- Corporate Account Takovers
- ATMs and the ADA
- Q&As on Getting Rid of Customer Property
- Foreign Remittance Transfer Rule to Change – Again
- FDIC Guidance on the Scheduled End of Unlimited Deposit Coverage
- MRAPLA Disclosures Postponement
- Reg Z’s Exemption Threshold Goes Up Again
Corporate Account Takeovers
Corporate Account Takeover (CATO) is costing banks big bucks. As banks encourage Internet banking and other forms of electronic banking, they know that consumers are protected from unauthorized transfers under Regulation E. If the compliance officer is asked if these protections extend to commercial accounts, the answer will be no. While that’s true, it is not the complete answer. UCC Article 4A will apply just because the transfers will NOT be covered by Regulation E and the Electronic Fund Transfer Act. Many banks have taken the position that if a commercial customer has agreed to the basic terms of an account which include electronic banking and multifactor authentication, the banks are compliant with all the regulations and will not suffer any losses. Various court cases and settlements in the news have proved that isn’t true.
The most recent case in the news is PATCO v Ocean Bank. In this case, the accounts for PATCO were taken over after PATCO computers were compromised by a trojan horse or similar malware, and funds were transferred out of the account. $588,000 was taken in 2009. The bank recovered $244,000 early on and told PATCO that it was PATCO’s error that lead to the loss, and that PATCO would suffer that loss alone. After three years of what had to be costly litigation on both sides, the bank is paying PATCO for the loss. There are lessons to be learned here for other banks.
Compliance officers are accustomed to addressing risk and that is what needs to be done here. Compliance is uniquely qualified to assist in or manage the CATO Policy and Procedures because compliance has a familiarity with the deposit agreements, electronic transfers, electronic security processes and claims for unauthorized transfers.
A bank should have a plan similar to a disaster management program in place to address corporate account takeovers in advance of a situation arising, and such a plan can fit neatly into the bank’s overall risk management program. Like eating an elephant, this has to be done one bite at a time. Following a program established by the Texas Bankers Electronic Crimes Task Force, the bank can break the task into three segments to better prevent these takeovers, become aware of them sooner when they do happen, and be able to react quickly to minimize any loss. Remember, the dollars saved from the CATO hackers may well be your own.
Protection
The first part of the plan deals with Protection. Add an entry in the risk management program for CATO. Review the customers who use Internet banking and risk-rate them. Consider the dollars at risk, the type of business, levels of technology used and the customer’s expertise in computer security. Is this simply another way for the commercial customer to bank, or are they serious about protecting their money, with dual controls in place for authorization when transfers are made, regular checks of their accounts, malware awareness and protection for their computers, Internet security training for employees, etc. These and more factors can be tailored to your customer base and your risk rating system.
Train all your Internet banking customers on the security basics like protecting confidential information, use of strong passwords, and the need for immediate contact with the bank if there is a question about a transfer. And train your higher-risk customers to dedicate a computer to banking – use it for no other web surfing, no email use and not to attach thumb drives or other peripherals to it which could lead to a malware infection.
Establish controls within the bank to mitigate the risks of CATO. Establish a team of employees who are familiar with the higher-risk accounts. When unusual transactions are requested, based on a dollar amount, the number of transfers, or the frequency and destination (such as twice monthly payroll for a company was last week, but there is a batch request again this week, or a concrete company suddenly wiring money to Moscow) is there a process or software system that will raise red flags? We have seen many cases where the customer suing the bank brings up their record of transfers. Experi-Metal Inc. is one example. In two years it had completed two wires from its account. When there were almost 100 in just a couple of hours, this was unusual, and the court agreed. $560,000 was lost in that case. Does the bank have an agreement to verify these unusual ("out-of-band" is the technical term) transfers directly with the customer? That is, the bank used something other than the computer verification to authorize the transfer such as a telephone call to the company CFO. Is there a pay or no pay agreement if that verification can’t be received? One customer was to receive text messages whenever a transfer went out of the bank account. The hackers/thieves knew this, knew the cell number, and bombarded it with spam text messages when they initiated the bank transfer. The customer turned off his device not realizing a confirmation was incoming. The bank transferred the funds since there was no objection.
In the end, the bank and the customer have to agree on who makes the final call when a transfer request is made, and how it is verified. Under UCC 4A, the bank must have an agreement with the customer stating the security precautions it will take. These precautions must be “commercially reasonable” which is both subjective and subject to change. And these precautions must be followed. When they aren’t, the bank has accepted undue risk under 4A.
The compliance department should review the bank’s agreement with the customer, noting some of the points above, and the bank’s procedures should be reviewed. Are they timely, effective against current threats, and being followed? Does the agreement assign liability for transfers not in accordance with the agreement, are there security requirements placed on the customer that will assist in preventing CATO, and does the agreement call for a forensics exam of the computer if there is a takeover? In some instances banks have agreed to pay “reasonable” claims when the customers agree to an independent exam so the bank can better analyze what happened. Liability might then be assigned based on the analysis, in whole or in part.
The bank should work with vendors to regularly receive updated security information. What are the current threats, where are they coming from, what can prevent them, etc?
Detection
The second part of this new program is detection. Bank employees need to be educated on the warning signs of a CATO. Employees need to understand they are not there just to carry out the wire transfer request because the person requesting it was able to log on to the system and must therefore be authorized. This applies to both sending and receiving transfers. A few months ago the City of Burlington, WA, a town of 8400, had $400,000 transferred out of its account at a local bank. The funds were sent to money mules at an east coast bank. That bank called the City and asked about these unusual incoming wires. That was when the first red flag was raised and anyone other than the hacker knew money was stolen. It wasn’t the customer missing the money, nor the bank which wired the funds. This was likely the first time funds in this amount went to the other side of the country. If you were on a jury, would you consider this unusual?
Customers also need to be educated about CATO. They need to be taught to look at their balances regularly. Because employees take vacations, have sick days, and may have extended periods away from those accounts, there needs to be a back up person who checks the account, even when the office is closed for something like a school system vacation. When it is known a key person will be gone, the account is more vulnerable. Customers need to recognize when a balance appears low and to review debits that don’t look familiar. If multiple employees have the ability to work out of these accounts, this is more critical. Employees need to be aware of suspicious emails like a past due invoice, a court notice, or a notice about a missed UPS package for example. They could have attachments that could actually carry malware and load a keylogger on the business’s computer or subject them to a man-in-the-middle type attack. Hackers have many ways to invade a computers. This of course supports the idea of the bank communicating with vendors, getting the latest threats, and passing this information to customers directly or through social media.
Preparing the Response
The third component to the program is preparing your response plan. When transactions appear suspicious the bank has to react immediately. Call, text, email, do whatever needs to be done to verify with the customer that the “unusual” transfers are or are not authorized. If the bank can’t complete a verification, does the agreement say to complete or not complete the transfer? If unauthorized transfers were made, the bank has to react immediately. At this point you should be counting the minutes; in hours the money is gone. These transfers are often made shortly before the receiving bank closes so the money mule can make the withdrawal and your bank has a short window to recall the funds with anyone at the receiving bank. Striking at the beginning of a weekend also means your bank will have fewer employees available to respond. The employees, and there should be several, need to prioritize the recall of funds. Where did the most money go – call those banks first. Use the FedLine and send a Fraudulent File Alert.
The receiving banks need to be notified immediately to hold and/or return the funds. They may require a letter of indemnification and your bank has to have this ready to be completed and sent. While this is being done another employee has to freeze the accounts at your bank which appear compromised. Absolutely do not process any other transactions which are not confirmed. In the Experi-Metal case, 47 wires were sent in three and half hours to China, Estonia, Finland, Russia and Scotland. The bank called these to the attention of the customer, but then sent 38 more over the next three hours. Some banks would send an email to confirm a transfer. In the case of Green Ford Sales an email confirmation was sent to the same computer that was infected with malware. The intended recipient never received the email, but the hacker controlling the computer did. Green Ford has now changed how they bank. Email confirmations are sent to a different email address for a person at a different computer. Green Ford’s accounts are flagged to not allow ACH transfers. On paydays, the customer calls the bank and authorizes the batch payroll ACH, and as soon as it is complete they call the bank again and ACH is turned off.
Now that transfers have been recalled and no other transfers can occur, it is time to contact your bank’s regulator and law enforcement. You should have a good idea of how much was taken, where it went, and what has already been recovered. Then document your recovery efforts and prepare whoever is designated to respond to the press. There may be questions and the bank needs to have a qualified response.
In the PATCO case $344,000 remained unrecovered. The customer offered to settle with the bank and accept part of that loss. The bank refused and after three years of litigation costs paid the full amount plus interest to the customer. The bank initially won in a lower court, but the U.S. Court of Appeals judge that heard the case sent it back to a lower court saying the security measures were not commercially reasonable and while the judge left open which party was liable for what amounts, he urged the bank to settle, which it did. In the Experi-Metal case the judge said the bank didn’t act in good faith. The bank was aware there were problems but allowed them to continue. Village View had $465,000 taken from its account. While there were problems at the customer’s business, there were 26 consecutive wire transfers from Village View’s accounts to 20 individuals around the world who had no legitimate or previous business with them. Email verification procedures were defeated. The customer said prior transfers which were far less suspicious had been stopped when there was no email verification in the past. Why were these allowed? The bank repaid Village View the full amount of its loss plus interest. There are many examples where banks lost these cases but initially felt secure in the position they took. In the case of small losses, the customer may not believe it can afford to fight the bank. But the banks still lose in these cases. Preparation can recover funds, avoid losses and retain customers.
This program will work well with the FFIEC processes you already follow. It is as flexible as you want it to be and can be expanded and contracted to best meet your needs.
ATMs and the ADA
There are two sets of guidelines released through the Department of Justice on compliance with the Americans with Disabilities Act, one from 2004 and another from 2010. These 2010 guidelines were effective March 15, 2012, and they include the earlier issuance, plus stringent new requirements for a bank’s ATMs. Vendors were not able to retrofit all of the ATMs in the time required, regardless of what banks did to comply. As a result there was a fear of litigation for noncompliance and for some banks it became a reality.
Since March 15, 2012, Bruce Carlson of Carlson Lynch LTD has reportedly filed 19 class action suits on behalf of a Texas woman, Victoria Gilkerson, and 20 similar suits on behalf of a Pennsylvania man, Robert Jahoda, for noncompliance with the ADA. Both Gilkerson and Jahoda are legally blind. It may seem like these serial plaintiffs are seeking out instances of noncompliance such as was seen in the past with fee notices required under Reg E to be posted on ATMs.
Gilkerson had her ATM card in hand and had her driver take her to various ATMs which she tested for accessibility compliance. The lawsuits against various ATM owners are a result of her tests. Jahoda appears to have followed a similar path. In several of the Jahoda cases the ATM owners (banks and credit unions) have settled the cases. The bank or credit union promises to upgrade the ATM within a specified time, pays no damages, but does pay tens of thousands of dollars in legal fees.
A judge has dismissed one of the Pennsylvania cases. The defendant credit union showed that Jahoda lived 54 miles from that ATM and he could therefore not prove that he was injured by not being able to use that particular machine. There were many more that were conveniently located to him that he could use. In Texas one or more of these cases were similarly dismissed. The court noted that Gilkerson lived between 7 and 20 miles from the ATMs cited in her suit, she was not a customer of the banks owning them, and she had no history of using them in the past. These were not the most conveniently placed ATMs for her use and like Jahoda, she was not truly injured because she couldn’t use them.
Had these ATMs been closer to the plaintiffs’ workplaces or homes, these cases could have had less favorable outcomes for the banks.
Compliance with the rules, their spirit and intent is certainly what every bank should strive for. But there are business decisions that a bank has to make when lawsuits are brought. It is not always necessary to reach an immediate settlement. Curing the problem is the right thing to do, not rushing to the checkbook.
Attorney Carlson’s name may be familiar because he has also recently filed suits against two Pennsylvania banks, Citizens Bank of Pennsylvania and PNC Bank, in federal court for improper, rather than missing, ATM fee notices. He maintains the notices are not in "a prominent and conspicuous location on or at the machine." In a prior case (Brown v. Wells Fargo) the court found that Reg E fee notices were not prominent and conspicuous as required by § 1005.16(c). As you complete maintenance and inspections at your ATMs, this is yet one more thing to review.
By Pauli D. Loeffler
Q&As on Getting Rid of Customer Property
At this time of gift giving, we are all thinking of getting rid of useless items in order to make room for new stuff we will be receiving. The two Q & As here seem to pop up with some frequency at regular intervals. Both involve customer property that the bank wants to get rid of. The first question deals with items left in repossessed vehicles, and the second addresses a situation where the new safe deposit box affidavit allowing the transfer of the contents to the heirs cannot be used.
Q: Can you tell me where to find out how long we have to keep contents of a car we repossessed?
A: I presume the bank repossessed the car rather than accepted it as a surrender under which you waived any rights to a deficiency judgment. This provides you with a choice based on what was left in the vehicle. If you have an expensive set of tools not used in the customer’s trade, an air compressor to inflate tires that uses the cigarette lighter, DVD/game players that are not built into the seats, or similar items, you may want to file an execution on the deficiency, provide notice as required by statute, and sell the items of property.
If you don’t have a deficiency or the items (such as clothing) are exempt from sale, or aren’t worth the cost of sale, then what? Unless the customer has affirmatively said: “You can keep what’s left in the car,” I suggest that the bank contact the customer and request that he pick up his property within 10 business days of receipt of the letter. If he fails to do so, you could keep sending letters at intervals. You may state that you will impose a storage charge, but that does imply a higher duty of safekeeping.
As the days pass into weeks, and the weeks pass into months, you will wonder how long you must keep the property. If the bank disposes of the property other than by a forced sale after proper notices, it will be liable for conversion if it throws the property away, sells it or donates it. The statute of limitations for bringing a suit for conversion is two years, plus the property is presumably subject to the laws for unclaimed property and will be treated the same as the contents of a safe deposit box. I say “presumably” since there is nothing in the statutes or administrative rules that directly covers this situation.
A bank is a “holder” by definition under Title 60 O.S. Section 651 and the following State Treasurer’s Rules found in the Administrative Code:
735:80-1-2: "Holder" means any person, partnership, corporation, or any other form of legal or commercial entity who has filed or is required to file an unclaimed property report(s) with the Treasurer under the Uniform Unclaimed Property Act.
735:80-3-1: (a) Annually a holder must file a verified report of unclaimed property. If a holder has no property that is reportable, a negative report (a report or a letter stating no property is reportable) is encouraged. Report forms may be obtained from OST.
An Addendum to the Oklahoma State Treasurer’s Report of Unclaimed Property Verification and Checklist found at this link http://www.ok.gov/treasurer/documents/Verification%20Checklist’.pdf under the category Safe Deposit Boxes and Safekeeping includes a line with Code SD03 for Other Tangible Property that has a 5 year abandonment period. Your first letter to the customer will mark the start of the abandonment period.
Q: We have the following situation and would like to know how to handle it:
We have a safe deposit box where the individuals authorized to enter the box were a husband, wife, and their daughter. All authorized parties are now deceased. No one has entered the box since 1998. The annual box rent has been automatically debited from the deceased husband and wife’s account each year. This year the account will go negative when the box rent is debited which is what prompted this question. The deceased daughter was married and her husband has asked to enter and close the box. Also, there is a living daughter (of the husband and wife) that has asked to do the same. We presume there was no estate for the husband and wife. Do you have any advice on how to close the box or is there a way to give permission to enter the box?
A: I am going to presume that the last surviving renter died sometime before November 1, 2012, so we can’t use the new affidavit found in Tit. 6 O.S. Sec. 906. Auto-debiting of an account causes plenty of problems establishing abandonment when the bank does not know the renter is deceased, but it should have ceased immediately after the bank knew of the death of the last parent (the parent’s account was being charged). The money in the account should have gone to the heirs, either the two daughters, or the living daughter and the children of the deceased daughter if any, if she predeceased her parents. I presume the deceased daughter died before both her parents.
All that being said, both the living daughter and the husband of the deceased daughter have the right to search the box for a will, trust or insurance policies under Tit. 6 O.S. 1308 — the daughter for those items with respect to the parents and the husband with respect to the deceased daughter. I suppose it is too much to hope that the surviving daughter or the husband actually has a key to the box, so there will be drilling charges.
If there is nothing in the box, this is all well and good, but if there is, then you could have the heirs fill out an affidavit of heirs under Tit. 58 O.S. Sec. 393, if the last renter’s net estate was $20,000 or less and there was no probate. Who the heirs are will depend on who was the last living renter. If it was one of the parents, it will be the living daughter and any children of the deceased daughter just like for the account. If it was the deceased daughter, then the husband and any children would be the heirs with regard to the box. The other daughter would NOT be an heir on the box unless there was a will naming her as an heir.
If you suspect there is going to be a fight about who is entitled to the contents, you may simply stop the auto pay, follow the procedures for non-payment of rent found in Tit. 6 O.S. Sec. 1301, give notice to whoever was the last living renter, drill the box, and if there is anything in the box, ask the Oklahoma Treasurer to accept the contents early. The heirs can claim the contents through the unclaimed property procedures of the Treasurer.
If you have to drill the box, the heir(s) to the funds in the account may not be particularly happy since the auto debit should have ceased on death of the last owner on the account. If the person is also an heir to the box, and the parents have been dead for some time, you might think consider waiving the drilling fee.
By John S. Burnett
Foreign Remittance Transfer Rule to Change – Again
Maybe the CFPB blinked.
In mid-October, when the Bureau conducted a webinar on the Foreign Remittance Transfer Rule, Director Cordray offered financial institutions a glimmer of hope when he said that the Bureau understood industry concerns about one of the Rule’s more controversial provisions – one that would make providers responsible when funds fail to be delivered or go astray due to erroneous recipient account or routing information supplied by senders. Mr. Cordray said the Bureau expected "to take action to address those concerns shortly." On November 20, the Federal Home Loan Bank of New York, a high volume provider of international wire transfers, announced that, "as a result of the uncertainty posed by provisions of the [Dodd-Frank Act] and [the Remittance Transfers Rules issued by the Bureau], it plans to stop processing international wire transfers for its members on December 31, 2012."
Just one week after the FHLBNY announcement, the Bureau issued a bulletin announcing its intention to propose further amendments to the Rule that will change the way the rule applies to situations in which a sender provides an incorrect recipient account number which results in a transfer being deposited to the wrong account. Under the proposal the remittance transfer provider (a bank, for example) would be required to attempt to recover the funds but would not be liable for the funds if the attempt is unsuccessful.
Two other changes are also intended, according to the Bureau’s bulletin. One will allow remittance transfer providers to use published bank fee schedules when making disclosures of third party fees, and will provide additional guidance on foreign tax disclosures. The other will limit those foreign tax disclosures to taxes imposed at the national level, eliminating concerns about regional, tribal or other non-national taxes affecting net remittance amounts.
Finally, the Bureau said it intends to "fast track" the amendment through the proposal and final rule steps, but extend the effective date of the rule beyond the current February 7, 2013 date to all a full 90 days for final implementation after the publication of the final rule making these changes, which would, according to the Bureau, move the effective date for the Foreign Remittance Transfer Rule to late spring of 2013.
FDIC Guidance on the Scheduled End of Unlimited Deposit Coverage
In spite of various attempts to prod a lame-duck Congress to approve a two-year extension of the December 31, 2012, sunset of the unlimited deposit insurance coverage provisions for non-interest bearing transaction accounts and IOLTAs ("NIBTAs"), the FDIC wants banks to prepare for the deadline under the assumption that Congress won’t act.
In its FIL-45-2012, issued on November 5, the FDIC reminded insured depository institutions of the scheduled end of the special coverage mandated by section 343 of the Dodd-Frank Act, and encouraged institutions to take three steps to ensure that depositors are informed of the change in coverage and not confused by information about the temporary program.
1. Notify NIBTA customers adequate advance notice in writing that the temporary coverage is scheduled to expire on 12/31/12, and thereafter the FDIC will insure NIBTAs up to $250,000 per depositor.
2. Remove from all offices and websites the "Notice of Changes in Temporary FDIC Insurance Coverage for Transaction Accounts" required by FDIC rules at 12 CFR § 330.16(c)(1). This should be done before the opening of business on January 2, 2013 (January 1 for any bank open on that day).
3. Review NIBTA account agreements and related disclosure statement, and modify as necessary to reflect accurately deposit coverage on and after January 1, 2013.
The notices in item #1 are not mandated by law or by regulation. However, institutions are encouraged to provide the notices to reduce the potential for misunderstandings about deposit insurance coverage. The FDIC included two model notices that may be used (or adapted for use); comments in BankersOnline’s Bankers’ Threads suggest that even the shorter of the two models may be too long for many banks’ statement notice character limits. If you start with the model notice language, you may need to pick out the important information, and chop away at some of the rest of the verbiage.
Many banks will have provided their notices by the time this article goes to press. Others may be delaying in the hope that Congress will pass an extension at the eleventh hour. We share your frustration with the fact that it’s impossible to know exactly what will happen. Whatever your bank’s decision, one thing that all banks will have to do is TRAIN, TRAIN, TRAIN their tellers, new accounts staff and other customer-facing staff members, including any call center employees, about this important change (or the fact that it has been postponed for a couple of years).
Also make very certain that any customer information that refers to the temporary coverage can be quickly replaced (item 3 in the list above) and that any scripts used by customer contact personnel can be quickly revised to ensure the outdated information is taken out.
MRAPLA Disclosures Postponement
Many of the most difficult changes being made by the CFPB are required by Dodd-Frank Title XIV, also known as the "Mortgage Reform and Anti-Predatory Lending Act," or MRAPLA. Among the significant changes included in MRAPLA are amendments to TILA and RESPA that add many new disclosure requirements for residential mortgage loans. MRAPLA has an automatic default effective date of January 21, 2013, unless the CFBP has issued final implementing regulations by that date. Without implementing regulations, the MRAPLA changes would wreak havoc.
In another section of the DFA, the CFPB is charged with devising new disclosure requirements to integrate or combine TILA and RESPA early disclosure and loan closing disclosures. That effort is well underway, but it does not have a "drop dead" date in the law like the MRAPLA deadline.
Many of the disclosures being added or changed by MRAPLA would be included in the integrated disclosures to be finalized by the CFPB, but those integrated disclosures won’t be in final form by the MRAPLA January 21, 2013, deadline. Thus the conflict faced by the CFPB.
The CFPB has deftly handled the problem by issuing a final rule that very concisely says that no one will be required to comply with the requirements of specified new disclosure provisions of TILA and one optional disclosure under RESPA. The final rule negates the January 21, 2013, deadline in MRAPLA for those specific requirements only. The Bureau intends to issue final rules implementing other substantive MRAPLA changes before the January deadline.
The Bureau has also said that the specified disclosure provisions will be reactivated/finalized in connection with its final rule implementing the early and closing integrated RESPA and TILA disclosures, sometime in 2013, so that all of those disclosure changes can be implemented at one time.
Here’s a list of the delayed TILA and RESPA provisions:
TILA §§
• 128(a)(16) – Disclosures of monthly payment, including escrow, at initial and fully-indexed rate for variable-rate residential mortgage loan transactions.
• 128(a)(17) – Disclosure of aggregate amount of settlement charges, amount of charges included in the loan and the amount of such charges the borrower must pay at closing, the approximate amount of the wholesale rate of funds, and the aggregate amount of other fees or required payments in connection with a residential mortgage loan.
• 128(a)(18) – Disclosure of aggregate amount of mortgage originator fees and the amount of fees paid by the consumer and the creditor.
• 128(a)(19) – Disclosure of total interest as a percentage of principal.
• 128(b)(4) – Repayment analysis disclosure to include amount of escrow payments for taxes and insurance.
• 129C(f)(1) – Warning regarding negative amortization features.
• 129C(g)(2) and (3) – Disclosure of State law anti-deficiency protections.
• 129C(h) – Disclosure regarding creditor’s partial payment policy prior to consummation, and, for new creditors, after consummation.
• 129D(h) – Disclosure regarding mandatory escrow or impound accounts.
• 129D(j)(1)(A) – Disclosure prior to consummation regarding waiver of escrow in connection with the transaction.
• 129D(j)(1)(B) – Disclosure regarding cancellation of escrow after consummation.
RESPA §
• 4(c) – Optional disclosure of appraisal management company fees.
Reg Z’s Exemption Threshold Goes Up Again
Yet another of the many effects of the Dodd-Frank Act is the updating of the TILA exemption dollar threshold for certain exempt consumer credit transactions. The old $25,000 threshold that had existed for decades was doubled to $50,000 and immediately tied to an "inflation adjustment" requirement. The Bureau, on November 21, published the amount of the adjusted threshold amount for calendar year 2013: $53,000. Extensions of credit greater than $53,000 made in 2013 that are not secured by real property or a principal dwelling, and are not private education loans, are not subject to TILA and Regulation Z. That dollar threshold amount is subject to adjustment annually.