Retail Payments Risk Forum

Portals and Rails

August 30, 2010

Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They’re on the rise, but under control

Podcast (MP3, 15:07) and transcript available.

NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.

In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.

Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.

Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.

ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.

Direct-access relationships
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track these relationships and promote due diligence in accordance with the originating depository financial institution's (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.

Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk affect financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and businesses is a move toward reducing fraud and risk in the ACH network.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

August 30, 2010 in account takeovers, ACH, fraud

Comments

To underscore the blog post, please see the following post from my blog: thepaymentsblog.com

Everything You Read Is Not Always Accurate


Last week I Tweeted about an article published by Digital Transactions on August 19, 2010 whose headline "A Survey Reveals a Rising Volume of Disputed ACH Debits" could have led readers to believe that all hell was breaking loose within the ACH industry. The article cited a survey conducted by eGistics in which financial institutions and payment processors indicated a 63% rise in disputed or unauthorized ACH transactions in 2009 when compared to 2008.

Well, that article troubled me because I know, through firsthand experience in running ACH businesses and as a NACHA Board member, how much real progress has been made to effectively manage ACH risk, especially the risks posed by unauthorized ACH transactions. So much work has been done by NACHA, the Risk Management Group and subsequent rules changes to reduce return item risk and volumes. Therefore, I did some investigation to better understand how eGistics came up with their numbers and cross-referenced them to the return numbers tracked and published by NACHA, the organization responsible for establishing and enforcing adherence to ACH rules within the network. NACHA's numbers depict a far different picture than eGistics' do.

eGistics conducted a webinar last week to discuss their survey results. In that webinar, eGistics was asked to better describe the processors and financial institutions participating in the survey. eGistics indicated that many of their respondents experienced ACH growth far beyond the industry rate of 2%. These respondents had actually seen their ACH volume grow 20% or more, which then explains how return rates for these specific FIs and processors were higher due to their individual origination growth rates; not a true indication that return rates, as an industry, were once again climbing, nor a true reflection of the experience of all ACH originators. But it did explain to me the Digital Transactions headline, which is not and was not representative of all ACH participants. The simple truth is that return rates of all kinds will increase as one's origination volumes grow. However, the experience of a few does not a trend make, and returns ARE going down, not up.

So I hope this provides a more complete picture, dispels any unwarranted fear and sets the record straight: return item volume has been declining ever since NACHA's network rules and enforcement efforts became more robust.
So don't believe everything you read (and I say that to me too), and ask questions to see what is really behind the headlines.

Posted by: Marcie J. Haitema | August 31, 2010 at 06:00 AM


August 02, 2010

Fight against payments fraud: The target is moving, but not everybody takes aim

Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.

Regarding the evolution of payments fraud, the technologies that enable electronic payment innovations are the same ones that help bad actors gain access to consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Reports (SARs) filed by depository institutions for computer intrusion, while small relative to other categories at around 1 percent of suspicious activity-type filings, increased roughly 52 percent in 2009 from 2008.


[Figure: Changes in Types of Suspicious Activity, 2008-09]

This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.


[Figure: FinCEN Suspicious Activity Report filings by depository institutions]

Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.


[Figure: Prevalence of Payments Fraud in 2009]

Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used control against check fraud is positive pay, in which the bank compares each check presented for payment against the organization's issue file (check number and amount, and with payee positive pay the payee name as well) and holds any item that does not match for the customer's pay-or-return decision. For ACH payments, companies can use debit blocks, which reject every ACH debit to an account, and debit filters, which allow debits only from originators the company has authorized. Other traditional internal controls, including daily reconciliation and separation of duties, are effective measures, especially in concert with sound practices at the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and moving the transmission of payment instructions from phone or fax to more secure channels, to name just a few.
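The positive pay and debit-filter matching described above, as an added example that is not part of this post or of the AFP report. It is also the daily reconcilement Larimer recommends in the August 30 post further up the page: the same comparison of what the business issued or authorized against what the bank actually paid. The issue file, the presented items, the originator company IDs and the per-originator caps are constructed sample data, not real records.

```python
# Positive pay for checks and a debit filter for ACH (added example; constructed data).
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable


@dataclass(frozen=True)
class IssuedCheck:
    number: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    number: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class AchDebit:
    originator_id: str      # company identification carried in the ACH batch header
    amount: Decimal
    description: str


def positive_pay_exceptions(issued: Iterable[IssuedCheck],
                            presented: Iterable[PresentedItem]) -> list:
    """Compare items presented for payment against the issue file; return the items to hold."""
    issue_file = {c.number: c for c in issued}
    already_paid = set()
    exceptions = []
    for item in presented:
        expected = issue_file.get(item.number)
        if expected is None:
            exceptions.append((item, "no matching issue record"))       # counterfeit or out of sequence
        elif item.number in already_paid:
            exceptions.append((item, "duplicate presentment"))
        elif item.amount != expected.amount:
            exceptions.append((item, f"amount altered: issued {expected.amount}, presented {item.amount}"))
        elif item.payee.casefold() != expected.payee.casefold():
            exceptions.append((item, "payee altered"))                  # payee positive pay
        else:
            already_paid.add(item.number)
    return exceptions


def ach_debit_filter(authorized: dict, debits: Iterable[AchDebit]) -> list:
    """Debit filter: only listed originators may debit the account, each up to a per-item cap.
    Everything else is returned unpaid; a debit block is the special case of an empty list."""
    rejected = []
    for d in debits:
        cap = authorized.get(d.originator_id)
        if cap is None:
            rejected.append((d, "originator not on the authorized list"))
        elif d.amount > cap:
            rejected.append((d, f"exceeds authorized maximum of {cap}"))
    return rejected


# Constructed sample data (hypothetical checks, payees and originator IDs).
SAMPLE_ISSUED = [
    IssuedCheck("1001", Decimal("250.00"), "Acme Supply"),
    IssuedCheck("1002", Decimal("1200.00"), "City Utilities"),
    IssuedCheck("1003", Decimal("75.50"), "Office Mart"),
]
SAMPLE_PRESENTED = [
    PresentedItem("1001", Decimal("250.00"), "Acme Supply"),
    PresentedItem("1002", Decimal("9200.00"), "City Utilities"),   # amount raised after issue
    PresentedItem("1005", Decimal("4300.00"), "J. Doe"),           # never issued
    PresentedItem("1001", Decimal("250.00"), "Acme Supply"),       # presented a second time
]
SAMPLE_AUTHORIZED = {"1234567890": Decimal("5000.00")}            # originator ID -> per-debit cap
SAMPLE_DEBITS = [
    AchDebit("1234567890", Decimal("1500.00"), "PAYROLL SVC"),
    AchDebit("1234567890", Decimal("7500.00"), "PAYROLL SVC"),
    AchDebit("9988776655", Decimal("2000.00"), "INVOICE 4471"),
]

if __name__ == "__main__":
    for item, why in positive_pay_exceptions(SAMPLE_ISSUED, SAMPLE_PRESENTED):
        print(f"HOLD check {item.number}: {why}")
    for d, why in ach_debit_filter(SAMPLE_AUTHORIZED, SAMPLE_DEBITS):
        print(f"RETURN debit from {d.originator_id} for {d.amount}: {why}")
```

Run as a script it holds check 1002 (amount altered), 1005 (never issued) and the second presentment of 1001, and returns the $7,500 debit (over the cap) and the debit from the unlisted originator. The same functions reconcile a day's bank statement against the company's own records: anything the bank paid that the company cannot match is the first sign of a takeover.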

Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.


[Figure: Reasons for Not Using Positive Pay, Debit Blocks or UPIC]

Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

August 2, 2010 in ACH, card networks, check fraud, consumer fraud, fraud, online banking fraud, risk


June 29, 2010

Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks

ACH volumes have grown rapidly over the past decade, as the network has expanded beyond prearranged, recurring payments between known and trusted parties to include converted checks and one-time transactions originated over the Internet or by telephone. New ACH services have heightened concerns about risk because of the potential associated growth in ACH returns for reasons such as insufficient funds, presentment to closed accounts, and unauthorized transactions, to name just a few. To gauge the level of risk in a financial institution’s ACH origination business, it may seem reasonable to use the rate of these returned items as a possible benchmark. If an ACH originator's return rate is consistently below the industry average, we should be confident that its ACH risk management practices are generally sound, shouldn't we?

Not necessarily, according to a new Federal Reserve study. The researchers—Olivier Armantier, Michele Braun, and Dennis Kuo of the New York Fed and Ron Feldman, Mark Lueck, and Richard Todd of the Minneapolis Fed—recently conducted a study using FedACH data to look at ways to improve the benchmarks used to monitor ACH returns to shed some light on today's ACH risk environment. The study held some interesting and noteworthy findings.

Average return rates are not necessarily a good benchmark for measuring risk
The Federal Reserve study shows that about 75 percent of all consumer debit originators were below the FedACH average for consumer debit return rates during spring 2006. This large percentage stems from the fact that the average is elevated by a small number of very large originators who also have higher return rates. Consequently, some originators who fall below the average may still have rates significant enough to deserve attention. In short, while average return rates are almost the only benchmark currently available, they do not provide the most effective proxy for assessing ACH return risk management.

Better benchmarks could be constructed
The Fed study illustrates how more informative benchmarks could be computed by exploiting the ACH transactions data. The authors used FedACH data on all consumer debit forward and return items originated for a period in mid-2006. By developing a methodology that matched about 90 percent of return items to their original forward item, they could tabulate rich sets of statistics, covering the whole distribution of ACH return rates, not just the average. Their analysis tabulates return rate distributions for several individual standard entry class (SEC) codes, as well as the overall distribution of ACH transaction types, leading to the following additional results:

  • Size doesn't matter much. ACH return rates for small and large originators are not very different for most SEC codes. In fact, overall and for most types of consumer debits, the median small originator has a slightly lower return rate than the median large originator, when size is measured by deposits. Return rates were also not strongly related to the originating depository financial institution's volume of originations. Thus, it would be a mistake to read deposit size or institution size as a proxy for sophistication in managing the quality of ACH originations.
  • TEL and WEB are both risky, but in different ways. The average return rates for both telephone-initiated transactions (SEC code TEL) and web-initiated transactions (SEC code WEB) were high relative to most other types of consumer debits, but in different ways. TEL risks were higher across the board, so that well-below-median TEL return rates were still high compared to typical consumer debit return rates. By contrast, most WEB originators experienced lower returns on WEB than on consumer debits generally. However, a minority of WEB originators with significant volumes and very high return rates pulled the average return rate for WEB somewhat above the average return rate of all consumer debits.
  • Returns come fast and are mostly the result of insufficient funds. In mid-2006, more than 98 percent of all returns occurred within five days of origination, with more than 70 percent returned due to insufficient funds. For the small minority of returns that take more than five days, authorization issues predominate.

Better benchmarks can help banks manage ACH risk
Using and customizing the type of analysis done in the Fed study has the potential to help originating banks better understand risks and therefore more efficiently deter fraud. For example, both originating banks and bank regulators could analyze the distribution of return rates and reason codes by bank peer group to gain a better sense of an individual institution's risk management practices. At the broadest level, linking returns to forward items can efficiently provide a rich array of benchmarks to help originators better monitor their ACH returns and enhance the quality of information they provide to their boards of directors. Similarly, by going beyond the average return rate concept, regulators could use the approaches adopted in the Fed study to better supervise ACH originators, or industry associations could use them to improve industry standards. In short, the sun could be setting on the days of taking false comfort from the Lake Wobegon-ish achievement of a below-average return rate.
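To make the study's point concrete, here is an added example (not the Fed study's code or data) that matches constructed return items to their forward items by trace number and tabulates the statistics the post describes: the volume-weighted average, the median, the share of originators below the average, rates by SEC code, the reason mix and the return lag. The originators, volumes and return counts are made up so that nine small PPD originators sit at 1 percent and one large WEB originator at 5 percent; R01 and R10 are the standard NACHA return reason codes for insufficient funds and unauthorized consumer debit.

```python
# Return-rate benchmarks from matched forward and return items (added example; constructed data).
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class ForwardItem:
    trace: str        # trace number; a return carries the original trace, which is the join key
    originator: str
    sec_code: str     # PPD, WEB, TEL, ...
    settled: date


@dataclass(frozen=True)
class ReturnItem:
    trace: str
    reason: str       # R01 insufficient funds, R10 unauthorized, ...
    returned: date


def match_returns(forward, returns):
    """Join returns to forward items by trace number; unmatched returns are reported, not dropped."""
    index = {f.trace: f for f in forward}
    matched, unmatched = [], []
    for r in returns:
        f = index.get(r.trace)
        if f is None:
            unmatched.append(r)
        else:
            matched.append((f, r))
    return matched, unmatched


def rates_by_originator(forward, matched, sec_code=None):
    """Per-originator return rate, optionally restricted to one SEC code."""
    def wanted(f):
        return sec_code is None or f.sec_code == sec_code
    fwd = Counter(f.originator for f in forward if wanted(f))
    ret = Counter(f.originator for f, _ in matched if wanted(f))
    return {o: ret[o] / n for o, n in fwd.items()}


def summarize(forward, returns):
    """The benchmarks the post describes, computed from the matched items."""
    matched, unmatched = match_returns(forward, returns)
    rates = rates_by_originator(forward, matched)
    ordered = sorted(rates.values())
    average = len(matched) / len(forward)          # the volume-weighted "network average"
    fwd_by_sec = Counter(f.sec_code for f in forward)
    ret_by_sec = Counter(f.sec_code for f, _ in matched)
    lags = [(r.returned - f.settled).days for f, r in matched]
    reasons = Counter(r.reason for _, r in matched)
    return {
        "originators": len(rates),
        "matched_returns": len(matched),
        "unmatched_returns": len(unmatched),
        "volume_weighted_average": average,
        "median_rate": median(ordered),
        "share_below_average": sum(x < average for x in ordered) / len(ordered),
        "rate_by_sec": {s: ret_by_sec[s] / n for s, n in fwd_by_sec.items()},
        "share_returned_within_5_days": sum(lag <= 5 for lag in lags) / len(lags),
        "top_reason": reasons.most_common(1)[0][0],
    }


def build_sample():
    """Constructed data: nine small PPD originators at 1% returns, one large WEB originator at 5%."""
    forward, returns = [], []
    settled = date(2006, 5, 1)

    def add(originator, sec, n_items, return_spec):
        # return_spec: (reason, days until return) for the first len(return_spec) items
        for i in range(n_items):
            trace = f"{originator}-{sec}-{i:05d}"
            forward.append(ForwardItem(trace, originator, sec, settled))
            if i < len(return_spec):
                reason, lag = return_spec[i]
                returns.append(ReturnItem(trace, reason, settled + timedelta(days=lag)))

    for k in range(9):
        add(f"SMALL{k}", "PPD", 200, [("R01", 2), ("R10", 45)])
    add("BIG1", "WEB", 10_000, [("R01", 2)] * 480 + [("R10", 40)] * 20)
    returns.append(ReturnItem("NO-SUCH-TRACE", "R01", settled))   # a return that cannot be matched
    return forward, returns


if __name__ == "__main__":
    fwd, ret = build_sample()
    for key, value in summarize(fwd, ret).items():
        print(f"{key}: {value}")
```

On this sample the volume-weighted average is about 4.4 percent while the median originator sits at 1 percent, so nine of the ten originators are "below average" even though the one above it originates most of the volume; that is exactly the effect the study describes. Matching on the trace number is what makes the per-originator, per-SEC-code and lag views possible at all; counting returns and forward items separately gives only the average.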

By guest blogger Richard M. Todd, vice president, Community Affairs and Banking and Policy Studies at the Minneapolis Fed

June 29, 2010 in ACH, bank supervision, fraud, risk


March 08, 2010

Smooth landings for payments call for a checklist

This week's blog features an interview with Devon Marsh, senior vice president and treasury management risk manager at Wells Fargo Bank, N.A. We asked Devon about his thoughts on managing risk in electronic retail payments today.

Devon, retail payments are growing increasingly more complex, creating challenges for risk managers in financial institutions. We know that many of the traditional "tried and true" control processes can still be effective in today's changing environment and understand you are a proponent of compliance checklists as a primary risk management tool for your bank. Tell us a little more about why you value the checklist process.

In more than 1,000 landings as a naval aviator, I never once made a gear-up landing. I don't think I even came close to forgetting the landing gear, but I didn't take any chances. I used a checklist every time I landed. The checklist was necessary not because lowering the landing gear is difficult to remember—of course the gear needs to be down to land! It was necessary because any discrete task—even an important one—can be easy to forget. For this reason we see pilots use checklists all the time on television and in movies to ensure completion of important tasks. We even probably consider the use of checklists to be a defining characteristic of a cockpit environment. But aviation is not the only field in which people can benefit from checklists.

I recently read a new book titled The Checklist Manifesto, by Dr. Atul Gawande. Dr. Gawande is a surgeon and regular contributor to The New Yorker magazine. He has written two previous books based on the practice of medicine that provide useful lessons on risk management and process improvement. His new book offers compelling statistical evidence on how the use of simple checklists cuts down on critical errors.

A key example in The Checklist Manifesto recounts the development of a checklist to guide the procedure for inserting a central intravenous line in intensive care patients. The steps include elementary items such as handwashing. Because its content was so basic, the checklist was initially met with scorn by many practitioners. Nevertheless, consistent use of the checklist dramatically reduced central line infection rates and deaths in ICU wards where it was implemented.

This example seems particularly relevant in financial services since significant problems are often avoided through simple yet proactive control processes. Can you draw some parallels to a checklist that might be effective in ACH processing and describe how it might work?

That's right. Errors in payment processing seldom cost lives the way medical errors might, but they can be as costly as a lost or damaged aircraft. For this reason, I believe the checklist concept has great applicability for many of the risks we address in processing payments. For example, an electronic payment checklist for ACH might help payment originators comply with rules and regulations, avoid human errors, and reduce fraud. A basic electronic payment checklist might include 10 steps.


Electronic Payment Checklist
[ ] 1. Authenticate the receiver or requester.
[ ] 2. Confirm validity of authorization.
[ ] 3. Verify account number of receiver or beneficiary.
[ ] 4. Verify routing number of receiver or beneficiary.
[ ] 5. Confirm effective date of transaction.
[ ] 6. Confirm payment-related information.
[ ] 7. Confirm sufficient funds in funding account.
[ ] 8. Obtain internal approval for transaction.
[ ] 9. Initiate transaction.
[ ] 10. Confirm transaction.

Some of the steps are required by rule or by law, while others are simply necessary to route the transaction appropriately. When any one of the steps goes wrong, the resulting error decreases the efficiency of the payment process. It can even cause the entire transaction to be misrouted, possibly without an opportunity for recovery. The eighth step in this checklist is particularly important because it represents a traditional fraud mitigation method called "dual control." This traditional method has proven effective in mitigating the risk that outside entities will attempt to initiate or change a company's transactions by using the credentials of internal employees.

The final step in the checklist, confirming the transaction, is one that is frequently overlooked. It makes sure the financial institution receives the transaction that the initiator intended. This step is critical to ensure a payment has been positively handed off to the next participant in the processing flow.
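The ten steps as a working control, added here as an example rather than Wells Fargo's or the interviewee's own code. The payee records, authorization expiry dates, approver list and bank acknowledgement are hypothetical stand-ins for the real systems; the routing number check-digit rule (weights 3, 7, 1 repeated over the nine digits, weighted sum divisible by 10) is the published ABA rule, and the routing number 123456780 in the sample is made up to satisfy it.

```python
# The electronic payment checklist as code (added example; hypothetical context, constructed data).
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


def routing_number_valid(rtn: str) -> bool:
    """ABA check digit: weights 3,7,1 repeated; the weighted digit sum must be divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


@dataclass(frozen=True)
class Payment:
    payee: str
    routing_number: str
    account_number: str
    amount: Decimal
    effective_date: date
    memo: str               # payment-related information (invoice number, pay period, ...)
    initiated_by: str


@dataclass(frozen=True)
class Context:
    today: date
    verified_payees: dict   # payee -> (routing, account) confirmed out of band at setup (step 1)
    authorizations: dict    # payee -> date the authorization on file expires (step 2)
    available_balance: Decimal
    approvers: frozenset    # users who may give the second approval (step 8, dual control)


def checklist_failures(p: Payment, ctx: Context, approver: str) -> list:
    """Run steps 1-8; an empty result means the payment may be initiated."""
    failures = []
    verified = ctx.verified_payees.get(p.payee)
    if verified is None:
        failures.append("1: receiver not authenticated")
    expiry = ctx.authorizations.get(p.payee)
    if expiry is None or expiry < p.effective_date:
        failures.append("2: no valid authorization on file")
    if verified and p.account_number != verified[1]:
        failures.append("3: account number differs from verified record")
    if not routing_number_valid(p.routing_number) or (verified and p.routing_number != verified[0]):
        failures.append("4: routing number fails check digit or differs from verified record")
    if p.effective_date < ctx.today:
        failures.append("5: effective date is in the past")
    if not p.memo.strip():
        failures.append("6: payment-related information missing")
    if p.amount <= 0 or p.amount > ctx.available_balance:
        failures.append("7: amount not covered by available funds")
    if approver == p.initiated_by or approver not in ctx.approvers:
        failures.append("8: dual control not satisfied")
    return failures


def wire_format(p: Payment) -> dict:
    """The fields that actually leave the company; what step 10 compares against."""
    return {"routing": p.routing_number, "account": p.account_number,
            "amount": str(p.amount), "effective": p.effective_date.isoformat()}


def submit_to_bank(p: Payment) -> dict:
    """Hypothetical stand-in for the bank's origination channel: acknowledges what it received."""
    return wire_format(p)


def initiate_and_confirm(p: Payment, ctx: Context, approver: str, submit=submit_to_bank):
    """Steps 9 and 10: initiate only when 1-8 pass, then confirm the acknowledgement matches intent."""
    failures = checklist_failures(p, ctx, approver)
    if failures:
        return False, failures
    ack = submit(p)
    mismatches = [k for k, v in wire_format(p).items() if ack.get(k) != v]
    return (not mismatches), [f"10: acknowledgement differs in {k}" for k in mismatches]


# Constructed sample; 123456780 is a made-up routing number that passes the check digit.
CTX = Context(
    today=date(2010, 3, 8),
    verified_payees={"Acme Supply": ("123456780", "000111222")},
    authorizations={"Acme Supply": date(2010, 12, 31)},
    available_balance=Decimal("10000.00"),
    approvers=frozenset({"controller"}),
)
GOOD = Payment("Acme Supply", "123456780", "000111222", Decimal("1250.00"), date(2010, 3, 9), "INV 4471", "clerk")
BAD = Payment("Acme Supply", "123456789", "000111222", Decimal("1250.00"), date(2010, 3, 9), "INV 4471", "clerk")

if __name__ == "__main__":
    print(initiate_and_confirm(GOOD, CTX, "controller"))   # passes every step
    print(initiate_and_confirm(BAD, CTX, "clerk"))         # fails steps 4 and 8
```

Step 8 is enforced by requiring an approver who is on the approver list and is not the initiator, which is what defeats an attacker holding one employee's credentials. Step 10 is the comparison of the bank's acknowledgement with the instruction as sent; if the channel or the workstation altered the amount or account in transit, the mismatch shows up here rather than on the next statement.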

It is interesting that such a simple control mechanism can still be effective. Why do you think some of the steps you’ve outlined in this checklist get overlooked?

Its utility rests on the fact that creating an ACH transaction involves a series of steps, any one of which can be missed or performed incorrectly. Consistent use of a checklist may help those who initiate payments to ensure each transaction complies with rules, is free of processing errors, and is received by the intended recipient. Financial institutions should consider sharing compliance checklists with customers who initiate payments through the ACH. In the world of payments, these are the elements of a smooth landing.

March 8, 2010 in ACH, fraud


February 08, 2010

Same-day ACH provides faster payments "across the pond"

Speed and convenience are driving innovations in payments. Nowhere can that be seen more clearly than the United Kingdom, where Faster Payments Service (FPS) is described as "ACH on steroids." FPS is a payments innovation that provides near real-time delivery and 24/7 accessibility for consumers. It enables customers to make electronic payments, typically via the phone and Internet, in a matter of hours rather than days.

The need for financial institutions to better compete with other same-day clearing channels (for example, check image exchange), coupled with consumer demand for immediacy and convenience in payments, has spurred efforts to introduce expedited payments services like FPS both abroad and in the United States.

How does it work?
Launched on May 27, 2008, FPS was the culmination of a three-year initiative to reduce clearing times on phone, Internet, and standing order payments in the United Kingdom that previously took three days to process. The design and implementation of this new payments infrastructure involved several partners, including the U.K.'s Office of Fair Trading, the Payments System Task Force, the former APACS (Association for Payment Clearing Services), U.K. Payments, VocaLink, and 13 founding member banks.

The new service runs alongside existing payments channels in the United Kingdom such as BACS and CHAPS. The daily operations of FPS are managed by CHAPS, which is also responsible for the U.K.'s real-time, gross settlement payment system (CHAPS Sterling). CHAPS would be the equivalent to Fedwire and CHIPS in the United States. However, VocaLink provides the central infrastructure for FPS through its ATM/Debit network.

FPS only supports credit payments and imposes a £100,000 maximum on standing orders (regular payments made on the same date to a specific beneficiary) and a £10,000 maximum on single immediate payments (SIP) or ad hoc transactions. Customers are able to initiate payments over the phone or online all day, every day.

In its first year, FPS processed 180 million transactions representing £70 billion. According to a recent PricewaterhouseCoopers and VocaLink report, FPS had processed 240 million transactions as of July 2009. Much of this volume is made up primarily of payments between personal account holders or from personal accounts to business accounts (i.e., bill payments).

FedACH to offer same-day service
There is particular interest in the U.K.'s experience with Faster Payments as similar efforts are under way to develop a same-day ACH service in the United States. In March 2009, the Federal Reserve announced plans to develop an intraday service for certain existing ACH debits. In particular, the new service would be limited to consumer checks converted to ACH (ARC, BOC, and POP) as well as consumer debits generated from Internet and telephone transactions (WEB and TEL).

There are at least two key differences in the United Kingdom and FedACH same-day services. Unlike the U.K.'s Faster Payments service, the FedACH settlement of same-day payments will not be real time. Settlement for ACH same-day will occur only once a day at 5 p.m. (see chart below). Also, consumer and corporate credits will not be included in the service.

However, similar to FPS, the FedACH same-day service is not mandatory. An opt-in participation agreement will be required from any financial institution engaging in the service. It is anticipated that the faster settlement will allow participating banks to gain earlier availability of funds as well as to identify return items and potentially fraudulent transactions earlier. Implementation of the service is scheduled for the second quarter of 2010.

Comparison: FedACH same-day service vs. U.K. Faster Payments Service

What types of payments are eligible?
  FedACH same-day: consumer checks converted to ACH and debits initiated over the telephone or Internet
  U.K. FPS: electronic payments made via the Internet, telephone and standing orders

When will the service launch?
  FedACH same-day: second quarter 2010
  U.K. FPS: launched May 27, 2008

What type of settlement will it offer?
  FedACH same-day: batch-processed, gross settlement
  U.K. FPS: real time (no batches), net settlement

Is the service real time?
  FedACH same-day: no; entries deposited by 2 p.m. are delivered by 4 p.m. and settled at 5 p.m.
  U.K. FPS: near real time for payments made by phone or Internet; person-to-person payments are processed 24/7/365, standing orders during banking hours

What infrastructure does it use?
  FedACH same-day: the FedACH network
  U.K. FPS: VocaLink's existing ATM/debit infrastructure

Source: Federal Reserve, CHAPS

Global payments context is changing
The payments world is changing as emerging product innovations provide faster processing and delivery of payments. In general, faster payments reduce temporal risk, that is, the risk the parties to a transaction carry during the lag between the deposit of an item into a clearing system and the delivery and settlement of that item. There are lessons to be learned with each development—whether in the United States or across the globe—that can help better inform the design and implementation of future payments services. Ultimately, all of the participants benefit by collaborating to ensure a more secure payments system.

By Jennifer Grier, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

February 8, 2010 in ACH, payments


Comments

E commerce and money transfers require real time payment confirmation. That is why credit cards are so popular. Online banking can do the same. We automate the payment process for the consumer to 3 clicks and confirm the payment in real time to the payee. The funds settle later. 99.999999% good funds.

Posted by: Brian Crozier | February 18, 2010 at 02:34 PM

The Faster Payments Service commenced on 27 May 2008, not 27 March 2008 as stated in the paragraph titled "How does it work?". Since I was the program director for the Faster Payments program for one of the Top 5 UK banks, I can say that, on 27 March, we were wondering whether we'd be able to go live two months thereafter, but we managed to.

Posted by: Ketharaman Swaminathan | February 09, 2010 at 09:37 AM


December 21, 2009

"Money mules" carry load for global cybercriminals

In November, Portals and Rails explored the industry implications of hacking attacks that have resulted in fraudulent funds transfers using online banking interfaces. This week, Portals and Rails revisits this topic, focusing on the tactics these fraudsters use to dupe unsuspecting individuals and organizations.

The FDIC released a special alert on October 29, warning financial institutions of an uptick in schemes to recruit individuals to receive and transmit unauthorized electronic funds transfers (EFTs) from deposit accounts to individuals overseas. These funds transfer agents, also referred to as "money mules," are solicited online by criminals who have gained unauthorized access to the account of a business or consumer. Typically, the criminal will originate unauthorized EFTs from the victim's account to the money mule's deposit account. The money mule is then instructed to quickly withdraw the cash and wire it overseas, minus a "commission" of 8 to 10 percent.

Fraudsters perpetrate work-at-home scams using online job postings and social networking sites
A common tactic for recruiting money mules is the offer of work-at-home jobs or other seemingly legitimate positions. Fraudsters use online job search sites and social networking sites to persuade individuals to receive and forward stolen funds. According to the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), victims are often hired to "process payments," "transfer funds," or "reship products." Other victims sign up to be "mystery shoppers" and receive fraudulent checks with instructions to cash them and wire the funds to "test" the performance of a money service business.

The job scams also provide the criminal an opportunity to commit identity theft against the money mule. The personal information provided on the "employment" application (e.g., Social Security number or bank account information) may be used to open credit cards, post online auctions, etc., in the money mule's name and possibly commit additional crimes.

Sophisticated fraudsters use malicious code and money mules to conduct unauthorized funds transfers
An FBI alert issued last month describes how fraudsters are increasingly using malicious code to conduct unauthorized ACH transfers with the help of money mules. Many of these cases involve exploiting the online banking credentials belonging to small and midsized businesses, municipal governments, and school districts.

A typical scenario involves a "spear phishing" e-mail sent to someone within the company, either carrying an infected attachment or directing the recipient to an infected Web site. Spear phishing is a phishing attack that targets a specific person and deceptively appears to come from an individual or organization from which the potential victim would normally receive e-mail. The recipient is usually someone authorized to make funds transfers on behalf of the company.

Once the recipient opens the attachment or visits the Web site, malware (malicious software) containing a key logger is installed on the recipient's computer. The key logger captures the keystrokes as the recipient logs into the company's online bank account. Once the login information is compromised, the perpetrator either creates another user account with the stolen credentials or directly initiates funds transfers through ACH or wire by assuming the legitimate user's identity. The transfers are typically in increments of less than $10,000 to avoid currency transaction reporting. Money mules play an important role in these schemes by facilitating the unauthorized movement of the funds out of the country.
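The pattern just described lends itself to two transaction-monitoring rules, shown here as an added example written for this page rather than code from the FBI alert or from any bank's monitoring system. The first flags an account that originates several outbound transfers just under the $10,000 reporting threshold within a short window (structuring on the victim side). The second flags an account that receives an ACH credit and, within two days, moves out by wire or cash an amount equal to the credit minus an 8 to 10 percent commission (the mule side). The sample ledger, the windows, and the lower bound used for "just under the threshold" are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values for this example (not from the alert).
CTR_THRESHOLD = 10_000.00           # currency transaction reporting threshold
STRUCTURING_WINDOW = timedelta(days=3)
MULE_WINDOW = timedelta(hours=48)   # the mule is told to move the money "quickly"
COMMISSION = (0.08, 0.10)           # 8-10 percent kept by the mule


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str      # account the entry is booked to
    direction: str    # "in" (credit) or "out" (debit)
    channel: str      # "ach", "wire" or "cash"
    amount: float
    counterparty: str


def find_structuring(txns, threshold=CTR_THRESHOLD, window=STRUCTURING_WINDOW, min_count=3):
    """Accounts that originate at least `min_count` outbound ACH or wire
    transfers, each just under `threshold`, inside `window`.
    Returns {account: [flagged transfers]}."""
    per_account = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if (t.direction == "out" and t.channel in ("ach", "wire")
                and 0.5 * threshold <= t.amount < threshold):
            per_account[t.account].append(t)
    hits = {}
    for account, outs in per_account.items():
        for i in range(len(outs)):            # sliding window over the sorted list
            j = i
            while j < len(outs) and outs[j].ts - outs[i].ts <= window:
                j += 1
            if j - i >= min_count:
                hits[account] = outs[i:j]
                break
    return hits


def find_mule_pattern(txns, window=MULE_WINDOW, commission=COMMISSION):
    """(account, credit, debit) triples where an inbound ACH credit is followed
    within `window` by a cash withdrawal or outbound wire whose amount equals
    the credit minus a commission inside the 8-10 percent band."""
    per_account = defaultdict(list)
    for t in txns:
        per_account[t.account].append(t)
    low, high = commission
    hits = []
    for account, events in per_account.items():
        credits = [e for e in events if e.direction == "in" and e.channel == "ach"]
        debits = [e for e in events if e.direction == "out" and e.channel in ("wire", "cash")]
        for c in credits:
            for d in debits:
                if not (timedelta(0) <= d.ts - c.ts <= window):
                    continue
                kept = 1.0 - d.amount / c.amount     # share the mule retained
                if low <= kept <= high:
                    hits.append((account, c, d))
    return hits


# Constructed sample ledger (not real data). BIZ-001 is the compromised
# business account; MULE-07 is one recruited "funds transfer agent".
T0 = datetime(2009, 11, 2, 9, 0)
SAMPLE_TXNS = [
    Txn(T0, "BIZ-001", "in", "ach", 20_000.00, "customer payment"),
    Txn(T0 + timedelta(hours=1), "BIZ-001", "out", "ach", 9_800.00, "MULE-07"),
    Txn(T0 + timedelta(hours=5), "BIZ-001", "out", "ach", 9_500.00, "MULE-12"),
    Txn(T0 + timedelta(days=1), "BIZ-001", "out", "ach", 9_700.00, "MULE-19"),
    Txn(T0 + timedelta(hours=2), "MULE-07", "in", "ach", 9_800.00, "BIZ-001"),
    Txn(T0 + timedelta(days=1, hours=3), "MULE-07", "out", "wire", 8_900.00, "overseas beneficiary"),
    Txn(T0 + timedelta(days=2), "BIZ-002", "out", "wire", 12_000.00, "equipment vendor"),
    Txn(T0 + timedelta(days=2, hours=1), "BIZ-002", "out", "ach", 9_900.00, "payroll provider"),
]

if __name__ == "__main__":
    for account, flagged in find_structuring(SAMPLE_TXNS).items():
        print(f"structuring? {account}: {[t.amount for t in flagged]}")
    for account, credit, debit in find_mule_pattern(SAMPLE_TXNS):
        print(f"mule pattern? {account}: in {credit.amount} -> out {debit.amount}")
```

Both rules produce review queues, not verdicts: a legitimate business paying several vendors $9,000 each will trip the first rule, and the mule rule is only as good as the commission band the fraudsters happen to use. The value of the pair is that they catch the same scheme from both ends, at the originating bank and at the bank holding the mule's account, which matters when the victim's institution is a small community bank and the mule's is not.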

Small and midsized businesses lose millions to online banking scams
Reportedly, small to midsized businesses in the United States have lost $40 million to online banking fraud since 2004. FBI analysis has found that the main threat from these schemes is not merely the malware but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider. In most cases, the victims' accounts were held at local community banks and credit unions, some of which used third-party service providers to process ACH transactions.

Many believe that the uptick in these types of fraudulent payment activities is directly related to the decline in the economy. Consequently, financial institutions, businesses, and consumers have to be vigilant in looking for signs of this activity. The Federal Financial Institutions Examination Council (FFIEC) provides guidance to financial institutions and technology service providers on authentication in an Internet banking environment. Money mule activity in particular is addressed by the Bank Secrecy Act and anti-money laundering regulations. There are also resources available to consumers and businesses on how to protect themselves from these types of online scams.

By Jennifer Grier, senior payments risk analyst at the Atlanta Fed

December 21, 2009 in ACH, fraud, law enforcement, payments, social networks | Permalink


November 23, 2009

Banks run more than just security risk with single-factor authentication

As described in a previous Portals and Rails post, various reports have indicated that business customers' online banking credentials are being compromised and the fraudsters are performing unauthorized EFT transactions using either the ACH or wire transfers to move money out of these accounts.

This recent phenomenon could be seen as part of a larger issue for security on the Web, prompting some to consider whether online banking security standards are adequate.

While a lot has been written on how this fraud happens, not much has focused on what happens next. The criminal side of this is fairly cut-and-dried. Law enforcement tries to track down the fraudsters and bring them to justice. If the FBI, Secret Service, or other agencies are able to track them down, apprehend them, and secure a conviction, the fraudsters spend some time in jail. The civil side of this is a little more complicated.

One civil case that has gotten some recent attention is the Shames-Yeakel case filed in federal court in Illinois. Marsha and Michael Shames-Yeakel had $26,500 stolen when an unknown person gained online access to the Shames-Yeakels' bank accounts by using Ms. Shames-Yeakel's username and password. The thief drew on a line of credit and subsequently wired the funds out of the Shames-Yeakels' business account to Hawaii and then on to a bank in Austria. While there is probably a good joke about yodeling while playing the ukulele buried in all of this, the Shames-Yeakels are not laughing. In fact, the hills are alive with litigation.

The plaintiffs first turned to their bank, which indicated that under its online banking agreement the plaintiffs were responsible for the lost funds. They next turned to the Office of Thrift Supervision (OTS), the bank's primary regulator, seeking protections under Regulation E and Regulation Z. The OTS found that these regulations did not apply, since they cover consumer accounts and consumer credit rather than a business account and its line of credit.

Ultimately, the Shames-Yeakels sued their bank. The legal viability of their claims was considered by the Court in its Aug. 21, 2009, ruling on the bank's motion for summary judgment.

While the court's opinion addressed a number of legal claims, it is the court's ruling on the plaintiffs' negligence claim that bankers should pay close attention to. The basis of this claim is that the bank and its third-party Internet banking service provider did not follow the Federal Financial Institutions Examination Council's (FFIEC) updated 2005 guidance on authentication in an Internet banking environment. At the time of the incident, the bank's online banking system was protected only by a user name and password. The FFIEC's guidance does not require banks to use two-factor or multifactor authentication for these accounts, but it does state that the federal regulatory agencies consider single-factor authentication, such as a user name and password, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In essence, the court indicated that while the facts must still be weighed by a jury, it declined to dismiss a negligence claim that the bank had breached a duty under Indiana law to protect the confidential information of its customers by failing to implement more robust security systems. The court stated: "In light of [the bank's] apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."

[Figure: Vulnerabilities Disclosures Affecting Web Applications]

Another case to keep an eye on was filed in Maine this past September. It involves a Maine-based construction company, Patco, which is suing its bank for $588,000, the amount stolen from Patco's account over the course of an eight-day period in May. Similar to the Shames-Yeakel case, Patco claims that the bank failed to provide commercially reasonable protection because its online banking system relied on single-factor authentication. While no ruling has been issued yet, it will be interesting to see whether the state court in Maine agrees with the U.S. District Court in Illinois and allows this negligence claim to move forward.

By guest blogger Michael T. Stewart, assistant vice president at the Boston Fed

November 23, 2009 in ACH, fraud, identity theft | Permalink


September 28, 2009

Coordinating roles in mobile payments--who will we trust?

The concept of mobile payments is beginning to gain some traction as the industry grapples with environmental complexities, namely the myriad participants in the mobile payments arena, the multiple channels a mobile payment can follow, and the ever-present questions about security. Who can be trusted to intercede among the various entities with an interest in the payments process? While a number of roles in the mobile payments arena are taking shape, the least known and possibly the most confusing is that of the trusted service manager (TSM). This role is also possibly the most critical to establishing a secure and trusted environment for mobile payments. So what exactly is a TSM, and what are its responsibilities?

Complex environment for mobile payments
While some dismiss the anticipated speed to market of mobile payments as industry hype, the fact is that the ubiquity of the mobile phone is driving the convergence of telecom and payments. This convergence creates a far more complex environment for payments than ever before. Telecom participants and financial institutions, for example, operate under different regulatory and legal frameworks and carry distinctly different risk exposures. Furthermore, the U.S. mobile payments environment will leverage existing payment channels, such as the automated clearinghouse (ACH) and the card networks. No one knows whether the industry and market will ultimately prefer a particular channel. The result is an array of business models with a vast number of unrelated players competing for customer revenue.

Stakeholders in the mobile payments business model
In addition to the traditional payments model that includes the customer, financial institutions, and perhaps payment processors, the developing mobile payments ecosystem also includes large groups of mobile network operators and handset makers who have no previous payments life cycle experience. For payment system interoperability, all participants must agree to operate under uniform technical operating and security standards. In this context, the role of a TSM is to manage collaboration among the various stakeholders.

Role of the TSM
The concept of the TSM was introduced by the GSM Association (GSMA) in 2007 in an effort to improve interoperability among various unrelated proprietary mobile networks. The core function of the TSM is to serve as a neutral and independent intermediary between financial institutions, payment network operators, customers, and the mobile network operators.

Responsibilities envisioned for the TSM include managing contractual relationships with the large number of mobile network operators (MNOs) and acting as a single point of contact through which banks and other payment service providers reach the customers they share with the MNOs and handset makers. The key to the TSM's success is the financial wherewithal to inspire trust among the other payment participants and to support agreements with a large number of partners. Finally, the TSM should also provide oversight of the various systems among participants to ensure secure transmission of payment and personal data in the transaction.

Who should fill the role?
While the need for a TSM is recognized, there is no consensus on who should fill that role. MNOs, payment network operators, and financial institutions lack the economic incentives to form alliances with other participants in the payment ecosystem because of their competing interests for customer revenue. Whether the role is filled by a consortium of existing players or by a new entity yet to be formed will depend on an ability to fulfill these critical responsibilities from a position of neutrality and independence.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed

September 28, 2009 in ACH, card networks, mobile network operator (MNO), payments, trusted service manager | Permalink


September 21, 2009

Not all payments are equal under "good funds" laws

Anyone who has participated in a real estate closing can attest that it can be a daunting experience. There are many parties with their hands out at the closing table to consummate the deal—the buyer, seller, and attorneys, to name a few. However, it can all collapse like a house of cards if the funds underlying the transaction are not collected or "good."

Ripple effects can be devastating when a lender fails to properly fund an escrow closing transaction. A notable case is the collapse of mortgage lender Abbey Financial in 1994, which left hundreds of consumers across six states stranded with either unfunded mortgages or double mortgages because their first mortgage was not paid off in a loan refinancing. Many of Abbey's checks were dishonored, which left several attorneys with shortfalls in their trust accounts.

The aftermath of Abbey sent shock waves through the mortgage industry and prompted many states to enact "good funds" laws to ensure that the money funding a real estate purchase or refinance transaction is secure and ready for disbursement. The purpose of the law is to provide assurance to the consumer and other parties that the funds are in the proper hands before the deed or mortgage is recorded. This protects the seller from conveying property to a buyer whose check is drawn on an account with insufficient funds.

What makes a payment "good"?
Typically, a closing agent will deposit all funds connected to a real estate transaction into an escrow account for disbursement at the closing. Most good funds laws stipulate the types of funds (e.g., cashier's checks or wire transfers) that an escrow agent can accept. However, what is considered "good funds" can vary by state. In Georgia, for example, the law expressly permits certain types of checks:

A settlement agent may disburse proceeds from its escrow account after receipt of any of the following negotiable instruments even though the same are not collected funds: (1) a cashier’s check from a federally insured bank, savings bank, savings and loan association, or credit union…; (2) a check drawn on the escrow account of an attorney or real estate broker…; (3) a check issued by the United States or Georgia…; and (4) a check or checks not exceeding $5,000 in aggregate per loan closing.

Several states have taken a stricter approach in defining acceptable funds. Specifically, wire transfers are often the only electronic funding mechanism allowed and, in some cases, are required for transactions over a certain dollar amount. Although not an exhaustive list, a general Internet search revealed that Indiana, Minnesota, Missouri, and Texas are among those states with good funds laws that limit electronic funds transfers to "wire transfers" instead of the broader "electronic payment" as defined in Regulation CC (12 CFR 229.2(p)), which would otherwise permit funding through the automated clearinghouse (ACH).

For example, the Indiana Good Funds Law defines wired funds as "good" but requires that they be "unconditionally held by and irrevocably credited to the escrow account of the closing agent." Only funds transferred through Fedwire or CHIPS are immediate, final, and irrevocable. Consequently, it appears that Indiana's law excludes electronic funds transfers through ACH, since a consumer's Regulation E rights to dispute an unauthorized electronic transfer from his or her account may create some risk that ACH funding of a real estate transaction could be reversed long after the closing.

Secure funds important in uncertain times
The current housing crisis has undoubtedly caused some anxiety for all parties in a real estate transaction about the risk of a deal falling through. Numerous bank failures and increased real estate fraud have further complicated the process. Although there are differences by state, the good funds laws help to mitigate some of the risks by helping to ensure that the funding of real estate transactions is reliable.

By Jennifer Grier, senior payments risk analyst at the Atlanta Fed

September 21, 2009 in ACH, checks, fraud, risk | Permalink


August 17, 2009

Oliver: Funding of risk initiatives faces risky times

This week, we have a special guest blogger: Richard Oliver, an executive vice president with the Federal Reserve Bank of Atlanta. Oliver was a pioneer in electronic payments, working on a Fed system project with the U.S. Treasury to develop direct deposit. He was also instrumental in the Atlanta Fed becoming the second automated clearinghouse (ACH) operation in the United States. Since 1998 he has served as retail payments product manager for the Federal Reserve System. In this capacity, he has responsibility for managing the Fed's check and ACH businesses nationwide.

As we look forward to a slow but steady emergence of the banking industry from the current financial firestorm, the question arises as to how investments in the payment system will fare. More specifically, will banks and other payment system players secure funding for initiatives critical to mitigating payment fraud and risk?

Experiences gained from previous economic crises have reshaped individual and corporate attitudes and practices. Certainly, the folks who experienced the Great Depression turned into a generation of savers, conservative spenders, and cautious borrowers. Recent discussions with payment leaders have given rise to the possibility that conservative spending habits may be with us for some time. These habits may be manifested in restricted, prioritized spending on payment initiatives in general and fraud and risk mitigation efforts more specifically.

Given the already narrowing margins in retail payment profits, coupled with enterprisewide scrutiny of expenses across business silos, it is likely that payment organizations will have to prioritize spending in ways not typical of the last decade of innovation and constant change. These limitations will create choices concerning which investments are mandatory and which are discretionary. Investments in initiatives directed at data security and fraud detection might take a back seat to investments in relieving the pent-up demand for maintenance and enhancements of core payment and settlement systems or investments in exciting new technology.

In an ideal world, focused and well-reasoned business case analysis would dictate the priority of spending. My personal experience, however, has revealed that investments in fraud reduction, data security, etc., face an uphill battle when competing for scarce dollars. This phenomenon stems from three major factors.

First, there is always a perception that risk/fraud expenditures are discretionary. It remains to be seen if the staggering cost of poor risk management that led to the financial crisis, coupled with the everyday visibility of fraud schemes, will help shed the discretionary label. Discretion, by the way, not only involves expenditures on new artificial intelligence software or high-tech encryption devices; it also involves more subtle decisions about the number of staff authorized to monitor systems, notify customers of breaches, and research problems. After all, the risks involved in past lending and investment practice that were at the heart of the financial crisis largely involved "payment" of obligations and not "payments."

Second, to do effective business case analysis, good data must be present. It is not at all clear whether banks and other payment providers have transparent and reliable systems in place to detect, measure, and categorize fraud in a way that allows its financial impacts to be estimated. Certainly, banks have historically been reluctant to share such data externally. Further, do banks have in place systems that can collect and allocate fraud management costs in such a way as to complete a meaningful cost-benefit analysis? Without good data, business case analysis becomes an art, not a science. Clearly, for bad actors fraud is their core business; there is no business case to explore and no budget committee to satisfy. In fact, their pursuits are recession proof.

Finally, investments are about the future, not the past. My personal experience in this area is that the past is a poor predictor of the future. In that light, how does an organization forecast likely trends in fraud losses? Is the past a good predictor of the future? Can recent trends such as the reduction of unauthorized activity in the ACH network reasonably be extrapolated, or will the fraudsters simply move to another payment channel where controls are weaker? More importantly, will new technology help bad actors commit fraud more easily or help banks do a better job of detecting and preventing fraud? Should the business case for the future depend on average industry trend data or should it protect against "the big one," the major incident that culminates in a $100 million–$200 million loss? Answers to these questions will ultimately separate the prepared from the unprepared.

Regardless of the answers to these perpetually difficult questions, most of which will stem from core experiences and individual philosophies, one thing is certain in the wake of our recent experience: Reputation is more important than ever. Positive reputations are difficult to build, hard to maintain, easy to lose, and even harder to reclaim. The value placed on reputation must be carefully considered by senior decision makers in setting the course for the future.

August 17, 2009 in ACH | Permalink
