
Combatting Fraud in Banking Payments

This course provides an overview of fraud risk management in payment systems, highlighting the prevalence of fraud in various payment methods and the need for organizations to mitigate risk. It also discusses the tactics used by criminals and provides tips to protect against identity theft.

paiva

Presentation Transcript


  1. How to Combat Fraud in the Banking Payment System • Kim A. Bruck, AAP, VP Risk Management, PaymentsNation • kim.bruck@paymentsnation.com • 602-443-2960 phone

  2. Disclaimer • This course provides a basic overview of fraud/risk management scenarios that may take place in the various payment systems. Handout material and seminar discussion are not intended to be used as legal advice. Conditions of use are within the control of individual users. There is no warranty, expressed or implied, in connection with making this handout available.

  3. AFP Study on Payments Fraud • 72 percent of organizations surveyed by the AFP experienced attempted or actual payments fraud in 2006, up from 68 percent in 2005. • According to the AFP, cheques continue to be the focus of criminal attacks, as 93 percent of organizations that experienced payments fraud in 2006 were victims of attempted cheque fraud. • Other payment methods targeted for fraud include ACH (Automated Clearing House) transfers; consumer credit cards; and corporate cards.

  4. AFP Study on Payments Fraud • The AFP says that 35 percent of organizations said they had experienced attempted or actual ACH fraud in 2006, with 17 percent reporting that they had suffered fraud involving consumer credit cards and 14 percent experiencing corporate card fraud. • In many cases, fraud is perpetrated internally, according to the AFP • Employees were responsible in about half of the cases involving fraud associated with the use of organizations' corporate cards last year, it says. • In addition, internal fraud appears to be an important factor in cheque and ACH fraud, the AFP report warns.

  5. Who are the Criminals? • FI & Corporate Insiders • Independent Operators • Organized Crime • Use of “Runners” • Homeless • Students • Criminals are going to look for the path of least resistance!

  6. Are you at Risk for ID Theft? • I carry my Social Security Card in my wallet (10) • I use an unlocked, open box at work or at home to drop off my outgoing mail (10) • I do not cross-cut shred banking and credit information when I throw it in the trash (10) • I do not cross-cut shred pre-approved applications (10) • I do not cross-cut shred convenience checks (10) • I provide my SSN whenever asked, without asking questions as to how that information will be safeguarded (10) • If you provide your SSN orally without checking to see who might be listening (5) • I am required to use my SSN at work as an employee or student I.D. number (5) • I have my SSN or Driver’s License number printed on my personal checks (20) • I carry my insurance card in my wallet and either my SSN or that of my spouse is the ID# (20) • I have not ordered a copy of my credit reports for the past 2 years (10) • I do not believe that people would root around in my trash looking for credit or financial information (10)

  7. Mitigating Risk in Payments Fraud • Know your employees • Use peer review • Audit regularly • Respect system security

  8. Corporations are Responsible for Mitigating Risk in Payments Fraud • Who in the organization should have responsibility for originating transactions or approving transactions? • One user creates a transaction and another user approves it • There should be detailed reporting of all transactions originated in the system, with comprehensive audit trails to show every user who touched the transaction • Rich user entitlement and audit trails are going to help when it comes to Sarbanes-Oxley compliance • Sticky notes are a great invention, but consider the risk if you use them to decorate your computer with passwords

  9. In the News • Identity Theft: The 'Business Bust-Out' • A criminal rents space in the same building as your company • Applies for corporate credit cards using your firm's name • The application passes a credit check because the company name and address match, but the cards are delivered to the criminal's mailbox • He sells them on the street and vanishes before you discover your firm's credit is wrecked. • The so-called "business bust-out" scam is one way sophisticated criminals steal business identities across the country • Identity thieves increasingly target businesses instead of individuals, experts and law enforcement officials say, but federal law and many state statutes don't consider business identity theft a crime. That's because the raft of identity theft laws passed in the last decade apply mostly to individual consumers -- not business entities. • While business identity theft can often be prosecuted under other statutes, like mail fraud or wire fraud, businesses victimized lose many of the protections afforded to consumers under identity theft laws, like access to information about their credit

  10. Combating ID Theft: A Corporate Perspective • Politicians, reacting to public outrage, have also framed ID theft as a consumer protection issue and are placing much of the responsibility on the shoulders of business • When someone steals sensitive consumer information from an organization, that person is actually robbing the organization of three valuable assets: business information, brand value and self-determination for IT investments.

  11. Corporate Fraud • According to the Association of Certified Fraud Examiners, the typical U.S. organization loses 6% of annual revenue to fraud • That’s $660 billion in yearly losses nationwide • May be higher as many companies don’t report fraud • Proper procedures and tools, however, can help prevent many workplace crimes • Businesses unable or unwilling to identify and control such problems do so at their own risk

  12. Human Resources • Hiring Policy/Background Check/Screening • Verification of SS# for employers, more info at www.ssa.gov/employer/ssnv/htm • Screen cleaning service & temporary firms you use • Enforce vacation policies • Keep personal information of employees/customers in locked files

  13. Internal Policies and Procedures • Ethics policies should clearly detail what you consider to be illegal, improper and fraudulent behavior • New employees should receive and sign statements that delineate what they can and can’t do • Educate existing and new employees, including executives, about the use of such policies and the penalties for defying them, and update such training annually

  14. Separate Duties • It’s critical to separate financial tasks among several employees • Budgetary cutbacks and downsizing, however, often result in the same person handling multiple procedures such as taking orders, readying invoices and documenting transactions • Compounding such an invitation to fraud is when those same employees, fearing that other employees might discover their deeds, work unusually late and on weekends • Requiring all employees to take vacations often uncovers fraud that your “best employees” perpetrate

  15. Fraud Hotline • Independence • Operations should be independent from corporate management • Privacy • Consult with legal counsel on privacy protections • Tracking • Assign a secure tracking system • Investigations & Reporting • Decisions to investigate should be made on case by case basis

  16. Blow the Whistle • Because whistle blowers expose a large percentage of frauds, 24 hour tip lines encourage employees to report potential offenses that security professionals can investigate. • Publicize the confidentiality and anonymity of fraud prevention hotlines, which are most effective and secure when outside subscription services run them. • Keeping employees abreast of such reporting mechanisms demonstrates your intolerance for fraud and limits would-be corporate villains’ opportunities.

  17. Online Attacks Common for Business According to FBI Survey • Attacks cost companies an average $24,000 • Nearly nine out of 10 U.S. businesses suffered from a computer virus, spyware or other online attack in 2005 despite widespread use of security software • Some 44% of attacks came from within the organization, the survey found • Of those coming from outside, nearly a quarter could be traced to China

  18. Data Breaches • Via hacking, stealing actual computers and hard drives, stealing laptops or skimming devices • More & more thieves are sitting on data hoping to use it later • Who? • Universities, Government Agencies, Public Companies, Nonprofits, Financial Institutions, Call Centers out of the Country (India)

  19. Data Security Preventive Tips • Implement data and security programs to safeguard consumer records • Example: Encryption • Notify authorities when a security breach occurs and make public notification if there is a likely chance that the stolen data has been or will be misused

  20. Encryption • Encryption is the best and only true way to protect sensitive information such as consumer data from unauthorized access • A particularly powerful method for securing data at the perimeter of the corporate network, where it often leaves the office on laptops, PDAs and removable storage devices • Any organization that uses encryption to secure data will have a ready response for authorities and the public in the event of a security breach • One of the most comprehensive and cost-effective methods for managing compliance with data security regulations

  21. Protecting the Corporate Data • Protecting private information looms large as a crucial corporate challenge. • Is your company vulnerable to loss or theft of critical and private information? • Is your private customer data safe and secure? • Web security is essential to protect a company's own private information and must protect confidential information about its customers. • Preventing Fraud • Guarding electronic information is more difficult. • It's challenging to maintain security and keep up with technological innovations • New technology devices being used for illegal purposes • Keystroke Logger

  22. Protecting the Corporate Data • Measures that can be taken to control data stored on electronic media • Sensitive data files to portable disk and back up with another disk • Store backup files offsite • Sensitive magnetic media • Password protection • Consistent backup protection • Training and Monitoring • Confidential or personal information should never be sent in e-mail messages, since it is not a secure method of transmitting data

  23. Your Information on the Internet • Public records such as divorce documents, real estate records and more • State of Arizona new law 1/1/07 shall no longer contain more than 5 numbers of SSN and shall not contain an individual’s • Credit, Debit or Charge Card Numbers • Retirement Account Numbers • Savings, Checking or Securities Entitlement Account Numbers

  24. The Convenience of Wireless

  25. Check Fraud

  26. Your Account Number • So how did they get my account number? • You wrote them a check • They stole your statement via mail • You received a check and deposited the check • For Deposit Only and Your Acct # • Access your account online • Check images with your account number and signature • ImageMask product from 41st Parameter www.the41.com • Blurs sensitive data in scanned documents that are accessed online

  27. In the News • The FDIC has been receiving an increasing number of reports from financial institutions, businesses and consumers that counterfeit business checks are in circulation. • Scams that make use of counterfeit business checks typically involve bogus lotteries, sweepstakes or contests, and overpayment for merchandise purchased – often over the Internet • In recent examples, counterfeit business checks have displayed the names of well-known and recognizable businesses

  28. In the News – Giving the Bounce to Counterfeit Check Scams • It’s your lucky day! You just won a foreign lottery! The letter says so. And the cashier’s check to cover the taxes and fees is included. All you have to do to get your winnings is deposit the check and wire the money to the sender to pay the taxes and fees. You’re guaranteed that when they get your payment, you’ll get your prize. • http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre40.htm and http://www.ftc.gov/opa/2007/02/fyi0716.htm

  29. In the News – Avoiding Cashier’s Check Fraud • OCC Consumer Advisory on Avoiding Cashier’s Check Fraud gives you information on some common scams and some steps you can take to avoid becoming a victim. • Although this advisory focuses on cashier’s checks, you may find the information useful if you transact business using other official bank instruments, such as money orders and official checks. • http://www2.fdic.gov/idasp/main_bankfind.asp

  30. Can a US Citizen play the lottery in another country? • Federal Statute: Racketeering • TITLE 18 > PART I > CHAPTER 95 - Racketeering > § 1953. Interstate transportation of wagering paraphernalia • Release date: 2005-08-03 • (a) Whoever, except a common carrier in the usual course of its business, knowingly carries or sends in interstate or foreign commerce any record, paraphernalia, ticket, certificate, bills, slip, token, paper, writing, or other device used, or to be used, or adapted, devised, or designed for use in (a) bookmaking; or (b) wagering pools with respect to a sporting event; or (c) in a numbers, policy, bolita, or similar game shall be fined under this title or imprisoned for not more than five years or both

  31. Check Washing • Would you hand a complete stranger a blank check? Of course not. But that's practically what happens to victims of check washing. • Americans lose as much as $800 million to this thieving scheme each year. • Each month, most of us send hundreds of dollars' worth of checks in the mail. Nearly all of them make it to their destination. But if one of those checks got into the wrong hands, there's no telling how much money you could lose. • Through a crime called check washing, crooks wipe the ink off your check and make it out to themselves. • But technology is making the life of a crook harder. • New pens and built-in check protection claim to make the scheme nearly impossible.

  32. Check Security Measures • Deter check fraud by making checks difficult to copy, alter or counterfeit • Watermarks • Most are subtle designs on front/back • Not easily visible, unless held up to light at 45 degree angle • Protection from counterfeiting because copiers and scanners generally cannot accurately copy watermarks • Copy Void • When photocopied, the pattern changes and the word VOID appears, making the copy nonnegotiable • Chemical Void • When chemicals are applied, the treatment causes the word VOID to appear, making the item nonnegotiable • Checks treated cannot be altered without detection

  33. Check Security Measures • High Resolution Micro-printing • When magnified, the line or pattern contains series of words that run together or become totally illegible if the check has been photocopied or scanned with a desktop scanner • Three Dimension • Metallic Stripe (similar to credit card) • Items are difficult to forge, scan or reproduce because they are produced by a sophisticated laser-based etching process • Security Inks • Reduce a forger’s ability to modify printed dollar amount or alter the designated payee • When solvents are applied, a chemical reaction with the security ink distorts the appearance of the check • Very difficult to alter without detection

  34. Check Security Measures • Optical Variable Ink (OVI) • Special ink containing small flakes of film that change color as it is being viewed from different angles • Not easily obtained, making it expensive and difficult to counterfeit • Used on US Currency • Thermochromic Ink • Heat sensitive and will fade and eventually disappear as the temperature increases; as the temperature decreases from the raised level, the ink will reappear • Check Fraud & ID Theft Document for more info on check securities • www.abagnale.com

  35. Image-Survivable Security Features • PaymentsNation registry for image-survivable security features • PaymentsNation will be the sole provider and operator of this industry-wide risk management tool designed to combat check fraud using image-survivable security features. • ISCF – SIG Website • www.stopcheckfraud.org (members only)

  36. Ten Tips: Preventing Corporate Fraud • Set an ethical tone that starts from the top • Establish regular fraud detection procedures • Have a hotline www.fdic.gov/news/news/financial/2005/fil8005.html • Educate employees about fraud • Have Certified Fraud Examiner on Staff • Involve your suppliers in your fraud detection efforts • Take all tips seriously and investigate • Decide who will be notified about tips • Conduct background checks • Have oversight by member of senior management and the board

  37. Uniform Commercial Code • Since the revision of the UCC, banks are no longer 100% liable for check fraud incidents • UCC Section 3-406 introduced the term “ordinary care”. • Under this section, the accountholder is restricted from seeking restitution if their failure to exercise ordinary care (e.g. in their internal processes and procedures) contributed to the forged or altered check. • In UCC sections 3-406B and 4-406E, the concept of comparative negligence could place liability on the account holder, in many cases the company itself. • The liability is allocated according to the degree to which the bank and accountholder failed to provide ordinary care. This means that companies can be held accountable if their actions or inaction to prevent check fraud fail and result in a monetary loss to employees or the bank.

  38. UCC & Corporate Check Fraud • FIs are not usually liable unless they act negligently • Check law training from PaymentsNation • Summary of UCC regarding check fraud • www.law.cornell.edu/ucc/ • Search specific topic • White Paper – Check Fraud, The UCC and YOU • http://www.acom.com/micr_lib/news001.htm • How is corporate check fraud committed so easily? • Once fraudsters acquire a “good” account they can create check fraud at will

  39. “Why is my company potentially liable for a fraud incident?” • Lack of security control for the storage of “check stock” • Lack of timely bank account reconciliation for payroll & accounts payable • Lack of secure control over storage and access to signature stamps or machines • Lack of signature verification on “canceled checks” during reconciliation process • Lack of timely reporting of potential “check fraud” occurrences to your FI • Lack of paper safety features in your check paper stock • Lack of procedures within your company that contributes to a forged signature or amount alteration • Lack of supplying current documentation to your FI on authorized signers • It is up to each company to prepare to defend itself against the lack of “ordinary care” procedures within their organization.

  40. How can I best protect the interests of my company against check fraud? • Unfortunately there is no guaranteed method of protecting your company against check fraud, but the following suggestions are recommended to you as a starter: • Contact your FI and ask for a written copy of their suggested procedures regarding check fraud prevention, check stock considerations and check reconciliation processes that they expect you to follow. • Written procedures they follow to reduce check fraud (back office “ordinary care” activities) • Positive Pay – a key fraud-fighting tool for disbursement accounts • Implement Internal & External Procedures • Check Security Features • Use of Electronic Payments

  41. Positive Pay • What’s new in Positive Pay? • Teller Positive Pay • Decision made at teller line • Payee Positive Pay • What if the criminal adds a payee name, alters a payee name • Image Positive Pay • Review front and back of checks • Per Frank Abagnale • Positive pay is the best product in 25 years to deal with the problem of forged, altered and counterfeit checks
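How the Payee Positive Pay decision on this slide can be made, as an added example that is not part of the presentation: the bank compares each presented check against the issue file the company sent. The `Check` layout, the `PositivePay` class, the exception names and all sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PAY = "pay"
    NOT_ISSUED = "serial not in issue file: possible counterfeit"
    AMOUNT_MISMATCH = "amount differs from issue file: possible alteration"
    PAYEE_MISMATCH = "payee differs from issue file: added or altered payee"
    ALREADY_PAID = "serial already paid: possible duplicate presentment"


@dataclass(frozen=True)
class Check:
    account: str
    serial: str
    amount_cents: int  # integer cents, so comparisons are exact
    payee: str


def normalize_payee(name: str) -> str:
    """Fold case, punctuation and spacing so formatting noise is not an exception."""
    return " ".join(re.sub(r"[^\w\s]", " ", name.casefold()).split())


class PositivePay:
    def __init__(self, issue_file):
        self._issued = {(c.account, c.serial): c for c in issue_file}
        self._paid = set()

    def present(self, item: Check) -> Decision:
        key = (item.account, item.serial)
        issued = self._issued.get(key)
        if issued is None:
            return Decision.NOT_ISSUED
        if key in self._paid:
            return Decision.ALREADY_PAID
        if item.amount_cents != issued.amount_cents:
            return Decision.AMOUNT_MISMATCH
        # Payee Positive Pay: the whole payee line must match, so an added
        # "or J. Doe" is an exception even though the original name is present.
        if normalize_payee(item.payee) != normalize_payee(issued.payee):
            return Decision.PAYEE_MISMATCH
        self._paid.add(key)
        return Decision.PAY


# Constructed sample data (account number, serials and payees are made up).
ACCT = "0012345678"
ISSUE_FILE = [
    Check(ACCT, "1001", 125_000, "Acme Supply Co"),
    Check(ACCT, "1002", 48_250, "Desert Office Products"),
    Check(ACCT, "1003", 9_900, "City Water Dept"),
]
PRESENTED = [
    Check(ACCT, "1001", 125_000, "ACME SUPPLY, CO."),          # formatting only
    Check(ACCT, "1002", 848_250, "Desert Office Products"),    # amount raised
    Check(ACCT, "1003", 9_900, "City Water Dept or J. Doe"),   # payee added
    Check(ACCT, "1001", 125_000, "Acme Supply Co"),            # presented again
    Check(ACCT, "2044", 300_000, "Acme Supply Co"),            # never issued
]


def review(issue_file, presented):
    """Return (serial, Decision) for every presented item, in order."""
    bank = PositivePay(issue_file)
    return [(item.serial, bank.present(item)) for item in presented]
```

Every result other than `PAY` is an exception item that goes back to the company for a pay or return decision.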

  42. Internal Procedures for your Company • Consider moving check disbursement activity to electronic payment • Food for Thought… • An employee takes their payroll check to cash, maybe at a retail store, supermarket or check-cashing store – think about the many places they cash their check and how an unethical employee at one of those places may photocopy the check and use your account number and routing number. • What about a disgruntled or recently fired employee who was paid by check? • What about all the companies you pay by check: do you really want them having your ABA and account number?

  43. Insider - Preventive Measures • New Employees • Background Check • www.myspace.com • Social Security Employee Verification Service Publication No 20-004 • Fingerprinting • Criminal Record Check • Credit Report • Chex Systems • Maintain Separation of functions • Dual Controls

  44. Remote Deposit Capture Risks • There is risk in remote deposit ranging from poor image quality to duplicate check processing, either innocently if the check is accidentally scanned twice, or malevolently if it’s both scanned and physically deposited. • With corporate customers now keying the check amounts there’s also the risk of incorrect encoding. • To address these risks, remote deposit applications should have image quality assessment capabilities with standards that can be controlled by the bank. • Many remote deposit applications have functionality to prevent the checks until they are destroyed. • Amount recognition technology can address some of the issues around the keying of the dollar amounts and deposit balancing features can help point out discrepancies.
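One way a remote deposit application can flag the duplicate and mis-keyed items described on this slide, as an added example that is not part of the presentation. Identifying a check by its MICR routing, account and serial fields is an assumption, as are the record layouts and the sample deposits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Deposit:
    deposit_id: str
    channel: str       # "remote" (scanned by the customer) or "branch" (paper)
    routing: str
    account: str
    serial: str
    amount_cents: int  # for remote items, the amount the customer keyed


@dataclass(frozen=True)
class Finding:
    deposit_id: str
    duplicate_of: str
    kind: str          # "same-channel" or "cross-channel"
    amounts_match: bool


def micr_key(d: Deposit):
    """Identify the physical check by its MICR fields, ignoring serial zero padding."""
    return (d.routing, d.account, d.serial.lstrip("0") or "0")


def find_duplicates(deposits):
    """Flag every deposit whose check was already seen, in arrival order."""
    first_seen = {}
    findings = []
    for d in deposits:
        key = micr_key(d)
        prior = first_seen.get(key)
        if prior is None:
            first_seen[key] = d  # first time this check has been deposited
            continue
        # Same channel suggests a re-scan; a different channel means the item
        # was both imaged and deposited on paper. Both go to manual review.
        kind = "same-channel" if prior.channel == d.channel else "cross-channel"
        # A differing amount on the same check points to a keying error.
        findings.append(Finding(d.deposit_id, prior.deposit_id, kind,
                                prior.amount_cents == d.amount_cents))
    return findings


# Constructed sample deposits (routing and account numbers are made up).
DEPOSITS = [
    Deposit("D1", "remote", "000000001", "5550001", "0001001", 125_000),
    Deposit("D2", "remote", "000000001", "5550001", "1001", 125_000),
    Deposit("D3", "branch", "000000001", "5550002", "2040", 48_250),
    Deposit("D4", "remote", "000000001", "5550002", "2040", 48_520),
    Deposit("D5", "remote", "000000001", "5550003", "77", 1_000),
]
```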

  45. www.fakechecks.org

  46. ACH Fraud

  47. Who Are the Participants? • Originator • Entity that agrees to initiate ACH entries into the payment system according to an arrangement with a Receiver • Originating Depository Financial Institution (ODFI) • Receives payment instructions from Originators and forwards the entries to the ACH Operator • ACH Operator • Central clearing facility operated by Federal Reserve Bank or Electronic Payments Network on behalf of DFIs • Receiving Depository Financial Institution (RDFI) • Receives ACH entries from the ACH Operator and posts the entries to accounts of the depositors (Receivers) • Receiver • Natural person or an organization which has authorized an Originator to initiate an ACH entry to the Receiver’s account with the RDFI • May be company or consumer

  48. How the ACH Transaction Flow Works • Standard Entry Class Codes • Third Parties

  49. Standard Entry Class Codes • Rules based on the Standard Entry Class Codes • Authorization Requirements, Return Time Frames, etc. • PPD – Prearranged Payment & Deposit Entry • RCK – Represented Check Entry • WEB – Internet Initiated Entry • TEL – Telephone Initiated Entry • ARC – Accounts Receivable Entry • POP – Point of Purchase • CCD – Cash Concentration Disbursement • BOC – Back Office Conversion
