the bad
guys to try to steal from your bank that they decide to “go down the street” and pick
on a 98-pound weakling of a community bank that thinks “multi-factor
authentication” means having a password stronger than your social security
number.</p>
<p>Other participants in the interview are Christopher Paidhrin, the IT security
compliance officer at PeaceHealth Southwest Medical Center, and Elayne Starkey,
the CSO for the State of Delaware. Among the new authentication technologies
that they discuss are “biometrics,” including iris scans, voice recognition,
and fingerprint and palmprint identification techniques. Speare also discusses “soft”
tokens as something his bank has experimented with as an alternative to the
traditional “hard” tokens. Many of those technologies have been around for a
number of years, and in the health care and governmental fields, appear to be gaining
acceptance as part and parcel of daily life. That also seems to be the case
with authentication technologies that are employed by bank personnel that do not directly impact bank
customers. </p>
<p>Speare, however, discusses a problem with the use of such “cutting
edge” authentication techniques by bank customers: “the end user experience.”&#0160; He asserts that password-based
authentication has become so ingrained in the minds of bank customers, even
business customers, that adding additional requirements to the authentication
process that slow down or otherwise impede the customer in the performance of banking transactions becomes an issue where
bank marketing and customer relationship personnel begin to push back, as their
customers squawk like we used to squawk to our mothers when we were little kids. “Why
do I have to do this? None of the other kids’ mothers makes them do it!”</p>
<p>Here’s my not-so-novel suggestion: spend more time thinking
about how to educate your customers as to the benefits of these new techniques
and to “sell” them on those benefits, rather than to moan to bank security
officers about customer resistance. You could even invite them to a free lunch
or cocktail hour seminar at which your favorite lawyer and/or IT security
expert could elevate their collective consciousness to a higher plane. Yes, this
is more work than simply resisting change and increasing risk to both bank and
customer, but we’re now well into the second decade of the twenty-first
century, and the criminals are ahead of the banks and so far out ahead of the customers that they&#39;re in danger of actually lapping them, so maybe it’s time for everyone to at least try to power on up the
sophistication curve. An added benefit is that you could use those sessions to fulfill your duty under the 2011 FFIEC Supplement to its Online Authentication Guidance to educate your customers about how to better protect themselves in a cruel online banking world.</p>
<p>What do you say?</p></div>
</content>


    </entry>
    <entry>
        <title>An Act of War: Against Banks</title>
        <link rel="alternate" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/09/an-act-of-war-against-banks.html" />
        <link rel="replies" type="text/html" href="http://www.banklawyersblog.com/3_bank_lawyers/2012/09/an-act-of-war-against-banks.html" />
        <id>tag:typepad.com,2003:post-6a00d8341c652b53ef017c322ebab0970b</id>
        <published>2012-09-27T21:37:00-05:00</published>
        <updated>2012-09-27T21:37:00-05:00</updated>
        <summary>Supporting terrorist groups worldwide is a very bad thing. Killing your own people when they publicly oppose the existing government is a very bad thing. Building a nuclear weapon and threatening to annihilate your neighbors is a very bad thing....</summary>
        <author>
            <name>Kevin</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Crime" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Current Affairs" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Electronic Banking" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Life (In General)" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Risk Management" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="War" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Web/Tech" />
        
        
<content type="xhtml" xml:lang="en-US" xml:base="http://www.banklawyersblog.com/3_bank_lawyers/">
<div xmlns="http://www.w3.org/1999/xhtml"><p>
<a class="asset-img-link" href="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c322eb937970b-popup" onclick="window.open( this.href, &#39;_blank&#39;, &#39;width=640,height=480,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0&#39; ); return false" style="float: left;"><img alt="Cyber_warfare" class="asset  asset-image at-xid-6a00d8341c652b53ef017c322eb937970b" src="http://www.banklawyersblog.com/.a/6a00d8341c652b53ef017c322eb937970b-120wi" style="margin: 0px 5px 5px 0px;" title="Cyber_warfare" /></a>Supporting terrorist groups worldwide is a very bad thing. Killing your own people when they publicly oppose the existing government is a very bad thing. Building a nuclear weapon and threatening to annihilate your neighbors is a very bad thing. Having a president who wears a bomber jacket, sports a three-day growth of beard, and goes by a moniker that sounds like &quot;I&#39;m-A-Major-Whack-Job&quot; is a very bad thing. However, <a href="http://www.bankinfosecurity.com/blogs/banks-expect-more-attacks-p-1361" target="_self">launching denial-of-service attacks on bank websites</a> is beyond the pale.</p>
<blockquote>
<p><em><strong>The website glitches and outages that affected Bank of America and 
Chase last week are rumored to be just that sort of attack. In fact, 
financial fraud sources say both banks were hit with denial-of-service 
attacks likely backed by Iran. </strong></em></p>
<p><em><strong>Experts say banks better brace themselves, and they&#39;re right. With 
the U.S. election approaching, institutions can count on more DDoS 
attacks sponsored by nation-states.</strong></em></p>
</blockquote>
<p>Nation &quot;states&quot;? It sounds like one nation &quot;state&quot; to me. I suppose this is to be expected from a government with whom this country and its ally, Israel, have been waging an undeclared war that, according to some sources, includes <a href="http://www.itpro.co.uk/642502/the-stuxnet-legacy" target="_self">the introduction of destructive computer viruses</a> into Iranian computer systems and <a href="http://www.nytimes.com/2012/07/12/world/middleeast/book-contends-iranian-scientists-were-killed-by-israeli-mossad.html" target="_self">the delivery of bullets to the heads of Iranian scientists</a>.</p>
<p>The experts were correct about banks bracing themselves for further attacks, because following the date the above-linked blog post was posted, <a href="http://online.wsj.com/article/SB10000872396390444358804578018812198349592.html?mod=googlenews_wsj" target="_self">Wells Fargo was also hit</a>. What are banks supposed to do?</p>
<blockquote>
<p><em><strong>A <a href="http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf" target="_blank">fraud alert</a>
 issued Sept. 17 by FS-ISAC, the Federal Bureau of Investigation and the
 Internet Crime Complaint Center, suggests 17 steps institutions should 
take to mitigate risks posed by cyberthreats...</strong></em></p>
<p><em><strong>Among those steps: </strong></em></p>
<ul>
<li><em><strong>Educate employees about phishing e-mails and suspicious attachments;</strong></em></li>
<li><em><strong>Monitor site traffic spikes, which could indicate a DDoS attack; </strong></em></li>
<li><em><strong>Limit employees&#39; ability to remotely access internal networks and work-related e-mails from personal devices.</strong></em></li>
</ul>
<p><em><strong>[...]</strong></em></p>
<p><em><strong>&quot;Traditional preventive measures, such as bandwidth over-provisioning, 
firewalls and intrusion prevention systems, continue to provide some 
protection. However, traditional measures are ineffective against 
today&#39;s DDoS attacks,&quot; the FS-ISAC says, calling for the use of layered 
defenses.</strong></em></p>
<p><em><strong>[...]</strong></em></p>
<p><em><strong>Banks and credit unions should ensure that their tellers and other 
branch personnel are well-educated about all the security steps the 
organization is taking and can communicate that information clearly to 
customers.</strong></em></p>
</blockquote>
<p>As if banks didn&#39;t have enough to do merely trying to survive the terror imposed by the CFPB. Now they have to deal with cyber-terror launched by a nation whose leaders make even Liz Warren seem rational in comparison.</p></div>
</content>


    </entry>
 
</feed>
