Mitigating Payment Fraud. North Carolina Local Government Investment Association, July 23, 2014. A perspective on recent fraud experience and best practice approaches for reducing the risk of payment fraud.
Avoiding the Headlines … Source: Fraud Advisory for Business: Corporate Account Takeover
Where Are We Now? A look at current state metrics
Are Things Improving? % of Organizations with Attempted/Actual Payment Fraud. Source: 2014 AFP Payments Fraud and Control Survey
Continuing Increase in the Number of Attempts: Becoming More Concentrated? Net Increase in Attempts: 2009 +13%; 2010 +10%; 2011 +8%; 2012 +11%; 2013 +11%. In 2013: 27% of organizations reported an increase in attempted fraud; 16% reported a decrease; 57% reported similar activity. Source: 2014 AFP Payments Fraud and Control Survey
Continued Prevalence of Check-based Fraud: Aren’t Check Volumes Declining? Total Checks Written (1): 2003 37.3B; 2012 18.3B. Sources: (1) 2013 Federal Reserve Payment Survey; (2) 2014 AFP Payments Fraud and Control Survey (actual and attempted)
Increasing Impact: Average Fraud Losses Continue to Grow. 2013 $23,100; 2012 $20,300; 2011 $19,200; 2010 $18,400; 2009 $17,100. Source: 2014 AFP Payments Fraud and Control Survey
Fraud Impact by Payment Type: Payment Method Responsible for Largest Dollar Loss. ACH Credit 1%. Source: 2014 AFP Payments Fraud and Control Survey
Fraud Impact by Payment Type: Average Value of Unauthorized Transaction ($). Source: 2013 Federal Reserve Payment Survey
Source of Fraud: Who and Why?
Sources of Attempted Payment Fraud: Who is initiating? A difference of opinion? (2) “72% of those surveyed have been hit by a fraud involving at least one insider in a lead role” within … 32% involved a senior or middle manager. Sources: (1) 2014 AFP Payments Fraud and Control Survey; (2) 2013/14 Kroll Global Fraud Report
Check-based Fraud Losses: Organizations Suffering Loss from Fraud Attempt. Identified Reasons For Loss: Processed by Check Cashing Agency (38%); Lack of Timely Recon or Positive Pay Review (28%); Internal Fraud (21%); Lack of Positive Pay Utilization (17%); Lack of Timely Check Return (10%); Lack of Post No Check Services on EFT Acct (10%). Source: 2014 AFP Payments Fraud and Control Survey
ACH Fraud Losses: Organizations Suffering Loss from Fraud Attempt. Identified Reasons For Loss: Lack of Debit Block or Filter (50%); Lack of Timely Reconciliation (38%); Lack of Timely Return (38%); Lack of ACH Positive Pay Utilization (38%); Internal Fraud (13%). Source: 2014 AFP Payments Fraud and Control Survey
Card Fraud Losses: Organizations Suffering Loss from Fraud Attempt. Source: 2014 AFP Payments Fraud and Control Survey
Card Fraud Losses: Purchasing and Travel Cards. Sources: (1) 2012 RPMG Purchasing Card Benchmark Survey; (2) 2013 RPMG Corporate Travel Card Benchmark Survey
Internal Processes: Best Practice Activities for Creating a Strong Control Environment
Organizational (Internal) Fraud: Primary Fraudulent Disbursement Activities. Source: Association of Certified Fraud Examiners (ACFE): 2012 Global Fraud Study-Report to the Nations on Occupational Fraud & Abuse
Internal Control Foundation: A/P Masterfile Control; Sourcing and Invoice Processing; Segregation of Duties; Confirmation of Beneficiary Changes; Approval and Execution; Timely Reconciliation
External Support: Services and Solutions to Mitigate Payment Fraud Risk
Primary Methods of Check Fraud: % of Organizations that Suffered Attempted Check Fraud. Chart callouts: Positive Pay; Positive Pay; Positive Pay; Payee Positive Pay. Source: 2014 AFP Payments Fraud and Control Survey
Primary Procedures to Guard Against Check Fraud. Source: 2014 AFP Payments Fraud and Control Survey
Primary Procedures to Guard Against ACH Fraud: Reconcile Accounts Daily, Identify and Return Unauthorized Debits (78%); Block ACH Debits Except on a Single Account With ACH Debit Filter/ACH Positive Pay (64%); Block ACH Debits on All Accounts (31%); Consumer Debit Block and Commercial Debit Filter (24%); Separate Account for all 3rd Party Debits (18%). Source: 2014 AFP Payments Fraud and Control Survey
Powerful Bank Services to Mitigate Payment Fraud: Positive Pay; ACH Positive Pay; ACH Debit Block; Post No Checks
Are Physical Check Security Features Still Needed? Copy Void Pantograph; Image Survivable Barcode; Thermochromatic Ink; Warning Bands; Dual Image Numbering; Secure Name Font; Chemical Reactive Paper; Fourdrinier Watermark. Source: F. Abagnale Fraud Bulletin – Vol 12
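An added example, not part of the original presentation: a minimal sketch of the matching logic behind the Positive Pay, Payee Positive Pay and Post No Checks services named above, in which presented checks are compared against the issue file the organization sent to its bank and anything that does not match becomes an exception for a pay/return decision. The record layout, reason codes and all sample data are assumptions constructed for illustration.

```python
from collections import namedtuple
from decimal import Decimal as D

Check = namedtuple("Check", "account serial amount payee")

def normalize(name):
    # Compare payee names ignoring case, punctuation and spacing.
    return "".join(ch for ch in name.upper() if ch.isalnum())

def screen(presented, issue_file, post_no_checks=frozenset()):
    """Return (serial, reason) for every presented item that must not auto-pay."""
    issued = {(c.account, c.serial): c for c in issue_file}
    paid, exceptions = set(), []
    for item in presented:
        key = (item.account, item.serial)
        match = issued.get(key)
        if item.account in post_no_checks:
            reason = "POST_NO_CHECKS"       # EFT-only account: no check is valid
        elif match is None:
            reason = "NOT_ISSUED"           # counterfeit or unknown serial
        elif key in paid:
            reason = "DUPLICATE"            # same check presented twice
        elif item.amount != match.amount:
            reason = "AMOUNT_MISMATCH"      # altered amount
        elif normalize(item.payee) != normalize(match.payee):
            reason = "PAYEE_MISMATCH"       # altered payee (Payee Positive Pay)
        else:
            paid.add(key)
            continue
        exceptions.append((item.serial, reason))
    return exceptions

# Constructed sample data: accounts, serials, payees and amounts are invented.
ISSUE_FILE = [
    Check("OPER-001", "10451", D("1250.00"), "Acme Paving, Inc."),
    Check("OPER-001", "10452", D("310.75"), "County Water Authority"),
    Check("OPER-001", "10454", D("78.20"), "Smith Supply Co."),
]
PRESENTED = [
    Check("OPER-001", "10451", D("1250.00"), "ACME PAVING INC"),
    Check("OPER-001", "10452", D("3310.75"), "County Water Authority"),
    Check("OPER-001", "10451", D("1250.00"), "Acme Paving, Inc."),
    Check("OPER-001", "10453", D("900.00"), "J. Doe"),
    Check("OPER-001", "10454", D("78.20"), "John Smith"),
    Check("EFT-002", "0001", D("500.00"), "J. Doe"),
]

if __name__ == "__main__":
    for serial, reason in screen(PRESENTED, ISSUE_FILE, frozenset({"EFT-002"})):
        print(serial, reason)
```

The control only works if the exception list is reviewed inside the bank's return window, which is why the loss reasons earlier in the deck pair Positive Pay with timely review and reconciliation.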
Online Banking: Best Practice Activities for Securing Information and Controlling Payment Execution
Account Take-over: Dissecting an Attack. Target Victims; Install Malware; Operator Logon; Capture Login Data; Initiate Funds Transfer. Source: Fraud Advisory for Businesses: Corporate Account Take Over - United States Secret Service, FBI, IC3, and FS-ISAC.
How Would You React to This Email?
Dear Valued Customer:
We noted that your account transferred $10,000 to Nigerian financial institution on June 15, 2014. Given the suspicious nature of this transaction, we have frozen all transaction activity on your account. Please access the link below to verify your credentials, review this transaction and restore your account to an active state:
http://pncbankUSA.com/suspendedaccount/secureverification
Once you have completed this, PNC’s Fraud team will work to promptly restore these funds.
Thank you for doing business with PNC!
PNC Bank USA, Pittsburgh, PA. Member FDIC 2014
Gone Phishin … Phishing: attempt to acquire information such as user name, passwords, and other financial details by masquerading as a trustworthy entity … in electronic form. Spear Phishing; Waterholing; Whaling; Clone Phishing; Social Engineering
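An added example, not part of the original presentation: a small check a mail gateway or awareness exercise could run over the sample e-mail above, flagging links whose domain is not one the organization has on record for its bank. The trusted domain `pnc.com`, the finding labels and the two comparison links are assumptions; the flagged link is the one quoted on the slide.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domain your organization actually uses for this bank.
# The slide does not state it; maintain this set from your own bank records.
TRUSTED_DOMAINS = {"pnc.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable(host):
    # Naive "last two labels" rule, adequate for .com; use the Public Suffix
    # List in production so that names such as example.co.uk are handled.
    return ".".join(host.split(".")[-2:])

def assess_link(url, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means no red flag was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if registrable(host) not in trusted:
        findings.append("untrusted-domain")
        # The bank's name inside a domain the bank does not own is the
        # "masquerading as a trustworthy entity" pattern from the slide.
        brands = {d.split(".")[0] for d in trusted}
        if any(b in host for b in brands):
            findings.append("brand-lookalike")
    return findings

def review_email(body, trusted=TRUSTED_DOMAINS):
    """Map every link found in a message body to its findings."""
    return {url: assess_link(url, trusted) for url in URL_RE.findall(body)}

# Excerpt of the sample e-mail shown on the slide.
SLIDE_EMAIL = (
    "Please access the link below to verify your credentials, review this "
    "transaction and restore your account to an active state: "
    "http://pncbankUSA.com/suspendedaccount/secureverification "
    "Once you have completed this, PNC's Fraud team will work to promptly "
    "restore these funds."
)
# Constructed links for comparison (not from the presentation).
GENUINE = "https://www.pnc.com/"
SUBDOMAIN_TRICK = "https://pnc.com.account-verify.example/login"

if __name__ == "__main__":
    print(review_email(SLIDE_EMAIL))
    print(assess_link(GENUINE), assess_link(SUBDOMAIN_TRICK))
```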
Account Transfer: Pay Close Attention to Wire Transfer Activity. 2.11 per 1000 commercial customers have experienced an account take-over; 82% of fraudulent transfers involved wires; 9% of all account take-overs resulted in funds being transferred. Source: Fraud Advisory for Businesses: Corporate Account Take Over - United States Secret Service, FBI, IC3, and FS-ISAC.
Controlling the Risk of Cyber Fraud: Education and Awareness; Insulate Workstation; Separate Approval Station; Malware and Virus Protection; FFIEC Authentication; Mobile Threat Vectors
Card Usage: Best Practice Activities for Managing Commercial Card Programs
What are Other Organizations Doing? Primary Controls Utilized. Source: 2012 RPMG Purchasing Card Benchmark Survey
Controlling Commercial Card Activity: Point of Sale Controls; Online Submission and Approval; Receipt/Proof of Purchase; Card Security; Audit and Inspection; Other
Who has Borne Card Losses? Parties that Suffered Loss on Commercial/Corporate Card Fraud: Sponsoring Organization (31%); Issuing Bank (44%); Merchant (14%). Source: 2014 AFP Payments Fraud and Control Survey
Expected Improvement from Migration to EMV Standard
• EMV (Europay, Mastercard, Visa): global standard for integrated chip-based card design
• Unlike other countries, the US continues to be dominated by magnetic stripe POS terminals
• Estimated cost of upgrades > $12B
• Merchant Processing
• When mag-stripe cards are swiped at POS terminal, data, such as primary account number and expiration date, are transmitted to the card issuer
• The data, known as static data, remains the same for each transaction
• EMV relies on dynamic authentication: use of changing variables unique to each individual card transaction
• PIN vs. Signature authentication
• Liability Shift
• Effective October 2015, liability will shift for domestic and cross-border counterfeit card-present POS transactions
• Fuel selling merchants have until 2017
• Shift from issuing bank to accepting merchant
• Will not immediately extend to web and phone-based purchases
• Expected to positively impact POS card fraud
No Reduction 8%. Source: 2014 AFP Payments Fraud and Control Survey
Disclaimer: This presentation was prepared for general information purposes only and is not intended as legal, tax or accounting advice or as a recommendation to engage in any specific transaction, including with respect to any securities of PNC, and does not purport to be comprehensive. Under no circumstances should any information contained in this presentation be used or considered as an offer or commitment, or a solicitation of an offer or commitment, to participate in any particular transaction or strategy. Any reliance upon the presentation is solely and exclusively at your own risk. Please consult your own counsel, accountant or other professional advisor regarding your specific situation. Any opinions expressed in this presentation are subject to change without notice.