Retail Payments Risk Forum

Portals and Rails

March 15, 2010

Global challenge: Catching crooks while protecting privacy

As I watched the Winter Olympics unfold in Vancouver, I marveled at the stories of athletes who had gained citizenship in other countries in order to pursue their dreams. A Canadian moguls skier moved to Australia (which I kind of get) and a Japanese pairs figure skater fled to Russia (which I don't get). In both cases, their renationalization was rewarded with Olympic medals, and in both cases, I was reminded of how completely we have merged into a one-world family and a one-world economy.

Amidst this clear and widely embraced trend to global industrialization and trade, we find that our payments systems lag miserably behind. Certainly this is not because of the lack of availability of technology to wire us together; in fact, both good guys and bad guys use the Internet to order and ship goods and services, as well as commit fraud, across the globe in minutes. And, certainly, this is not because of trade practices. As I found out from Linda Coven, a senior executive at the Silicon Valley Bank in California, a technology firm born in the Silicon Valley becomes a global firm the minute they put up their Web site. Even a modest-sized bank such as hers can develop the expertise and partnerships to help such companies cope with the financial aspects of worldwide markets.

Tangled web
The fly in the international payments ointment is the complex web of regulatory and law enforcement regimes that quite naturally do not as yet mesh. In fact, this can still be a problem domestically, much less globally. The global version of this dilemma gained center stage in February 2010 when the European Parliament voted to reject the interim EU-US agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programs (TFTP). These programs were established by the U.S. Treasury in the wake of the September 11, 2001, attacks. The TFTP allows the Treasury law enforcement agencies to issue administrative subpoenas for terrorist-related data, including the records of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the world's largest network for banking transactions. Privacy laws and liabilities were cited as the major stumbling block in this reversal of form from previous agreements. Efforts by SWIFT to implement new technology to separate their databases into geographical segments may still allow some access to data involving a U.S. institution, but the EU ruling could ultimately impede law enforcement activities aimed at catching criminals who make today's global payments world a bit of the wild, wild West.

For those who feel that today's regulatory/law enforcement climate borders on paranoia, I would counter that in the face of global terrorism and money laundering there may be ample reason for paranoia. It is clear that cross-border payments applications deserve greater scrutiny to make sure they are not vehicles for financing dangerous and unsavory organizations. Strong compliance policies and screening practices are even more critical in this environment than they are domestically. Nevertheless, we see once again the incongruent goals of catching criminals and preserving privacy. In cases where cooperation and trust have been established there have been great successes. Internet corporate takeover rings have been stymied and Nigerian-based fraudulent check schemes have been terminated to the benefit of numerous domestic corporations and consumers.

Building a team
At the Retail Payments Risk Forum, we are working with various parties to find ways to synthesize the conflicting goals of privacy and enforcement to create a more directed and timely approach to catching the bad guys. As we progress, we will have to be ever-mindful of the fact that the next step will be to use our domestic examples as templates for solving the same problems internationally. Useful new work groups and task forces have been established here in the United States, such as the Interagency Payments Fraud Working Group under the current co-chairmanship of the Justice Department and the Federal Reserve Board, that are directed at better cooperation between law enforcement and the bank/non-bank regulatory community. Extending such collaboration into the international arena needs to become a priority for our industry if we are truly going to mitigate payments risk and catch offenders. It is no secret that this will be a difficult challenge, but fighting cyber crime is no longer a domestic issue here in the States or anywhere else. While we cast aside old norms in the payments and technology areas to do business across borders, we must also be open and innovative in regulatory and law enforcement circles if we are to have any chance of keeping up with criminals.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

March 15, 2010 in Cybercrime, Fraud, Internet, Law enforcement, Payments risk, Regulation

March 08, 2010

Smooth landings for payments call for a checklist

This week's blog features an interview with Devon Marsh, senior vice president and treasury management risk manager at Wells Fargo Bank, N.A. We asked Devon about his thoughts on managing risk in electronic retail payments today.

Devon, retail payments are growing increasingly more complex, creating challenges for risk managers in financial institutions. We know that many of the traditional "tried and true" control processes can still be effective in today's changing environment and understand you are a proponent of compliance checklists as a primary risk management tool for your bank. Tell us a little more about why you value the checklist process.

In more than 1,000 landings as a naval aviator, I never once made a gear-up landing. I don't think I even came close to forgetting the landing gear, but I didn't take any chances. I used a checklist every time I landed. The checklist was necessary not because lowering the landing gear is difficult to remember—of course the gear needs to be down to land! It was necessary because any discrete task—even an important one—can be easy to forget. For this reason we see pilots use checklists all the time on television and in movies to ensure completion of important tasks. We even probably consider the use of checklists to be a defining characteristic of a cockpit environment. But aviation is not the only field in which people can benefit from checklists.

I recently read a new book titled The Checklist Manifesto, by Dr. Atul Gawande. Dr. Gawande is a surgeon and regular contributor to The New Yorker magazine. He has written two previous books based on the practice of medicine that provide useful lessons on risk management and process improvement. His new book offers compelling statistical evidence on how the use of simple checklists cuts down on critical errors.

A key example in The Checklist Manifesto recounts the development of a checklist to guide the procedure for inserting a central intravenous line in intensive care patients. The steps include elementary items such as handwashing. Because its content was so basic, the checklist was initially met with scorn by many practitioners. Nevertheless, consistent use of the checklist dramatically reduced central line infection rates and deaths in ICU wards where it was implemented.

This example seems particularly relevant in financial services since significant problems are often avoided through simple yet proactive control processes. Can you draw some parallels to a checklist that might be effective in ACH processing and describe how it might work?

That's right. Errors in payment processing seldom cost lives the way medical errors might, but they can be as costly as a lost or damaged aircraft. For this reason, I believe the checklist concept has great applicability for many of the risks we address in processing payments. For example, an electronic payment checklist for ACH might help payment originators comply with rules and regulations, avoid human errors, and reduce fraud. A basic electronic payment checklist might include 10 steps.


Electronic Payment Checklist
1. Authenticate the receiver or requester.
2. Confirm validity of authorization.
3. Verify account number of receiver or beneficiary.
4. Verify routing number of receiver or beneficiary.
5. Confirm effective date of transaction.
6. Confirm payment-related information.
7. Confirm sufficient funds in funding account.
8. Obtain internal approval for transaction.
9. Initiate transaction.
10. Confirm transaction.

Some of the steps are required by rule or by law, while others are simply necessary to route the transaction appropriately. When any one of the steps goes wrong, the resulting error decreases the efficiency of the payment process. It can even cause the entire transaction to be misrouted, possibly without an opportunity for recovery. The eighth step in this checklist is particularly important because it represents a traditional fraud mitigation method called "dual control." This traditional method has proven effective in mitigating the risk that outside entities will attempt to initiate or change a company's transactions by using the credentials of internal employees.

The final step in the checklist, confirming the transaction, is one that is frequently overlooked. It makes sure the financial institution receives the transaction that the initiator intended. This step is critical to ensure a payment has been positively handed off to the next participant in the processing flow.

It is interesting that such a simple control mechanism can still be effective. Why do you think some of the steps you’ve outlined in this checklist get overlooked?

Its utility rests on the fact that creating an ACH transaction involves a series of steps, any one of which can be missed or performed incorrectly. Consistent use of a checklist may help those who initiate payments to ensure each transaction complies with rules, is free of processing errors, and is received by the intended recipient. Financial institutions should consider sharing compliance checklists with customers who initiate payments through the ACH. In the world of payments, these are the elements of a smooth landing.

March 8, 2010 in ACH, Fraud, Risk Management

March 01, 2010

Mobile remote capture: Is there a consumer market for on-the-go deposits?

In the last six months, there has been a growing buzz about a few banks that have launched or tested applications that allow their customers to make deposits by taking a picture of a physical check (front and back) with a mobile phone. The photo is converted to a digital image that is encrypted and transmitted to the bank for processing. For security and privacy purposes, no information is stored on the mobile device.

Mobile capture is just the latest innovation in remote deposit capture (RDC) designed to make the service more affordable and convenient for a broader customer base. As with most new payments technologies, risk figures to have a role in how rapidly this innovation is embraced, as I'll discuss below.

The RDC market had generally consisted of large commercial customers with an established banking relationship. However, when RDC vendors tweaked the technology to allow the use of the flatbed scanners typically used in the home, it opened the door for banks to offer a low-cost RDC solution targeted to small businesses and consumers.

Consumer capture initially adopted by credit unions
USAA Federal Savings Bank was the first bank to offer consumer capture in 2006. USAA serves a membership primarily comprised of military personnel and their families who are often deployed far from its sole branch office in San Antonio, Texas. The launch of its Deposit@Home® consumer capture service allowed its customers to make deposits from anywhere in the world using a scanner and Internet connection. Other credit unions have since followed suit with consumer capture products that offer another self-service channel for their customers, much like ATMs and online banking.

In researching a recent paper on consumer capture, I found that several factors make consumer capture an attractive product offering to credit unions. First, credit unions typically have a small branch network, and often their members are geographically dispersed across the country. Second, the disproportionately high per-item processing costs of deposits for credit unions because of their remote customer base make a compelling business case for consumer capture. Third, credit unions may have less concern about fraud issues with consumer capture because they have a "trusted" customer base.

Mobile applications reinvent consumer capture
In August 2009, USAA took the lead again in consumer capture by launching Deposit@Mobile™, a remote capture service for its mobile banking application for Apple's iPhone. In its first six weeks, a reported 270,000 members installed the updated iPhone application, and approximately 40,000 of them used the software to deposit more than 100,000 checks worth a total of $61 million. Within five months, USAA customers deposited more than $300 million using their iPhones. Last month, USAA announced a mobile application for the Android operating platform.

Not surprisingly, the USAA experience has piqued the interest of other banks to either test or consider a mobile capture application. Another driving factor is the ubiquitous nature of the cell phone in the United States, as well as the particular influence of the iPhone. A Javelin study found that iPhone users are one-and-a-half times likelier to use their mobile device to log into a bank account than all other smartphone users. There is also evidence that mobile banking customers are interested in mobile capture technology. According to the Mercatus Mobile RDC Adoption Research study conducted last year, close to two-thirds of today’s mobile banking customers are likely to adopt mobile remote deposit capture if the technology is offered by their banks.

Will concern about the potential fraud risk slow bank adoption?

While some are excited by the potential this technology has for buoying the use of mobile applications in banking, others are more concerned about the potential fraud and compliance risk this service presents to banks. Although the Federal Financial Institutions Examination Council (FFIEC) RDC Risk Management Guidance broadly covers RDC performed at any location, there still appears to be lingering concern about mobile capture. In fact, a recent Celent survey of U.S. banks found that the most common reason cited for not adopting mobile capture technology by the majority of respondents was concerns over risk and compliance.

Currently, there is still a small minority of banks offering mobile capture. For those banks sitting on the sidelines, the question is how long they will have to wait before feeling pressure from their competitors, as well as from customers who demand the functionality. As aptly described by a USAA executive, "Going to the bank to deposit a check soon may be as antiquated as black-and-white TVs."

By Jennifer Grier, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

March 1, 2010 in Checks, Mobile

February 22, 2010

Check fraud: Old problem, new approach?

Despite signs of declining check volume and ongoing predictions of checks' imminent demise, check fraud is a growing problem. Industry experts estimate that check fraud will cost billions in 2010. The question now is whether this fraud can be thwarted with traditional mitigation efforts or if something new is needed.

One explanation for the continued proliferation of check fraud is technology. Fraudsters today have increased access to check paper stock, high-quality color printers, and scanners that facilitate the creation of a near-perfect document that can pass for a real check. Industry experts state that compromised online banking accounts also contribute to check fraud because fraudsters are able to view cleared check images which are then used to extract sequence numbers and other pertinent data for subsequent replication.

Recent studies reveal check fraud's persistence
Last month, the Financial Crimes Enforcement Network (FinCEN) released its Suspicious Activity Report (SAR) filings for mid-year. The report revealed that during the first six months of 2009, SAR filings for suspected check fraud increased for all industries required to file SARs under the Bank Secrecy Act (BSA). A breakdown for each industry revealed that SAR filings by depository institutions increased by 19 percent for check fraud and by 36 percent for suspected counterfeit checks. SAR filings by money services businesses for traveler's check fraud increased by 76 percent.

Similarly, the 2009 AFP Payments Fraud and Control Survey found check fraud dominated the overall payments fraud landscape for those surveyed in 2008. The results underscored the importance of specific fraud control measures to mitigate risk and reduce exposure to losses. Of those who responded to the AFP survey, 91 percent indicated they had experienced actual or attempted check fraud.

Types of Fraud Resulting from Using Checks
(Percent of organizations that suffered check fraud in 2008)

| In percentages | All respondents | Revenue greater than $1 billion | Revenue less than $1 billion |
|---|---|---|---|
| Counterfeit checks (other than payroll) with the organization's MICR line data | 72 | 75 | 68 |
| Payee name alteration on checks issued | 59 | 63 | 50 |
| Other | 7 | 5 | 12 |

Source: 2009 AFP Payments Fraud and Control Survey, p. 13, available at: http://www.afponline.org/pub/pdf/2009_Payments_Fraud_Survey.pdf.

Are yesterday's best practices today's best approach?
Check fraud is a decades-old problem that shows persistent signs of survival. Preventive efforts to mitigate check fraud risk range from ceasing all use of checks to using advanced software systems that offer automatic check stock and signature verification and can detect even the most sophisticated counterfeit checks. But can new approaches to check fraud enable a bank's loss prevention team to catch and prevent more check fraud? Or is the fight against check fraud best won through traditional and well-established risk-management practices?

One well-known method for business customers to combat check fraud is through the use of a tool known as positive pay. This bank service allows a company to send its paying bank an electronic file of check payment information, which the bank then matches against the checks presented for payment. The paying bank pays checks that match the information provided and dishonors those that do not. Other bank services available to combat check fraud include ACH debit blocks and filters. An ACH debit block works like a stop payment order by automatically returning all ACH debits and credits that, for example, exceed preset dollar limits established by the bank customer. The bank customer can also set filters to permit fund transfers to only preapproved payees.
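
The matching step that positive pay performs, sketched in Python as an added example (not part of the original post and not any bank's actual system). The record fields, the sample checks, the payee comparison and the duplicate-presentment check are assumptions made for illustration; real issue-file formats vary by bank.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    serial: str        # check number
    amount_cents: int  # integer cents avoids float rounding in comparisons
    payee: str

def normalize(name: str) -> str:
    """Compare payee names without regard to case or spacing."""
    return " ".join(name.upper().split())

def positive_pay(issue_file, presented):
    """Match each presented check against the company's issue file.

    Returns a list of (serial, decision, reason) in presentment order.
    A check is paid only if every field matches and it was not paid before.
    """
    issued = {c.serial: c for c in issue_file}
    already_paid = set()
    results = []
    for p in presented:
        rec = issued.get(p.serial)
        if rec is None:
            decision, reason = "DISHONOR", "serial not in issue file"
        elif p.serial in already_paid:
            decision, reason = "DISHONOR", "duplicate presentment"
        elif p.amount_cents != rec.amount_cents:
            decision, reason = "DISHONOR", "amount mismatch"
        elif normalize(p.payee) != normalize(rec.payee):
            decision, reason = "DISHONOR", "payee mismatch"
        else:
            decision, reason = "PAY", "matches issue file"
            already_paid.add(p.serial)
        results.append((p.serial, decision, reason))
    return results

# Constructed sample data: what the company says it issued...
ISSUE_FILE = [
    Check("1001", 125000, "Acme Supply Co"),
    Check("1002", 48050, "Jane Q. Public"),
    Check("1003", 9900, "City Utilities"),
]
# ...and what arrives at the paying bank (also constructed).
PRESENTED = [
    Check("1001", 125000, "ACME SUPPLY CO"),   # legitimate item
    Check("1002", 480500, "Jane Q. Public"),   # amount altered
    Check("1003", 9900, "John Doe"),           # payee name altered
    Check("1001", 125000, "Acme Supply Co"),   # same check presented twice
    Check("2044", 30000, "Acme Supply Co"),    # counterfeit serial
]

if __name__ == "__main__":
    for serial, decision, reason in positive_pay(ISSUE_FILE, PRESENTED):
        print(f"{serial}: {decision} ({reason})")
```

The payee comparison is what catches the "payee name alteration" category in the AFP table above; a file that carries only serial and amount would pay the third sample item.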

While there is no "one-size-fits-all" solution, well-established risk-management practices have proven time and again to be successful mitigators of fraud risk. The back-to-basic tools such as segregation of duties, dual controls, and timely reconciliations are just some of the risk-management tools best known for their effectiveness at combating check fraud.

Where do we go from here?
While acknowledging that nothing is impervious, the combination of both new and old techniques can contribute significantly to solving some of the challenges that check fraud presents. Armed with an arsenal of tools, financial institutions can be well-equipped to monitor and maintain a high level of account security effectively.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.

February 22, 2010 in Best practices, Check fraud, Risk Management