Depository Examination Staff

June 6, 2013

Page 1

SUPERVISORY MEMORANDUM

June 6, 2013

TO: All State-Chartered Banks

FROM: Director David Mills

SUBJECT: Standards for the Risk Management of Corporate Account Takeovers

Purpose

This Supervisory Memorandum establishes minimum standards for a risk management program to specifically minimize the risks of Corporate Account Takeovers. Hundreds of electronic thefts through Corporate Account Takeover have impacted financial institutions and corporate account holders. Municipalities, school districts, churches, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets of cyber thieves. This type of theft can cause significant financial harm on its victims and impact entire communities and financial institutions. This Supervisory Memorandum reinforces the Indiana Department of Financial Institutions position that all financial institutions should identify, develop, and implement appropriate risk management measures for electronic crimes.

Background

Corporate Account Takeover is a form of business identity theft where cyber thieves gain control of a business’ bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves. Businesses with limited or no internal computer safeguards and disbursement controls for use with the financial institution’s online banking system are vulnerable to theft when cyber thieves gain access to their computer systems, typically through malicious software (malware). Malware infects a business’ computer system not just through ‘infected’ documents attached to an email but also simply when an infected Web site is visited.

Businesses across the United States have suffered large financial losses over the last few years from these thefts through the banking system. Electronic thefts through financial institutions have ranged from a few thousand to several million dollars[1]. These thefts have occurred in financial institutions of all sizes and locations and may not be covered by the financial institution’s insurance. Along with the financial impact, there is also a very high level of reputation risk for financial institutions.

As a result of these growing thefts, the Indiana Department of Financial Institutions has been working with the Conference of State Bank Supervisors, the United States Secret Service, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) to provide a risk mitigation program to assist banks in protecting corporate account holders. The risk mitigation program was developed by an Electronic Crimes Task Force (Task Force) of bankers in Texas working with the US Secret Service, bank trade associations, and a payment processing association. The Task Force was composed of operational executives from a diverse group of banks in terms of size, complexity, and market environment. This is an industry-developed program designed specifically to assist other financial institutions.

Overview

The Task Force developed a list of recommended processes and controls which expanded on a three-part risk management framework of: 1) Protect; 2) Detect; and 3) Respond developed by the United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3), and the FS-ISAC[2]. The Task Force also developed Best Practices for Reducing the Risks of Corporate Account Takeovers (Best Practices) to help financial institutions establish specific practices to implement the recommended processes and controls. The Best Practices document is a valuable resource to effectively reduce risk.

As the Task Force was concluding its work related to Corporate Account Takeover, the Federal Financial Institutions Examination Council (FFIEC) released Supplement to Authentication in an Internet Banking Environment (FFIEC Supplemental Guidance). The FFIEC Supplemental Guidance, issued on June 28, 2011, reinforces previous FFIEC guidance related to risk management of online transactions and updates regulatory expectations regarding customer authentication, layered security, and other controls related to online activity. The Task Force’s recommended three-part Corporate Account Takeover risk management framework and related controls are similar to controls in the FFIEC Supplemental Guidance and include the minimum expectations conveyed in the FFIEC guidance. However, the Task Force guidance has a more specific focus on reducing the risk of Corporate Account Takeovers and therefore provides additional steps to help protect financial institutions and corporate customers.

Minimum Standards for a Risk Management Program to Mitigate Risks of Corporate Account Takeover

There are nineteen processes and controls (components) to support the three-part risk management framework of Protect, Detect, and Respond. Management and the board of directors of all financial institutions must address each of these nineteen components (Attachment A) in a risk management program to mitigate the risk of Corporate Account Takeover. Since the industry Task Force that developed the program included both small and large bank representatives, the required components are broad enough to accommodate the unique needs of every financial institution and its customers utilizing online banking services. Financial institutions may adopt any practices to implement the components of Protect, Detect, and Respond. Although the use of the Task Force-developed Best Practices is optional, it will greatly assist most financial institutions in implementing or expanding practices. The Best Practices are cross-referenced to each of the components listed below and are attached. If your financial institution does not have any business customers that send electronic instructions to transfer funds, you would only need to complete the risk assessment mentioned in P1 below of this Supervisory Memorandum.

The Indiana Department of Financial Institutions has adopted the attached components supporting the Protect, Detect, and Respond framework in setting the minimum standards for a risk management program to mitigate the risks of Corporate Account Takeover. The Indiana Department of Financial Institutions will review implementation efforts for reducing the risks of these electronic crimes through both on-site and off-site reviews. These reviews will focus on the nineteen components in this Memorandum as well as the FFIEC Supplemental Guidance. Examination staff reviews will begin July of 2013.

For further information about this memorandum, contact Randall L. Rowe, Bank Supervisor, at (317) 232-5852.

Attachment A: Corporate Account Takeover - Minimum Standards for a Risk Management Program

Attachment B: Best Practices - Reducing the Risks of Corporate Account Takeovers

Attachment A

Corporate Account Takeover - Minimum Standards for a Risk Management Program

Protect

Implement processes and controls to protect the financial institution and corporate customers.

P1. Expand the risk assessment to include corporate account takeover.

P2. Rate each customer (or type of customer) that performs online transactions.

P3. Outline to the Board of Directors the Corporate Account Takeover issues.

P4. Communicate basic online security practices for corporate online banking customers.

P5. Implement/Enhance customer security awareness education for retail and high risk business account holders.

P6. Establish bank controls to mitigate risks of corporate accounts being taken over.

P7. Review customer agreements.

P8. Contact your vendors to regularly receive information regarding reducing the risk of Corporate Account Takeovers.

Detect

Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.

D1. Establish automated or manual monitoring systems.

D2. Educate bank employees of warning signs that a theft may be in progress.

D3. Educate account holders of warning signs of potentially compromised computer systems.

Respond

Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer.

R1. Update incident response plans to include Corporate Account Takeover.

R2. Immediately verify if a suspicious transaction is fraudulent.

R3. Immediately attempt to reverse all suspected fraudulent transactions.

R4. Send a “Fraudulent File Alert” through FedLine.

R5. Immediately notify the receiving bank(s) of the fraudulent transactions and ask them to hold or return the funds.

R6. Implement a contingency plan to recover or suspend any systems suspected of being compromised.

R7. Contact law enforcement and regulatory agencies once the initial recovery efforts have concluded.

R8. Implement procedures for customer relations and documentation of recovery efforts.

Best Practices for Banks

Reducing the Risks of Corporate Account Takeovers

(Developed by the Texas Bankers Electronic Crimes Task Force)

Corporate Account Takeover is a form of business identity theft where cyber thieves gain control of a business’ bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves.

Businesses across the United States have suffered large financial losses from electronic crimes through the banking system. These thefts have ranged from a few thousand to several million dollars. They have occurred in banks of all sizes and locations. And, they may not be covered by the bank’s insurance. Along with the financial impact, there is also a very high level of reputation risk for financial institutions.

Recognizing the importance of having banker developed practices specifically to assist the banking industry, the Conference of State Bank Supervisors (CSBS) and the Financial Services - Information Sharing and Analysis Center (FS-ISAC) have joined with the United States Secret Service (US Secret Service) and Texas Department of Banking to make practices for mitigating the risks of Corporate Account Takeover available to financial institutions nationwide.

The Texas Bankers Electronic Crimes Task Force (Task Force) was formed by the Texas Banking Commissioner in cooperation with the US Secret Service. The Task Force is composed of operational executives from a diverse group of banks in terms of size, complexity, and market environment. Members also include the Independent Bankers Association of Texas, the Texas Bankers Association, and SWACHA. The Texas Department of Banking’s Chief IT Security Examiner serves as a liaison member.

The Task Force developed a list of nineteen processes and controls for reducing the risks of Corporate Account Takeovers. These processes and controls expand upon a three-part risk management framework developed by the FS-ISAC, the US Secret Service, the Federal Bureau of Investigation, and the Internet Crime Complaint Center (IC3)[3]. Fundamentally, a bank should implement processes and controls centered on three core elements: Protect; Detect; and Respond.

The Task Force has also compiled a set of best practices for each of the recommended processes and controls under the Protect, Detect, and Respond framework. These best practices are not an all-inclusive list and are provided as guidance to assist in implementing the nineteen processes and controls needed to reduce the risk of Corporate Account Takeover thefts. The Federal Financial Institutions Examination Council’s (FFIEC) Supplement to Authentication in an Internet Banking Environment[4] (FFIEC Supplemental Guidance), issued on June 28, 2011, conveys minimum expectations which are noted within this document. It is important to remember that electronic crimes are dynamic as cyber criminals continually change their techniques. Additional changes in risk management processes and controls will be necessary as this type of theft continues to evolve.

Supporting Organizations

Conference of State Bank Supervisors (CSBS): CSBS is the nationwide organization of banking regulators from all 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. State banking regulators supervise nearly 5,400 state‐chartered financial institutions. For more than a century, CSBS has given state supervisors a national forum to coordinate supervision of their regulated entities and to develop regulatory policy.

Financial Services – Information Sharing and Analysis Center (FS-ISAC): The FS-ISAC was launched in 1999 by the financial services sector in response to 1998's Presidential Directive 63. That directive mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure. The FS-ISAC is uniquely positioned to quickly disseminate physical and cyber threat alerts and other critical information, including analysis and recommended solutions from industry experts. The Treasury and Department of Homeland Security rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis.

United States Secret Service (US Secret Service): The mission of the US Secret Service is to safeguard the nation’s financial infrastructure and payment systems to preserve the integrity of the economy, and to protect national leaders, visiting heads of state and government, designated sites and National Special Security Events. In 2001 the USA PATRIOT Act mandated the Secret Service to establish and maintain a nationwide network of electronic crime task forces (ECTFs). The goal of the ECTFs is to establish, promote and continue robust public/private partnerships based on the Secret Service’s historic strategic alliances with federal, state and local law enforcement agencies, private industry and academic institutions. The ECTFs respond, confront and suppress cybercrime, malicious uses of cyberspace, and threats to cyber security which endanger the integrity of our nation’s financial payments systems and critical infrastructure.

Texas Department of Banking: With over 100 years of service to the citizens of Texas, the Department of Banking is entrusted with ensuring the safety of the public’s money held by businesses that provide financial services and with ensuring that a competitive financial services system exists. The Department conducts examinations of entities under its supervision to ensure they operate in a safe and sound manner and are in compliance with state and federal laws. The Department’s supervisory authority extends to over 1,178 financial service providers that control approximately $404.2 billion in financial assets as of December 31, 2011.

Overview of Processes and Controls for Reducing the Risks of Corporate Account Takeovers

Protect

Implement processes and controls to protect the financial institution and corporate customers.

P1. Expand the risk assessment to include corporate account takeover.

P2. Rate each customer (or type of customer) that performs online transactions.

P3. Outline to the Board of Directors the Corporate Account Takeover issues.

P4. Communicate basic online security practices for corporate online banking customers.

P5. Implement/Enhance customer security awareness education for retail and high risk business account holders.

P6. Establish bank controls to mitigate risks of corporate accounts being taken over.

P7. Review customer agreements.

P8. Contact your vendors to regularly receive information regarding reducing the risk of Corporate Account Takeovers.

Detect

Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.

D1. Establish automated or manual monitoring systems.

D2. Educate bank employees of warning signs that a theft may be in progress.

D3. Educate account holders of warning signs of potentially compromised computer systems.

Respond

Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer.

R1. Update incident response plans to include Corporate Account Takeover.

R2. Immediately verify if a suspicious transaction is fraudulent.

R3. Immediately attempt to reverse all suspected fraudulent transactions.

R4. Send a “Fraudulent File Alert” through FedLine.

R5. Immediately notify the receiving bank(s) of the fraudulent transactions and ask them to hold or return the funds.

R6. Implement a contingency plan to recover or suspend any systems suspected of being compromised.

R7. Contact law enforcement and regulatory agencies once the initial recovery efforts have concluded.

R8. Implement procedures for customer relations and documentation of recovery efforts.

BEST PRACTICES FOR REDUCING THE RISKS OF

CORPORATE ACCOUNT TAKEOVERS

I.Protect

P1. Expand the risk assessment to incorporate Corporate Account Takeover.

The risk assessment should include risks of Corporate Account Takeovers and be reviewed/updated at least annually for threats and risks related to online payment services. After the risk assessment is updated, an analysis should be made to identify the bank’s existing controls that need to be updated or controls that need to be implemented to achieve compliance with regulatory guidance. A sample Corporate Account Takeover risk assessment is available electronically on the Electronic Crimes Task Force page of the Conference of State Bank Supervisors website,

An effective risk management assessment should:

  1. Define the scope and complexity of the institution’s payment and online banking services, noting any changes since the prior risk assessment;
  2. Identify what functionality is offered or has changed regarding:
     a. Online wire transfers;
     b. Online ACH origination;
     c. Online bill payments;
     d. Delivery channels (such as mobile banking or remote deposit capture);
  3. Assess if transaction limits have been set within the automated system and if those limits are appropriate;
  4. Present a clear understanding of the bank’s:
     a. Customer segmentation (e.g., number of business customers or types of customers adopting online banking) and any changes that have occurred;
     b. Customer utilization of online banking services - type and extent; and
     c. Expected electronic payment volumes (size and frequency of wires and ACH origination files – both the average and peak volumes);
  5. Assess reliance on third-party service providers for electronic payment processing and delivery of online banking services[5];
  6. Determine and assess on-going customer education and training practices;
  7. Identify and assess all “automated pass-through” payment processing activities (e.g. online, real-time instructions for wire/ACH transactions that are automatically passed to the payment system operator, usually the Federal Reserve Bank, for processing or that are automatically passed to a bill payment system) and assess practices for reviewing automated anomaly detection alerts;
  8. Identify and assess manual controls (and/or any automated anomaly detection) used to evaluate transactions that are not automatically sent to the processor;
  9. Determine the ability of corporate customers to correct, update, or change (“uninitiate”) a transaction without further confirmation/authentication of the final transaction’s instruction;
  10. Assess the training and awareness of bank employees that process incoming transfer instructions, as well as the adequacy of staffing for these activities;
  11. Assess the competency of bank staff responsible for sustaining adequate risk management practices related to ever-evolving electronic payment risks, which includes considering available resources such as service providers and security and audit vendors;
  12. Identify the most significant types of fraud being experienced by the industry and the emerging threats;
  13. Evaluate the degree to which IT security training is provided to all employees including bank managers and front line customer contact employees (Is there a strong corporate culture of security?); and
  14. Assess the need for electronic theft insurance. If this type of insurance has been purchased, contact the insurance carrier to determine if there are any required controls. Evaluate compliance with those controls.

P2. Rate each customer (or type of customer) that performs online transactions.

It is important to know the level of risk associated with customers using online banking services and especially to know those customers that are high risk. While the focus of these best practices is on corporate accounts that perform online wire and ACH transactions, any customer with any online transaction capability (including bill payments) should be evaluated for risk. Additionally, the FFIEC Supplemental Guidance applies to both business and consumer accounts. Reviews for risk rating customers should be conducted at least annually and documented. There are many different methods and formats that can be used based on the bank’s size and resources. A bank may choose to simply rate all consumer customers using bill payment services with low transaction amounts and a low volume limit at a lower risk category than corporate customers. Another option would be to rate as high risk all corporate customers with certain online capabilities. In this case, “individually documented” reviews to determine the risk rating of each customer would not be necessary. However, banks with a moderate or small number of corporate customers may choose to rate their customers individually.