What is Corporate Account Takeover?

Corporate Account Takeover is an evolving electronic crime typically involving the exploitation of businesses of all sizes, especially those with limited to no computer safeguards and minimal or no disbursement controls for use with their bank’s online business banking system. These businesses are vulnerable to theft when cyber thieves gain access to its computer system to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves. Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets.  Losses from this form of cyber-crime range from the tens of thousands to the millions with the majority of these thefts not fully recovered.  These thefts have affected both large and small banks.

This type of cyber-crime is a technologically advanced form of electronic theft.  Malicious software, which is available over the Internet, automates many elements of the crime including circumventing one time passwords, authentication tokens, and other forms of multi-factor authentication. Customer awareness of online threats and education about common account takeover methods are helpful measures to protect against these threats.  However, due to the dependence of banks on sound computer and disbursement controls of its customers, there is no single measure to stop these thefts entirely.  Multiple controls or a “layered security” approach is required.

Policy on Risk Management of Corporate Account Takeovers   

The Texas Department of Banking issued Supervisory Memorandum 1029  which establishes minimum standards for the Risk Management of Corporate Account Takeovers.  The policy requires banks to implement appropriate practices in the risk management of corporate account takeovers. Examiners began reviewing bank implementation efforts in March 2012.