Typically, the fraud involves malicious computer software that enables a hacker to attack a small business that has an on-line checking account with its bank. The intruder gains access to the business computer or the bank’s computer, obtains the user ID and password, and then sends multiple wire transfer orders from the victim’s checking account, payable to accounts at other distant U.S. banks; those involved in the fraud quickly wire the funds to a foreign bank for deposit into a customer account. The cash transfer amounts are less than the $10,000 Bank Secrecy Act currency transaction reporting requirement and thus are not reported to the Department of the Treasury by the banks involved in the transactions. According to the FBI, losses range from thousands to millions of dollars. As mentioned above, the involved banks may deny financial responsibility, citing UCC4A as a defense.
FBI analysis has found that, in many cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions. The bank account holders are often small to medium-sized businesses across the United States, court systems, school districts, and other public institutions. Most of the fraud victims used single-factor authentication for their Internet banking. The Federal Financial Institutions Examination Council (FFIEC) has twice cautioned banks (2001 and 2005) that single-factor authentication, as the only control mechanism, is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Recently, I was engaged as a bank security expert by the Western Beaver County School District, PA, to assist the district’s law firm, Buchanan Ingersoll & Rooney, in a civil action against the district’s bank and the recovery of lost taxpayer funds of over $700,000 wire transferred to Eastern Europe. The bank used UCC4A, among others, as a defense (the law firm has subsequently reached a favorable settlement for the school district).
During the summer of 2010, I brought this growing fraud problem against small businesses (including the Western Beaver matter) to the attention of Senator Bob Corker and his banking legislative assistant and, through the latter’s introduction, to a senior staff member at the Federal Reserve Board; both agreed that, first, in the immediate future business and government need to become aware of the financial risks involved in single-factor authentication wire transfer activity and, second, some form of governmental regulation may be necessary.
Recently, I reviewed the Treasury Department’s rulemaking notice to modify 31 CFR Part 103 that would require banks and money transmitters to report certain cross-border electronic transmittals of funds (CBETFs). Specifically, banks acting as the last-out financial institution for CBETF requests from U.S. customers’ accounts to a cross-border bank, with instructions to deposit the funds into a customer’s account at a foreign bank, must report these CBETFs to the Treasury Department. I support this proposed rule change; however, it does not prevent the transfer of fraudulently obtained funds as described in paragraph three above, since by the time a report is received by law enforcement, the funds are gone and non-recoverable.
Law enforcement sources believe some of the stolen funds are being used to finance terrorism directed against the U.S. – how repugnant destroying American business and using taxpayer money to support Al Qaeda!
My white paper entitled Wire Transfer Fraud Alert published by ASIS International for businesses and government entities articulates in more detail the problem and addresses risks associated with wire transfer and procedures to mitigate the risks (see link below).
The public, especially small businesses, needs to be aware of the risks involved in Internet banking, and especially the use of single-factor authentication for wire transfer activity.
ABOUT THE AUTHOR: Richard F. Cross, CPP
As a consultant, engaged to conduct security audits, develop security policy and procedures for over 50 clients, and engaged to assist in over 150 litigation matters for defendant banks and/or plaintiffs. At The Bank of New York, VP Director of Corporate Security developed and implemented the bank’s security, anti-money laundering investigative programs.
Education and Training:
• American University, Bachelor of Arts
• Washington College of Law
• University of Wisconsin, School for Bank Administration, Diploma
• Author, Bank Security Desk Reference, Branch Security Reference and Training Manual, NAFCU’s Security Manual for Credit Unions
• ASIS International (ASIS), Member and Past President
• Professional Certification Board of ASIS International CPP, and Past President
• Association of Former Intelligence Officers, Member
• Tellico Consultants Alliance, Member
Copyright Richard F. Cross
Wire Transfer Fraud
By Richard F. Cross Bank and ATM Security Expert Witness and Litigation Support Services
Call Richard F. Cross, CPP at (865) 458-8946
Small businesses are being victimized by wire transfer fraud that involves substantial financial losses to the victims. The victims’ banks have denied responsibility citing UCC4A as a defense. Case law needs to affirm a bank’s financial responsibility for customer losses from Internet fraud where either the bank’s security procedures are not commercially reasonable or the bank failed to recommend commercially reasonable security procedures and controls to its Internet banking customer.
While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.