Skip Navigation Kingsley State Bank

Corporate Account Takeover (CATO)

Corporate Account Takeover is a type of business identity theft where cyber thieves gain control of a business’ bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves.


Businesses across the United States have suffered large financial losses from electronic crimes through the banking system. These thefts have ranged from a few thousand to several million dollars. They have occurred in banks of all sizes and locations. And, they may not be covered by the bank’s insurance. Along with the financial impact, there is also a very high level of reputation risk for financial institutions.

Recognizing the importance of having banker developed practices specifically to assist the banking industry, the Conference of State Bank Supervisors (CSBS) and the Financial Services – Information Sharing and Analysis Center (FS-ISAC) have joined with the United States Secret Service (US Secret Service) and Texas Department of Banking to make practices for mitigating the risks of Corporate Account Takeover available to financial institutions nationwide.

The Task Force developed a list of nineteen processes and controls for reducing risk of Corporate Account Takeovers. These processes and controls expand upon a three-part risk management framework developed by the FS-ISAC, the US Secret Service, the Federal Bureau of Investigation, and the Internet Crime Complaint (IC3)1. Fundamentally, a bank should implement processes and controls centered on three core elements: Protect; Detect; and Respond.

The Task Force has also compiled a set of best practices for each of the recommended processes and controls under the Protect, Detect, and Respond framework. These best practices are not an all-inclusive list and are provided as guidance to assist in implementing the nineteen processes and controls needed to reduce the risk of Corporate Account Takeover thefts. The Federal Financial Institutions Examination Council’s (FFIEC) Supplement to Authentication in an Internet Banking Environment2 (FFIEC Supplemental Guidance) issued on June 28, 2011, conveys minimum expectations with are noted within this document. It is important to remember that electronic crimes are dynamic as cyber criminals continually change their techniques. Additional changes in risk management processes and controls will be necessary as this type of theft continues to evolve.

1 Refer to the jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” available on the IC3 and FS-ISAC websites (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf) of the FS-ISAC website (http://www.fsisac.com/files/public/db/p265.pdf).

2 The FFIEC Guidance is available at (http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formatted.pdf")

RESOURCES FOR BUSINESS ACCOUNT HOLDERS

EXAMPLES OF DECEPTIVE WAY CRIMINALS CONTACT ACCOUNT HOLDERS

INCIDENT RESPONSE PLANS

INFORMATION SECURITY LAWS AND STANDARDS AFFECTING BUSINESS OWNERS

Although banks are not responsible for ensuring their account holders comply with information security laws, making business owners aware of consequences for non-compliance if the information is breached can reinforce the message that they need to maintain stronger security. Breaches of credit and debit card information can create financial and reputational risks for the business.

When providing security awareness educations to corporate customers, banks may want to also alert business owners of the need to safeguard their own customers’ sensitive information. State statutes related to safeguarding customer information could be provided as part of the educations process.

The Payment Card Industry Security Standards Council was launched in 2006 to manage security standards related to card processing. Any merchant that accepts credit or debit cards for payment is required to secure their date based on the standards developed by the council. The PCI Security Standards Council website: https://www.pcisecuritystandards.org/security_standards/index.php; notes that noncompliance may lead to lawsuits, cancelled accounts, and monetary fines. The website provides information for small business compliance.