March 08, 2010
Smooth landings for payments call for a checklist
This week's blog features an interview with Devon Marsh, senior vice president and treasury management risk manager at Wells Fargo Bank, N.A. We asked Devon about his thoughts on managing risk in electronic retail payments today.
Devon, retail payments are growing increasingly complex, creating challenges for risk managers in financial institutions. We know that many of the traditional "tried and true" control processes can still be effective in today's changing environment and understand you are a proponent of compliance checklists as a primary risk management tool for your bank. Tell us a little more about why you value the checklist process.
In more than 1,000 landings as a naval aviator, I never once made a gear-up landing. I don't think I even came close to forgetting the landing gear, but I didn't take any chances. I used a checklist every time I landed. The checklist was necessary not because lowering the landing gear is difficult to remember—of course the gear needs to be down to land! It was necessary because any discrete task—even an important one—can be easy to forget. For this reason we see pilots use checklists all the time on television and in movies to ensure completion of important tasks. We even probably consider the use of checklists to be a defining characteristic of a cockpit environment. But aviation is not the only field in which people can benefit from checklists.
I recently read a new book titled The Checklist Manifesto, by Dr. Atul Gawande. Dr. Gawande is a surgeon and regular contributor to The New Yorker magazine. He has written two previous books based on the practice of medicine that provide useful lessons on risk management and process improvement. His new book offers compelling statistical evidence on how the use of simple checklists cuts down on critical errors.
A key example in The Checklist Manifesto recounts the development of a checklist to guide the procedure for inserting a central intravenous line in intensive care patients. The steps include elementary items such as handwashing. Because its content was so basic, the checklist was initially met with scorn by many practitioners. Nevertheless, consistent use of the checklist dramatically reduced central line infection rates and deaths in ICU wards where it was implemented.
This example seems particularly relevant in financial services since significant problems are often avoided through simple yet proactive control processes. Can you draw some parallels to a checklist that might be effective in ACH processing and describe how it might work?
That's right. Errors in payment processing seldom cost lives the way medical errors might, but they can be as costly as a lost or damaged aircraft. For this reason, I believe the checklist concept has great applicability for many of the risks we address in processing payments. For example, an electronic payment checklist for ACH might help payment originators comply with rules and regulations, avoid human errors, and reduce fraud. A basic electronic payment checklist might include 10 steps.
Electronic Payment Checklist
1. Authenticate the receiver or requester.
2. Confirm validity of authorization.
3. Verify account number of receiver or beneficiary.
4. Verify routing number of receiver or beneficiary.
5. Confirm effective date of transaction.
6. Confirm payment-related information.
7. Confirm sufficient funds in funding account.
8. Obtain internal approval for transaction.
9. Initiate transaction.
10. Confirm transaction.
Some of the steps are required by rule or by law, while others are simply necessary to route the transaction appropriately. When any one of the steps goes wrong, the resulting error decreases the efficiency of the payment process. It can even cause the entire transaction to be misrouted, possibly without an opportunity for recovery. The eighth step in this checklist is particularly important because it represents a traditional fraud mitigation method called "dual control." This traditional method has proven effective in mitigating the risk that outside entities will attempt to initiate or change a company's transactions by using the credentials of internal employees.
The final step in the checklist, confirming the transaction, is one that is frequently overlooked. It makes sure the financial institution receives the transaction that the initiator intended. This step is critical to ensure a payment has been positively handed off to the next participant in the processing flow.
It is interesting that such a simple control mechanism can still be effective. Why do you think some of the steps you’ve outlined in this checklist get overlooked?
Its utility rests on the fact that creating an ACH transaction involves a series of steps, any one of which can be missed or performed incorrectly. Consistent use of a checklist may help those who initiate payments to ensure each transaction complies with rules, is free of processing errors, and is received by the intended recipient. Financial institutions should consider sharing compliance checklists with customers who initiate payments through the ACH. In the world of payments, these are the elements of a smooth landing.
March 8, 2010 in ACH, Fraud, Risk Management | Permalink
February 08, 2010
Same-day ACH provides faster payments "across the pond"
Speed and convenience are driving innovations in payments. Nowhere can that be seen more clearly than the United Kingdom, where Faster Payments Service (FPS) is described as "ACH on steroids." FPS is a payments innovation that provides near real-time delivery and 24/7 accessibility for consumers. It enables customers to make electronic payments, typically via the phone and Internet, in a matter of hours rather than days.
The need for financial institutions to better compete with other same-day clearing changes (i.e., image exchange) coupled with consumer demand for immediacy and convenience in payments has spurred efforts to introduce expedited payments services like FPS both abroad and in the United States.
How does it work?
Launched on May 27, 2008, FPS was the culmination of a three-year initiative to reduce clearing times on phone, Internet, and standing order payments in the United Kingdom that previously took three days to process. The design and implementation of this new payments infrastructure involved several partners, including the U.K.'s Office of Fair Trading, the Payments System Task Force, the former APACS (Association for Payment Clearing Services), U.K. Payments, VocaLink, and 13 founding member banks.
The new service runs alongside existing payments channels in the United Kingdom such as BACS and CHAPS. The daily operations of FPS are managed by CHAPS, which is also responsible for the U.K.'s real-time, gross settlement payment system (CHAPS Sterling). CHAPS would be the equivalent of Fedwire and CHIPS in the United States. However, VocaLink provides the central infrastructure for FPS through its ATM/Debit network.
FPS only supports credit payments and imposes a £100,000 maximum on standing orders (regular payments made on the same date to a specific beneficiary) and a £10,000 maximum on single immediate payments (SIP) or ad hoc transactions. Customers are able to initiate payments over the phone or online all day, every day.
In its first year, FPS processed 180 million transactions representing £70 billion. According to a recent PricewaterhouseCoopers and VocaLink report, FPS had processed 240 million transactions as of July 2009. This volume is made up primarily of payments between personal account holders or from personal accounts to business accounts (i.e., bill payments).
FedACH to offer same-day service
There is particular interest in the U.K.'s experience with Faster Payments as similar efforts are under way to develop a same-day ACH service in the United States. In March 2009, the Federal Reserve announced plans to develop an intraday service for certain existing ACH debits. In particular, the new service would be limited to consumer checks converted to ACH (ARC, BOC, and POP) as well as consumer debits generated from Internet and telephone transactions (WEB and TEL).
There are at least two key differences in the United Kingdom and FedACH same-day services. Unlike the U.K.'s Faster Payments service, the FedACH settlement of same-day payments will not be real time. Settlement for ACH same-day will occur only once a day at 5 p.m. (see chart below). Also, consumer and corporate credits will not be included in the service.
However, similar to FPS, the FedACH same-day service is not mandatory. An opt-in participation agreement will be required from any financial institution engaging in the service. It is anticipated that the faster settlement will allow participating banks to gain earlier availability of funds as well as to identify return items and potentially fraudulent transactions earlier. Implementation of the service is scheduled for the second quarter of 2010.
| | FedACH Same-Day | U.K. Faster Payments Service |
|---|---|---|
| What types of payments are eligible? | Consumer checks converted to ACH and debits initiated over the telephone or Internet | Electronic payments made via the Internet, telephone and standing order payments |
| When will the service launch? | Second quarter 2010 | FPS was launched on May 27, 2008. |
| What type of settlement will it offer? | The same-day ACH service will be a batch-processed, gross settlement system. | FPS is a real time (no batches), net settlement system. |
| Is the service real time? | Entries will be deposited by 2 p.m., delivered by 4 p.m., and settled at 5 p.m. | FPS processes near real-time payments made via the phone or internet. P2P payments are processed 24/7/365, while standing orders are processed during banking hours. |
| What infrastructure does it use? | The FedACH network | VocaLink's existing ATM/Debit infrastructure |

Source: Federal Reserve, CHAPS
Global payments context is changing
The payments world is changing as emerging product innovations provide faster processing and delivery of payments. In general, faster payments reduce temporal risk for the parties to a transaction, that is, the lag time between the deposit of an item into a clearing system and the delivery and settlement of that item. There are lessons to be learned with each development—whether in the United States or across the globe—that can help better inform the design and implementation of future payments services. Ultimately, all of the participants benefit by collaborating to ensure a more secure payments system.
By Jennifer Grier, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
February 8, 2010 in ACH, Payments | Permalink
December 21, 2009
"Money mules" carry load for global cybercriminals
In November, Portals and Rails explored the industry implications of hacking attacks that have resulted in fraudulent funds transfers using online banking interfaces. This week, Portals and Rails revisits this topic, focusing on the tactics these fraudsters use to dupe unsuspecting individuals and organizations.
The FDIC released a special alert on October 29, warning financial institutions of an uptick in schemes to recruit individuals to receive and transmit unauthorized electronic funds transfers (EFTs) from deposit accounts to individuals overseas. These funds transfer agents, also referred to as "money mules," are solicited online by criminals who have gained unauthorized access to the account of a business or consumer. Typically, the criminal will originate unauthorized EFTs from the victim's account to the money mule's deposit account. The money mule is then instructed to quickly withdraw the cash and wire it overseas minus a "commission" of 8 to 10 percent.
Fraudsters perpetrate work-at-home scams using online job postings and social networking sites
A common hiring tactic for money mules is the offer of a work-at-home job or other seemingly legitimate position. Fraudsters will use online job search Web sites and social networking sites to persuade individuals to receive and forward stolen funds. According to the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), victims are often hired to "process payments," "transfer funds," or "reship products." Other victims sign up to be "mystery shoppers" where they receive fraudulent checks with instructions to cash the checks and wire the funds to "test" the performance of a money service business.
The job scams also provide the criminal an opportunity to commit identity theft against the money mule. The personal information provided on the "employment" application (e.g., Social Security number or bank account information) may be used to open credit cards, post online auctions, etc., in the money mule's name and possibly commit additional crimes.
Sophisticated fraudsters use malicious code and money mules to conduct unauthorized funds transfers
An FBI alert issued last month describes how fraudsters are increasingly using malicious code to conduct unauthorized ACH transfers with the help of money mules. Many of these cases involve exploiting the online banking credentials belonging to small and midsized businesses, municipal governments, and school districts.
A typical scenario involves a "spear phishing" e-mail being sent to someone within the company with either an infected attachment or directing the recipient to an infected website. Spear phishing is a phishing attack that targets a specific person and deceptively appears to come from an individual or organization that the potential victim would normally receive e-mails from. The email recipient would usually have authorization to make funds transfers on behalf of the company.
Once the recipient opened the attachment or visited the Web site, malware (malicious software code) containing a key logger would be installed on the recipient's computer. The key logger captures the keystrokes of the recipient's business or corporate bank account login information. Once this information is compromised, the perpetrator either creates another user account with the stolen login or directly initiates funds transfers through either ACH or wire transfer by assuming the legitimate user's identity. The transactions are typically in increments less than $10,000 to avoid currency transaction reporting. Money mules play an important role in these schemes by helping to facilitate the unauthorized transfer of funds.
Small and midsized businesses lose millions to online banking scams
Reportedly, small to midsized businesses in the United States have lost $40 million to online banking fraud since 2004. FBI analysis has found that the main threat from these schemes is not merely the malware but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider. In most cases, the victims' accounts were held at local community banks and credit unions, some of which used third-party service providers to process ACH transactions.
Many believe that the uptick in these types of fraudulent payment activities directly relates to the decline in the economy. Consequently, financial institutions, businesses, and consumers have to be vigilant in looking for signs of this activity. The Federal Financial Institutions Examination Council (FFIEC) provides guidance to financial institutions and technology service providers on authentication in an Internet banking environment. Money mule activity in particular is addressed by the Bank Secrecy Act and Anti-Money Laundering regulations. There are also resources available to consumers and businesses on how to protect themselves from these types of online scams.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
December 21, 2009 in ACH, Cybersecurity, Fraud, Law enforcement, Payments, Social networks | Permalink
November 23, 2009
Banks run more than just security risk with single-factor authentication
As described in a previous Portals and Rails post, various reports have indicated that business customers' online banking credentials are being compromised and the fraudsters are performing unauthorized EFT transactions using either the ACH or wire transfers to move money out of these accounts.
This recent phenomenon could be seen as part of a larger issue for security on the Web, prompting some to consider whether online banking security standards are adequate.
While a lot has been written on how this fraud happens, not much has focused on what happens next. The criminal side of this is fairly cut and dry. Law enforcement tries to track down the fraudsters and bring them to justice. If the FBI, Secret Service, or other agencies are able to track them down, apprehend them, and a conviction is made, the fraudsters spend some time in jail. The civil side of this is a little more complicated.
One civil case that has gotten some recent attention is the Shames-Yeakel case filed in federal court in Illinois. Marsha and Michael Shames-Yeakel had $26,500 stolen when an unknown person gained online access to the Shames-Yeakels' bank accounts by using Ms. Shames-Yeakel's username and password. The thief manipulated a line of credit and subsequently wired the funds out of the Shames-Yeakels' business account to Hawaii and then off to a bank in Austria. While there is probably a good joke about yodeling while playing the ukulele buried in all of this, the Shames-Yeakels are not laughing. In fact, the hills are alive with litigation.
The plaintiffs first turned to their bank, who indicated that under the bank's online banking agreement, the plaintiffs were responsible for the lost funds. They next turned to the Office of Thrift Supervision (OTS), the bank's primary regulator, seeking protections under Regulation E and Regulation Z. The OTS found that these regulations did not apply as they were applicable to consumer loans and lines of credit.
Ultimately, the Shames-Yeakels sued their bank. The legal viability of their claims was considered by the Court in its Aug. 21, 2009, ruling on the bank's motion for summary judgment.
While the court's opinion addressed a number of legal claims, it is the court's ruling on the plaintiffs' negligence claim that bankers should pay close attention to. The basis of this claim is that the bank and its third-party Internet banking service provider did not follow the Federal Financial Institutions Examination Council's (FFIEC's) updated 2005 guidance on authentication in an Internet banking environment. At the time of the incident, the bank had user name and password access to their online banking system. The FFIEC's guidance does not require banks to use dual-factor or multi-factor authentication for these accounts, but it does state that the federal regulatory agencies consider single-factor authentication, like user name and password, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In essence, the court indicated that while the facts must still be weighed by a jury, it declined to dismiss a negligence claim that the bank had breached a duty under Indiana law to protect the confidential information of its customers by failing to implement more robust security systems. The court stated: "In light of [the bank's] apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."
Another case to keep an eye on was filed in Maine this past September. The case involves a Maine-based construction company, Patco, which is suing its bank for $588,000, the same amount of money that was stolen from Patco's account over the course of an eight-day period in May. Similar to the Shames-Yeakel case, Patco is claiming that the bank failed to provide commercially reasonable protection because only a single-factor authentication system for its online banking system was in place. While no action has been taken as of yet, it will be interesting to see if the state court in Maine agrees with the U.S. District Court in Illinois, allowing this negligence claim to move forward.
By guest blogger Michael T. Stewart, assistant vice president at the Boston Fed
November 23, 2009 in ACH, Cybersecurity, Fraud, Identity theft | Permalink
September 28, 2009
Coordinating roles in mobile payments--who will we trust?
The concept of mobile payments is beginning to gain some traction as the industry grapples with environmental complexities—namely the myriad participants in the mobile payments arena, the multiple channels for a mobile payment to follow, and the ever-present questions about security. Who can be trusted to intercede among the various entities with an interest in the payments process? While a number of roles in the mobile payments arena are taking shape, the least known and possibly the most confusing is the concept of the trusted service manager (TSM). However, this role is also possibly the most critical to establishing a secure and trusted environment for mobile payments. So what exactly is a TSM and what are its responsibilities?
Complex environment for mobile payments
While anecdotes sometimes dismiss the anticipated speed to market of mobile payments as industry hype, the fact is that the ubiquity of the mobile phone is driving the convergence of telecom and payments. This convergence creates a far more complex environment for payments than ever before. Telecom participants and financial institutions have different regulatory and legal frameworks and distinctly different risk exposure, for example. Furthermore, the U.S. mobile payments environment will leverage existing payment channels, such as the automated clearinghouse (ACH) and the card networks. No one knows if the industry and market will ultimately prefer a particular channel. The result is an array of business models with a vast number of unrelated players with competing interests for customer revenue.
Stakeholders in the mobile payments business model
In addition to the traditional payments model that includes the customer, financial institutions, and perhaps payment processors, the developing mobile payments ecosystem also includes large groups of mobile network operators and handset makers who have no previous payments life cycle experience. For payment system interoperability, all participants must agree to operate under uniform technical operating and security standards. In this context, the role of a TSM is to manage collaboration among the various stakeholders.
Role of the TSM
The concept of the TSM was introduced by the Global System for Mobile Communications Association (GSM) in 2007 in an effort to improve interoperability among various and unrelated proprietary mobile networks. The core function of the TSM is to serve as a neutral and independent middleman between financial institutions, payment network operators, customers, and the mobile network operators.
Responsibilities envisioned for the TSM include managing contractual relationships with the large number of mobile network operators (MNOs) as well as acting as a single point of contact for banks and other payment service providers to communicate with customers they share with the MNOs and handset makers. The key to the TSM's success clearly is the financial wherewithal to inspire trust on behalf of the other payment participants and to support agreements with a large number of partners. Finally, the TSM should also provide the oversight for various systems among participants to ensure secure transmission of payments and personal data in the transaction.
Who should fill the role?
While the need for a TSM is recognized, there is no consensus on who should fill that role. MNOs, payment network operators, and financial institutions lack the economic incentives to form alliances with other participants in the payment ecosystem because of their competing interests for customer revenue. Whether the role is filled by a consortium of existing players or by a new entity yet to be formed will depend on an ability to fulfill these critical responsibilities from a position of neutrality and independence.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
September 28, 2009 in ACH, Card Networks, Mobile, Mobile Network Operator (MNO), Payments, Trusted Service Manager | Permalink
September 21, 2009
Not all payments are equal under "good funds" laws
Anyone who has participated in a real estate closing can attest that it can be a daunting experience. There are many parties with their hands out at the closing table to consummate the deal—the buyer, seller, and attorneys, to name a few. However, it can all collapse like a house of cards if the funds underlying the transaction are not collected or "good."
Ripple effects can be devastating when a lender fails to properly fund an escrow closing transaction. A notable case is the collapse of mortgage lender Abbey Financial in 1994, which resulted in hundreds of consumers over six states stranded with either unfunded mortgages or double mortgages because their first mortgage was not paid off in a loan refinancing. Many of Abbey's checks were dishonored, which left several attorneys with shortfalls in their trust accounts.
The aftermath of Abbey sent shock waves through the mortgage industry and prompted many states to enact "Good Funds" laws to ensure that the money funding a real estate purchase and refinance transaction is secure and ready for disbursement. The purpose of the law is to provide assurance to the consumer and other parties that the funds are in the proper hands before the deed or mortgage is recorded. This thereby protects the seller from conveying property to a buyer whose check is drawn on an account with insufficient funds.
What makes a payment "good"?
Typically, a closing agent will deposit all funds connected to a real estate transaction into an escrow account for disbursement at the closing. Most good funds laws stipulate the type of funds (e.g., cashier's checks, or wire transfers) that an escrow agent can accept. However, what is considered "good funds" can vary by state. In Georgia, for example, the law expressly permits certain types of checks:
A settlement agent may disburse proceeds from its escrow account after receipt of any of the following negotiable instruments even though the same are not collected funds: (1) a cashier's check from a federally insured bank, savings bank, savings and loan association, or credit union; (2) a check drawn on the escrow account of an attorney or real estate broker; (3) a check issued by the United States or Georgia; and (4) a check or checks not exceeding $5,000 in aggregate per loan closing.
Several states have taken a stricter approach in defining acceptable funds. Specifically, wire transfers are often the only funding mechanism allowed and, in some cases, are required for transactions over a certain dollar amount. Although not an exhaustive list, a general Internet search revealed that Indiana, Minnesota, Missouri, and Texas are among those states with good funds laws that limit electronic funds transfers to "wire transfers" instead of the broader "electronic payment," as defined in Regulation CC (12 CFR 220.10 (p)), which would otherwise permit funding using automated clearinghouse (ACH).
For example, the Indiana Good Funds Law defines wired funds as "good" but requires that they be "unconditionally held by and irrevocably credited to the escrow account of the closing agent." Only funds transferred through Fedwire or CHIPS are immediate, final, and irrevocable. Consequently, it appears that Indiana’s law excludes electronic fund transfers through ACH since consumer Regulation E rights with regard to unauthorized ACH credits may create some risk that ACH funding of a real estate transaction could be reversed long after the closing.
Secure funds important in uncertain times
The current housing crisis has undoubtedly caused some anxiety for all parties in a real estate transaction about the risk of a deal falling through. Numerous bank failures and increased real estate fraud have further complicated the process. Although there are differences by state, the good funds laws help to mitigate some of the risks by helping to ensure that the funding of real estate transactions is reliable.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
September 21, 2009 in ACH, Checks, Fraud, Risk | Permalink
August 17, 2009
Oliver: Funding of risk initiatives faces risky times
This week, we have a special guest blogger: Richard Oliver, an executive vice president with the Federal Reserve Bank of Atlanta. Oliver was a pioneer in electronic payments, working on a Fed system project with the U.S. Treasury to develop direct deposit. He was also instrumental in the Atlanta Fed becoming the second automated clearinghouse (ACH) operation in the United States. Since 1998 he has served as retail payments product manager for the Federal Reserve System. In this capacity, he has responsibility for managing the Fed's check and ACH businesses nationwide.
As we look forward to a slow but steady emergence of the banking industry from the current financial firestorm, the question arises as to how investments in the payment system will fare. More specifically, will banks and other payment system players secure funding for initiatives critical to mitigating payment fraud and risk?
Experiences gained from previous economic crises have reshaped individual and corporate attitudes and practices. Certainly, the folks who experienced the Great Depression turned into a generation of savers, conservative spenders, and cautious borrowers. Recent discussions with payment leaders have given rise to the possibility that conservative spending habits may be with us for some time. These habits may be manifested in restricted, prioritized spending on payment initiatives in general and fraud and risk mitigation efforts more specifically.
Given the already narrowing margins in retail payment profits, coupled with enterprisewide scrutiny of expenses across business silos, it is likely that payment organizations will have to prioritize spending in ways not typical of the last decade of innovation and constant change. These limitations will create choices concerning which investments are mandatory and which are discretionary. Investments in initiatives directed at data security and fraud detection might take a back seat to investments in relieving the pent-up demand for maintenance and enhancements of core payment and settlement systems or investments in exciting new technology.
In an ideal world, focused and well-reasoned business case analysis would dictate the priority of spending. My personal experience, however, has revealed that investments in fraud reduction, data security, etc., face an uphill battle when competing for scarce dollars. This phenomenon stems from three major factors.
First, there is always a perception that risk/fraud expenditures are discretionary. It remains to be seen if the staggering cost of poor risk management that led to the financial crisis, coupled with the everyday visibility of fraud schemes, will help shed the discretionary label. Discretion, by the way, not only involves expenditures on new artificial intelligence software or high-tech encryption devices; it also involves more subtle decisions about the number of staff authorized to monitor systems, notify customers of breaches, and research problems. After all, the risks involved in past lending and investment practice that were at the heart of the financial crisis largely involved "payment" of obligations and not "payments."
Second, to do effective business case analysis, good data must be present. It is not at all clear whether banks and other payment providers have transparent and reliable systems in place to detect, measure, and categorize fraud in a way that allows its financial impacts to be estimated. Certainly, banks have historically been reluctant to share such data externally. Further, do banks have in place systems that can collect and allocate fraud management costs in such a way as to complete a meaningful cost-benefit analysis? Without good data, business case analysis becomes an art, not a science. Clearly, for bad actors fraud is their core business; there is no business case to explore and no budget committee to satisfy. In fact, their pursuits are recession proof.
Finally, investments are about the future, not the past. My personal experience in this area is that the past is a poor predictor of the future. In that light, how does an organization forecast likely trends in fraud losses? Is the past a good predictor of the future? Can recent trends such as the reduction of unauthorized activity in the ACH network reasonably be extrapolated, or will the fraudsters simply move to another payment channel where controls are weaker? More importantly, will new technology help bad actors commit fraud more easily or help banks do a better job of detecting and preventing fraud? Should the business case for the future depend on average industry trend data or should it protect against "the big one," the major incident that culminates in a $100 million–$200 million loss? Answers to these questions will ultimately separate the prepared from the unprepared.
Regardless of the answers to these perpetually difficult questions, most of which will stem from core experiences and individual philosophies, one thing is certain in the wake of our recent experience: Reputation is more important than ever. Positive reputations are difficult to build, hard to maintain, easy to lose, and even harder to reclaim. The value placed on reputation must be carefully considered by senior decision makers in setting the course for the future.
August 17, 2009 in ACH, Payment System, Risk Management
August 03, 2009
Accounting for ACH losses: What are the right numbers to crunch?
From talking with a number of industry players, it has become increasingly clear that there is both a healthy desire for ACH origination loss data to help understand risks and also business practices that limit the extent to which data to benchmark ACH losses are available in the first place. The challenge is to reconcile these two conflicting objectives.
Many banks today treat ACH origination as credit underwriting, particularly for business customers. Given this, one way banks may account for losses as a result of ACH origination is as credit losses against loan loss reserves or other similar accounts. This method is entirely appropriate as a risk management practice given the potential for losses the ACH originating bank may incur as a result of unauthorized debit items that are returned by the receiver through its bank. The originating bank, having already credited its customer’s account, may find itself unable to collect the returned item and thus may incur a loss.
NACHA does publish aggregate trend data on what is probably the best metric it has available—unauthorized returns as a percentage of all ACH debits in the network. While this is a good starting point, it is not a fully accurate picture of the actual losses banks may incur as a result of ACH origination (whether for debits or credits). While the trend of unauthorized debit returns is instructive, it does not explain the dollar losses to banks.
Further, while it is likely that most banks track or have the ability to track their losses from ACH origination, there is no standard regulatory or other financial reporting for banks to report ACH loss information. Such losses may be attributable to fraud or not, but the extent of these losses in terms of aggregate dollars and velocity is likely to be a more robust data point for analysis of ACH fraud and ACH origination risks than the data available today. Improved data on banks’ ACH loss experience would go a long way to explain the true extent of ACH origination risk within the network overall and may promote banks’ ability to benchmark their own losses in an effective way. It also would enable both the network and individual banks to better tailor their risk management efforts. Most importantly, having more data could help dispel any mistaken assumptions about how much financial loss banks are experiencing from operational and fraud risks in ACH origination activities.
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.
August 3, 2009 in ACH, Banks and Banking, Fraud, Risk, Risk Management
July 24, 2009
Transparency: Seeing through International ACH
There are anecdotal reports that some financial institutions are treating their preparatory efforts for the new international ACH transaction (IAT) rule and format like a Y2K event. However, they shouldn’t lose sight of the fact that the industry stands to reap substantial benefits from the new rule, largely because of improved transparency in the ACH network. As you may be aware, the new IAT rule and format go into effect on Sept. 18, 2009. NACHA, the rulemaking body for the ACH network, has conducted extensive industry outreach to provide education on the new rule and format.
In many respects, the change in the international ACH transaction format is attributable to the Office of Foreign Assets Control (OFAC). OFAC administers and enforces economic and trade sanctions in accordance with U.S. foreign policy and national security goals against targeted foreign entities such as international drug traffickers, terrorists, and other threats. In the late 1990s, OFAC began to have concerns about abuses from terrorists in cross-border ACH transactions. OFAC had reason to believe that we needed better safeguards for our financial system, especially after 9/11. The ACH network today is increasingly vulnerable to potential abuse with respect to the international cross-border movement of funds because use of the ACH has expanded from recurring transactions between known and trusted parties to one-off transactions, and because of the speed and efficiency of the ACH network in general.
To address its concerns, OFAC worked with NACHA to construct a payment format that would permit sufficient information to identify parties to the cross-border transaction. In 2004 NACHA began working with OFAC on a proposed rule change for international ACH transactions and a new format that would include the data elements from the Bank Secrecy Act’s (BSA) “travel rule.” Essentially, the BSA travel rule includes more robust information about the payment originator and beneficiary so that a financial institution can review the transaction for OFAC compliance. When the IAT rule goes into effect, all transactions that meet the new definition of international ACH transactions made via the ACH Network will be required to use the IAT SEC code.
The IAT code will make it easier for financial institutions to identify international payments in the ACH network since currently many transactions are mistakenly coded as domestic. This mistake occurs because today many international payments are introduced into the U.S. ACH network through domestic correspondent relationships and are then inadvertently transmitted as domestic transactions. So the new code will make it easier for financial institutions to identify these payments and comply with their OFAC obligations, which incidentally, have not changed. IAT really creates more transparency in two significant ways: by identifying the transaction as international and by revealing all parties to the cross-border transaction. In the end, transparency in retail payment systems is a good thing and should help the banking industry combat fraud and other abuses in the ACH network.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
July 24, 2009 in ACH, Fraud, Money laundering, Risk
Comments
Thanks for posting this good information and keep posting with more new information...
Regards,
accounts outsourcing
Posted by: accounting services | July 28, 2009 at 02:25 AM
June 07, 2009
How much risk lurks in the shadows of daylight overdraft?
With the U.S. banking system in financial distress, the Fed provides payments services to a greater number of problem banks. So how much of an issue is the credit risk associated with retail payments today? As you know, financial institutions, much like the commercial and retail customers they serve, from time to time experience the need for overdraft credit—short-term loans to accommodate the management of incoming and outgoing funds. The Fed provides daylight overdraft protection to financial institutions that experience timing differences in ACH service offerings so that they can meet their cash flow obligations, in the same way a financial institution provides overdraft protection. The Fed, like any prudent lender, also maintains a responsibility to carefully manage the credit risk exposure from these provisions of credit. The need for the Fed to monitor ACH activity for overdraft exposure becomes critical when a financial institution's health is in question.
How does the Fed monitor the financial health of financial institutions?
It is important to remember that the Fed is also a bank regulator, and it works collaboratively with other bank regulators to monitor bank conditions. When a bank's financial condition deteriorates, the agencies communicate the institution's regulatory rating and other relevant information to the Fed in its U.S. payments oversight role. Wearing that hat, the Fed may choose to restrict lending in a number of ways, such as limiting access to daylight credit.
Real-time monitor
One tool that can be used to restrict daylight credit access is "real-time monitoring" (RTM), which is implemented through the Account Balance Monitoring System (ABMS). With RTM, the Fed can reject certain transactions from posting to an institution's account if that posting would cause the institution to exceed its daylight credit limits. Under RTM, any funds transfers from the account or ACH credit originations (which are required to be prefunded) that would cause an institution to exceed its daylight credit capacity would be rejected.
Interest on reserves and daylight overdrafts
One conundrum in this equation is that the need for overdrafts has diminished recently as banks began maintaining higher reserves, prompted by the Fed's decision to start paying interest on reserve balances. Before, banks were reluctant to hold too many reserves because they were a nonearning asset. Since the Fed didn't compensate banks for holding the reserves, banks could find more rewarding uses for their funds. With more reserves in the system, the need for intraday borrowing from the Fed has decreased. Whether that trend will continue as the economy improves and the financial condition of the banking sector stabilizes, thereby creating more lucrative uses for excess reserves, remains to be seen—but then maybe we won't have as many high-risk banks as the economy improves. Let's hope not.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
June 7, 2009 in ACH, Banks and Banking


E commerce and money transfers require real time payment confirmation. That is why credit cards are so popular. Online banking can do the same. We automate the payment process for the consumer to 3 clicks and confirm the payment in real time to the payee. The funds settle later. 99.999999% good funds.