2012 payments fraud survey results - dallas fed/media/documents/outreach/fi/fraudsurv… ·...

2012 Payments Fraud Survey

Summary of Results

Federal Reserve Bank of Dallas FIRM—Financial Institution Relationship Management

August 30, 2012

2012 Payments Fraud Survey Results

©2012 Federal Reserve Bank of Dallas

1. Introduction In April 2012, the Federal Reserve Bank of Dallas’ FIRM—Financial Institution Relationship Management Department conducted research on payments-related fraud experienced by organizations in the Dallas Fed District.1 We asked our financial institution constituents to respond to an online survey about their experiences with payments fraud and the methods they use to reduce fraud risk. In addition, the survey audience was expanded with the help of the following organizations, which sent invitations to complete the survey directly to their members: SWACHA—The Electronic Payments Resource; the Dallas Association for Financial Professionals (AFP), Fort Worth AFP, Austin AFP, Houston Treasury Management Association (TMA) and San Antonio TMA. We thank those organizations for their help in obtaining responses. The survey covered transactions made using cash, check, debit and credit cards, automated clearinghouse (ACH), and wire transfers. This survey effort was part of a broader initiative conducted in conjunction with the Federal Reserve Banks of Minneapolis, Boston and Richmond, as well as the Independent Community Bankers of America. We plan to repeat this survey biannually in the years ahead, which will allow us to analyze trend data on payments fraud in the district over multiple years. 2. Respondent Information There were a total of 139 respondents to the survey based in the Dallas Fed District, 120 (86%) in the financial services industry, almost all of which are financial institutions (FIs),2 and 19 (14%) non-financial services organizations. The remaining non-financial institution respondents classified their organizations in one of 19 industry categories, as shown in Chart A. Respondents are also categorized by their organizations’ annual revenues, shown in Chart B. Just over half of the organizations have annual revenues of less than $50 million. Chart C shows, for financial institution respondents only, the number of respondents in each of various asset-size groups. About 80% of respondents were from organizations with less than $1 billion in assets.

1 Questions about the survey should be directed to Matt Davies, AAP, CTP, Director of Payments Outreach, Federal Reserve Bank of Dallas, at [email protected] or 214-922-5259. 2 For the purposes of this survey, the term “financial institutions” includes both banks and credit unions.

mailto:[email protected]



0% 0% 0%

11%

0%

26%

11%

5% 5%

0% 0%

11%

5%

11%

0%

5%

0% 0%

11%

0%

5%

10%

15%

20%

25%

30%

Chart A: Non-Financial Service Industry Respondent Classification

57%

8%

11%

2%

6%

5%

0%

2%

10%

0% 15

%

10%

0% 15

%

5%

25%

15%

10%

5%

0%

51%

8%

9%

4%

6%

8%

2%

3%

9%

0%

0%

10%

20%

30%

40%

50%

60%

Chart B: Revenue for All Respondents

FI, N=119

Non-FI, N=20

Total, N=139



3. Summary of Survey Results by Question a. Payments Made and Payment Types Used by Respondent Organizations Non-financial institution respondents were asked whether their organization’s payments typically have as their counterparties consumers, other businesses (including government entities) or both. As can be seen in Chart D, respondents were split evenly between payments primarily to/from other businesses and payments to/from both consumers and businesses.

16%

10%

26%

16% 13% 14%

2% 3%

0%

5%

10%

15%

20%

25%

30%

Chart C: FI Respondents by Asset Size (N=117)

50% 50%

0% 0%

10%

20%

30%

40%

50%

60%

Payments to/from both consumers and

businesses

Payments to/ from other businesses

Payments to/ from consumers

Chart D: Payment Volume Counterparties Non-FI

Non-FI, N=20



Chart E shows payment types accepted by non-financial institution respondents, while Chart F shows payment types used for disbursements by the same subset of respondents.

Financial institution respondents were asked to indicate whether their customer base is composed primarily of consumers, commercial clients or both. As can be seen in Chart G, nearly three-fourths of financial institution respondents offer services to both consumer and commercial customers.

100% 95%

90%

60%

70%

45%

25% 20%

15% 0% 0%

20%

40%

60%

80%

100%

120%

Check ACH Credits

Wire Credit Cards

ACH Debits

Cash Debit - Signature

Debit - PIN

Prepaid Cards

Other

Chart E: Payment Types Accepted by Non-FIs

Non-FI, N=20

100%

75%

75%

65%

70%

10%

10%

10%

0%

0%

0%

20%

40%

60%

80%

100%

120%

Check Wire ACH Credits

ACH Debits

Credit Cards

Cash Prepaid Cards

Debit - Signature

Debit - PIN

Other

Chart F: Payment Types Used by Non-FIs for Disbursements

Non-FI, N=20



Chart H illustrates the types of payments offered by financial institution respondents.

b. Payments Fraud Attempts and Financial Losses Only two (1.7%) of the financial institution respondents reported no payments fraud attempts; that figure was four (20%) for all other organizations. Respondents were asked which payment types had the highest number of attempts, as reported in Chart I. Of FI respondents, 83.6%

74%

19%

7%

0%

10%

20%

30%

40%

50%

60%

70%

80%

Both Consumers and Business or Commercial

Clients

Primarily to Consumers Primarily Business or Commercial

Clients

Chart G: Types of Customers to Which FIs Offer Payments Products/Services

FI, N=116

10%

28%

27%

44%

46%

56%

62%

86%

93%

95%

94%

99%

99%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

P2P Payments

Mobile Payments

International Payments

Lockbox Services

Credit Cards

Prepaid Cards

Remote Deposit Capture

Debit - Signature

Bill Payment

ACH

Check

Debit - PIN

Wire

Chart H: Payment Products Offered by FIs

FI, N=117



chose signature debit card attempts, followed by check (49.1%) and PIN debit (45.7%). Check fraud attempts were by far the highest among non-FI organizations at 65%, with credit card second highest at 35%.

For all payment types except signature debit, the majority of financial institution respondents indicated that their fraud prevention costs exceed their actual dollar losses to fraud (Chart J). Non-financial institution respondents tended to offer or use fewer types of payments, but for those payment types offered/used, they also indicated that fraud prevention tends to be more costly than actual fraud losses (Chart K).

84%

49%

46%

16%

22%

8%

2%

3%

1%

0%

5%

65%

0%

35%

10%

5% 20

%

0%

5%

0%

72%

51%

39%

18%

20%

7%

4%

3%

1%

0%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Debit - Signature

Checks Debit - PIN Credit Cards ACH Debits Wire No Fraud ACH Credits Cash Prepaid Cards

Chart I: Top Payment Types with Highest Number of Fraud Attempts (% of Respondents)

FI, N=116

Non-FI, N=20

Total, N=136



Only 2.8% of the FI respondents reported no dollar losses due to payments fraud; that number jumps to 77.8% for all other respondents. Respondents were asked which payment types have the highest dollar losses, as reported in Chart L. Eighty-six percent of the financial institution

77%

73%

68%

56%

55%

39%

30%

28%

30%

21%

25%

21%

42%

41%

12%

65%

16%

5%

2%

2%

12%

2%

4%

49%

5%

56%

65%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Wire ACH Cash Debit - PIN

Checks Prepaid Cards

Debit - Signature

Credit Cards

Mobile

Chart J: Cost of Fraud Prevention vs. Actual Fraud Loss - FIs

Prevention Costs Actual Fraud Loss Don't Offer/Use PYMT

79%

74%

75%

63%

13%

8%

13%

0%

7%

21%

26%

17%

19%

13%

0%

13%

0%

0%

0%

0%

8%

19%

73%

92%

73%

100%

93%

0%

20%

40%

60%

80%

100%

120%

Chart K: Cost of Fraud Prevention vs. Actual Fraud Loss - Non-FIs

Prevention Costs Actual Fraud Loss Don't Offer/Use PYMT



respondents identified signature debit cards as having the highest dollar losses, followed by PIN debit cards and checks. In contrast, non-financial institution respondents identified credit cards and signature debit cards as having the highest dollar losses at about 11% each, followed by checks, ACH and cash at about 6% each.

Over 74% of respondents estimated losses as 0.5% or less of their annual revenue (Table 1). Nearly 63% of all respondents selected the lowest range of loss, or less than 0.3% of annual revenues. These data suggest that losses due to payments fraud are relatively well controlled.

86%

47%

38%

12% 9% 6% 3% 2% 3% 0% 11% 0% 6% 11% 6% 0%

78%

6% 0% 0% 0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Debit - Signature

Debit - PIN

Checks Credit Cards

ACH Debits

Wire No Loss Cash ACH Credits

Prepaid Cards

Chart L: Payment Types with Highest Dollar Losses Due to Fraud

FI, N=107

Non-FI, N=18



Table 1: Payments Fraud Financial Losses by Percentage of Respondents that Incurred Losses

Loss Range as a Percent of Annual Revenue

Column1 0% >0% - .3% .3% - .5% .6% - 1%

1.1% - 5% Over 5%

# of FI respondents (N=102)

2

72

14 9 4 1

% of FI respondents 2% 71% 14% 9% 4% 1%

# of Non-FI respondents (N=18)

14

3 0 1 0 0

% of Non-FI respondents 78% 17% 0% 6% 0% 0%

# of all respondents (N=120)

16

75

14 10 4 1

% of all respondents 13% 63% 12% 8% 3% 1% Nearly 45% of respondents experienced increased fraud loss in 2012 over 2011 (Chart M), while approximately 38% indicated their financial losses due to fraud had stayed the same, and nearly 17% reported that they had decreased.

As shown in Charts N and O below, respondents that reported an increase in loss estimated the size of the increase. Nearly 45% of these respondents cited an increase of 1% to 5%, and 13%

50%

35%

16%

17%

61%

22%

45%

38%

17%

0%

10%

20%

30%

40%

50%

60%

70%

Increased Stayed the same Decreased

Chart M: Change in Payments Fraud Losses

(2011 vs. 2010)

FI, N=107

Non-FI, N=18

Total, N=125



estimated an increase of 10% or more. However, based on Table 1 above, note that, despite these increases, the total loss, estimated as a percentage of revenues, remains relatively small for the vast majority of respondents.

As shown in Chart P below, respondents that reported an increase in loss were also asked to identify the payment type associated with the increased loss. Signature debit led the list for financial institutions, while credit cards were tops for non-financial institution respondents.

30%

13%

11%

45%

0% 10% 20% 30% 40% 50%

Unsure

More than 10%

6 - 10%

1 - 5%

Chart N: Percent Increase in Financial Losses - FIs

FI, N=53

67%

0%

0%

33%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Unsure

More than 10%

6 - 10%

1 - 5%

Chart O: Percent Increase in Financial Losses - Non-FIs

Non-FI, N=3



Charts Q and R below indicate the responses of those that reported a decrease in loss, who were then asked to estimate the size of the decrease.

85%

45%

19%

8%

6%

4%

0%

2%

0%

0%

0%

0%

67%

0%

33%

33%

0%

0%

80%

43%

18%

11%

5%

5%

2%

2%

0%

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Debit - Signature

Debit - PIN Check Credit Cards

Wire ACH Debits

Cash ACH Credit Prepaid Cards

Chart P: Payment Type Associated with Increased Loss (% of Respondents w/ Increased Losses)

FI, N=53

Non-FI, N=3

Total, N=56

25%

44%

0%

31%

0% 10% 20% 30% 40% 50%

Unsure

More than 10%

6-10%

1-5%

Chart Q: Percent Decrease in Losses - FI

FI, N=16



Chart S below shows the results for respondents that reported a decrease in loss who were then asked to identify the payment type associated with the decreased loss. In this area, signature debit topped the list for financial institutions, while checks were the biggest contributing factor for non-financial institution respondents.

In total, 14 respondents (12 financial institutions and two non-financial institution respondents) indicated that their organizations had made changes to their payments risk management practices that led to the decrease in 2011 payments fraud losses, while seven indicated that they had not. Among those who had made changes to their practices, the most common change was to enhance the organization’s systems for monitoring fraud (Chart T). Other

50%

25%

25%

0%

0% 10% 20% 30% 40% 50% 60%

Unsure

More than 10%

6-10%

1-5%

Chart R: Percent Decrease in Losses - Non-FI

Non-FI, N=4

0%

0% 6%

12%

6% 12

% 24

%

53%

82%

0%

0%

0%

0%

0%

33%

100%

0%

0%

0%

0% 5%

10%

5% 15

%

35%

45%

70%

0%

20%

40%

60%

80%

100%

120%

Prepaid Cards

Cash Wire ACH Credit

Credit Cards

ACH Debit Checks Debit - PIN Debit - Signature

Chart S: Payment Type Associated with Decreased Loss (% of Respondents w/ Increased Losses)

FI, N=17

Non-FI, N=3



changes included increasing staff training/education and enhancing internal controls and procedures.

Respondents who indicated that enhancements to their organization’s fraud monitoring systems had helped to reduce fraud losses were asked to further identify the payment types to which enhanced monitoring applies. Their responses are summarized in Chart U below.

82%

73%

64%

46% 46%

0%

50% 50%

0% 0% 0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Enhanced fraud

monitoring system

Staff training & education

Enhanced internal

procedures

Adopted or increased use of a Financial

service

Enhanced authentication

methods

Chart T: Changes Made Contributing to Decrease in Losses

FI, N=11

Non-FI, N=2



c. Most Common Fraud Schemes For payments received by non-financial institution respondents, the top two current fraud schemes most often used were altered/forged checks and counterfeit checks (Chart V). Fifty percent of non-FI respondents reported altered or forged checks as the top scheme most often used, followed by counterfeit checks at 43%.

100%

33%

22%

22%

0%

0%

0%

0%

0%

0%

0%

20%

40%

60%

80%

100%

120%

Card transactions

ACH transactions

Wire transactions

Check transactions

Other

Chart U: Payments to which Enhanced Monitoring Applies

FI, N=9

Non-FI, N=0



Financial institution respondents indicated that, in payments by or on behalf of their customers, the top two current fraud schemes most often used by fraudsters were counterfeit or stolen cards used at the point of sale (84%) and used online (70%), with counterfeit checks (48%) rounding out the top three (Chart W). Surprisingly, while “corporate account takeover” is a theme often highlighted in the press as a major issue, it was not cited as a significant theme that affected respondents to this survey.

0%

0%

0%

7%

7%

7%

29%

14%

7%

43%

50%

0% 10% 20% 30% 40% 50% 60%

Telephone-initiated Payments

Wireless-initiated payments

Fraudulent checks converted to ACH

Use of fraudulent credentials/data

Other internet payments

Cash register frauds

Counterfeit currency

Counterfeit or stolen cards used at POS

Counterfeit or stolen cards used online

Counterfeit checks

Altered or forged checks

Chart V: Top 3 Current Fraud Schemes Involving Payments Accepted By % of Non-FI Respondents

Non-FI, N=14



Financial institution respondents that experienced fraud against their organization’s own account(s) identified counterfeit checks and unauthorized or fraudulent ACH debits as the top schemes most often used (Chart X).

1%

0%

0%

6%

4%

6%

3%

6%

15%

31%

48%

70%

84%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Wireless-initiated payments

Power of Attorney documents for schemes

Other

Fraudulent checks converted to ACH

Use of fraudulent credentials/data

Counterfeit currency

Telephone-initiated payments

Account takeover of customers' accounts

Other internet payments


Counterfeit checks

Counterfeit or stolen cards used online

Counterfeit or stolen cards used at POS

Chart W: Top 3 Current Fraud Schemes Involving Payments Accepted By % of FI Respondents

FI, N=101

6%

8%

24%

31%

21%

37%

0% 5% 10% 15% 20% 25% 30% 35% 40%

Internal fraud scheme

Breach of organizations access or security controls

Fraudulent or unauthorized card transactions

Fraudulent or unauthorized ACH debits


Counterfeit checks

Chart X: Fraud Schemes Involving Organization’s Own Accounts by % of FI Respondents

FI, N=83



Charts Y and Z list the top three sources of information used in fraud schemes, as reported by financial and non-financial institution respondents, respectively. Approximately 70% of the financial institution respondents identified “sensitive” information obtained from a lost or stolen card, check or other physical document or device while in the consumer’s control. For non-financial institution respondents, however, the organization's information was most commonly obtained from a legitimate check issued by the organization.

70%

38%

31%

27%

25%

24%

14%

4%

2%

0% 10% 20% 30% 40% 50% 60% 70% 80%

"Sensitive" info obtained from lost or stolen card, check, or other physical doc or device while in

consumer's control

Physical device tampering (e.g., use of skimmer on POS terminal or obtaining magnetic stripe

information)

Email and webpage cyber attacks e.g., phishing, spoofing and pharming to obtain "sensitive" customer

info

Data breach due to computer hacking or cyber attacks

Org's info obtained from legit check issued by org

Info about customer obtained by family or friend

Other

Lost or stolen physical doc or electronic devices while in control of the organization

Employee with legit access to organization or customer info (employee misuse)

Chart Y: Top 3 Information Sources Used in Fraud Schemes - FIs



e. Payments Fraud Mitigation Methods Used Respondents were asked about their use of—and the effectiveness of—various types of fraud mitigation methods and tools. Questions were asked in four areas: i) authentication methods, ii) transaction screening and risk management approach, iii) internal controls, and iv) risk mitigation services offered by financial institutions. i. Authentication. Respondents were asked which authentication methods their organizations currently use or plan to use to mitigate payment risk. Responses are indicated in Charts AA and BB for financial and non-financial institution respondents, respectively. In a hopeful sign for the growth in adoption of the EMV standards3 for card processing, some 17% of FI respondents indicated that they plan to use chip card authentication by 2014. 3 EMV® is a global standard for credit and debit card transactions based on chip card technology. Though widely adopted in other developing countries, the United States is only beginning to move away from magnetic (“mag’) stripe technology to the EMV standards. The standard is commonly referred to as “chip-and-PIN,” although in the U.S. implementation—as led by the card associations Visa, MasterCard, Discover and American Express—both the option of “chip-and-PIN” and “chip-and-signature” will be allowed.

39%

21%

18%

15%

15%

9%

3%

3%

0% 10% 20% 30% 40% 50%

"Sensitive" info obtained from lost/stolen card, check, or other physical document or

device while in consumer's control

E-mail and webpage cyber attacks (e.g., phishing, spoofing

and pharming) to obtain "sensitive" …

Employee with legitimate access to organization or customer info (employee

misuse)

Data breach due to computer hacking or cyber attacks

Other

Lost or stolen physical doc or electronic devices while in control of the organization

Physical device tampering (e.g., use of skimmer on POS terminal or obtaining

magnetic stripe info)

Info about customer obtained by family or friend

Chart Z: Top 3 Information Sources Used in Fraud Scheme - Non-FIs



Respondents who indicated that their institutions use the various types of authentication methods shown above were then asked to rate the effectiveness of those authentication methods. Overall, both categories of respondents indicate that the processes they have in place are effective (Charts CC and DD). For financial institutions using signature verification, it was the authentication method most often thought to be “somewhat ineffective” (11%), while non-

1%

14%

25%

66%

66%

68%

71%

88%

85%

90%

17%

4%

9%

1%

7%

2%

1%

4%

0%

0%

82%

82%

66%

33%

27%

30%

28%

8%

15%

10%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Card chip authentication

Biometrics authentication

Verify customer ID is authentic (magnetic stripe)

Positive ID of purchaser for in-store/person …

Real-time decision support during account …

Magnetic stripe authentication

Verify CID codes on payment card

Customer authentication for online transactions

Signature verification

PIN authentication

Chart AA: Authentication Methods - FIs

Use Use by 2014 Don't use

0%

8%

13%

14%

23%

33%

27%

36%

40%

47%

0%

0%

0%

0%

8%

0%

0%

0%

0%

7%

100%

92%

88%

86%

69%

67%

73%

64%

60%

47%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%






PIN authentication





Chart BB: Authentication Methods - Non-FIs




financial institution respondents using magnetic stripe authentication more often chose that method as “somewhat ineffective” (50%), though the limited number of respondents to this question may make it hard to draw a broad conclusion.

0%

37%

40%

49%

42%

55%

60%

58%

65%

67%

0%

59%

60%

41%

58%

54%

40%

4%

33%

33%

0%

4%

0%

11%

0%

0%

0%

1%

2%

0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%







PIN authentication




Chart CC: Effectiveness of Authentication - FIs

Very effective Somewhat effective Somewhat ineffective

0%

0%

40%

25%

50%

0%

71%

67%

100%

100%

0%

100%

60%

75%

50%

50%

29%

33%

0%

0%

0%

0%

0%

0%

0%

50%

0%

0%

0%

0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%










PIN authentication

Chart DD: Effectiveness of Authentication - Non-FIs




ii. Transaction Screening and Risk Management Approach. Use of different methods to screen transactions and apply centralized risk management varied significantly in overall adoption between FIs and other organizations (Charts EE and FF). While both financial and non-financial institution respondents rely on human review of payment transactions, a larger percent of FI respondents have adopted or plan to adopt centralized fraud information databases (for either one or multiple payment types) and participate in fraudster databases/receive alerts.

43%

52%

48%

76%

83%

87%

85%

86%

94%

11%

4%

11%

4%

7%

0%

1%

0%

3%

47%

44%

42%

20%

10%

13%

14%

14%

2%

0% 20% 40% 60% 80% 100%

Centralized fraud info database - multiple …

Centralized fraud info database - one payment type

Centralized risk management department

Fraud detection software w/ pattern matching

Provide customer education on payment fraud …

Participate in fraudster databases and receive alerts

Human review of payment transactions

Fraud detection pen for currency

Provide staff education on payment fraud risk …

Chart EE: Screening and Risk Management - FIs




Respondents who indicated that they use certain screening and risk management processes were also asked to report on their sense of the effectiveness of those processes. Their responses are indicated in Charts GG and HH. As with the effectiveness of their authentication processes in the section above, in the case of transaction screening and risk management processes, both categories of respondents indicate that the processes they have in place are effective. For non-financial institution respondents, “participate in fraudster databases and receive alerts” was the only method deemed by any respondent(s) to be “somewhat ineffective,” though, again, the limited number of respondents to this question may make it hard to draw a broad conclusion there.

6%

6%

12%

14%

19%

31%

50%

80%

88%

6%

6%

6%

0%

0%

0%

0%

0%

0%

88%

88%

82%

86%

81%

69%

50%

20%

13%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Centralized fraud info database - multiple payment types



Provide customer education on payment fraud risk mitigation




Provide staff education on payment fraud risk mitigation


Chart FF: Screening and Risk Management - Non-FIs




iii. Internal Controls. Respondents were asked which internal controls and procedures their organizations currently use or plan to use (Charts II and JJ). Ninety-seven percent of financial

25%

42%

54%

53%

46%

50%

49%

57%

66%

68%

53%

46%

46%

49%

48%

49%

42%

32%

7%

5%

0%

1%

5%

2%

3%

2%

3%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%










Chart GG: Effectiveness of Transaction Screening and Risk Mgmt. - FIs


0%

43%

50%

50%

50%

64%

100%

100%

100%

100%

57%

0%

50%

50%

36%

0%

0%

0%

0%

0%

50%

0%

0%

0%

0%

0%

0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%










Chart HH: Effectiveness of Transaction Screening and Risk Mgmt. - Non-FIs




institution respondents reconcile bank accounts daily, but only 81% of non-financial institutions do so. Non-financial institution respondents seem to show a strong preference for use of separate accounts for different types of payments. Non-financial institution respondents seem to be more focused on card-related solutions, as by 2014 a number of respondents plan to set transaction limits for corporate card purchases and to review card-related reports daily.

45% 56%

73% 82% 84%

88% 95% 94%

91% 97% 97% 95% 95% 100% 100%

7% 2%

1% 1%

1% 0%

0% 1%

3% 0% 0% 1% 0%

0% 0%

48% 42%

26% 17% 15% 12%

5% 5%

6% 4%

4% 4% 5% 0% 0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Employee hotline to report potential fraud Dedicated computer for transactions w/ FI or for …

Separate banking accounts by purpose or … Transaction limits for corporate card purchases Restrict/limit employee internet use from org's … Physical access controls to payment processing …

Transaction limits for payment disbursements Review card related reports daily

Logical access controls to network/payment … Authentication/authorization controls to payment …

Reconcile bank accounts daily Verify controls applied via audit or management … Dual controls/separation of duties w/in payment …

Address exception items timely Periodic internal/external audits

Chart II: Internal Controls - FIs




Respondents who indicated they used the types of internal controls as shown above were also asked to report on the effectiveness of those controls. Their responses are indicated in Charts KK and LL. As with the effectiveness of both their authentication processes and in the transaction screening and risk management processes (in the sections above), in the case of internal controls, both categories of respondents indicate that the processes they have in place are effective.

53%

47%

50%

69%

87%

67%

81%

88%

87%

18%

100%

100%

93%

100%

94%

13%

0%

0%

6%

0%

0%

0%

0%

7%

6%

0%

0%

0%

0%

0%

33%

53%

50%

25%

13%

33%

19%

13%

7%

13%

0%

0%

7%

0%

6%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Review card related reports daily

Dedicated computer for transactions w/ FI or for …

Employee hotline to report potential fraud

Restrict/limit employee internet use from org's …

Separate banking accounts by purpose or …

Transaction limits for payment disbursements

Reconcile bank accounts daily

Address exception items timely

Verify controls applied via audit or management …

Transaction limits for corporate card purchases

Logical access controls to network/payment …

Authentication/authorization controls to payment …

Periodic internal/external audits

Dual controls/separation of duties w/in payment …

Physical access controls to payment processing …

Chart JJ: Internal Controls - Non-FIs

Use Use by 2014 Don’t use



iv. Risk Mitigation Services Offered by Financial Institutions. Of the various risk mitigation services offered by financial institutions, the top five used by non-financial institution

63% 66% 64%

71% 79%

75% 74% 75%

79% 79% 79% 78%

74% 86%

81%

37% 29% 33%

29% 21%

25% 26% 24%

21% 21% 21% 23%

24% 15%

19%

0% 5% 3% 0% 0% 0% 0% 1% 0% 0% 0% 0%

2% 0% 0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Restrict/limit employee internet use from … Employee hotline to report potential fraud

Separate banking accounts by purpose or … Transaction limits for corporate card purchases

Review card related reports daily Transaction limits for payment disbursements

Verify controls applied via audit or management … Periodic internal/external audits

Physical access controls to payment processing … Address exception items timely

Logical access controls to network/payment … Authentication/authorization controls to payment …

Dual controls/separation of duties w/in payment … Reconcile bank accounts daily

Chart KK: Effectiveness of Internal Controls - FIs


71% 70%

78% 91%

100% 92% 92% 92%

85% 77%

85% 100%

93% 92%

100%

29% 30%

22% 9%

0% 8% 8% 8%

15% 23%

15% 0%

7% 8%

0%

0% 0% 0% 0% 0% 0% 0% 0% 0%

0% 0% 0%

0% 0% 0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Employee hotline to report potential fraud Restrict/limit employee internet use from …

Transaction limits for payment disbursements Separate banking accounts by purpose or …

Transaction limits for corporate card purchases Verify controls applied via audit or management …

Periodic internal/external audits Logical access controls to network/payment …

Physical access controls to payment processing … Address exception items timely

Dual controls/separation of duties w/in payment … Authentication/authorization controls to payment …

Reconcile bank accounts daily Review card related reports daily

Chart LL: Effectiveness for Internal Controls Non-FIs




respondents as reported in Chart MM are: online information services (e.g. statements), multi-factor authentication to initiate payments, fraud loss prevention insurance, check positive pay/reverse positive pay, and ACH debit blocks. Based on the responses as to which services FIs plan to use by 2014, there appears to be significant planned growth in the ACH area, with the use of ACH payee positive Pay (23%) and ACH debit blocks (7%) and debit filters (7%) on the horizon.

When it comes to the effectiveness of these services offered by financial institutions, non-financial institution respondents (users of the services) overall indicated positive responses (Chart NN). The one exception was fraud loss prevention services (e.g., insurance). It is possible that financial institution respondents see insurance as less effective as it does not prevent fraud; it is really only a solution for after fraud has already occurred.

0% 15%

33% 46%

57% 62%

86% 71%

69% 80% 80%

87% 100%

8% 23%

0% 0%

7% 8%

0% 7%

0% 7%

0% 0%

0%

92% 62%

67% 54%

36% 31%

14% 21%

31% 13%

20% 13%

0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Account masking services ACH payee positive pay Post no check services

ACH positive pay Check payee positive pay

Card alert services for commercial/corporate cards Fraud loss prevention services, e.g., insurance

ACH debit filters Account alert services

ACH debit blocks Check positive pay/reverse positive pay

Multi-factor authentication to initiate payments Online information services, e.g., statements

Chart MM: Percentage of Non-FIs Using Risk MitigationServices Offered by FIs




Chart OO provides a view of the various risk mitigation services that are being offered by financial institution respondents. A large majority of respondents are offering services such as online statements to their corporate customers and have implemented multifactor authentication requirements for the initiation of payments. As one moves down the list of service offerings to more complex products, such as positive pay/reverse positive pay and payee positive pay (for both check and ACH), the percentage of financial institution respondents offering those services decreases significantly. It is possible that community bank respondents either cannot offer some of these more sophisticated services or they do not have a commercial customer base that has yet expressed a need for them. In addition, because the financial institution respondents include all types of FIs – both banks and credit unions – the number of respondents may reflect some credit unions that traditionally support individual members, as opposed to corporate customers, and may not need to offer such services to their retail customer base.

55%

57%

86%

86%

80%

80%

92%

80%

83%

100%

100%

100%

0%

27%

43%

14%

14%

20%

20%

8%

20%

17%

0%

0%

0%

0%

18%

0%

0%

0%

0%

0%

0%

0%

0%

0%

0%

0%

0%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Fraud loss prevention services, e.g., insurance

Account alert services

Card alert services for commercial/corporate cards

Online information services, e.g., statements

Post no check services

ACH debit filters

Multi-factor authentication to initiate payments

ACH positive pay

Check positive pay/reverse positive pay

ACH debit blocks

Check payee positive pay

ACH payee positive pay

Account masking services

Chart NN: Effectiveness of Risk Mitigation Services




f. Opportunities to Reduce Payments Fraud Respondents reported on opportunities to reduce fraud in three areas: i) organizational actions, ii) barriers to reducing payments fraud, and iii) legal and regulatory changes. i. Organizational Actions. Respondents were asked what new or improved methods are most needed to reduce payments fraud (Chart PP). Nearly two-thirds of the respondents said their organizations should apply controls over Internet payments, while more than half of all respondents are in favor of replacement of card/magnetic stripe technology. The latter bodes well for the coming adoption of the EMV standards for card transactions in the U.S.4

4 See page 19.

20%

22%

30%

29%

51%

49%

43%

63%

51%

74%

91%

95%

8%

6%

1%

6%

4%

5%

10%

2%

5%

8%

1%

2%

72%

72%

69%

65%

45%

46%

47%

34%

43%

18%

8%

2%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

ACH payee positive pay

Check payee positive pay

Post no check services

ACH positive pay

Check positive pay/reverse positive pay

ACH debit filters

Card alert services for commercial/corporate cards

ACH debit blocks

Account masking services

Account alert services

Multi-factor authentication to initiate payments

Online information services, e.g., statements

Chart OO: Percentage of FI/Svc. Provider Respondents Offering Risk Mitigation Services

Offer Offer by 2014 Don't offer



When asked what authentication methods their organizations might prefer or consider adopting to help reduce payments fraud, the adoption of tokens led the way among non-financial institution respondents, while multifactor authentication was the top method among financial institution respondents. When viewed in total, approximately 58% of respondents were in favor of multifactor authentication (Chart QQ).

5%

22%

29%

30%

50%

53%

51%

55%

53%

64%

8%

23%

39%

39%

39%

46%

54%

39%

31%

31%

5%

22%

27%

28%

52%

54%

51%

58%

57%

69%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Other

Image-survivable check security features for business checks

Industry alert services

Industry-specific education on best prevention practices for fraud

Controls over mobile payments

Information sharing on emerging fraud tactics being conducted by criminal rings

More aggressive law enforcement

Consumer education of fraud prevention

Replacement of card/magnetic strip technology

Controls over internet payments

Chart PP: New/Improved Methods Needed to Reduce Payments Fraud

FI, N=85

Non-FI, N=13

Total, N=98



ii. Barriers to Reducing Payments Fraud. Respondents reported on barriers to further reducing payments fraud. Most identified a version of “cost” as the main barrier, citing lack of staff resources, implementation costs and lack of compelling business case as the main barriers. A complete summary is listed in Chart RR.

3%

18%

30%

42%

46%

38%

42%

58%

51%

11%

0%

33%

78%

11%

56%

22%

44%

44%

2%

21%

30%

39%

49%

36%

45%

59%

52%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Other

Biometrics

Mobile device to authenticate person

Token

Out-of-band/channel authentication …

PIN requirement

Chip for dynamic authentication

Multi-factor authentication

Chip and PIN requirement

Chart QQ: Authentication Methods Preferred/Considered for Adoption to Reduce Payments Fraud

FI, N=83

Non-FI, N=9

Total, N=92



iii. Legal or Regulatory Changes. Respondents were also asked to offer views on legal and regulatory changes that would help reduce payments fraud. Many respondents would like to see increased penalties for fraud and more likely prosecution. Topping the list for FI respondents was placing more responsibility for fraud mitigation with—and shifting liability for fraudulent card payments to—the entity that initially accepts the card. This is interesting in light of the planned liability shifts that are part of the EMV “roadmaps” of all the major card associations (MasterCard, Visa, Discover and American Express). Table 2 lists these and other considerations.

11%

14%

23%

37%

29%

23%

47%

63%

20%

30%

30%

40%

0%

0%

30%

60%

10%

13%

23%

36%

33%

26%

49%

64%

0% 10% 20% 30% 40% 50% 60% 70%

Other

Unable to combine payment information for review due to operating w/ multiple business areas, …

Corporate reluctance to share information due to competitive issues

Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods

Cost of implementing commercially available fraud detection tool/service

Cost of implementing in-house fraud detection tool/service

Consumer data privacy issues/concerns

Lack of staff resources

Chart RR: Main Barriers to Payments Fraud Mitigation

FI, N=80

Non-FI, N=10

Total, N=90



Table 2: Legal and Regulatory Considerations by Percentage of Respondents

h. Conclusions Considered as a whole, the results of our 2012 payments fraud survey suggest the following: • Both financial institutions and corporations of all sizes in the district continue to be

concerned about payments-related fraud.

• Most problematic is fraud that affects checks and debit cards because these are the payment types that were most often attacked by fraud schemes and that sustained the highest losses as a result. These findings are generally consistent with fraud surveys conducted by national industry associations such as the Association for Financial Professionals (AFP).5

• Although fraud involving “corporate account take-over” has been highlighted in the press

recently as a major problem, it was not cited as a significant scheme that affected respondents to this survey.

• Most financial institutions and other corporations report total fraud losses that represent less than .3% of their annual revenues. While any loss due to fraud is undesirable, by this measure these levels are relatively small.

5 See http://www.afponline.org/fraud/

Legal and Regulatory ChangesFI

(N=86)FI

(%)Non-FS(N=13)

Non-FS(%)

Total(N=99)

Total(%)

Place responsibility to mitigate fraud and shift liability for fraudulent card payments to the entity that initially accepts the card payment

67 78% 3 23% 70 71%

Increase penalties for fraud and attempted fraud 63 73% 9 69% 72 73%

Place more responsibility on consumers and customers to reconcile and protect their payment data

63 73% 5 39% 68 69%

Assign liability for fraud losses to the party most responsible for not acting to reduce the risk of payment fraud

60 70% 5 39% 65 66%

Strengthen disincentives to committing fraud through stiffer penalties and more likely prosecution

49 57% 10 77% 59 60%

Improve law enforcement cooperation on domestic and international payments fraud and fraud rings

48 56% 8 62% 56 57%

Focus future legal or regulatory changes on data breaches to where breaches occur

44 51% 3 23% 47 47%

Align Regulation E and Regulation CC to reflect changes in check collection systems' use of check images and conversion of checks to ACH

39 45% 4 31% 43 43%

Assign responsibility for mitigating fraud risk to the party best positioned to take action against fraud

41 48% 2 15% 43 43%

Establish new laws/regs or change existing ones in order to strengthen the management of payments fraud risk

27 31% 5 39% 32 32%



• Organizations are using various internal controls and procedures to mitigate payments fraud risk. Transaction monitoring, authentication, and risk services offered by financial institutions are also used.

• Lack of staff resources is the primary barrier cited by a majority of organizations when considering additional options for mitigating payments fraud risk.

2012 payments fraud survey results - dallas fed/media/documents/outreach/fi/fraudsurv… ·...

Documents