ACH Fraud: More Education Needed

Victim Says Businesses Need More Fraud Training from Banks Tracy Kitten (FraudBlogger) • November 21, 2011

After more than $545,000 in ACH transactions in May 2009 was moved from a commercial bank account with the former Ocean Bank, PATCO Construction Inc. leaders learned the hard way that losses associated with account takeover are not always covered by the bank. In fact, most losses associated with ACH-related fraud aren't covered for small business accounts; the fraud usually results from a breach suffered by the business, not the bank.

But for Mark Patterson, co-owner of the Maine-based PATCO, that revelation was a shock. He, like many small business owners, just assumed losses associated with fraudulent transactions would be covered by the bank.

Patterson shares details about his corporate account takeover incident during a podcast interview with BankInfoSecurity.com. [Listen to the podcast interview.]

"The bank basically said, 'This is your problem,'" he says. "We were able to claw back a little over $200,000, so our total loss was $345,000." But the financial loss was still devastating.

PATCO is a small residential and commercial construction company. With only 22 employees, most members of PATCO's workforce share responsibilities and wear many hats. Identifying when or how an online breach could and might occur is not something in which PATCO specializes. And Patterson says he doubts most small businesses have a handle on how vulnerable they are to online phishing attacks, such as those waged by Zeus and other keyloggers.

FFIEC Guidance: It Doesn't Do Enough

As the Federal Financial Institutions Examination Council's updated online authentication guidance takes effect Jan. 1, Patterson says financial institutions are making changes to ensure stronger online security for commercial customers. But the guidance does not go far enough.

"The FFIEC guidance is just a restatement of what banks should already have been doing," he says. "They're not really expanding it at all."

Until banks are held legally liable and accountable for losses suffered after incidents of ACH and wire fraud, security won't improve, Patterson argues. Financial institutions have strong fraud-detection systems and mechanisms for consumer retail accounts. Because they are required under Regulation E to reimburse consumers who suffer losses associated with account takeover, Patterson says banks have the ability to detect fraud for commercial accounts, too. "The banks already have that software and it's being used," he says. "They have to protect consumers ... and the banks do a very good job of that."

PATCO remains at legal odds with Peoples United, which acquired Ocean Bank shortly after the PATCO breach. PATCO is now appealing a ruling handed down by a magistrate earlier this year that found the bank's fraud-detection systems at the time of the takeover were commercially reasonable.

Patterson says the legal process has been long and drawn out. But ultimately, he hopes his case raises awareness - an area he says remains in need of improvement.

"I think the banks should sit down with the business owners when they open an account and say, 'This is what the potential loss can be if someone compromises your computer,'" Patterson says. "They really need to understand the agreement they sign with the bank, and that they are not necessarily protected if the account is breached."

Fewer incidents of ACH-related fraud garner headlines these days, but Patterson says corporate account takeovers still happen, and oftentimes go unreported. "What's the total number of losses that are occurring right now? I'm not sure anybody has that number," he says. "I just don't think small businesses know the threat that's out there."