EFT Industry and BSA/AML Dan Altman

EFT Industry and BSA/AML
Dan Altman, Sr. IT and Risk Consultant

Background
- Dan Altman, Sr. IT and Risk Consultant
- SHAZAM Internal Audit
- SHAZAM Secure
  o IT Exam, ACH Exam, BSA Exam, IT Consulting, Security Assessments
- FDIC Sr. IT Examiner, Kansas City Region

SHAZAM Services
- Core
- Debit Card
- Mobile Banking
- ATM
- ACH
- Merchant
- Fraud
- Security

Discussion Topics
- Person-to-Person (P2P)
- Debit Cards
- ACH
- Identity Theft Red Flags
- Prepaid Cards
- Merchant Program
- SHAZAM Help Desk

Discussion Topics
- Fraud Monitoring
- Cybersecurity
- Other Considerations
  o Marijuana businesses
  o Wire
  o ATMs
  o Bill Pay
  o Deposit Capture
  o Payday
  o HIDTA and HIFCA
  o Monitoring (AML)

Person-to-Person (P2P)
- Network Requirements
  o SHAZAM P2P
  o Other Networks {see following slide}

Person-to-Person (P2P)

Person-to-Person (P2P)
- VISA Initiative
  o FIs must complete an AML/ATF questionnaire
  o Per Visa Core Rules and Visa Products and Service Rules
- Fraud Monitoring
  o Service provider reports and analytics
  o SHAZAM AML Report
  o Fraud Observations

Person-to-Person (P2P)
- Customer Risk Process
- SHAZAM Risk Services Observations
  o P2P is automatically turned on for all customers
  o P2P is not addressed in the risk assessment
  o P2P limits may be overly generous
  o Fraud analytics reports are not reviewed

Debit Cards - Fraud Statistics
[Chart: SHAZAM Fraud Rate Trending; series PIN, Signature, Net and SHAZAM Overall; monthly Jan through Dec; fraud rate axis from 0.00000% to 0.08000%]

Debit Cards - Fraud Statistics
[Pie chart: fraud by type; categories Stolen, Lost, Counterfeit, Acct Takeover, Fraud Apps, NRI, CNP; shares shown are 58%, 39%, 2% and 1%]

Fraud Statistics 2015 - VISA

Fraud Statistics 2015 - MASTERCARD

Debit Cards
- Counterfeiting = Account takeover
- Social Engineering / Phishing
  o Increase in attempts to gain information: PIN, CVV2, CVC2
  o FI scam using EMV reissuance as part of the scam
  o Other types

Debit Cards
- Cyber-attacks using compromised login credentials to online portals for debit and ATM cards. The hackers have created fictitious cards, changed limits and available balances on cards, and then used these cards at POS systems.
- Increasing due to the enhanced security of EMV
- Ohio Division of Financial Institutions
  o 3/2/16 letter to FIs
  o Addresses numerous pertinent security controls

Debit Cards
- Fraud Monitoring
  o Scoring systems
  o Service provider reports and analytics
  o Case Management Process
- Transaction Limits
  o Maintain reasonable limits
  o 3 $$ transaction settings (SHAZAM):
    o Daily limit (e.g. $800)
    o Unmanned limit (e.g. $310)
    o 3-day limit (e.g. $700)

Debit Cards
- SHAZAM Risk Services Observations
  o FIs vary with respect to the $$ transaction limits established
  o Debit Card service/function is missing from the risk assessment process
  o FIs neglect to lower limits for customers with temporary limit increases
  o No periodic process to review the customer portfolio relative to limit increases
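The two debit card slides above describe three dollar limits (daily, unmanned, 3-day) and the observation that temporary limit increases are not rolled back or reviewed. The following is an added illustration, not SHAZAM's or the presenter's code, of how an issuer-side authorization check can enforce those three limits and keep temporary increases time-boxed. The limit values are the slide's examples; the Txn and TempIncrease structures, the "unmanned" flag (assumed to mean unattended terminals such as ATMs) and the sample history are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Example limits taken from the slide: daily $800, unmanned $310, 3-day $700.
DEFAULT_LIMITS = {"daily": 800.00, "unmanned": 310.00, "three_day": 700.00}


@dataclass
class Txn:
    when: datetime
    amount: float
    unmanned: bool  # assumption: True for unattended terminals (ATM, pay-at-pump)


@dataclass
class TempIncrease:
    """A temporary limit override with an expiry (hypothetical structure)."""
    limits: dict
    expires: datetime


def at(year, month, day, hour=0):
    """Small helper so callers can build timestamps without importing datetime."""
    return datetime(year, month, day, hour)


def effective_limits(base, temp, now):
    """Apply a temporary increase only while it is still in force."""
    if temp is not None and now < temp.expires:
        return {**base, **temp.limits}
    return dict(base)


def _total(history, start, end, unmanned_only=False):
    return sum(t.amount for t in history
               if start <= t.when <= end and (t.unmanned or not unmanned_only))


def authorize(history, txn, limits=DEFAULT_LIMITS):
    """Return (approved, reason) for txn, given the already-approved txns on this card."""
    day_start = txn.when.replace(hour=0, minute=0, second=0, microsecond=0)
    three_day_start = day_start - timedelta(days=2)  # today plus the two prior calendar days

    daily = _total(history, day_start, txn.when) + txn.amount
    if daily > limits["daily"]:
        return False, "daily limit exceeded"
    if txn.unmanned:
        unmanned = _total(history, day_start, txn.when, unmanned_only=True) + txn.amount
        if unmanned > limits["unmanned"]:
            return False, "unmanned limit exceeded"
    three_day = _total(history, three_day_start, txn.when) + txn.amount
    if three_day > limits["three_day"]:
        return False, "3-day limit exceeded"
    return True, "approved"


def expired_increases(portfolio, now):
    """The periodic portfolio review: cards whose temporary increase has lapsed but is still on file."""
    return sorted(card for card, temp in portfolio.items()
                  if temp is not None and now >= temp.expires)


# Constructed sample history: one signature purchase yesterday, one ATM withdrawal this morning.
SAMPLE_HISTORY = [Txn(at(2016, 3, 14, 10), 400.0, False),
                  Txn(at(2016, 3, 15, 9), 200.0, True)]

if __name__ == "__main__":
    print(authorize(SAMPLE_HISTORY, Txn(at(2016, 3, 15, 12), 150.0, True)))
    temp = TempIncrease({"daily": 2000.0}, at(2016, 3, 16))
    print(expired_increases({"card-1": temp, "card-2": None}, at(2016, 3, 17)))
```

The daily check runs first so the most restrictive message is returned; the 3-day window is calendar-based (today plus the two preceding days), which is one common reading of the slide's wording and should be confirmed against the processor's actual definition.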

ACH
- ACH Originators (third-party senders)
  o Know who the Originators are
  o Implement a comprehensive contract
  o Annual Due Diligence
    o ACH rules audits annually
    o CATO
    o Vendor Management
- Fraud Analytics
  o SHAZAM Case Management
  o Fraud software (FIs)

ACH
- NACHA Third-Party Sender Identification Tool: Flow Chart for ODFIs and Businesses
  o Helps FIs and their ACH customers understand their roles when an intermediary is involved in some aspect of ACH payment processing.

ACH
- Third-Party Sender Registration Request for Comment (see www.nacha.org)
  o Proposed rules change: Third-Party Sender registry (risk mitigation tool)
    o Standardizes for ODFIs the basic data collected for all TPSs
    o Provides high-level information on TPSs that would enable better monitoring by NACHA of trends and any risks associated with TPSs in the ACH Network

ACH
- Same Day ACH
  o Implementation Phases
  o Reviewing Originators for Same Day ACH risk
- High Risk ACH Originators
  o Initial/ongoing due diligence; Board involvement; monitoring and controlling risk

ACH
- SHAZAM Risk Services Observations
  o FIs are not including high risk originators in their risk rating process
  o Incomplete due diligence of third-party senders
  o Agreements between the FI and the Originator's clients are not needed
  o No dual control over administrators as well as batch release
  o Minimal utilization of fraud monitoring services
  o Third-party senders are not having ACH audits

Identity Theft Red Flags
- Customer Risk Program
  o Regulators (in Iowa) want FIs to be more proactive
  o Identity theft for opening an account is increasing (Iowa Bankers)
  o Community FIs utilize simple analytics
- Utilization of reporting services
  o ChexSystems: per Credit Builders Alliance (2015), about 80% of FIs utilize this
  o Others, e.g. Fiserv Onboard Advisor

Identity Theft Red Flags
- Fraud Trends
  o 2015 migration to EMV cards
  o 2016 Identity Fraud Study released by Javelin Strategy & Research: instances of new account fraud increased 113% in 2015 from 2014; the increase in identity fraud victims was 3%
- Increasing threat of employee fraudsters?
  o Tellers are increasingly involved in identity theft (3-16-16)
  o Part of larger identity theft rings

Identity Theft Red Flags
- Controls (security)
  o Balance fluctuation report (customers)
  o Suspect kiting report (customers)
  o Monitoring for data leakage (staff)
  o Lock down USB ports (staff)
  o Policies for storing and protecting paper / documents (staff)
  o Procedures for paper shredding (staff)
- SAR Activity Review (May 2013)
  o Elder abuse
  o Insider abuse
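The controls list above names a balance fluctuation report as a customer-side detective control. As an added example, not code from the presentation or from SHAZAM, the following builds such a report: for each account it compares the largest day-over-day balance movement in the last few days against that account's own trailing history, with a dollar floor so that small accounts with a flat history are not flagged on trivial changes. The account balances, window lengths, ratio and floor are all constructed assumptions for the illustration.

```python
from statistics import mean

# Constructed daily closing balances, one list per account, oldest first.
SAMPLE_BALANCES = {
    "acct-1001": [1200.0] * 30 + [1250.0, 1180.0, 1210.0],  # stable account
    "acct-1002": [900.0] * 30 + [950.0, 8900.0, 400.0],     # sudden inflow, then drained
}


def daily_deltas(balances):
    """Day-over-day change in closing balance."""
    return [b - a for a, b in zip(balances, balances[1:])]


def balance_fluctuation_report(balances_by_account, baseline_days=30,
                               recent_days=3, ratio=5.0, floor=500.0):
    """Return (account, peak_recent_move, typical_move) for accounts whose recent
    movement exceeds both the dollar floor and ratio times their own typical move."""
    flagged = []
    for acct, balances in balances_by_account.items():
        deltas = daily_deltas(balances)
        if len(deltas) <= recent_days:
            continue  # not enough history to say what is normal for this account
        baseline = deltas[:-recent_days][-baseline_days:]
        recent = deltas[-recent_days:]
        typical = mean(abs(d) for d in baseline) if baseline else 0.0
        peak = max(abs(d) for d in recent)
        if peak > max(floor, ratio * typical):
            flagged.append((acct, peak, typical))
    return flagged


if __name__ == "__main__":
    for acct, peak, typical in balance_fluctuation_report(SAMPLE_BALANCES):
        print(f"{acct}: recent move {peak:,.2f} vs typical {typical:,.2f}")
```

A report like this is a triage feed for the BSA or fraud officer, not a decision on its own; the flagged account still needs a reviewer to look at the underlying items (source of the inflow, channel used to drain it) before any SAR consideration.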

Identity Theft Red Flags
- SHAZAM Risk Services Observations
  o No red flags checklist for staff members who deal with new accounts
  o No red flags reference sheet
  o Infrequent and general training of staff members
  o Risk assessments may not address some components
    o E.g. different methods for opening an account
    o E.g. likelihood of red flags occurring (based upon the FI's historical experience)

Prepaid Cards
- FFIEC Guidance on Prepaid Cards (3/2016)
  o Clarifies that certain prepaid cards issued by an FI should be subject to the CIP
  o For purposes of CIP, prepaid cards that provide a cardholder with (a) the ability to reload funds or (b) access to credit or overdraft features should be treated as accounts.

Prepaid Cards

Prepaid Cards
- Service Providers
  o Liability
  o Fraud monitoring / Neural
- Dollar Limits
  o Gift Cards (no cash, domestic only)
    o Midwest Processor: $1,000 per gift card (max load) [one of the higher levels]
    o Typical processor load is $500 or $700.
  o Reloadable Travel Cards
    o Midwest Processor: reload limit of 2x per day

Prepaid Cards
- ATM Withdrawals
  o 3x per day and $500 maximum reload
  o 3x per day for travel cards
- POS: gift card charge up to $695, reloadable is $995
- FIs can set their own limits.

Prepaid Cards
- Customer Risk Rating Process
- SHAZAM Risk Services Observations
  o Need to do proper due diligence on the service provider (e.g. SSAE16)
  o Should be able to see the processor's written BSA and AML program
  o Is the processor directly examined by a regulatory agency?

Merchant Program
- VISA and MasterCard
- Brand damaging merchants
  o Flag these merchant types as high risk in the fraud system
  o Separate them from your other merchants.

Merchant Program
- Visa and MasterCard standards for merchant exception processing monitoring
  o Based upon established rules

Merchant Program
- The above table is what Visa says should be configured for standard merchants.
- If SHAZAM takes on a traditional merchant that is high risk, the SHAZAM Merchant department both flags the merchant as high risk and modifies the above defaults.
- You should adjust these to lower rates so merchant exception activity is not missed on these high risk merchants.

Merchant Program
- Fraud Monitoring
  o The processor should monitor for unusual activity and report such activity to the merchant's FI.
  o All activity volumes should be modified at least every ninety days so averages of normal processing can be established.
  o The SHAZAM Fraud section selectively adjusts each merchant's criteria for unusual activity pertaining to transaction size, daily volume, monthly volume, and other metrics.

Merchant Program
- FI with its own Merchant Program: rules say you have to do MATCH
  o MATCH: Merchant Alert To Control High risk merchants
    o MasterCard product
    o VISA and Discover also require FIs to check MATCH.
  o MOST: Merchant Online Status Tracking
    o This is for merchants setting fraud thresholds. MasterCard requires it.
  o RIS: Risk Identification System
    o VISA

Merchant Program
- Merchant underwriting / due diligence
- 2 basic risk elements inherent in business dealings:
  o General Risk (merchant category codes)
  o Specific Risk
- Risk Matrix

                                 Low Risk Merchant        High Risk Merchant
                                 (Low Specific Risk)      (High Specific Risk)
  High Risk Industry             Higher Risk              Highest Risk
  (High General Risk)
  Low Risk Industry              Lower Risk               Higher Risk
  (Low General Risk)
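The merchant program slides above make two points that fit together: exception thresholds should be set against each merchant's own averages of normal processing (re-established at least every ninety days), and those thresholds should be tighter for merchants the risk matrix places in a higher tier so that exception activity is not missed. The following is an added illustration, not SHAZAM's, Visa's or MasterCard's monitoring logic, combining a trailing 90-day baseline of ticket size and daily volume with a tier-dependent multiplier. The multipliers, the transaction record layout and the sample history are constructed assumptions; the actual brand defaults referred to on the slide are not reproduced here.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Reporting date for the constructed sample (assumption).
AS_OF = date(2016, 3, 15)


def risk_tier(high_general_risk, high_specific_risk):
    """Map the slide's two risk elements to a matrix quadrant."""
    if high_general_risk and high_specific_risk:
        return "highest"
    if high_general_risk or high_specific_risk:
        return "higher"
    return "lower"


# Assumed multipliers over a merchant's own averages; lower means tighter,
# matching the slide's advice to lower the defaults for high risk merchants.
THRESHOLD_MULTIPLIER = {"lower": 3.0, "higher": 2.0, "highest": 1.5}


def baseline(txns, as_of, window_days=90):
    """Average ticket and average daily volume over the trailing window ending before as_of."""
    start = as_of - timedelta(days=window_days)
    recent = [t for t in txns if start <= t["date"] < as_of]
    if not recent:
        return None
    by_day = defaultdict(float)
    for t in recent:
        by_day[t["date"]] += t["amount"]
    return {"avg_ticket": mean(t["amount"] for t in recent),
            "avg_daily_volume": mean(by_day.values())}


def exceptions(txns, as_of, tier):
    """Exception items for as_of: tickets and daily volume above the tier multiple of baseline."""
    b = baseline(txns, as_of)
    if b is None:
        return []  # no history yet; a new merchant needs manual review instead
    k = THRESHOLD_MULTIPLIER[tier]
    today = [t for t in txns if t["date"] == as_of]
    items = [("ticket_size", t["amount"]) for t in today if t["amount"] > k * b["avg_ticket"]]
    volume = sum(t["amount"] for t in today)
    if volume > k * b["avg_daily_volume"]:
        items.append(("daily_volume", volume))
    return items


def sample_history():
    """Constructed data: two $50 tickets a day for 90 days, then a $120 and a $50 ticket on AS_OF."""
    txns = [{"date": AS_OF - timedelta(days=d), "amount": 50.0}
            for d in range(1, 91) for _ in range(2)]
    txns += [{"date": AS_OF, "amount": 120.0}, {"date": AS_OF, "amount": 50.0}]
    return txns


if __name__ == "__main__":
    for tier in ("lower", "higher", "highest"):
        print(tier, exceptions(sample_history(), AS_OF, tier))
```

With the same day's activity, the "lower" tier produces no exception, the "higher" tier flags the $120 ticket, and the "highest" tier flags both the ticket and the day's volume; that difference is the practical effect of lowering the defaults for high risk merchants.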

Merchant Program
- Customer Risk Rating Process
- SHAZAM Risk Services Observations [Traditional Program]
  o FIs do not do proper due diligence
  o FIs lack formal programs
    o No merchant program / policy
    o No risk assessment
    o No management and/or Board reporting

SHAZAM Help Desk
- Core Services department
- The top 5 BSA-related inquiries received:
  o What is the record retention for BSA?
  o Are we allowed to make copies of drivers licenses?
  o What is the deadline for filing a SAR?
  o How many days do you have to file a CTR?
  o Who is the customer? The individual with power of attorney opening the account, or the individual named on the account?

Cybersecurity
- BSA Officer Involvement
  o The inherent risk and maturity analyses both address some areas that may be overseen by the BSA officer.
- Inherent Risk Elements {see next slide}

Cybersecurity

Other Considerations {Marijuana}
- Business of marijuana
  o FinCEN Guidance, February 2014
  o FIs can do business if proper due diligence is followed.

Other Considerations {Wire}
- Wire Transfer
  o No known wire fraud incidents with SHAZAM community banks in 2015
  o Community FIs perform few if any wires for noncustomers
- Customer Risk Process
  o Clients who perform repetitive wires may represent more risk.
  o Clients who perform international wires may present more risk.

Other Considerations {Wire}
- SHAZAM Risk Services Observations
  o FIs need to safeguard pre-established PINs / passwords used with repetitive customers
  o A network breach could lead to fraudulent use of PINs / passwords

Other Considerations {ATM Skimming}
- Regularly check terminals (daily)
- Look for signs of tampering
  o Adhesive residue
  o Skimmer devices
- Monitor Outages
- Video
  o View daily
  o Position correctly
  o Monitor Outages
  o Notify law enforcement if skimming is detected

Other Considerations {Bill Pay}
- Fraud
  o Negligible fraud reported by community FIs
- Customer Risk Rating Process
- SHAZAM Risk Services Observations
  o FIs aren't setting reasonable dollar limits, if any
  o FIs are automatically granting Bill Pay services along with traditional internet banking services
  o FIs are not monitoring bill pay activity (e.g. pending bill pay report)
  o Few systematic fraud monitoring systems in place.

Other Considerations {Deposit Capture}
- Business
- Consumer
- SHAZAM Risk Services Observations
  o CATO
  o Multi-Factor
  o Duplicate entries

Other Considerations {PayDay}
- Account funding
  o Debit Card or Prepaid Card
  o If there is a credit on the card, what does it relate to? Can you identify where it is coming from?

Other Conditions {HIDTA, HIFCA}
- High Intensity Drug Trafficking Area (HIDTA)
  o High intensity drug trafficking regions
  o Benton, Jefferson, Pulaski and Washington counties in Arkansas
  o http://www.nhac.org/news/hidta_counties.htm

Other Conditions {HIDTA, HIFCA}
- High Intensity Financial Crime Area (HIFCA)
  o High intensity money laundering zones
  o No counties in Arkansas
  o https://www.fincen.gov/law_enforcement/hifca/index.html
- Maps can change without notice, so check the list of counties when updating your risk assessment

Monitoring