Industry Perspectives on Emerging Risks and Public/Private Engagement: NACHA and the ACH Network
Retail Payments Risk Forum
November 5, 2009
Jane Larimer
EVP ACH Network Services
General Counsel
NACHA - The Electronic Payments Association

NACHA and The ACH Network
• As administrator of the ACH Network, NACHA creates and maintains the NACHA Operating Rules, enforces the Rules, proactively develops Network risk policy, and responds to Network risk events
• Risk events are managed to minimize the long-term effect on consumers and financial institutions
• NACHA’s risk strategy includes making changes to the NACHA Operating Rules, disseminating best practices and developing tools to manage the risk profile of the Network on an ongoing basis
• As ACH Network volume has grown and usage has expanded, there has been great attention to risk and fraud mitigation. The ACH Network has experienced lower rates of return for unauthorized entries and other returns indicative of fraud
• Since 2001, debit unauthorized return rates reduced from 0.09% to 0.04%.

Unauthorized Debit Rate
• One measurement of risk in the ACH Network continues to trend down:
• Where is the path of least resistance?
• Risk across payment channels – the “keys” to the house
• Risk management tools

Perspective on Risk and Losses *
• 71% of organizations: attempted or actual payments fraud (consistent with past years)
• 55% report same incidence of attempted or actual fraud – check fraud increasing faster
• 30% - increased incidents, while 15% decreased incidents
• Only 17% of organizations that experienced ACH-related fraud attempts incurred losses
• Didn’t follow best practices: no debit block / no ACH positive pay / not timely return
* Source: AFP 2009 Fraud Study

Emerging Risks and Public/Private Engagement: Corporate Account Takeover
• In 2007 and again in 2009, NACHA issued risk alerts about keylogging and “Corporate Account Takeover” – a compromise of businesses’ online banking credentials
• Referenced 2005 FFIEC Guidance – Authentication in an Internet Banking Environment
• Best practices
• Once the fraudster has access to the account, they can do anything the legitimate account holder can do – often including assuming administrative rights
• Add accomplices to payroll – “money mules”
• Send funds transfers
• ACH credits and debits
• Wire transfers
• Collaboration with FS-ISAC and FBI on FI Alert
• Communicated issues and best practices to financial institutions and industry
• Drafted new section for Better Business Bureau Data Security publication for small businesses
• Held Keylogging Teleseminar on issues to educate FIs and Network participants
• Speakers from: Justice Department, Federal Reserve, a large FI
• Risk Management Vendor Showcase
• FFIEC Regulatory Panel
• Direct Member Summit Session with FBI and FS-ISAC

Paradigm Shift?
• When using the ACH Network to process payments, “traditional” frauds including telemarketing fraud, credit repair, and membership clubs have used ACH debit applications
• So, traditionally we have looked to unauthorized debit rates as the key indicator of fraud because unauthorized debits are coded and returned
• But there has been more activity lately regarding unauthorized funds transfers from DDAs – mainly credit payments
• Corporate account takeover
• Credit transactions that the Originator claims are unauthorized cannot be monitored through the Network (as of now)
• Need Network-wide data to assess extent of problem
• Benchmarking