
CAPITAL PERSPECTIVES, DECEMBER 2012

MITIGATING PAYMENT FRAUD RISK: IT’S A WAR ON TWO FRONTS

Payment fraud continues to be one of the biggest risk management challenges facing corporate treasury managers today. What makes it so daunting is that businesses must battle payment fraud on two fronts. Criminals continue to attack business bank accounts by targeting paper checks for fraud — as they have for years — but now, increasingly, they are also looking to initiate fraudulent electronic payments.

Much of what you read these days about payment fraud relates to the emergence of technically sophisticated online banking scams. The rise of such crime is clearly of great concern. But industry research reveals that check fraud, a longtime nemesis, remains the top payment fraud threat.

According to the 2012 AFP Payments Fraud and Control Survey conducted by the Association for Financial Professionals (AFP), two-thirds of organizations experienced attempted or actual payments fraud in 2011. AFP reports that checks continued to be the dominant payment form targeted by fraudsters, with 85% of affected organizations reporting check fraud attempts.

Meanwhile, fewer than one-quarter of respondents said they were subjected to attempts at Automated Clearing House (ACH) debit fraud (23%), commercial card fraud (20%) or wire transfer fraud (5%), although the potential losses are greater for these electronic methods.

The typical financial loss due to payment fraud in 2011 was $19,200, according to the AFP.

In its survey results analysis, the association framed the challenge for corporate treasury managers: “The vulnerability of all payment methods — especially checks — to fraud from external and internal sources demands a range of fraud-fighting tools and the constant vigilance of those financial and treasury professionals responsible for protecting the assets of their organizations.”

One factor that can contribute to successful payment fraud is the mistaken belief by some corporate treasury managers that banks will necessarily bear liability for fraud losses. When one doesn’t fear fraud losses, prevention steps don’t seem so critical. But as this report will discuss, the notion that businesses can never be liable is simply not true. These days, both banks and their business clients share responsibility for taking appropriate steps to mitigate fraud risk, and any failure on the part of a business to take such steps can lead to it bearing liability for fraud losses.

Prevention efforts then become critical. With that in mind, this report will offer several important suggestions, tips and best practices — as well as describe a variety of bank products and solutions — all aimed at helping businesses protect themselves against fraud attempts, minimize liability and reduce the potential for incurring payment fraud losses.

CHECK FRAUD — TAKING ON THE TOP THREAT

Check fraud has been around for a long time. However, in recent years criminals have become more prolific. The advent of inexpensive desktop publishing equipment has assisted in their ability to create incredibly authentic-looking counterfeit checks.

In 2011, AFP’s fraud survey reported on the prevalence of different methods of check fraud. Counterfeit checks using an organization’s MICR line data was the most common method cited. Other popular forms of check fraud were payee name alteration on checks issued; dollar amount alteration on checks issued; and loss, theft or counterfeit of employee paychecks.

CHECK FRAUD LIABILITY

The Uniform Commercial Code (UCC) is the legal basis for determining liability in cases of check fraud losses. Revisions to the UCC in 1990 increased corporate responsibilities in check fraud loss situations while softening the burden for banks.

The concept of “ordinary care” in the UCC requires corporate account holders to follow “reasonable commercial standards” to prevent check fraud. Another UCC principle, “comparative fault,” says banks and corporate account holders can share in the responsibility for a loss based on the extent to which each party’s failure to meet these standards contributed to the loss.

The potential for corporate liability in check fraud loss situations was recently confirmed in a legal case, Cincinnati Insurance Company v. Wachovia Bank. In July 2010, Wachovia won its lawsuit against a business customer’s insurance company after the customer failed to implement the bank’s positive pay service.

Products and services offered by the Capital One family of companies, including Capital One, N.A., Member FDIC. ©2012 Capital One. Capital One is a federally registered service mark. All rights reserved.

Positive pay is a reconciliation service in which a bank compares the check issuance information its client provides — essentially, the client’s electronic check register — against those checks that are presented for payment to the bank. Through this matching process, the bank identifies potentially fraudulent items. Wachovia had reportedly recommended that its customer use positive pay, but the customer declined and suffered a $150,000 check fraud loss.

A court determined that the customer was liable due to its deposit agreement with Wachovia. The agreement included a conditional release of Wachovia’s liability if the customer failed to use the bank’s products designed to detect or deter check fraud.*

A case summary and the court order can be found online at www.safechecks.com/services/fraudprevention.html

BANK SERVICES THAT COMBAT CHECK FRAUD

Positive pay, the bank service at the heart of the above court case, is generally considered the most effective check fraud deterrent available.

In addition to standard positive pay services, many banks offer a “positive payee” service enhancement to help fight the payee name alteration form of check fraud. Positive payee requires businesses to include payee name information in the check issuance files they regularly send to their banks. In that way, the bank can red-flag checks presented for payment that have the correct dollar amount, account number and serial number, but a different payee name from the one reported in the client’s positive pay check issuance file.

The bank refers items that have been red-flagged by positive pay and enhanced positive payee services to its business client. The client can then investigate to determine if the item is legitimate and whether or not it wants to direct the bank to pay it.
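The matching process described above can be made concrete. The Python below is an added example written for this page, not Capital One's or any bank's positive pay implementation: it compares a client's check issuance file (account, serial number, amount and, for positive payee, payee name) against items presented for payment, pays only exact matches, and refers everything else back to the client with a reason code; unanswered referrals default to return. All account numbers, serials, amounts and payee names are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Added example: a minimal positive pay / positive payee matcher. Every
# account number, serial, amount and payee name below is constructed.


@dataclass(frozen=True)
class Check:
    account: str
    serial: str
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive comparison so 'Acme Corp' == 'ACME  CORP'."""
    return " ".join(name.upper().split())


def positive_pay_review(issue_file, presented, positive_payee=True):
    """Compare checks presented for payment against the client's issue file.

    Returns (pay, exceptions): matching items are paid; everything else is an
    exception the bank refers to the client together with a reason code.
    """
    issued = {(c.account, c.serial): c for c in issue_file}
    already_paid = set()
    pay, exceptions = [], []
    for p in presented:
        key = (p.account, p.serial)
        if key in already_paid:
            exceptions.append((p, "DUPLICATE_PRESENTMENT"))
            continue
        issued_check = issued.get(key)
        if issued_check is None:
            # Serial never issued on this account: counterfeit or unknown item
            exceptions.append((p, "NOT_ISSUED"))
            continue
        if p.amount != issued_check.amount:
            exceptions.append((p, "AMOUNT_MISMATCH"))
            continue
        if positive_payee and normalize_payee(p.payee) != normalize_payee(issued_check.payee):
            exceptions.append((p, "PAYEE_MISMATCH"))
            continue
        already_paid.add(key)
        pay.append(p)
    return pay, exceptions


def apply_client_decisions(exceptions, decisions):
    """The client reviews each exception and instructs the bank to PAY or RETURN.

    Anything the client does not explicitly approve defaults to RETURN, so an
    unanswered referral never turns into a paid item.
    """
    return [(p, decisions.get((p.account, p.serial), "RETURN")) for p, _ in exceptions]


# Constructed sample data: the client's electronic check register ...
ISSUE_FILE = [
    Check("12345678", "1001", Decimal("1250.00"), "Acme Office Supply"),
    Check("12345678", "1002", Decimal("4800.00"), "Northwind Logistics"),
    Check("12345678", "1003", Decimal("375.50"), "J. Smith"),
]

# ... and the items presented to the bank for payment
PRESENTED = [
    Check("12345678", "1001", Decimal("1250.00"), "ACME OFFICE SUPPLY"),    # clean match
    Check("12345678", "1002", Decimal("48000.00"), "Northwind Logistics"),  # amount altered
    Check("12345678", "1003", Decimal("375.50"), "R. Jones"),               # payee altered
    Check("12345678", "2207", Decimal("990.00"), "Cash"),                   # serial never issued
    Check("12345678", "1001", Decimal("1250.00"), "Acme Office Supply"),    # presented twice
]


def demo():
    pay, exceptions = positive_pay_review(ISSUE_FILE, PRESENTED)
    return [p.serial for p in pay], [(p.serial, reason) for p, reason in exceptions]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` pays only serial 1001 and refers the other four items. Switching `positive_payee=False` shows why the payee enhancement matters: the payee-altered check 1003 would then match on serial and amount alone and be paid.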

Other helpful bank services that businesses can use to reduce exposure to check fraud and monitor for fraud attempts include:

• Account reconciliation

• Balance reporting

• “Post no checks” restrictions on depository accounts

• Credit- and debit-only restrictions on accounts

• Check image services

Additionally, we recommend that businesses adhere to the following check fraud prevention best practices:

• Segregate disbursement duties — don’t have the people who issue checks at your business also assume responsibility for reconciling corporate checking accounts

• Maintain strong internal controls over check printing and check stock

• Destroy unused checks from closed accounts immediately and thoroughly

• Use highly secure check stock with multiple security features, including overt features such as watermarks and warning bands, and covert features such as microprinting and multi-chemical sensitivity

ADDRESSING LOW-TECH ACH FRAUD

ACH fraud can occur in a couple of different forms. One is the kind of low-tech ACH fraud that has been around for years. In this form, ACH fraud can begin when a criminal gets hold of one of your company’s checks.

A criminal can use the routing and bank account numbers on a stolen check to order goods either online or by phone and have funds for those purchases debited from your account. In other cases, a disgruntled or dishonest employee can use the MICR line information on a paycheck to initiate a fraudulent ACH debit.

To protect your organization against ACH fraud of this nature, you must operate within the return window established by NACHA — the Electronic Payments Association. NACHA rules stipulate that you have only 24 hours to contact your bank to dispute a fraudulent ACH debit. Failure to initiate a dispute within the 24-hour window shifts all liability for fraud losses to the corporate account holder.

Banks offer several solutions to support ACH fraud prevention efforts:

• ACH debit blocks, which allow you to tell your bank to reject any ACH debits against a particular account or accounts.

• ACH debit filters, which enable you to establish criteria for which ACH debits to your account your bank should accept. You can set general parameters — for instance, establish dollar limits for single transactions or provide a list of acceptable payees. Or you can give the bank detailed criteria for each authorized payment, such as the approved payee name, exact dollar amount and payment initiation date. Such detailed filtering is sometimes referred to as “ACH positive pay.”

* Information on this case prepared by Frank Abagnale of Abagnale & Associates and Greg Litster of SafeChecks.

• Credit- and debit-only account restrictions are also becoming commonplace in an effort to combat electronic payment fraud. Banks are recommending that commercial clients have separate accounts for paper payments (checks) and for electronic payments.

Further, segregating electronic payments is also becoming more prevalent, with banks recommending that commercial clients have credit- and debit-only ACH accounts to further combat the increasing fraud in the electronic payment space. When a paper-only account receives an electronic debit or credit, the payment automatically rejects since the account is set up for paper items only. The same holds true on the electronic payment-only accounts. If an ACH debit were initiated on a credit-only account, the payment would reject.
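To show how the controls above fit together, here is an added example written for this page (not any bank's ACH system): a single decision function that applies, in order, the account-level restriction (paper-only, credit-only), an ACH debit block, "ACH positive pay" exact matching on originator, amount and date, and the general filter of an approved-originator list plus a single-transaction limit. It also encodes the 24-hour dispute window the report describes. Account numbers, originator names, amounts and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from decimal import Decimal
from enum import Enum
from typing import Optional

# Added example: account restrictions, ACH debit blocks, debit filters and
# "ACH positive pay" matching. All sample values below are constructed.


class AccountKind(Enum):
    PAPER_ONLY = "paper_only"            # checks only; any ACH item rejects
    ACH_CREDIT_ONLY = "ach_credit_only"  # receives ACH credits; ACH debits reject
    ACH_DEBIT_ONLY = "ach_debit_only"    # used to pay vendors by ACH debit
    GENERAL = "general"                  # no account-level restriction


@dataclass(frozen=True)
class AchDebit:
    account: str
    originator: str          # company name on the ACH entry
    amount: Decimal
    settlement_date: date


@dataclass
class AchDebitRules:
    block_all: bool = False                       # ACH debit block
    max_amount: Optional[Decimal] = None          # general filter: single-transaction limit
    allowed_originators: frozenset = frozenset()  # general filter: acceptable payees
    expected: list = field(default_factory=list)  # ACH positive pay: (originator, amount, date)


def evaluate_ach_debit(kind: AccountKind, rules: AchDebitRules, debit: AchDebit):
    """Decide whether the bank should post an incoming ACH debit.

    Returns (decision, reason). EXCEPTION means the item is referred to the
    client for a pay/return decision instead of posting automatically.
    """
    if kind == AccountKind.PAPER_ONLY:
        return "REJECT", "ACCOUNT_IS_PAPER_ONLY"
    if kind == AccountKind.ACH_CREDIT_ONLY:
        return "REJECT", "ACCOUNT_IS_CREDIT_ONLY"
    if rules.block_all:
        return "REJECT", "DEBIT_BLOCK"
    if rules.expected:
        # Detailed criteria per authorized payment: all three fields must match
        if (debit.originator, debit.amount, debit.settlement_date) in rules.expected:
            return "ACCEPT", "MATCHED_AUTHORIZED_PAYMENT"
        return "EXCEPTION", "NO_MATCHING_AUTHORIZATION"
    if rules.allowed_originators and debit.originator not in rules.allowed_originators:
        return "EXCEPTION", "ORIGINATOR_NOT_ON_LIST"
    if rules.max_amount is not None and debit.amount > rules.max_amount:
        return "EXCEPTION", "OVER_SINGLE_TRANSACTION_LIMIT"
    return "ACCEPT", "PASSED_FILTER"


def dispute_is_timely(posted: datetime, reported: datetime,
                      window: timedelta = timedelta(hours=24)) -> bool:
    """The report states a 24-hour window to dispute a fraudulent ACH debit."""
    return timedelta(0) <= reported - posted <= window


def demo():
    """Run constructed debits through each control and return the reason codes."""
    general = AchDebitRules(max_amount=Decimal("5000"),
                            allowed_originators=frozenset({"PAYROLL SVC", "ACME LEASING"}))
    detailed = AchDebitRules(expected=[("ACME LEASING", Decimal("2400.00"), date(2012, 12, 3))])
    d = date(2012, 12, 3)
    items = [
        (AccountKind.GENERAL, general, AchDebit("1001", "ACME LEASING", Decimal("2400.00"), d)),
        (AccountKind.GENERAL, general, AchDebit("1001", "UNKNOWN MERCHANT", Decimal("89.99"), d)),
        (AccountKind.GENERAL, general, AchDebit("1001", "PAYROLL SVC", Decimal("12000.00"), d)),
        (AccountKind.GENERAL, detailed, AchDebit("1002", "ACME LEASING", Decimal("2400.00"), d)),
        (AccountKind.GENERAL, detailed, AchDebit("1002", "ACME LEASING", Decimal("2400.00"), date(2012, 12, 4))),
        (AccountKind.PAPER_ONLY, AchDebitRules(), AchDebit("1003", "ACME LEASING", Decimal("10.00"), d)),
        (AccountKind.ACH_CREDIT_ONLY, AchDebitRules(), AchDebit("1004", "ACME LEASING", Decimal("10.00"), d)),
        (AccountKind.GENERAL, AchDebitRules(block_all=True), AchDebit("1005", "ACME LEASING", Decimal("10.00"), d)),
    ]
    return [evaluate_ach_debit(kind, rules, debit)[1] for kind, rules, debit in items]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The ordering is deliberate: account-type restrictions and a debit block are absolute and reject outright, while filter misses are exceptions the client still gets to decide on. Note that a debit with the right originator but the wrong settlement date fails the detailed criteria, which is exactly the case a general payee list would have let through.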

ONLINE BANKING FRAUD TAKES CENTER STAGE

In recent years, a new type of ACH fraud threat has emerged as criminals try to take advantage of the corporate world’s adoption of efficient online banking.

New online banking scams are being introduced almost daily. One of the earliest was “phishing.” In a phishing attack, a corporate treasury professional receives an e-mail from what appears to be a well-known, trusted business such as a bank. Often the e-mail will ask you to open an attachment or click on a link and go to what appears to be a legitimate, branded business website, but in actuality is a counterfeit site.

Once you have been lured to the counterfeit site, you are asked to divulge information such as bank account numbers and online banking credentials, including log-in user names and PIN passwords. With this information in hand, fraudsters can steal from your company’s accounts.

When phishing, scam artists often send out thousands of e-mails at a time, hoping for a few nibbles from unsuspecting victims. But financial managers also need to beware of more targeted attacks. One type is called “reverse phishing.”

A reverse phishing attack typically begins when you receive an e-mail falsely purporting to be from one of your vendors. Rather than asking you for online banking credentials, the e-mailer requests that you alter existing information such as payment instructions. For instance, you might be asked to redirect an electronic trade payment to a different bank account.

If you comply, you may not realize you have been scammed until weeks later when the actual vendor telephones your company to ask why you haven’t paid his invoice.

CORPORATE ACCOUNT TAKEOVERS

Many fraudsters today try to trick their victims into installing malicious, credential-stealing software known as “malware” on their PCs. In a typical scam, a financial manager receives an e-mail falsely purporting to be from a credible source such as the Better Business Bureau. The recipient is directed to view a document by opening an attachment or clicking on a link, which installs malware on his computer.

The malware later alerts the fraudster when the victim visits an online banking site, and the criminal employs keystroke logging which captures the victim’s log-in and security credentials. The attacker can then take control of the victim’s online banking sessions and use the stolen credentials to initiate fraudulent ACH or wire transactions.

As with our earlier discussion about check fraud liability, treasury professionals are wrong to assume that banks will be liable for losses when fraudsters access bank accounts by compromising an online banking platform. The fact is that businesses are responsible for protecting their computers against these sorts of attacks. Businesses need to implement appropriate software protection and best practices for preventing fraud, such as segregation of duties and dual control on electronic payment approvals.

Liability is typically outlined in the online services agreement with your bank. However, in general, companies are liable for payment fraud losses if they occur because of a failure to protect their systems.

A MULTILAYERED APPROACH TO FRAUD PREVENTION

There is no single solution or practice that will ensure the prevention of payment fraud. Businesses need to take a multilayered approach that uses a combination of best practices and bank services designed to mitigate fraud risk.


An important best practice for protecting online payment and account data is dual control. Here’s what NACHA recommends in its “Sound Business Practices for Companies to Mitigate Corporate Account Takeover” white paper, which you can find in the Corporate Account Takeover Resource Center at the NACHA website (www.nacha.org):

“Initiate payments under dual control, with assigned responsibility for transaction origination and authorization. Dual control involves file creation by one employee with file approval and release by another employee on a different computer. Or, require dual use of tokens where a single employee creates a file, but can only release the same file by logging in a second time using a new pass code on the token.”

Other best practices include:

• Allowing no Internet browsing or e-mail exchange on computers used for online banking transactions

• Deleting online user IDs as part of the exit procedure when employees leave your company

• Establishing transaction limits for employees who initiate and approve online payments

• Using templates to lock in beneficiary and recipient information

• Using appropriate multifactor authentication tools offered by your bank, such as tokens, or out-of-band options like telephone applications
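The NACHA recommendation and the list above describe controls that a payment platform can enforce rather than leave to procedure. The Python below is an added example written for this page, not NACHA's or Capital One's software: a release gate that refuses to release a payment file unless it was created and approved by different employees on different workstations (or by the same employee re-authenticating with a fresh, unused token code), enforces a per-approver transaction limit, and only accepts beneficiaries locked in by template. Users, workstation identifiers, token codes, limits and beneficiary names are constructed, and the token check is a stand-in for a real hardware token.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Added example: dual control, approver limits and template-locked
# beneficiaries enforced at payment release. All sample values are constructed.


class ReleaseDenied(Exception):
    """Raised with a reason code whenever a control is not satisfied."""


@dataclass
class PaymentFile:
    file_id: str
    beneficiary: str
    amount: Decimal
    created_by: str
    created_on: str          # workstation identifier
    released: bool = False


@dataclass
class Policy:
    approval_limits: dict    # user -> largest amount that user may release
    templates: frozenset     # beneficiaries locked in by template
    token_codes: dict        # user -> valid one-time codes (stand-in for a hardware token)
    used_codes: set = field(default_factory=set)

    def consume_token(self, user, code) -> bool:
        """Accept a code once; a code already used for an earlier login is rejected."""
        if code is None or (user, code) in self.used_codes or code not in self.token_codes.get(user, ()):
            return False
        self.used_codes.add((user, code))
        return True


def create_payment(policy, file_id, beneficiary, amount, user, device, token_code):
    """File creation by one employee, logged in with a token code."""
    if beneficiary not in policy.templates:
        raise ReleaseDenied("BENEFICIARY_NOT_IN_TEMPLATE")
    if not policy.consume_token(user, token_code):
        raise ReleaseDenied("LOGIN_TOKEN_INVALID")
    return PaymentFile(file_id, beneficiary, amount, user, device)


def release_payment(policy, pf, user, device, token_code=None):
    """File approval and release, subject to dual control and approver limits."""
    if pf.released:
        raise ReleaseDenied("ALREADY_RELEASED")
    if user == pf.created_by:
        # Same employee: allowed only with a second login using a new token code
        if not policy.consume_token(user, token_code):
            raise ReleaseDenied("DUAL_CONTROL_SAME_USER_NO_FRESH_TOKEN")
    elif device == pf.created_on:
        raise ReleaseDenied("DUAL_CONTROL_SAME_WORKSTATION")
    if pf.amount > policy.approval_limits.get(user, Decimal("0")):
        raise ReleaseDenied("OVER_APPROVER_LIMIT")
    pf.released = True
    return pf


def demo():
    """Walk through constructed attempts and collect the outcome of each."""
    policy = Policy(
        approval_limits={"alice": Decimal("10000"), "bob": Decimal("50000")},
        templates=frozenset({"Northwind Logistics", "Acme Office Supply"}),
        token_codes={"alice": {"111111", "222222", "333333"}, "bob": {"444444"}},
    )
    results = []

    def attempt(fn, *args):
        try:
            fn(*args)
            results.append("OK")
        except ReleaseDenied as err:
            results.append(str(err))

    pf1 = create_payment(policy, "F1", "Northwind Logistics", Decimal("8000"), "alice", "WS-01", "111111")
    attempt(release_payment, policy, pf1, "alice", "WS-01", "111111")   # reusing the login code
    attempt(release_payment, policy, pf1, "alice", "WS-01", "222222")   # fresh code: released
    pf2 = create_payment(policy, "F2", "Acme Office Supply", Decimal("30000"), "alice", "WS-01", "333333")
    attempt(release_payment, policy, pf2, "bob", "WS-01")               # same workstation
    attempt(release_payment, policy, pf2, "bob", "WS-02")               # different user and device
    pf3 = create_payment(policy, "F3", "Northwind Logistics", Decimal("60000"), "bob", "WS-02", "444444")
    attempt(release_payment, policy, pf3, "alice", "WS-01")             # above alice's limit
    attempt(create_payment, policy, "F4", "Unknown Vendor", Decimal("5"), "bob", "WS-02", None)
    attempt(release_payment, policy, pf1, "bob", "WS-02")               # already released
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Each denial carries a reason code so the platform can log which control fired; in practice those log entries are what an administrator reviews to spot an approver repeatedly trying to release files from the originating workstation.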

MORE BEST PRACTICES FOR ONLINE BANKING SECURITY

Some additional steps you can take to prevent criminals from accessing your computers and confidential data are:

• Use strong, complex passwords

• Change your passwords regularly and use a different password for each website you access

• Never reveal your confidential login ID, password, PIN or answers to security questions to anyone

• Never share your security token, and immediately report lost or stolen tokens

• Never bank online using computers at kiosks, cafes or anywhere in which the computer or wireless network is unsecured

CARDS ARE TARGETS, TOO

Some 87% of respondents to the AFP’s 2012 payment fraud survey reported that their organizations use commercial cards for business-to-business payments, and cards are another form of electronic payment subject to fraud. In fact, of those respondents reporting that they experienced attempted or actual fraud related to B2B card transactions in 2011, 55% said it resulted from the use of their own commercial cards.

About two-thirds of those companies (65%) reported experiencing commercial card fraud at the hands of an unknown external party.

One common card fraud scam is “vishing.” A cardholder receives a call from someone who has the cardholder’s card number and pretends to be reporting a fraudulent transaction when asking for the cardholder’s CVV2 code over the phone. With the card number and code, the criminal can successfully make unauthorized purchases by phone and online.

Meanwhile, nearly two out of five organizations (38%) in the AFP survey said they were subject to fraud perpetrated by their own employees. For instance, an employee might use his commercial card for a non-business-related purchase.

Interestingly, respondents said their organizations were liable for card fraud losses 34% of the time — equally as often as the card-issuing bank and significantly more often than the merchant (22%).

The key to curtailing card fraud and related losses? “Organizations need to continue to use the card controls available to them in managing how, when and where employees (and criminals) can use their cards,” the AFP suggests in its survey results analysis.

ESTABLISH CARD SPENDING RESTRICTIONS

One of the best ways to assert such control is by imposing spending restrictions on individual cardholders. Most banks allow you to establish a variety of such limits. For instance, a commercial card program administrator might tell the bank that a particular cardholder can spend no more than $500 per transaction. Or the administrator could dictate that the cardholder spend no more than a certain amount each day or each month. If the cardholder tries to exceed the restriction, the transaction will be declined.

To minimize unauthorized purchases, a card program administrator can also use merchant category codes to establish that a card can only be used at certain types of businesses. For example, the administrator might dictate that a particular employee who never travels for business not be able to use his card at hotels.

Merchant restrictions can also help in cases of unknown external party fraud. In cases where a card or card number is stolen and the card has such restrictions, the thief will only be able to make purchases from merchants in approved categories.

TIPS TO AVOID PHISHING, SPYWARE AND MALWARE

• Don’t open e-mail from unknown sources

• Never respond to a suspicious e-mail or click on any hyperlink embedded in a suspicious e-mail

• Educate your staff about current scams and loss-prevention steps

• Make sure all of the computers your staff members use for work-related business — at the office and at home — have the latest versions and patches of both anti-virus and anti-spyware software

• Update important patches from systems such as Internet Explorer and Adobe Reader that include security fixes

Capital Perspectives is for informational purposes only, does not constitute the rendering of legal, accounting or other professional services by Capital One, N.A., or any of its subsidiaries or affiliates, and is given without any warranty whatsoever. Products and services offered by the Capital One family of companies, including Capital One, N.A., Member FDIC. ©2012 Capital One. Capital One is a federally registered service mark. All rights reserved.

MONITOR CARD SPENDING ONLINE

Treasury managers and card program administrators can also use online reporting tools to monitor employee card spending and detect fraud.

Using such an online tool, a program administrator can establish and alter spending limits for individual cardholders, and issue and cancel cards, all in real time.

Online card management tools also typically allow administrators to generate reports on spending activity by cardholder. They don’t have to wait until they receive a monthly statement to note cases where employees have made unauthorized purchases or purchases that don’t comply with company spending policies.
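The card controls described in the preceding sections (per-transaction, daily and monthly limits, merchant category code restrictions, cancelling a card) and the spending report an administrator reviews can be modelled in a few dozen lines. The Python below is an added example written for this page, not any card issuer's authorization system. Cardholders, limits and transactions are constructed; the MCC values used (7011 for hotels, 5812 for restaurants, 5541 for service stations, 5411 for grocery stores) are standard merchant category codes.

```python
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal
from typing import Optional

# Added example: card spending restrictions and MCC restrictions applied at
# authorization time, plus the per-cardholder report an administrator reviews.
# Card identifiers, limits and transactions are constructed sample data.


@dataclass(frozen=True)
class CardControls:
    per_transaction_limit: Optional[Decimal] = None
    daily_limit: Optional[Decimal] = None
    monthly_limit: Optional[Decimal] = None
    allowed_mccs: Optional[frozenset] = None   # None means no merchant restriction
    active: bool = True                        # False once the administrator cancels the card


@dataclass(frozen=True)
class Authorization:
    card_id: str
    amount: Decimal
    mcc: str
    when: datetime


def _spent(history, auth, same_period):
    """Approved spend on this card within the period selected by same_period."""
    return sum((a.amount for a in history if a.card_id == auth.card_id and same_period(a.when, auth.when)),
               Decimal("0"))


def authorize(controls: CardControls, approved_history, auth: Authorization):
    """Return (decision, reason) for one authorization request."""
    if not controls.active:
        return "DECLINE", "CARD_CANCELLED"
    if controls.allowed_mccs is not None and auth.mcc not in controls.allowed_mccs:
        return "DECLINE", "MCC_NOT_ALLOWED"
    if controls.per_transaction_limit is not None and auth.amount > controls.per_transaction_limit:
        return "DECLINE", "OVER_TRANSACTION_LIMIT"
    if controls.daily_limit is not None:
        day_total = _spent(approved_history, auth, lambda a, b: a.date() == b.date())
        if day_total + auth.amount > controls.daily_limit:
            return "DECLINE", "OVER_DAILY_LIMIT"
    if controls.monthly_limit is not None:
        month_total = _spent(approved_history, auth, lambda a, b: (a.year, a.month) == (b.year, b.month))
        if month_total + auth.amount > controls.monthly_limit:
            return "DECLINE", "OVER_MONTHLY_LIMIT"
    return "APPROVE", "OK"


def run_authorizations(controls_by_card, auths):
    """Process requests in time order; only approved ones count toward later limits."""
    approved, log = [], []
    for a in sorted(auths, key=lambda x: x.when):
        decision, reason = authorize(controls_by_card[a.card_id], approved, a)
        if decision == "APPROVE":
            approved.append(a)
        log.append((a.card_id, str(a.amount), a.mcc, decision, reason))
    return log


def spend_report(log):
    """Approved spend and decline count per card, without waiting for a monthly statement."""
    report = {}
    for card_id, amount, _, decision, _ in log:
        entry = report.setdefault(card_id, {"approved": Decimal("0"), "declines": 0})
        if decision == "APPROVE":
            entry["approved"] += Decimal(amount)
        else:
            entry["declines"] += 1
    return report


# Constructed controls: CARD-A belongs to an office-bound employee (no hotels),
# CARD-B to a traveller with a monthly cap, CARD-C has been cancelled.
CONTROLS = {
    "CARD-A": CardControls(per_transaction_limit=Decimal("500"), daily_limit=Decimal("800"),
                           allowed_mccs=frozenset({"5812", "5541", "5411"})),
    "CARD-B": CardControls(per_transaction_limit=Decimal("2000"), monthly_limit=Decimal("5000")),
    "CARD-C": CardControls(active=False),
}

AUTHS = [
    Authorization("CARD-B", Decimal("1800.00"), "7011", datetime(2012, 12, 2, 9, 0)),
    Authorization("CARD-C", Decimal("20.00"), "5812", datetime(2012, 12, 3, 9, 0)),
    Authorization("CARD-A", Decimal("120.00"), "5812", datetime(2012, 12, 3, 12, 10)),
    Authorization("CARD-A", Decimal("650.00"), "5411", datetime(2012, 12, 3, 13, 0)),
    Authorization("CARD-A", Decimal("400.00"), "5541", datetime(2012, 12, 3, 15, 0)),
    Authorization("CARD-A", Decimal("300.00"), "5812", datetime(2012, 12, 3, 19, 0)),
    Authorization("CARD-A", Decimal("300.00"), "7011", datetime(2012, 12, 4, 8, 0)),
    Authorization("CARD-B", Decimal("1900.00"), "7011", datetime(2012, 12, 9, 9, 0)),
    Authorization("CARD-B", Decimal("1500.00"), "5812", datetime(2012, 12, 15, 9, 0)),
]

if __name__ == "__main__":
    for row in run_authorizations(CONTROLS, AUTHS):
        print(row)
    print(spend_report(run_authorizations(CONTROLS, AUTHS)))
```

Declines are evaluated against approved history only, so a declined attempt never consumes part of a daily or monthly allowance. The hotel authorization on CARD-A is refused by the MCC rule before any amount check runs, which is the behaviour the text describes for a stolen card with merchant restrictions.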

KEYS TO CURBING PAYMENT FRAUD

In this report, we have looked at how fraudsters are targeting both paper and electronic payment methods, and we suggested practices and bank services that treasury managers can use to thwart such activity. That’s the two-front war on fraud that treasury professionals face. However, when you analyze recent fraud activity, it’s clear that protecting checks must remain a major focus of payment fraud prevention.

In fact, according to the AFP, eliminating checks — and replacing them with electronic funds transfers — continues to be the single best way for organizations to combat fraud.

Still, with more criminals eyeing electronic transactions, treasury managers must also be vigilant in protecting account access from hackers, the association notes.

Other keys to effectively managing payment fraud risk and reducing liability include becoming educated about the wide range of threats, learning about and adhering to best practices for managing fraud risk (like positive pay and dual control), and taking full advantage of the protections that banks offer.

Capital One Bank is well positioned with information and products to help business clients protect their payments from fraud. To learn more, contact your Capital One Bank relationship manager or Treasury Management advisor.