Notes from Memento's Michael Wlodyka, Fraud Consultant, and Matt Doremus, Sr. Solutions Architect

 
Michael Wlodyka, Memento Fraud Consultant, on Reputational Risk

On day 2 of the BAI Payments Connect 2012 conference, I had the opportunity to attend a very interesting presentation by John Carlson, EVP for fraud prevention and cyber security at BITS, entitled ‘Hardening’ Payment Systems for the Next Generation. In his talk, John highlighted the fact that trust and reputation are two of the most valuable assets that financial institutions have in retaining existing customers and acquiring new clients.

Whether deserved or not, the persistent threats of account takeover, identity theft, check, card, ACH, wire, and mortgage fraud, along with continued insider and elder abuse can lead to a perception of insecurity. In order to effectively combat the increased risk of new channels, players, and products, there is a need for cooperation between and amongst financial institutions and their providers ...

In a recent Bank Info Security article, Account Takeover: Better or Worse?, Tracy Kitten interviews Doug Johnson, Vice President of Risk Management Policy for the American Bankers Association to get his expert opinion on the state of account takeovers and identity theft.

ACH fraud may be defined as many different fraud types including account takeover and payments fraud. Because there are no statistics on the total ACH losses for 2011, there may be the illusion that losses are down. In my opinion, the trend may seem that ACH fraud is decreasing due to tighter controls, but when I speak with industry colleagues, I tend to hear the opposite.

At year’s end, I like to take a step back and assess the main fraud trends I’ve seen and heard when speaking with our customers. Not only have we seen a lot of movement in the ACH area due to the FFIEC Supplement released this year, but there also have been some major events in the news this year that have driven action in fraud prevention measures overall. There are a few trends, in particular, that stand out to me more than others.

1. Internal Fraud is Here to Stay: The interest in Internal Fraud continues to be high, and without a proactive monitoring system in place, banks are at higher risk of being exposed to theft from their own employees. Some of the more common fraud strategies in Internal Fraud include ...

With the new year here, I figured it was a good time to step back and take stock of our progress – as an industry – in the ongoing battle against fraud. A frank assessment: we could be doing a lot better.

Sure, there are always improvements that can be made to the organizations, processes and technologies that must come together to solve a complex issue like fraud management. But I think the more important barriers our industry faces are more fundamental and structural in nature. Specifically, I see the following:

The Boiling Frog
Our industry’s slow reaction to the growing, morphing fraud problem makes me think of the boiling frog phenomenon. If you haven’t heard of it ...

Last week, ACH payments and fraud prevention professionals attended the NACHA Council Mega Meeting held on the waterfront in Boston, MA. In the sessions related to quicker payment processing, the overall sentiment was that banks need to do a better job of monitoring to manage the increased exposure. Two of the hottest topics were Expedited Processing and Settlement and, of course, the new supplement to the 2005 FFIEC Guidance.

Expedited Processing and Settlement (EPS): As anyone who is involved in ACH payments knows, NACHA is proposing a new payment option called EPS, which would allow ...

The FFIEC recently supplemented its 2005 Guidance in response to what it calls an “increasingly hostile online environment”. Regardless of the size of institution, if it provides banking products online, it is a target. On almost a weekly basis, we hear of a new online fraud case that caught one or more banks unprepared. The Guidance is timely, but it stops short of providing a “step-by-step” approach. Here’s what I believe financial institutions can do in light of the Guidance:

1) Revisit the risk assessment
Not surprisingly, risk assessments are hated by most bankers and viewed as a useless exercise. I have personally spent countless hours locked in a conference room attempting to document all the types of fraud that might happen. Unfortunately, risk assessments are a necessary part of fraud prevention. Moreover the supplement to the 2005 Guidance stresses the importance of keeping the risk assessment current. Here is a suggestion ... 

In most college towns, this is the time of year when swarms of U-Hauls and overstuffed cars bear down onto college campuses. Students will settle into their dorms and likely kick off their social lives before their classes even begin. The funds that they have for day-to-day expenses will begin to run low, and students will look for ways to supplement their income. This is prime opportunity for fraudsters to seek out and prey upon students.

Given that, we can deduce why college campuses are a ‘hang out’ for fraudsters - because students are easy targets. The sheer volume of students makes it easy to recruit vulnerable, needy, and/or naive students. I find it interesting that the scams have not changed much since I was in college. Scams relating to fraudulent grant letters, credit cards applications, work from home, check cashing and the ever so popular ATM card scams are still thriving. It is still common for fraudsters to not only pay students to pass bad checks through their accounts for nominal compensation, but also to ...

As you probably have heard by now, the FFIEC has issued new Guidance for authenticating online customers, and we should expect these guidelines to take effect in January 2012. That doesn’t leave a lot of time for financial institutions to get themselves ‘in compliance’.

The new guidelines are an enhancement to those originally issued in 2005. As one banker said to me, “These guidelines aren’t revolutionary like the original ones, they are evolutionary”. As the FFIEC points out, the internet is far more risky today than it was in 2005, and criminals are much more effective at compromising accounts despite existing bank controls. The FFIEC strongly encourages banks to perform periodic risk assessments and enhance their current controls due to this new environment.

In 2005, the FFIEC ...

In a recent Bank Fraud Forum blog post, Discussing Multi-Factor Authentication, Shirley Inscoe stated that cross-channel fraud detection enables the analysts "...to see the complete picture with regards to a customer or account, and detect suspicious events that would otherwise result in losses...” Having been an investigator as well as a manager of a cross-functional fraud team for over 2 decades, I could not agree more.

However, it must be said that even if you provide a holistic picture of fraud to the analysts, it does not do them - or your customers - any good if they are not skilled in investigating and properly mitigating cross-channel fraud alerts. For those who have worked fraud over multiple channels, there are varying rules and regulations that may entail some compliance issues, including Reg E, Reg CC, UCC Articles 3 and 4, Reg J, Check 21, Clearinghouse Rules ...

For those keeping score in the legal battles between financial institutions and their commercial account holders, a recent decision by Judge Patrick J. Duggan in the Experi-Metal Inc. (EMI) vs. Comerica case evened the score at one a piece for the interested parties…or did it? Two weeks ago the recommendation by the magistrate in the Patco vs. Ocean Bank case favored the bank. The District Court has yet to decide if that recommendation will be accepted, but observers have expressed the opinion it will be. With the Michigan bench opinion out, maybe not. Now we get an opposing view that the bank may be liable for the losses. This could have serious repercussions for the industry, because anyone paying attention knows that commercial accounts are regulated under UCC statutes, not Reg. E. Commercial customers and their banks are subject to the UCC4a guidelines, specifically by § 4A-202.(c), which reads, “Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.” I can see in part where ...