5 Things Your Credit Union Must Know About Wire Fraud, April 8, 2015 (PowerPoint presentation)

SLIDE 1

5 Things Your Credit Union Must Know About Wire Fraud

April 8, 2015

Moderator

  • E. Andrew Keeney, Esq.

Presenter

  • R. Johan Conrod, Jr., Esq.
SLIDE 2
  • R. Johan Conrod Jr., Esq.

150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3183 rjconrod@kaufcan.com

  • E. Andrew Keeney, Esq.

150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153 eakeeney@kaufcan.com http://www.kaufmanandcanoles.com/movies/credit-unions.html

SLIDE 3

Introduction

  • The goal of this Webinar is to provide credit unions practical tools to:
    – Understand the fundamentals of authentication processes,
    – Know how wire fraud bond coverage works in case a fraud occurs, and
    – Recognize best practices to prevent wire fraud and protect bond claims

These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet users should not act upon this information without seeking professional counsel from a lawyer licensed in the reader’s home jurisdiction.

SLIDE 4

Wire Fraud Is Everywhere

  • Overall, wire fraud cases have risen tenfold in the past 10 years (Wall Street Journal, 10/9/13)
  • Wire fraud incidents are increasing at a faster rate than even identity theft (WSJ, 10/9/13)
  • Criminals are creative: a recent widespread scam targeted HELOCs and involved more than two dozen credit unions (Credit Union Times, 11/25/14)

SLIDE 5

The 5 Things

1. What is authentication?
2. How is authentication applied in real life?
3. What wire fraud coverage is available under my fidelity bond?
4. Do other bond coverages apply?
5. How can I best protect my credit union?

SLIDE 6

THE BASICS OF IDENTITY AUTHENTICATION

SLIDE 7
SLIDE 8

Point of Clarification

**FFIEC guidance relates specifically to online banking

  • Most wire transfer requests are made through phone, facsimile or in-person requests, not via your online banking system
  • However, the principles that form the foundation of the FFIEC guidance are critical to understanding authentication in general, including as it relates to wire transfers

SLIDE 9

AUTHENTICATION FACTORS RECOGNIZED BY THE FFIEC

Authentication refers to the process by which a credit union verifies that the person making a request is authorized to make the request. Authentication can be either “single-factor” or “multi-factor”; the more independent factor categories are used, the stronger the authentication. The 3 categories of “factors” are:
  (1) something you know (password or PIN),
  (2) something you have (ATM card, or a phone number of record that can be called), or
  (3) something you are (fingerprints, retina scans, etc.)

SLIDE 10

Multi-factor Authentication

  • Multi-factor authentication refers to the act of using more than one category of factor when authenticating a person’s identity
  • Using an ATM is a classic example of multi-factor authentication: the PIN is “something you know,” and the ATM card itself is “something you have”

SLIDE 11

Critical Point!

“Multi-factor” authentication refers to multiple different categories of authentication, not multiple uses of the same category. For example, asking for multiple passwords is not multi-factor authentication, because all passwords fall under the “something you know” category. The same is true of challenge questions: the answer to a challenge question is still “something you know,” so a password plus a challenge question is still single-factor.

SLIDE 12

FFIEC Guidance

  • Single-factor authentication is “inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.”
  • In other words, you typically must use some form of multi-factor authentication when wiring funds
  • However, multi-factor authentication alone might not be enough in today’s Internet environment; procedures such as “dual control” may be required
    – Dual control requires authentication information from more than one authorized person on the member’s side (e.g., two of the member’s employees) to authorize a transaction

SLIDE 13

“Single Factor Authentication”

SLIDE 14

Survey Question # 1

“Multi-factor authentication” refers to:
  a. An algebraic equation you must know for the SAT;
  b. How NASA calculates coordinates for the Mars rover landing;
  c. The act of using more than one category of factor when authenticating a person’s identity

SLIDE 15

UCC Article 4A

  • Deals with authentication of funds transfers in the commercial transaction context, and with risk shifting
  • Shifts the risk of loss from the financial institution to the member if the CU uses “commercially reasonable security procedures” set forth in a written agreement with the member that governs the transaction at issue, and accepts the payment order in good faith and in compliance with that procedure

SLIDE 16

Commercially Reasonable Security Procedures

  • Does not require use of the “best” available procedures, just those that are reasonable under the circumstances
  • 4A gives examples: “algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices”
  • Handwriting analysis (comparing the signature on a payment order with a specimen signature) is not, by itself, a commercially reasonable security procedure

SLIDE 17

Commercially Reasonable Security Procedures, cont.

  • “One size fits all” procedures are not sufficient; procedures must fit the particular member
  • 4A says that in assessing commercial reasonableness, courts should consider “the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated”

SLIDE 18

Patco Construction Co., Inc. v. People’s United Bank

684 F.3d 197 (1st Cir. 2012)

  • $588,851 in fraudulent withdrawals from Patco’s account
  • Bank claimed its security procedures were reasonable and therefore Patco bore the risk of loss
  • Trial court agreed with Bank, but the appeals court reversed, finding that the procedures were not commercially reasonable

SLIDE 19

Patco Construction Co., cont.

  • Bank used third-party security software with multiple security options, including user IDs and passwords; invisible device authentication via “cookies”; risk profiling via assessment of geo-location, IP address and transaction history; and use of “challenge questions”
  • But Bank mis-stepped in 2 big ways:
    – Bank lowered the threshold for use of challenge questions to $1, which meant that the questions were asked every time Patco performed any transaction
    – Bank did not follow up on the warnings generated by the risk-profiling software
  • Fraudsters used keylogging malware, which captured the challenge-question answers along with the credentials and enabled the theft. Challenge answers are “something you know,” the same factor category as the password, so asking them on every transaction added no second factor against a keylogger; it only exposed the answers more often

SLIDE 20

Patco Construction Co., cont.

  • According to the appeals court, failing to follow up on software warnings and lowering the challenge question threshold to $1 were both commercially unreasonable under the circumstances
  • The Bank argued that lowering the challenge question threshold to $1 for all bank customers helped the bank better catch small frauds
  • But the appeals court rejected this position: the court said that the question of commercial reasonableness must be analyzed on a customer by customer basis
  • “One size fits all” solutions are not reasonable, said the court

SLIDE 21

Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611 (8th Cir. 2014)

  • $440,000 fraudulent wire from Choice’s account to an account in the Republic of Cyprus
  • Prior to the fraud, Bank had offered heightened security procedures but Choice declined them
  • Appeals court found that because Choice turned down procedures that were commercially reasonable, the risk of loss fell on Choice and not Bank

SLIDE 22

Choice Escrow & Land Title, LLC, cont.

  • Court recognized that security procedures must evolve as fraudsters become more sophisticated, so a procedure that is reasonable today may not be tomorrow
  • Bank offered a “dual control” option to Choice because multi-factor authentication standing alone may not have been sufficient
  • Choice declined dual control, and instead used a single-control process, which only required authentication information from one employee rather than two

SLIDE 23

Survey Question # 2

Yes or No: Is handwriting analysis a commercially reasonable security procedure under the UCC?

SLIDE 24

FIDELITY BOND COVERAGE FOR WIRE FRAUD

SLIDE 25

BOND COVERAGE IS NOT AN EXCUSE TO AVOID IMPLEMENTING ADEQUATE SECURITY PROTOCOLS

  • “Insurance coverage is not a substitute for an information security program. …[T]he Security Guidelines require a financial institution to implement and maintain controls designed to prevent those [fraudulent] acts from occurring.”
    – Interagency Guidelines Establishing Information Security Standards, Board of Governors of the Federal Reserve System

SLIDE 26

“Don’t worry, insurance will cover it.”

SLIDE 27

Typical Bond Language

SLIDE 28

Alternate Coverage

**Note that at least one major credit union bonding company has recently changed its funds transfer coverage so that, instead of providing full coverage, the insurer shares all funds transfer loss above $25,000 50/50 with the credit union

SLIDE 29

Alternate Coverage, Cont.

**This risk-sharing program does not include the same requirements as other bond coverage, but rather encourages CUs to:

  • Establish monetary thresholds for requiring in-person requests at a branch office. For example, require that any requests via telephone, fax, email, electronic messaging or online requests above $25,000 be completed in person.
  • Review a history of the types and sizes of wire transfer requests the CU typically receives, and consider the CU’s risk tolerance, when establishing these monetary thresholds.
  • If a transaction does not meet these requirements, treat the request as an exception that requires additional layers of security and sign-off by senior staff, and that is appropriate only in the most exceptional circumstances.

SLIDE 30

Call-back Verification

The credit union places a call to the member’s official phone number of record and then asks the member for a password or PIN, giving two-factor authentication: reaching the phone of record is “something they have,” and the password or PIN is “something they know.” The call must be originated by the credit union to the official number of record; a call the requester places to the credit union, or a call to a number supplied with the request, verifies nothing.

[Diagram: Callback Verification to Member’s Phone (something they have) + Password (something they know) = Authentic]

SLIDE 31

BUT BEWARE!

  • Thieves have successfully taken over members’ official phone numbers
  • Thieves have reset PINs
  • Thieves have copied signatures
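The rules on slides 9 through 12 (distinct factor categories, dual control) and slides 29 through 31 (monetary thresholds for in-person requests, call-backs that the credit union itself originates to the number of record, and the ways thieves defeat them) can be written down as one authorization check. The following is an added example written for this page, not code from the webinar or from the presenters’ firm; the thresholds (the $25,000 in-person figure mirrors slide 29’s illustration, the $10,000 dual-control figure is invented), the member’s number of record, the employee names and the sample requests are all hypothetical:

```python
"""Wire-request authorization check modelled on the webinar's rules (slides 9-12, 29-31).
Added example for this page, not code from the webinar; the thresholds, the member's
phone number of record and the sample requests are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, PIN, challenge-question answer
    HAVE = "something you have"   # card, token, phone number of record
    ARE = "something you are"     # fingerprint, retina scan


@dataclass
class Evidence:
    factor: Factor
    method: str                # "password", "challenge", "callback", "token", ...
    supplied_by: str           # authorized person on the member's side
    callback_origin: str = ""  # "cu" when the credit union placed the call
    callback_number: str = ""  # number the credit union actually dialled


@dataclass
class WireRequest:
    member_id: str
    amount: float
    channel: str               # "in_person", "phone", "fax", "email", "online"
    evidence: list


@dataclass
class Policy:
    dual_control_above: float = 10_000                    # hypothetical threshold
    in_person_above: float = 25_000                       # slide 29's illustrative figure
    phone_of_record: dict = field(default_factory=dict)   # member_id -> number


def usable_evidence(req, policy):
    """Drop call-backs the CU did not originate to the number of record (slides 30-31):
    a call the requester placed, or a call to a number supplied with the request,
    proves nothing about 'something you have'."""
    on_record = policy.phone_of_record.get(req.member_id)
    return [e for e in req.evidence
            if e.method != "callback"
            or (e.callback_origin == "cu" and on_record and e.callback_number == on_record)]


def factor_categories(evidence):
    """Distinct categories; two passwords, or password + challenge answer, are one (slide 11)."""
    return {e.factor for e in evidence}


def evaluate(req, policy):
    """Return (outcome, reasons); outcome is 'approve', 'exception' or 'deny'."""
    reasons = []
    evidence = usable_evidence(req, policy)
    if len(evidence) < len(req.evidence):
        reasons.append("call-back not originated by CU to number of record; ignored")
    cats = factor_categories(evidence)
    if len(cats) < 2:   # FFIEC: single factor is inadequate for movement of funds (slide 12)
        reasons.append("fewer than two factor categories: %s"
                       % ", ".join(sorted(c.value for c in cats)))
        return "deny", reasons
    if req.amount > policy.dual_control_above:
        people = {e.supplied_by for e in evidence}   # dual control = two distinct people
        if len(people) < 2:
            reasons.append("dual control required above %d; only %d person authenticated"
                           % (policy.dual_control_above, len(people)))
            return "deny", reasons
    if req.amount > policy.in_person_above and req.channel != "in_person":
        reasons.append("above %d the request must be made in person; route as an exception "
                       "needing additional controls and senior sign-off" % policy.in_person_above)
        return "exception", reasons
    return "approve", reasons


# Constructed sample data: hypothetical member, phone numbers and employee names.
POLICY = Policy(phone_of_record={"M-1001": "757-555-0100"})


def sample_requests():
    pw = lambda who: Evidence(Factor.KNOW, "password", who)
    ch = lambda who: Evidence(Factor.KNOW, "challenge", who)
    cb = lambda who, number, origin="cu": Evidence(Factor.HAVE, "callback", who, origin, number)
    return {
        "two_knowledge_factors": WireRequest("M-1001", 5_000, "phone", [pw("alice"), ch("alice")]),
        "password_plus_callback": WireRequest("M-1001", 5_000, "phone", [pw("alice"), cb("alice", "757-555-0100")]),
        "callback_to_number_in_request": WireRequest("M-1001", 5_000, "fax", [pw("alice"), cb("alice", "757-555-0199")]),
        "requester_called_us": WireRequest("M-1001", 5_000, "phone", [pw("alice"), cb("alice", "757-555-0100", "member")]),
        "large_single_control": WireRequest("M-1001", 15_000, "phone", [pw("alice"), cb("alice", "757-555-0100")]),
        "large_dual_control": WireRequest("M-1001", 15_000, "phone", [pw("alice"), pw("bob"), cb("bob", "757-555-0100")]),
        "very_large_by_fax": WireRequest("M-1001", 40_000, "fax", [pw("alice"), pw("bob"), cb("bob", "757-555-0100")]),
    }


def run_samples(policy=POLICY):
    """Outcome per sample request (call evaluate() directly to see the reasons)."""
    return {name: evaluate(req, policy)[0] for name, req in sample_requests().items()}
```

The check discounts a call-back before counting factors, so a call to the number written on the fax, or a call the requester made to the branch, leaves only “something you know” and the request is denied rather than waved through as two-factor. Dual control is modelled as two distinct people on the member’s side each supplying authentication, which is the single-control versus dual-control distinction the Choice Escrow court relied on; the in-person threshold turns an otherwise valid large request into an exception for senior sign-off, as slide 29 recommends.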
SLIDE 32

Option 2: A commercially reasonable security procedure

  • Must be signed by the member, not the fraudster (arguably)
  • Must be commercially reasonable; courts likely would use an analysis similar to the 4A cases

SLIDE 33

OTHER BOND COVERAGES

  • “Electronic Crime” and “Electronic Crime – Loan” are additional coverage parts that may or may not be triggered by a fraudulent event
  • But note that Exclusion q bars claims for “loss resulting directly or indirectly from a fraudulent instruction through E-mail, Telefacsimile, or Telephonic means, or ACH debit … except as may be covered under the … Funds Transfer Insuring Agreement.”

SLIDE 34

Survey Question # 3

“Call back verification” refers to:
  a. What the pizza delivery guy does to make sure he has the right address;
  b. A call initiated from a member to the credit union to confirm a wire request;
  c. A call initiated from the credit union to the member’s authorized phone number to confirm that a wire transfer request is legitimate

SLIDE 35

PRACTICAL POINTERS

SLIDE 36

Member Agreements

  • Include a specific multi-factor authentication process for fund transfers
  • Consider options such as dual control, tokens, or other enhanced features
  • Do not merely cross-reference CU policies

SLIDE 37

Consider member’s needs before the relationship begins

  • Remember, one size fits all does not work
  • Must be able to show that you considered the specific needs of the member

SLIDE 38

Wire Transfer Requests

  • Include the same security procedure language in wire transfer request (WTR) forms as in the Member Agreement
  • Consider whether WTRs must originate from something other than facsimile, which may be easier to fake

SLIDE 39

Always Perform Call-Backs

  • The simplest way to maximize bond coverage
  • Consider multiple-line call-backs (e.g., both the mobile and the land line numbers of record)

SLIDE 40

LOSS ACTION STEPS

SLIDE 41

The First 24 Hours

  • Shut down access
  • Report crimes to authorities
  • Notify federal regulators where appropriate
  • Give notice to bond carrier
  • Retain legal counsel
  • Involve credit union board

SLIDE 42

THE FIVE W’S

Who? What? When? Where? Why?

SLIDE 43

Who?

  • If possible, need to know who perpetrated the fraud

SLIDE 44

What?

  • Need to know the nature of the loss, i.e., the scheme by which it was perpetrated

SLIDE 45

When?

  • Need to know when the loss happened, and, perhaps more importantly, when it was discovered
  • Fidelity bonds are triggered by “discovery,” which usually means when you did or reasonably should have discovered the loss
  • Important to report the loss to the insurer immediately upon discovery

SLIDE 46

Where?

  • Where the loss happened will often dictate the coverage that applies and, in the case of wire fraud, could impact sources of recovery and applicable law

SLIDE 47

Why?

  • This may not always be critical in a wire fraud case, but if a CU employee is involved it may become significant
  • Was it to cause credit union loss? Was it to gain improper financial benefit?

SLIDE 48

Final Thoughts/Best Practices

  • Consider appropriate security procedures when opening new accounts
  • Constantly monitor security procedures to make sure they’re keeping up with peer CUs
  • Have your procedures and wire authorization form documentation reviewed/approved by bonding company
  • Review bond coverage to ensure your policies meet bond requirements
  • Train, train, train, train
  • If in doubt, seek qualified counsel
SLIDE 49

QUESTIONS?

SLIDE 50
  • R. Johan Conrod Jr., Esq.

150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3183 rjconrod@kaufcan.com

  • E. Andrew Keeney, Esq.

150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153 eakeeney@kaufcan.com http://www.kaufmanandcanoles.com/movies/credit-unions.html

SLIDE 51

5 Things Your Credit Union Must Know About Wire Fraud

Moderator

  • E. Andrew Keeney, Esq.

Presenter

  • R. Johan Conrod, Jr., Esq.