ABA on Fraud: 'All is Not Lost'
Interview with Doug Johnson of the American Bankers Association on How to Respond to Corporate Account Takeover
Doug Johnson of the American Bankers Association (ABA) says the message to concerned parties is "All is not lost." In an exclusive interview, Johnson discusses:
- The significance of the threat;
- How banks and businesses must respond;
- Why the ABA opposed Reg E reform or any other legislative remedies.
Johnson is the American Bankers Association's Vice President and Senior Advisor, Risk Management Policy, where he is involved in a variety of public policy and compliance issues. He currently leads the association's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness.
Johnson represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and serves on the BITS/Financial Services Roundtable Security Steering Committee. He is also a board member of the Financial Services Information Sharing and Analysis Center, a private corporation that works with government to provide the financial sector with cyber and physical threat and vulnerability information, as part of the nation's homeland security initiative.
TOM FIELD: The topic today is corporate account takeover. Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking with Doug Johnson, the Vice President of Risk Management Policy with the American Bankers Association. Doug, it is a pleasure to talk with you again.
DOUG JOHNSON: Good afternoon, Tom.
FIELD: So, Doug, sort of the news hook here is last week the announcement of the PlainsCapital and Hillary Machinery settlement. What can you say about the significance of this case in terms of corporate account takeover?
JOHNSON: Well, Tom I can't say much about the settlement since it is confidential, but I do think the case in general is significant. I do frankly reject the notion that is brought out by Hillary Machinery that somehow community banks don't have the ability to appropriately protect their small business and municipal customers. I believe that community banks, as well as larger financial institutions, have that obligation and have the ability to do that, and so I was disappointed to see that one of the things that the case did is appear to pit one portion of the industry against another when actually we are all trying to together protect this environment.
FIELD: Doug, you see institutions of all sizes so put this in perspective. How big is the current threat of corporate account takeover?
JOHNSON: Well, I think that the threat is very large. I think that the threat is not only a large one from the standpoint of the number of cases -- which the FBI continues to observe are increasing for them. But I think the biggest risk that we face here, as it relates to the corporate account takeover, is the damage it does to the reputation of financial institutions and financial institutions' customers, and the damage it does potentially to the relationship between our customers and our financial institutions. Because I do believe at the end of the day this is all about shared responsibility. Both financial institutions as well as financial institution customers do have a responsibility to have skin in the game to protect accounts, and I think that it is only through that active partnership that they were able really to address the current threat.
FIELD: Doug, we first spoke about this maybe 10 months ago, last August. Since then how has the ABA responded to the threat and helped institutions respond, not just in terms of security, but as you say in the repairing or staving off some of the reputational damage?
JOHNSON: We are working on the issue on a number of fronts. First and foremost it is all about communication. It is all about ensuring that banks and bank customers have the information, which is necessary for them to protect themselves. So I think one of the first things, which was important from my perspective, was to get the account hijacking for corporate customers recommendations that the Financial Services Information Sharing and Analysis Center, where I serve on the Board, did in concert with the FBI and with NACHA. We made that a public document (it was previously a classified document). Making it public allowed it to really be easily disseminated throughout the entire environment, which was very important I think, as an educational piece because it has a variety of good recommendations for customer education.
We have had articles written. We wrote a joint article with NACHA for our compliance magazine. There is a Q&A that is going to appear in next month's ABA Banking Journal where I go through the challenges associated with corporate takeover. We have put workshops on corporate takeover in front of both our Risk Management Forum, which we held earlier this year, as well as our Regulatory Compliance Conference, because this just isn't about the risk side; there are compliance aspects to this as well, and so it is important that all segments of the bank that have a portion of this responsibility have the tools available to really complete their responsibilities. We have held a webinar in concert with the FBI and NACHA on the takeover issue as well.
So there are a variety of ways that we have communicated with our membership about the threat and about the mechanisms to really address those threats, so that they really have the tools to do so. We have also worked with the core processing environment because we feel that core processors, obviously, are just as vital in terms of providing solutions regarding authentication and fraud detection, particularly for the community bank market. So, Tom, it is safe to say that we are active on a variety of fronts and we will continue to be active going forward.
FIELD: Well, Doug, you have been active, and certainly the FDIC was active a couple of weeks back by pulling together a one-day symposium; as you say though, the threat continues to grow. What needs to happen now, given the efforts that you have put in and the attention that the FDIC brought to this?
JOHNSON: Well, I think that one of the things which was announced at the FDIC symposium that will be extremely helpful is the effort of the FS-ISAC, the Financial Services Information Sharing and Analysis Center, to really pull together a broad coalition of associations and individual companies to really try to address these issues. Again, the coalition was announced at the event, and it will really deal with all of the various aspects of the threat in terms of detecting the threat, trying to prevent the attacks from occurring and then resolving those threats once they occur. You will see a wide variety of institutions involved in that particular effort. The Financial Services Roundtable as well as the ABA is involved, as well as NACHA. It is really going to be a broad coalition of individuals and associations to really try to develop a concerted and consistent approach to this issue, because I think it is really through unified effort that we are really going to be able to address the challenges before us.
FIELD: Doug, as you know, one of the louder voices out there has been calling for either new legislation or reform of Reg E even to protect some of the businesses that have suffered fraud losses. What are your thoughts on the call for legislative remedies?
JOHNSON: Well, I do believe that it is vitally important, as I have indicated earlier, that business customers recognize their share of responsibility. Banks have a tremendous responsibility to protect their small businesses and municipal customers just as they have that responsibility to protect their retail customers. But the retail customer protections of Reg E would essentially absolve the small businesses of any responsibility or liability for not properly protecting themselves, and you can certainly appreciate that in a community bank market it is very difficult for a financial institution, through no fault of its own, to really make a corporate customer whole for a loss which could be upwards toward a half of million dollars. And there would be less incentive on the part of the corporate customer to protect themselves if they knew that they were going to be made whole in that fashion, even if they didn't protect themselves.
So I think that what you do when you place Reg E protections, legislatively or otherwise, in the business account environment is you potentially do tremendous violence to the business model, because you could create an environment where you have essentially put in place tremendous disincentives for the bank to even offer the kinds of online products which our corporate and small business customers and our municipal customers have come to expect. So it is only really through that shared responsibility that that model works, and I think that to the extent that that shared responsibility does not exist, the model doesn't work and could potentially not exist in the future.
FIELD: So fair to say the ABA would oppose any sort of legislative remedy?
JOHNSON: That is correct.
FIELD: Doug, final question for you. We have talked about education; we have talked about shared responsibility, as you said from the onset, the numbers continue to grow. What are some best practices that banks and businesses really must employ now to be able to beat back this threat?
JOHNSON: Well, I am really glad you asked that question, Tom, because I continue to stress, when I have the opportunity, that I get concerned when people and experts believe that there are only technological fixes to account takeover. And so when they see for instance Zeus as a piece of malicious software being able to potentially defeat a random number generator token, they think 'Well, all is lost.' Well, all is not lost.
We tend to really not think about the standard blocking and tackling that a financial institution customer and a financial institution can do in terms of implementing the proper levels of internal controls as well as technological controls. Controls as simple as dual control, where in the small business environment one person is not sufficient to conduct an ACH transaction: you have to have one person authorize as well as another execute that transaction. It is a very simple control that can defeat Zeus because it is a human factor, and sometimes human factors work tremendously well in concert with technological factors. So that is what I would stress: to ensure that banks and businesses continue to look at internal controls as well as technological solutions.
The other thing that I would stress, and I think this is also done in partnership between banks and bank customers, is that the banks and bank customers come to some good decisions about what are reasonable transactions for that business so that when you have a transaction in an ACH or wire environment that doesn't fit that norm that the bank will question it. So it is through putting proper transactional thresholds in place and coming to an agreement about what those thresholds should be in concert with your business customer that I think can really assist, because it is not just about know your customer in the banking environment; it is also all about know your transaction.
So, those are two of the lessons that I think are learned by the current environment, and just like every environment, we continue to learn and get smarter, and I do have every expectation that we will continue to do so.
FIELD: Doug, it strikes me that the partnership and the protections sound relatively simple. Where are they breaking down?
JOHNSON: Well, I believe that where they break down is in the execution. I think that we are all human, and because we are humans, humans are going to make mistakes. It is only through ensuring that both the banks and bank customers adhere to the controls that are supposed to be in place that we can really effectively drive ourselves to a solution to this problem.
FIELD: Doug, as always I appreciate your time and your insight. Thank you so much for spending time with me.
JOHNSON: Sure, Tom. Glad to do it.
FIELD: We have been talking about corporate account takeover. We have been talking with Doug Johnson of the American Bankers Association. For Information Security Media Group, I'm Tom Field. Thank you very much.