Mitigating Payment Fraud

Presented to: North Carolina Local Government Investment Association
July 23, 2014

A perspective on recent fraud experience and best practice approaches for reducing the risk of payment fraud


Page 2: Mitigating Payment Fraud

Avoiding the Headlines …

Source: Fraud Advisory for Business: Corporate Account Takeover

Page 3: Mitigating Payment Fraud

Where Are We Now?
A look at current state metrics

Page 4: Mitigating Payment Fraud

Are Things Improving?
% of Organizations with Attempted/Actual Payment Fraud

2004: 55%
2005: 68%
2006: 72%
2007: 71%
2008: 71%
2009: 73%
2010: 71%
2011: 66%
2012: 61%
2013: 60%

Source: 2014 AFP Payments Fraud and Control Survey

Page 5: Mitigating Payment Fraud

Continuing Increase in the Number of Attempts
Becoming More Concentrated?

Net Increase in Attempts
2009: +13%
2010: +10%
2011: +8%
2012: +11%
2013: +11%

2013: 27% of organizations reported an increase in attempted fraud; 16% reported a decrease; 57% reported similar activity

Source: 2014 AFP Payments Fraud and Control Survey

Page 6: Mitigating Payment Fraud

Continued Prevalence of Check-based Fraud
Aren’t Check Volumes Declining?

% of Organizations (2)
• ACH Credit: 9%
• Wire: 14%
• ACH Debit: 22%
• Card: 43%
• Check: 82%

Total Checks Written (1)
• 2003: 37.3B
• 2012: 18.3B

(1) 2013 Federal Reserve Payment Survey
(2) 2014 AFP Payments Fraud and Control Survey (actual and attempted)

Page 7: Mitigating Payment Fraud

Increasing Impact
Average Fraud Losses Continue to Grow

2009: $17,100
2010: $18,400
2011: $19,200
2012: $20,300
2013: $23,100

Source: 2014 AFP Payments Fraud and Control Survey

Page 8: Mitigating Payment Fraud

Fraud Impact by Payment Type
Payment Method Responsible for Largest Dollar Loss

• Check: 57%
• Card: 23%
• ACH Debit: 10%
• Wire: 9%
• ACH Credit: 1%

Source: 2014 AFP Payments Fraud and Control Survey

Page 9: Mitigating Payment Fraud

Fraud Impact by Payment Type
Average Value of Unauthorized Transaction ($)

• Check: 1221
• ACH: 730
• ATM: 207
• Credit Card: 138
• Debit Card: 105

Source: 2013 Federal Reserve Payment Survey

Page 10: Mitigating Payment Fraud

Source of Fraud
Who and Why?

Page 11: Mitigating Payment Fraud

Sources of Attempted Payment Fraud
Who is initiating?

% of Organizations (1)
• Compromised Mobile: 1%
• Lost Laptop: 3%
• Account Takeover: 7%
• 3rd Party Processor: 8%
• Internal: 11%
• External Ring: 20%
• External Individual: 80%

A difference of opinion? (2)
“72% of those surveyed have been hit by a fraud involving at least one insider in a lead role” within … 32% involved a senior or middle manager

(1) 2014 AFP Payments Fraud and Control Survey
(2) 2013/14 Kroll Global Fraud Report

Page 12: Mitigating Payment Fraud

Check-based Fraud Losses
Organizations Suffering Loss from Fraud Attempt

Suffered Loss? Yes: 17%; No: 83%

Identified Reasons For Loss
• Processed by Check Cashing Agency (38%)
• Lack of Timely Recon or Positive Pay Review (28%)
• Internal Fraud (21%)
• Lack of Positive Pay Utilization (17%)
• Lack of Timely Check Return (10%)
• Lack of Post No Check Services on EFT Acct (10%)

Source: 2014 AFP Payments Fraud and Control Survey

Page 13: Mitigating Payment Fraud

ACH Fraud Losses
Organizations Suffering Loss from Fraud Attempt

Suffered Loss? Yes: 19%; No: 81%

Identified Reasons For Loss
• Lack of Debit Block or Filter (50%)
• Lack of Timely Reconciliation (38%)
• Lack of Timely Return (38%)
• Lack of ACH Positive Pay Utilization (38%)
• Internal Fraud (13%)

Source: 2014 AFP Payments Fraud and Control Survey

Page 14: Mitigating Payment Fraud

Card Fraud Losses
Organizations Suffering Loss from Fraud Attempt

Suffered Loss? Yes: 31%; No: 69%

Source of Fraud: Employee: 57%; Unknown External: 43%

Source: 2014 AFP Payments Fraud and Control Survey

Page 15: Mitigating Payment Fraud

Card Fraud Losses
Purchasing and Travel Cards

Purchasing Card (1)
‒ Median $ per incident: Employee Misrepresentation $200; Internal Fraud $350; External Fraud $100
‒ Loss as a % of spend: Employee Misrepresentation .004%; Internal Fraud .001%; External Fraud .002%

Travel Card (2)
‒ Median $ per incident: Employee Misrepresentation $100; Internal Fraud $67; External Fraud $100
‒ Loss as a % of spend: Employee Misrepresentation .003%; Internal Fraud .002%; External Fraud .004%

(1) 2012 RPMG Purchasing Card Benchmark Survey
(2) 2013 RPMG Corporate Travel Card Benchmark Survey

Page 16: Mitigating Payment Fraud

Internal Processes
Best Practice Activities for Creating a Strong Control Environment

Page 17: Mitigating Payment Fraud

Organizational (Internal) Fraud
Primary Fraudulent Disbursement Activities

Billing (24.9% of all cases; median loss $100,000; average duration 24 months)
‒ Example: Employee creates a shell company and bills employer for services not actually rendered.

Expense Reimbursement (14.5% of all cases; median loss $26,000; average duration 24 months)
‒ Example: Employee files fraudulent expense report, claiming personal travel, nonexistent meals, etc.

Check Tampering (11.9% of all cases; median loss $143,000; average duration 30 months)
‒ Example: Employee steals an outgoing check to a vendor and deposits it into his/her own bank account.

Payroll Schemes (9.3% of all cases; median loss $48,000; average duration 36 months)
‒ Example: Employee adds ghost employees to the payroll.

Source: Association of Certified Fraud Examiners (ACFE): 2012 Global Fraud Study - Report to the Nations on Occupational Fraud & Abuse

Page 18: Mitigating Payment Fraud

Internal Control Foundation

• A/P Masterfile Control
• Sourcing and Invoice Processing
• Segregation of Duties
• Confirmation of Beneficiary Changes
• Approval and Execution
• Timely Reconciliation

Page 19: Mitigating Payment Fraud

External Support
Services and Solutions to Mitigate Payment Fraud Risk

Page 20: Mitigating Payment Fraud

Primary Methods of Check Fraud
% of Organizations that Suffered Attempted Check Fraud

• Check Stock Theft (5%)
• Payroll Check Theft (16%)
• Dollar Amount Alteration (37%)
• Payer Name Alteration (52%)
• Counterfeit Check with MICR (62%)

Source: 2014 AFP Payments Fraud and Control Survey

Mitigating services called out on the slide: Positive Pay (shown three times), Payee Positive Pay
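An added example (not part of the presentation) of the matching a Positive Pay service performs against the fraud methods listed on this slide: presented checks are compared with the issuer's issue file on serial number and amount, and Payee Positive Pay also compares the payee name. The Check record, its field names and all sample checks are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:                      # hypothetical record layout, not a bank file format
    serial: str
    amount_cents: int
    payee: str

def normalize(name):
    """Uppercase and drop punctuation so 'Acme Paving, Inc.' equals 'ACME PAVING INC'."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())

def positive_pay(issued, presented, payee_match=False):
    """Return (serial, decision, reason) for every presented item."""
    issue_file = {c.serial: c for c in issued}
    paid, results = set(), []
    for item in presented:
        rec = issue_file.get(item.serial)
        if rec is None:
            verdict = ("EXCEPTION", "serial not in issue file")
        elif item.serial in paid:
            verdict = ("EXCEPTION", "serial already paid")
        elif item.amount_cents != rec.amount_cents:
            verdict = ("EXCEPTION", "amount differs from issue file")
        elif payee_match and normalize(item.payee) != normalize(rec.payee):
            verdict = ("EXCEPTION", "payee differs from issue file")
        else:
            verdict = ("PAY", "matches issue file")
            paid.add(item.serial)
        results.append((item.serial, *verdict))
    return results

# Constructed sample data: three issued checks, five presented items.
ISSUED = [
    Check("1001", 125000, "Acme Paving, Inc."),
    Check("1002", 48050, "County Water Authority"),
    Check("1003", 9900, "J. Smith"),
]
PRESENTED = [
    Check("1001", 125000, "ACME PAVING INC"),          # genuine item
    Check("1002", 148050, "County Water Authority"),   # dollar amount altered
    Check("1003", 9900, "R. Jones"),                   # payee name altered
    Check("9001", 50000, "Cash"),                      # counterfeit, never issued
    Check("1001", 125000, "Acme Paving, Inc."),        # duplicate of a paid serial
]

if __name__ == "__main__":
    for payee_match in (False, True):
        print("Payee Positive Pay" if payee_match else "Positive Pay")
        for row in positive_pay(ISSUED, PRESENTED, payee_match):
            print("  ", *row)
```

With serial and amount matching only, the altered-payee item 1003 is paid; it becomes an exception only when payee matching is switched on.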

Page 21: Mitigating Payment Fraud

Primary Procedures to Guard Against Check Fraud

% of Organizations Deploying
• Non-bank Fraud Control: 7%
• Reverse Positive Pay: 20%
• Post No Checks: 46%
• Payee Positive Pay: 56%
• Segregate Accounts: 68%
• Daily Reconciliation: 78%
• Positive Pay: 81%

Source: 2014 AFP Payments Fraud and Control Survey

Page 22: Mitigating Payment Fraud

Primary Procedures to Guard Against ACH Fraud

Source: 2014 AFP Payments Fraud and Control Survey

Reconcile Accounts Daily, Identify and Return Unauthorized Debits (78%)

Block ACH Debits Except on a Single Account With ACH Debit Filter/ACH Positive Pay (64%)

Block ACH Debits on All Accounts (31%)

Consumer Debit Block and Commercial Debit Filter (24%)

Separate Account for all 3rd Party Debits (18%)

Page 23: Mitigating Payment Fraud

Powerful Bank Services to Mitigate Payment Fraud

• Positive Pay
• ACH Positive Pay
• ACH Debit Block
• Post No Checks

Page 24: Mitigating Payment Fraud

Are Physical Check Security Features Still Needed?

Thermochromatic Ink

Chemical Reactive Paper

Copy Void Pantograph

Dual Image Numbering

Image Survivable Barcode

Warning Bands

Fourdrinier Watermark

Secure Name Font

Source: F. Abagnale Fraud Bulletin – Vol 12

Page 25: Mitigating Payment Fraud

Online Banking
Best Practice Activities for Securing Information and Controlling Payment Execution

Page 26: Mitigating Payment Fraud

Account Take-over
Dissecting an Attack

1. Target Victims
2. Install Malware
3. Operator Logon
4. Capture Login Data
5. Initiate Funds Transfer

Source: Fraud Advisory for Businesses: Corporate Account Take Over - United States Secret Service, FBI, IC3, and FS-ISAC.

Page 27: Mitigating Payment Fraud

How Would You React to This Email?

PNC Bank USA
Pittsburgh, PA Member FDIC 2014

Dear Valued Customer:

We noted that your account transferred $10,000 to Nigerian financial institution on June 15, 2014. Given the suspicious nature of this transaction, we have frozen all transaction activity on your account. Please access the link below to verify your credentials, review this transaction and restore your account to an active state:

http://pncbankUSA.com/suspendedaccount/secureverification

Once you have completed this, PNC’s Fraud team will work to promptly restore these funds.

Thank you for doing business with PNC!
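An added example (not part of the presentation) of checks a mail filter or a trained reader could apply to the message above: it extracts each link, compares its domain with an allowlist, and looks for pressure wording. The allowlist entry, brand token and phrase list are assumptions chosen for this sample, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"pnc.com"}   # assumption: the bank's own domain, kept on an allowlist
BRAND_TOKENS = ("pnc",)         # assumption: brand strings to look for in other domains
PRESSURE_PHRASES = ("frozen", "verify your credentials", "restore your account")

def registrable_domain(host):
    # Last two labels only, which is enough for .com; production code
    # should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_email(body):
    """Return (evidence, reason) pairs for each warning sign found in the body."""
    findings = []
    for url in re.findall(r'https?://[^\s<>"]+', body):
        parts = urlsplit(url)
        domain = registrable_domain(parts.hostname or "")
        if parts.scheme != "https":
            findings.append((url, "link is not HTTPS"))
        if domain not in TRUSTED_DOMAINS:
            findings.append((url, "domain is not on the trusted list"))
            if any(token in domain for token in BRAND_TOKENS):
                findings.append((url, "brand name embedded in an untrusted domain"))
    lowered = body.lower()
    for phrase in PRESSURE_PHRASES:
        if phrase in lowered:
            findings.append((phrase, "pressure or credential-request wording"))
    return findings

# Body text of the email shown on this slide.
SLIDE_EMAIL = (
    "We noted that your account transferred $10,000 to Nigerian financial institution "
    "on June 15, 2014. Given the suspicious nature of this transaction, we have frozen "
    "all transaction activity on your account. Please access the link below to verify "
    "your credentials, review this transaction and restore your account to an active "
    "state:\n\nhttp://pncbankUSA.com/suspendedaccount/secureverification\n"
)

if __name__ == "__main__":
    for evidence, reason in assess_email(SLIDE_EMAIL):
        print(f"{reason}: {evidence}")
```

These are heuristics: a clean result does not prove a message is genuine, so the link should still be ignored in favor of reaching the bank through a known bookmark or phone number.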

Page 28: Mitigating Payment Fraud

Gone Phishin …

Phishing - attempt to acquire information such as user name, passwords, and other financial details by masquerading as a trustworthy entity … in electronic form

• Spear Phishing
• Waterholing
• Whaling
• Clone Phishing
• Social Engineering

Page 29: Mitigating Payment Fraud

Account Transfer
Pay Close Attention to Wire Transfer Activity

• 2.11 per 1000 commercial customers have experienced an account take-over
• 9% of all account take-overs resulted in funds being transferred
• 82% of fraudulent transfers involved wires

Source: Fraud Advisory for Businesses: Corporate Account Take Over - United States Secret Service, FBI, IC3, and FS-ISAC.

Page 30: Mitigating Payment Fraud

Controlling the Risk of Cyber Fraud

• Education and Awareness
• Insulate Workstation
• Separate Approval Station
• Malware and Virus Protection
• FFIEC Authentication
• Mobile Threat Vectors

Page 31: Mitigating Payment Fraud

Card Usage
Best Practice Activities for Managing Commercial Card Programs

Page 32: Mitigating Payment Fraud

What are Other Organizations Doing?
Primary Controls Utilized

% of Organizations
• Preferred Provider Blocks: 22%
• MCC Blocking: 57%
• Dedicated Administrator: 62%
• Compliance Audits: 66%
• Cardholder Agreements: 71%
• Receipt Requirements: 81%
• Defined Spending Limits: 88%

Source: 2012 RPMG Purchasing Card Benchmark Survey

Page 33: Mitigating Payment Fraud

Controlling Commercial Card Activity

• Point of Sale Controls
• Online Submission and Approval
• Receipt/Proof of Purchase
• Card Security
• Audit and Inspection
• Other

Page 34: Mitigating Payment Fraud

Who has Borne Card Losses?
Parties that Suffered Loss on Commercial/Corporate Card Fraud

Sponsoring Organization (31%)

Merchant (14%)

Issuing Bank (44%)

2014 AFP Payments Fraud and Control Survey

Page 35: Mitigating Payment Fraud

Expected Improvement from Migration to EMV Standard

Expected Effectiveness (1): Some Reduction 72%; Major Reduction 20%; No Reduction 8%

(1) 2014 AFP Payments Fraud and Control Survey

• EMV (Europay, Mastercard, Visa) – global standard for integrated chip-based card design
‒ Unlike other countries, the US continues to be dominated by magnetic stripe POS terminals
‒ Estimated cost of upgrades > $12B

• Merchant Processing
‒ When mag-stripe cards are swiped at POS terminal, data, such as primary account number and expiration date, are transmitted to the card issuer
‒ The data—known as static data—remains the same for each transaction
‒ EMV relies on dynamic authentication - use of changing variables unique to each individual card transaction
‒ PIN vs. Signature authentication

• Liability Shift
‒ Effective October, 2015 liability will shift for domestic and cross-border counterfeit card-present POS transactions
‒ Fuel selling merchants have until 2017
‒ Shift from issuing bank to accepting merchant
‒ Will not immediately extend to web and phone-based purchases
‒ Expected to positively impact POS card fraud
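An added example (not part of the presentation) of the static versus dynamic data point made under Merchant Processing: an issuer that checks only account number and expiration date cannot tell a repeated submission from a genuine one, while a per-transaction value tied to a counter and a terminal random number fails when resubmitted. HMAC-SHA256 stands in here for the card's cryptogram calculation, which real EMV cards perform with their own key derivation and MAC algorithms; the Issuer class, key and account number are constructed.

```python
import hashlib
import hmac

def cryptogram(card_key, atc, amount_cents, terminal_nonce):
    """Per-transaction MAC over the counter, amount and the terminal's random value."""
    msg = f"{atc}|{amount_cents}|{terminal_nonce.hex()}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:                                    # hypothetical issuer-side checks
    def __init__(self):
        self.stripe = {}   # account number -> expiration date (static data)
        self.chip = {}     # account number -> [card key, highest counter seen]

    def authorize_stripe(self, pan, expiry):
        # Static data: nothing ties the request to one transaction.
        return self.stripe.get(pan) == expiry

    def authorize_chip(self, pan, atc, amount_cents, terminal_nonce, mac):
        key, last_atc = self.chip[pan]
        if atc <= last_atc:                      # counter must move forward
            return False
        expected = cryptogram(key, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, mac):
            return False
        self.chip[pan][1] = atc
        return True

def demo():
    """Return ([stripe results], [chip results]) for genuine and repeated submissions."""
    issuer, pan, key = Issuer(), "0000111122223333", b"constructed-test-key"
    issuer.stripe[pan] = "1217"
    issuer.chip[pan] = [key, 0]

    stripe_data = (pan, "1217")                  # same values on every swipe
    stripe = [issuer.authorize_stripe(*stripe_data) for _ in range(2)]

    nonce = bytes.fromhex("a1b2c3d4")
    first = (pan, 1, 2500, nonce, cryptogram(key, 1, 2500, nonce))
    chip = [issuer.authorize_chip(*first),       # genuine transaction
            issuer.authorize_chip(*first),       # same data resubmitted: stale counter
            issuer.authorize_chip(pan, 2, 2500, bytes.fromhex("0badf00d"), first[4])]
    return stripe, chip                          # old cryptogram fails for new values

if __name__ == "__main__":
    print(demo())
```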

Page 36: Mitigating Payment Fraud

Disclaimer

This presentation was prepared for general information purposes only and is not intended as legal, tax or accounting advice or as a recommendation to engage in any specific transaction, including with respect to any securities of PNC, and does not purport to be comprehensive. Under no circumstances should any information contained in this presentation be used or considered as an offer or commitment, or a solicitation of an offer or commitment, to participate in any particular transaction or strategy.

Any reliance upon the presentation is solely and exclusively at your own risk. Please consult your own counsel, accountant or other professional advisor regarding your specific situation. Any opinions expressed in this presentation are subject to change without notice.