Bank custodial accounts could be penetrated by skilled computer hackers, although the likelihood is remote, consultants say.
And, some pension executives are concerned that outsiders could set up a bogus account and trick a pension fund's computers into sending automatic deposits into the account.
Concern about bank security measures has increased following recent press reports that hackers got into Citicorp's corporate cash management accounts. Indeed, pension executives increasingly are asking their bank representatives about the banks' security systems and procedural safeguards.
Executives at major custodial banks are reluctant to discuss their computerized account security systems for fear of encouraging hackers to test their skills against bank security. Still, most believe it is next to impossible for outsiders to gain unauthorized access to customer accounts and transfer funds without help from inside the bank.
"I'd think that (gaining access to custodial accounts) could be done," said a computer specialist at a consulting firm, who didn't want to be identified.
He said it "may be easier" to mess with custodial accounts than cash management accounts - because cash accounts are reconciled daily while many custodial accounts are reconciled on a monthly basis.
"But you would be caught," he said. "You might be able to do it, but it is a very difficult process. It would take inside help to provide information about security. If you tried through trial and error ... you can only dial in so many times without being kicked off the system."
But, "if the person is familiar with the security scheme of the bank and has specialized knowledge of how to get into the system via phone lines, they may try to download the password files and run a program to decode and crack the system."
"In some cases," he said, "you can generate a program called 'spoofing,' which looks like legitimate access, which makes the main computer believe you are a high-security customer. Strictly speaking, while it is difficult to do, all systems are penetrable ultimately."
Some pension funds have systems to prevent fraudulent transactions.
James O. Woods, executive director of the Louisiana State Employees' Retirement System, Baton Rouge, said his fund restricts access to the fund's computer system to "a few" insiders and changes its access codes every six weeks. In addition, he said, there is no outside telephone dial-in access to the system.
He said the fund, which distributes $260 million in benefit payments annually, is evaluating a system that would allow participants to use a program to provide them with information on their pension benefits.
"But we will be very careful to restrict access, and there will be no direct dial-in access to the system," he said.
Trust bankers and pension consultants say preventing illegal access to customer accounts is a matter of constant surveillance, preventing outside dial-in access and following established security procedures, including encryption, call-back procedures and restricted access.
"There is no truly fail-safe security system," conceded a master trust bank spokesman who wouldn't be identified. "Nothing is impossible, but most major master trust banks are as close to it (fail-safe) as we can get."
Richard Bort, president of Richard Bort & Associates, a Sherman Oaks, Calif., treasury management consultant, said that while it is extremely difficult for outsiders acting alone to gain unauthorized access to customer bank accounts, collusion from inside the bank makes such access much easier.
"As far as data security, you can keep out hackers to some extent. But if you have two people well placed and one of them is inside the bank, it would be difficult to prevent and it could be the sky is the limit," he said.
Mr. Bort said there is no reason for excessive concern, as long as clients and banks observe proper account monitoring and perform "appropriate due diligence."
One of the best security systems available is the call-back system, but it must be rigorously and properly used. With a call-back system, an authorized bank client calls the bank and hangs up the phone. The bank, using confidential access codes and a series of passwords, calls the client back to verify the identity of the caller before access is granted to an account.
And despite consultants' claims that custodial accounts are reconciled only monthly, some bank executives say the accounts are reconciled daily, with an audited report prepared monthly.
"Funds and transactions are reconciled daily; information is available for clients daily," said the master trust bank spokesman.
"They can get a very good feel for their accounts on a daily basis."
He also noted the bank uses data encryption and other safeguards he declined to divulge.
"In order to move securities from an account, we need authorization from the money managers, then we have our compliance people involved also. (An outsider) could probably get in and view the portfolio, but in terms of moving anything out, it's virtually impossible."
George C. White, president of White Papers Inc., a Montclair, N.J., electronic funds transfer consultant, said he doubts outsiders could gain unauthorized access to custodial accounts without inside assistance.
"I don't find the banks fearful in this area," said Mr. White. "They are more concerned about losses suffered in bad real estate loans."