Corporate Account Takeover

On March 17, 2010, cyber thieves hacked into the computers of Choice Escrow and stole the login ID and password to their online banking account. With that information, the thieves were able to submit a $440,000 wire transfer from Choice Escrow’s bank account to an account in Cyprus.


When Choice Escrow and the bank were unable to resolve their differences, Choice Escrow filed suit. The back-and-forth legal battle lasted until March 18, 2013, when a court ruled the loss was the responsibility of Choice Escrow. A major determining factor in the decision was Choice Escrow’s refusal of the dual control security mechanism offered by BancorpSouth Bank. According to Article 4A of the Uniform Commercial Code, if an institution offers a reasonable security procedure to a commercial customer and that customer turns down that security procedure, then the customer is liable in the event of a loss.

BancorpSouth Bank offered dual control to Choice Escrow twice. Not only did the bank offer this security feature to Choice Escrow, but BancorpSouth also documented the customer’s refusal to use it. That documentation was a determining factor in this case. From a bank’s perspective, this case underscores the importance of a written agreement with commercial online banking customers and, more importantly, the importance of documenting the security procedures offered to those customers. From a user’s perspective, the case highlights the need to use the security procedures offered.

Corporate Account Takeover

Corporate account takeover is a term that has become more prevalent in recent years. Generally speaking, corporate account takeover occurs when an unauthorized person or entity gains access to or control over another entity’s finances or bank accounts. This usually results in the theft of money in the form of fraudulent wire transfers or ACH transactions.

These fraud schemes first began to be noticed in 2005 but have since become much more widespread and frequent. Recent statistics have revealed that the fraudsters carrying out these schemes are actually becoming less successful in getting money out of a bank account. This reduction is due both to increased efforts on the part of the financial institutions and to better education of customers, which helps them avoid becoming a target.

Usually, the targets of the attack are not the financial institutions themselves but rather the corporate customers of the institution. Using malware, social engineering and various other methods, the fraudster obtains the customer’s online banking credentials. Once the credentials have been obtained, the thief places a request for wire or ACH transfers. Any business may be targeted for these types of attacks, but those most at risk are small businesses, governments, and nonprofits that have limited resources to protect against such threats.

This Post Contributed by John McLeod

This post was contributed by John McLeod, one of my firm associates who audits financial institutions and specializes in technology issues. John is a CPA and is CISA certified. He often speaks to banking groups about technology and internal controls. You can reach him at jmcleod@mmmcpa.com.

Debt Covenants Changing?

Will debt covenants of some U.S. companies change in the near future? I think so.

Two dynamics will drive these changes.

  1. The lease accounting standard
  2. Use of the AICPA Financial Reporting Framework for Small- to Medium-Sized Entities (FRF for SME) – a new “other comprehensive basis of accounting”

The lease standard has not yet been adopted by FASB, but it looks like it will be in the near future. If leases with a term of more than twelve months are recorded as lease liabilities (as presently proposed), then the debt-to-equity ratio of some companies will be non-compliant with existing covenants. This change in lease accounting will be an impetus to changing debt agreements.

The second cause of changing debt covenants is the AICPA’s issuance of FRF for SME, a new other comprehensive basis of accounting that can be used by small- to medium-sized private companies. If debt covenants presently require GAAP, then debt agreements will need to be amended in order for companies to use FRF for SME.

What do you think? Will these factors result in changes to debt covenants?