Emerging ACH Issues. Florida Bankers Association 30 th Annual Consumer Compliance Seminar Orlando, Florida April 29- May 1, 2015

Transcription

1 1 Emerging ACH Issues Florida Bankers Association 30 th Annual Consumer Compliance Seminar Orlando, Florida April 29- May 1, 2015 Kristen J. Stogniew, Esquire, AAP, CFE, Shareholder Agenda 2 Where is ACH today? New Rules for 2015 ACH fraud/third Party update New Initiatives Any question, at any time. 1

2 Automated Clearing House - ACH s Special Committee on Paperless Exchange (SCOPE) NACHA 1974 established uniform operating rules for exchange of ACH payments among associations NACHA Operating Rules NACHA Operating Guidelines Every Depository Financial Institution (DFI) is a member Originating Depository Financial Institution (ODFI) Receiving Depository Financial Institution (RDFI) ACH Volume = 40 years of NACHA 2014 statistics : Total ACH volume (including on-us) is 23 billion (+4.6%/1b over 2013) 71 million per day Almost $40 trillion Other figures (including unauthorized return rates) were not released at the time of preparing these slides. 2

3 Types of ACH transactions 5 Standard Entry Class (SEC) Codes, include: PPD Consumer debit or credit recurring deposits or payments CCD Corporate credit or debit transfer between business accounts ARC/BOC/POP Accounts receivable, Back-Office, and point of Purchase ACH transaction is created from check as source document TEL debit entry submitted pursuant to oral authorization by telephone WEB debit entry submitted pursuant to authorization obtained solely via internet or wireless network Each code requires authorization for a debit transaction; e.g., WEB = authentication of ID and assent ACH Growth 6 3

4 Recent ACH Rules Changes 7 Effective SEPTEMBER 10, 2014: Prenotification period reduces current waiting period from 6 to 3 banking days; allows Originators to transmit live entries following a Prenote more quickly. If an untimely Notification of Change (NOC) in response to a Prenote is received by the ODFI, the Originator is required to make the requested correction in the NOC within six banking days or prior to initiating a subsequent Entry to the Receivers account, whichever is later. Proof of Authorization for Non-Consumer entries As ODFI, must provide proof of authorization for CCD, CTX or inbound IAT if requested by an RDFI, within 10 banking days Record of receiver s authorization, or Originator s name, and phone # or address Recent ACH Rules Changes 8 Effective JANUARY 1, 2015: Obligations of third-party senders: TPS* or Third Party Service Provider must provide proof of its Rules compliance audit to DFI if requested by NACHA Makes explicit a TPS s obligation to monitor, assess, and enforce limits on their customer s origination and return activities in the same manner the Rules require of ODFIs NACHA S Enforcement authority: More ways NACHA can initiate a risk identification or rules enforcement proceeding Voluntarily providing info to NACHA re: potential Rules violations by network participants *originates ACH on behalf of an Originator through an ODFI where the ODFI does not have a contract with the Originator. SEE OPS BULLETIN /30/14 4

5 Recent ACH Rules Changes 9 Mandatory MARCH 15, 2015 (optional March 21, 2014): P2P payment: Use WEB Code for P2P credit transaction from a consumer s DDA (was previously a credit-only code) Company Entry Description in Company/Batch Header must contain value (e.g. P2P) to let Receiver know it s a P2P Sender must be identified on periodic statement; RDFI may need to modify system to show Individual ID Number field (Receiver is in the Individual Name field) Up to 80 characters of text in free form addenda record CIE is still proper code for bill payment transactions (P2B) Recent ACH Rules Changes 10 Effective MARCH 20, 2015: Dishonored returns and contested dishonored returns related to an unintended credit to a receiver Removal of Change Code C04 (Incorrect Individual Name/Receiving Company Name) 5

6 Coming ACH Rules Changes 11 Effective SEPTEMBER 18, 2015: Unauthorized Return Rate Threshold: Reduces the current return rate Threshold for unauthorized debit entries (Returns codes R05, R07, R10, R29 and 251) to.5% (from current 1%). New Preliminary Inquiry Process: Establishes 2 new return Levels that allow for preliminary inquiry: 3% - debits returned for admin/account data errors (R02, R03 and R04) 15% - ALL debit entries, except RCK, returned for any reason Coming ACH Rules Changes 12 Effective SEPTEMBER 18, 2015: Reinitiation Of Entries: Codifies Operations bulletin Reinitiations must be identical in: Company name Company ID Amount Other fields can be modified only as necessary to correct an error or facilitate processing If a permissible reinitiation, ODFI must place RETRY PYMT in Company Entry Description field Debits returned unauthorized cannot be reinitiated (unless Originator obtains a new authorization after receiving the return) 6

7 Coming ACH Rules Changes 13 EFFECTIVE OCTOBER 3, 2016: Unauthorized Entry Fee DFI pays a fee to RDFI for each debit that is returned unauthorized (R05, R07, R10, R29, R51) Amount of fee to be determined every 3 years by NACHA, based on expenses in handling the returns Initially will not cover IATs ACH Fraud trends 14 March 2015: AFP Payments Fraud and Control Survey of 2014 Key Survey Findings 27% report an increase in fraud activity; 16% say decrease; and 57% report no change 62% of organizations experienced attempted or actual payments fraud (up 2% from 2013). Targets: 77% checks (down again, from 82%) 34% credit/debit cards (down from 43%) 25% ACH debits (up from 22%) 27% wires (continued up significantly, from 14%) 10% ACH credits (up 1% again, from 9%) As with 2013, 70% experienced no monetary loss. What percent of your (ACH) clients discuss security with you? 7

8 ACH Fraud Update 15 Internal Embezzlement/Theft Unauthorized Debit/Merchant Fraud Account Takeover/Man in the Browser Embezzlement / Theft 16 Use of ACH system to steal money, typically in conjunction with authority to reconcile the subject (funding) account. 8

9 Embezzlement / Theft 17 Red flags: numerous or large WEB based payments to consumer creditors from a corporate bank account; large, even-dollar credits to other depositories Typically identified by the corporate account owner, alleging unauthorized transactions on the business account or through automated fraud detection system alerts on unusual ACH transactions on consumer accounts. NACHA Rules provide automatic 60 day chargeback right to the ODFI for consumer debits (2 days for CCD to corporate account), however, there is an additional warranty by ODFI to RDFI, that extends this to the statute of limitations (5 years for contract in Fla). Unauthorized Debit Transactions 18 NACHA provides an Originator Watch List of originators/tpps that meet the following criteria: ACH Operator reports 500 or more entries returned as unauthorized in a one month period. BBB rating Unsatisfactory, D or an F or any variation of. 500 or more consumer complaints on public, consumer populated Web sites (see list above). A judgment related to the entity s commercial payments practices within the last ten years. The entity has entered into a consent decree or other agreement with regulatory or law enforcement authorities that points to problems with the entity s commercial payments practices within the last ten years. NACHA maintains a terminated Originator Database (TOD) of Originators and Third party Processors that are terminated for cause. 9

10 Unauthorized Debit Transactions 19 SAR reporting Regulatory guidance does not address the requirement to file a SAR for any particular level of unauthorized ACH activity. The new SAR forms, mandatory starting April 1, 2013, have a Fraud category and a specific ACH sub-type. The crime of fraud generally requires a materially false statement made with the intent to deceive. Thus, the SAR reporting requirements may or may not be triggered for an alleged unfair and deceptive business practice. Particularly where a significant number of transactions are NOT returned, and where research indicates that valid authorizations ARE being obtained and the business is legitimate (albeit operating in an industry or originating an SEC code that is of higher risk for returns), the applicability of suspicious activity reporting is a judgment call. Document the decision to file/not file a SAR in any case. FinCEN requests that, when reporting suspicious activity, (1) check the appropriate box on the SAR form to indicate the type of suspicious activity, and (2) include the term Payment Processor in both the narrative portion and the subject occupation portions of the SAR. Account Takeover / Man in the Middle 20 Cyber-thieves use some form of Malware/Trojan Horse/SQL Injection, etc to obtain login credentials to fraudulently transfer money from the victim s account. Victims unknowingly install software by clicking on a link (one received by /phishing or embedded in an ad, P2P download, pop-up) or visiting an infected internet site. Per the Texas Bankers Electronic Fraud Task Force, funds are typically sent initially to money mule accounts within the United States; the mules quickly transfer the stolen funds to either an overseas account or to another intermediate account in the United States before being transferred out of the country. Work-at-home scams 10

11 Account Takeover / Man in the Middle 21 Involves commercial online banking (wire transfers), consumer online banking (bill payer), a Direct Originator or a TPP ACH originator. Targets: Medium and Small businesses; medium and small banks Warning Signs/Red Flags: (Receiver) Unusual ATM activity, Clustered ACH transactions in different geographic areas and/or Sudden wire transfers. High number of PPD and CCD transactions New payee for online banking/bill pay - outside of normal activity. From the customer s standpoint, changes in PC s performance: dramatic loss of speed; computer locks up; unexpected rebooting; unusual pop-ups, etc. Account Takeover / Risk Mitigation 22 Train originators and bill payers dual control; virus protection on PCs; strong passwords that are not stored on the online system (dedicated PCs are desirable as well as clearing the cache ). Require Multifactor authentication for online banking/bill payment Something the user knows (e.g., password, PIN); has (e.g., ATM card, smart card); and is (e.g., biometric characteristic, such as a fingerprint). Offer layered security approach ( commercially reasonable under UCC): Require segregation of duties on user s end New user controls on setting up admin rights Compare established DPL limits and available funds on each file ACH processing schedule/calendar Out-of-band fax transmittal letters or call-backs Review activity of high risk and high activity customers Verify that WEB and TEL originators have a PC security audit (PCI compliant) to verify systems are protected against computer based attacks. 11

12 Account Takeover / SAR filing 23 Per FinCEN Advisory 2011-A016 (12/19/11): Use the term "account takeover fraud" in the narrative section of the SAR and provide a detailed description of the activity Check the "other" box and note "account takeover fraud". If the account takeover involves an ACH transfer, check the "other" box and note "account takeover fraud - ACH." As applicable, also check the boxes for computer intrusion, wire transfer fraud, terrorist financing. and/or identity theft, (unauthorized access to PINs, account numbers, or other identifying information). Include description if other delivery channels (such as telephone banking) or fraudulent activities (such as social engineering). Account Takeover / NACHA 24 NACHA rules OR36, Section 3.3, Subsection and can delay funds availability for an ACH credit when the RDFI reasonably suspects that it is not authorized. If trying to recover stolen funds, submit a fraudulent ACH file alert request to the Federal Reserve Bank; send a reversal file, and a Notice of Fraudulent Activity letter with Indemnification to the RDFI. Your must notify NACHA of a data breach involving a consumer s account, using the form provided at NACHA has more information and resources at: 12

13 Account Takeover / UCC 25 Florida Statutes Authorized and verified payment orders.. (2) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted. (3) The commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank; the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank; alternative security procedures offered to the customer; and security procedures in general use by customers and receiving banks similarly situated. A security procedure is deemed to be commercially reasonable if: (a) The security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer; and (b) The customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer. 26 Federal Reserve s Infrastructure Change Roadmap Strategies Published 1/26/15 Private sector involvement 5 outcomes: Speed and ubiquity Security Efficiency International Scope Collaboration Task Forces: Faster Payments (applications were due 4/17/15) and Secure Payments (applications are due 5/15/15) 13

14 NACHA Same-Day initiative 27 12/8/14 - Request for Comment Multiple same-day clearing and settlement options Current early AM + Mid-day (10AM processing window, noon settlement) + End-of-Day (3PM processing window, 5PM settlement) 3 phases, beginning September 2014 Mandatory for RDFIs ODFIs would pay (e.g., 8.2 cents per) 214 responses Questions? 28 Has your Bank had a change / anticipate a change in ACH offerings? What products / customers? Has your institution had an ACH fraud, or attempted fraud? How was it perpetrated & caught? How much $$? Does your bank offer debit blocks, free PCs, free malware, insurance? How received by customers? Do you charge for the service? 14

15 Saltmarsh, Cleaveland & Gund 29 CPA firm founded in 1944 with offices in Pensacola, Ft. Walton Beach, Tampa and Orlando 7 shareholders are in the Bank Group practice (of 16 of overall), plus 20+ bank consultants Currently serving over 140 financial institutions primarily in Florida with Audit, Tax, and Consulting: Internal Audits Loan/Credit Quality review IRR/ALM reviews Bank Secrecy Act Independent Test & AML Data Validation Compliance risk assessment, reviews, monitoring, training Loan, Deposit, CRA, Fair Lending, NACHA, HMDA scrubs Saltmarsh, Cleaveland & Gund - Bank Group