Payments Fraud Best Practices




Payments Fraud Best Practices
Fraud Prevention

Stephen W. Markwell, Disbursements Product Executive, J.P. Morgan
Pamela R. Malmos, Director Finance, Treasury Operations, ConAgra Foods, Inc.
Laura Howley, CTP, Director, Global Treasury Operations, The Boeing Company

Today's Presenters

Stephen W. Markwell, Executive Director, J.P. Morgan
Stephen Markwell is Executive Director and manager of Disbursement Products for J.P. Morgan Treasury Services. Mr. Markwell is responsible for the following products and services: Account Reconciliation Outsourcing, Controlled Disbursements, Check Print Outsourcing, Payables Web Services, and Payment Fraud Protection Solutions.

Pamela R. Malmos, Director Finance, ConAgra Foods, Inc.
Pamela Malmos is Director Finance, Treasury Operations for ConAgra Foods, Inc. She is responsible for all aspects of global treasury, including managing in excess of $3b of pension and 401(K) assets. Along with implementing multiple fraud prevention products for more than 160 bank accounts, Ms. Malmos created an internal fraud guideline policy and leads ongoing training on payments fraud prevention.

Laura Howley, CTP, Director, The Boeing Company
Laura Howley is Director, Global Treasury Operations for The Boeing Company. She is responsible for managing Boeing's cash investment portfolio, short-term cash forecast, share repurchase, and global banking infrastructure. She is also the Treasury liaison for all merger and acquisition activity. Ms. Howley led a large initiative to improve the company's fraud prevention by conducting extensive industry research and benchmarking to ensure industry best practices and establishment of an enterprise-wide fraud/risk reduction team.

Mitigating the Risk of Payment Fraud

J.P. Morgan is proud to sponsor the 2011 AFP Payments Fraud and Control Survey. Today we share highlights of the study as well as important information from additional sources that can help your organization combat payments fraud.

Only with accurate and up-to-date knowledge of fraudster practices, and of the products and services available to combat them, can organizations implement internal procedures and external security services that will protect valuable assets.

As we continue to invest in technology, tools and expertise that companies need to prevent fraud attacks, we invite you to rely on J.P. Morgan for accurate and up-to-date news and information as well as a complete arsenal of fraud-fighting tools that can help keep your organization safe from payments fraud.

Who's at Risk and What's at Stake?

In 2010:
- 71% of organizations experienced attempted or actual payments fraud.
- 82% of organizations with annual revenues over $1 billion were victims of payments fraud.
- 58% of organizations with annual revenues under $1 billion were victims of payments fraud.
- 29% of organizations report that incidents of fraud increased.
- The median loss of organizations that sustained any financial losses resulting from payments fraud was $18,400.

Percent of Organizations Subject to Attempted or Actual Payments Fraud (chart):
2004: 55%
2005: 68%
2006: 72%
2007: 71%
2008: 71%
2009: 73%
2010: 71%

Source: 2011 AFP Payments Fraud and Control Survey

No Payment Type Is Immune

- 93% of organizations that experienced attempted or actual payments fraud in 2010 were victims of check fraud, up from 90% in 2009.
- Though electronic fraud is a tougher challenge for criminals, ACH Debit fraud ranks second as a target.
- Consumer credit/debit card fraud is up from 20% in 2009 to 23% in 2010; commercial card fraud is down from 17% to 15% in the same period.

Prevalence of Payments Fraud in 2010 (Percentage of Respondents)
Values are listed as: All Respondents / Revenues > $1 billion / Revenues < $1 billion
Checks: 93% / 95% / 84%
ACH debits: 25 / 26 / 26
Consumer credit/debit cards: 23 / 20 / 19
Corporate/commercial purchasing cards: 15 / 18 / 19
ACH credits: 4 / 11 / *
Wire transfers: 4 / 2 / 2

Source: 2011 AFP Payments Fraud and Control Survey

Internal Best Practices

Segregate Duties
- Checks: Originate payment, Submit Issuance, Decision Exceptions
- Wires: Creating, Approving, Releasing Wires

Dual Approval
- Require dual approval at critical checkpoints such as approving wires or approving Positive Pay exception decisions

Segregate Accounts
- Account Type: Deposits or Disbursements
- Payment Method: Check, ACH, Wire
- Payment Type: Payroll, Claims
- Payment Amount/Volume: High or low

"Segregating accounts for different payment vehicles is a best practice. Separation of accounts allows for timely and focused review of payment activity." (2011 AFP Payments Fraud and Control Survey, sponsored by J.P. Morgan)

Monitor and reconcile accounts daily

Centralized Fraud Protection Governance

HR Policy
- Forced vacations and job rotations

Source: 2011 AFP Payments Fraud and Control Survey

Check Fraud: #1 and Growing

Follow the money
- Checks as a percent of total payments is decreasing at a rate of approximately 7%
- However, the value of checks is increasing

A Growing Trend?
- 53% of organizations suffering financial losses report that checks resulted in the greatest loss.
- 30% of organizations report that check fraud attacks have increased

Why Checks?
- Easy-to-commit, quick-hit crime
- Requires no special skills
- Technology-assisted crime (scanners, printers, desktop publishing software)

Payment Method Responsible for the Greatest Financial Loss Resulting from Fraud in 2010 (chart):
Checks: 53%
Consumer cards: 23%
Corporate / commercial cards: 14%
ACH debits: 8%
ACH credits: 1%
Wire transfers: 1%

Most Widely Used Check Fraud Techniques (chart):
Non-payroll counterfeit checks using MICR line data: 68%
Payee name alteration on checks issued: 56%
Dollar amount alteration on checks issued: 35%
Counterfeit check drawn on fake or another company's account: 28%
Loss / theft / counterfeit of payroll checks: 19%

Source: 2011 AFP Payments Fraud and Control Survey

Check Fraud: Solutions & Internal Best Practices

Use of Check Fraud Protection Solutions (Services/Methods Used)
Values are listed as: All Respondents / Revenues > $1 billion / Revenues < $1 billion
Positive Pay & Reverse Positive Pay: 84% / 87% / 82%
Payee Name Positive Pay: 58 / 65 / 51
Post No Checks: 42 / 49 / 33

Best Practices
- Account Segregation (see chart)
- Outsourcing check print
- Electronic forms of financial documents
- Document destruction process
- Manage check stock orders & storage
- Segregation of duties and dual approval

Segregating Accounts by Payment Type (chart):
Disbursements vs. collections: 75%
Payment type: 47%
Wire transfers: 36%
Receiving ACH debit payments: 32%
Card payments: 24%

Source: 2011 AFP Payments Fraud and Control Survey

ACH Fraud: As Use Broadens, ACH Fraud Schemes Grow

Popular ACH Fraud Schemes
- Account Hijacking: Fraudsters use compromised customer credentials to hijack the origination system and use it in the legitimate account holder's name.
- Identity Fraud: Criminals create false identities, social engineer their way into obtaining ACH origination capabilities and then initiate fraudulent debits.
- ACH Kiting: A version of check kiting with a cyber twist, ACH kiting involves a pair of accounts used for fraudulent purposes where an ACH debit is originated from one account and drawn on the other; the available balance is taken out before settlement.
- Reverse Phishing: Instead of e-mails attempting to fraudulently obtain corporate banking information, perpetrators send e-mails to corporates that provide fraudulent banking information, redirecting ACH payments to an account they control.
- Insider Origination Fraud: Insiders at a merchant or bank manipulate an ACH origination file to skim funds from a company.
- Counterfeiting: ACH debits generated through the electronic conversion of a counterfeit check.

ACH Fraud Attempts & Losses (chart):
No attempts: 75%
Reported attempts, no loss: 22%
Reported attempts, loss: 3%

Source: 2011 AFP Payments Fraud and Control Survey

ACH: Fraud Protection Products & Best Practices

Use of ACH Fraud Protection Products (Services/Methods Used)
Values are listed as: All Respondents / Revenues > $1 billion / Revenues < $1 billion
ACH debit blocks: 76% / 88% / 65%
ACH debit filters: 61 / 66 / 55
ACH positive pay: 27 / 26 / 27
UPIC for ACH credits: 7 / 8 / 7

Internal Best Practices
- Know your customers and vendors
- Segregate Accounts and Duties
- Protect Sensitive Information: Mask and Encrypt
- Monitor and reconcile your accounts daily
- Ensure tokens are collected and credentials are changed after employees leave

Source: 2011 AFP Payments Fraud and Control Survey

Phishing Casts a Wider Net

Popular Phishing Schemes
- Vishing: uses the telephone system to solicit sensitive information
- Smishing: SMS (Short Message Service) phishing
- Spear Phishing: targets employees or high-profile individuals within an organization

Protection from your Bank
- Encryption
- Multi-Factor Authentication: Soft or Hard tokens
- Dual authority or Step Up Authentication for Transactions
- Comprehensive fraud monitoring and detection systems
- Customer education programs

Sources: RSA Security Inc. (2010). Special Online Fraud Report: What to Expect in 2010.

Commercial Cards: Coming of Age

- In 2010, more than three quarters (76 percent) of businesses used some sort of corporate or commercial cards
- All organizations using cards are subject to fraud
- Employees were responsible for nearly one-third (29%) of card fraud in 2010

Types of Cards Used in Making B2B Payments (chart):
Purchasing cards: 73%
T&E cards: 44%
Ghost or virtual cards: 32%
Multiple-use cards: 29%
Fleet cards: 13%
Airline travel cards (UATP): 6%

A J.P. Morgan survey of purchasing card clients identified the following best practices:
- Senior management sponsorship
- Segregate duties and accounts
- Promote consistency within Policies and Procedures
- Effectively train managers and employees
- Define controls upfront
- Conduct peer reviews to validate business rules
- Partner with issuer that provides web based payment tools with rich spend analysis

Source: J.P. Morgan Treasury Services, Auditing and Compliance Strategies for a Solid Purchasing Card Program; 2011 AFP Payments Fraud and Control Survey

Case Study: Needs Assessment

Property & Casualty Insurance Provider, Midwest Division*
- P&C provider with large check claim payment volume
- Performs all transactions through single operating account
- 12 Fraud Attempts in the last 30 days

Account: XXXXXX7214
Account Type:
- Check: Claims Payments, Misc Payables
- ACH: Payroll through ADP, Vendor Payments, Refunds
- Deposit: Client Receipts
Monthly Activity:
- 87,263 Checks
- 69 ACH Debits
- 7 ACH Credits
- 370,440 Deposits
Recommended Solutions:
- Close Compromised Account
- Segregate activity into multiple accounts
- Apply Fraud Protection Solutions

*Fictitious client created for purposes of this case study

Case Study: Segregate Accounts

Segregate Accounts By:
- Purpose
- Payment Vehicle
- Volume
- Amount

Each row lists: Account / Account Type / Monthly Activity (the Recommended Solutions column is empty on this slide)
XXXXXX8765 / Check: Client Claims / 87,526 Checks
XXXXXX8768 / ACH: AP, Payroll through ADP / 4 ACH Debits
XXXXXX8770 / Deposit: AR, Client Receipts / 370,440 Deposits
XXXXXX8772 / ACH: Vendor Payments & Refunds / 65 ACH Debits, 7 ACH Credits
XXXXXX8774 / Check: Misc Payables / 263 Checks

*Fictitious client created for purposes of this case study

Case Study: Fraud Protection Solutions

Protect accounts with Fraud Protection Solutions that match your payment behavior

Each row lists: Account / Account Type / Monthly Activity / Recommended Solutions
XXXXXX8765 / Check: Client Claims / 87,526 Checks / Positive Pay with Payee Name verification; ACH Debit Block-All
XXXXXX8768 / ACH: AP, Payroll through ADP / 4 ACH Debits / ACH Debit Block-Exclude all but ADP; Post No Checks
XXXXXX8770 / Deposit: AR, Client Receipts / 370,440 Deposits / ACH Debit Block-All; Post No Checks
XXXXXX8772 / ACH: Vendor Payments & Refunds / 65 ACH Debits, 7 ACH Credits / ACH Transaction Review; Post No Checks
XXXXXX8774 / Check: Misc Payables / 263 Checks / Positive Pay with Payee Name verification; No Check Cashing; ACH Debit Block-All

*Fictitious client created for purposes of this case study
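The control assignments recommended on this case study slide, written out as an added example (not part of the original presentation and not any bank's product logic): a small Python evaluator that decides each presented item against the controls on its account. The issue file, the sample check, the decision labels and matching ACH originators by the name "ADP" are constructed assumptions; No Check Cashing is not modeled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Controls:
    positive_pay_payee: bool = False         # Positive Pay with Payee Name verification
    post_no_checks: bool = False             # Post No Checks
    debit_block_all: bool = False            # ACH Debit Block-All
    debit_allow: Optional[frozenset] = None  # ACH Debit Block, exclude all but these
    ach_review: bool = False                 # ACH Transaction Review

# Controls per segregated account, keyed by the last four digits on the slide.
ACCOUNTS = {
    "8765": Controls(positive_pay_payee=True, debit_block_all=True),
    "8768": Controls(post_no_checks=True, debit_allow=frozenset({"ADP"})),
    "8770": Controls(post_no_checks=True, debit_block_all=True),
    "8772": Controls(post_no_checks=True, ach_review=True),
    "8774": Controls(positive_pay_payee=True, debit_block_all=True),
}

# Constructed issue file: (account, check serial) -> (amount in cents, payee).
ISSUED = {
    ("8765", 1001): (125000, "Jane Q. Claimant"),
    ("8774", 2001): (48050, "Acme Office Supply"),
}

def _norm(name):
    # Compare payees case-insensitively with whitespace collapsed.
    return " ".join(name.upper().split())

def decide(item):
    """Return (decision, reason) for one presented check or ACH debit."""
    ctl = ACCOUNTS[item["account"]]
    if item["kind"] == "check":
        if ctl.post_no_checks:
            return ("RETURN", "post no checks")
        if not ctl.positive_pay_payee:
            return ("PAY", "no check control on account")
        issued = ISSUED.get((item["account"], item["serial"]))
        if issued is None:                   # counterfeit using real MICR data
            return ("EXCEPTION", "serial not in issue file")
        amount, payee = issued
        if item["amount"] != amount:         # dollar amount alteration
            return ("EXCEPTION", "amount differs from issue file")
        if _norm(item["payee"]) != _norm(payee):  # payee name alteration
            return ("EXCEPTION", "payee differs from issue file")
        return ("PAY", "matches issue file")
    if item["kind"] == "ach_debit":
        if ctl.debit_block_all:
            return ("RETURN", "ACH debit block")
        if ctl.debit_allow is not None and item["originator"] not in ctl.debit_allow:
            return ("RETURN", "originator not on allow list")
        if ctl.ach_review:
            return ("REVIEW", "hold for ACH transaction review")
        return ("PAY", "no ACH control triggered")
    raise ValueError("unknown item kind")

if __name__ == "__main__":
    altered = {"kind": "check", "account": "8765", "serial": 1001,
               "amount": 125000, "payee": "John Doe"}
    print(decide(altered))
```

An EXCEPTION is the item a Positive Pay reviewer would decision, which is where the deck's dual-approval practice applies.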

Panel Discussion

Today's Panel will discuss their Payments Fraud Experience
- Making payment fraud protection a priority
- Institutionalizing fraud protection measures across businesses
- Monitoring and mitigating the latest in fraud trends
- Calibrating internal best practices
- Leveraging appropriate fraud protection solutions

Stephen W. Markwell, Disbursements Product Executive, J.P. Morgan
Pamela R. Malmos, Director Finance, Treasury Operations, ConAgra Foods, Inc.
Laura Howley, CTP, Director, Global Treasury Operations, The Boeing Company

What Matters Today: Fraud Prevention

QUESTIONS

For more information, please contact:
Stephen Markwell
stephen.w.markwell@jpmchase.com
919-370-4036

Visit J.P. Morgan's Payment Fraud Resource Center at: www.jpmorgan.com/preventfraud

Payments Fraud Best Practices

This presentation was prepared exclusively for the benefit and internal use of the J.P. Morgan client to whom it is directly addressed and delivered (including such client's subsidiaries, the "Company") in order to assist the Company in evaluating, on a preliminary basis, certain products or services that may be provided by J.P. Morgan. This presentation contains information which is confidential and proprietary to J.P. Morgan, which may only be used in order to evaluate the products and services described herein and may not be disclosed to any other person. In preparing this presentation, we have relied upon and assumed, without independent verification, the accuracy and completeness of all information available from public sources or which was provided to us by or on behalf of the Company or which was otherwise reviewed by us. This presentation is for discussion purposes only and is incomplete without reference to, and should be viewed solely in conjunction with, the oral briefing provided by J.P. Morgan. Neither this presentation nor any of its contents may be used for any other purpose without the prior written consent of J.P. Morgan.

J.P. Morgan makes no representations as to the legal, regulatory, tax or accounting implications of the matters referred to in this presentation. Notwithstanding anything in this presentation to the contrary, the statements in this presentation are not intended to be legally binding. Any products, services, terms or other matters described in this presentation (other than in respect of confidentiality) are subject to the terms of separate legally binding documentation and/or are subject to change without notice. Neither J.P. Morgan nor any of its directors, officers, employees or agents shall incur any responsibility or liability whatsoever to the Company or any other party in respect of the contents of this presentation or any matters referred to in, or discussed as a result of, this document.

J.P. Morgan is a marketing name for the treasury services businesses of JPMorgan Chase Bank, N.A. and its subsidiaries worldwide. J.P. Morgan is licensed under U.S. Pat Nos. 5,910,988 and 6,032,137.