Corporate Account Takeover

On March 17, 2010, cyber thieves hacked into the computers of Choice Escrow and stole the login ID and password to their online banking account. With that information, the thieves were able to submit a $440,000 wire transfer from Choice Escrow’s bank account to an account in Cyprus.



When Choice Escrow and the bank were unable to resolve their differences, Choice Escrow filed suit. The back-and-forth legal battle lasted until March 18, 2013, when a court ruled the loss was the responsibility of Choice Escrow. A major determining factor in the decision was Choice Escrow’s refusal of the dual control security mechanism offered by Bancorpsouth Bank. According to Article 4A of the Uniform Commercial Code, if an institution offers a reasonable security procedure to a commercial customer and that customer turns down that security procedure, then the customer is liable in the event of a loss.

Bancorpsouth Bank offered dual control to Choice Escrow twice. Not only did the bank offer this security feature to Choice Escrow, but Bancorpsouth also documented the customer’s refusal to use the security feature. The documentation of the customer’s refusal of the security features was a determining factor in this case. From a bank’s perspective, this case underscores the importance of a written agreement with commercial online banking customers and, more importantly, the importance of documenting the security procedures offered to those customers. From a user’s perspective, the case highlights the need to use the security procedures offered.

Corporate Account Takeover

Corporate account takeover is a term which has become more prevalent over recent years. Generally speaking, corporate account takeover occurs when an unauthorized person or entity gains access or control over another entity’s finances or bank accounts. This usually results in the theft of money in the form of fraudulent wire transfers or ACH transactions.

These fraud schemes first began to be noticed in 2005 but have since become much more widespread and frequent. Recent statistics have revealed that the fraudsters carrying out these schemes are actually becoming less successful in getting money out of a bank account. This reduction is due to both increased efforts on the part of the financial institutions, as well as better education of the customer to help them avoid becoming a target.

Usually, the financial institutions themselves are not the targets of the attack but rather the corporate customers of the institution. Using malware, social engineering and various other methods, the fraudster obtains the customer’s online banking credentials. Once the online banking credentials have been obtained, the thief places a request for wire or ACH transfers. Any business may be targeted for these types of attacks, but those at risk are mostly small businesses, governments, and nonprofits that have limited resources to protect against such threats.

This Post Contributed by John McLeod

This post was contributed by John McLeod, one of my firm's associates who audits financial institutions and specializes in technology issues. John is a CPA and is CISA certified. He often speaks to banking groups about technology and internal controls. You can reach him at


Debt Covenants Changing?

Will debt covenants of some U.S. companies change in the near future? I think so.

Two dynamics will drive these changes.

  1. The lease accounting standard
  2. Use of the AICPA Financial Reporting Framework for Small- to Medium-Sized Entities (FRF for SME) – a new “other comprehensive basis of accounting”

The lease standard has not, as of yet, been adopted by FASB, but it looks like it will be in the near future. If leases with a term of more than twelve months are recorded as lease liabilities (as presently proposed), then the debt to equity ratio of some companies will, in some cases, be non-compliant with existing covenants. This change in lease accounting will be an impetus to changing debt agreements.

The second cause of changing debt covenants is the AICPA’s issuance of FRF for SME, a new other comprehensive basis of accounting that can be used by small- to medium-sized private companies. If debt covenants presently require GAAP, then debt agreements will need to be amended in order for companies to use FRF for SME.

What do you think? Will these factors result in changes to debt covenants?

Unlimited FDIC Coverage Ceases

The unlimited FDIC coverage for noninterest-bearing accounts has expired. (Since the FDIC still has the following notice on its website after December 31, 2012, I am assuming there were no last-minute changes to the Transaction Account Guarantee expiration date.)

The following comes from an FDIC FAQ (as of January 2, 2013):

Frequently Asked Questions Regarding Notice of Expiration: Temporary Unlimited Coverage for Noninterest-Bearing Transaction Accounts

Section 343 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) provides temporary unlimited deposit insurance coverage for noninterest-bearing transaction accounts (NIBTAs) at all FDIC-insured depository institutions (IDIs) from December 31, 2010 through December 31, 2012 (the Dodd-Frank Deposit Insurance Provision). In anticipation of the expiration of the Dodd-Frank Deposit Insurance Provision, the FDIC issued Financial Institution Letter FIL-45-2012 to provide related direction and guidance to IDIs.

Below are frequently asked questions and answers concerning the expiration of the Dodd-Frank Deposit Insurance Provision.

1. When the Dodd-Frank Deposit Insurance Provision expires, how will noninterest-bearing transaction accounts be insured by the FDIC? What will be the impact on deposit insurance coverage on other types of accounts?

Beginning January 1, 2013, noninterest-bearing transaction accounts will no longer be insured separately from depositors’ other accounts at the same IDI. Instead, noninterest-bearing transaction accounts will be added to any of a depositor’s other accounts in the applicable ownership category, and the aggregate balance insured up to at least the Standard Maximum Deposit Insurance Amount (SMDIA) of $250,000, per depositor, at each separately chartered IDI.

For example, if after the expiration of the Dodd-Frank Deposit Insurance Provision a depositor under the single ownership category has $500,000 deposited in a noninterest-bearing transaction account and $250,000 deposited in a certificate of deposit, or total deposits of $750,000, the depositor would be insured for up to $250,000 and uninsured for the remaining balance of $500,000.

Depositors should be made aware that Section 335 of the Dodd-Frank Act permanently increases the SMDIA to $250,000.

To see the remainder of the FDIC FAQ, click here.

Extension of Unlimited Coverage Defeated

The CFO Journal reported on December 13, 2012 that the Senate blocked a vote to extend the unlimited FDIC coverage for noninterest-bearing accounts.

Effects on Financial Statement Disclosures and Management Letters

Consider how this change will affect your December 31, 2012 year-end financial statement disclosures. You may also want to consider management letter comments to address the decreased FDIC coverage.

Some governments had moved substantial funds into noninterest-bearing accounts (given the low interest rate returns) in order to receive the unlimited FDIC coverage. These governmental entities need to consider whether they need to seek safety by means of other types of investments such as treasuries. In addition, depositors who had relied on the U.S. government’s sovereign credit risk will now need to consider the bank’s credit risk.

Transaction Guarantee Program (TAG) Continuation Uncertain

A December 2, 2012 Wall Street Journal article reported the following:

On Jan. 1, a program that insures an unlimited amount of money in non-interest-bearing accounts will expire unless Washington moves to extend it. Without the Transaction Account Guarantee program, or TAG, an insurance cap resets to $250,000, affecting about $1.6 trillion in deposits.

And without insurance protection, depositors may be compelled to move amounts above $250,000 to other venues deemed safer, leaving the banks with less business.

The uncertainty surrounding TAG accounts is making it difficult for small banks to deal with year-end planning and is causing banks to slow lending until Congress resolves these issues.

Senator Harry Reid did propose legislation last week to extend the TAG program another two years.