Retail Payments Risk Forum

Portals and Rails

August 19, 2013

Curbing Identity Theft and Fraud

To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.

Identity Theft Victims and Fraud Amounts

A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.

Two types of identity theft drove the overall increase: new-account identity fraud and account takeover fraud.

New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.

The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.

Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application or the report showing a rash of new credit inquiries should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include applicants having to read the information from their identification documents rather than reciting it from memory, or incorrect social security numbers, or newly issued identification documents.

Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.

As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.

We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 19, 2013 in account takeovers, authentication, banks and banking, consumer fraud, identity theft

April 29, 2013

It's Time for Better Online Authentication Solutions

I recently read a news story in my daily news feed about litigation between a bank and corporate customer related to an account takeover, and the liability of the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.

Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.

Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?

Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 29, 2013 in account takeovers, cybercrime, fraud

August 20, 2012

Finding a Reasonable Definition of Commercially Reasonable

Corporate account takeovers have cost businesses millions of dollars over the last several years. According to 2011 congressional testimony of Gordon Snow, assistant director of the FBI's cyber division, the FBI was at that time investigating more than 400 reported cases of corporate account takeovers. These 400 cases involved the attempted theft of over $255 million, resulting in actual losses of approximately $85 million.

Corporate accounts are not offered the same protections as consumer accounts, which are protected from financial loss from online fraud through the Electronic Funds Transfer Act and Regulation E. Article 4A of the Uniform Commercial Code (UCC) states that as long as a bank adopts commercially reasonable security measures, its business customers are accountable for fraud losses arising from funds transfers. Unfortunately, Article 4A does not provide a definition for "commercially reasonable," which leaves the term open to interpretation.

A recent ruling by a court of appeals reveals one court's opinion on what is commercially reasonable versus unreasonable. Despite the bank's compliance with Federal Financial Institutions Examination Council (FFIEC) guidance, the court found in favor of the bank's customer. In accordance with the FFIEC guidance, the bank employed multifactor authentication and had the capacity to detect and stop possible fraud. However, the court still found the bank's security measures unreasonable due to two factors.

First, the bank failed to consider the circumstances of its customer's frequency and volume of ACH transactions when implementing security measures and developing security procedures. And second, it failed to monitor and provide notice of possible fraudulent transactions to the customer. A key takeaway from this court's opinion is that financial institutions must take a holistic approach to preventing and detecting fraud. Having the proper prevention and detection tools in place is just one aspect of a fraud mitigation strategy. Financial institutions should also have policies and procedures in place to effectively use their deployed resources and technology for the unique circumstances of each of their customers. Unfortunately, a "one-size-fits-all" approach does not work in the fraud prevention arena.

Though the court did not offer an opinion on the customer's obligations in this particular case, it did recognize that commercial customers also have "obligations and responsibilities" under Article 4A of the UCC. So, at least according to this court's opinion, the holistic approach to fraud prevention does not stop with the financial institution. Corporate customers must also incorporate systems and policies to prevent unauthorized access to their financial accounts and other sensitive documents. With corporate account takeover fraud showing no signs of slowing down, it is imperative that financial institutions and their corporate customers discuss each other's roles and obligations to effectively minimize their risks.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 20, 2012 in account takeovers, ACH

January 31, 2011

Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens


Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.

Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.

Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.

Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.

Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.

Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating this malware include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.

Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is the responsibility of each to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and their corporate customers to defend against cyberattacks.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud

October 18, 2010

Fighting back: Good news on the law enforcement front

I've noticed that blogs by their nature tend to focus on pointing out problems, this blog included. But I think it's also important to identify progress and celebrate victory in a society that appears to approach every topic from a negative angle. So here goes!

In the past, we've reported on all kinds of complications and issues in the cooperative efforts necessary to catch bad actors intent on defrauding folks in the payments space. This includes the sometimes difficult efforts of government and law enforcement to work together across borders. In the past few months, though, we've seen some significant accomplishments with respect to industry collaboration to address payments-related crimes.

First, we reported some time ago that a rift between the European Union and the FBI had resulted in the European Parliament's rescinding the FBI's access to the wire transaction data of SWIFT—short for the Society for Worldwide Interbank Financial Telecommunication. In late June 2010, the European Union, via the European Council, signed with little fanfare a new five-year contract with the United States, allowing U.S. authorities to continue sharing European bank data for the purpose of counterterrorism. The key to the renewal was the promise of stronger controls over data privacy and the presence of a third-party overseer to make sure that data provided to U.S. authorities were accurately maintained and procedures existed to manage redress if a person's private data was abused. This five-year deal ensures that the global fight to address the financial aspects of terror activities can proceed aggressively.

Second, we've spent some time in this space talking about the growing problem of corporate account takeovers over the Internet, in addition to traditional identity theft forays, particularly from foreign sources. We've also described the complexity of U.S. and foreign law enforcement authorities working together to apprehend instigators of such schemes. In the last few weeks, however, we've been delighted to see a spate of successes by European and U.S. authorities—often working together—that will send a message to perpetrators who may believe that they are free to conduct crime in cyberspace.

In partnership with Slovenian Criminal Police and the Spanish Guardia Civil, the FBI announced in July that a two-year investigation into European-based fraud activity had resulted in the arrest of the operators of the Mariposa Botnet, quickly followed by the arrest in Slovenia of the Botnet's creator, who was code-named "Iserdo." All parties lauded the value of the strong law enforcement partnerships present in this effort.

In August, U.S. and French authorities worked together to arrest a notorious cybercriminal owning the moniker of "BadB." Otherwise known as Vladislav Horohorin, BadB had been targeted by the U.S. Secret Service for some time. He was arrested by French authorities while traveling in France. If extradited to the United States, Horohorin faces up to 12 years in prison.

In September, U.S. and British authorities made what seem to be well-coordinated announcements concerning the wide-ranging arrests of Eastern European cybercriminals engaged in hacking and account takeover activities of British and U.S. small businesses. U.K. officials announced that the Metropolitan Police's e-crime Unit arrested 11 individuals in a predawn raid on charges of fraud and money-laundering activities that netted close to $40 million. This announcement was followed by an announcement from the New York U.S. Attorney's office that they had issued 60 arrest warrants and made 20 arrests for U.S.-based perpetrators involved in similar account takeover schemes. At least 37 of the individuals involved were so-called "money mules," hired by overseas criminals to open bank accounts and deposit funds stolen from businesses, then wire the funds overseas after keeping a nice fee. This effort featured extraordinary cooperation among the U.S. Attorney's Office for the Southern District of New York, the FBI, the New York Police Department, the Department of State Diplomatic Security Service, the New York Office of Homeland Security Investigation, and the U.S. Secret Service. The gang appears to have stolen at least $4.2 million from small businesses and security brokers in the United States.

At any rate, our hats are off to the various law enforcement authorities who successfully participated in these actions. We look forward to more such efforts as a growing deterrent to those who use cyberspace as a playground for financial crime. Mr. Horohorin may have plenty of company during his stay in the United States.

By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

October 18, 2010 in account takeovers, fraud, law enforcement

August 30, 2010

Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They're on the rise, but under control


NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.

In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.

Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.

Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.

ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.

Direct-access relationships
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.

Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and businesses is a move towards reducing fraud and risk in the ACH network.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

August 30, 2010 in account takeovers, ACH, fraud

Comments

To underscore the blog post, please see the following post from my blog: thepaymentsblog.com

Everything You Read Is Not Always Accurate


Last week I Tweeted about an article published by Digital Transactions on August 19, 2010 whose headline "A Survey Reveals a Rising Volume of Disputed ACH Debits" could have led readers to believe that all hell was breaking loose within the ACH industry. The article cited a survey conducted by eGistics in which financial institutions and payment processors indicated a 63% rise in disputed or unauthorized ACH transactions in 2009 when compared to 2008.

Well that article troubled me because I know through firsthand experience in running ACH businesses and as a NACHA Board member, how much real progress has been made to effectively manage ACH risk, especially the risks posed by unauthorized ACH transactions. So much work has been done by NACHA, the Risk Management Group and subsequent rules changes to reduce return item risk and volumes. Therefore, I did some investigation to better understand how eGistics came up with their numbers and cross-referenced them to the return numbers tracked and published by NACHA - the organization responsible for establishing and enforcing adherence to ACH rules within the network. NACHA’s numbers depict a far different picture than eGistics.

eGistics conducted a webinar last week to discuss their survey results. In that webinar, eGistics was asked to better describe the processors and financial institutions participating in the survey. eGistics indicated that many of their respondents experienced ACH growth far beyond the industry rate of 2%. These respondents had actually seen their ACH volume grow 20% or more - which then explains how return rates for these specific FIs and processors were higher due to their individual origination growth rates; not a true indication that return rates, as an industry, were once again climbing; nor a true reflection of the experience of all ACH originators. But it did explain to me the Digital Transactions headline – that is and was not representative of all ACH participants. The simple truth is that return rates of all kinds will increase as one’s origination volumes grow. However, the experience of a few does not a trend make and returns ARE going down, not up.

So I hope this provides a more complete picture; dispels any unwarranted fear and sets the record straight - return item volume has been declining ever since NACHA’s network rules and enforcement efforts became more robust.
So don’t believe everything you read (and I say that to me too) and ask questions to see what is really behind the headlines.

Posted by: Marcie J. Haitema | August 31, 2010 at 06:00 AM


May 24, 2010

Bank revenues and fraud detection: A marriage made in heaven?

Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.

The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.

Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.

The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank-resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant number of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.

Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.
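The positive-pay style screening for outbound ACH credits described above can be sketched in a few lines of Python. This is an added example, not code from the original post or from any bank's system; the field names, thresholds and sample payroll data are assumptions chosen for illustration.

```python
"""Screening an outbound payroll credit file against retained recent files."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Entry:
    routing: str       # receiving institution's routing number
    account: str       # receiving account number
    amount_cents: int  # credit amount in integer cents (no float rounding)


@dataclass(frozen=True)
class Batch:
    entries: Tuple[Entry, ...]
    submitted_by: str
    approved_by: Optional[str] = None  # second person, for dual control


# Illustrative thresholds (assumptions); a bank would tune these per customer.
MAX_NEW_PAYEE_RATIO = 0.10   # share of entries going to never-seen accounts
MAX_COUNT_DEVIATION = 0.25   # change in entry count vs. recent average
MAX_TOTAL_DEVIATION = 0.25   # change in dollar total vs. recent average


def _deviation(value: float, baseline: float) -> float:
    """Relative change from baseline; infinite if there is no baseline."""
    return abs(value - baseline) / baseline if baseline else float("inf")


def review_batch(history: Sequence[Batch], batch: Batch) -> List[str]:
    """Return the reasons to hold the file; an empty list means release."""
    reasons = []
    # Dual control: a second, different person must approve the file.
    if not batch.approved_by or batch.approved_by == batch.submitted_by:
        reasons.append("dual_control")
    if not history or not batch.entries:
        reasons.append("no_baseline_or_empty")
        return reasons
    # Positive-pay check: destination accounts absent from retained files.
    known = {(e.routing, e.account) for b in history for e in b.entries}
    new = [e for e in batch.entries if (e.routing, e.account) not in known]
    if len(new) / len(batch.entries) > MAX_NEW_PAYEE_RATIO:
        reasons.append("new_accounts")
    # Volume checks: entry count and dollar total against the recent average.
    base_count = mean(len(b.entries) for b in history)
    base_total = mean(sum(e.amount_cents for e in b.entries) for b in history)
    if _deviation(len(batch.entries), base_count) > MAX_COUNT_DEVIATION:
        reasons.append("entry_count")
    total = sum(e.amount_cents for e in batch.entries)
    if _deviation(total, base_total) > MAX_TOTAL_DEVIATION:
        reasons.append("dollar_total")
    return reasons


# Constructed sample data: ten employees paid $2,000.00 on three prior payrolls.
STAFF = tuple(Entry("000000000", f"10{n:04d}", 200_000) for n in range(10))
HISTORY = [Batch(STAFF, "clerk1", "manager1") for _ in range(3)]

# One new hire, properly approved: within every threshold.
ROUTINE = Batch(STAFF + (Entry("000000000", "109999", 200_000),),
                "clerk1", "manager1")
# Same count and total, but three destination accounts replaced.
SWAPPED = Batch(
    STAFF[:7] + tuple(Entry("000000001", f"77{n:04d}", 200_000) for n in range(3)),
    "clerk1", "manager1")
# Six large credits to unknown accounts appended, no second approver.
PADDED = Batch(
    STAFF + tuple(Entry("000000001", f"88{n:04d}", 950_000) for n in range(6)),
    "clerk1")

if __name__ == "__main__":
    for name, b in (("routine", ROUTINE), ("swapped", SWAPPED), ("padded", PADDED)):
        print(name, review_batch(HISTORY, b) or "release")
```

The swapped file shows why the account-number comparison matters: its entry count and dollar total match the baseline exactly, so only the new-account check holds it.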

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

May 24, 2010 in account takeovers, banks and banking, malware, wire transfer fraud

Comments

Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business client's offering.

Posted by: richard oliver | May 24, 2010 at 02:13 PM

The detection options listed should be added but it will take time to implement them uniformly which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade off decisions that banks make vary by an almost unbelievable degree.

It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g. adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge was conducted via another channel or out-of-band (a phone call) it would be even more effective.

Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.

Posted by: Rob | May 24, 2010 at 01:49 PM
