EFT Industry and BSA/AML Dan Altman

Transcription

1 EFT Industry and BSA/AML Dan Altman Sr. IT and Risk Consultant

2 Background Dan Altman, Sr. IT and Risk Consultant SHAZAM Internal Audit SHAZAM Secure o IT Exam, ACH Exam, BSA Exam, IT Consulting, Security Assessments FDIC Sr. IT Examiner, Kansas City Region

3 SHAZAM Services Core Debit Card Mobile Banking ATM ACH Merchant Fraud Security

4 Discussion Topics Person-to-Person (P2P) Debit Cards ACH Identity Theft Red Flags Prepaid Cards Merchant Program SHAZAM Help Desk

5 Discussion Topics Fraud Monitoring Cybersecurity Other Considerations o Marijuana businesses o Wire o ATMs o Bill Pay o Deposit Capture o Payday o HIDTA and HIFCA o Monitoring (aml)

6 Person-to-Person (P2P) Network Requirements SHAZAM P2P Other Networks {see following slide}

7 Person-to-Person (P2P)

8 Person-to-Person (P2P) VISA Initiative FIs must complete an AML/ATF questionnaire Per Visa Core Rules and Visa Products and Service Rule Fraud Monitoring Service provider reports and analytics SHAZAM AML Report Fraud Observations

9 Person-to-Person (P2P) Customer Risk Process SHAZAM Risk Services Observations P2P is automatically turned on for all customers P2P is not addressed in the risk assessment P2P limits may be overly generous Fraud analytics reports are not reviewed

10 Debit Cards Fraud Statistics SHAZAM Fraud Rate Trending PIN Signature - NET SHAZAM Overall % % % % % % % % % Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

11 Debit Cards Fraud Statistics 2% 1% 58% 39% Stolen Lost Counterfeit Acct Takeover Fraud Apps NRI CNP

12 Fraud Statistics VISA

13 Fraud Statistics MASTERCARD

14 Debit Cards counterfeiting = Account takeover Social Engineering Phishing o Increase in attempts to gain information PIN, CVV2, CVC2 o FI scam using EMV reissuance as part of scam o Other types

15 Debit Cards Cyber-attacks using compromised login credentials to online portals for debit and ATM cards. The hackers have created fictitious cards, changed limits and available balances on cards, and then used these cards at POS systems. Increasing due to enhanced security of EMV Ohio Division of Financial Institutions o 3/2/16 letter to FIs o Addresses numerous pertinent security controls

16 Debit Cards Fraud Monitoring Scoring systems Service provider reports and analytics Case Management Process Transaction Limits Maintain reasonable limits 3 $$ transaction settings (SHAZAM) o Daily limit (e.g. $800) o Unmanned limit (e.g. $310) o 3-day limit (e.g. $700)

17 Debit Cards SHAZAM Risk Services Observations FIs vary with respect to the $$ transaction limits established Debit Card service/function is missing from the risk assessment process FIs neglect to lower limits for customers with temporary limit increases No periodic process to review customer portfolio relative to limit increases.

18 ACH ACH Originators (third party senders) Know who the Originators are Implement a comprehensive contract Annual Due Diligence o ACH rules audits annually o CATO o Vendor Management Fraud Analytics SHAZAM Case Management Fraud software (FIs)

19 ACH NACHA Third-Party Sender Identification Tool Flow Chart for ODFIs and Businesses Helps FIs and their ACH customers understand their roles when an intermediary is involved in some aspect of ACH payment processing.

20 ACH Third-Party Sender Registration Request for Comment See Proposed rules change Third-Party Sender registry (risk mitigation tool) o Standardizes for ODFIs the basic data collected for all TPSs o Provides high-level information on TPSs that would enable better monitoring by NACHA of trends and any risks associated with TPSs in the ACH Network.

21 ACH Same Day ACH Implementation Phases Reviewing Originators for same day ACH risk High Risk ACH Originators Initial/Ongoing due diligence; Board involvement; monitoring and controlling risk

22 ACH SHAZAM Risk Services Observations FIs are not including high risk originators in their risk rating process. Incomplete due diligence of third-party senders. Agreements between FI and Originator s clients are not needed No dual control over administrators as well as batch release. Minimal utilization of fraud monitoring services Third-party senders are not having ACH audits

23 Identity Theft Red Flags Customer Risk Program Regulators (in Iowa) want FIs to be more proactive Identity theft for opening an account is increasing (Iowa Bankers) Community FIs utilize simple analytics Utilization of reporting services ChexSystems o Credit Builders Alliance (2015): about 80% of FIs utilize this Others o E.g. Fiserv Onboard Advisor

24 Identity Theft Red Flags Fraud Trends 2015 migration to EMV cards o 2016 Identity Fraud Study released by Javelin Strategy & Research Instances of new account fraud increased 113% in 2015 from Increase in identity fraud victims was 3% Increasing threat of employee fraudsters? Tellers are increasingly involved in identity theft ( ) o Part of larger identity theft rings

25 Identity Theft Red Flags Controls (security) Balance fluctuation report (customers) Suspect kiting report (customers) Monitoring for data leakage (staff) Lock down USB ports (staff) Policies for storing and protecting paper / documents (staff) Procedures for paper shredding (staff) SAR Activity Review (May 2013) Elder abuse Insider abuse

26 Identity Theft Red Flags SHAZAM Risk Services Observations No red flags checklist for staff members who deal with new accounts No red flags reference sheet Infrequent and general training of staff members Risk assessments may not address some components o E.g. Different methods for opening an account o E.g. Likelihood of red flags occurring (based upon FIs historical experience)

27 Prepaid Cards FFIEC Guidance on Prepaid Cards (3/2016) Clarifies that certain prepaid cards issued by an FI should be subject to the CIP For purposes of CIP, prepaid cards that provide a cardholder with: o (a) the ability to reload funds or o (b) access to credit or overdraft features should be treated as accounts.

28 Prepaid Cards

29 Prepaid Cards Service Providers Liability Fraud monitoring / Neural Dollar Limits Gift Cards (no cash, domestic only) o Midwest Processor: $1,000 per gift card (max load) [one of the higher levels] o Typical processor load is $500 or $700. Reloadable Travel Cards o Midwest Processor: reload limit of 2x per day

30 Prepaid Cards ATM Withdrawals 3x per day and $500 maximum reload. 3x per day for travel cards POS gift card charge up to $695, reloadable is $995 FIs can set their own limits.

31 Prepaid Cards Customer Risk Rating Process SHAZAM Risk Services Observations Need to do proper due diligence on service provider (e.g. SSAE16) Should be able to see the processor's written BSA and AML program Is the processor directly examined by a regulatory agency?

32 Merchant Program VISA and MasterCard Brand damaging merchants o Flag these merchant types as high risk in fraud system Separate from your other merchants.

33 Merchant Program Visa and MasterCard standards for merchant exception processing monitoring o Based upon established rules

34 Merchant Program The above table is what Visa says should be configured for the standard merchants. If SHAZAM takes on a traditional merchant that is high risk, the SHAZAM Merchant department both flags the merchant as high risk and modifies the above defaults. You should adjust these to lower rates so merchant exception activity is not missed on these high risk merchants

35 Merchant Program Fraud Monitoring Processor should monitor for unusual activity and report such activity to the merchant s FI. All activity volumes should be modified at least every ninety days so averages of normal processing can be established. SHAZAM Fraud section selectively adjusts each merchant s criteria for unusual activity pertaining to transaction size, daily volume, monthly volume, and other metrics.

36 Merchant Program FI with its own Merchant Program Rules say you have to do MATCH o Merchant Alert To Control High risk merchants o MasterCard product o VISA and Discover also require FIs to check MATCH. MOST o Merchant Online Status Tracking. This is for merchant setting fraud thresholds. MasterCard requires. RIS o Risk Identification System. o VISA

37 Merchant Program Merchant underwriting / due diligence 2 basic risk elements inherent in business dealings: o General Risk (merchant category codes) o Specific risk Higher risk Lower Risk High Risk Industry High General Risk Low Risk Merchant Low Specific Risk Low Risk Industry Low General Risk Low Risk Merchant Low Specific Risk Risk Matrix High Risk Industry High General Risk High Risk Merchant High Specific Rick Low Risk Industry Low General Risk High Risk Merchant High Specific Rick Highest Risk Higher Risk

38 Merchant Program Customer Risk Rating Process SHAZAM Risk Services Observations [Traditional Program] FIs do not do proper due diligence FIs lack formal programs o No merchant program / policy o No risk assessment o No management and/or Board reporting

39 SHAZAM Help Desk Core Services department The top 5 BSA-related inquiries received: o o o o o What is the record retention for BSA? Are we allowed to make copies of drivers licenses? What is the deadline for filing a SAR? How many days do you have to file a CTR? Who is the customer? Individual with power of attorney opening the account? Or, the individual named on the account?

40 Cybersecurity BSA Officer Involvement The inherent risk and maturity analyses both address some areas that may be overseen by the BSA officer. Inherent Risk Elements {see next slide}

41 Cybersecurity

42 Other Considerations {Marijuana} Business of marijuana FINCEN Guidance February 2014 FIs can do business if proper due diligence is followed.

43 Other Considerations {Wire} Wire Transfer No known wire fraud incidents with SHAZAM community banks in 2015 Community FIs perform few if any wires for noncustomers Customer Risk Process Clients who perform repetitive wires may represent more risk. Clients who perform international wires may present more risk.

44 Other Considerations {Wire} SHAZAM Risk Services Observations FIs need to safeguard pre-established PINs / passwords used with repetitive customers Network breach could lead to fraudulent use of PINs / passwords

45 Other Considerations {ATM Skimming} Regularly check terminals (daily) Look for signs of tampering o Adhesive residue o Skimmer devices Monitor Outages Video o View daily o Position correctly o Monitor Outages o Notify law enforcement if skimming is detected

46 Other Considerations {Bill Pay} Fraud Negligible fraud reported by community FIs Customer Risk Rating Process SHAZAM Risk Services Observations FIs aren t setting reasonable dollar limits, if any FIs are automatically granting Bill Pay services along with traditional internet banking services FIs are not monitoring bill pay activity (e.g. pending bill pay report) Few systematic fraud monitoring systems in place.

47 Other Considerations {Deposit Capture} Business Consumer SHAZAM Risk Services Observations CATO Multi-Factor Duplicate entries

48 Other Considerations {PayDay} Account funding Debit Card or Prepaid Card If a credit on the card, what does it relate to? Can you identify where it is coming from.

49 Other Conditions {HIDTA, HIFCA} High Intensity Drug Trafficking Area (HIDTA) High intensity drug trafficking regions Benton, Jefferson, Pulaski and Washington counties in Arkansas

50 Other Conditions {HIDTA, HIFCA} High Intensity Financial Crime Area (HIFCA) High intensity money laundering zones No counties in Arkansas ex.html Maps can change without notice so check list of counties when updating your risk assessment

51 Monitoring