March 08, 2010
Smooth landings for payments call for a checklist
This week's blog features an interview with Devon Marsh, senior vice president and treasury management risk manager at Wells Fargo Bank, N.A. We asked Devon about his thoughts on managing risk in electronic retail payments today.
Devon, retail payments are growing increasingly more complex, creating challenges for risk managers in financial institutions. We know that many of the traditional "tried and true" control processes can still be effective in today's changing environment and understand you are a proponent of compliance checklists as a primary risk management tool for your bank. Tell us a little more about why you value the checklist process.
In more than 1,000 landings as a naval aviator, I never once made a gear-up landing. I don't think I even came close to forgetting the landing gear, but I didn't take any chances. I used a checklist every time I landed. The checklist was necessary not because lowering the landing gear is difficult to remember—of course the gear needs to be down to land! It was necessary because any discrete task—even an important one—can be easy to forget. For this reason we see pilots use checklists all the time on television and in movies to ensure completion of important tasks. We even probably consider the use of checklists to be a defining characteristic of a cockpit environment. But aviation is not the only field in which people can benefit from checklists.
I recently read a new book titled The Checklist Manifesto, by Dr. Atul Gawande. Dr. Gawande is a surgeon and regular contributor to The New Yorker magazine. He has written two previous books based on the practice of medicine that provide useful lessons on risk management and process improvement. His new book offers compelling statistical evidence on how the use of simple checklists cuts down on critical errors.
A key example in The Checklist Manifesto recounts the development of a checklist to guide the procedure for inserting a central intravenous line in intensive care patients. The steps include elementary items such as handwashing. Because its content was so basic, the checklist was initially met with scorn by many practitioners. Nevertheless, consistent use of the checklist dramatically reduced central line infection rates and deaths in ICU wards where it was implemented.
This example seems particularly relevant in financial services since significant problems are often avoided through simple yet proactive control processes. Can you draw some parallels to a checklist that might be effective in ACH processing and describe how it might work?
That's right. Errors in payment processing seldom cost lives the way medical errors might, but they can be as costly as a lost or damaged aircraft. For this reason, I believe the checklist concept has great applicability for many of the risks we address in processing payments. For example, an electronic payment checklist for ACH might help payment originators comply with rules and regulations, avoid human errors, and reduce fraud. A basic electronic payment checklist might include 10 steps.
Electronic Payment Checklist
1. Authenticate the receiver or requester.
2. Confirm validity of authorization.
3. Verify account number of receiver or beneficiary.
4. Verify routing number of receiver or beneficiary.
5. Confirm effective date of transaction.
6. Confirm payment-related information.
7. Confirm sufficient funds in funding account.
8. Obtain internal approval for transaction.
9. Initiate transaction.
10. Confirm transaction.
Some of the steps are required by rule or by law, while others are simply necessary to route the transaction appropriately. When any one of the steps goes wrong, the resulting error decreases the efficiency of the payment process. It can even cause the entire transaction to be misrouted, possibly without an opportunity for recovery. The eighth step in this checklist is particularly important because it represents a traditional fraud mitigation method called "dual control." This traditional method has proven effective in mitigating the risk that outside entities will attempt to initiate or change a company's transactions by using the credentials of internal employees.
The final step in the checklist, confirming the transaction, is one that is frequently overlooked. It makes sure the financial institution receives the transaction that the initiator intended. This step is critical to ensure a payment has been positively handed off to the next participant in the processing flow.
It is interesting that such a simple control mechanism can still be effective. Why do you think some of the steps you’ve outlined in this checklist get overlooked?
Its utility rests on the fact that creating an ACH transaction involves a series of steps, any one of which can be missed or performed incorrectly. Consistent use of a checklist may help those who initiate payments to ensure each transaction complies with rules, is free of processing errors, and is received by the intended recipient. Financial institutions should consider sharing compliance checklists with customers who initiate payments through the ACH. In the world of payments, these are the elements of a smooth landing.
March 8, 2010 in ACH, Fraud, Risk Management | Permalink
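The ten-step checklist from the interview above can be enforced in software before a payment leaves the originator. The following is an added example, not code from the interviewee, his bank, or this blog; the `Payment` fields, the weekday-only date rule, the 17- and 80-character field limits, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Payment:
    receiver_authenticated: bool    # step 1: attested by the person keying the payment
    authorization_on_file: bool     # step 2
    authorized_account: str         # account number recorded on the authorization
    account_number: str             # step 3
    routing_number: str             # step 4
    effective_date: date            # step 5
    payment_info: str               # step 6
    amount: Decimal                 # step 7
    initiator: str
    approver: Optional[str] = None  # step 8


def routing_checksum_ok(rtn: str) -> bool:
    """ABA check digit: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if len(rtn) != 9 or not (rtn.isascii() and rtn.isdigit()):
        return False
    d = [int(c) for c in rtn]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def preflight(p: Payment, today: date, available_funds: Decimal) -> list:
    """Run checklist steps 1-8 and return [(step, reason)] for each failure."""
    checks = [
        (1, p.receiver_authenticated, "receiver or requester not authenticated"),
        (2, p.authorization_on_file, "no valid authorization on file"),
        (3, p.account_number.isalnum() and len(p.account_number) <= 17
            and p.account_number == p.authorized_account,
            "account number malformed or differs from the authorization"),
        (4, routing_checksum_ok(p.routing_number), "routing number fails its check digit"),
        (5, p.effective_date >= today and p.effective_date.weekday() < 5,
            "effective date is in the past or on a weekend"),
        (6, 0 < len(p.payment_info.strip()) <= 80,
            "payment-related information missing or too long"),
        (7, Decimal("0") < p.amount <= available_funds,
            "amount not positive or exceeds available funds"),
        # Dual control: a second person must approve, and it cannot be the initiator.
        (8, p.approver is not None and p.approver != p.initiator,
            "approver missing or same person as initiator"),
    ]
    return [(step, reason) for step, ok, reason in checks if not ok]


def confirm_handoff(p: Payment, ack: dict) -> list:
    """Step 10: compare what the institution acknowledged with what was intended.

    Step 9 (initiating the transaction) happens between preflight() and this call.
    Returns the names of fields that differ; an empty list means a clean hand-off.
    """
    sent = {
        "routing_number": p.routing_number,
        "account_number": p.account_number,
        "amount": p.amount,
        "effective_date": p.effective_date,
    }
    return sorted(k for k, v in sent.items() if ack.get(k) != v)


# Constructed sample data (not real accounts). 123456780 satisfies the check digit.
TODAY = date(2010, 3, 8)
GOOD = Payment(True, True, "000123456789", "000123456789", "123456780",
               date(2010, 3, 9), "INV 4471 MARCH RENT", Decimal("1250.00"),
               initiator="alice", approver="bob")
# Same payment with a mistyped routing number, a stale date, and self-approval.
BAD = replace(GOOD, routing_number="123456789",
              effective_date=date(2010, 3, 6), approver="alice")

if __name__ == "__main__":
    for step, reason in preflight(BAD, TODAY, Decimal("5000.00")):
        print(f"step {step}: {reason}")
    ack = {"routing_number": "123456780", "account_number": "000123456789",
           "amount": Decimal("12500.00"), "effective_date": date(2010, 3, 9)}
    print("hand-off mismatches:", confirm_handoff(GOOD, ack))
```
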
January 25, 2010
Connecting the dots needed to reduce payment risks
Some say baseball is not only America's Game, but also a metaphor for life in America. As a lifelong fan I have noticed that each year a couple of rookie players explode onto the scene in April, putting up terrific numbers and establishing themselves as the sport's next great icons. Usually by mid-May they have disappeared from the league leader boards as their numbers fall precipitously. Why? Because the league knows very little about the players' strengths and weaknesses in April, but as time wears on, pitchers make adjustments to exploit the rookies' weaknesses. Don Sutton, an announcer for the Atlanta Braves, says that baseball is a game of continuous adjustments. The rookie wunderkinds will only be successful over the long run if they are able to make the adjustments necessary to counter the pitchers' new approach.
In today's payments world, rookie fraudsters are having significant success penetrating corporate payroll and accounting systems using Trojan horse and key-logging software to insert bogus payments into the company's disbursement streams without the company realizing until it is much too late. So-called "money mules," hired by the kingpin fraudster, receive the "stolen" funds in new accounts and immediately wire them to faraway places after taking their promised cut. Such schemes have been much discussed in the payments industry press over the past few months.
My wife's sister is the bookkeeper for a small firm, and in that role she is responsible for most of the company's disbursements, including payroll. Over a glass of eggnog or some acceptable substitute, I told her about these schemes and she listened, wide-eyed. We discussed the controls that were in place in the company that could detect and prevent them from becoming a victim, and I began to realize the problem we face as an industry in addressing such new threats. Like the rookie baseball player, we must begin to adopt a mentality of constantly adjusting to the ploys of the fraudsters to ensure our future success. For example, a company could add a new step to their disbursement process that would check payroll totals for reasonableness in terms of numbers and dollars, scan preliminary logs of payees, names or accounts, etc., before pressing the transmit button. The challenge is to figure out how to share threat information broadly enough to reach the point of common sense protection. There can be no remedy if there is no awareness.
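The pre-transmit reasonableness check suggested above could look like the following. This is an added example, not code from the author or the Forum; the `(payee, account, amount)` tuple layout, the 20 percent tolerance, and all sample data are assumptions made for illustration.

```python
from collections import defaultdict
from decimal import Decimal
from statistics import median


def _deviates(value, baseline, tolerance):
    """True when value differs from baseline by more than tolerance * baseline."""
    value, baseline = Decimal(value), Decimal(baseline)
    return abs(value - baseline) > tolerance * baseline


def review_batch(history, pending, tolerance=Decimal("0.20")):
    """Compare a pending payroll batch with previously transmitted batches.

    history: list of earlier batches; pending: the batch about to be sent.
    Each batch is a list of (payee, account, amount) tuples.
    Returns a list of (code, detail) findings; an empty list means nothing stood out.
    """
    if not history:
        raise ValueError("need at least one earlier batch as a baseline")
    findings = []

    # Reasonableness "in terms of numbers and dollars".
    base_count = median(len(b) for b in history)
    base_total = median(sum(amount for _, _, amount in b) for b in history)
    total = sum(amount for _, _, amount in pending)
    if _deviates(len(pending), base_count, tolerance):
        findings.append(("entry_count", f"{len(pending)} entries, typical {base_count}"))
    if _deviates(total, base_total, tolerance):
        findings.append(("total_amount", f"{total} total, typical {base_total}"))

    # Scan of payees, names and accounts against what has been paid before.
    known = defaultdict(set)
    for batch in history:
        for payee, account, _ in batch:
            known[payee].add(account)
    users = defaultdict(set)
    for payee, account, _ in pending:
        users[account].add(payee)
        if payee not in known:
            findings.append(("new_payee", payee))
        elif account not in known[payee]:
            findings.append(("account_changed", payee))
    for account, payees in sorted(users.items()):
        if len(payees) > 1:
            findings.append(("shared_account", account))
    return findings


# Constructed sample data: three earlier payrolls and three candidate batches.
D = Decimal
HISTORY = [
    [("Alice", "1001", D("2000")), ("Bob", "1002", D("2500")), ("Carol", "1003", D("3000"))],
    [("Alice", "1001", D("2000")), ("Bob", "1002", D("2600")), ("Carol", "1003", D("3000"))],
    [("Alice", "1001", D("2000")), ("Bob", "1002", D("2400")), ("Carol", "1003", D("3000"))],
]
CLEAN = HISTORY[0]
# One existing payee redirected to a different account, plus one payee never seen before.
SUSPECT = [("Alice", "1001", D("2000")), ("Bob", "7777", D("2500")),
           ("Carol", "1003", D("3000")), ("New Hire", "8888", D("9500"))]
# Totals look normal, but two payees now share one account.
SHARED = [("Alice", "1001", D("2000")), ("Bob", "1003", D("2500")),
          ("Carol", "1003", D("3000"))]

if __name__ == "__main__":
    for code, detail in review_batch(HISTORY, SUSPECT):
        print(f"HOLD BEFORE TRANSMIT  {code}: {detail}")
```

Any finding is a reason to pause and have a second person look at the batch, not proof of fraud; new hires and legitimate account changes will trigger it too.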
A number of organizations are working on education and communications efforts within their industries, but the best protection is always a first-line defense at the point of greatest vulnerability—the corporate originator of payments. While we in banking view the depth and breadth of our industry as daunting, it is trivial compared to the universe of American business, from large mega-corporations who can invest millions in protection to small entrepreneurs engaged in realizing their lifelong dreams, totally oblivious to the dangers of the brave new world. What, then, can we do to address this seemingly impossible challenge?
The answer would seem to lie in harnessing the amazing technology present in the world today, the same technology being used by the bad guys. Just as nuclear technology can be used to pursue both good and bad objectives, so can e-mail systems, social networking, twittering, and other yet-to-be-discovered advents of the new century. My sense is that the problem lies in discerning how to connect the dots. In other words, how can we as a society create a massive web of "community of interest" associations that allows information to reach the eyes and ears of all (or most) of those who need to hear it?
From my background as a math major, I know that the shortest distance between two points is a straight line (actually, I think you can get this from high school geometry). Noting that every company needs a bank, my sense is that the straight line for this effort runs directly from the central industry sources of fraud knowledge, to the banking community, to a bank's business customer base. Simultaneously, another connection at the top of the chain runs from industry sources to other parties in the regulatory and law enforcement businesses.
Over the past few months, we at the Retail Payments Risk Forum have become aware of and frequently engaged with several organizations who are interested in and trying to enhance the current communications and education process. For example, a new interagency fraud working group, co-chaired by the Department of Justice and the Federal Reserve Board, has been created to share information between bank and nonbank regulators and the law enforcement community. An effort to construct an educational toolkit for banks to use to report fraudulent activity is being developed under the auspices of BITS. In an ideal world, we would all work together to harvest the unique capabilities of each of the many efforts under way and try to coordinate them in such a way as to minimize duplication, maximize knowledge, ensure accuracy, and expedite wide distribution of information. In the months ahead, the Forum will be trying to work across many interested parties to see if there is a model for accomplishing this goal that could be deployed to the benefit of all possible victims in the "fraud value chain."
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
January 25, 2010 in Corporate Internet fraud, Fraud, Fraud awareness, Internet fraud education, Money mules, Payments risk | Permalink
December 21, 2009
"Money mules" carry load for global cybercriminals
In November, Portals and Rails explored the industry implications of hacking attacks that have resulted in fraudulent funds transfers using online banking interfaces. This week, Portals and Rails revisits this topic, focusing on the tactics these fraudsters use to dupe unsuspecting individuals and organizations.
The FDIC released a special alert on October 29, warning financial institutions of an uptick in schemes to recruit individuals to receive and transmit unauthorized electronic funds transfers (EFTs) from deposit accounts to individuals overseas. These funds transfer agents, also referred to as "money mules," are solicited online by criminals who have gained unauthorized access to the account of a business or consumer. Typically, the criminal will originate unauthorized EFTs from the victim's account to the money mule's deposit account. The money mule is then instructed to quickly withdraw the cash and wire it overseas minus a "commission" of 8 to 10 percent.
Fraudsters perpetrate work-at-home scams using online job postings and social networking sites
A common hiring tactic for money mules is the offer of a work-at-home job or other seemingly legitimate position. Fraudsters will use online job search Web sites and social networking sites to persuade individuals to receive and forward stolen funds. According to the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), victims are often hired to "process payments," "transfer funds," or "reship products." Other victims sign up to be "mystery shoppers" where they receive fraudulent checks with instructions to cash the checks and wire the funds to "test" the performance of a money service business.
The job scams also provide the criminal an opportunity to commit identity theft against the money mule. The personal information provided on the "employment" application (e.g., Social Security number or bank account information) may be used to open credit cards, post online auctions, etc., in the money mule's name and possibly commit additional crimes.
Sophisticated fraudsters use malicious code and money mules to conduct unauthorized funds transfers
An FBI alert issued last month describes how fraudsters are increasingly using malicious code to conduct unauthorized ACH transfers with the help of money mules. Many of these cases involve exploiting the online banking credentials belonging to small and midsized businesses, municipal governments, and school districts.
A typical scenario involves a "spear phishing" e-mail being sent to someone within the company with either an infected attachment or directing the recipient to an infected website. Spear phishing is a phishing attack that targets a specific person and deceptively appears to come from an individual or organization that the potential victim would normally receive e-mails from. The email recipient would usually have authorization to make funds transfers on behalf of the company.
Once the recipient opened the attachment or visited the Web site, malware (malicious software code) containing a key logger would be installed on the recipient's computer. The key logger captures the keystrokes of the recipient's business or corporate bank account login information. Once this information is compromised, the perpetrator either creates another user account with the stolen login or directly initiates funds transfers through either ACH or wire transfer by assuming the legitimate user's identity. The transactions are typically in increments less than $10,000 to avoid currency transaction reporting. Money mules play an important role in these schemes by helping to facilitate the unauthorized transfer of funds.
Small and midsized businesses lose millions to online banking scams
Reportedly, small to midsized businesses in the United States have lost $40 million to online banking fraud since 2004. FBI analysis has found that the main threat from these schemes is not merely the malware but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider. In most cases, the victims' accounts were held at local community banks and credit unions, some of which used third-party service providers to process ACH transactions.
Many believe that the uptick in these types of fraudulent payment activities directly relates to the decline in the economy. Consequently, financial institutions, businesses, and consumers have to be vigilant in looking for signs of this activity. The Federal Financial Institutions Examination Council (FFIEC) provides guidance to financial institutions and technology service providers on authentication in an Internet banking environment. Money mule activity in particular is addressed by the Bank Secrecy Act and Anti-Money Laundering regulations. There are also resources available to consumers and businesses on how to protect themselves from these types of online scams.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
December 21, 2009 in ACH, Cybersecurity, Fraud, Law enforcement, Payments, Social networks | Permalink
November 23, 2009
Banks run more than just security risk with single-factor authentication
As described in a previous Portals and Rails post, various reports have indicated that business customers' online banking credentials are being compromised and the fraudsters are performing unauthorized EFT transactions using either the ACH or wire transfers to move money out of these accounts.
This recent phenomenon could be seen as part of a larger issue for security on the Web, prompting some to consider whether online banking security standards are adequate.
While a lot has been written on how this fraud happens, not much has focused on what happens next. The criminal side of this is fairly cut and dried. Law enforcement tries to track down the fraudsters and bring them to justice. If the FBI, Secret Service, or other agencies are able to track them down, apprehend them, and a conviction is made, the fraudsters spend some time in jail. The civil side of this is a little more complicated.
One civil case that has gotten some recent attention is the Shames-Yeakel case filed in federal court in Illinois. Marsha and Michael Shames-Yeakel had $26,500 stolen when an unknown person gained online access to the Shames-Yeakels' bank accounts by using Ms. Shames-Yeakel's username and password. The thief manipulated a line of credit and subsequently wired the funds out of the Shames-Yeakels' business account to Hawaii and then off to a bank in Austria. While there is probably a good joke about yodeling while playing the ukulele buried in all of this, the Shames-Yeakels are not laughing. In fact, the hills are alive with litigation.
The plaintiffs first turned to their bank, who indicated that under the bank's online banking agreement, the plaintiffs were responsible for the lost funds. They next turned to the Office of Thrift Supervision (OTS), the bank's primary regulator, seeking protections under Regulation E and Regulation Z. The OTS found that these regulations did not apply as they were applicable to consumer loans and lines of credit.
Ultimately, the Shames-Yeakels sued their bank. The legal viability of their claims was considered by the Court in its Aug. 21, 2009, ruling on the bank's motion for summary judgment.
While the court's opinion addressed a number of legal claims, it is the court’s ruling on the plaintiff’s negligence claim that bankers should pay close attention to. The basis of this claim is that the bank and its third-party Internet banking service provider did not follow the Federal Financial Institutions Examination Council's (FFIEC's) updated 2005 guidance on authentication in an Internet banking environment. At the time of the incident, the bank had user name and password access to their online banking system. The FFIEC's guidance does not require banks to use dual-factor or multi-factor authentication for these accounts, but it does state that the federal regulatory agencies consider single-factor authentication, like user name and password, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In essence, the court indicated that while the facts must still be weighed by a jury, it declined to dismiss a negligence claim that the bank had breached a duty under Indiana law to protect the confidential information of its customers by failing to implement more robust security systems. The court stated: "In light of [the bank's] apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."
Another case to keep an eye on was filed in Maine this past September. The case involves a Maine-based construction company, Patco, which is suing its bank for $588,000, the same amount of money that was stolen from Patco's account over the course of an eight-day period in May. Similar to the Shames-Yeakel case, Patco is claiming that the bank failed to provide commercially reasonable protection because only a single-factor authentication system for its online banking system was in place. While no action has been taken as of yet, it will be interesting to see if the state court in Maine agrees with the U.S. District Court in Illinois, allowing this negligence claim to move forward.
By guest blogger Michael T. Stewart, assistant vice president at the Boston Fed
November 23, 2009 in ACH, Cybersecurity, Fraud, Identity theft | Permalink
November 02, 2009
Payments Spotlight Podcast: WACHA's Gilmeister discusses commercial account takeovers and other emerging risks
Play (MP3 7:58)
Transcript
We invite you to listen to an interview with Mary Gilmeister, President of the Wisconsin Automated Clearinghouse Association (WACHA) and a member of the Retail Payments Risk Forum’s Advisory Group. Launched in August 2009, this is the second iteration of the Retail Payments Risk Forum’s Payments Spotlight podcast series.
In this interview, Ms. Gilmeister touches upon the following topics:
- The roles of regional payments associations like WACHA,
- thoughts on managing the emerging risk of commercial account takeovers which result in fraudulent ACH transfers,
- protecting the elderly from financial fraud,
- the role of the NACHA Risk Management Advisory Group, and
- new risk issues in the emerging payments environment.
If you have not already, we also invite you to give a listen to the first installment of Payments Spotlight, which featured a conversation with Woody Tyner, payments strategist at BB&T Bank in North Carolina.
We hope that you will not only check out this installment but also tune in on a regular basis as we feature other leading thinkers and practitioners representing a wide array of perspectives. You can listen to the Payments Spotlight podcast using any computer audio software that will play MP3 files. To subscribe to the podcast series directly, go to the Atlanta Fed podcast page, click on the "SUBSCRIBE" button next to Payments Spotlight, and follow the instructions for adding the series to your aggregator. You can also follow the series by staying tuned to Portals and Rails, where we will post information about new podcasts as they become available.
Let us know what you think!
November 2, 2009 in Emerging payments, Fraud, Payments, Risk | Permalink
October 20, 2009
Building a bridge: Will proactive discussions of fraud concerns help drive financial services and telecom industry collaboration in the emerging mobile payments context?
Much has been written in this blog and elsewhere about the emergence of mobile phone-enabled payments. Recently, we had the pleasure of attending two excellent conferences that stimulated thinking about how the lines between two major industries, telecoms and financial services, are beginning to blur. First was the Finovate 2009 conference in New York. Among a wide array of financial services technologies and business model demos presented was a fascinating lineup of emerging methods for accomplishing payments transactions using the mobile phone. Clearly, much new innovation is emerging in this area. Technology providers are building bridges between banks and telecoms in this environment. All of this fertile stew of ideas bears watching in the years to come.
Second, we recently attended a joint session put together by the Santa Fe Group Vendor Council and the Communications Fraud Control Association in Atlanta. This meeting offered an opportunity for those thinking about fraud controls in the payments arena and those concerned about fraud in the communications (telecoms) industry to begin to discuss issues of mutual concern as mobile payments emerge in the United States and abroad.
For example, issues at the table included the following:
- Registration protocols vary significantly between mobile services and bank payment services. This variation can complicate the forensics on a fraudulent transaction in the aftermath as either investigators within banks or telecoms or law enforcement may find it very difficult to map a transaction to a particular person through mobile payments channels.
- Authentication protocols are also differentiated because of regulatory requirements and industry practices. These protocols complicate investigations as varying audit trails create complexities.
- Malware concerns such as SMiShing in mobile phones are emerging and may be creating new and poorly understood vulnerabilities and hacker threats in the payments environment.
- Fraud detection "flags" may not be translated or communicated well between the two industries. What happens when a phone is reported as lost to the mobile carrier, and it is a fully enabled mobile wallet? Does the bank with whom the customer is affiliated also need to be notified? Does a compromised account at a bank also need to be reported to the telecom provider when the phone is a transaction device?
- Are fraud investigators duplicating efforts when they investigate a fraudulent episode involving a mobile payments transaction? How could these efforts be better coordinated?
- Do privacy restrictions in the banking and telecom environments create undue barriers to sharing of useful information to help track down bad actors?
- If a payment transaction is reliant upon an “always on” mobile connection, what happens to the transaction when and if a connection is lost midstream? Who is responsible? What about the fraud risk?
These and other issues were raised in the context of the discussion, and all agreed that further elaboration of these issues was needed to determine the best opportunities for collaborative action. However, it seemed clear that when it comes to fraud, open channels between the two industries could go a long way to ensuring effective deterrence and loss mitigation in the mobile payments environment.
On a larger scale, these conversations are likely to deepen as many of the emerging mobile payments business models take hold. In this emerging environment, collaborative cross-industry work on fraud issues could be a positive launching point for breaking down industry silos for the good of financial services and telecommunications companies, and it could benefit their customers, which will in turn further support the utilization of all those innovative mobile payments models we heard about at Finovate.
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
October 20, 2009 in Collaboration, Fraud, Innovation, Micropayments, Mobile | Permalink
September 21, 2009
Not all payments are equal under "good funds" laws
Anyone who has participated in a real estate closing can attest that it can be a daunting experience. There are many parties with their hands out at the closing table to consummate the deal—the buyer, seller, and attorneys, to name a few. However, it can all collapse like a house of cards if the funds underlying the transaction are not collected or "good."
Ripple effects can be devastating when a lender fails to properly fund an escrow closing transaction. A notable case is the collapse of mortgage lender Abbey Financial in 1994, which resulted in hundreds of consumers over six states stranded with either unfunded mortgages or double mortgages because their first mortgage was not paid off in a loan refinancing. Many of Abbey's checks were dishonored, which left several attorneys with shortfalls in their trust accounts.
The aftermath of Abbey sent shock waves through the mortgage industry and prompted many states to enact "Good Funds" laws to ensure that the money funding a real estate purchase and refinance transaction is secure and ready for disbursement. The purpose of the law is to provide assurance to the consumer and other parties that the funds are in the proper hands before the deed or mortgage is recorded. This thereby protects the seller from conveying property to a buyer whose check is drawn on an account with insufficient funds.
What makes a payment "good"?
Typically, a closing agent will deposit all funds connected to a real estate transaction into an escrow account for disbursement at the closing. Most good funds laws stipulate the type of funds (e.g., cashier's checks, or wire transfers) that an escrow agent can accept. However, what is considered "good funds" can vary by state. In Georgia, for example, the law expressly permits certain types of checks:
A settlement agent may disburse proceeds from its escrow account after receipt of any of the following negotiable instruments even though the same are not collected funds: (1) a cashier’s check from a federally insured bank, savings bank, savings and loan association, or credit union; (2) a check drawn on the escrow account of an attorney or real estate broker; (3) a check issued by the United States or Georgia; and (4) a check or checks not exceeding $5,000 in aggregate per loan closing.
Several states have taken a stricter approach in defining acceptable funds. Specifically, wire transfers are often the only funding mechanism allowed and, in some cases, are required for transactions over a certain dollar amount. Although not an exhaustive list, a general Internet search revealed that Indiana, Minnesota, Missouri, and Texas are among those states with good funds laws that limit electronic funds transfers to "wire transfers" instead of the broader "electronic payment," as defined in Regulation CC (12 CFR 220.10 (p)), which would otherwise permit funding using automated clearinghouse (ACH).
For example, the Indiana Good Funds Law defines wired funds as "good" but requires that they be "unconditionally held by and irrevocably credited to the escrow account of the closing agent." Only funds transferred through Fedwire or CHIPS are immediate, final, and irrevocable. Consequently, it appears that Indiana’s law excludes electronic fund transfers through ACH since consumer Regulation E rights with regard to unauthorized ACH credits may create some risk that ACH funding of a real estate transaction could be reversed long after the closing.
Secure funds important in uncertain times
The current housing crisis has undoubtedly caused some anxiety for all parties in a real estate transaction about the risk of a deal falling through. Numerous bank failures and increased real estate fraud have further complicated the process. Although there are differences by state, the good funds laws help to mitigate some of the risks by helping to ensure that the funding of real estate transactions is reliable.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
September 21, 2009 in ACH, Checks, Fraud, Risk
August 24, 2009
Forum launches “Payments Spotlight” podcast series
Since February 2009, the Retail Payments Risk Forum has regularly posted to the Portals and Rails blog interesting and thought-provoking topics related to retail payments risk issues. This online forum provides a dynamic platform to spark conversation and foster ideas about these topics. In an effort to further expand the dialogue, we are excited to announce the launch of the Payments Spotlight podcast series this month.
Payments Spotlight will be posted regularly on the Federal Reserve Bank of Atlanta’s Web site. The podcast will feature recorded interviews with leading experts in the payments industry on relevant issues. The first installment features a conversation with Woody Tyner, payments strategist at BB&T Bank in North Carolina. In his comments, Mr. Tyner provides an insightful perspective that is definitely worth a listen on how the payments industry can balance innovation and risk management.
We hope that you will not only check out this installment but also tune in on a regular basis as we feature other leading thinkers and practitioners representing a wide array of perspectives. You can listen to the Payments Spotlight podcast using any computer audio software that will play MP3 files. To subscribe to the podcast series directly, go to the Atlanta Fed podcast page, click on the "subscribe" button next to Payments Spotlight, and follow the instructions for adding the series to your aggregator. You can also follow the series by staying tuned to Portals and Rails, where we will post information about new podcasts as they become available.
Let us know what you think, and please submit any suggestions you have for future podcast topics.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
August 24, 2009 in Checks, Fraud, Innovation, Payments, Risk Management
August 10, 2009
Collaboration to address payments risks and fraud
In the world of payments, all players share an interest in seeing that risks are detected and mitigated quickly and effectively. However, when threats emerge, is it everyone for themselves? How does the variety of interests and goals among all the players converge? In a private marketplace mixed with government actors, how can we work better together?
Participants at a 2008 conference hosted by the Retail Payments Risk Forum discussed these issues and described the challenges and potential solutions. A year later, the findings of this forum are worth revisiting.
Information sharing
Real or perceived information-sharing limitations among financial institutions, regulators, law enforcement, and others can substantially impede addressing retail payments risks on a timely and effective basis. Examples include inconsistent or incomplete payments data, varying success levels of intra- and interagency collaborations, varied and overlapping jurisdictions, an incomplete network of memoranda of understanding (MOUs), privacy restrictions, perceived barriers beyond legal restrictions, competitive interests, costs, and trust. Suggestions for improvement in this area focused on:
- collection, consistency, and commonality of payments data, better understanding of its utility, and analysis tools. While data needs vary, a first step would be to focus on data elements of shared interest. A working group could facilitate ongoing payments data compilation and analysis efforts;
- formal and informal dialogue among various agencies and others, including simple measures such as shared contact lists;
- development of a “matrix” of various roles/responsibilities/information sources for shared use to facilitate more timely location of information and expertise available; and
- a more systematic, organized mechanism for information sharing, perhaps by establishing “brokers” for relevant information such as payments data.
Policing bad actors
Many noted that communication about bad actors is often ad hoc and that information is too widely dispersed to be useful and timely. Individual agency efforts, published enforcement actions, SAR filings, interbank collaborations, and industry self-regulatory efforts, while all worthwhile, have not fully promoted effective information gathering and sharing among all the parties who can have an impact. Suggestions for improvement in this area included:
- better understanding of risks across payment channels, both for front-end access point(s) and back-end processing, to mitigate fraudster arbitrage of vulnerabilities;
- publishing enforcement actions and related settlements more effectively as a deterrent;
- establishing a central “negative list” or “watch list” of bad actors;
- extending registration requirements for third parties participating in payments networks beyond existing targeted voluntary efforts;
- strengthening and clarifying regulatory guidance, such as that for counterfeit checks and consumer account statements;
- better educating consumers and banks regarding common issues;
- a more direct means of compensating victims;
- mining specific activity reports and other existing agency databases such as consumer complaints data; and
- potential new SEC codes within ACH to better track risks.
Collaboration
Participants identified collaborative efforts to help detect and/or mitigate retail payments risk issues and identified benefits and gaps. Examples included bank regulatory groups (intra- and interagency), national and regional law enforcement partnerships, interstate collaboration, federal-state working collaborations, joint investigative task forces, examination- or case-driven ad hoc efforts, and industry data-sharing efforts. Potential avenues for improved collaborative action included:
- a law enforcement/regulatory payments fraud working group;
- a virtual collaborative forum via Web sites, e-mail lists, or regular phone calls;
- greater attention paid to requests for comments on proposed NACHA rules;
- examiner and law enforcement training opportunities;
- participation in and/or support for industry database sharing efforts;
- engagement with industry groups to improve best practices;
- a Web-based resource for consumers supported by all (“fraud.gov”);
- implementation of further MOUs among agencies; and
- efforts to identify fraud patterns across agencies, such as the federal government’s Eliminating Improper Payments Initiative.
Substantive areas of concern
Participants were asked to describe substantive retail payments risk issues that keep them up at night. Some common themes emerged, including:
- strengthening the oversight of third-party payments processors and others not covered by the Bank Service Company Act;
- quantifying and better managing the misuse of remotely created checks;
- understanding and mitigating risks associated with “cross-channel” fraud;
- “Know Your Customers’ Customer” due diligence, compliance, and associated risks and potential liabilities for fraud detection/mitigation purposes;
- establishing a common means of redress for consumers regardless of the payment channel; and
- improving the clarity of consumer account statements by instituting standards and reducing jargon.
Progress has been made on a number of these ideas in the past year, including the formation of new working groups and other collaborations. The Retail Payments Risk Forum continues to explore opportunities and implement solutions to help foster collaborative action to address these and other industry concerns. Your input in the form of comments to Portals and Rails on these or other topics is welcomed!
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.
August 10, 2009 in Bank Supervision, Collaboration, Fraud, Law enforcement
August 03, 2009
Accounting for ACH losses: What are the right numbers to crunch?
From talking with a number of industry players, it has become increasingly clear that there is a healthy desire for ACH origination loss data to help understand risks, but also that business practices limit the extent to which data to benchmark ACH losses are available in the first place. The challenge is to reconcile these two conflicting objectives.
Many banks today treat ACH origination as credit underwriting, particularly for business customers. Given this, one way banks may account for losses as a result of ACH origination is as credit losses against loan loss reserves or other similar accounts. This method is entirely appropriate as a risk management practice given the potential for losses the ACH originating bank may incur as a result of unauthorized debit items that are returned by the receiver through its bank. The originating bank, having already credited its customer’s account, may find itself unable to collect the returned item and thus may incur a loss.
NACHA does publish aggregate trend data on what is probably the best metric it has available—unauthorized returns as a percentage of all ACH debits in the network. While this is a good starting point, it is not a fully accurate picture of the actual losses banks may incur as a result of ACH origination (whether for debits or credits). While the trend of unauthorized debit returns is instructive, it does not explain the dollar losses to banks.
Further, while it is likely that most banks track or have the ability to track their losses from ACH origination, there is no standard regulatory or other financial reporting for banks to report ACH loss information. Such losses may be attributable to fraud or not, but the extent of these losses in terms of aggregate dollars and velocity is likely to be a more robust data point for analysis of ACH fraud and ACH origination risks than the data available today. Improved data on banks’ ACH loss experience would go a long way to explain the true extent of ACH origination risk within the network overall and may promote banks’ ability to benchmark their own losses in an effective way. It also would enable both the network and individual banks to better tailor their risk management efforts. Most importantly, having more data could help dispel any mistaken assumptions about how much financial loss banks are experiencing from operational and fraud risks in ACH origination activities.
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.
August 3, 2009 in ACH, Banks and Banking, Fraud, Risk, Risk Management

