I was recently informed that my business had its banking and my personal information stolen in the Global Payments Hack. We formally used the company to process credit cards. And they apparently allowed my personal and small business information to get out into the wild. Global Payments is now paying for one year of credit monitoring for my personal information, but my business bank info is out there without protection except my diligence to daily check for unauthorized bank transfers. It was suggested that I close the account and open a new one. I am forced to consider this, but changing all the electronic payments I currently have set up on my business account is a time-consuming problem. I may decide to do this, but anyone who considers this a good solution should remember what a detailed process it is to have to change bank accounts.
The issue is that the financial system does not seem to like the idea of really tight security. I think that there is tremendous profit in the noise created by having a certain amount of fraud transactions for all the big principal intermediaries in the financial system despite the claim they work so hard to prevent it. They are not financially responsible under most contract law as far as I can tell as a layman and small business owner; it is the party that allowed the fraud to happen who is responsible or, in my case, if someone decides to raid my business bank account after being told that there is a problem, me. Not the service providers. If someone empties your bank account electronically, you, not your bank, have a problem. Same is true if your credit card gets used unauthorized. Even if you are protected, you still have a problem with the amount of time and effort necessary to clean up the mess. And it can cause havoc with your life.
It is possible to make it much more difficult for unauthorized bank transfers or credit card fraud.
Simply require that all transactions be PIN based or require advanced setup with the bank before authorizing any kind of electronic funds transfer out of my account.
If, for example, my tax payment which in the Commonwealth is done electronically monthly, I would require that I inform my bank that the Commonwealth is an authorized requester for a fund transfer, fill out an authorization form with the Commonwealth’s information and my bank would then have the Commonwealth listed on a white list. By requiring the white listed payees in advance and in person, my bank and I will have much greater security that some offshore bank robber cannot steal from me. I can pay the Commonwealth and the transaction should go through. Only white listed payees should be allowed to get electronic payments under this scheme. Such a system would now put the responsibility for allowing fraudulent transactions to happen onto the financial system, not me. I do not think it would be perfect, but it would be much better than what we have now, which is practically in effect security by ignorance of my account being available to steal from. There is no security on most electronic transfers in our financial system.
Credit cards in other parts of the world have a PIN associated with the card that is kept separate from the physical card. This too could be required on electronic bank transfers and would cut down on the possibility of fraud.
Now I realize that Massachusetts regulates a small percentage of banks and financial companies. Most are regulated by the Federal Government for the benefit of the financial industry. I would like to suggest that the Commonwealth and the state regulator of state chartered institutions make a proposal to require that the banks that it does regulate begin to require stronger, more robust security for the small business and individual accounts to make it much harder for ill-intentioned groups to steal from Massachusetts businesses and individuals, by requiring some kind of independent authentication that a transaction is legit. An advanced setup PIN or a white list would be a small step forward. It may even be a selling point for small businesses and not so small businesses to use locally chartered banks over their federally regulated competitors.
Dan, this is a very worthy suggestion.
I’m happy to follow up on it.
We’ll start by investigating to determine what rules like this exist in other states and/or may be under consideration in Massachusetts.
As Legislative Counsel to Senator Brownsberger, I recently spoke to folks at the Massachusetts Division of Banks about the issues you raise. Massachusetts General Laws Ch. 167B deals with the interaction between financial institutions, businesses, and consumers. This chapter is consumer-oriented and focuses on protecting consumer use of bank accounts and transactions. Massachusetts does not have a corresponding law on point dealing with businesses, but your proposal is well-taken.
As you mentioned, the Commonwealth only regulates a small number of banks since most national banks are regulated by the federal government. Congress is looking into the issue as well. In fact, the House Financial Services Subcommittee on Capital Markets held a hearing on cybersecurity threats in early June.
The First Circuit Court of Appeals recently decided Patco Construction Co., Inc. v. People’s United Bank, No. 11-2031 (1st Cir. July 3, 2012), in which the Court held that People’s United Bank failed to establish “commercially reasonable” measures to prevent fraudulent withdrawals from an account held by Patco Construction Company. Based upon this decision, banks will likely reconsider security measures and provide small businesses with more reliable services in order to authenticate online banking transactions.
As you continue to monitor your business bank accounts, you may also want to consider purchasing fraud insurance to protect your business in the future.
Thank you for sharing your proposal and ideas with us. Going forward, we will consider legislation on this subject matter.
Legislative Counsel & Policy Advisor
Office of State Senator Will Brownsberger