We are considering allowing customers with US-based accounts to initiate EFTs to other US-based accounts (not housed at our institution) when the customer is not located in the US. Currently we prohibit the initiation of an EFT if our systems detect the customer is initiating it from a source not physically located in the US.

I can't find anything that addresses this specific type of activity since there is no cross-border transmission of funds. The whole concept seems risky to me but I'm getting pushback from the business side to find a regulatory restriction or precedent to prevent the practice. Otherwise they plan on green lighting the system change.

If anyone can provide some insight or direction I would appreciate it.

1. How many of your customers will actually use your ET services while not on US soil. How many of those customers will be using it for legitimate purposes in those situations.

2. Does this have to be a global change or can this be done on an individual customer level on specific request - like when they plan to be gone.

3. Most hacking and computer take-overs do not happen from domestic locations. I think the bank might as well just get their checkbook out.

You don't really say what size of a bank you are or what type of customer base that you have that would justify even thinking about this.

would they be using an online banking product to initiate the transfers? What type of security do you have for your OLB product? Are their per transfer or daily limits in place? Do you have a way to hold the payment request for verification before it is released? Does it take 2 users to initiate any online wire request? Does your OLB product look at the ISP of the sender to verify their location? Do you only accept from konwn ISP addresses?

1) All customers can do this
2) Online and mobile app
3) There are monitorings for monetary thresholds, velocity, etc. which creates a case for review that holds the transfer but they are the same as for domestic transactions
4) IP is monitored and currently does block for non-US IPs but once opened to the world that would be moot. Also, the ability to spoof addresses is really easy so even now we are only assuming that our IP verification steps are sufficient.