How to Combat Fraud in the Banking Payment System Kim A. Bruck, AAP, VP Risk Management, PaymentsNation kim.bruck@paymentsnation.com 602-443-2960 phone

About This Presentation

Title:

How to Combat Fraud in the Banking Payment System Kim A. Bruck, AAP, VP Risk Management, PaymentsNation kim.bruck@paymentsnation.com 602-443-2960 phone

Description:

How to Combat Fraud in the Banking Payment System Kim A. Bruck, AAP, VP Risk Management, PaymentsNation kim.bruck_at_paymentsnation.com 602-443-2960 phone – PowerPoint PPT presentation

Number of Views:482

Avg rating:3.0/5.0

Slides: 92

Provided by: KimB69

Category:

more less

Transcript and Presenter's Notes

Title: How to Combat Fraud in the Banking Payment System Kim A. Bruck, AAP, VP Risk Management, PaymentsNation kim.bruck@paymentsnation.com 602-443-2960 phone

1
How to Combat Fraud in the Banking Payment
SystemKim A. Bruck, AAP, VP Risk Management,
PaymentsNation kim.bruck_at_paymentsnation.com
602-443-2960 phone
2
Disclaimer

This course provides a basic overview of
fraud/risk management scenarios that may take
place in the various payment systems. Handout
material and seminar discussion are not intended
to be used as legal advice. Conditions of use
are within the control of individual users.
There is no warranty, expressed or implied, in
connection with making this handout available.

3
AFP Study on Payments Fraud

72 percent of organizations surveyed by the AFP
experienced attempted or actual payments fraud in
2006, up from 68 percent in 2005.
According to the AFP, cheques continue to be the
focus of criminal attacks, as 93 percent of
organizations that experienced payments fraud in
2006 were victims of attempted cheque fraud.
Other payment methods targeted for fraud include
ACH (Automated Clearing House) transfers
consumer credit cards and corporate cards.

4
AFP Study on Payments Fraud

The AFP says that 35 percent of organizations
said they had experienced attempted or actual ACH
fraud in 2006, with 17 percent reporting that
they had suffered fraud involving consumer credit
cards and 14 percent experiencing corporate card
fraud.
In many cases, fraud is perpetrated internally,
according to the AFP
Employees were responsible in about half of the
cases involving fraud associated with the use of
organizations' corporate cards last year, it
says.
In addition, internal fraud appears to be an
important factor in cheque and ACH fraud, the AFP
report warns.

5
Who are the Criminals?

FI Corporate Insiders
Independent Operators
Organized Crime
Use of Runners
Homeless
Students

Criminals are going to look for path of least
resistance!
6
Are you at Risk for ID Theft?

I carry my Social Security Card in my wallet (10)
I use an unlocked, open box at work or at home to
drop off my outgoing mail (10)
I do not cross-cut shred banking and credit
information when I throw it in the trash (10)
I do not cross-cut shred pre-approved
applications (10)
I do not cross-cut shred convenience checks (10)
I provide my SSN whenever asked, without asking
questions as to how that information will be
safeguarded (10) If you provide your SSN orally
without checking to see who might be listening
(5)
I am required to use my SSN at work as an
employee or student I.D. number (5)
I have my SSN or Drivers License number printed
on my personal checks (20)
I carry my insurance card in my wallet and either
my SSN or that of my spouse is the ID (20)
I have not ordered a copy of my credit reports
for past 2 years (10)
I do not believe that people would root around in
my trash looking for credit or financial
information (10)

7
Mitigating Risk in Payments Fraud

Know your employees
Use peer review
Audit regularly
Respect system security

8
Corporations are Responsible for Mitigating Risk
in Payments Fraud

Who in the organization should have
responsibility for originating transactions or
approving transactions
One user creates a transaction and another user
approves it
There should be detailed reporting of all
transactions originated in the system with
comprehensive audit trails to show every user who
touched the transaction, rich user entitlement
and audit trails are going to help when it comes
to Sarbanes-Oxley compliance
Sticky notes are a great invention but consider
the risk if you use them to decorate your
computer with passwords

9
In the News

Identity Theft The 'Business Bust-Out'
A criminal rents space in the same building as
your company
Applies for corporate credit cards using your
firm's name
The application passes a credit check because the
company name and address match, but the cards are
delivered to the criminal's mailbox
He sells them on the street and vanishes before
you discover your firm's credit is wrecked.
The so-called "business bust-out" scam is one way
sophisticated criminals steal business identities
across the country
Identity thieves increasingly target businesses
instead of individuals, experts and law
enforcement officials say, but federal law and
many state statutes don't consider business
identity theft a crime. That's because the raft
of identity theft laws passed in the last decade
apply mostly to individual consumers -- not
business entities.
While business identity theft can often be
prosecuted under other statutes, like mail fraud
or wire fraud, businesses victimized lose many of
the protections afforded to consumers under
identity theft laws, like access to information
about their credit

10
Combating ID Theft A Corporate Perspective

Politicians, reacting to public outrage, have
also framed ID theft as a consumer protection
issue and are placing much of the responsibility
on the shoulders of business
When someone steals sensitive consumer
information from an organization, that person is
actually robbing the organization of three
valuable assets business information, brand
value and self-determination for IT investments.

11
Corporate Fraud

According to the Association of Certified Fraud
Examiners the typical U. S. organization loses 6
of annual revenue to fraud
Thats 660 billion in yearly losses nationwide
May be higher as many companies dont report
fraud
Proper procedures and tools, however, can help
prevent many workplace crimes
Businesses unable or unwilling to identify and
control such problems do so at their own risk

12
Human Resources

Hiring Policy/Background Check/Screening
Verification of SS for employers, more info at
www.ssa.gov/employer/ssnv/htm
Screen cleaning service temporary firms you use
Enforce vacation policies
Keep personal information of employees/customers
in locked files

13
Internal Policies and Procedures

Ethics policies should clearly detail what you
consider to be illegal, improper and fraudulent
behavior
New employees should receive and sign statements
that delineate what they can and cant do
Educate existing and new employees, including
executives, about the use of such policies and
the penalties for defying them and up-date such
training annually

14
Separate Duties

Its critical to separate financial tasks among
several employees
Budgetary cutbacks and downsizing, however, often
result in the same person handling multiple
procedures such as taking orders, readying
invoices and documenting transactions
Compounding such an invitation to fraud is when
those same employeesfearing that other employees
might discover their deeds--work unusually late
and on weekends
Requiring all employees to take vacations often
uncovers fraud that your best employees
perpetrate

15
Fraud Hotline

Independence
Operations should be independent from corporate
management
Privacy
Consult with legal counsel on privacy protections
Tracking
Assign a secure tracking system
Investigations Reporting
Decisions to investigate should be made on case
by case basis

16
Blow the Whistle

Because whistle blowers expose a large percentage
of frauds, 24 hour tip lines encourage employees
to report potential offenses that security
professionals can investigate.
Publicize the confidentiality and anonymity of
fraud prevention hotlines, which are most
effective and secure when outside subscription
services run them.
Keeping employees abreast of such reporting
mechanisms demonstrates your intolerance for
fraud and limits would-be corporate villains
opportunities.

17
Online Attacks Common for Business According to
FBI Survey

Attacks cost companies an average 24,000
Nearly nine out of 10 U.S. businesses suffered
from a computer virus, spyware or other online
attack in 2005 despite widespread use of security
software
Some 44 of attacks came from within the
organization, the survey found
Of those coming from outside, nearly a quarter
could be traced to China

18
Data Breaches

Via hacking, stealing actual computers and hard
drives, stealing laptops or skimming devices
More more thieves are sitting on data hoping to
use it later
Who?
Universities, Government Agencies, Public
Companies, Nonprofits, Financial Institutions,
Call Centers out of the Country (India)

19
Data Security Preventive Tips

Implement data and security programs to safeguard
consumer records
Example Encryption
Notify authorities when a security breach occurs
and make public notification if there is a likely
chance that the stolen data has been or will be
misused

20
Encryption

Encryption is the best and only true way to
protect sensitive information such as consumer
data from unauthorized access
particularly powerful method for securing data at
the perimeter of the corporate network, where it
often leaves the office on laptops, PDAs and
removable storage devices.
any organization that uses encryption to secure
data will have a ready response for authorities
and the public in the event of a security breach
one of the most comprehensive and cost-effective
methods for managing compliance with data
security regulations.

21
Protecting the Corporate Data

Protecting private information looms large as a
crucial corporate challenge.
Is your company vulnerable to loss or theft of
critical and private information?
Is your private customer data safe and secure?
Web security is essential to protect a company's
own private information and must protect
confidential information about its customers.
Preventing Fraud Guarding electronic information
is more difficult.
It's challenging to maintain security and keep up
with technological innovations
New Technology devices being used for illegal
purposes
Keystroke Logger

22
Protecting the Corporate Data

Measures that can be taken to control data stored
on electronic media
Sensitive data files to portable disk and back up
with another disk
Store backup files offsite
Sensitive magnetic media
Password protection
Consistent backup protection
Training and Monitoring
Confidential or personal information should never
be sent in e-mail messages, since it is not a
secure method of transmitting data

23
Your Information on the Internet

Public records such as divorce documents, real
estate records and more
State of Arizona new law 1/1/07 shall no longer
contain more than 5 numbers of SSN and shall not
contain an individuals
Credit, Debit or Charge Card Numbers
Retirement Account Numbers
Savings, Checking or Securities Entitlement
Account Numbers

24
The Convenience of Wireless
25
(No Transcript)
26
Check Fraud
27
Your Account Number

So how did they get my account number?
You wrote them a check
They stole your statement via mail
You received a check and deposited the check
For Deposit Only and Your Acct
Access your account online
Check images with your account number and
signature
ImageMask product from 41st Parameter
www.the41.com
Blurs sensitive data in scanned documents that
are accessed online

28
In the News

The FDIC has been receiving an increasing number
of reports from financial institutions,
businesses and consumers that counterfeit
business checks are in circulation.
Scams that make use of counterfeit business
checks typically involve bogus lotteries,
sweepstakes or contests, and overpayment for
merchandise purchased often over the Internet
In recent examples, counterfeit business checks
have displayed the names of well-known and
recognizable businesses

29
In the News Giving the Bounce to Counterfeit
Check Scams

Its your lucky day! You just won a foreign
lottery! The letter says so. And the cashiers
check to cover the taxes and fees is included.
All you have to do to get your winnings is
deposit the check and wire the money to the
sender to pay the taxes and fees. Youre
guaranteed that when they get your payment,
youll get your prize.
http//www.ftc.gov/bcp/edu/pubs/consumer/credit/cr
e40.htm and http//www.ftc.gov/opa/2007/02/fyi071
6.htm

30
In the News Avoiding Cashiers Check Fraud

OCC Consumer Advisory on Avoiding Cashiers Check
Fraud gives you information on some common scams
and some steps you can take to avoid becoming a
victim.
Although this advisory focuses on cashiers
checks, you may find the information useful if
you transact business using other official bank
instruments, such as money orders and official
checks.
http//www2.fdic.gov/idasp/main_bankfind.asp

31
Can a US Citizen play the lottery in another
country?

Federal Statute Racketeering TITLE 18 gt PART I gt
CHAPTER 95 -Racketeering gt 1953 Prev Next
1953. Interstate transportation of wagering
paraphernalia Release date 2005-08-03 (a)
Whoever, except a common carrier in the usual
course of its business, knowingly carries or
sends in interstate or foreign commerce any
record, paraphernalia, ticket, certificate,
bills, slip, token, paper, writing, or other
device used, or to be used, or adapted, devised,
or designed for use in (a) bookmaking or (b)
wagering pools with respect to a sporting event
or (c) in a numbers, policy, bolita, or similar
game shall be fined under this title or
imprisoned for not more than five years or both

32
Check Washing

Would you hand a complete stranger a blank check?
Of course not. But that's practically what
happens to victims of check washing.
Americans lose as much as 800 million to this
thieving scheme each year.
Each month, most of us send hundreds of dollars
worth of checks in the mail. Nearly all of them
make it to their destination. But if one of those
checks got in the wrong hands, there's no telling
how much money you could lose.
Through a crime called check washing, crooks wipe
the ink off your check, and make it out to
themselves.
But technology is making the life of a crook
harder.
New pens and built in check protection claim to
make the scheme nearly impossible.

33
Check Security Measures

Watermarks
Most are subtle designs on front /back
Not easily visible, unless held up to light at 45
degree angle
Protection from counterfeiting because copiers
and scanners generally cannot accurately copy
watermarks
Copy Void
When photocopied, the pattern changes and the
word VOID appears, making the copy nonnegotiable
Chemical Void
When chemicals are applied, the treatment causes
the word VOID to appear, making the item
nonnegotiable
Checks treated cannot be altered without detection

Deter check fraud by making checks difficult to
copy, alter or counterfeit
34
Check Security Measures

High Resolution Micro-printing
When magnified, the line or pattern contains
series of words that run together or become
totally illegible if the check has been
photocopied or scanned with a desktop scanner
Three Dimension
Metallic Stripe (similar to credit card)
Items are difficult to forge, scan or reproduce
because they are produced by a sophisticated
laser-based etching process
Security Inks
Reduce a forgers ability to modify printed
dollar amount or alter the designated payee
When solvents are applied, a chemical reaction
with the security ink distorts the appearance of
the check
Very difficult to alter without detection

35
Check Security Measures

Optical Variable Ink (OVI)
Special ink containing small flakes of film that
change color as it is being viewed from different
angles
Not easily obtained, making it expensive and
difficult to counterfeit
Used on US Currency
Thermo chromatic Ink
Heat sensitive and will fade and eventually
disappear as the temperature increases
temperature decreases from the raised level the
ink will reappear
Check Fraud ID Theft Document for more info on
check securities
www.abagnale.com

36
Image-Survivable Security Features

PaymentsNation registry for image-survivable
security features
PaymentsNation will be the sole provider and
operator of this industry-wide risk management
tool designed to combat check fraud using
image-survivable security features.
ISCF SIG Website
www.stopcheckfraud.org (members only)

37
Ten Tips Preventing Corporate Fraud

Set an ethical tone that starts from the top
Establish regular fraud detection procedures
Have a hotline
www.fdic.gov/news/news/financial/2005/fil8005.html
Educate employees about fraud
Have Certified Fraud Examiner on Staff

Involve your suppliers in your fraud detection
efforts
Take all tips seriously and investigate
Decide who will be notified about tips
Conduct background checks
Have oversight by member of senior management and
the board

38
Uniform Commercial Code

Since the revision of UCC banks are no longer
100 liable for check fraud incidents
UCC Section 3-406 introduced the term ordinary
care.
Under this section, the accountholder is
restricted from seeking restitution if their
failure to exercise ordinary care (e.g. in their
internal processes and procedures) contributed to
the forged or altered check.
In UCC sections 3-406B and 4-406E the concept of
comparative negligence could place liability on
the account holder in many cases the company
itself.
The liability is allocated according to the
degree to which the bank and accountholder failed
to provide ordinary care. This means that
companies can be held accountable if their
actions or inaction to prevent check fraud fail
and result in a monetary loss to employees or the
bank.

39
UCC Corporate Check Fraud

FIs are not usually liable unless they do
something to be negligent
Check law training from PaymentsNation
Summary of UCC regarding check fraud
www.law.cornell.edu/ucc/
Search specific topic
White Paper Check Fraud, The UCC and YOU
http//www.acom.com/micr_lib/news001.htm
How is corporate check fraud committed so easily?
Once fraudsters acquire a good account they can
create check fraud at will

40
Why is my company potentially liable for a fraud
incident

Lack of security control for the storage of
check stock
Lack of timely bank account reconciliation for
payroll accounts payable
Lack of secure control over storage and access to
signature stamps or machines
Lack of signature verification on canceled
checks during reconciliation process
Lack of timely reporting of potential check
fraud occurrences to your FI
Lack of paper safety features in your check paper
stock
Lack of procedures with your company that
contribute to a forged signature or amt
alteration
Lack of supplying current documentation to your
FI on authorized signers

It is up to each company to prepare to defend
itself against the lack of ordinary care
procedures within their organization.
41
How can I best protect the interests of my
company against check fraud?

Unfortunately there is not a guaranteed method
available of protecting your company against
check fraud but the following suggestions are
recommended to you as a starter
Contact your FI and ask for written copy of their
suggested procedures as regards to check fraud
prevention, check stock considerations and check
reconciliation processes that they expect you to
follow.
Written procedures they follow to reduce check
fraud (back office ordinary care activities)
Positive Pay a key fraud-fighting tool for
disbursement accounts
Implement Internal External Procedures
Check Security Features
Use of Electronic Payments

42
Positive Pay

Whats new in Positive Pay?
Teller Positive Pay
Decision made at teller line
Payee Positive Pay
What if the criminal adds a payee name, alters a
payee name
Image Positive Pay
Review front and back of checks
Per Frank Abagnale
Positive pay is the best product in 25 years to
deal with the problem of forged, altered and
counterfeit checks

43
Internal Procedures for your Company

Consider moving check disbursement activity to
electronic payment
Food for Thought
An employee takes their payroll check to cash
maybe at a retail store, supermarket,
check-cashing store think about the many places
they cash their check and how one of those places
whose unethical employee works at may photo copy
the check and use your account number and routing
number.
What about a disgruntled or recently fired
employee who was paid by check.
What about all the companies you pay by check do
you really want them having your ABA and account
number.

44
Insider - Preventive Measures

New Employees
Background Check
www.myspace.com
Social Security Employee Verification Service
Publication No 20-004
Fingerprinting
Criminal Record Check
Credit Report
Chex Systems
Maintain Separation of functions
Dual Controls

45
Remote Deposit Capture Risks

There is risk in remote deposit ranging from poor
image quality to duplicate check processing,
either innocently if the check is accidentily
scanned twice, or malevolently if its both
scanned and physically deposited.
With corporate customers now keying the check
amounts theres also the risk of incorrect
encoding.
To address these risks, remote deposit
applications should have image quality assessment
capabilities with standards that can be
controlled by the bank.
Many remote deposit applications have
functionality to prevent the checks until they
are destroyed.
Amount recognition technology can address some of
the issues around the keying of the dollar
amounts and deposit balancing features can help
point out discrepancies.

46
www.fakechecks.org
47
ACH Fraud
48
Who Are the Participants?

Originator
Entity that agrees to initiate ACH entries into
the payment system according to an arrangement
with a Receiver
Originating Depository Financial Institution
(ODFI)
Receives payment instructions from Originators
and forwards the entries to the ACH Operator
ACH Operator
Central clearing facility operated by Federal
Reserve Bank or Electronic Payments Network on
behalf of DFIs
Receiving Depository Financial Institution (RDFI)
Receives ACH entries from the ACH Operator and
posts the entries to accounts of the depositors
(Receivers)
Receiver
Natural person or an organization which has
authorized an Originator to initiate an ACH entry
to the Receivers account with the RDFI
May be company or consumer

49
How the ACH Transaction Flow Works
Standard Entry Class Codes
Third Parties
50
Standard Entry Class Codes

Rules based on the Standard Entry Class Codes
Authorization Requirements, Return Time Frames,
etc.
PPD Prearranged Payment Deposit Entry
RCK Represented Check Entry
WEB Internet Initiated Entry
TEL Telephone Initiated Entry
ARC Accounts Receivable Entry
POP Point of Purchase
CCD Cash Concentration Disbursement
BOC Back Office Conversion

51
What is the Strategy?

The ACH Network is a safe, high quality payments
systems.
NACHA, its members and the ACH operators have a
responsibility to ensure that the ACH network
remains a safe, high quality payment system
Protect FIs financial interest and reputations
Implementing a comprehensive risk management
strategy addressing four categories
1) Network entry requirements
2) Ongoing requirements
3) Enforcement
4) ACH Operator tools.

52
Fraud in the ACH Network

Internal ACH Fraud
Corporate or FI
More likely at corporations without dual controls
Payroll clerk can pay herself 1M by direct
deposit if nobody else has to sign of on the file
ODFI Exposure File Limits
Selling or Furnishing Information
Money Laundering
Does the ACH network warranty the product or
service received or not received?

53
ACH Kiting

An originator can use an ACH kite scheme to
inflate an account balance with the offsetting
credits generated from ACH debit origination
activity.
When the originator generates unauthorized debits
or valid debits to accounts that they or their
accomplices own, the account is credited covering
previous unauthorized debits as they are
returned.
The scheme is essentially a check kite executed
electronically.
Even kiting used to cover short term cash flow
problems can put a FI at risk.
Kites of this nature often go undetected because
of a lack of coordination and communication
between the FIs fraud and ACH operations units.
If the fraud unit becomes aware of an unusually
high volume of administrative returns, it may
investigate the situation more closely.
Just as check-based kite schemes are identified
through a source of funds analysis, ACH kite
schemes can be discovered by analyzing the direct
debit activity being originated.

54
Origination System Hacking

Originator or 3rd Party generates invalid
transactions using the name of the true
originator
Perpetrators hack into origination systems using
compromised logon IDs and passwords and originate
ACH credits to mule accounts created for
express purpose of committing fraud
Empty accounts and abandoned them
True originators account is debited for the
invalid origination file
Credits usually irretrievable by the time the
fraud is discovered
How were they compromised?
Keyloggers, trojans or phishing
Compromised by insider (know your employees)

55
Fraud Scenarios Reverse Phishing

The Scenario
A company received e-mails from two trading
partners asking for changes to bank and account
numbers used to receive ACH payments for
invoices
The company believed the requests to be
legitimate, as the e-mails looked like those from
the trading partners
The company originated ACH credits to the new
bank and account numbers for these trading
partners
The ACH credits went to newly opened accounts,
and the funds were withdrawn
Eventually, the company received phone calls from
the real trading partners about failure to pay
The company investigated and discovered that the
original e-mails supplying new payment
instructions were fraudulent.

56
Fraud Scenarios Reverse Phishing

NACHA is calling it a case of reverse phishing
instead of e-mails attempting to fraudulently
obtain corporate banking information, the
perpetrator(s) sent e-mails fraudulently
providing corporate banking information.
Recommendations
Originators should perform due diligence in
accepting changes in payment instructions.
For example, a widely used security procedure is
a callback to a known individual at the trading
partner.
ODFIs can alert their Originators to this type of
fraud scheme.

57
Fraud Scenarios Keylogging Spyware

The scenario
A corporate treasury workstation or computer used
to log on to online banking is infected with
keylogging spyware
The keylogging spyware records the companys
online banking credentials - User ID and Password
when an employee signs in to online banking
The keylogging spyware then sends this
information to the perpetrator
The perpetrator uses the companys credentials to
sign in to online banking on the corporate
banking web site
The perpetrator initiates outbound funds
transfers out of the companys corporate
account(s), either via ACH credits or wire
transfers

58
Fraud Scenarios Keylogging Spyware

The Scenario
The company does not employ any additional means
to confirm the transactions and release funds,
and the bank does not require additional
authentication of the party initiating the
transfers
The perpetrator routes funds to deposit accounts
at various financial institutions these accounts
were recently opened either by the perpetrator,
or arranged to be opened through willing
associates or unknowing individuals
These accounts receive deposited good funds via
ACH credits or wire transfers
The account owners then wire funds overseas, and
are non-recoverable by the company and its bank.

59
Fraud Scenarios Keylogging Spyware

Recommendations for Originators
Originators should use best practices for
treasury management and corporate banking,
including authentication for authorizing
transactions online and/or independent
confirmation of outbound transfers
Originators should reconcile their accounts
daily
Originators should use best practices
for information technology security, covering the
integrity of hardware, software and identity
management.

60
Fraud Scenarios Keylogging Spyware

Recommendations for ODFIs
ODFIs should use best practices for
authenticating corporate customers and executing
instructions for outbound funds transfers
initiated online
ODFIs should work with their Originators on best
practices for corporate banking and IT security
ODFIs can alert their Originators to this type of
fraud scheme.

61
Fraud Scenarios Keylogging Spyware

The scenario takes advantage of compromised IT
security, poor corporate treasury management
practices, and weak authentication. The scenario
is not specific to ACH payments wire transfers
were involved as well.

62
Traditional Uses of the ACH Network

PPDs - Recurring credits or debits
Payroll
Pensions
Social Security
Insurance Premiums
Utility bills
Risk of fraud almost non-existent

2/12/04 - 64,000 .01 ACH credits
63
Check Fraud in the ACH WorldeCheck

Point of Purchase (POP)
Is the source document (check) valid?
Did the retail clerk check ID and document
information about the consumer?
Source document (check) isnt given back to the
consumer
Check converted is counterfeit
Consumer Fraud
States they never wrote check at retailer
Accounts Receivable Entry (ARC) Back Office
Conversion (BOC)
Check converted is counterfeit
Can your systems talk to each other? Are you
monitoring your transactions?

64
Fraud in the ACH Network

Telephone Initiated Entry (TEL)
Existing relationship or Consumer initiates call
Telemarketing Fraud
Merchants operating with fraudulent intent
without having obtained consumers authorization
Merchants violate TEL rules by cold calling
Merchants use of post cards
Merchants with no intent to deliver a product or
service
Consumer Fraud
Consumer never intends to make payment good
Federal Trade Commission
Telemarketing Sales Rules
www.ftc.gov
www.donotcall.gov
What city are most Americans being ripped-off
from?

65
Telemarketing Fraud

Scams
Youve won a prize or lottery
Advance Fee
Credit Cards
Medical Plans/Insurance
Find victims
Telemarketing Lists, Via Obituaries,
First name tells age
Mabel vs. Paula
Leo vs. John
Sharon vs. Pearl
Ramona vs. Greg
Select type of victim
Income range, gender and age
Elderly Female best targets
www.lookstogoodtobetrue.com

66
Fraud in the ACH Network

Internet-Initiated Entry (WEB)
Anonymous nature of internet presents Originator
with unique challenges
ODFI establishes separate WEB exposure limit
Originator verifies the identity of Receiver
Requirements of WEB Originators

www.cybercrime.gov - a great resource on
cybercrime for FI/Corporate
67
WEB Fraud Schemes

Spamming with account numbers searching for
real account number
R03 Invalid or R04 No Account
How many actually posted?
Identity Theft Stolen Bank Account Information
Spoofing Phishing
Obtain sensitive identifying information
Consumer Fraud
Consumer never intends to make payment good

68
Commercially Reasonable Fraudulent Transaction
Detection Systems (FTDS) to screen WEB Entries

Authentication is the most Important feature of a
Transaction Detection System

69
Password Authentication

Passwords Dont use names of spouses or
children, which are easily guessed, or words in
the dictionary, which automated systems may be
able to break with so-called dictionary
attacks.
The use of passwords can be strengthened by
enforcing certain rules, such as requiring
passwords of a certain length, using both
numbers, symbols and letters, and using both
upper and lower case letters.

70
What Technology is Available?

IP Analysis http//www.whatismyipaddress.com/
Browser Authentication
Input Security
Black-List/Clustering
Login Challenge
Session Risk Assessment
Device Authentication Session Clustering
Session Challenge
Device Consumer Payment Protection
Biometric Security

71
ODFI Warranties

Warranty Article Two, Subsection 2.2.1.1 of the
NACHA Operating Rules
Each entry transmitted by the ODFI to an ACH
Operator is in accordance with proper
authorization provided by the Originator and the
Receiver
Breach of Warranty Article Two, Subsection 2.2.3
of the NACHA Operating Rules
Liability for Breach of Warranty

72
RDFIs Role
COLORADO State EFT Law supercedes and there is
no liability. Does your state have statue of
limitations?

Customer Care Issues
Education of Staff about ACH Consumers
Handling of Returns Consumer Unauthorized
Completion of Written Statement Under Penalty of
Perjury Form
Class 4 Felony if they lie
RDFI must supply to ODFI is requested!
Regulation E 60 days from statement date
Beyond 60 days
How do you find out who ODFI is?
www.paymentsnation.com R/T Search
Contact ODFI regarding unauthorized transaction
Request proof of proper authorization and
Originators name and phone number
ODFI Warranties Subsection 2.2.1.1

73
RDFIs ROLE

Corporate entry unauthorized
CCD, CTX or CBR
24 hours to return unauthorized item (R29)
Unless you contact the ODFI and get permission to
return the item (R31)
ODFI Warranties Subsection 2.2.1.1
Sometimes you dont get what you deserve, You
get what you demand
Demand Satisfaction place responsibility for
theft on the perpetrators and enablers not the
victim
ODFIs must live up to their warranty

74
RDFI Corporate Account Prevention

Account Balancing Reconciliation
View Account Daily
Positive Pay
Dollar Limit on ACH Debits or Credits only
UPIC
Transaction Monitoring
Real time
Delayed
Alerts
ACH Debit Blocks Filters

75
ACH Debit Blocks Filters

Allows companies to block all incoming ACH debit
or credit transactions, or both
Allows blocking of all incoming ACH transactions
except those items specifically defined by the
company
Company instructs and authorizes the bank to pay
specific transactions based on specific criteria
they define

76
Network Enforcement Rule Changes

Rule changes approved 11/8/07 will modify the
structure of the National Systems of Fines (now
called Rules Enforcement with December 21, 2007
rules change) and increase the amounts of fines
that may be levied
Permit the ACH Rules Enforcement Panel to direct
an ODFI to suspend an Originator or Third Party
Sender
Looking at an Originator Watch List program
Create new Rules compliance tool based upon
unauthorized return rates

77
Network Enforcement Rule Changes

New rule allows NACHA to request information
about an originator from an ODFI when NACHA
believes that the Originators return rate for
unauthorized reasons exceeds one percent
Allows NACHA to initiate a rules enforcement
proceeding if
ODFI fails to respond appropriately
ODFI fails to reduce the rate to below 1 within
60 calendar days after contact from NACHA
ODFI fails to maintain the rate below 1 for 180
additional days

78
Network Enforcement Rule Changes

Revises rules violation classifications and fines
Class 1 1st, 2nd or 3rd recurrence
1,000 2,500 or 5,000
Class 2 willful disregard 100,000
Class 3 significantly harmful 500,000

79
Electronic Payments Network

Universal Payment Identification Code (UPIC)
Secure bank account identifiers that can be
offered to business customers along with other
security offerings such as debit blocks and
positive pay
UPICs look and act like bank account numbers and
allow companies to receive electronic credit
payments without divulging their sensitive bank
information
Over 1Billion payments with 19 industries and 9
major FIs issuing UPICs

80
Operation Bulletin from NACHA

Use of the Back of a Check for ACH Authorizations
Deceptive practices
Authorization
Federal State Laws

81
Resources

Report any telemarketing fraud scheme
FTC _at_ 1-877-FTC-Help or www.ftc.gov
Contact your local police department if you or
someone you know may be a victim.
Phoenix Police Department 602-262-6151
Arizona Telemarketing Fraud Task Force
602-650-3333
Report if victim of identity theft
Example consumer never gave out their account
information
FTC _at_1-877-IDTHEFT or www.consumer.gov/idtheft

82
Resources

United States Postal Inspection Service
www.usps.com/postalinspectors
Telemarketing Fraud using US Postal Service
877-987-3728
Report any Internet crimes
Internet Fraud Complaint Center
www.ic3.gov
Fraud Alert Flyer
http//www.ic3.gov/media/FraudAlert.pdf

Fraud Originated from Canada
Phonebusters
Federal Canadian anti-fraud call centre
www.phonebusters.com or 888-495-8501
ICE (Telemarketing Fraud only) 866-DHS-2ICE
Department of Justice
www.usdoj.gov/criminal/fraud/telemarket/

83
Public Websites Consumer Can Report Fraud
www.ripoffreport.com www.my3cents.com www.consume
raffair.com www.complaintsboard.com
84
http//onguardonline.gov/index.html
85
(No Transcript)
86
www.electronicpayments.org
87
ftc.gov/infosecurity
88
(No Transcript)
89
Networking Resources