After a keystroke logger took over a customer's computer and redirected $160,000 in ACH payments to unauthorized recipients during summer 2010, Chattanooga, Tenn.-based CapitalMark Bank & Trust realized that traditional cash management best practices weren't always good enough. "Our customer's bookkeeper logged in from an unsecure home computer," recalls CapitalMark's Barry Rich, CFO of the de novo institution, which was founded in 2007.
"The hacker had obtained all of the control data needed to mimic authorized transactions," he continues. "We were able to recover about half of the funds before they were disbursed. But the incident led to significant legal expenses for settling with the customer out of court."
With its business model built around electronic banking rather than branch banking, CapitalMark ($719 million in total assets) needed better ACH and wire services protections — fast. "Because we leverage electronic banking similar to banks twice our size, improving protections was imperative," acknowledges Rich. "And due to the U.S. Secret Service's involvement, we'd learned we needed an out-of-band solution, that is, one that uses a channel separate from the payments processing channel to mitigate the takeover risk."
Coincidentally, CapitalMark was working with a local start-up, ACH Alert (Ooltewah, Tenn.), on a related technology that ultimately proved incompatible with the bank's core systems. "But we saw the potential in that solution to solve our ACH/wires challenges," says Rich.
Initially, CapitalMark's internal team attempted to modify the ACH Alert solution, according to Rich, but the bank then decided to approach the vendor. By early fall 2010 ACH Alert agreed to create a completely new solution based on CapitalMark's experiences. Near the end of the year, ACH Alert installed the first beta iteration of what would be known as C.O.P.S., short for Credit Origination Positive-Pay Services. "Originally, we installed it on an existing physical server," notes Pratt Lewis, technology and operations director at CapitalMark. "Since then we've moved it into our virtual environment."
[Fiserv Partners With Earthport on Global ACH Payments.]
Essentially, C.O.P.S. compares every outgoing ACH and wire to a white list of recipients that a financial institution sets up for each originating customer. Exceptions to the white list trigger an alert to the bank as well as to the originator, requiring manual intervention to release the funds.
After ACH Alert refined the solution based on CapitalMark's feedback, C.O.P.S. went live at the institution successfully in April 2011 and issued its first alert within weeks, reports Rich. "To date, we've turned back close to a million dollars in attempted thefts — from as far away as Australia and as close as across town," he says.
So far, the solution has proven extremely reliable and low-maintenance, according to Lewis. "It just runs," he says.
And CapitalMark's regulatory and risk management positions have improved. "Our regulators are very pleased," Rich affirms. "C.O.P.S. has definitely mitigated risks."
But, Rich notes, solutions such as C.O.P.S. can't remain static. "No product that's effective today will stay effective," he insists. "That's why an important piece of our relationship with ACH Alert is the assistance they provide with looking down the road."
Indeed, CapitalMark and ACH Alert will be discussing ways to enhance the system, including implementing biometrics, electronic keys or live video chats. "It would be great to use Apple's [Cupertino, Calif.] FaceTime or similar technology so we could see who is calling in the authorization after an alert," says Rich.
In the meantime, CapitalMark stands behind C.O.P.S. "If you're not using out-of-band authentication and you wind up in court, you'll likely discover you're taking an unacceptable risk," Rich points out. "It's no fun having an attorney grill you during depositions. It's infinitely better to be on top of the curve."
CASE STUDY SNAPSHOT
Institution: CapitalMark Bank & Trust (Chattanooga, Tenn.)
Assets: $719 million.
Business Challenge: Improve ACH and wire transfer security with out-of-band authentication.
Solution: ACH Alert's (Ooltewah, Tenn.) C.O.P.S. (Credit Origination Positive-Pay Services) payment origination anti-theft solution.