After the September 11 terrorist attacks turned the Cortlandt Street offices of New York City's Municipal Credit Union into a disaster zone, ATM network queries to the credit union's data center went unanswered. Nevertheless, MCU's management decided to let NYCE, its ATM network processor, authorize offline transactions.
Until the credit union went back online in early November, NYCE was unable to retrieve current account balances. During that time, approximately 4,000 members of the credit union overdrew their accounts by a reported $15 million dollars in total.
In effect, Automated Teller Machines became Unattended Cash Dispensers. "It seemed like playing a very positive slot machine," said Susan Zawodniak, vice president and executive director of the NYCE Network. NYCE is a majority-owned subsidiary of First Data Corp., Greenwood Village, Colo.
From the customer's perspective, the ATMs didn't print balances on the receipts nor did balance inquiries work, said Zawodniak.
But for many Municipal Credit Union customers the temptation was apparently too great, so they made withdrawals and debit card transactions. Again and again. Over 100 members of Municipal Credit Union have been arrested and are awaiting trial on felony charges of grand larceny.
"It's a prime example of how no good deed goes unpunished," said Manhattan District Attorney Robert Morgenthau. MCU's counsel did not respond to requests for an interview.
SAFEGUARDS IN PLACE
Naturally, there was no free lunch. To begin, even if a card-issuing bank suffers a severe operational failure, all financial transactions at ATMs are recorded within the machine itself.
"There's always a journal, whether it's paper or electronic, that can record a transaction," said Jeff Davison, president of Gasper, a Dayton, Ohio-based provider of ATM and network monitoring services.
What's more, NYCE's "stand-in transaction" services include diligent record-keeping and periodic updates.
"We stand in and provide authorizations or declines, as the case may be, depending on the card issuer's options that they have previously established at our switch," said Zawodniak.
"Those options include daily limits on point-of-sale (POS) transactions and cash transactions, and then an overall daily limit," Zawodniak added.
This functionality is most commonly used by banks to ensure that routine maintenance doesn't cause service outages.
But since NYCE only maintains information about "bins" of ATM accounts, it can't authorize account-level decisions.
Although a bank might have "premium" and "standard" customers with daily limits set according to their status, NYCE doesn't track the current balances in specific accounts, nor can it make a decision about a specific customer independently of the bank.
"You need to get the ongoing activity coming in, not just the EFT activity, but the checks that are clearing, the automated deposits that are coming in," said Zawodniak. "It's all of those things that would have to come together."
Yet NYCE does protect its bank clients with PIN validation services and verification against a negative file of lost, stolen or misused ATM account numbers.
"Municipal did have both negative file and PIN validation services in place with NYCE," said Zawodniak. "That's one way you contain or reduce risk."
Furthermore, NYCE's standard service offering includes suspicious activity detection and reporting services from Fair Isaac (formerly HNC) CardAlert Services. But that's primarily designed to detect "multi-card, multi-institution, large-scale fraud events that are related to counterfeiting," said Keir Breitenfeld, senior product manager at Fair Isaac.
For instance, in cases where ATMs were rigged to steal card data, CardAlert kicked out thousands of account numbers to place on the negative file.
"We do have the luxury of detecting other anomalies or other patterns of usage that look suspicious," said Breitenfeld.
"However, that's not our mission or our contractual purpose."
Indeed, a fraud alert service cannot directly act upon its suspicions, no matter how well-founded. Only the bank can shut off service to a particular account.
Yet not all banks are prepared for dealing with a high volume of fraud activity.
"Certain institutions have implemented a process where we'll send a file of card numbers that they need to 'status' (i.e., deactivate)," said Breitenfeld.
"The larger the financial institution, the more beneficial it is for them to implement an automated process to handle larger reports from us."
So far, MCU has recovered, on paper, about half of its losses, in part by converting a portion of the unauthorized ATM withdrawals into unsecured consumer loans.
"Municipal bent over backwards to try to make it easier for these people to repay the money," said Zawodniak. "They took the absolute high road, in my view."
But despite acting in the best interests of its customers and of the city, MCU cannot expect reimbursement from its insurance policy with CUNA Mutual Group, according to a National Credit Union Administration report.
Once Municipal Credit Union made the conscious decision to authorize offline transactions, it was no longer covered under the policy.
The incident brings up the prospect that banks facing the aftermath of any future emergency, whether from natural or man-made events, might refrain from providing access to funds for fear of sustaining uninsured losses.
In response, industry leaders urge adoption of business continuity plans that can prevent extended service outages from occurring in the first place.
But hot backups and mirrored, off-site data recovery centers (see Feature Story, page 36) aren't practical for every type of financial institution.
Several disaster recovery procedures can help a bank avoid trouble during unanticipated downtime.
First, even if reconciliation has to be delayed, it's usually possible to scan the transaction log for unusual activity.
Second, fraud detection services should be an integral component of a disaster recovery plan.
And third, systems and processes should be developed to quickly refresh the negative file during an outage.