In all remote merchant services (RDC, remote ACH, remote wire origination, etc.) there are three main parties responsible for securing the transaction:
- The Financial Institution
- The vendor that supplies and supports the hardware/software components
- The merchant (customer)
Each party has a role to play in keeping the transaction secure from end-to-end. The FI conducts pre-installation site visits, drafts strong contracts, and conducts post-installation training. The vendor provides secure software with various built-in reporting metrics. And the customer, at a minimum, agrees to the terms of the contract (and ideally, has a basic understanding of data security). Yet with all these elements in place, corporate account take-overs are still occurring, and with increasing regularity.
Most financial institutions rely heavily on the vendor that supplies the software to adequately secure the transaction from end-to-end. But in an interview on BankInfoSecurity, an anonymous bank CEO described his experience with a recent account takeover at his institution. He, like many community bankers, uses his core vendor to provide remote electronic services. At first, the core vendor was very involved in the forensic phase of the investigation, but that changed. He said that although he was grateful for the assistance of the vendor initially, he was “very unhappy with the attitude of management once (the Bank) told them they were being sued”. He goes on to say that at that point, they were no longer able to speak with anyone but the vendor’s legal department.
There are two lessons here. The first is that the Bank may have relied too heavily on the vendor for security, essentially mis-assessing the residual risk. The second is that once the vendor sensed that they might be drawn into the lawsuit, they changed from being a partner in the remediation process to being an adversary.
What do your vendor contracts for remote electronic services stipulate, particularly if an incident occurs? Will they be at your side throughout the entire process? Make sure your risk assessment correctly measures where your vendor’s responsibility ends (contractually) and yours begins. One thing is certain: regardless of how the responsibility is split, if the merchant prevails in court, the Bank will be 100% liable for the loss.