
Fighting Fraud Using Today’s Technology

Fighting Fraud Using Today’s Technology. Kathryne Daniels, CTP Senior Vice President Government Banking. May 2009. Agenda. Introductions Regulatory Issues Role and Responsibilities Payments Fraud Check Fraud ACH Fraud Online Security Payments Fraud Prevention Best Practices



  1. Fighting Fraud Using Today’s Technology Kathryne Daniels, CTP, Senior Vice President, Government Banking, May 2009

  2. Agenda • Introductions • Regulatory Issues • Role and Responsibilities • Payments Fraud • Check Fraud • ACH Fraud • Online Security • Payments Fraud Prevention Best Practices • Credit Card Data Security • Why Credit Card Data Security is Important • Anatomy of a Data Compromise • Reducing the Risk of Compromise via PCI Compliance • Data Security Best Practices • Open Discussion

  3. Regulatory Impacts • Uniform Commercial Code Articles 3 and 4 • Reg E • Expedited Funds Availability Act and Fed Reg CC

  4. Role and Responsibilities • Agencies • Must exercise ordinary care. If an agency does not exercise “ordinary care,” your financial institution may no longer be held wholly liable. • Definition of ordinary care as I understand it: • “The adherence to reasonable commercial standards prevailing in a company’s region and industry” • Financial Institutions • Banks share in the responsibility for establishing systems and controls to help prevent fraud on deposit accounts from occurring.

  5. Payments Fraud October 7, 2008

  6. Why Should I Care? • “I have nothing to worry about, my bank will automatically reimburse us if check fraud occurs.” • “I have too many other goals to attain this year to shave the bottom line -- I have to install that ERP system” • “We’ve never been hit with check fraud…”

  7. Check Fraud: How Simple • More than 1.2 million worthless checks each day enter the banking system • Easy to get away with • Simple technology readily available • Easily obtainable bank account information • Available authorized signatures

  8. Fraud Prevention Tools • Positive Pay • Dollar and date controls • Check outsourcing • Check stock security features

  9. Positive Pay Services • Traditional Positive Pay • Teller Positive Pay • Payee Positive Pay

  10. Dollar and Date Controls • Maximum dollar controls • Reviews and returns checks presented over a specified amount • Stale date controls • Reviews and returns checks that exceed your designated “stale” timeframe
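The positive pay variants on slide 9 and the dollar and date controls on slide 10 are, at bottom, one matching pass over the checks presented against the issuance file. The following is an added example of that pass and is not code from the presentation or from any bank product; the data classes, reason codes, and the sample issued and presented checks are all constructed for illustration, and the $10,000 maximum and 180-day stale window are assumed policy values.

```python
"""Positive pay matching with dollar and stale-date controls (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount_cents: int
    payee: str
    issue_date: date


@dataclass(frozen=True)
class PresentedCheck:
    number: int
    amount_cents: int
    payee: str            # payee as read from the check image
    presented_date: date


def _norm(payee: str) -> str:
    # Case and spacing differences on the image are not alterations.
    return " ".join(payee.upper().split())


def positive_pay_exceptions(issued, presented, max_amount_cents, stale_days, payee_match=True):
    """Return [(check number, reason)] for each presented item that must not be
    paid automatically. Items that pass every test count as paid, so a second
    presentment of the same number is reported as a duplicate."""
    issued_by_number = {c.number: c for c in issued}
    paid = set()
    exceptions = []
    for p in presented:
        issue = issued_by_number.get(p.number)
        if issue is None:
            reason = "not_issued"                      # traditional positive pay
        elif p.number in paid:
            reason = "duplicate_presentment"
        elif p.amount_cents != issue.amount_cents:
            reason = "amount_mismatch"                 # traditional positive pay
        elif payee_match and _norm(p.payee) != _norm(issue.payee):
            reason = "payee_mismatch"                  # payee positive pay
        elif p.amount_cents > max_amount_cents:
            reason = "over_maximum"                    # maximum dollar control
        elif p.presented_date - issue.issue_date > timedelta(days=stale_days):
            reason = "stale"                           # stale date control
        else:
            paid.add(p.number)
            continue
        exceptions.append((p.number, reason))
    return exceptions


# Constructed sample data (not from the presentation).
SAMPLE_ISSUED = [
    IssuedCheck(1001, 50_000, "ACME SUPPLY", date(2009, 3, 2)),
    IssuedCheck(1002, 1_200_000, "CITY POWER", date(2009, 4, 15)),
    IssuedCheck(1003, 7_500, "JANE DOE", date(2008, 9, 10)),
    IssuedCheck(1005, 25_000, "BOB'S GARAGE", date(2009, 4, 20)),
    IssuedCheck(1006, 10_000, "K. SMITH", date(2009, 4, 22)),
]
SAMPLE_PRESENTED = [
    PresentedCheck(1001, 50_000, "Acme Supply", date(2009, 5, 1)),    # clean match
    PresentedCheck(1001, 50_000, "ACME SUPPLY", date(2009, 5, 3)),    # counterfeit duplicate
    PresentedCheck(1002, 1_200_000, "CITY POWER", date(2009, 5, 1)),  # over the $10,000 limit
    PresentedCheck(1003, 7_500, "JANE DOE", date(2009, 5, 4)),        # issued 236 days ago
    PresentedCheck(1004, 25_000, "CASH", date(2009, 5, 4)),           # never issued
    PresentedCheck(1005, 250_000, "BOB'S GARAGE", date(2009, 5, 4)),  # amount altered
    PresentedCheck(1006, 10_000, "KEVIN SMITHE", date(2009, 5, 4)),   # payee altered
]


def run_sample(payee_match=True):
    """Run the sample through the matcher with assumed policy values."""
    return positive_pay_exceptions(SAMPLE_ISSUED, SAMPLE_PRESENTED,
                                   max_amount_cents=1_000_000, stale_days=180,
                                   payee_match=payee_match)


if __name__ == "__main__":
    for number, reason in run_sample():
        print(number, reason)
```

Running it with `payee_match=False` models traditional positive pay: check 1006, whose payee line was altered but whose number and amount still match, is then paid without review, which is the gap payee positive pay closes.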

  11. Check Outsourcing • Eliminates need to order and store check stock • Safeguards signatures • Prints and mails checks • Creates positive pay issuance file • Provides postal discounts

  12. Check Stock Security Features: Do They Matter? • Watermarks • Controlled safety paper • COPY BAN + VOID pantograph • Micro printing • Thermochromic ink • Laid lines • Warning bands • Secure number font • Chemical VOIDS • Image-survivable features

  13. About Check 21 Check 21 became effective October 28, 2004 • Purpose • Improves efficiency in the U.S. banking system by eliminating the need to transport paper checks between banks • Encourages innovation in the payment system by removing key barriers to check truncation • What it means • Allows banks to create and provide a substitute check in lieu of an original check • Banks must process substitute checks if received

  14. Check Payment Transformation • Check conversion and check truncation are distinct alternatives to transform a check • Check conversion transforms a check to electronic settlement (ACH: POP, ARC, RCK; EFT networks: SafeCheck, Visa POS Check) • vs. • Check truncation transforms a check to image-enabled electronic or paper settlement (Image Exchange; Substitute Checks)

  15. Image Survivable • Automated recognition • Bar-coding • Seal-encoding • Digital watermarks

  16. Automated Payee Recognition • Compares payee name on image to issuance database • Character-by-character • Digital interrogation • Only true exceptions reported • Limited integration with traditional Positive Pay

  17. Bar-coding • Key data encrypted into bar-code on the check surface • Resembles a UPC symbol • Read by issuing bank and compared to the image

  18. Seal-encoding • Unique graphic printed on check using vendor supplied software • Check information encoded within seal • Automated interrogation and validation • Permutation keys and secret identifiers • Replaces formal bank signature verification • Seal will fail to decode properly if tampered with

  19. Digital Watermarks • Hidden message on the front surface of check • Similar to seal-encoding capability • Digital scanners compare the digital watermark to MICR and visual data • Real-time identification of alterations possible

  20. ACH Payments • Reduces exposure to costly check fraud activity • Reduces costs • B-2-B payment growth • Electronic payroll solution: • Direct deposit – save $0.89 per payment • Establish dual control over file preparation • Have your bank forward historical origination files to your internal auditors • Payroll cards • Provides employees with ATM cash access and a safe way to make purchases

  21. Potential Fraud Growth • WEB • TEL • POS/POP

  22. ACH Blocks and Filters • Debit blocks • Prevent all ACH debits and/or credits from posting • Prevent consumer entry class debits • Debit filters • Permit ACH debits and/or credits from known trading partners only • Cumulative daily amount limits by trading partner
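The blocks and filters on this slide are a per-entry decision over incoming ACH items: reject consumer entry classes, reject debits from originators not on the known-partner list, and reject a debit that would push a partner past its cumulative daily limit. The following is an added example of that decision logic and is not code from the presentation or from any bank; the entry record, the policy object, the company IDs and the settlement amounts are constructed, and the set of consumer entry classes is an assumption made for the example.

```python
"""ACH debit blocks and filters (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Entry classes originated under consumer authorizations (assumed list for this
# example); a "consumer entry class" block returns debits carrying these codes.
CONSUMER_SEC_CODES = {"PPD", "WEB", "TEL", "POP", "ARC", "RCK"}


@dataclass(frozen=True)
class AchEntry:
    entry_id: str
    company_id: str        # originator's company identification
    company_name: str
    sec_code: str
    amount_cents: int
    settlement_date: date
    is_debit: bool


@dataclass
class DebitFilterPolicy:
    block_consumer_classes: bool = True
    # company_id -> cumulative daily limit in cents; an originator that is absent
    # is not a known trading partner. An empty dict is a full debit block.
    partner_daily_limits: dict = field(default_factory=dict)


def apply_debit_filter(entries, policy):
    """Return [(entry_id, decision, reason)]. Credits post as received; the
    filter is applied to debits only."""
    posted_today = defaultdict(int)   # (company_id, settlement_date) -> cents posted
    decisions = []
    for e in entries:
        if not e.is_debit:
            decisions.append((e.entry_id, "post", "credit"))
            continue
        if policy.block_consumer_classes and e.sec_code in CONSUMER_SEC_CODES:
            decisions.append((e.entry_id, "return", "consumer_class_blocked"))
            continue
        limit = policy.partner_daily_limits.get(e.company_id)
        if limit is None:
            decisions.append((e.entry_id, "return", "unknown_originator"))
            continue
        key = (e.company_id, e.settlement_date)
        if posted_today[key] + e.amount_cents > limit:
            decisions.append((e.entry_id, "return", "daily_limit_exceeded"))
            continue
        posted_today[key] += e.amount_cents
        decisions.append((e.entry_id, "post", "known_partner_within_limit"))
    return decisions


# Constructed sample: two known partners with $5,000 and $20,000 daily limits.
SAMPLE_POLICY = DebitFilterPolicy(
    partner_daily_limits={"1234567890": 500_000, "0987654321": 2_000_000})
D = date(2009, 5, 4)
SAMPLE_ENTRIES = [
    AchEntry("e1", "1234567890", "ACME SUPPLY", "CCD", 300_000, D, True),
    AchEntry("e2", "1234567890", "ACME SUPPLY", "CCD", 250_000, D, True),   # pushes ACME past $5,000
    AchEntry("e3", "5555555555", "UNKNOWN VENDOR", "CCD", 90_000, D, True),
    AchEntry("e4", "0987654321", "CITY POWER", "WEB", 10_000, D, True),     # consumer class
    AchEntry("e5", "0987654321", "CITY POWER", "CCD", 1_500_000, D, True),
    AchEntry("e6", "0987654321", "CITY POWER", "CCD", 1_500_000, date(2009, 5, 5), True),  # new day
    AchEntry("e7", "1234567890", "ACME SUPPLY", "CCD", 100_000, D, False),  # a credit
]


def run_sample():
    return apply_debit_filter(SAMPLE_ENTRIES, SAMPLE_POLICY)


if __name__ == "__main__":
    for entry_id, decision, reason in run_sample():
        print(entry_id, decision, reason)
```

The cumulative limit is keyed on the settlement date, so the same partner's limit resets each day (e5 and e6 both post), while a second debit on one day that would breach the limit is returned even though each debit on its own is under the limit.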

  23. Online Security • Strong authentication mechanisms, such as digital certificates • 128-bit Secure Sockets Layer (SSL) encryption • Dual administration, customizable permissions and authorizations. • Comprehensive audit logs and activity tracking. • Network perimeter and application protection that includes round-the-clock monitoring of firewalls, anti-virus systems and intrusion detection and prevention technologies.

  24. Best Practices • Internal Controls • Practice separation of duties • Keep policies and procedures up to date and associates trained. • Notify your bank and law enforcement authorities as soon as you suspect fraud. • Perform background checks on new associates, observe employee behavior • Use separate accounts for electronic and paper transactions • Reconcile your accounts daily (or at least within 30 days) • Reconcile ACH transactions daily • Make sure check stock is image-able • Control physical security of check stock, signature plates, temporary access and employee ID cards. • Use laser printed checks with security features • Deliver outgoing checks to the mailroom as late in the day as possible • Properly destroy critical accounting information • Take advantage of fraud products

  25. Best Practices • Online Controls • Practice safe computing • Use firewall, anti-virus, and spyware prevention tools • Do not allow users to download unauthorized software on business PCs • Limit physical access to treasury computers • Assign permissions only for what is needed • Delete old user accounts and access to bank systems • Ensure users do not share passwords • Encrypt sensitive information in storage • Take advantage of bank provided application controls: • Dual administration • Dual approval of payments • User transaction limits • Audit Logging

  26. Why Credit Card Data Security is Important • If you accept payments via credit card, debit, or prepaid cards, your fraud prevention efforts must include the protection of any cardholder account data handled by you, or on your behalf. • If card account information is stolen from you, or a service provider working on your behalf, it can be used by criminals to commit fraud. • Financial Impact: You may be subject to significant fines and losses arising from such fraud and from not properly protecting card account information. • Reputation Impact: Potentially more damaging than the financial impacts, public trust and confidence in your organization can be negatively impacted by this type of data security breach.

  27. Card Data Security in the Headlines “11 Charged in Theft of 41 Million Card Numbers…. Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed.” – August 5, 2008 – New York Times [Major grocery store chain] Malware used in “a massive data breach that compromised up to 4.2 million credit and debit cards…” – March 28, 2008, Boston Globe [Major retailer] “Breach of data… is called the biggest ever - stolen card numbers put at 45.7 million… Credit and debit card numbers were stolen by hackers who accessed the computer systems…” – March 29, 2007, Boston Globe

  28. Anatomy of a Data Compromise • A data compromise is an incident involving the breach of a system or network where cardholder data is processed, stored or transmitted. • A data compromise can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data. • There are three basic types of data security breaches that can lead to a data compromise: • Physical Breach – theft of documents or equipment • Electronic Breach – electronic breach of a system or network environment • Skimming – capture of card magnetic stripe data using an external device

  29. Reducing the Risk of Compromise via PCI Compliance • The major credit card companies, including Visa and MasterCard, require any business which accepts credit, debit, or prepaid card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) • The PCI DSS is a global standard for protecting cardholder account information to reduce the risk of data compromise • The PCI DSS consists of 12, “digital dozen,” requirements for protecting card account information, and operates on the following principles: • If you don’t need cardholder account data, don’t store it. • Never store sensitive authentication data (i.e. full magnetic card stripe data, card verification values, or PIN/PIN block data), after transaction authorization. • If you store permitted cardholder account data (i.e. full Primary Account Number, cardholder name, service code, and expiration date), it must be protected in accordance with the PCI DSS “digital dozen” requirements. • If you use a service provider(s) to handle cardholder account data on your behalf, you must ensure your service provider(s) handles this data in accordance with PCI DSS requirements.

  30. Data Security Best Practices: Beyond PCI Compliance • Merchants may also benefit from applying additional data security measures which go beyond the baseline PCI DSS requirements, such as: • Tokens • Internal Network Segmentation • Encryption of Private Networks • Database Activity Monitoring • Data Loss Prevention • Network Admission Control • Depending on your card payment acceptance method, the above measures may or may not apply.
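Slide 29's principles (don't store what you don't need, never store sensitive authentication data after authorization, protect any stored PAN) and slide 30's "tokens" measure come together at the point where an application decides what it writes to its own database. The following is an added example of that decision and is not code from the presentation, from any card brand, or from any tokenization vendor; the field names, the in-memory vault class, the sample authorization request, and the audit function are constructed for illustration. The vault is a stand-in for a real tokenization service and is only meant to show where the full PAN does and does not end up.

```python
"""Keeping stored card data within the PCI DSS principles (added example)."""
import secrets

# Sensitive authentication data: must not exist in any stored record after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv2", "track1", "track2", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test; used to recognise a full PAN in a record."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the usual displayable form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a tokenization service (assumed interface): maps random
    surrogate tokens to PANs so that only the vault, not the application
    database, holds full PANs. A real vault encrypts its store and runs in a
    segmented environment; this one is an in-memory dict for the example."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(12)   # random; carries no information about the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def prepare_storage_record(auth: dict, vault: TokenVault) -> dict:
    """Reduce an authorization request to the only record the application stores:
    a token and masked PAN instead of the PAN, and none of the sensitive fields."""
    return {
        "token": vault.tokenize(auth["pan"]),
        "masked_pan": mask_pan(auth["pan"]),
        "cardholder_name": auth.get("cardholder_name"),
        "expiry": auth.get("expiry"),
        "auth_code": auth.get("auth_code"),
        "amount_cents": auth.get("amount_cents"),
    }


def storage_violations(record: dict) -> list:
    """Audit check for a stored record: sensitive fields present, or a full PAN."""
    found = set(SENSITIVE_AUTH_FIELDS & record.keys())
    if "pan" in record and luhn_valid(str(record["pan"])):
        found.add("pan")
    return sorted(found)


# Constructed sample authorization request; 4111... is the standard Visa test PAN.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "cvv2": "123",
    "track2": "4111111111111111=09121011234567890",
    "cardholder_name": "J DOE",
    "expiry": "0912",
    "auth_code": "A1B2C3",
    "amount_cents": 4_999,
}

if __name__ == "__main__":
    vault = TokenVault()
    record = prepare_storage_record(SAMPLE_AUTH, vault)
    print(record)
    print("violations in raw request:", storage_violations(SAMPLE_AUTH))
    print("violations in stored record:", storage_violations(record))
```

The audit function is the part a practitioner can reuse on a real table: run it over a sample of rows and any non-empty result is a field that should not be there. Note that the masked PAN is kept alongside the token only because it is a permitted, non-sensitive display value; the application never needs to call `detokenize` except for the narrow case of re-presenting a card to the processor.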

  31. Next Step for Merchants • Contact your acquirer for guidance. • Familiarize yourself with online, card brand resources. • Understand your cardholder data environment. • Consider engaging a Qualified Security Assessor (QSA) and/or Approved Scanning Vendor (ASV). • Validate PCI DSS Compliance.

  32. Kathryne Daniels, SVP, Sr. Client Manager, Government Banking Tel: 925.827.3959 • Fax: 916.326.3176 kathryne.daniels@bankofamerica.com Bank of America 2290 Oak Grove Rd, Walnut Creek, CA 94598 Q & A Thank you!

  33. This presentation is for informational purposes only. It does not constitute an offer or commitment to buy or sell or a solicitation of an offer to buy or sell a security or any financial instrument, or a commitment to enter into a transaction, of the type generally described herein. The information contained herein, and any other communications or information provided by Bank of America, is not intended to be, and shall not be regarded or construed as, a recommendation for transactions or tax or investment advice, and Bank of America shall not be relied upon for the same without a specific, written agreement between us. Information contained in this presentation has been obtained from sources believed to be reliable, but its accuracy or completeness is not guaranteed by Bank of America. Also, certain information contained in this presentation speaks as of the date of this presentation (or another date, if so noted) and is subject to change without notice. This presentation is intended solely for your use and under no circumstances may a copy of this presentation be shown, copied, transmitted, or otherwise given to any person other than your authorized representatives.
