faster payments talk - jack henry & associates

© 2021 Jack Henry & Associates, Inc.®

Post on 12-Dec-2021

TRANSCRIPT


Faster Payments Talk: Do Faster Payments Lead to Sneakier Fraud?

QUICK POLL: Faster Payment Networks and Fraud

Mary-Helen McElfresh, Sr. Director, Fraud Risk Management

Early Warning®

© 2021 Early Warning Services, LLC. All Rights Reserved. Confidential and proprietary.

EXECUTIVE SUMMARY


• Security and consumer protection are top priorities, and we are constantly optimizing Zelle® to achieve the right balance between reducing consumer friction and the need for security and fraud controls.

• Cybercriminals deploy a variety of tactics, and phishing is one of the most popular. Fraudsters send out mass emails and trick users into surrendering their app login details, which they then use to take over accounts and either send money to their own bank accounts or steal personal data.

• Preventing fraud is a collaboration among financial institutions, Zelle and consumers.

• Our approach to staying ahead of fraud is focused on addressing two critical areas – enrollment and transactions – and we have a mitigation strategy that complements this approach.


Common fraud trend reported by participating financial institutions


ZELLE® PARTICIPANT APPLICATION – COMMON FRAUD SCENARIO

Each step of the Common Fraud Scenario is paired with its Mitigation Strategy:

1. Scenario: Fraudster gathers PII by phishing and/or taking advantage of massive data breaches within credit bureaus, phone carriers, social media companies, etc.
   Mitigation: Educate consumers to watch out for scammers that use email or text messages to trick them into giving away their personal information.

2. Scenario: Fraudster then abuses the password reset functionality of the financial institution, either a) online, or b) via the call center.
   Mitigation: Review password reset processes for weaknesses prior to participation in the Zelle Network®.

3. Scenario: Fraudster enrolls with Zelle within the app and initiates a transfer.
   Mitigation: Each token a consumer enrolls with Zelle must be verified via OTP, Mobile Authorization or a similar process.

4. Scenario: Many financial institutions generate an SMS OTP at this point. However, the fraudster bypasses it by a) calling the phone carrier and redirecting the OTP, or b) calling the victim, impersonating the FI or another third party, and convincing the victim to read out the OTP code.
   Mitigation: Remind the consumer that the FI will never ask for the OTP code. They should never share the OTP with anyone.

5. Scenario: Fraudster then completes the transfer to another card or DDA in their control.
   Mitigation: Utilize internal 'negative lists' of tokens, IP addresses, and account numbers related to 'known' frauds/bad tokens to prevent transactions in real time.


All financial institutions within the Zelle Network® must follow these onboarding requirements


KEY FRAUD MITIGATION ONBOARDING REQUIREMENTS – ENROLLMENT

Fraud Mitigation

Authentication

• Passive enrollment is not allowed – consumers must enroll with Zelle first before they can send or receive money

• Each Token a consumer enrolls with Zelle must be verified via OTP, Mobile Authorization or a similar process

• This verification can occur at the time of Zelle enrollment or when the consumer adds contact information to the demographic profile

Real Time Fraud Detection

• Stop/prevent a transaction prior to sending it with Zelle
• Integrate digital data captured from the PC or mobile phone during the customer's interaction
• Critical digital data that should be utilized includes device prints, IP addresses, carrier names, etc.

Negative List – Blocking

• Utilize internal 'negative lists' of tokens, IP addresses, and account numbers related to 'known' frauds/bad tokens to prevent transactions in real time


FRAUD MITIGATION ONBOARDING REQUIREMENTS – SENDING FUNDS

Fraud Mitigation

Password Reset

• Any "forgot password" processes for self-service online or phone/agent assisted interactions should be reviewed for weakness prior to participation in the Zelle Network (e.g., too reliant on static PII)
• Provide password reset information to the Fraud Detection system to use when evaluating the risk of a transaction

SMS OTP Messaging

• Explicitly warn the consumer not to read out or share the OTP with anyone
• Let the consumer know that the FI will never ask for the OTP
• Provide the warning in all caps
• Send an OTP message notifying the consumer that they are about to send money
• Provide clear messaging to consumers that sending money via Zelle® is like sending cash and is irreversible

Negative List – Blocking

• Utilize internal 'negative lists' of tokens, IP addresses, and account numbers related to 'known' frauds/bad tokens to prevent transactions in real time

Sender/Receiver Fraud Strategies

• The fraud detection system must have the ability to aggregate, count, and derive certain variables, such as velocity of sending/receiving, length of time since first Zelle usage/registration, tenure of the DDA account, etc.
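The send-side requirements above (negative-list blocking, password-reset information fed to the fraud system, and derived variables such as send velocity, time since first Zelle registration and DDA tenure) together with the five-step takeover scenario on the earlier slide can be combined into a single check that runs before the send leaves the FI. The Python below is an added example written for this page; it is not Early Warning's or Jack Henry's code. The rule weights and thresholds, the negative-list entries, the carrier SIM-change feed (`sim_change_at`), and every sample transaction are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed negative lists of tokens, IP addresses and account numbers tied
# to known fraud. Placeholder values, not real indicators.
NEGATIVE_TOKENS = {"+15550001111", "mule@example.invalid"}
NEGATIVE_IPS = {"203.0.113.77"}
NEGATIVE_ACCOUNTS = {"DDA-000999"}

@dataclass
class SendRequest:
    tx_id: str
    ts: datetime                             # when the send was requested
    sender_account: str                      # sending DDA number
    receiver_token: str                      # email or phone being paid
    receiver_account: Optional[str]          # receiving DDA, if resolved
    amount: float
    ip: str
    device_print: str
    last_password_reset: Optional[datetime]  # fed in from the password-reset process
    zelle_enrolled_at: datetime              # sender's first Zelle registration
    dda_opened_at: datetime                  # tenure of the sending DDA
    sim_change_at: Optional[datetime]        # hypothetical carrier SIM-swap/port feed

def hours_since(event: Optional[datetime], now: datetime) -> float:
    """Hours between an event and now; a missing event counts as infinitely old."""
    return (now - event).total_seconds() / 3600 if event else float("inf")

def send_velocity(history: List[SendRequest], account: str,
                  now: datetime, window: timedelta) -> int:
    """Count prior sends from `account` inside the trailing `window`."""
    return sum(1 for h in history
               if h.sender_account == account and now - window <= h.ts <= now)

def score_send(req: SendRequest, history: List[SendRequest]) -> Tuple[str, List[str]]:
    """Decide before the send leaves the FI; returns (decision, rules that fired).

    BLOCK: negative-list hit. REVIEW: score >= 70, hold for an analyst.
    STEP_UP: score >= 40, require out-of-band mobile authorization. ALLOW otherwise.
    Weights and thresholds are illustrative assumptions, not network requirements.
    """
    if (req.receiver_token in NEGATIVE_TOKENS or req.ip in NEGATIVE_IPS
            or req.receiver_account in NEGATIVE_ACCOUNTS):
        return "BLOCK", ["negative_list"]
    checks = [  # (fired?, weight, name) -- mirrors steps 2-5 of the takeover scenario
        (hours_since(req.last_password_reset, req.ts) < 24, 40, "password_reset_last_24h"),
        (hours_since(req.zelle_enrolled_at, req.ts) < 48, 20, "zelle_enrolled_last_48h"),
        (hours_since(req.dda_opened_at, req.ts) < 30 * 24, 15, "dda_tenure_under_30d"),
        (hours_since(req.sim_change_at, req.ts) < 7 * 24, 40, "sim_change_last_7d"),
        (send_velocity(history, req.sender_account, req.ts, timedelta(hours=24)) >= 3,
         25, "three_plus_sends_24h"),
    ]
    score = sum(w for fired, w, _ in checks if fired)
    reasons = [name for fired, _, name in checks if fired]
    decision = "REVIEW" if score >= 70 else "STEP_UP" if score >= 40 else "ALLOW"
    return decision, reasons

# Constructed sample data ------------------------------------------------
NOW = datetime(2021, 12, 1, 12, 0)
OLD = NOW - timedelta(days=900)

def _req(tx_id: str, account: str, token: str, **overrides) -> SendRequest:
    base = dict(tx_id=tx_id, ts=NOW, sender_account=account, receiver_token=token,
                receiver_account=None, amount=500.0, ip="198.51.100.9",
                device_print="dev-A", last_password_reset=OLD,
                zelle_enrolled_at=OLD, dda_opened_at=OLD, sim_change_at=None)
    base.update(overrides)
    return SendRequest(**base)

# Three earlier sends today from DDA-000456 (drives the velocity case)
HISTORY = [_req(f"h{i}", "DDA-000456", "+15550003333", ts=NOW - timedelta(hours=i))
           for i in (2, 5, 9)]

def takeover_pattern():
    """Steps 2-4 of the scenario: reset 2h ago, enrolled 1h ago, SIM changed yesterday."""
    return score_send(_req("t1", "DDA-000123", "+15550002222",
                           last_password_reset=NOW - timedelta(hours=2),
                           zelle_enrolled_at=NOW - timedelta(hours=1),
                           sim_change_at=NOW - timedelta(days=1)), HISTORY)

def negative_list_hit():
    return score_send(_req("t2", "DDA-000123", "mule@example.invalid"), HISTORY)

def velocity_pattern():
    """Fourth send today from a sender who enrolled with Zelle 10h ago."""
    return score_send(_req("t3", "DDA-000456", "+15550004444",
                           zelle_enrolled_at=NOW - timedelta(hours=10)), HISTORY)

def established_customer():
    return score_send(_req("t4", "DDA-000789", "+15550005555"), HISTORY)
```

Calling the four sample functions shows the decision path for each case: the textbook takeover (recent reset, fresh enrollment, recent SIM change) lands in REVIEW, a receiver on the negative list is blocked outright, a burst of sends from a newly enrolled account gets a step-up challenge, and a long-tenured customer with no signals is allowed. The SIM-change signal is the one the later "Authentication" best-practice slide describes as a third-party screening source; here it is stubbed as a field on the request.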


BEST PRACTICES FOR MITIGATING FRAUD


Alerts & Notifications
Consumer alerts for registration and sent funds. Triggering notifications for Zelle App registrations.

Authentication
It is recommended that Participants leverage 3rd party sources or screening practices to identify when OTPs may be re-routed due to carrier ATO (SIM swap) or email inbox takeover. Current Zelle Network Participants have observed Email/SMS OTP being manipulated.

Consumer Education
Education on scams and how to bank online safely.

Additional Fraud Detection
Fraud detection on RECEIVING funds and token change actions.


2021 FRAUD INITIATIVES


Fraud Performance Monitoring & Enforcement Program
• Effective April 2021
• Identify and work with Participants experiencing higher rates of fraud, both send and receive

Fraud/Scam Type Improvements – Fraud Reporting
• Simplified fraud types to provide improved reporting consistency
• Detailed scam types, e.g., merchandise, charity, services, etc.
• April 2021 release (optional)

3D Secure – CMA Send Transactions
• Reduce Acquirer (Participating FI) transaction liability risk
• Support higher CMA transaction limits

Financial Crimes Framework
• Develop a Financial Crime framework to provide Zelle participants with a value-added service to identify human trafficking, CTF, drugs, or other illicit activities based on an enhanced network view of activity, which may not be visible to the FI participating in a single transaction
• Liaise with participating Financial Institutions to refer and escalate potential unusual activity for further investigation

Zelle Risk Insights
• Provide Network risk insights with emphasis on the receiving token for send transactions
• Fraud/Scam loss reduction


Zelle® Fraud Performance Monitoring Program (FPMP)


Purpose: To ensure the integrity of the Network, a Fraud Performance Monitoring Program (FPMP) is being established to identify Participants experiencing higher rates of fraud relative to their peers. Release date: October 2020 publication, April 2021 implementation.

Fraud Performance Monitoring Criteria
Participants whose monthly fraud dollars and basis points:
• exceed $30,000 in monthly send or receive fraud, and
• exceed 2 standard deviations above the mean of the Participant's peer group's previous-quarter mean

Participant Peer Grouping
The Participant peer groups will be divided into 2 groups: (1) average monthly send dollars and (2) average monthly receive dollars.
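The FPMP criteria above amount to a peer-group outlier test: a dollar floor plus a two-sigma test against the peer group's previous-quarter baseline. The Python below is an added example written for this page, not Zelle's published methodology. The peer-tier boundaries on average monthly send dollars, the reading that the two-sigma test is applied to the fraud rate in basis points (fraud dollars per $10,000 of volume), and all participant figures are constructed assumptions; the receive-side grouping works the same way with receive volume and receive fraud in place of the send fields.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

@dataclass
class ParticipantMonth:
    name: str
    avg_monthly_send_usd: float   # drives send-side peer grouping
    send_volume_usd: float        # this month's send volume
    send_fraud_usd: float         # this month's reported send fraud
    prev_quarter_mean_bps: float  # this participant's previous-quarter mean fraud rate

def fraud_bps(fraud_usd: float, volume_usd: float) -> float:
    """Fraud dollars per $10,000 of volume (basis points)."""
    return fraud_usd / volume_usd * 10_000

def peer_group(avg_monthly_send_usd: float) -> str:
    """Hypothetical peer tiers by average monthly send dollars (assumed boundaries)."""
    if avg_monthly_send_usd < 10_000_000:
        return "small"
    if avg_monthly_send_usd < 100_000_000:
        return "mid"
    return "large"

def flag_participants(rows: List[ParticipantMonth], dollar_floor: float = 30_000.0,
                      sigmas: float = 2.0) -> Dict[str, float]:
    """Return {name: this month's fraud bps} for participants meeting BOTH criteria:
    fraud dollars above `dollar_floor`, and fraud bps more than `sigmas` standard
    deviations above the peer group's mean of previous-quarter means."""
    groups: Dict[str, List[ParticipantMonth]] = defaultdict(list)
    for r in rows:
        groups[peer_group(r.avg_monthly_send_usd)].append(r)
    flagged: Dict[str, float] = {}
    for members in groups.values():
        baseline = [m.prev_quarter_mean_bps for m in members]
        threshold = mean(baseline) + sigmas * pstdev(baseline)  # population std dev
        for m in members:
            bps = fraud_bps(m.send_fraud_usd, m.send_volume_usd)
            if m.send_fraud_usd > dollar_floor and bps > threshold:
                flagged[m.name] = round(bps, 2)
    return flagged

# Constructed sample month: four mid-tier and two small-tier participants.
# "C" is above its peer threshold in bps but under the $30,000 floor, so it is not flagged.
SAMPLE = [
    ParticipantMonth("A", 50e6, 50e6, 45_000, 2.0),
    ParticipantMonth("B", 40e6, 40e6, 12_000, 3.0),
    ParticipantMonth("C", 60e6, 60e6, 20_000, 2.5),
    ParticipantMonth("D", 90e6, 90e6, 25_000, 2.5),
    ParticipantMonth("E", 5e6, 5e6, 35_000, 1.0),
    ParticipantMonth("F", 3e6, 3e6, 2_000, 5.0),
]

def flag_sample() -> Dict[str, float]:
    return flag_participants(SAMPLE)
```

With the sample data the mid tier's baseline is 2.5 bps with a population standard deviation of about 0.35, so the threshold is about 3.21 bps; "A" at 9 bps and $45,000 of fraud is flagged, "C" at 3.33 bps is over the line but under the dollar floor, and in the small tier only "E" meets both tests. Using `pstdev` rather than `stdev` is a design choice: a peer group is the whole population being compared, not a sample of one, and it also keeps a one-member group from raising an exception.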


ADDITIONAL RESOURCES FOR LEARNING AND SHARING BEST PRACTICES


• Zelle Fraud Forum – open to all direct Zelle participants and Resellers, held the fourth Thursday of every month

• Direct Participant Zelle Fraud Review Sessions – Zelle fraud review sessions for a specific Participant, held bi-weekly or monthly

• Reseller Zelle Fraud Review Sessions – Zelle Reseller fraud review sessions for each Reseller, held twice a month

QUICK POLL: Fraud News and Concerns

Chad Killingsworth, Senior Director of Engineering for Digital


Account Takeover Fraud Prevention


Anatomy of a Takeover Event

[Diagram: takeover event between Fraudster and User]


Prevention with Magic Link

[Diagram: Fraudster and User, two panels]


Looking Forward

• Real Time Risk Scoring

Elspeth Bloodgood, Product Manager, JHA PayCenter


Mitigating Fraud?

• Authentication
  – In the digital platform and throughout the session
• Education
  – Of consumers
  – At the institution
• Recipient Scoring
  – The next step

SUPPORTED NETWORKS

• Zelle® Network – Live
• RTP® Network – Live
• FedNowSM – Coming in 2023 - 2024


Education of Consumers

• Consumer messaging
  – At point of delivery
  – Proactively
  – Reactively


Proactive / Reactive Messaging

Proactive: Help outsmart fraudsters. When it comes to your money, don't share personal info or one-time passcodes on calls, texts or in reply to emails appearing to come from [Bank Awesome]. Protect yourself and call us directly instead at [XXX-XXX-XXXX]. At [Bank Awesome], we'll NEVER call you and ask you to share a passcode, account number, SSN or [XXXX] over the phone. If someone asks you for any of these details and says they are from [Bank Awesome], it should raise a red flag. Hang up and call us directly.

Reactive: We're aware of fraudulent [phone calls, texts, emails] that appear to be coming from [Bank Awesome/CU Awesome] being received by our [customers/members]. These [calls/texts/emails] are not being initiated by us. Please contact us at [XXX-XXX-XXXX] before providing any personal information via phone or email, even if the [caller ID/sender] appears to be coming from [Bank Awesome]. As a reminder, we will never call and ask for your personal information such as your social security number, bank account details (account numbers, username and passwords), one-time security passcodes or answers to security questions.


Anti Fraud Campaigns

• Account takeover prevention
• Safety and Security
• Configurable hosted landing page
• Available in JHA Resource Center


Education at the Institution

• Count it all
  – Break down silos
  – Analyze across payment methods
• Track and report scams even if they aren't your liability


Recipient Scoring – the next step

• Additional Fraud Data Elements – PayCenter is expanding the data elements available to the fraud rules engine.
• Zelle Risk Insights – New fraud service will provide network-level recipient review
  – Data elements (release 1)
  – Scoring (release 2)


Zelle Risk Scoring

Prevent Sending to a Bad Actor


Zelle Risk Scoring

Limit Updates

QUICK POLL: Fraud Tracking and Reporting


[email protected]

QUESTIONS?