Corporate Account Takeover: A Bank's Perspective

January 2011

Moderator: Welcome to the Federal Reserve Bank of Atlanta's Payments Spotlight podcast. Today we're joined by Tina Giorgio, senior vice-president of operations for Sandy Spring Bank in Maryland. Tina is an accredited ACH professional and a member of both the NACHA and Mid-Atlantic Automated Clearinghouse's board of directors. Tina is also the chair for the NACHA's Risk Management Advisory Group, a member of the Federal Reserve's Fifth District Payment Advisory Council, and serves on the advisory group for the Atlanta Fed's Retail Payments Risk Forum. Recently, Tina was named co-chair of the FS-ISAC [Financial Services–Information Sharing and Analysis Center] Critical Infrastructure Payments Protection Council. She will be speaking to us about Corporate Account Takeovers: A Bank's Perspective.

Tina, thank you for joining us.

Tina Giorgio: Thank you, Ana. It's great to be here.

Moderator: Well, first off, I know you're a member of the Risk Management Advisory Group. Could you tell us a little bit about your involvement with that group and its work as it relates to corporate account takeovers?

Giorgio: Certainly, Ana. As you mentioned, I am the chair of NACHA's Risk Management Advisory Group, or RMAG, which advises the NACHA board of directors on risk management issues. RMAG has been actively engaged in addressing corporate account takeover since it emerged as a risk in 2007. As you know, corporate account takeover is a type of identity theft in which cyberthieves gain control of a business's bank account by stealing the business's valid online banking credentials. It occurs when the company's online banking credentials are stolen and used to fraudulently access bank accounts and engage in fraudulent banking activity. The key to stopping corporate account takeover is employing sound business practices. In fact, NACHA's board of directors recently released a policy statement detailing the importance of financial institutions and other ACH participants, including originators and third parties, employing sound business practices to prevent and mitigate the risks associated with corporate account takeover and its affect on payment transactions such as ACH payments.

RMAG has diligently been working to ensure that all parties, both businesses and financial institutions, have an awareness of sound business practices. We are currently developing resources to aid businesses and financial institutions in evaluating and establishing sound business practices. These resources will be revised and updated as the technology and techniques used by cyberthieves change.

Moderator: Well, that's interesting, Tina, but can you discuss the significance of corporate account takeover threats as viewed from a bank's perspective?

Giorgio: That's a great question, Ana. When you take a step back and look at the vast number of online transactions initiated everyday, it's clear that, overall, financial institutions are providing a safe and secure payment environment. We are all taking corporate account takeover very seriously, as we do with any emerging threat. By using sound business practices—for example, deploying multi-factor and multi-channel authentication, out-of-band authentication, and alerts—financial institutions create strong barriers against corporate account takeover.

From a bank's perspective, detecting and protecting against corporate account takeover becomes one step in diligent risk management. Corporate account takeover is about a business's systems being compromised, so businesses have an active role to play as well. ODFIs [originating depository financial institutions] should educate their business customers about sound business practices, including the importance of reconciling accounts daily, having a dedicated computer for online banking activity, deploying up-to-date security patches, among other things.

Customer education is a crucial part of a risk mitigation program. Financial institutions and their business customers must work together in partnership to minimize the risk of corporate account takeover.

Moderator: Well, as you may have heard, there is some talk in the industry about possibly amending Regulation E to protect corporate customers. What impact would this have in the business account environment, and would this move help or hinder the fight against corporate account takeovers?

Giorgio: Well, Ana, it's important to recognize that businesses and financial institutions are partners in preventing corporate account takeover. Each of us has a role to take in implementing sound business practices to minimize risk and prevent attacks. As such, each member must assume responsibility for the aspects that are under their control. That's why RMAG emphasizes prevention detection as the solution. Financial institutions and businesses both can employ sound business practices to safeguard against corporate account takeover and greatly minimize its impact on payments. Specifically, there are tools and procedures to help businesses and financial institutions prevent or quickly detect these attacks, to either stop or mitigate the risk of corporate account takeover.

In my opinion, it's critical that our focus be on ways to stop the activity before it happens in the first place.

Moderator: From that perspective, what are some of the best practices that banks can employ to best mitigate this type of fraud?

Giorgio: Ana, I know I've reiterated throughout this interview the importance of sound business practices in mitigating corporate account takeover. The good news is that these sound practices embrace tools financial institutions may already have in hand. Financial institutions can make a lot of headway in reducing corporate account takeover by educating their business customers and recommending key controls.

For example, FIs can recommend payment file initiation under dual control, incorporate security requirements into agreements with originators, and encourage use of out-of-band authentication and alerts. In addition, low-tech options, like exposure limits, pre-notification, and origination calendars certainly provide added layers of security, and these are processes and controls that ODFIs may already have in place.

Financial institutions also may want to consider fraud detection and risk management services offered by the ACH operators and online banking service providers. A threshold, or cap, on ACH credit origination could alert a financial institution, particularly a small institution with low average daily ACH credit origination, to irregular activity. Many providers also offer security options, such as IP address authentication and behavioral analytics, or payment patterning, for their account holders.

Above all, financial institutions and businesses need to be vigilant in protecting against corporate account takeover. The number one thing we're told about insuring personal safety is that you have to be aware of your surroundings. The same can be said in the instance of corporate account takeover. When both the financial institution and the business work in concert to implement sound business practices, they exponentially increase their safeguards against these cyberattacks and take a giant step towards prevention.

Moderator: Tina, it's been a pleasure talking to you. Thanks so much for sharing your insights with us today.

Giorgio: Thank you, Ana. It was great to be here.

Moderator: Again, we've been speaking today with Tina Giorgio, senior vice-president of operations for Sandy Spring Bank in Maryland. This concludes our Payments Spotlight podcast on Corporate Account Takeovers: A Bank's Perspective.

You can find more information about the Retail Payments Risk Forum by visiting our website at Thanks for listening, and please return for more podcasts. If you have comments or questions, please send us an e-mail at