In mid-December 1991, a major U.S. bank came perilously close to sustaining a $70 million fraud loss.
The attempted fraud involved the use of a seemingly genuine automated clearing house tape. The perpetrators had modified beneficiary account information to cause a fraudulent transfer of funds from a corporate customer's account to third-party accounts in two European banks.
Though the funds were transferred to the offshore accounts, the scheme failed. The perpetrators had apparently neglected the fact that the European banks would be closed for an additional two days after Christmas.
Instead of picking up the money on a Thursday, the crooks had to wait until the following Monday. That gave law enforcement personnel time to apprehend them when they came to collect the loot.
Such problems are not unique to the United States.
Recently, a major Swedish securities firm executed a routine payment of dividends via an automated clearing house tape transfer with its clearing house. However, the tape had been altered and beneficiary account information modified. The equivalent of about $9 million was credited to the perpetrators' account.
The fraud was detected only when a shareholder became irate because his payment was not credited on time. Most of the funds were recovered.
In a similar incident, a major Norwegian bank's tape of clearing instructions was modified before input to the clearing house. Account-number and beneficiary data were altered, and the perpetrator's account was credited with the equivalent of about $135 million.
The transaction, extremely large even for interbank clearing, attracted the attention of clearing house management, which uncovered the fraud. It is agreed, however, that a smaller amount or the same total divided into smaller transactions would not have aroused suspicions; the fraud would have been a complete success.
Such war stories point to the vulnerability of automated clearing house bulk-payment systems to fraud as well as error.
The evidence is anecdotal, but where there is smoke there is often fire. According to Jeremy Grant, director of WBK International consulting firm in Britain, "European banks are experiencing detected attempts at fraud through their automated bulk payment systems at the rate of approximately one every two weeks."
Automated clearing house systems emerged in the late 1960s as an alternative to checks for recurring-transaction functions where same-day availability of funds is not seen as essential. These include payroll, utility payments, insurance premiums, and dividends.
The systems were developed using the computer technology then available, which was oriented toward batch processing - the handling of accumulated transactions in bulk.
Typically, a customer would bring to its servicing financial institution magnetic tapes containing transaction data such as debit account, beneficiary account, transaction amount, and routing codes.
The tapes would be input to the bank's mainframe-based automated clearing house system. The system would then perform a series of edits on the data.
The edits were designed solely to detect errors, not to validate the authenticity of the tapes or the data contained.
The Systems Evolve
Over the years, automated clearing house systems evolved to permit the transmission of customer data to banks, so the physical transfer of tapes became unnecessary. Further advances allowed customers to create, edit, verify, and release transactions from their own personal computers.
Although a bank's system accumulates instructions from customers for batch processing later, to the customers the system may appear to be processing input in real time.
Businesses have greatly increased their use of automated clearing house systems for cash management and to cut costs.
At some financial institutions, the volume of corporate payments through such systems being processed through the more expensive wholesale wire transfer systems such as Fed Wire, Swift, Chips.
Total automated clearing house payments are expected to exceed $7 trillion in the U.S. this year, compared with $2.2 trillion in 1986.
Since a single clearing house tape may contain hundreds of transactions - a company's accounts-payable transactions for an entire billing cycle, for example, or a full payroll cycle - the aggregate value being moved frequently amounts to hundreds of millions of dollars.
Thus the banking industry is faced with a major source of potential fraud loss.
Perils of Batch Processing
The risk derives from basic design as well as the way the systems are perceived by bankers and corporate users.
The automated clearing house, unlike the wholesale wire transfer networks, is designed to process payment instructions in batches, not transaction by transaction. This means authentication of an instruction is for the entire batch, not each transaction.
If batch totals on the tape agree with those on the accompanying transmittal document or in the file's header information, the entire batch is assumed to be authentic and is processed through the clearing house network.
As long as a genuine-appearing transmittal document and customer header information were provided, a completely fraudulent tape could be submitted for processing by the servicing bank.
Controlling the Risks
The fraud exposure may be significantly reduced by controls such as message authentication and encryption, which are found in many of the on-line automated clearing house products currently on the market for use with microcomputers.
But for the foreseeable future, most automated clearing house users will continue to use either the physical transfer of tapes or
While high risks in wholesale funds-transfer systems have long been recognized, many banks and corporate users simply do not view automated clearing house risks as equally high.
Therefore, many banks have failed to implement even the most rudimentary controls in this area.
Before 1989, there was no comprehensive body of law governing large-dollar funds transfers. This situation was rectified by the addition of Article 4A to the Uniform Commercial Code.
The article has been adopted in 39 states. In addition, the Federal Reserve has amended its Regulation J to incorporate Article 4A into the rules governing its Fed Wire, and the National Automated Clearing House Association has adopted the rules of 4A for the automated clearing house system.
Article 4A recognizes the importance of security for electronic payments and imposes liability for failing to use appropriate security.
The general rule of 4A is that senders of payment orders (known in the automated clearing house world as "entries") must pay only those they actually authorized. Losses arising from unauthorized transactions would typically be borne by the sender's depository institution.
An important caveat is 4A's notion of a verified payment order. The article provides that the purported sender will be liable - even when the order is unauthorized - if these criteria are met:
* The bank and its customer have agreed that a security procedure will be used to verify the authenticity of payment orders.
* The security procedure is commercially reasonable.
* The bank proves that it accepted the order in good faith and in compliance with the security procedure and any written agreement or instruction restricting acceptance of payment orders.
A sender may still be able to avoid liability for a verified order if it can prove that the fraudulent order was probably caused by someone with no connection with the customer. This is the so-called interloper fraud exception.
Resolving questions of liability under this scheme hinges on the question of the "commercial reasonableness" of the security arrangement.
The burden is initially on the financial institution to review its customer's circumstances and offer that customer the appropriate level of security. The question of commercial reasonableness is ultimately left to the courts to decide, case by case.
Article 4A does permit customers and their financial intermediaries to agree in writing that a particular security procedure will be deemed commercially reasonable. For this rule to apply, the security procedure has to be chosen by the customer after a commercially reasonable procedure was offered by the bank.
This approach is illustrated by Operating Circular No. 10 of the Federal Reserve Bank of New York. Its Appendix 1 describes two levels of security. Senders of automated clearing house items who select the second must sign an agreement with the Fed recognizing that this level may be deemed commercially reasonable and that the sender will be bound by items accepted by the bank - even if they are, in fact, unauthorized.
At a minimum, banks should use the batch-total reports generated while running a customer's automated clearing house input to confirm with the customer - by phone or fax - that the data match those the customer sent.
This simple procedure, used by a number of banks, significantly reduces the risk of a completely fraudulent tape or transmission.
Unfortunately, this procedure does nothing to detect fraudulent modifications to otherwise legitimate input. Authentication at this level can be handled only by technical means.
Procedures for Testing
Recognizing this, banking regulators in a number of European countries now require that bulk-payment instructions passed between corporate customers or other financial institutions by means of tape or tape image must utilize message authentication, much as Chips and Swift do at the transaction level.
With such a system, customer data changed by as little as one bit will flunk the bank's authentication routine. European institutions have found this technique effective and inexpensive.
In addition, some U.S. banks have begun to use "hash" totals of account numbers as a control against fraudulent modification of data. Any alteration in an account number will change the sum of the "hash" total, alerting the bank to potential fraud.
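The three controls discussed in this article (batch totals, "hash" totals of account numbers, and message authentication) are compared below on one constructed batch. This is an added example, not part of the original article: the record layout, key, and account numbers are made up, and HMAC-SHA256 stands in for whatever authentication algorithm a bank and its customer actually agree on.

```python
import hashlib
import hmac

# Constructed sample batch: (debit account, beneficiary account, amount in cents).
BATCH = [
    ("100200300", "555000111", 125_000),
    ("100200300", "555000222", 980_050),
    ("100200300", "555000333", 43_210),
]
KEY = b"constructed-demo-key"  # assumed to be shared by customer and bank


def amount_total(batch):
    """Batch control total, the figure matched against the transmittal."""
    return sum(amount for _, _, amount in batch)


def account_hash_total(batch):
    """'Hash' total: arithmetic sum of the beneficiary account numbers."""
    return sum(int(beneficiary) for _, beneficiary, _ in batch)


def batch_mac(batch, key=KEY):
    """MAC over a fixed-layout image of every record (layout is assumed)."""
    image = "\n".join(f"{d}|{b}|{a:012d}" for d, b, a in batch).encode()
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def controls(batch, key=KEY):
    """Values the customer sends alongside the batch."""
    return {"amount": amount_total(batch), "hash": account_hash_total(batch),
            "mac": batch_mac(batch, key)}


def check(received, sent, key=KEY):
    """Bank side: which controls accept the received batch?"""
    got = controls(received, key)
    return {"amount": got["amount"] == sent["amount"],
            "hash": got["hash"] == sent["hash"],
            "mac": hmac.compare_digest(got["mac"], sent["mac"])}


SENT = controls(BATCH)
# One beneficiary account altered, amounts untouched.
ALTERED = [BATCH[0], ("100200300", "555000999", 980_050), BATCH[2]]
# One bit changed in the record image: final amount digit '0' -> '1'.
ONE_BIT = [BATCH[0], BATCH[1], ("100200300", "555000333", 43_211)]

if __name__ == "__main__":
    for name, batch in [("genuine", BATCH), ("altered", ALTERED), ("one bit", ONE_BIT)]:
        print(name, check(batch, SENT))
```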
For the longer term, banks should aggressively begin moving their largest automated clearing house users to on-line workstations based on microprocessors.
Like their cash-management counterparts, these systems provide much more flexibility and security at the customer level as well as permitting the use of message authentication, encryption, or both.