The Perfect Storm is Brewing
I was talking with one of my security forensics contacts, and he related a bit of insight that made me stop and think. "Why is it," he told me, "that a bank will weigh the scales of risk and consider it better to take $1 million in losses rather than spend $2 million to fix its security and stop the fraud in the first place?"
The call for better security comes not just from my contact; it was also raised by security vendor Authentify, which says it plans to petition Congress on e-banking security policies. The question raised in the PlainsCapital Bank case and the countersuit filed by its business customer is 'What is reasonable security?' The vendor will be asking security professionals to voice their opinion on this question at the RSA conference. This petition also brings up the possibility of changing banking security regulations, especially Reg E, to include businesses. If Reg E is changed to cover business accounts for fraud losses, it would mean real change would have to come to banking security.
The 'perfect storm' is coming, fueled by the public opinion that their banks aren't doing enough to protect them.
The coming storm is fed by the rash of ACH fraud caused by criminal hackers, the onslaught of phishing attacks, lawsuits from business customers and private consumers charging that their institutions have poor security, and the pending creation of a consumer financial protection agency at the federal level.
Another factor: The advent of social media networks such as Facebook and Twitter. While seen as positive branding tools that push customer interaction to an immediate level never seen before, they can also cut the other way when masses of customers complain about a bank's customer service, policies or how their case was or wasn't handled. A Google search of big bank names with additional words such as "hate," "overdraft fees," "unfair," "robber" or "poor security" turns up millions of pages of complaints, rants and personal stories of how customers are battling with their institutions over policies, fraudulent charges and more. Try it yourself. Try it with your institution's name.
A website called "Banking Horror Stories" (bankinghorrorstories.com) was launched last week and is described as a website "designed exclusively for consumers to share their horror stories about dealing with their banks," says Steve Dibert, the site's founder and owner of MFI-Miami, a Florida-based firm that does compliance examinations and mortgage fraud investigations.
Dibert says he created this site after hearing stories from clients about the horrific treatment they received from their banks. "My clients tell me their complaints of arrogant executives, unresponsive managers and incompetent staff people fall on deaf ears when they call their banks."
The site's purposes are to give homeowners information on the banking world, as well as give them a place to get legal help in investigating banks that violate consumer protection laws. Dibert says the site also sends a "strong signal to the major banks - 'you are not too big to control!' If Congress won't bring you under control, the American people will!"
I'm interested to see which institutions people will complain about on this site, and more importantly -- what those institutions will do to defend themselves. I'm sure no bank wants to find itself listed on a site such as this one.
This "Banking Horror Stories" site and the banking security petition to Congress are just the tip of the iceberg when it comes to how deep the feelings of consumers and business customers run about what their institutions are doing to protect them and their personal information.
I'm making the warning now that the 'perfect storm' is coming, fueled by the public opinion that their banks aren't doing enough to protect them, the creation of a federal consumer protection agency focused on financial services, and the increased call for stronger online banking security measures. The industry had better be ready to react and correct its course, or we will be flung into a swirling mass of compliance, regulations, and consumer protection requirements ... and I don't see anyone getting out without paying some kind of price, whether it is the cost of increased security, a loss of customers, deposits or trust.