Could Fraudsters Take Down Your Bank?

Amid the throng of financial sector failures this year, one sad story stands out. The demise of Dwelling House Savings and Loan, a venerable minority-owned institution in Pittsburgh, came not as a result of the usual bad mortgage deals, but after cyberthieves siphoned off some $3 million to $4 million via fraudulent automated clearing house (ACH) transactions over more than a year. Federal regulators seized the S&L in August and turned its operations over to PNC Bank.

Now, to be sure, this was a small institution; PNC took over less than $14 million in deposits. Still, this was a sad end to Dwelling House's proud history -- nearly 120 years of independence and community service down the tubes, just like that, because it failed to defend itself against a bunch of tech-savvy criminals.

Think it couldn't happen to a larger bank?

Barry Barretta, principal with consulting firm Treasury Strategies, is convinced it's only a matter of time. Fraud risk is at an unprecedented high in the financial services industry, he says, for three reasons: First, there's the economic background; in tough times, fraud perpetrators have more incentive than ever to do bad things. Second, Barretta points to the ongoing distress in the banking industry: "Because banks are just barely keeping the doors open, they don't have money to be investing in sophisticated fraud control systems and risk management staff to stay ahead of what the fraudsters are doing."

Third, law enforcement lacks the tools to keep up with the technology that's being deployed by fraudsters today.

Internet bank fraud perpetrators have moved way beyond phishing. For years they've concentrated on getting people hired on the inside so that they can reverse-engineer how payment systems work, and now they're starting to put that knowledge to use, notes Barretta. They're investing in sleeper accounts that enable them to study the timing of credits and debits and observe how money moves across the payment infrastructure. And they're making their decisions based on a longer investment horizon than the institutions they're targeting.

A survey of financial services firms published in Kroll's 2009/2010 Global Fraud Report suggests banks are indeed losing ground in the battle to keep fraud attacks in check. Eighty-seven percent of the firms polled had suffered fraud loss in the past three years. Even more disturbingly, 86 percent reported that their exposure increased in that period.

Blake Coppotelli, senior managing director in the New York office of Kroll's business intelligence and investigations division and head of the firm's real estate integrity services practice, says he's seen an "explosion" of fraud cases in the financial industry. Because banks' transactions involve a much broader sector of the business community than most companies, they're at risk for just about every type of fraud that can be committed, he points out. "What we're seeing is a move toward more complex, sophisticated, global types of fraud. The impact is greater, and it does have the potential to take down a company, not only from the reputational risk perspective, but also from the enforcement risk perspective."

Banks should carefully assess their vulnerabilities, Coppotelli adds. "They really have to make sure they're aware of the legal consequences of not having an effective compliance program, a solid ethics policy, and the ability to understand their risks, internal as well as external, by market and geography, for each specific business opportunity."

For corporates, job one is to put their own house in order, says Barretta. That means putting into effect all of the fraud protection systems their banks and software systems vendors offer. Many companies like to compensate their banking partners through their balances, rather than paying fees, but in the current low interest-rate environment balances don't go as far as they used to in terms of buying services. It's important to resist the temptation to skimp on anti-fraud services.

In addition, says Barretta, companies should be proactive and "start to raise the profile of the risk in discussions with their banks," for example by asking what types of anti-fraud mechanisms they have in place and how they manage fraud attempts.