380 likes | 1.02k Views
Risk Management May, 2007. JPMorgan Chase Commercial Card Solutions. Agenda. Definitions Fraud Dispute Case Study – Employee Fraud State of Oklahoma Audit Findings. Definitions. Definitions.
E N D
Risk Management May, 2007 JPMorgan Chase Commercial Card Solutions
Agenda • Definitions • Fraud • Dispute • Case Study – Employee Fraud • State of Oklahoma Audit Findings 2
Definitions • Fraud – Unauthorized use of a payment card resulting from lost, stolen or compromised account. The user has malicious intent and is seeking personal gain from use of account. • Dispute – Authorized cardholder questions the validity of a transaction. More along the lines of a transaction that was “mistakenly” applied to an account. MasterCard defines valid dispute reasons. • Employee Abuse – Authorized cardholder uses card in a manner which the State receives no benefit. MasterCard defines the type of employee abuse for which customers can be indemnified. 4
Fraud 5
Common Fraud Types • Lost/Stolen • Counterfeit Card • Mail Theft/Non-Receipt • Unauthorized Use • Skimming • Phishing 6
Lost/Stolen • Major source of fraud, along with counterfeit cards • Perpetrator not sophisticated • May know cardholder address, date of birth and social security number • Generally does not have false identification • Various types of spending 7
Counterfeit Card • Credit card has been manufactured • Security features will not be present or authentic • Sophisticated perpetrator • False identification used • Often found within organized fraud rings 8
Mail Theft/Non-Receipt • New account or replacement card recently mailed • Perpetrator slightly more sophisticated • Will know cardholder address, usually does not know date of birth and social security number • Generally does not have false identification • In-store purchases or mail/telephone order 9
Unauthorized Use • Transactions are made without an actual plastic via mail or telephone orders • Perpetrator is more sophisticated • Adult or Internet-type transactions 10
Skimming • Magnetic stripe is compromised • Card has been manufactured • Identification matches with a false name embossed on credit card • Sophisticated perpetrator - organized fraud rings • Enhanced security features deter perpetrators 11
Phishing • Phishing is an attempt to gain private information about you and your accounts. Most often via e-mail that looks like it is from your financial institution • You should never reply to or enter any information if you receive a suspicious e-mail • If you are unsure if the e-mail is legitimate call the 800 number on the back of your card 12
Phishing • It is not JPMorganChase’s practice to: • Send e-mail that requires you to enter personal information directly into the e-mail • Send e-mail threatening to close your account if you do not take immediate action of providing personal information • Send e-mail asking you to reply by sending personal information • Send e-mail asking you to enter your user ID, password, or account number into an e-mail or non-secure web page 13
Protection Against Fraud Loss is a Partnership • Fraud statistics vary from customer to customer, depending upon the controls they have in place. • Statistically, customers with higher loss are not taking advantage of the controls and reporting provided by the Bank. • JPMChase is there to assist in reducing fraud losses through preventative measures, reporting, and recovery efforts. • There are a number of things customers can do to guard against fraud. 14
Card Design Security Features • Hologram • Stylized Logo • Tamper-evident signature panel (CVC2) • Unique magnetic stripe coding (CVC1) 15
Top Fraud MCCs • 5411 – Grocery Stores • 5732 - Electronics • 5311 – Department Stores • 5310 – Discount Stores • 4812 – Telecommunication Equipment including telephone sales 16
Fraud Detection System • Criteria for queues based on current fraud trends • Reacts to request for authorization • Queues are populated with authorization “hits” on criteria • Queues can be defined for specific MCCs, dollar amounts, states/countries, etc. 17
Fraud Detection System • Detection cases are reviewed by a fraud analyst • Cardholder or Program Administrator is contacted to validate activity • Accounts may be temporarily suspended until activity is validated • Account analyzed by history, previous spending patterns, type of transaction, recently issued card 18
Disputes 19
Dispute Handling Guidelines • Merchants have 45 days to respond to your dispute claim • Provisional credit provided during the research process • File disputes timely • Maintain sufficient documentation on transactions to support your dispute • Avoid card sharing, it forfeits your dispute rights • Avoid use of department cards 20
Chargeback Tip - Disputes • Cardholder should contact merchant to resolve dispute • Cardholder must tender return of merchandise • Quality of service requires supporting documentation • Issuers may assist with cancellation of recurring payments on behalf of the cardholder 21
Case Study Recovering From Employee Fraud • Classic Fraud Profile • Trusted long term employee • Employee rarely took vacations/time off • Employee had no real backup • Had multiple levels of responsibility • Employee enforced policy for everyone else • Had access to forms to cover fraud • Start small and built up over time • New supervision – limited training 23
Case Study Recovering From Employee Fraud • Internal Weaknesses • Poorly trained supervision • Was a program administrator and a cardholder • Limited transparency • Limited audit/review by department • No internal audit • Limited review by accounts payable • Weak purchase oversight, small dollar purchases • Start small and built up over time • New supervision – limited training 24
Case Study Recovering From Employee Fraud • Best Practices/Learning Points • Act quick and decisively • Advise senior management immediately • Get HR involved • Think before you act or say anything • Consider the consequences • Work the data • There is a reason for the program • There are corrective actions • There have been successful accomplishments 25
Case Study Recovering From Employee Fraud • Best Practices/Learning Points • Clearly define the underlying issues • Have the facts straight • Describe why the program exist • Describe the effectiveness • Describe what you are doing to resolve the issue • Consider the former employee • Consider the current co-workers 26
Case Study Recovering From Employee Fraud • Corrective Action Steps • New reporting requirements • Transaction monitoring • Minimum use requirements • Card Authorizations • Review of authorized levels • Internal audit corrective action plans • New supervisor manual 27
MasterCoverage Liability Protection Program • Coverage afforded by MasterCard to indemnify entities for instances of employee abuse • Maximum coverage of $100K per cardholder • Program administrator action required • Adhere to claim criteria • Limited to certain activity up to 75 days before and 14 days after JPMC is notified of employee termination • Claims available through customer service or program coordinator • Key Requirements • Employee must be terminated • Cards must be cancelled within two business days of employee termination date 28
MasterCoverage Liability Protection Program • Key Exclusion • Department Cards • Charges made by someone who is not an employee 29
State of Oklahoma Purchase Card Audits • 2006 Audit Cycle • Purchase Card Expenditures $17.9MM • For the agencies audited, there was $7MM or 39% of purchase card expenditures • 25 Agencies audited • On average of 42% of the expenditures for each Agency were tested • Estimated administrative cost savings for the State of Oklahoma for calendar year 2006 of $6.4 MM* • *2005 RPMG Research, P-Card Benchmark Survey Results 31
Most Common Purchase Card Audit Findings • Receipts filed were not properly signed, dated, and annotated as “Received” • Internal Procedures were not properly submitted or updated to the Department of Central Services • Memo Statements were not properly signed, dated, or included in the Agency’s purchase documentation • Employee Agreements that were not signed by participating employees of the Purchase Card program 32
Highest Occurrences of Quantifiable Audit Findings • Applicable items that exceeded $500 were not included on the inventory list of the Agency • Receipts reviewed were not properly signed, dated, and annotated as “Received” • Employee Agreements that were not signed by participating employees of the Purchase Card program 33
Findings Associated with Highest Dollar Amount • Total purchase card expenditures exceeding the amount encumbered by the agency • Purchase card transactions not having appropriate documentation • Purchase card transactions not having a detailed or itemized receipt 34
Highest Error Rate Associated with Purchase Card Findings • Agencies who reported lost cards did not have Missing Lost Card Reports on file at the time of the audit • Items for Inventory were not included on the inventory list of the Agency 35
Outcome of Continuous Monitoring Performed • 13 agency directors voluntarily deactivated cards due to lack of or inappropriate Approving Officials • 4 more agency directors deactivated their cards during or regular audits • 5 purchase cards were cancelled and 4 were placed on hold due to cardholders not recorded on the DCS training log 36
Questions? 37
Contacts Lisa Martin Department of Central Services State of Oklahoma (504) 522-1654 David W Cox Vice President JPMorganChase (312) 954-3533 38