To Receive CPE Credit

Transcription

1 Trends in ACH Fraud & Risk Management Jhn A. Mills, AAP Supervising Cnsultant March 28, 2013 T Receive CPE Credit Participate in entire webinar Answer plls when they are prvided If yu are viewing this webinar in a grup Cmplete grup attendance frm with Title & date f live webinar Yur cmpany name Yur printed name, signature & address All grup attendance sheets must be submitted t training@bkd.cm within 24 hurs f live webinar Answer plls when they are prvided If all eligibility requirements are met, each participant will be ed a CPE certificate within 15 business days f live webinar 2 1

2 Agenda Risk Management Expsure Limits Mnitring Risk Assessment Crprate Accunt Takever Methds Case Studies Third-Party Service Prviders/Third-Party Senders 3 Risk Management ACH expsure limits ACH risk assessment & risk management prgram Perfrm & peridically update Bard & management reprting Crss-channel risk 4 2

3 Expsure Limits Outline staff apprval limits Credit rating system List the requirements t determine expsure limits Onging mnitring & review f expsure limits 5 Steps t Help Reduce Risk Encurage intra-department cmmunicatin Develp & utilize ACH reprts Enhance & fllw security prcedures Dcument all ver-limit activity & keep apprvals in the riginatr s file Prvide nging educatin fr staff & riginatrs 6 3

4 Steps t Help Reduce Risk Best Practices Audit riginatrs Discuss dual cntrl with riginatrs Require pre-funding fr high risk riginatrs Require the riginatr t maintain a reserve accunt Knw Yur Custmer! 7 8 4

5 Mnitring Infrmatin Vlume & Grwth Returns Lsses Fee Incme 9 ACH Rules Article One, Subsectin Risk Assessments Effective June 18, 2010 Each Participating DFI shall cnduct r have cnducted an assessment f the risks f its ACH activities, shall implement r have implemented a risk management prgram n the basis f such an assessment & shall cmply with the requirements f its regulatr(s) with respect t such assessment & risk management prgram 10 5

6 Risk Assessment Guidance FFIEC FFIEC Bank Secrecy Act/Anti-Mney Laundering Examinatin Manual (April 2010) FFIEC Retail Payment Systems IT Examinatin Handbk (February 2010) FAQs n FFIEC Guidance n Authenticatin in an Internet Banking Envirnment (August 2006) FFIEC Guidance n Authenticatin in an Internet Banking Envirnment (Octber 2005) FFIEC E-Banking IT Examinatin Handbk (August 2003) 11 Risk Assessment Guidance FDIC FDIC Issues Guidance fr Managing Third-Party Risk (June 2008) FDIC Issues Guidance n Payment Prcessr Relatinships (Nvember 2008) OCC OCC Issues Guidance n Risk Management Regarding Payment Prcessrs (April 2008) OCC Issues Guidance n Managing Risks f ACH Activity (September 2006) 12 6

7 Crprate Accunt Takever Malware r virus is dwnladed nt a PC r netwrk Criminal harvests infrmatin Criminal uses infrmatin t initiate fraudulent transactins 13 Targets Small t medium size businesses Lack technical resurces IT vendr des nt specialize in IT security Emplyees wear multiple hats Cmmunity Banks Large number f small t medium size businesses Custmer friendly/lack f security prcedures Limited mnitring/resurces Emplyees wear multiple hats 14 7

8 Reasns Nt Prevented Fraudster creates a file that mirrrs riginatr s file, s red flags are nt raised at the bank N dual cntrl, s nly ne PC needs t be infected N ut-f-band authenticatin Accunts are nt reviewed timely Lack f crprate/riginatr awareness f these attacks 15 Cybercrime Study Antivirus prgrams detected less than 12% f the targeted malware samples cllected during 2011 investigatins In 76% f incident respnse investigatins, a third party respnsible fr system supprt, develpment &/r maintenance f business envirnments intrduced the security deficiencies The mst cmmn passwrd is Passwrd1 Surce: Trustwave 2012 Glbal Security Reprt 16 8

9 Preventin f Malware Keep antivirus prgrams up t date Enable firewalls D nt access external services r higher risk sites D nt cnnect t unknwn r public wireless netwrks Stand alne PC fr internet banking Mbile devices 17 Preventin f Malware Disclse t riginatr the bank, NACHA, Federal Reserve, etc. will nt cntact them via abut a rejected ACH file r request cnfidential infrmatin D nt click n links r pen attachments when sender is unknwn 18 9

10 Cntrls t Help Reduce Fraud Dual cntrl Out-f-band authenticatin, i.e., fax, callback, tkens, etc. FFIEC guidance Secure paper files including passwrds Destry paper files when n lnger needed Select strng passwrds & peridically change Assign access rights based n need & reduce number f administratrs 19 Cntrls t Help Reduce Fraud D nt share passwrds Lg ut & lck wrkstatin when unattended D nt share PCs Install updates/patches when available Mnitr cnfirmatin alerts Ntify the bank when an emplyee leaves yur rganizatin r ges n an extended leave Mnitr & recncile bank accunt daily 20 10

11 Electrnic Payment Law Patc August Bank s security prcedures were cmmercially reasnable & nt liable fr lss July 2012 U.S. Federal Curt f Appeals reversed decisin Challenge questins fr high risk transactins High risk transactins were anything ver $1 Cmpany frequently riginated high dllar transfers Bank did nt mnitr transactins r prvide ntice t custmer 21 Electrnic Payment Law Experi-metal Bank did nt act in gd faith & liable fr lss 97 suspicius wires $5 millin verdraft Limited prir wire activity Freign destinatin Did nt terminate current nline sessin 22 11

12 Third-Party Service Prvider Third-Party Service Prvider (TPSP) Functin f ACH prcessing n behalf f riginatr, ODFI r RDFI Originatin agreement between ODFI & riginatr Originatr agreement shuld have language that specifies the riginatr is respnsible fr all entries initiated by TPSP ODFI shuld cnsider agreement with TPSP ACH settlement is in riginatr s accunt at ODFI 23 Third-Party Sender Third-Party Sender (TPS) - Originates n behalf f its custmers/true riginatr Agreement between TPS & ODFI (pssibly TPS & riginatr) Obtain TPS/riginatr agreements Obtain agreement between ODFI & riginatr ACH settlement is in the TPS accunt at the ODFI 24 12

13 TPS Risk Mitigatin Update agreements t address the TPS relatinship ODFI/riginatr agreement is nt sufficient Review TPS dcumentatin abut nbarding/underwriting fr new riginatrs A TPS is required t perfrm an annual ACH audit Review r perfrm ACH audit 25 TPS Risk Mitigatin Set expsure limits per riginatr & per TPS Obtain TPS business strategy Mnitr, mnitr, mnitr Charge fr the risk yu take 26 13

14 Takeaways Educate emplyees & riginatrs D nt let sellers f ACH dictate expsure limits r security prcedures Fllw security prcedures & lk t enhance Implement ntificatin trees internally & fr riginatrs Reversals can be riginated but d nt guarantee recvery Bard reprting Cmmunicatin 27 Jhn A. Mills, AAP Supervising Cnsultant jmills@bkd.cm 14

15 Cntinuing Prfessinal Educatin (CPE) Credits BKD, LLP is registered with the Natinal Assciatin f State Bards f Accuntancy (NASBA) as a spnsr f cntinuing prfessinal educatin n the Natinal Registry f CPE Spnsrs. State bards f accuntancy have final authrity n the acceptance f individual curses fr CPE credit. Cmplaints regarding registered spnsrs may be submitted t the Natinal Registry f CPE Spnsrs thrugh its website: The infrmatin in BKD webinars is presented by BKD prfessinals, but applying specific infrmatin t yur situatin requires careful cnsideratin f facts & circumstances. Cnsult yur BKD advisr befre acting n any matters cvered in these webinars. 29 CPE Credit Up t 1 CPE credit will be awarded upn verificatin f participant attendance; hwever, credits may vary depending n state guidelines Fr questins, cncerns r cmments regarding CPE credit, please the BKD Learning & Develpment Department at training@bkd.cm 30 15