How SAC FCU Is Mitigating Risk In Small Biz ACH

BELLEVUE, Neb. - SAC FCU here is preparing to allow small business members to conduct the riskiest of transactions online: high-volume ACH and wire transfers.

"Small businesses do hundreds or thousands of pull transactions per month, introducing significantly more risk than your average member," said Roger Kipe, VP-IT at the $561-million credit union. "If a fraudster managed to get past our layered Internet banking security and steal the account, he could use ACH to transfer out that money."

SAC will address that risk, and comply with FFIEC guidelines, by employing behavior analytics software to detect suspicious activity when it turns on the transfer functionality later this year, said Kipe. The software models multiple elements of member and transaction behavior in real time.

"If the member logs in from a location that's out of the norm, or if the transaction amount is usually $10,000 but this month it's $50,000, the software halts the transaction processing and sends us an alert," he explained. "We'll catch the fraudulent transaction because it's different."

One-time passwords (OTP) will strengthen authentication for ACH and wire transactions, he continued. When the member business initiates a high-risk transaction, the Internet banking system can send a text message with an OTP to the member's token fob (provided by SAC) or smartphone application. The member enters the password on-screen to authenticate the transaction.

"The OTP would stop a keylogger in its tracks," said Kipe. Software that logs keystrokes could recognize the OTP keystrokes, but to no avail: an OTP remains valid for less than 30 seconds and can't be used more than once.
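The two properties described above, a validity window under 30 seconds and single use, are what defeat a replayed keystroke capture. The sketch below is an added example, not code from the article or from the Q2 platform; the class name, the six-digit code length, the transaction IDs and the injected clock are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 30  # article: an OTP remains valid for less than 30 seconds


class TransactionOtp:
    """Hypothetical verifier: one OTP per pending transfer, single use."""

    def __init__(self, clock):
        self._clock = clock      # injected so expiry can be exercised in a test
        self._pending = {}       # txn_id -> (sha256 of code, issue time)

    def issue(self, txn_id):
        code = f"{secrets.randbelow(10**6):06d}"   # assumed 6-digit code
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[txn_id] = (digest, self._clock())
        return code              # delivered out of band (token fob or phone)

    def verify(self, txn_id, submitted):
        # pop() consumes the code on ANY attempt, so a captured code cannot
        # be replayed and a wrong guess cannot be retried against it.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        digest, issued_at = entry
        if self._clock() - issued_at >= OTP_TTL_SECONDS:
            return False         # window elapsed
        candidate = hashlib.sha256(submitted.encode()).digest()
        return hmac.compare_digest(candidate, digest)


def demo():
    """Constructed scenario: a legitimate entry, a replay, and a late entry."""
    now = [1000.0]
    otp = TransactionOtp(clock=lambda: now[0])
    code = otp.issue("wire-001")
    first = otp.verify("wire-001", code)     # member types the code in time
    replay = otp.verify("wire-001", code)    # same keystrokes submitted again
    late_code = otp.issue("wire-002")
    now[0] += OTP_TTL_SECONDS                # the window passes
    expired = otp.verify("wire-002", late_code)
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

Binding each code to one transaction ID also means a code issued for one transfer cannot authorize a different one.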

Both the analytics software and authentication technology are built into SAC's Internet banking platform, Q2ebanking, provided by Austin, Texas-based Q2.

Online ACH for nonbusiness members is less risky, Kipe continued. At a total of between 30 and 60 ACH transactions per day, the volume is small enough that the CU can manually review those transactions for suspicious behavior.

'Dumbing Down App'

Meanwhile, to make sure other Internet channels and functionality are FFIEC compliant, SAC FCU "dumbs down" mobile banking, in comparison with Internet banking, Kipe said.

"You can't transfer out money from mobile banking, and there's no bill pay," he said. "We're afraid members store their passwords in their mobile device. And it's easier to lose a mobile device than a computer."

To better serve members and meet FFIEC guidelines, SAC FCU needs to raise member awareness about Internet protection, suggested Kipe. Currently, the CU's site offers pop-up alerts to warn members against current Internet threats or remind them about security features. "But we're working on a full website page that discusses identity theft and Internet protection."

SAC performs an annual website and Internet banking risk assessment using a framework developed in-house. Later this year, the CU will contract a third party to conduct a risk assessment.

The CU's compliance department of three scrutinizes all new online content and marketing. Compliant disclosures for accounts opened online are assembled into one PDF document online; members click a link during the account application process to view the disclosure PDF, Kipe said. Disclosures are kept in compliance by the credit union's product vendors, he said.

More than 50% of SAC's checking and savings account holders use Internet or mobile banking, Kipe said.
