No Due Diligence? Say Hello To Potentially Uninsured Losses

SAN ANTONIO - Credit unions are being cautioned that as they expand membership by adding business accounts and related services, including online banking and checking account services, they must perform proper due diligence or risk potential losses that may be uninsurable.

Many credit unions are finding that merely offering business loans is not enough to attract new business members who want more than a source of financing, according to Ken Otsuka, senior consultant, Credit Union Protection Risk Management.

"Credit unions are introducing additional services to enhance their service portfolio and be a one-stop source for a business' needs, but failure to adopt sound banking practices and important loss controls exposes credit unions to significant losses," Otsuka said in remarks before CUNA's America's Credit Union Conference.

Business checking accounts and online banking services pose unique risks.

Before opening a new business checking account, credit unions should first perform a risk assessment for two key reasons. "First, you must verify the existence of the business entity to comply with Customer Identification Program rules. Secondly, a risk assessment should be performed to determine the financial condition of the entity to qualify the business for various services," Otsuka said.

Some of the largest check-related losses have involved unauthorized accounts opened at credit unions by dishonest employees of businesses to aid in their embezzlement schemes against those businesses. The severity of losses could be significant due to the volume and dollar amount of check transactions.

"The embezzlements can take place over several years before they are discovered, and these losses may not be insurable," he added.

Otsuka went on to address the alarming escalation of online banking fraud in the financial services industry. The root of the problem has been Trojan keyloggers, primarily the Zeus Trojan, which monitors and captures keystrokes, logs them to a file and sends them to cyber thieves. The Trojan resides on users' computers without their knowledge and is primarily used to capture online banking login credentials.

Trojans like Zeus are spread through phishing e-mails, generally targeting key employees of an organization. Users of popular social networking websites, such as Facebook, have also been targeted. Thousands of computers infected with customizable Trojans like Zeus form a botnet allowing cyber thieves to control the infected machines through command and control centers. Attacks can infiltrate computers at credit unions and those of business members they serve.

Zeus is also used in man-in-the-browser (MITB) attacks, whereby the victim's browser is infected with the Trojan, which waits patiently for the user to access online banking websites, Otsuka added.

"When the user visits a targeted online banking website, Zeus silently springs to life. After the user is successfully authenticated, even with two-factor authentication such as a one-time password generated by a token, Zeus 'piggybacks' on the user's session. It intercepts and modifies details of a transaction entered by the user and initiates new transactions without the user's knowledge," Otsuka said.
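The point in Otsuka's remarks that practitioners most often miss is that a login-time one-time password authenticates the session, not the contents of each transaction, which is exactly the gap a man-in-the-browser Trojan exploits. The following Python is an added illustration written for this article, not code from Otsuka's presentation or from any credit union system. It contrasts a session-level OTP check with an authorization code bound to the transaction fields the member actually approved (amount and payee); the shared secret, account identifiers, amounts and the `tamper_in_browser` stand-in for the Trojan's modification are all constructed for the demo.

```python
"""Added example: why a session-level OTP does not protect transaction
contents, and how a transaction-bound authorization code catches
in-browser tampering. Keys, account numbers and amounts are constructed."""
import hashlib
import hmac
import secrets

# Constructed secret, assumed to be shared between the member's signing token
# and the credit union's server (the provisioning model is an assumption).
TOKEN_SECRET = b"demo-shared-secret-not-real"


def canonical(tx: dict) -> bytes:
    """Serialize the member-visible fields in a fixed order so both sides
    compute the authorization code over exactly the same bytes."""
    return f"{tx['session']}|{tx['payee']}|{tx['amount_cents']}".encode()


def sign_transaction(tx: dict, secret: bytes = TOKEN_SECRET) -> str:
    """Member side: a signing device computes an HMAC over the transaction
    the member reviewed and approved (not over what the browser sends)."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()


def verify_transaction(tx: dict, code: str, secret: bytes = TOKEN_SECRET) -> bool:
    """Server side: recompute the HMAC over the transaction as received.
    Any change to payee or amount in transit yields a different code."""
    expected = hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def session_only_server(session_authenticated: bool, tx: dict) -> bool:
    """Scheme 1: the OTP authenticated the session at login; every transaction
    submitted in that session is accepted. Nothing ties the OTP to tx."""
    return session_authenticated


def tamper_in_browser(tx: dict) -> dict:
    """Constructed stand-in for the modification the article describes: the
    browser submits different details than the member entered."""
    altered = dict(tx)
    altered["payee"] = "ACCT-ATTACKER-000"   # constructed
    altered["amount_cents"] = 950_000        # constructed
    return altered


def demo() -> dict:
    """Run both schemes against the same tampered submission."""
    session = secrets.token_hex(8)
    intended = {"session": session, "payee": "ACCT-VENDOR-123",
                "amount_cents": 12_500}                        # constructed
    session_authenticated = True          # member passed the login-time OTP
    submitted = tamper_in_browser(intended)

    # Scheme 1 accepts the altered transaction: the session is authenticated.
    session_scheme_accepts_tampered = session_only_server(
        session_authenticated, submitted)

    # Scheme 2: the code was computed over what the member approved, so the
    # server's recomputation over the altered submission does not match.
    code = sign_transaction(intended)
    bound_scheme_accepts_tampered = verify_transaction(submitted, code)
    bound_scheme_accepts_honest = verify_transaction(intended, code)

    return {
        "session_scheme_accepts_tampered": session_scheme_accepts_tampered,
        "bound_scheme_accepts_tampered": bound_scheme_accepts_tampered,
        "bound_scheme_accepts_honest": bound_scheme_accepts_honest,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'REJECTED'}")
```

The design hinges on where the member-visible fields enter the calculation: the signing device must show the amount and payee to the member through a channel the infected browser cannot alter, and compute the code over those displayed values. A token that only produces a time-based code at login, as in the quote above, gives the server no way to notice that the transaction it received differs from the one the member intended.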
