client bulletin - profitstars · an invitation to join the profitstars® enterprise payment...

Client Bulletin

Enterprise Payment Solutions (EPS)

An integrated suite of remote deposit capture, ACH and card transaction processing solutions, risk management tools, reporting capabilities, and more for financial institutions of all sizes.

Volume 1 Issue 4

JUNE 2013




Contents

■ An Invitation to Join the ProfitStars® Enterprise Payment Solutions (EPS) User Group

■ Fraud Prevention Partners: ACH Client™ and ACH Alert™ C.O.P.S.

■ Special Webinar Opportunity! Account Takeover & FFIEC Guidance: Are You Layered Enough?

■ Same-Day ACH: The Tipping Point?

■ Education on the Learning Management System (LMS)

■ EPS Resources and Contact Information

■ EPS Client Bulletin

An Invitation to Join the ProfitStars® Enterprise Payment Solutions™ (EPS) User Group

By Jacob Hutchinson, SVP, Operations, MainStreet Bank

What Is the EPS User Group?

We invite all EPS customers to become members of the ProfitStars EPS User Group. For the benefit of all, this group was formed to:

■ Facilitate the exchange of information and experiences among member organizations to advance the use of EPS products and improve the services delivered.

■ Facilitate and stimulate communication between users of the EPS product line to foster greater knowledge as well as exchange ideas and/or problem-solving resolutions.

■ Provide cooperation in achieving common goals and objectives between users of EPS products and to ensure that our solutions remain in the forefront of the financial services industry.

■ Communicate to ProfitStars the desired system modifications and enhancements to EPS products, plus suggestions for improvements to education, documentation, user communication, and user services support areas.

■ Provide ProfitStars with a formalized avenue to facilitate product research, development, and analysis.

■ Provide leadership and assistance where needed with Regional User Groups, if applicable.

How Do User Group Members Interact?

Do you have questions that fall outside a technical support call, but you just can’t find the right person to ask? The User Group can help. The challenging questions below (and many others) have been answered by members of the group in the discussion area.

■ “We are installing RDA and are trying to come up with the best way to handle the following issues: (1.) Terms and Conditions/Disclosures – How do customers agree to Terms and Conditions (T&C)? (2.) What is the best way to sign up new customers?”

■ “Would anyone be willing to share (if you know) what you did to meet the ‘awareness and education’ requirements of the FFIEC guidance, if you did anything other than post a document/message on your website?”

■ “We have received the majority of the annual assessments back from our customers. I am finding that many customers are not in compliance due to the retention of scanned checks. We state that checks should be retained no fewer than 30 days nor kept longer than 60 days, and then shredded after the retention period. However, I have received multiple comments from customers saying that they keep the scanned checks for a year, keep them as payment records, or keep them for audit purposes, etc. I am wondering if anyone else has the same outcome, and if so, how do you handle this, and do you make any exceptions? Any input would be helpful!”

■ “We are currently starting a task force to roll out this new product. We are torn between charging or not charging consumers. Is anyone willing to share their pricing? Or, is this a product to offer for free, and if so, are there so many items free per month, and then you charge for additional?”

■ “It is finally time for us to replace the single-feed RDM scanners with either the Epson Capture One or CheXpress CX30; these appear to be the two front-runners. Would you mind weighing in with your favorite? I will be happy to publish the results to all who respond. Thanks!”


How Does the User Group Influence the EPS Product Line?

Would you like to help shape the future of the EPS products you use? Is there a particular feature or option that you would like to see added to an EPS product? The User Group membership votes to identify the top enhancement requests and to prioritize those requests. The prioritized items are then submitted to EPS for inclusion on the product roadmaps. As a member of the User Group, you have the opportunity to gather support for the enhancement requests that you would like to see implemented by encouraging others to vote for those enhancements as well. Add your voice by joining today!

How Do I Join?

Membership is easy and free. As long as your financial institution is an active user of one or more ProfitStars EPS solutions, you may join.

■ Go to https://groups.google.com/forum/#!forum/profitstars-user-group.

■ Sign in with a Google™ account associated with your work email address.

■ Click Apply for membership.

■ Select how you would like to be notified of new group posts, set your nickname, and click Apply to this group.

Fraud Prevention Partners: ACH Client™ and ACH Alert™ C.O.P.S. By Debbie Peace, AAP, Chief Executive Officer, ACH Alert

Making a technology investment decision is never an easy task, particularly when it involves making a purchase to simply satisfy a compliance objective or prevent loss from fraud that hasn’t occurred yet. But then again, most of us probably don’t relish the thought of paying for insurance either.

When the Federal Financial Institutions Examination Council (FFIEC) issued its supplement (June 2011) to Authentication in an Internet Banking Environment (October 2005), it mandated layered security, calling for “different controls at different points in the transaction process” and “the ability to detect and respond to suspicious activity” because “virtually every form of authentication can be compromised.”

A plethora of “effective controls” were cited, and financial institutions were left to decide which controls and how many to put in place to satisfy the regulatory requirement and prevent losses from fraud that could be perpetrated on their customers’ computers.

Many financial institutions acted quickly to strengthen authentication. Out-of-band authentication, tokens, and secure browser sessions were adopted, but since the guidance itself states virtually every form of authentication can be compromised (and most of them have already been compromised), financial institutions added another layer to monitor customer patterns of behavior, the first effective control cited in the supplemental guidance.

Behavioral monitoring can be very effective when a less-sophisticated fraudster originates an ACH file that is not within the normal dollar amount, frequency, or number of transactions an originator usually creates. Staff can typically spot the suspicious behavior quickly and reach out to the originator to verify the integrity of the file before processing it. Unfortunately, fraudsters have become more sophisticated, and financial institutions relying solely on behavioral monitoring systems are finding that the responsibility they have taken on to detect and respond to suspicious activity can quickly translate into liability if something critical is missed.


Significant losses have occurred when financial institutions have relied solely on behavioral monitoring systems that didn’t detect unusual behavior because an ACH file came in with the correct dollar amounts, within the expected frequency, and with the normal number of transactions in the file, but the destination of the transactions within the ACH file had been manipulated, routing funds to unintended accounts.

Hence the need for additional layers: “different controls at different points in the transaction process so if one method fails, it can be compensated by another.” But what do these additional layers need to be? Is there a way to add layers without adding more staff, more responsibility, and potentially more liability to a financial institution?

The FFIEC supplemental guidance cites other effective controls, such as positive pay, alerts, the use of separate access devices, and out-of-band verification of transactions (not to be confused with out-of-band authentication), and while it calls for administrative controls to be maintained by the financial institution (FI), it certainly doesn’t mandate that financial institutions shoulder all the responsibility.

Operation High Roller, which netted fraudsters $78 million out of an attempted $1 billion heist, led to a more specific recommendation by the European Network and Information Security Agency (ENISA) that ironically mirrored the deeper levels of control cited by the FFIEC guidance but put it in more user-friendly language. ENISA recommended systematic anomaly detection to cross-check the value and destination of transactions and verify anomalies with the user via a trusted channel like an SMS text or a phone call.

The United States and European agencies seem to align on one key point: systematic review of where the money is going and the value of engaging customers to perform the verification/approval process outside of the online channel where the fraud is being perpetrated.

ProfitStars® shared this vision when they partnered with ACH Alert to provide C.O.P.S. (Credit Origination Positive-Pay Service) to their financial institution customers last year. We have just completed the integration effort between ACH Client and C.O.P.S., making compliance and customer-engaging fraud prevention a completely automated and user-friendly reality.

C.O.P.S. isn’t a single control. It is a single solution that provides multiple layers of security with different controls at different points in the transaction process!

■ FI Administrative Control – The FI controls the setup of users and where an originator’s alerts are sent, so fraudsters cannot divert alerts.

■ Systematic Anomaly Detection/Positive Pay – C.O.P.S. examines the routing/account number of every ACH credit against an originator’s list of valid payment recipients (that can only be introduced to C.O.P.S. by the FI and approved by the originator with a valid authorization code).

■ Separate Access Device – C.O.P.S. can notify the originator via SMS text when an anomaly is detected.

■ Alerts – C.O.P.S. alerts the originator of exceptions, providing a one-time, system-generated authorization code to allow secure approval of exceptions.

■ Out-of-Band Verification – C.O.P.S. allows the originator to view the exceptions online and then reject fraudulent entries or authorize funds to be released to a payment recipient (one-time or for all future transactions, by adding them to the list of valid payment recipients), provided the originator enters the one-time system-generated code sent via the separate access device.

■ Confirmation Alerts – C.O.P.S. transmits a confirmation alert to the originator of any action registered by C.O.P.S.

Financial institutions that use ACH Client and want to leverage C.O.P.S.’s highly automated, customer-engaging (and revenue-generating) fraud prevention services can do so quite easily.


How Does the ACH Client/C.O.P.S. Integration Work?

Financial institutions enroll originators and their contacts into C.O.P.S. via the FI user portal. In ACH Client, the FI enables C.O.P.S. monitoring for each category and/or customer. When ACH batches are initiated in ACH Client, that application will call on C.O.P.S. to verify the routing/account number combination of each ACH credit entry against each originator’s list of pre-approved payment recipients.

If all transactions are verified, the batch is released and processed in the normal manner. If an anomaly is detected by C.O.P.S., the batch is marked as pending by ACH Client, and an out-of-band alert with a one-time, system-generated authorization code is sent to the originator (preferably via SMS text, although email is supported). The originator logs in to C.O.P.S., views the exception, and makes the decision to pay or reject the batch with exceptions.

ACH Client continually pings C.O.P.S. looking for a status update. When the originator acts, the batch status goes from pending to approved or rejected, and ACH Client handles the batch accordingly. If a batch is rejected by the originator via C.O.P.S., ACH Client will detain the batch to ensure fraudulent transactions designated to go to unknown accounts are not processed.
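The batch screening and out-of-band approval flow described above, modeled as an added Python example. It is not ACH Client or C.O.P.S. code, and every name in it (Credit, Batch, screen, decide, the sample routing and account numbers) is hypothetical. It also covers the case from earlier in the article where volume-only behavioral monitoring passes a batch whose destination was altered.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the workflow; not ACH Client or C.O.P.S. code or APIs.

@dataclass(frozen=True)
class Credit:
    routing: str          # receiving routing/transit number
    account: str          # receiving account number
    amount_cents: int

@dataclass
class Batch:
    originator: str
    credits: list
    status: str = "new"   # new -> released, or pending -> approved / rejected
    exceptions: list = field(default_factory=list)
    otp: Optional[str] = None   # one-time code, delivered out of band

def behavioral_check(batch, profile):
    """Volume-only monitoring: total and entry count within the usual range."""
    total = sum(c.amount_cents for c in batch.credits)
    return (total <= profile["max_total_cents"]
            and len(batch.credits) <= profile["max_entries"])

def screen(batch, approved):
    """Positive pay: each credit's (routing, account) must be pre-approved.

    Returns the one-time code to send over the separate channel, or None
    when every destination is known and the batch is released.
    """
    batch.exceptions = [c for c in batch.credits
                        if (c.routing, c.account) not in approved]
    if not batch.exceptions:
        batch.status = "released"
        return None
    batch.status = "pending"
    batch.otp = f"{secrets.randbelow(10**6):06d}"
    return batch.otp

def decide(batch, code, action, approved):
    """Apply the originator's decision to a pending batch; True if accepted."""
    if action not in ("approve_once", "approve_and_add", "reject"):
        return False
    if batch.status != "pending" or batch.otp is None:
        return False
    if not hmac.compare_digest(code.encode(), batch.otp.encode()):
        return False                  # wrong code: batch stays pending
    batch.otp = None                  # the code is single use
    if action == "reject":
        batch.status = "rejected"     # detained, never sent to the network
        return True
    if action == "approve_and_add":   # stop future exceptions for these payees
        approved.update((c.routing, c.account) for c in batch.exceptions)
    batch.status = "approved"
    return True

def demo():
    # Constructed sample data: placeholder routing and account numbers.
    approved = {("000000011", "1001"), ("000000011", "1002")}
    profile = {"max_total_cents": 500_000, "max_entries": 3}
    # Usual amounts and entry count, but the second destination was altered.
    tampered = Batch("acme-payroll", [
        Credit("000000011", "1001", 150_000),
        Credit("000000022", "9999", 175_000),
    ])
    passed_volume = behavioral_check(tampered, profile)   # True: looks normal
    code = screen(tampered, approved)                     # pending, code issued
    wrong = "x" + code[1:]                                # guaranteed mismatch
    refused = decide(tampered, wrong, "approve_once", approved)
    rejected = decide(tampered, code, "reject", approved)
    return passed_volume, len(tampered.exceptions), refused, rejected, tampered.status

if __name__ == "__main__":
    print(demo())
```
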

Why Strategic-Thinking Financial Institutions Want It

The integration of ACH Client and C.O.P.S. helps financial institutions using ACH Client meet FFIEC compliance objectives, shift responsibility (and potential liability) to originators, improve operational efficiencies, effectively combat sophisticated fraud, and engage customers to participate in their own self-protection via their mobile devices.

A side benefit is new revenue potential. C.O.P.S. can be presented as a mobile fraud prevention service using the educational sales video we brand and produce for our FI clients to help them promote the service to their originators.

Effective, compliant, and convenient. Finally, a technical investment decision that is an easy task and “makes cents”!

Special Webinar Opportunity! Account Takeover and FFIEC Guidance: Are You Layered Enough? By Ron Harman, AAP, EPS Education Manager

The ProfitStars® EPS Education group will be presenting an informative one-hour webinar, Account Takeover and FFIEC Guidance: Are You Layered Enough, on Wednesday, June 12, 2013 at 10 a.m. CT.

This special presentation will emphasize how experts at compromising entry points, who are both creative and technology-savvy, can steal online banking credentials to create fraudulent transfers from customers’ accounts. When this occurs, funds are lost, litigation can occur, and relationships are damaged.

Financial institution employees attending this session will learn about the logic behind the multiple layering requirement of the supplemental Federal Financial Institutions Examination Council (FFIEC) guidance issued in June 2011, as well as the international continuity it displays in light of the post-Operation High Roller recommendations made by the European Network and Information Security Agency (ENISA) just last year.

The educational webinar will explain legal case studies and reputation impact, as well as best practices to prevent account takeover and how to respond, should it occur.


Register for the June 12 webinar!

Guest presenter for this webinar will be Debbie Peace, AAP. Currently the CEO of ACH Alert, Debbie has more than 20 years of experience in the ACH industry, specializing in areas involving operations, marketing, and product development. Debbie has conducted numerous educational ACH seminars across the country and has served on the Consumer Advisory Council of the Federal Reserve Board. She was invited to demonstrate the innovative fraud prevention tools developed by ACH Alert to the Office of the Comptroller of the Currency (OCC) in New York, and she was engaged by the State of Tennessee Bank Commissioner to provide ACH training for the State of Tennessee Bank Examiners.

Special No-Cost Bonus Opportunity

All FI employees who register for the above webinar will be invited to attend a special 30-minute demonstration, Maximum Account Takeover Protection/Minimal Effort and Positive Impact, which will immediately follow the first presentation.

The demonstration will explain the use of ACH Alert™ C.O.P.S., a credit origination, positive-pay service designed to protect financial institutions and their originators from becoming victims of account takeover.

ACH Alert C.O.P.S., recently integrated into the ProfitStars ACH Client™ origination software, will detain batches with suspect transactions and thereby prevent losses from account takeover.

C.O.P.S. systematically examines the routing/transit and account number combination of each outbound ACH credit entry and compares them to each enrolled originator’s list of valid payment recipients. If an anomaly is detected, an out-of-band alert (with a one-time system-generated authorization code) is sent via the method and to the contact that the financial institution enrolled for that originator.

The ACH originator would then log in to view the exceptions. If the transactions are fraudulent, the transactions are detained by C.O.P.S. and are never entered into the ACH Network. If the transactions are valid, the originator can approve the transactions one time or add the payment recipient to their approved list to prevent future exceptions and alerts. Any action taken by the originator is followed up with an alert confirming the action taken.

Six effective layers of security cited in the FFIEC supplemental guidance as effective controls are contained in the simple and effective C.O.P.S. solution.

Join us to learn how easy it is for you and your ACH originators to obtain maximum account takeover protection with minimal effort and positive impact!

Same-Day ACH: The Tipping Point?

By Tammy Wilson, EPS Sr. Product Manager

Some argue that when paper checks can clear faster than an all-electronic payment, something is amiss in the payments world. While most agree that innovation and change are needed to support market demands, the real question is, “How do we get there?”

Looking back to the recent efforts by both the Federal Reserve and NACHA, the path to same-day ACH appears rocky. In 2010, the Federal Reserve rolled out the FedACH® SameDay Service for select debit transaction types. There were many critics of the limited, opt-in approach, and with only 16 banks signing up over the course of the last two-plus years, the motivation for others to participate was low. The next step on the path was the Expedited Processing and Settlement (EPS) initiative that NACHA introduced in September 2011. Their proposal mandated RDFI participation and supported both debit and credit transaction types (except IATs). Much industry discussion ensued, and several groups voiced concerns that the impact needed to be more thoroughly analyzed. The end result in August 2012 was a failure to pass the measure. The NACHA proposal would have had significant impacts both positive and negative, but did its demise leave us back at square one?

Fast forward to April 2013 to find the Federal Reserve’s latest rendition of the SameDay Service. The new service supports debits and credits and all SEC codes except IAT and the little-used TRC and TRX. The service is still opt-in and not mandatory for any FI. It continues to allow RDFIs to elect to receive on a multilateral (all participants) or unilateral (only specified participants) basis. Critics are still vocal about the lack of ubiquity in the service, which could prove to keep the number of participants low. Steven Cordray, Product Manager for the Federal Reserve service, remains hopeful, however, that the recent changes will spark interest. In speaking to a packed house at the NACHA Payments conference in April, Cordray said that the participation of banks had doubled in the few weeks since the April 1 rollout of the enhanced service.

The ACH network hasn’t experienced changes in the settlement process in decades, but is the lack of innovation to support the evolving needs of today a hindrance to the future viability of the network? Technology has created the expectation of an on-demand world, and payment options are no exception. Business cases to support the need for same-day ACH include person-to-person (P2P) payments, expedited bill payment options, and more flexibility in payroll processing to allow for later files. However, some question the validity of these applications and if the batch-based ACH system is the correct rail for transactions that need near real-time response.

Even if the changes are justified, we should consider if the cost associated with these changes is supported by the need. Same-day ACH has a sizable impact both operationally and technologically. The later release of incoming files forces later-in-the-day staffing needs. Exception processing and reporting systems have to adjust to accommodate the new shortened window of receipt to posting. There is concern that fraud and risk management could be compromised due to the limited opportunity to review anomalies. While ODFIs can charge a premium to same-day originators, it leaves the RDFI in an unfortunate position with few options to recoup the costs for supporting the service. Since the ODFI business case is dependent upon having receivers, we end up with the age-old chicken-and-egg situation.

Though the Federal Reserve solution has its faults, starting down the path and making adjustments could be viewed as progress, but maximum benefit will only be experienced when there is collective participation, only truly likely with a mandate. Another consideration at this point is whether investment in same-day ACH is going to get us where we need to be long term, or if we should be instead planning the support of a real-time platform. When there isn’t an existing solution, competing options step in to fill the gap. We are starting to see this today, but it is a challenge to replicate the reach of the ACH network.

While NACHA considers how to proceed with an industry-wide solution, we should consider what is required of us to adapt to changing market needs. Hopefully, the tipping point will not be one that shifts the balance to an alternative solution that isn’t as efficient, cost effective, and manageable as the ACH network has been and strives to continue to be.

Education on the Learning Management System (LMS)

Frequently asked questions (FAQs) about the Learning Management System.

1. Log in to the For Clients portal, go to http://www.jackhenrybanking.com/clientslogin and select the click here link to submit an access request.

2. Select Education | Learning Management System. The Welcome page should display.

Please note: If the Learning Management System option is missing under the Education menu, your For Clients portal Admin will need to grant you the authority to use the LMS.

3. On the right under Browse for Training, select ACH (to search for general, ACH/Remote Deposit/Check eLearnings), or select EPS twice (to search for product-specific eLearnings). The Search page will display.

4. Deselect the checkboxes under the Event, Test, and Material icons. (Only the checkboxes under the Online Class and Curriculum icons should be selected to access eLearnings.)

5. Select the Search button.

6. A list of the available eLearning training will display at the bottom of the page. Select the eLearning titles to review the respective course descriptions.

Please note that only designated eLearning courses are eligible for AAP Continuing Education credits.

7. Once you have chosen an eLearning for which you want to register, under the course description select Add to Cart.

8. On the bottom-right, select Proceed to Checkout.

9. Review the contents of your shopping cart. If applicable, enter your coupon code. Select Next.

10. From the drop-down menu, choose one of the available payment methods (i.e., Credit Card, Send Bill, or Training Unit).

• If you choose Credit Card, enter your credit card information, and then select Next.

• If you choose Send Bill, select Next.

• If you choose Training Unit, type your Training Unit Key Code in the available field, and select Apply. Then select Next.

11. To confirm your purchase, select Place Order.

12. Once you have completed registration, you will receive a confirmation email. When an eLearning request has been received in the LMS, access to the eLearning will be available for a period of five (5) business days. During this period, you (as the registered user) will have unlimited access to the eLearning.

For general questions about eLearning, please contact EPS Education by sending an email to [email protected].

EPS Resources and Contact Information

EPS Support

Hours: 8:00 a.m. – 9:00 p.m. ET

Phone: 877-542-2244

Fax: 877-482-5641

[email protected]

EPS Product Help/Documentation

Comments/Suggestions [email protected]

Release and support documentation are available on the Partner Portal and the For Clients Portal: https://forclients.jackhenry.com

ITMS User Code [email protected]

Audit-Related [email protected]

Billing/Accounting [email protected]

Hardware Sales [email protected]

Sales [email protected]

EPS Education [email protected]

EPS Bulletin [email protected]

EPS Client Bulletin

June 2013, Volume 1 Issue 4

© 2013 Jack Henry & Associates, Inc.®

Contributors: Laura Goforth, Ron Harman, Jacob Hutchinson, Amber Mitchell, Debbie Peace, and Tammy Wilson.

EPS Client Bulletin is a publication of ProfitStars Enterprise Payment Solutions. It is distributed quarterly to our contact database. To unsubscribe, please contact EPS Support at [email protected].

We welcome any comments or suggestions you may have about this newsletter. Please send them to [email protected].

The following are trademarks or registered trademarks of Jack Henry & Associates, Inc.: ACH Client, ACH Manager, Customer Payment Portal, Jack Henry & Associates, ProfitStars, Remote Deposit Complete, Remote Deposit Anywhere, Remote Deposit Express, and SmartSight.

All other trademarks are the property of their respective owners.

Additional information is available at www.ProfitStars.com or by calling 877.827.7101.

Copyright © 2013. Jack Henry & Associates, Inc.® All rights reserved. ProfitStars is a registered trademark of Jack Henry & Associates, Inc.