
Business Services Offer Credit Unions Growth Potential But Also Increased Risks

NEWS RELEASE:
From CUNA Mutual Group Public Relations
www.cunamutual.com

For more information:
Phil Tschudy 608/231-7188  philip.tschudy@cunamutual.com
Rick Uhlmann 608/231-8940  rick.uhlmann@cunamutual.com

SAN ANTONIO – Credit unions looking to expand membership by adding business accounts and related services, including online banking and depository (checking account) services, need to perform proper due diligence and be wary of potential losses that may be uninsurable, a CUNA Mutual Group risk manager told an America’s Credit Union Conference Discovery breakout session audience Tuesday.

Many credit unions are finding that merely offering business loans is not enough to attract new business members who want more than a source of financing, said Ken Otsuka, senior consultant, Credit Union Protection Risk Management.

“Credit unions are introducing additional services to enhance their service portfolio and be a one-stop source for a business’ needs, but failure to adopt sound banking practices and important loss controls exposes credit unions to significant losses,” Otsuka said.

Business checking accounts and online banking services pose unique risks.

Before opening a new business checking account, credit unions should first perform a risk assessment for two key reasons. “First, you must verify the existence of the business entity to comply with Customer Identification Program rules. Secondly, a risk assessment should be performed to determine the financial condition of the entity to qualify the business for various services,” Otsuka said.

Some of the largest check-related losses have involved unauthorized accounts opened at credit unions by dishonest employees of businesses to aid in their embezzlement schemes against those businesses. The severity of losses could be significant due to the volume and dollar amount of check transactions.

“The embezzlements can take place over several years before they are discovered, and these losses may not be insurable,” he added.

Otsuka went on to address the alarming escalation of online banking fraud in the financial services industry. The root of the problem has been Trojan keyloggers, primarily the Zeus Trojan, which monitors and captures keystrokes, logs them to a file and sends them to cyber thieves. The Trojan resides on users’ computers without their knowledge and is primarily used to capture online banking login credentials.

Trojans like Zeus are spread through phishing emails, generally targeting key employees of an organization. Users of popular social networking websites, such as Facebook, have also been targeted. Thousands of computers infected with customizable Trojans like Zeus form a botnet, allowing cyber thieves to control the infected machines through command and control centers. Attacks can infiltrate computers at credit unions and those of the business members they serve.

Zeus is also used in man-in-browser (MITB) attacks, whereby the victim’s browser is infected with the Trojan, which waits patiently for the user to access online banking websites, Otsuka added.

“When the user visits a targeted online banking website, Zeus silently springs to life. After the user is successfully authenticated – even with two-factor authentication such as a one-time-password generated by a token – Zeus ‘piggybacks’ on the user’s session. It intercepts and modifies details of a transaction entered by the user and initiates new transactions without the user’s knowledge,” Otsuka said.

To better protect themselves and member accounts, Otsuka urged credit unions to implement the following:

  • Stronger two-factor authentication method, rather than the common method of computer recognition (using cookies) combined with challenge questions;
  • Out-of-band authentication (e.g., by telephone) to authenticate members through a separate communication channel;
  • Fraud detection tools to monitor user access behavior and individual transactions; and
  • Out-of-band transaction verification for large dollar transfers.

Otsuka recommended attendees visit CUNA Mutual’s Protection Resource Center at www.cunamutual.com to access several white papers in the site’s Loss Prevention Library that can help credit unions identify risks associated with offering various services to business members along with important loss controls.

CUNA Mutual Group insurance, retirement and investment products provide financial security and protection to credit unions and their members worldwide. With more than 75 years of true market commitment, CUNA Mutual’s vision is unwavering: To be a trusted business partner who delivers service excellence through customer-focused products and market-driven insight. More information on the company is available on the company’s Web site at www.cunamutual.com.

CUNA Mutual Group is the marketing name of CUNA Mutual Insurance Society, its affiliates and subsidiaries, including CUMIS Insurance Society, Inc.  Product availability and features may vary by jurisdiction and are subject to actual policy language. Corporate headquarters are located in Madison, Wis.

# # #

