Control measures for guarding against some recent fraud cases



Similar documents
The Hong Kong Monetary Authority published today the enclosed first issue of the Operational Incidents Watch.

Cyber Security Risk Management

Supervisory Policy Manual

NOTICE TO BANKS MONETARY AUTHORITY OF SINGAPORE ACT, CAP. 186 PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS

Our Ref.: B4/1C. 14 September The Chief Executive All Authorized Institutions. Dear Sir/Madam, Prudential Measures for Property Mortgage Loans

Practice note on credit risk management for loans to the corporate sector

PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS

CENTENARY COLLEGE POLICIES UNDER THE FAIR & ACCURATE CREDIT TRANSACTION ACT S RED FLAG RULES

Guide to credit card security

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT

Identity Theft Prevention Program

Identity Theft Prevention Program

Prudential Measures for Property Mortgage Loans

FFIEC CONSUMER GUIDANCE

A multi-layered approach to payment card security.

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft

University of Nebraska - Lincoln Identity Theft Prevention Program

CITY OF MARQUETTE, MICHIGAN CITY COMMISSION POLICY

UNIVERSITY OF MASSACHUSETTS IDENTITY THEFT PREVENTION PROGRAM

FFIEC BUSINESS ACCOUNT GUIDANCE

THE LAND REGISTRY E-ALERT SERVICE - APPLICATION FOR CHANGE OF PARTICULARS

Clare College Financial Policies and Procedures Supplier Account Set Up and Change Procedures

SUBJECT: Identity Theft / Patient Misidentification POLICY NUMBER: Page 1 of 16 GENERATED BY: Integrity Compliance Office APPROVED BY:

NEVADA SYSTEM OF HIGHER EDUCATION PROCEDURES AND GUIDELINES MANUAL CHAPTER 13 IDENTITY THEFT PREVENTION PROGRAM (RED FLAG RULES)

Here are two informational brochures that disclose ways that we protect your accounts and tips you can use to be safer online.

Scope All [Name of Facility] operations

Wake Forest University. Identity Theft Prevention Program. Effective May 1, 2009

I. Purpose. Definition. a. Identity Theft - a fraud committed or attempted using the identifying information of another person without authority.

IDENTITY THEFT PREVENTION PROGRAM

Protecting your business from some of the current fraud threats

Office of Privacy Protection Safeguarding Information for Your Future

Central Oregon Community College. Identity Theft Prevention Program

NCUA LETTER TO CREDIT UNIONS

Identity theft prevention program and red flag compliance policy.

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

identity Theft Prevention and Identification Requirements For Utility

Policy: 208 Subject: Identity Theft Prevention Program Approved for Board Action: December 22, 2009 Dates Amended:

TITLE XVIII: IDENTITY THEFT PREVENTION PROGRAM

Supervisory Policy Manual

The Florida A&M University. Identity Theft Prevention Program. Effective May 1, 2009

Red Flag Rules Information and Training

Administrative Procedure 5800 Prevention of Identity Theft in Student Financial Transactions

Personal Account Opening Form Sole Applicant

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft

Number of Pages: 5 Number of Forms: 0 Saved As: X:/Policies & Procedures/13. JCAHO STD s (if applicable): N/A

Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Identity Theft Prevention Program

Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements

IDENTITY THEFT PREVENTION PROGRAM OVERVIEW

DMACC IDENTITY THEFT- RED FLAGS PROCEDURES

Florida International University. Identity Theft Prevention Program. Effective beginning August 1, 2009

CHAPTER 99: IDENTITY THEFT PREVENTION PROGRAM

Z1.01 Guideline: Identity Theft Prevention Program

DBS Bank (China) Limited Debit Card Users Guide

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

We are writing further to your request for a claim form and are very sorry to note the circumstances described.

Our Ref.: B4/1C. 22 February The Chief Executive All Authorized Institutions. Dear Sir/Madam, Prudential Measures for Property Mortgage Loans

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

Delta Township Compiled Policy Manual

CREDIT CARD PAYMENTS ARE NOT ACCEPTED FOR STUDENT TUITION PAYMENTS

TOP TRUMPS Comparisons of how to pay for goods and services online

DHHS POLICIES AND PROCEDURES

AUSTRALIAN PAYMENTS FRAUD DETAILS AND DATA

Identity Theft Policy

1.1 For Hong Kong residents who have not opened any account under the CASH Financial Services Group (CASH FSG)

Octopus Automatic Add Value Service Application Form. Fax No.:

Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud

COUNCIL POLICY NO. C-13

Legislative Council Panel on Financial Affairs Congestion in Securities Trading Networks

Deception scams drive increase in financial fraud

Review of banks anti-money laundering systems and controls

State Of Florida's Real Estate Law

Administrative Procedures Memorandum A1452

PREPARED AS GUIDANCE FOR NAAA MEMBERS DO NOT USE WITHOUT CONSULTING LEGAL COUNSEL.

N a t i o n a l F u n e r a l D i r e c t o r s A s s o c i a t i o n

Covered Areas: Those EVMS departments that have activities with Covered Accounts.

University Policy: Identity Theft Prevention Policy

Identity Theft Prevention Program

University Identity Theft and Detection Program (NEW) All Campuses and All Service Providers Subject to the Red Flags Rule

Celestial Commodities Limited ("CCL") Electronic Trading Account - Hong Kong Futures and Options Trading Policy

MasterCard Debit Card Disputes and Fraud Claims

銀 行 操 守 部. Banking Conduct Department. Our Ref: B1/15C C2/5C. 8 December The Chief Executive All Authorized Institutions.

Chatsworth Water Works Commission. Identity Theft Prevention Program. Effective beginning December 1, 2008

How To Calculate Asset Concentration In An Accumulator

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

policy All terms used in this policy that are defined in 16 C.F.R shall have the same meaning provided in that section.

Trade and Industry Department The Government of the Hong Kong Special Administrative Region. Ref. : CR TID/CEPA 7/7 6 December 2013

With the Target breach on everyone s mind, you may find these Customer Service Q & A s helpful.

Identity theft. A fraud committed or attempted using the identifying information of another person without authority.

UNION COUNTY S IDENTITY THEFT PREVENTION PROGRAM

City of Hercules Hercules Municipal Utility Identity Theft Prevention Program

Your Single Source. for credit, debit and pre-paid services. Fraud Risk and Mitigation

Florida Agricultural & Mechanical University Board of Trustees Policy

Identity Theft Prevention Program. Effective: November 1, 2009

Green University. Identity Theft Prevention Program. Effective beginning October 31, 2008

Fraud Mitigation and Identity Verification for Card Not Present Transactions Overview

University of St. Thomas. Identity Theft Prevention Program. (Red Flags Regulation Response)

IDENTITY THEFT PREVENTION PROGRAM

Payment Fraud Statistics

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Transcription:

Our Ref.: B1/15C B9/81C 5 June 2014 The Chief Executive All Authorized Institutions Dear Sir/Madam, Control measures for guarding against some recent fraud cases I am writing to draw the attention of your institution to the modus operandi of some fraud cases reported in the past months and certain sound operational control measures for guarding against those cases. Frauds of unauthorized fund transfers related to fake email/remittance instructions According to the observations of Commercial Crime Bureau of the Hong Kong Police Force, one of the frauds reported in the past months warranting banking industry s specific attention was unauthorized fund transfers related to fraudulent email instructions. Typically, such email instructions were sent from fraudsters purporting to be the relevant authorized institutions (AIs) customers by using email addresses similar to those of customers or by gaining unauthorized access to the customers email accounts. After receiving the email instructions, the AIs concerned either did not call back the customers concerned or did not carry out their call back procedures robustly to verify the genuineness of the email instructions before processing the fund transfers. The HKMA has also received reports that fraudsters submitted fictitious outward remittance instructions to AIs after getting hold of the victims personal information (e.g., bank account numbers and HKID card numbers) by stealing the victims letters from their mail boxes with lax security measures and then conducting searches in public registry (such as the Land Registry/Companies Registry for specimen signatures). While the AIs concerned did call back the customers to confirm the instructions, the fraudsters had managed to divert the calls to their phones through activating the call forwarding function 1. As the AIs call-back confirmation procedures were not stringent enough or not properly carried out by relevant staff, the fraudsters were able to answer the verification questions. In the light of these frauds, the HKMA has conducted a series of thematic desktop reviews and on-site examinations to assess the related controls of selected AIs, particularly those 1 These incidents highlight the importance that the authentication and related controls for activating call forwarding implemented by mobile network operators should be robust enough to prevent or detect unauthorized forwarding by fraudsters. The relevant staff of AIs should also remain vigilant in conducting call-back confirmation via the pre-registered telephone numbers provided by customers.

related to handling fund transfer instructions received from e-mail or fax. Based on the review results, the HKMA has identified some sound control practices (at Annex) for preventing and detecting such frauds, particularly: (i) AIs should give serious consideration to not accepting third-party fund transfer instructions via emails. Even in the case that an AI considers such email instructions acceptable, such flexibility should only be available in very limited cases and they should also be covered by adequate compensating controls. In general, it is difficult for AIs to verify the genuineness of email instructions received via the internet. Moreover, any acceptance of email instructions from customers also exposes the customers to the risk of leakage of their authorized signatures shown in any email attachments. This would be highly undesirable, especially if the AI has not reminded the customers of the relevant risks; (ii) In addition to signature verification controls, AIs should put in place further controls to confirm the genuineness of third-party fund transfer instructions received through email or fax before execution. In general, AIs should call back the relevant customer via a pre-registered telephone number provided by the customer to confirm the submission of such instruction. In case a threshold of fund transfer amount is set for mandatory call-back confirmation, the threshold amount should be commensurate with the risk appetite of the relevant business line. For fund transfers associated with a higher risk (e.g. large fund transfer amount), AIs should take further compensating controls; (iii) AIs should establish clear policies and procedures on controls for guarding against fraudulent third-party fund transfers concerned. Apart from AIs periodic internal audit reviews, the relevant business lines should also conduct on-going sample checks to ensure that the required controls are properly implemented by their staff. We expect AIs to give full consideration to the sound control practices when evaluating and strengthening, where appropriate, their existing controls for guarding against the relevant frauds, having regard to their risk assessment, the service needs of their customers and the latest market developments. Frauds of unauthorized cheques withdrawals Another fraudulent technique noted involves the submission of falsified instructions to a bank in order to change the victim s correspondence address and then to request for a new cheque book to be mailed to the new address. We understand that the Hong Kong Association of Banks (HKAB) issued a circular on 19 May 2014 to provide a number of good practices in handling customers requests for new cheque books received by mail, including calling the customer concerned to verify the request or seeking documentary proof where necessary, and notifying the customer by SMS, email or post after the request has been processed. The HKMA expects banks to adopt these good practices to enhance their security procedures. Card-Not-Present (CNP) credit card frauds

We noticed that another fraudulent technique involves conducting CNP credit card transactions (e.g., payments over internet, telephone, physical mail, etc. without physical presentment of credit cards) by fraudsters using stolen credit card information. Although the card issuing banks sent SMS notifications to the cardholders pre-registered mobile phone numbers, the fraudsters had managed to forward the SMS to their mobile phone numbers and the SMS notifications could not reach the cardholders mobile phone numbers. To help cardholders to detect similar frauds, the HKMA has discussed the matter with the HKAB, which in turn reached an agreement with mobile network operators to shortly implement a strengthened control. In particular, SMS notifications related to CNP transactions sent by credit card issuing banks will be sent to both the cardholders pre-registered mobile phone numbers and any mobile phone numbers to which the SMS notifications have been forwarded (if the SMS forwarding services have been activated). Should you have any question on the above-mentioned controls, please do not hesitate to contact Mr Parry Tang at 2878 1524 or Mr Alex Lee at 2878 1484. Yours faithfully, Henry Cheng Executive Director (Banking Supervision) Encl.

Annex Examples of sound control practices related to fake email / remittance instructions Controls related to acceptance of third-party fund transfer instructions received via email or fax 1. AIs should give serious consideration to not accepting third-party fund transfer instructions via email. Even in the case that an AI considers such email instructions acceptable, such flexibility should only be available in very limited cases and they should also be covered by adequate compensating controls. In general, it is difficult for AIs to verify the genuineness of email instructions received via the internet. Moreover, any acceptance of email instructions from customers also exposes the customers to the risk of leakage of their authorized signatures shown in any email attachments. This would be highly undesirable, especially if the AI has not reminded the customers of the relevant risks. 2. AIs should not accept third-party fund transfer instructions via fax unless they have received customers written consents. 3. Before accepting a customer s request to use an email or a fax as a channel for submitting third-party fund transfer instructions, AIs should remind the customer of the possible risks associated with the channel, in line with the principle of maintaining a fair and cordial relationship with their customers. AIs should maintain documentation about such reminders given to customers. Controls related to acceptance of remittance instructions received from non-account holders 4. AIs may give customers the flexibility to pre-register designated non-account holders who are allowed to submit remittance instruction forms in person for third-party fund transfer on behalf of the customers. Where a remittance instruction form for third-party fund transfer is received from a non-account holder (regardless of whether he or she has been pre-registered by the customers), the AI should consider whether to verify his or her identity (e.g. by sight of the HKID card or passport) and record the relevant identity information if permitted under the Personal Data (Privacy) Ordinance for the purpose of crime prevention or detection. Controls related to confirming third-party fund transfer instructions 5. In addition to signature verification controls, AIs should put in place further controls to confirm the genuineness of third-party fund transfer instructions received through email or fax before execution 1. In general, AIs should call back the relevant customer via a pre-registered telephone number provided by the customer to confirm the submission of such instruction. 1 As third-party fund transfer instructions received via post or submitted via branches by non-account holders could also be subject to fraud risk, AIs should also implement additional controls for confirming such instructions that are of a higher risk before execution.

Annex 6. In case a threshold of fund transfer amount (which may vary among channels/business lines) is set where call-back confirmation is mandatory only if the transfer amount of the third-party fund transfer instruction exceeds the predetermined level, the threshold amount should be commensurate with the risk appetite of the relevant business line. It should also be reviewed and endorsed regularly by the senior management or relevant risk committees of the AI. 7. AIs should specify the criteria and factors for identifying third-party fund transfer instructions of particularly higher risk. For instance, these may include instructions involving a large transfer amount or unusual payment pattern or payees received via e-mail or remittance instructions received from non-account holders who have not been pre-registered. For fund transfers associated with particularly higher risk, AIs should take further compensating controls, such as: (a) where applicable, assigning a staff member (e.g. a relationship manager) who knows the relevant personal customer very well to conduct the call-back confirmation via a pre-registered telephone number 2. If the staff member is unable to recognise the relevant customer, he or she should consider asking dynamic questions 3 where practicable, in addition to static questions, during call-back confirmation; (b) contacting pre-registered person(s) of corporate customers to conduct the call-back confirmation via pre-registered telephone number(s). If the fund transfer involves a very large value or there is suspicion, AIs should consider taking further practicable steps to confirm the instruction. Controls related to awareness of relevant staff and periodic audits and reviews 8. AIs should establish clear policies and procedures, which should be subject to regular reviews, on the above-mentioned and any other relevant controls for guarding against fraudulent third-party fund transfers concerned. AIs should also periodically raise the awareness among relevant staff of these policies and procedures. 9. Apart from AIs periodic internal audit reviews, the management of relevant business lines should also conduct on-going sample checks to ensure that the required controls are properly implemented by their staff. 2 3 Some fraud cases highlight the importance that the authentication and related controls for activating call forwarding implemented by mobile network operators should be robust enough to prevent or detect unauthorized forwarding by fraudsters. The relevant staff of AIs should also remain vigilant in conducting call-back confirmation via the pre-registered telephone numbers provided by customers. Following the same principle, certain banks send a SMS message containing a one-time verification code to the customer of a remittance instruction received from non-account holders and then require the customer to provide the code during call-back confirmation.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information