© 2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Payment Fraud Trends and Prevention
Brad Larson, Claire's Boutiques
Terry Crawford, AMC Theatres
Jerl Rossi, Northrop Grumman Corporation
Claudia Swendseid, Federal Reserve Bank of Minneapolis
April 4, 2011
• Please turn off all cell phones or mobile devices
• Thank you to today's sponsors
– This morning's Continental Breakfast sponsored by Javelin
– Breakfast Roundtables sponsored by SWACHA
– Thought Leadership Spotlight Session sponsored by Fundtech
– Monday Night Celebration sponsored by Fiserv
• Most of the education sessions at the conference can be counted towards your continuing AAP accreditation. If you are interested in becoming an Accredited ACH Professional (AAP), please stop by the NACHA & RPA booth
• Please take a moment to complete session evaluations. Each evening attendees will receive an email link to access session evaluations that are offered each day. Attendees are automatically entered into a daily drawing for a chance to win a $50 gift card
• Register now for PAYMENTS 2012 – Receive the PAYMENTS 2011 Early-Bird Rates – Only available onsite – Visit the Registration Desk for more details
Thanks to all of our Track Sponsors
Agenda
Who We Are
Payment Fraud Trends
Payment Fraud by Instrument
Fraud Prevention
Conclusions
Disclaimer: The views expressed in this presentation are those of the speakers and do NOT necessarily reflect the views of the organizations for which they work.
Who We Are
Claire's
• Specialty retailer of value-priced jewelry & accessories operating under the trade names Claire's & Icing
• Operates over 3,000 stores in approximately 25 countries through company-owned stores, joint ventures & franchises
• Global workforce of 16,500
Claire's & Payments
• Consumer payments received by cash, check, credit card, debit card (signature & PIN) & gift cards
• Payroll is made by paper check, direct deposit ACH and payroll card
• B2B payments made by check, wire, ACH credits, ACH debits, T&E cards, Fleet Cards & Purchase Cards
• B2B payments received by check, ACH credits & wires
Who We Are
AMC
• One of the world's most innovative & largest theatrical exhibition companies; 2nd largest US exhibitor
• Operates over 380 theatres with over 5,325 screens in 30 states, the District of Columbia & 4 countries
• Privately held & headquartered in Kansas City, Missouri since its founding in 1920. Employs about 16,800 full & part-time associates
• Hundreds of millions of guests attend AMC theatres each year
AMC & Payments
• Consumer payments received by cash, credit cards, debit cards (signature & PIN) & gift cards
• Credit card volume (over $1.2 billion per year) is about 55% of total revenue; PCI DSS "level 1" merchant
• Payroll is made by paper check, direct deposit ACH & payroll card
• B2B payments made by check, wire, ACH credits, ACH debits, T&E cards, Fleet Cards & Purchase Cards
• B2B payments received by check, ACH credits, wires & credit cards

(Annualized) | Transactions | $(000's)
Wires | 300 | 191,677
ACH | 400,000 | 1,474,190
Checks | 1,110,000 | 927,666
Credit Card (receipts) | 72,782,500 | 1,318,326
Who We Are
Northrop Grumman (NOC)
• Leading global security company that has achieved historic accomplishments, from transporting Lindbergh across the Atlantic to carrying astronauts to the moon & back
• 120,000 employees provide systems, products & solutions in aerospace, electronics, information systems, shipbuilding & technical services to government & commercial customers worldwide
• Conducts business mostly with the US Government/Department of Defense. Other customers include local, state & foreign governments & domestic & international commercial companies
• In 2009 delivered 6 ships to the US Navy & Coast Guard & launched 2 space tracking & surveillance system satellites
NOC & Payments
• 95% of payroll is via direct deposit, 5% by check
• Customer Remittance
• Vendor Payments

Customer Remittance (Annualized) | Volume | Amount ($ millions)
Wires | 8,000 | $3,000
ACH | 64,000 | $28,000
Checks | 35,000 | $300
Credit Card | 1,258,000 | $22

Vendor Payments (Annualized) | Volume | Amount ($ millions)
Wires | 10,000 | $10,100
ACH | 700,000 | $16,885
Checks | 500,000 | $4,458
Credit Card | 297,787 | $150
Who We Are
Federal Reserve System
• Sets & implements the nation's monetary policy
• Supervises & regulates a range of financial institutions & activities to ensure safe & sound banking practices
• Provides payments services to financial institutions (FIs) & the federal government
• Mission in payments: to foster the integrity, efficiency & accessibility of US dollar payments & settlement systems, issue a uniform currency & act as the fiscal agent & depository for the US government
Fed & Payments
• The Fed clears & settles a large portion of US interbank payments

Service | Average Daily Volume | Average Daily Value
Fedwire Funds | 494,000 | $2.4 trillion
Fedwire Securities | 78,000 | $1.2 trillion
FedACH* | 39.9 million | $65.4 billion
Check | 29 million | $41.4 billion
National Settlement | 2,100 | $55 billion
* commercial volume only; data through 3rd quarter 2010
Payment Fraud Defined
Payments focused on today:
• Check
• ACH credits & debits
• Card
• Impact of cyberspace on payment fraud
Payments Fraud Definition: Fraud that occurs when someone gains financial or material advantage by using a payment instrument, or information from a payment instrument, to complete a transaction that is not authorized by the legitimate account holder.
Accurate Data on Payment Fraud is Limited
• No definitive data on total number of payment fraud attacks or amount of losses in US
• Practices of FIs, companies & industries to monitor fraud vary
• Fraud data collected is often not shared; data that is shared is not comparable
• Fraud "facts" reported are subject to hype
[Chart: % of FIs Tracking & Sharing ATM/Debit Card Fraud Data. Categories: Internally track loss; Internally track loss avoided; Internally track loss & loss avoided; Peer benchmarking; Report to Nat'l Shared Databases. Scale 0-100%.]
Chart Data Source: ABA 2007 Deposit Account Fraud Survey
Corporate Fraud Attacks & Losses
Source: 2010 AFP Payments Fraud & Control Survey
• Nearly ¾ of corporations reported payments fraud attacks in 2009; about 30% suffered losses
• Large companies are more often the target of fraud; small companies more often suffer losses
• Fraud attempts have been steady since 2006; fraud losses have declined since 2006
[Chart: % of respondents reporting fraud attacks vs. % reporting fraud losses, by year 2004-2009. Series: Respondents; Fraud Losses. Scale 0-100%.]
Corporate Fraud by Payment Type

Payment Types | Check | ACH¹ | Corporate & Commercial Cards² | Consumer Cards (Db/Cr)
Subject to Fraud | 90% | 25% Debits, 7% Credits | 17% | 20%
Financial Loss From Fraud | 17% | 11% | 43% Own, 16% Accepted | NA
Responsible for Greatest Financial Loss | 64% | 5% Debits, 1% Credits | 8% | 20%
Primary Reason for Loss | Did not use positive pay services | Did not use debit blocks, filters & positive pay | Illicit use of own card data & inadequate internal controls | NA³

• Check fraud most attempted & most subject to losses; consistent trend since 2004
• Card fraud losses growing
• Main reasons for losses:
– Internal controls not enforced
– Common prevention services not used
Source: AFP 2010 Payments Fraud & Control Survey
¹ Includes ACH debits & credits except as noted. ² Includes payments made on organization's own cards & B2B card payments accepted. ³ NA – data not collected in 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts
[Bar chart: % of respondents reporting each scheme. Schemes: Counterfeit checks; Altered or forged checks; Counterfeit or stolen cards used at point-…; Cash register frauds; Fraudulent credentials to defraud accounts; Other Internet initiated payments; Counterfeit or stolen cards used online; Fraudulent checks converted to ACH …; Counterfeit currency; Other; Telephone initiated payments.]
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted
[Bar chart: % of respondents reporting each scheme. Schemes: Counterfeit checks; Altered or forged checks; Counterfeit or stolen cards used at point-of-…; Cash register frauds; Fraudulent credentials to defraud accounts; Other Internet initiated payments; Counterfeit or stolen cards used online; Fraudulent checks converted to ACH payments; Counterfeit currency; Other; Telephone initiated payments.]
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)

Perpetrator | All Respondents | Revenues >$1 B | Revenues <$1 B
Outside Individual (e.g., check forged, stolen card) | 87 | 87 | 88
Organized Crime Ring | 15 | 15 | 12
Internal Party | 11 | 12 | 8
External known party (e.g., vendor, 3rd party service provider, trading partner) | 8 | 10 | 4
Criminal invasion (e.g., hacked system, malware) | 4 | 3 | 7
Other | 4 | 2 | 6
Lost or stolen laptop or other device | 2 | 1 | 2

Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud

Payment Method | Comparative Value/Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $0.07 - $0.14 per $100 purchases | $2.1 trillion | $1.47 - $2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card – PIN | $0.001 - $0.028 per $100 purchases | $0.3 trillion | $32.7 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – Signature | $0.024 - $0.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – ATM | $0.025 per $100 value or $0.025 per transaction | $0.579 trillion (5.8 billion trans.) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $0.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $0.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $0.008 per $100 value of cash in circulation | $0.79 trillion in circulation YE '07 | $61 million (2007) | US Secret Service press release, March 2008

DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES
Estimated values: For cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank sizes: Community; Mid-Sized; Regional; Money Center; All. Account types: Large Corporation; Middle Market; Small Business.]
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of Check Fraud Causing Losses (Average Percentage per Bank)

Type | Based on Number of Cases with Losses | Based on Actual Loss Amount
RDIs | 35% | 35%
Forgeries | 26% | 22%
Counterfeit | 26% | 30%
Kiting | 4% | 6%
Alteration | 4% | 4%
Other | 5% | 3%

RDI: Returned Deposited Items, e.g., closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
• Low risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
– Check alterations, forged or missing endorsements & counterfeits may be harder to detect
– Certain check security features may be lost through the imaging process
– Certain physical alterations, such as check "washing", may be obscured by the imaging process
– Insider fraud potential may increase as customer employees are not subject to FI screening, e.g., presenting checks more than once, stealing personal information on checks
– Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g., modulus check serial numbers/reference numbers, encrypted check data (e.g., payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
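Three of the controls above (positive pay, daily reconciliation, and a modulus check digit on the serial number as an image-survivable feature) combined in one matcher, as an added example that is not code from the presentation or from any bank's positive pay product; the issue file, presented items and serial format are constructed for illustration.

```python
"""Check positive pay matcher with a modulus (Luhn mod-10) check digit on the
check serial number. Added illustration of the controls listed above; it is not
code from the presentation or from any bank's positive pay product. Issue
records and presented items are constructed samples."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssueRecord:
    serial: str       # check serial number, last digit is its check digit
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    serial: str
    amount: Decimal
    payee: str        # payee name as read from the check image


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for the digits of a serial number body."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # double every other digit, starting at the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """Image-survivable feature: the serial's last digit must be its check digit,
    so a counterfeit with a made-up serial fails before any file lookup."""
    return serial.isdigit() and len(serial) > 1 and luhn_check_digit(serial[:-1]) == serial[-1]


def _norm(name: str) -> str:
    return " ".join(name.upper().split())


def positive_pay_match(issue_file, presented, previously_paid=()):
    """Match items presented for payment against the issue file. Returns a list of
    (serial, decision, reason) with decision PAY or EXCEPTION; exceptions go to the
    company for a pay/return decision before the bank's same-day deadline."""
    issued = {rec.serial: rec for rec in issue_file}
    paid = set(previously_paid)
    results = []
    for item in presented:
        if not serial_is_valid(item.serial):
            results.append((item.serial, "EXCEPTION", "check digit invalid: suspected counterfeit"))
        elif item.serial not in issued:
            results.append((item.serial, "EXCEPTION", "no issue record: suspected counterfeit"))
        elif item.serial in paid:
            results.append((item.serial, "EXCEPTION", "duplicate presentment"))
        elif item.amount != issued[item.serial].amount:
            results.append((item.serial, "EXCEPTION",
                            f"amount {item.amount} differs from issued {issued[item.serial].amount}: possible alteration"))
        elif _norm(item.payee) != _norm(issued[item.serial].payee):
            results.append((item.serial, "EXCEPTION",
                            f"payee '{item.payee}' differs from issued '{issued[item.serial].payee}': possible alteration"))
        else:
            paid.add(item.serial)
            results.append((item.serial, "PAY", "matches issue file"))
    return results


def outstanding_serials(issue_file, results):
    """Daily reconciliation: issued checks that have not been paid."""
    paid = {serial for serial, decision, _ in results if decision == "PAY"}
    return sorted(rec.serial for rec in issue_file if rec.serial not in paid)


# Constructed sample data. Each serial ends in its Luhn check digit.
SAMPLE_ISSUE_FILE = (
    IssueRecord("100453", Decimal("1250.00"), "Acme Supply Co"),
    IssueRecord("100461", Decimal("925.00"), "Acme Supply Co"),
    IssueRecord("100479", Decimal("480.00"), "Metro Utilities"),
    IssueRecord("100487", Decimal("60.00"), "Office Plus LLC"),
)
SAMPLE_PRESENTED = (
    PresentedItem("100453", Decimal("1250.00"), "ACME SUPPLY CO"),   # clean match
    PresentedItem("100461", Decimal("9250.00"), "Acme Supply Co"),   # amount raised
    PresentedItem("100479", Decimal("480.00"), "Cash"),              # payee changed
    PresentedItem("100488", Decimal("2000.00"), "J. Doe"),           # bad check digit
    PresentedItem("200113", Decimal("300.00"), "J. Doe"),            # valid digit, never issued
    PresentedItem("100453", Decimal("1250.00"), "Acme Supply Co"),   # presented twice
)


def run_sample():
    return positive_pay_match(SAMPLE_ISSUE_FILE, SAMPLE_PRESENTED)


if __name__ == "__main__":
    for serial, decision, reason in run_sample():
        print(serial, decision, reason)
    print("outstanding:", outstanding_serials(SAMPLE_ISSUE_FILE, run_sample()))
```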
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
• Impact of Network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12

Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/Counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
Source: 2010 AFP Payment Fraud & Control Survey
[Chart: Corporate ACH Fraud, % of respondents by Number of Attempts (1-5, 6-10, 11-15, 16-20, >20). Series: All Respondents (Median = 3); Revenues >$1 B (Median = 4); Revenues <$1 B (Median = 3). Scale 0-80%.]
ACH Fraud Resulting in Financial Loss:
• All Respondents: 11%
• Revenues >$1 B: 9%
• Revenues <$1 B: 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
• Criminal element has identified the ACH as vulnerable; have begun targeting smaller corporates & their banks
• Methods used to gain access to account:
– Employee visits social network site, opens infected document
– Trick employee into downloading malware (e.g., keystroke capture virus) from the internet
– Social engineering/vishing, e.g., calling & tricking employee to disclose credentials
– Phishing/spearphishing to trick employee into entering credentials
– Fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
– Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. May believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH Positive Pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g., develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
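The debit block, debit filter, known-fraudulent-recipient file and dual-control items above, as an added example that is not code from the presentation or from any bank's service; the account rules, company IDs, routing/account numbers and entries are constructed, and the HOLD-on-first-payment rule is an assumption drawn from the mule-account pattern described on the takeover slide.

```python
"""ACH debit block/filter screening for incoming debits, and a blacklist plus
dual-control screen for outgoing credits. Added illustration of the controls
listed above; not code from the presentation or from any bank's product.
Account rules, company IDs, routing/account numbers and entries are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class DebitFilterRule:
    company_id: str        # originator's ACH company ID from the batch header
    max_amount: Decimal    # largest single debit this originator may take


@dataclass(frozen=True)
class AccountRules:
    debit_block: bool = False     # True: return every incoming debit
    filters: tuple = ()           # DebitFilterRule entries honoured when not blocked


@dataclass(frozen=True)
class IncomingDebit:
    account: str
    company_id: str
    amount: Decimal


@dataclass(frozen=True)
class OutgoingCredit:
    routing: str
    account: str
    amount: Decimal
    initiator: str
    approver: Optional[str] = None   # second person who released it, if any


def screen_incoming_debit(debit, rules_by_account):
    """Return (decision, reason); decision is POST or RETURN. RETURN items must be
    sent back as unauthorized inside the return window, hence daily reconciliation."""
    rules = rules_by_account.get(debit.account)
    if rules is None:
        return "RETURN", "account not enrolled for debits"
    if rules.debit_block:
        return "RETURN", "debit block on account"
    for rule in rules.filters:
        if rule.company_id == debit.company_id:
            if debit.amount <= rule.max_amount:
                return "POST", f"originator {rule.company_id} within limit {rule.max_amount}"
            return "RETURN", f"amount {debit.amount} exceeds limit {rule.max_amount}"
    return "RETURN", f"originator {debit.company_id} not on debit filter"


def screen_outgoing_credit(credit, known_recipients, fraud_list, dual_control_threshold):
    """Return (decision, reason); decision is RELEASE, HOLD or REJECT. A first payment
    to a recipient always holds (assumption): takeover fraud pays out to new mule accounts."""
    key = (credit.routing, credit.account)
    if key in fraud_list:
        return "REJECT", "recipient on known-fraudulent list"
    if key not in known_recipients:
        return "HOLD", "first payment to this recipient: verify out of band"
    if credit.amount >= dual_control_threshold:
        if credit.approver is None or credit.approver == credit.initiator:
            return "HOLD", "dual control: independent second approver required"
    return "RELEASE", "known recipient, controls satisfied"


# Constructed sample rules and entries (routing/account numbers are not real).
RULES = {
    "1001": AccountRules(debit_block=True),
    "1002": AccountRules(filters=(
        DebitFilterRule("1234567890", Decimal("5000.00")),   # e.g. a payroll tax service
        DebitFilterRule("2222222222", Decimal("800.00")),
    )),
}
DEBITS = (
    IncomingDebit("1001", "1234567890", Decimal("100.00")),    # blocked account
    IncomingDebit("1002", "1234567890", Decimal("4200.00")),   # on filter, under limit
    IncomingDebit("1002", "1234567890", Decimal("7500.00")),   # on filter, over limit
    IncomingDebit("1002", "9999999999", Decimal("50.00")),     # unknown originator
    IncomingDebit("1003", "2222222222", Decimal("10.00")),     # account not enrolled
)
KNOWN = {("123456789", "777001")}
FRAUD = {("987654321", "555999")}
THRESHOLD = Decimal("10000.00")
CREDITS = (
    OutgoingCredit("123456789", "777001", Decimal("2500.00"), "alice"),
    OutgoingCredit("987654321", "555999", Decimal("900.00"), "alice"),
    OutgoingCredit("123456789", "310777", Decimal("900.00"), "alice"),
    OutgoingCredit("123456789", "777001", Decimal("15000.00"), "alice"),
    OutgoingCredit("123456789", "777001", Decimal("15000.00"), "alice", "bob"),
)


def run_sample():
    """Decisions for the constructed entries: (incoming list, outgoing list)."""
    incoming = [screen_incoming_debit(d, RULES)[0] for d in DEBITS]
    outgoing = [screen_outgoing_credit(c, KNOWN, FRAUD, THRESHOLD)[0] for c in CREDITS]
    return incoming, outgoing


if __name__ == "__main__":
    print(run_sample())
```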
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment Type | Costs ($B)
Losses by online retailer due to credit card fraud | $3.6
Losses by brick-and-mortar retailer due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g., PCI | $2.0 – $5.5
Fraud by Type of B2B Card
[Bar chart: % of respondents by card type. Card types: Purchasing Card; T&E Card; Multi-Use Card; Ghost Card; Fleet Card; Other. Scale 0-80%.]
Source: 2010 AFP Payments Fraud & Control Survey

Type of Fraud | % of Respondents
Experienced Fraud from Own B2B Card Use | 42%
Experienced Loss Due to Accepting B2B Card | 16%
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Source of Loss | Signature Debit Fraud Losses | PIN Debit Fraud Losses
Account Takeover | 3% | 7%
Stolen Card | 21% | 45%
Lost Card | 9% | 7%
Counterfeit | 37% | 23%
e-Commerce & MOTO | 25% | 6%
Other | 5% | 12%

Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g., fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
– Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Source: RSA Security Survey, September 2010
Estimated cost of buying information & services online to perpetrate fraud

Cost on Black Market | Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set: Credit card, CVV2 code, expiration date, username & password, address, SSN, DOB | $5 - $20
Online Banking Account: Depends on account type & balance | $50 - $1,000
Denial of Service Attack | $50 for 24 hours to a single target
Zeus Trojan Virus Kit | $3,000 - $4,000
Phishing Activity Targets by Industry
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
[Bar chart: When is Fraud Usually Detected? (% of respondents). Categories: Customer Notifies Us; At the Point of Transaction; Third-Party Notification; At the Point of Origination; During Account Audit/Reconciliation. Scale 0-100%.]
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
[Bar chart: Most Effective Fraud Prevention Tools (% of respondents). Categories: Employee Education; Customer Awareness; Fraud Tools & Technologies; Real-Time Decision Tools; Manual Account Monitoring. Scale 0-90%.]
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
[Chart: Corporate Views on Risk Services Used & Effectiveness. Each service is labelled with its % of respondents using it (from 16% to 71%). Services: Account masking services; Post no check services; ACH payee positive pay; ACH positive pay; Card alert services for corp cards; Account alert services; Check payee positive pay; Multi-factor authentication to initiate payments; ACH debit filters; Check positive pay/reverse positive pay; ACH debit blocks; Online information services. Legend: Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use w/in 12 to 24 months.]
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
[Chart: each control is labelled with its % of respondents using it (from 8% to 65%). Controls: Magnetic stripe or card chip authentication; Biometrics authentication; Participate in fraudster databases & alerts; Centralized fraud database for multiple pymt types; Centralized fraud database for one pymt type; Verify customer state ID card is authentic; Software w/ pattern matching or other indicators; Fraud detection pen for currency; Positive ID of purchaser or account for POS trx; Centralized risk management department; Customer authentication for online transactions; Human review of payment transactions. Legend: Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use w/in 12 to 24 months.]
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation

Main Barriers to Reducing Payments Fraud | % of Respondents
Lack of staff resources | 53
Consumer data privacy issues/concerns | 41
Cost of implementing commercially available fraud detection tool/service | 41
Cost of implementing in-house fraud detection tool/method | 38
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods | 35
Unable to combine payment information for review due to operating in multiple states | 3
Unable to combine payment information for review due to operating with multiple different banks | 3
Corporate reluctance to share information due to competitive issues | 3
Other | 15

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies
6. Review results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, www.frbservices.org
Resources
Industry Links
• American Bankers Association www.aba.com
• Association for Financial Professionals www.afponline.org
• Bank Administration Institute www.bai.org
• BITS www.bitsinfo.org
• Credit Union National Association www.cuna.org
• Board of Governors of the Federal Reserve System www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO) www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC) www.ffiec.gov
• Federal Reserve Financial Services www.frbservices.org
• Independent Community Bankers of America www.icba.org
• National Automated Clearing House Association www.nacha.org
• National Association of Federal Credit Unions www.nafcunet.org
• X9 Financial Industry Standards www.x9.org
Online Sales & Revenue Lost to Fraud
[Chart: Total e-commerce revenue and revenue lost to fraud, in $ billions, by year 2000-2010. Scale 0-350.]
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
[Chart: Revenue lost to online fraud as a percentage of total online sales (scale 0.0-4.0%) & total online fraud losses ($ billions), by year 2000-2010.]
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Payment Type: ACH
Subtype (Fraud Type): Credit Items (PPD)
Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement
Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit Items can be returned at any time
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4

Payment Type: ACH
Subtype (Fraud Type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)¹
Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement. Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement
Legal Authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR³ Section 8.6.1
Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI² returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG⁴ 102, 103

¹ ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E as it specifically excludes items that were first originated by a check. ² Receiving Depository Financial Institution. ³ NACHA Operating Rules (2009). ⁴ NACHA Operating Guidelines (2009); the number following OG refers to the page number.
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
Appendix A Payments Fraud Liability Matrix (page 50, continued)

Check: Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Consumer protection (exception): Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
  Legal authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable (if cannot recover against fraudster or merchant): Depository bank is liable, as there is a breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check: Remotely created checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable (if cannot recover against fraudster or merchant): Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A Payments Fraud Liability Matrix (page 51, continued)

Credit Cards: Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Who is liable (if cannot recover against fraudster or merchant): The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules [6].

Credit Cards: Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Who is liable (if cannot recover against fraudster or merchant): The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A Payments Fraud Liability Matrix (page 52, continued)

Debit Cards: Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable (if cannot recover against fraudster or merchant): The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard Rules.
Appendix A Payments Fraud Liability Matrix (page 53, continued)

Debit Cards: Card not present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable (if cannot recover against fraudster or merchant): The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary sources [7].
Appendix A Payments Fraud Liability Matrix (page 54, continued)

Debit Cards: Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement.
  Legal authority: NACHA OR Section 861.
  Who is liable (if cannot recover against fraudster or merchant): Under NACHA Rules the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
cash check credit card debit card (signature amp PIN) amp gift cards
Payroll is made by paper check direct deposit ACH and payroll card
B2B payments made by check wire ACH credits ACH debits TampE cards Fleet Cards amp Purchase Cards
B2B payments received by check ACH credits amp wires
4
Clairersquos
Specialty retailer of value-
priced jewelry amp accessories
operating under trade names
Claires amp Icing
Operates over 3000 stores in
approximately 25 countries
through company-owned
joint ventures amp franchises
Global workforce of 16500
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Who We Are
AMC amp Payments Consumer payments received by cash credit
cards debit cards (signature amp PIN) amp gift cards
Credit card volume (over 12 billion per year) is about 55 of total revenue PCI DSS ldquolevel 1rdquo merchant
Payroll is made by paper check direct deposit ACH amp payroll card
B2B payments made by check wire ACH credits ACH debits TampE cards Fleet Cards amp Purchase Cards B2B payments received by check ACH credits wires amp credit cards
5
AMC One of the worldrsquos most innovative amp
largest theatrical exhibition companies 2nd largest US exhibitor
Operates over 380 theatres with over 5325 screens in 30 states the District of Columbia amp 4 countries
Privately held amp headquartered in Kansas City Missouri since its founding in 1920 Employs about 16800 full amp part-time associates
Hundreds of millions of guests attend AMC theatres each year
(Annualized) transactions $(000rsquos)
Wires 300 191677
ACH 400000 1474190
Checks 1110000 927666
Credit Card (receipts)
72782500 1318326
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Who We Are
NOC amp Payments 95 payroll is via direct deposit 5 check
Customer Remittance
Vendor Payments
6
Northop Grumman (NOC) Leading global security company that has
achieved historic accomplishments from transporting Lindbergh across the Atlantic to carrying astronauts to the moon amp back
120000 employees provide systems products amp solutions in aerospace electronics information systems shipbuilding amp technical services to government amp commercial customers worldwide
Conducts business mostly with the US GovernmentDepartment of Defense Other customers include local state amp foreign governments amp domestic amp international commercial companies
In 2009 delivered 6 ships to the US Navy amp Coast Guard amp launched 2 space tracking amp surveillance system satellites
(Annualized) VolumeAmount
($ millions)
Wires 8000 $ 3000
ACH 64000 $ 28000
Checks 35000 $ 300
Credit Card 1258000 $ 22
(Annualized) VolumeAmount
($ millions)
Wires 10000 $ 10100
ACH 700000 $ 16885
Checks 500000 $ 4458
Credit Card 297787 $ 150
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Who We Are
Federal Reserve System Sets amp implements nationrsquos monetary
policy
Supervises amp regulates range of financial institutions amp activities to ensure safe amp sound banking practices
Provides payments services to financial institutions (FIs) amp the federal government
Mission in payments to foster the integrity efficiency amp accessibility of US dollar payments amp settlement systems issue a uniform currency amp act as the fiscal agent amp depository for the US government
Fed amp Payments The Fed clears amp settles a large
portion of US interbank payments
7
Service Average
Volume Daily
AverageValue Daily
Fedwire Funds 494 000 $24 trillion
Fedwire Securities
78000 $12 trillion
FedACH 399 million $654 billion
Check 29 million $414 billion
National Settlement
2100 $55 billion
commercial volume only data through 3rd quarter 2010
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Payment Fraud Defined
Payments focused on today
Check
ACH credits amp debits
Card
Impact of cyberspace on payment fraud
Payments Fraud Definition Fraud that occurs when someone gains
financial or material advantage by using a payment instrument or
information from a payment instrument to complete a transaction that
is not authorized by the legitimate account holder
8
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Accurate Data on Payment Fraud is Limited
No definitive data on total number of payment fraud attacks or amount of losses in US
Practices of FIs companies amp industries to monitor fraud vary
Fraud data collected is often not shared data that is shared is not comparable
Fraud ldquofactsrdquo reported are subject to hype
0
20
40
60
80
100Internally track loss
Internally track loss avoidedPeer benchmarking
Report to Natl Shared Databases
0
20
40
60
80
100
Internally track loss amp loss avoided
Peer benchmarking
of FIs Tracking amp Sharing ATMDebit Card Fraud Data
Chart Data Source ABA 2007 Deposit Account Fraud Survey
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Corporate Fraud Attacks amp Losses
10
Source 2010 AFP Payments Fraud amp Control Survey
Nearly frac34 of corporations
reported payments fraud
attacks in 2009 about 30
suffered losses
Large companies are more
often the target of fraud
small companies more often
suffer losses
Fraud attempts have been
steady since 2006 fraud
losses have declined since
2006
55
6872 71 71 73
17 19
58
37 37
30
0
10
20
30
40
50
60
70
80
90
100
2004 2005 2006 2007 2008 2009
Respondents
Fraud Losses
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Payment Types
Check ACH1 Corporate amp Commercial
Cards2
Consumer Cards
(DbCr)
Subject to Fraud 90
25 Debits 7 Credits
17 20
Financial Loss From Fraud 17 11
43 Own 16 Accepted
NA
Responsible for Greatest Financial Loss
645 Debits1 Credits
8 20
Primary Reason for Loss
Did not use positive pay
services
Did not use debit blocks
filters amp positive pay
Illicit use of own card data amp inadequate
internal controls
NA3
Corporate Fraud by Payment Type
Check fraud most attempted amp most subject to losses consistent trend since 2004
Card fraud losses growing
Main reasons for losses
Internal controls not enforced
Common prevention services not used
AFP 2010 Payments Fraud amp Control Survey
1Includes ACH debits amp credits except as noted2Includes payments made on organizationrsquos own cards amp B2B card payments accepted3NA ndash data not collected in 2010 survey
11
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Top Fraud Schemes Involving Corporatersquos Own Accounts
12
9
9
13
13
16
16
16
19
31
34
34
Telephone initiated payments
Other
Counterfeit currency
Fraudulent checks converted to ACH hellip
Counterfeit or stolen cards used online
Other Internet initiated payments
Fraudulent credentials to defraud accounts
Cash register frauds
Counterfeit or stolen cards used at point-hellip
Altered or forged checks
Counterfeit checks
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Top Fraud Schemes Involving Payments Accepted
13
9
9
13
13
16
16
16
19
31
34
34
Telephone initiated payments
Other
Counterfeit currency
Fraudulent checks converted to ACH payments
Counterfeit or stolen cards used online
Other Internet initiated payments
Fraudulent credentials to defraud accounts
Cash register frauds
Counterfeit or stolen cards used at point-of-hellip
Altered or forged checks
Counterfeit checks
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009
AllRespondents
Revenues gt$1 B
Revenues lt $1 B
Outside Individual (eg check forged stolen card)
87 87 88
Organized Crime Ring 15 15 12
Internal Party 11 12 8
External known party (eg vendor 3rd party service provider trading partner)
8 10 4
Criminal invasion(eg hacked system malware)
4 3 7
Other 4 2 6
Lost or stolen laptop or other devise 2 1 2
14
Source 2010 AFP Payments Fraud amp Control Study
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Comparative Cost of Payments Fraud
Payment Method
Comparative ValueRange
Total DollarValue
Estimated
Loss
Source of Information
Credit Card $07 - $14per$100 purchases
$21 trillion $147 - 294 billion(20072008)
Nilson Report 2008 Javelin 2009 ID Fraud Survey Report
Debit Card ndashPIN
$001 - $028 per$100 purchases
$03 trillion $327 million (2007) Pulse 2008 Debit Issuer Study
Debit Card ndashSignature
$024 - $096 per$100 purchases
$06 trillion $324 million(2007)
Pulse 2008 Debit Issuer Study
Debit Card ndashATM
$025 per $100 value or $025 per transaction
$0579 trillion(58 billion trans)
$145 million(2007)
Pulse 2008 Debit Issuer Study
ACH $023 per $100 value of transactions
$31 trillion $698 billion(20052006)
NACHA 2005 ABA 2006
Check $027 per $100 value of checks paid
$416 trillion $11 billion(2006)
ABA 2006 Nilson Report 2007 FRB Kansas City
Cash $008 per $100 value of cash in circulation
$079 trillion In circulation YE lsquo07
$61 million (2007)
US Secret Service press release March 2008
DATA IS NOT PRECISE INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES
Estimated values For cards aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value For check amp ACH the loss range was calculated based on the aggregate loss estimate amp 2006 payment value
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study except currency in circulation
15
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Check Fraud
16
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
2218
5
1216
1 6
4
4
5
1
4
16 95
Community Mid-Sized Regional Money Center All
Target of Check Fraud By Size of Bank amp Account Type
Large Corporation
Middle Market
Small Business
Source 2009 ABA Deposit Account Fraud Survey
17
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Check Fraud Losses Caused Most by Counterfeits Forgeries or Bad Accounts
RDIs35
Forgeries26
Counterfeit26
Kiting4
Alteration4
Other5
RDIs35
Forgeries22
Counterfeit30
Alterations4
Kiting6
Other3
Based on Number of Cases with Losses Based on Actual Loss Amount
Average Percentage per Bank
Source 2009 ABA Deposit Account Fraud Survey
18
RDI Returned Deposited Items eg closed accounts NSFs stop payments
Type of Check Fraud Causing Losses
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Why is Check Fraud Persistent amp Widespread
Low risk crime
Low barriers amp costs to entry
Account amp other information needed is accessible
Attributes of paper facilitate fraud
Remote deposit capture (RDC) may increase aspects of fraud risk Check alterations forged or missing endorsements amp counterfeits may be
harder to detect
Certain check security features may be lost through imaging process
Certain physical alterations such as check ldquowashingrdquo may be obscured by imaging process
Insider fraud potential may increase as customer employees are not subject to FI screeningmdasheg presenting checks more than once stealing personal information on checks
Use of RDC by foreign correspondent banks amp services may raise money laundering risks
19
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Best Ways to Mitigate Check Fraud Risk
Institute positive pay Require signature verification Reconcile accounts daily Consider using image-survivable check security
features egmodulus check serial numbersreference numbers encrypted check data (eg payee amount) printed on
check
Secure check stock amp implement dual control around key treasury functions
20
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
ACH Fraud
21
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Total ACH Fraud Appears to be Low
22
ACH debit transactions grew 161 CAGR while unauthorized returned debits grew only 36 CAGR
Impact of Network-wide rules shows in downward trend of absolute volume of unauthorized debit returns
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 ndash 5 with 5 = Very Important corporations have high degree of concern about ACH debit fraud
ACH fraud that affects corporations
Unauthorized debits to accounts
ACH kiting
Invalid debit originationCounterfeit ACH
Fraudulent claims of unauthorized debits
Insider origination fraud
Corporate account takeovers that issue fraudulent ACH payments
23
Source Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
Middle Market Large Corporate
Fraud Concern 2009 2010 2009 2010
ACH Debits 406 403 424 412
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
ACH Origination Fraud
24
Source 2010 AFP Payment Fraud amp Control Survey
68
108
3
12
61
8
13
5
13
75
11
0 0
14
0
10
20
30
40
50
60
70
80
1-5 6-10 11-15 16-20 gt 20
Number of Attempts
Corporate ACH Fraud
All Respondents (Median = 3)
Revenues gt $1 B (Median = 4)
Revenues lt $1 B (Median = 3)
ACH Fraud Resulting in
Financial Loss
All Respondents 11
Revenues gt $1 B 9
Revenues lt $1 B 18
33 of middle market
corporations amp 102 of
large corporations report
a major ACH fraud issue
in past two years
Source 2010 AFP Payment Fraud amp Control Survey
2011 Phoenix Hecht After the Financial Crisis
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Corporate Account Takeover Criminal element has identified the ACH as vulnerable have begun targeting
smaller corporates amp their banks
Methods used to gain access to account Employee visits social network site - opens infected document
Trick employee into downloading malware (eg keystroke capture virus) from internet
Social engineeringvishing eg calling amp tricking employee to disclose credentials
Phishingspearphishing to trick employee into entering credentials
Fraudsters send millions of e-mails from ldquolegitimaterdquo organization to lure employees into clicking on spoofed link
Hacking computer system that is inadequately protected
Once account is accessed fraudster transfers funds to ldquomulerdquo account via ACH transaction mule accounts are emptied amp abandoned
Mules are individuals recruited as ldquopayment processorrdquo or ldquofinancial agentrdquo via work-at-home advertisements or from resumes posted on job search websites May believe job is legitimate may be lower-level criminal or been previously defrauded
25
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Best Ways to Mitigate ACH Fraud Risk
26
Implement best practices for online amp IT data security authenticating customers amp initiating payments
Use ACH Positive Pay debit blocks amp filters as appropriate
Implement proactive detection amp monitoring Develop amp use files of known fraudulent recipients
eg develop blacklists Reconcile accounts daily amp make timely returns Retain rights of refusal Require due diligence of 3rd party processors Educate customers amp employees on fraud amp how to
report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Card Fraud
27
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Card Fraud Losses
28
2009 card fraud losses estimated at $689 billion a 7 increase from 2008 (Pulse) 20 respondents experienced consumer creditdebit card
fraud 17 experienced corporatecommercial purchasing card fraud
Signature debit card fraud increased 43 PIN debit fraud loss rose by 24 Credit card fraud affected 65 million victims Debit card fraud affected 35 million victims
Source 2010 AFP Payments Fraud amp Control Study Pulse 2010 Debit Issuer Study
Payment Type Costs ($B)
Losses by online retailer due to credit card fraud $36
Losses by brick-and-mortar retailer due to debit amp credit card fraud $20
Cost of compliance with debit amp credit card security eg PCI $20 ndash $55
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud by Type of B2B Card
72
45
2723 23
70
10
20
30
40
50
60
70
80
Purchasing Card
TampE Card Multi-Use Card
Ghost Card Fleet Card Other
29
Source 2010 AFP Payments Fraud amp Control Survey
Type of Fraud of Respondents
Experienced Fraud from Own B2B Card Use 42
Experience Loss Due to Accepting B2B Card 16
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Stolen amp Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature Debit Fraud Losses
Account Takover
3
Stolen Card 21
Lost Card 9
Counterfeit 37
e-Commerce amp MOTO
25
Other 5
PIN Debit Fraud LossesAccount
Takeover 7
Stolen Card 45
Lost Card 7
Counterfeit 23
e-Commerce amp MOTO
6Other 12
30
Source ABA Deposit Account Fraud Survey Report - 2009
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Best Ways to Mitigate Card Fraud Risk
Use intelligent fraud prevention amp detection systems to identify high-risk transactions
Validate compliance with PCI standards Use real-time authorization amp address verification
systems Use check card verification codes amp secure payment
services for card-not-present acceptance Respond immediately to fraud amp chargeback issues Implement programs amp protective controls to prevent
misuse of corporate payment cards by employees Set transaction limits amp block unauthorized vendors Use payment tools that provide real-time spend visibility
amp detailed reporting
31
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Impact of Cyberspace on Payments Fraud
32
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraudmdasheg fraudulent payment used to buy goodsservices online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchasesmdash40 in-person amp 37 online (Javelin 2009 Identity Fraud Survey Report)
Increases velocity of payments fraud
33
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Cyberspace Crime Lowers the Cost of Payments Fraud
Source RSA Security Survey September 2010
Estimated cost of buying information amp services online to perpetrate fraud
34
Cost on Black Market Estimate (2010)
Credit Card $150 - $300
SSN amp Date of Birth (DOB) $150 - $300
Full data setCredit card CVV2 code expiration date username amp password address SSN DOB
$5 - $20
Online Banking AccountDepends on account type amp balance
$50 - $1000
Denial of Service Attack $50 for 24 hours tosingle target
Zeus Trojan Virus Kit $3000 - $4000
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Phishing Activity Targets by Industry
35
APWG Phishing Activity Trends Report 2nd Q 2010
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Prevention
36
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Detection More Is Needed
76
4841
26 23
0
10
20
30
40
50
60
70
80
90
100
Customer Notifies Us At the Point of transaction
Third-Party Notification
At the Point of Origination
During Account AuditReconciliation
When is Fraud Usually Detected
37
Source Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most Effective Fraud Prevention Tools (% of respondents)
Employee education: 77
Customer awareness: 67
Fraud tools & technologies: 58
Real-time decision tools: 45
Manual account monitoring: 28
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service)
Account masking services: 16
Post no check services: 22
ACH payee positive pay: 23
ACH positive pay: 28
Card alert services for corporate cards: 29
Account alert services: 36
Check payee positive pay: 42
Multi-factor authentication to initiate payments: 49
ACH debit filters: 49
Check positive pay / reverse positive pay: 51
ACH debit blocks: 57
Online information services: 71
Respondents rated each service they use as very effective, somewhat effective, somewhat ineffective or very ineffective, or reported a plan to use it within 12 to 24 months; the breakdown by rating is not recoverable from this transcript.
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
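The check positive pay, payee positive pay and ACH debit filter/block services listed on this slide, worked through as an added example (example code, not from the presentation or from any of the speakers' organizations): an issue-file match on serial, amount and payee, and an originator allow-list with per-item caps. The modulus-10 check digit on the serial number is an assumed image-survivable feature, and every serial, payee, amount, company ID and trace number is constructed sample data.

```python
"""Positive pay and ACH debit filter decision logic (added example; the
modulus-10 serial check and all sample data are assumptions, not the
presentation's or any bank's own product)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

Decision = Tuple[str, str, str]  # (item id, "pay" | "exception" | "return", reason)


@dataclass(frozen=True)
class IssuedCheck:
    serial: str        # check serial number; last digit is a modulus check digit
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedCheck:
    serial: str
    amount: Decimal
    payee: str         # payee name as read from the check image


@dataclass(frozen=True)
class AchDebit:
    trace: str         # ACH trace number of the incoming debit
    company_id: str    # originator's company identification
    amount: Decimal


def mod10_check_digit(body: str) -> str:
    """Luhn-style modulus-10 check digit over the serial number body."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """True when the serial's trailing digit matches its modulus check digit."""
    return serial.isdigit() and len(serial) > 1 and mod10_check_digit(serial[:-1]) == serial[-1]


def normalize_payee(name: str) -> str:
    """Case- and punctuation-insensitive payee comparison for payee positive pay."""
    return " ".join("".join(c for c in name.upper() if c.isalnum() or c.isspace()).split())


def positive_pay(issued: List[IssuedCheck], presented: List[PresentedCheck]) -> List[Decision]:
    """Payee positive pay: pay only items matching the issue file on serial,
    amount and payee; anything else is an exception for customer review.
    A second presentment of an already-paid serial is flagged as a duplicate."""
    issue_file: Dict[str, IssuedCheck] = {c.serial: c for c in issued}
    paid = set()
    decisions: List[Decision] = []
    for item in presented:
        if not serial_is_valid(item.serial):
            decisions.append((item.serial, "exception", "serial fails modulus check"))
        elif item.serial in paid:
            decisions.append((item.serial, "exception", "duplicate presentment"))
        elif item.serial not in issue_file:
            decisions.append((item.serial, "exception", "no matching issue record"))
        elif issue_file[item.serial].amount != item.amount:
            decisions.append((item.serial, "exception", "amount mismatch"))
        elif normalize_payee(issue_file[item.serial].payee) != normalize_payee(item.payee):
            decisions.append((item.serial, "exception", "payee mismatch"))
        else:
            paid.add(item.serial)
            decisions.append((item.serial, "pay", "matched issue record"))
    return decisions


def ach_debit_filter(debits: List[AchDebit], allowed: Dict[str, Decimal]) -> List[Decision]:
    """ACH debit filter: pay debits only from allow-listed originators within
    their per-item cap and return the rest. An empty allow-list is a debit block."""
    decisions: List[Decision] = []
    for d in debits:
        cap = allowed.get(d.company_id)
        if cap is None:
            decisions.append((d.trace, "return", "originator not on allow-list"))
        elif d.amount > cap:
            decisions.append((d.trace, "return", "amount exceeds cap for originator"))
        else:
            decisions.append((d.trace, "pay", "allow-listed originator within cap"))
    return decisions


# Constructed sample data (not from the presentation).
ISSUED = [
    IssuedCheck("1002450", Decimal("125.00"), "Acme Office Supply"),
    IssuedCheck("1002468", Decimal("125.00"), "Acme Office Supply"),
    IssuedCheck("1002476", Decimal("980.00"), "Metro Utilities"),
]
PRESENTED = [
    PresentedCheck("1002450", Decimal("125.00"), "ACME OFFICE SUPPLY"),   # clean match
    PresentedCheck("1002468", Decimal("1250.00"), "Acme Office Supply"),  # altered amount
    PresentedCheck("1002476", Decimal("980.00"), "J. Smith"),             # altered payee
    PresentedCheck("1002484", Decimal("400.00"), "Cash"),                 # never issued
    PresentedCheck("1002451", Decimal("125.00"), "Acme Office Supply"),   # bad check digit
    PresentedCheck("1002450", Decimal("125.00"), "Acme Office Supply"),   # presented twice
]
ALLOWED_ORIGINATORS = {"1234567890": Decimal("5000.00")}
DEBITS = [
    AchDebit("091000010000001", "1234567890", Decimal("1200.00")),
    AchDebit("091000010000002", "1234567890", Decimal("9000.00")),
    AchDebit("091000010000003", "9876543210", Decimal("50.00")),
]

if __name__ == "__main__":
    for row in positive_pay(ISSUED, PRESENTED) + ach_debit_filter(DEBITS, ALLOWED_ORIGINATORS):
        print(*row)
```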
Use & Effectiveness of Internal Controls by Corporations (% of respondents using each control)
Magnetic stripe or card chip authentication: 8
Biometrics authentication: 8
Participate in fraudster databases & alerts: 8
Centralized fraud database for multiple payment types: 11
Centralized fraud database for one payment type: 16
Verify customer state ID card is authentic: 18
Software with pattern matching or other indicators: 22
Fraud detection pen for currency: 32
Positive ID of purchaser or account for POS transactions: 37
Centralized risk management department: 44
Customer authentication for online transactions: 57
Human review of payment transactions: 65
Respondents rated each control they use as very effective, somewhat effective, somewhat ineffective or very ineffective, or reported a plan to use it within 12 to 24 months; the breakdown by rating is not recoverable from this transcript.
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (% of respondents)
Lack of staff resources: 53
Consumer data privacy issues/concerns: 41
Cost of implementing commercially available fraud detection tool/service: 41
Cost of implementing in-house fraud detection tool/method: 38
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
Unable to combine payment information for review due to operating in multiple states: 3
Unable to combine payment information for review due to operating with multiple different banks: 3
Corporate reluctance to share information due to competitive issues: 3
Other: 15
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions:
Year   Total e-commerce revenue   Revenue lost to fraud
2000   41.7                       1.5
2001   53.1                       1.7
2002   72.4                       2.1
2003   111.8                      1.9
2004   144.4                      2.6
2005   175.0                      2.8
2006   221.4                      3.1
2007   264.3                      3.7
2008   285.7                      4.0
2009   275.0                      3.3
2010   300.0                      2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions):
Year   % of online revenue lost to fraud   Online fraud losses ($B)
2000   3.6                                 1.5
2001   3.2                                 1.7
2002   2.9                                 2.1
2003   1.7                                 1.9
2004   1.8                                 2.6
2005   1.6                                 2.8
2006   1.4                                 3.1
2007   1.4                                 3.7
2008   1.4                                 4.0
2009   1.2                                 3.3
2010   0.9                                 2.7
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Each row gives, for a payment type and subtype (fraud type): the consumer protection with its legal authority, and who is liable if recovery against the fraudster or merchant is not possible, with its legal authority.

ACH - Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time. Legal authority: the ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH - Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement (Reg E, 12 CFR 205.6(b)(3)). Consumer has a right of immediate recredit if the bank is notified within 15 days after receiving the statement (NACHA OR[3] Section 8.6.1).
  Who is liable: ODFI is liable for breach of warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. Legal authority: the ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for debit items is set forth in NACHA OG[4] pages 102-103.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (continued)

Check[5] - Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208.

Check - Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report).
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208.

Check - Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable, as there is a breach of transfer or presentment warranties. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (continued)

Check - Fraudulent Alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 3-407; UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report).
  Who is liable: Depository bank is liable, as there is a breach of transfer or presentment warranties. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

Check - Remotely Created Checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks. Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (continued)

Credit Cards - Card Present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)). $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely (VISA/MasterCard websites).
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions. Legal authority: VISA and MasterCard Rules[6].

Credit Cards - Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use (TILA, 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)). $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely (VISA/MasterCard websites).
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: VISA and MasterCard Rules.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards - Card Present (signature or PIN required)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely (VISA/MasterCard websites). Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (12 CFR 205.6(b)(1)); up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (12 CFR 205.6(b)(2)); unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.6(b)(3)).
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. Legal authority: VISA and MasterCard Rules.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards - Card not Present (telephone or web initiated use)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely (VISA/MasterCard websites). Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (12 CFR 205.6(b)(1)); up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (12 CFR 205.6(b)(2)); unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.6(b)(3)).
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: Secondary Sources[7].
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards - Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely (VISA/MasterCard websites). Under Reg E: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card (12 CFR 205.14(b)(5)(v)); up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice (12 CFR 205.14(b)(5)(v)); unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.14(b)(5)(v)). Consumer has a right of immediate recredit under NACHA Rules if its bank is notified within 15 days after receiving the statement (NACHA OR Section 8.6.1).
  Who is liable: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, either the Card Issuer or the Acquiring Bank is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Agenda
Who We Are
Payment Fraud Trends
Payment Fraud by Instrument
Fraud Prevention
Conclusions
3
Disclaimer The views expressed in this presentation are those of the speakers and do NOT necessarily reflect the views of the organizations for which they work
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Who We Are
Clairersquos amp Payments Consumer payments received by
cash check credit card debit card (signature amp PIN) amp gift cards
Payroll is made by paper check direct deposit ACH and payroll card
B2B payments made by check wire ACH credits ACH debits TampE cards Fleet Cards amp Purchase Cards
B2B payments received by check ACH credits amp wires
4
Clairersquos
Specialty retailer of value-
priced jewelry amp accessories
operating under trade names
Claires amp Icing
Operates over 3000 stores in
approximately 25 countries
through company-owned
joint ventures amp franchises
Global workforce of 16500
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Who We Are
AMC amp Payments Consumer payments received by cash credit
cards debit cards (signature amp PIN) amp gift cards
Credit card volume (over 12 billion per year) is about 55 of total revenue PCI DSS ldquolevel 1rdquo merchant
Payroll is made by paper check direct deposit ACH amp payroll card
B2B payments made by check wire ACH credits ACH debits TampE cards Fleet Cards amp Purchase Cards B2B payments received by check ACH credits wires amp credit cards
5
AMC One of the worldrsquos most innovative amp
largest theatrical exhibition companies 2nd largest US exhibitor
Operates over 380 theatres with over 5325 screens in 30 states the District of Columbia amp 4 countries
Privately held amp headquartered in Kansas City Missouri since its founding in 1920 Employs about 16800 full amp part-time associates
Hundreds of millions of guests attend AMC theatres each year
(Annualized) transactions $(000rsquos)
Wires 300 191677
ACH 400000 1474190
Checks 1110000 927666
Credit Card (receipts)
72782500 1318326
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Who We Are
NOC amp Payments 95 payroll is via direct deposit 5 check
Customer Remittance
Vendor Payments
6
Northop Grumman (NOC) Leading global security company that has
achieved historic accomplishments from transporting Lindbergh across the Atlantic to carrying astronauts to the moon amp back
120000 employees provide systems products amp solutions in aerospace electronics information systems shipbuilding amp technical services to government amp commercial customers worldwide
Conducts business mostly with the US GovernmentDepartment of Defense Other customers include local state amp foreign governments amp domestic amp international commercial companies
In 2009 delivered 6 ships to the US Navy amp Coast Guard amp launched 2 space tracking amp surveillance system satellites
(Annualized) VolumeAmount
($ millions)
Wires 8000 $ 3000
ACH 64000 $ 28000
Checks 35000 $ 300
Credit Card 1258000 $ 22
(Annualized) VolumeAmount
($ millions)
Wires 10000 $ 10100
ACH 700000 $ 16885
Checks 500000 $ 4458
Credit Card 297787 $ 150
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Who We Are
Federal Reserve System Sets amp implements nationrsquos monetary
policy
Supervises amp regulates range of financial institutions amp activities to ensure safe amp sound banking practices
Provides payments services to financial institutions (FIs) amp the federal government
Mission in payments to foster the integrity efficiency amp accessibility of US dollar payments amp settlement systems issue a uniform currency amp act as the fiscal agent amp depository for the US government
Fed amp Payments The Fed clears amp settles a large
portion of US interbank payments
7
Service Average
Volume Daily
AverageValue Daily
Fedwire Funds 494 000 $24 trillion
Fedwire Securities
78000 $12 trillion
FedACH 399 million $654 billion
Check 29 million $414 billion
National Settlement
2100 $55 billion
commercial volume only data through 3rd quarter 2010
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Payment Fraud Defined
Payments focused on today
Check
ACH credits amp debits
Card
Impact of cyberspace on payment fraud
Payments Fraud Definition Fraud that occurs when someone gains
financial or material advantage by using a payment instrument or
information from a payment instrument to complete a transaction that
is not authorized by the legitimate account holder
8
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Accurate Data on Payment Fraud is Limited
No definitive data on total number of payment fraud attacks or amount of losses in US
Practices of FIs companies amp industries to monitor fraud vary
Fraud data collected is often not shared data that is shared is not comparable
Fraud ldquofactsrdquo reported are subject to hype
0
20
40
60
80
100Internally track loss
Internally track loss avoidedPeer benchmarking
Report to Natl Shared Databases
0
20
40
60
80
100
Internally track loss amp loss avoided
Peer benchmarking
of FIs Tracking amp Sharing ATMDebit Card Fraud Data
Chart Data Source ABA 2007 Deposit Account Fraud Survey
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Corporate Fraud Attacks amp Losses
10
Source 2010 AFP Payments Fraud amp Control Survey
Nearly frac34 of corporations
reported payments fraud
attacks in 2009 about 30
suffered losses
Large companies are more
often the target of fraud
small companies more often
suffer losses
Fraud attempts have been
steady since 2006 fraud
losses have declined since
2006
55
6872 71 71 73
17 19
58
37 37
30
0
10
20
30
40
50
60
70
80
90
100
2004 2005 2006 2007 2008 2009
Respondents
Fraud Losses
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Payment Types
Check ACH1 Corporate amp Commercial
Cards2
Consumer Cards
(DbCr)
Subject to Fraud 90
25 Debits 7 Credits
17 20
Financial Loss From Fraud 17 11
43 Own 16 Accepted
NA
Responsible for Greatest Financial Loss
645 Debits1 Credits
8 20
Primary Reason for Loss
Did not use positive pay
services
Did not use debit blocks
filters amp positive pay
Illicit use of own card data amp inadequate
internal controls
NA3
Corporate Fraud by Payment Type
Check fraud most attempted amp most subject to losses consistent trend since 2004
Card fraud losses growing
Main reasons for losses
Internal controls not enforced
Common prevention services not used
AFP 2010 Payments Fraud amp Control Survey
1Includes ACH debits amp credits except as noted2Includes payments made on organizationrsquos own cards amp B2B card payments accepted3NA ndash data not collected in 2010 survey
11
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Top Fraud Schemes Involving Corporatersquos Own Accounts
12
9
9
13
13
16
16
16
19
31
34
34
Telephone initiated payments
Other
Counterfeit currency
Fraudulent checks converted to ACH hellip
Counterfeit or stolen cards used online
Other Internet initiated payments
Fraudulent credentials to defraud accounts
Cash register frauds
Counterfeit or stolen cards used at point-hellip
Altered or forged checks
Counterfeit checks
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Top Fraud Schemes Involving Payments Accepted
13
9
9
13
13
16
16
16
19
31
34
34
Telephone initiated payments
Other
Counterfeit currency
Fraudulent checks converted to ACH payments
Counterfeit or stolen cards used online
Other Internet initiated payments
Fraudulent credentials to defraud accounts
Cash register frauds
Counterfeit or stolen cards used at point-of-hellip
Altered or forged checks
Counterfeit checks
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009
AllRespondents
Revenues gt$1 B
Revenues lt $1 B
Outside Individual (eg check forged stolen card)
87 87 88
Organized Crime Ring 15 15 12
Internal Party 11 12 8
External known party (eg vendor 3rd party service provider trading partner)
8 10 4
Criminal invasion(eg hacked system malware)
4 3 7
Other 4 2 6
Lost or stolen laptop or other devise 2 1 2
14
Source 2010 AFP Payments Fraud amp Control Study
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Comparative Cost of Payments Fraud
Payment Method
Comparative ValueRange
Total DollarValue
Estimated
Loss
Source of Information
Credit Card $07 - $14per$100 purchases
$21 trillion $147 - 294 billion(20072008)
Nilson Report 2008 Javelin 2009 ID Fraud Survey Report
Debit Card ndashPIN
$001 - $028 per$100 purchases
$03 trillion $327 million (2007) Pulse 2008 Debit Issuer Study
Debit Card ndashSignature
$024 - $096 per$100 purchases
$06 trillion $324 million(2007)
Pulse 2008 Debit Issuer Study
Debit Card ndashATM
$025 per $100 value or $025 per transaction
$0579 trillion(58 billion trans)
$145 million(2007)
Pulse 2008 Debit Issuer Study
ACH $023 per $100 value of transactions
$31 trillion $698 billion(20052006)
NACHA 2005 ABA 2006
Check $027 per $100 value of checks paid
$416 trillion $11 billion(2006)
ABA 2006 Nilson Report 2007 FRB Kansas City
Cash $008 per $100 value of cash in circulation
$079 trillion In circulation YE lsquo07
$61 million (2007)
US Secret Service press release March 2008
DATA IS NOT PRECISE INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES
Estimated values For cards aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value For check amp ACH the loss range was calculated based on the aggregate loss estimate amp 2006 payment value
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study except currency in circulation
15
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Check Fraud
16
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
2218
5
1216
1 6
4
4
5
1
4
16 95
Community Mid-Sized Regional Money Center All
Target of Check Fraud By Size of Bank amp Account Type
Large Corporation
Middle Market
Small Business
Source 2009 ABA Deposit Account Fraud Survey
17
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Check Fraud Losses Caused Most by Counterfeits Forgeries or Bad Accounts
RDIs35
Forgeries26
Counterfeit26
Kiting4
Alteration4
Other5
RDIs35
Forgeries22
Counterfeit30
Alterations4
Kiting6
Other3
Based on Number of Cases with Losses Based on Actual Loss Amount
Average Percentage per Bank
Source 2009 ABA Deposit Account Fraud Survey
18
RDI Returned Deposited Items eg closed accounts NSFs stop payments
Type of Check Fraud Causing Losses
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Why is Check Fraud Persistent & Widespread?
• Low-risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  – Certain check security features may be lost through the imaging process
  – Certain physical alterations, such as check "washing", may be obscured by the imaging process
  – Insider fraud potential may increase, as customer employees are not subject to FI screening, e.g. presenting checks more than once, stealing personal information on checks
  – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
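The positive pay and modulus-check-serial controls listed above, shown as working matching logic. This is an added example, not code from the presentation or from any of the speakers' organizations. It assumes an issued-check file from the company's AP system, the bank's daily presented-items file in the same shape (serial, amount, payee), and a mod-10 (Luhn) check digit as the last digit of every serial number standing in for whatever vendor-specific "modulus check serial number" scheme a check printer would use. The issued and presented records are constructed sample data; the fourth presented item is the "presenting checks more than once" case from the RDC slide.

```python
"""Check positive pay with payee matching and a modulus check-digit test.

Added example, not code from the presentation. It assumes:
  - an issued-check file exported from the company's AP system (serial, amount, payee),
  - the bank's daily presented-items file in the same shape,
  - a mod-10 (Luhn) check digit as the last digit of each serial number, standing in
    for the vendor-specific "modulus check serial number" feature named on the slide.
All records below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class CheckItem:
    serial: str      # printed serial number, check digit included
    amount: Decimal
    payee: str


def luhn_check_digit(body: str) -> str:
    """Compute the mod-10 check digit to append to a serial body."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # these digits are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(serial: str) -> bool:
    """True when the serial's last digit is its correct mod-10 check digit."""
    return serial.isdigit() and len(serial) >= 2 and luhn_check_digit(serial[:-1]) == serial[-1]


def normalize_payee(name: str) -> str:
    """Fold case, drop punctuation and collapse whitespace so 'Acme, Inc.' == 'ACME INC'."""
    kept = "".join(c for c in name.upper() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


def positive_pay(issued: list[CheckItem], presented: list[CheckItem],
                 already_paid: set[str]) -> list[dict]:
    """Decide pay/return for each presented item against the issue file.

    Every reason found is reported, so the treasury reviewer sees the full
    picture rather than only the first mismatch.
    """
    issue_by_serial = {c.serial: c for c in issued}
    seen_today: set[str] = set()
    decisions = []
    for item in presented:
        reasons = []
        if not luhn_valid(item.serial):
            reasons.append("serial check digit fails (possible counterfeit)")
        issue = issue_by_serial.get(item.serial)
        if issue is None:
            reasons.append("no issue record")
        else:
            if issue.amount != item.amount:
                reasons.append(f"amount mismatch: issued {issue.amount}, presented {item.amount}")
            if normalize_payee(issue.payee) != normalize_payee(item.payee):
                reasons.append("payee mismatch")
        if item.serial in already_paid or item.serial in seen_today:
            reasons.append("duplicate presentment")   # e.g. a check deposited twice via RDC
        seen_today.add(item.serial)
        decisions.append({"serial": item.serial, "decision": "return" if reasons else "pay",
                          "reasons": reasons})
    return decisions


# Constructed sample data: three checks issued, one already paid on an earlier day.
ISSUED = [
    CheckItem("100420", Decimal("1250.00"), "Acme Office Supply"),
    CheckItem("100438", Decimal("980.00"), "Northwind Logistics LLC"),
    CheckItem("100446", Decimal("310.50"), "Jane Doe"),
]
ALREADY_PAID = {"100420"}
PRESENTED = [
    CheckItem("100438", Decimal("980.00"), "NORTHWIND LOGISTICS, LLC"),   # clean match
    CheckItem("100446", Decimal("3310.50"), "Jane Doe"),                  # altered amount
    CheckItem("100447", Decimal("4800.00"), "Cash"),                      # bad check digit, never issued
    CheckItem("100420", Decimal("1250.00"), "Acme Office Supply"),        # second presentment
]

if __name__ == "__main__":
    for d in positive_pay(ISSUED, PRESENTED, ALREADY_PAID):
        print(d)
```

Payee matching is deliberately tolerant of case and punctuation so that a bank's uppercase, comma-free rendering of the payee line does not generate a false exception; the amount comparison is exact, because an altered amount is precisely the case the control exists to catch.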
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR, while unauthorized returned debits grew at only a 3.6% CAGR
• The impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud concern   Middle Market 2009   Middle Market 2010   Large Corporate 2009   Large Corporate 2010
ACH Debits      4.06                 4.03                 4.24                   4.12

Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud

[Chart: Corporate ACH Fraud, % of respondents by number of attempts (1-5, 6-10, 11-15, 16-20, >20). Series: All Respondents (Median = 3), Revenues > $1 B (Median = 4), Revenues < $1 B (Median = 3). Source: 2010 AFP Payment Fraud & Control Survey]

ACH fraud resulting in financial loss (% of respondents):
All Respondents    11%
Revenues > $1 B    9%
Revenues < $1 B    18%

3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.

Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks.
Methods used to gain access to an account:
• Employee visits a social network site & opens an infected document
• Trick employee into downloading malware (e.g. keystroke capture virus) from the internet
• Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
• Phishing/spear-phishing to trick an employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
• Hacking a computer system that is inadequately protected
Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned.
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
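Debit blocks, debit filters and a known-fraudulent-recipient file, from the list above, expressed as code. This is an added example and not code from the presentation or from any bank's ACH platform. It assumes a per-account policy maintained by corporate treasury, a daily file of incoming ACH debit entries (SEC code, originator company ID, amount) and an outgoing credit file that is screened before release; the ABA routing-number check-digit formula and NACHA return reason R29 ("corporate customer advises not authorized") are real, while every account number, company ID and routing number in the sample data is constructed.

```python
"""ACH debit blocks, debit filters and a known-fraudulent-recipient list.

Added example, not code from the presentation. It assumes a per-account policy
maintained by corporate treasury, a daily file of incoming ACH debit entries
(SEC code, originator company ID, amount) and an outgoing credit file to screen
before release. Return reason R29 ("corporate customer advises not authorized")
is the standard NACHA code for debits rejected by a block or filter. All account
numbers, company IDs and routing numbers below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class DebitFilter:
    company_id: str                          # originator allowed to debit the account
    max_amount: Decimal                      # per-entry cap
    sec_codes: frozenset[str] = frozenset({"CCD", "CTX"})   # corporate SEC codes only


@dataclass
class AccountPolicy:
    account: str
    debit_block: bool = False                # True: no ACH debit may post at all
    filters: list[DebitFilter] = field(default_factory=list)


@dataclass(frozen=True)
class DebitEntry:
    account: str
    sec_code: str
    company_id: str
    amount: Decimal


def evaluate_debit(policy: AccountPolicy, entry: DebitEntry) -> tuple[str, str]:
    """Return ('post', '') or ('return', reason) for one incoming debit."""
    if policy.debit_block:
        return ("return", "R29: account is debit-blocked")
    for flt in policy.filters:
        if flt.company_id == entry.company_id and entry.sec_code in flt.sec_codes:
            if entry.amount <= flt.max_amount:
                return ("post", "")
            return ("return", f"R29: amount {entry.amount} exceeds filter cap {flt.max_amount}")
    return ("return", "R29: no filter matches originator/SEC code")


def process_debits(policies: dict[str, AccountPolicy],
                   entries: list[DebitEntry]) -> list[tuple[str, str]]:
    """Apply each account's policy; accounts without a policy are treated as blocked (fail closed)."""
    blocked = AccountPolicy(account="(unknown)", debit_block=True)
    return [evaluate_debit(policies.get(e.account, blocked), e) for e in entries]


def routing_number_valid(rtn: str) -> bool:
    """ABA routing check: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    d = [int(c) for c in rtn]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


def screen_origination(credits: list[tuple[str, str, Decimal]],
                       known_bad: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Hold outgoing credits to malformed routing numbers or to blacklisted recipients."""
    out = []
    for rtn, acct, _amount in credits:
        if not routing_number_valid(rtn):
            out.append(("hold", "routing number fails check digit"))
        elif (rtn, acct) in known_bad:
            out.append(("hold", "recipient on known-fraudulent list"))
        else:
            out.append(("release", ""))
    return out


# Constructed sample data.
POLICIES = {
    "PAYROLL-001": AccountPolicy("PAYROLL-001", debit_block=True),
    "OPERATING-002": AccountPolicy("OPERATING-002", filters=[
        DebitFilter("1234567890", Decimal("50000.00")),                       # e.g. tax authority, CCD/CTX
        DebitFilter("1987654321", Decimal("2500.00"), frozenset({"CCD"})),   # e.g. utility, CCD only
    ]),
}
DEBITS = [
    DebitEntry("PAYROLL-001", "CCD", "1234567890", Decimal("100.00")),      # blocked account
    DebitEntry("OPERATING-002", "CCD", "1234567890", Decimal("42000.00")),  # within filter
    DebitEntry("OPERATING-002", "CTX", "1234567890", Decimal("60000.00")),  # over cap
    DebitEntry("OPERATING-002", "CCD", "1555555555", Decimal("19.99")),     # unknown originator
    DebitEntry("OPERATING-002", "PPD", "1987654321", Decimal("100.00")),    # wrong SEC code
    DebitEntry("UNLISTED-009", "CCD", "1234567890", Decimal("5.00")),       # no policy: fail closed
]
KNOWN_BAD = {("123456780", "000999888")}
CREDITS = [
    ("123456780", "000111222", Decimal("7500.00")),
    ("123456780", "000999888", Decimal("12000.00")),
    ("123456789", "000333444", Decimal("500.00")),
]

if __name__ == "__main__":
    for entry, result in zip(DEBITS, process_debits(POLICIES, DEBITS)):
        print(entry.account, entry.company_id, result)
    print(screen_origination(CREDITS, KNOWN_BAD))
```

The filter matches on both originator company ID and SEC code, so a consumer-style PPD debit claiming an allow-listed company ID is still returned, and an account with no policy on file is blocked rather than left open.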
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment type cost                                                        Costs ($B)
Losses by online retailers due to credit card fraud                      $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud    $2.0
Cost of compliance with debit & credit card security, e.g. PCI           $2.0 – $5.5
Fraud by Type of B2B Card

Type of fraud                                  % of respondents
Experienced fraud from own B2B card use        42%
Experienced loss due to accepting B2B cards    16%

Fraud by type of B2B card (% of respondents):
Purchasing Card    72%
T&E Card           45%
Multi-Use Card     27%
Ghost Card         23%
Fleet Card         23%
Other              7%

Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Source of loss        Signature debit fraud losses   PIN debit fraud losses
Account takeover      3%                             7%
Stolen card           21%                            45%
Lost card             9%                             7%
Counterfeit           37%                            23%
e-Commerce & MOTO     25%                            6%
Other                 5%                             12%

Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use/check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
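Two of the controls above, address/card-verification checks for card-not-present acceptance and transaction limits with vendor blocks for corporate cards, as rule logic a merchant or card program administrator could run. This is an added example, not code from the presentation or from any card network or processor. It assumes the authorization response carries the standard AVS result codes (Y full match, A street only, Z ZIP only, N no match, U unavailable) and CVV2 result codes (M match, N no match, P not processed, U unavailable), and that the corporate card program states its controls as per-card limits, blocked merchant category codes and blocked vendors; the thresholds, card tokens, vendors and transactions are constructed sample values, while the MCCs used (7995 gambling, 6011 ATM cash, 5943, 7011, 4511, 5812, 5999) are standard codes.

```python
"""Rule checks for card-not-present acceptance and corporate card controls.

Added example, not code from the presentation. It assumes the merchant's
authorization response carries the standard AVS result codes (Y full match,
A street only, Z ZIP only, N no match, U unavailable) and CVV2 result codes
(M match, N no match, P not processed, U unavailable), and that corporate
card controls are expressed as per-card limits, blocked merchant category
codes (MCCs) and blocked vendors. All transactions are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class CnpAuth:
    card_token: str      # token from the payment service; the PAN never reaches merchant code
    amount: Decimal
    avs: str
    cvv2: str
    at: datetime


def cnp_decision(auth: CnpAuth, history: list[CnpAuth],
                 review_threshold: Decimal = Decimal("500.00"),
                 window: timedelta = timedelta(minutes=10),
                 max_attempts: int = 3) -> tuple[str, str]:
    """Return ('accept'|'review'|'decline', reason) for a card-not-present authorization."""
    if auth.cvv2 == "N":
        return ("decline", "CVV2 mismatch")
    if auth.avs == "N":
        return ("decline", "AVS no match")
    # Velocity: the same token retried several times in a short window is card-testing behaviour.
    attempts = 1 + sum(1 for h in history
                       if h.card_token == auth.card_token and timedelta(0) <= auth.at - h.at <= window)
    if attempts > max_attempts:
        return ("review", f"{attempts} attempts within {window}")
    partial = auth.avs in ("A", "Z", "U") or auth.cvv2 in ("P", "U")
    if partial and auth.amount >= review_threshold:
        return ("review", "partial or unavailable AVS/CVV2 on high-value order")
    return ("accept", "")


@dataclass(frozen=True)
class CardPolicy:
    single_limit: Decimal
    daily_limit: Decimal
    blocked_mccs: frozenset[str] = frozenset({"7995", "6011"})   # gambling, ATM cash disbursement
    blocked_vendors: frozenset[str] = frozenset()


@dataclass(frozen=True)
class CorpTx:
    vendor: str
    mcc: str
    amount: Decimal
    at: datetime


def corporate_card_decision(tx: CorpTx, policy: CardPolicy, spent_today: Decimal) -> tuple[str, str]:
    """Apply vendor/MCC blocks and transaction limits to one corporate card purchase."""
    if tx.mcc in policy.blocked_mccs:
        return ("decline", f"blocked MCC {tx.mcc}")
    if tx.vendor.upper() in policy.blocked_vendors:
        return ("decline", "vendor not approved")
    if tx.amount > policy.single_limit:
        return ("decline", "single-transaction limit exceeded")
    if spent_today + tx.amount > policy.daily_limit:
        return ("decline", "daily limit exceeded")
    return ("approve", "")


def run_card_day(policy: CardPolicy, txs: list[CorpTx]) -> list[tuple[str, str, str]]:
    """Process a day's purchases in time order, accumulating approved spend for the daily cap."""
    spent = Decimal("0")
    out = []
    for tx in sorted(txs, key=lambda t: t.at):
        decision, reason = corporate_card_decision(tx, policy, spent)
        if decision == "approve":
            spent += tx.amount
        out.append((tx.vendor, decision, reason))
    return out


# Constructed sample data.
T0 = datetime(2011, 4, 4, 9, 0)
CNP_HISTORY = [CnpAuth("tok-A", Decimal("25.00"), "Y", "M", T0 + timedelta(minutes=m)) for m in (0, 1, 2)]
POLICY = CardPolicy(Decimal("2000.00"), Decimal("5000.00"),
                    blocked_vendors=frozenset({"UNAPPROVED SUPPLIER CO"}))
DAY = [
    CorpTx("Office Supply Co", "5943", Decimal("1200.00"), T0),
    CorpTx("Unapproved Supplier Co", "5999", Decimal("300.00"), T0 + timedelta(hours=1)),
    CorpTx("Hotel Co", "7011", Decimal("2500.00"), T0 + timedelta(hours=2)),
    CorpTx("ATM Cash", "6011", Decimal("200.00"), T0 + timedelta(hours=3)),
    CorpTx("Airline Co", "4511", Decimal("1900.00"), T0 + timedelta(hours=4)),
    CorpTx("Catering Co", "5812", Decimal("1950.00"), T0 + timedelta(hours=5)),
]

if __name__ == "__main__":
    print(cnp_decision(CnpAuth("tok-A", Decimal("30.00"), "Y", "M", T0 + timedelta(minutes=3)), CNP_HISTORY))
    for row in run_card_day(POLICY, DAY):
        print(row)
```

A hard CVV2 or AVS mismatch is declined outright, whereas a partial or unavailable result only sends high-value orders to manual review, which keeps the false-decline rate down on small orders; the daily limit is enforced on accumulated approved spend, which is the "real-time spend visibility" the slide asks for.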
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (Source: RSA Security Survey, September 2010)

Item                                                                                                  Cost on black market, estimate (2010)
Credit card                                                                                           $1.50 - $3.00
SSN & date of birth (DOB)                                                                             $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB)       $5 - $20
Online banking account (depends on account type & balance)                                            $50 - $1,000
Denial of service attack                                                                              $50 for 24 hours to a single target
Zeus Trojan virus kit                                                                                 $3,000 - $4,000
Phishing Activity Targets by Industry
[Chart: phishing activity targets by industry. Source: APWG Phishing Activity Trends Report, 2nd Q 2010]
Fraud Prevention
Fraud Detection: More Is Needed

When is fraud usually detected? (% of respondents)
Customer notifies us                    76%
At the point of transaction             48%
Third-party notification                41%
At the point of origination             26%
During account audit/reconciliation     23%

Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud

Most effective fraud prevention tools (% of respondents)
Employee education             77%
Customer awareness             67%
Fraud tools & technologies     58%
Real-time decision tools       45%
Manual account monitoring      28%

Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations

Corporate views on risk services used & effectiveness (% of corporations using each service; the survey also split usage into very effective, somewhat effective, somewhat ineffective, very ineffective & plan to use within 12 to 24 months)

Online information services                          71%
ACH debit blocks                                     57%
Check positive pay/reverse positive pay              51%
ACH debit filters                                    49%
Multi-factor authentication to initiate payments     49%
Check payee positive pay                             42%
Account alert services                               36%
Card alert services for corporate cards              29%
ACH positive pay                                     28%
ACH payee positive pay                               23%
Post no check services                               22%
Account masking services                             16%

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations

% of corporations using each control (the survey also split usage into very effective, somewhat effective, somewhat ineffective, very ineffective & plan to use within 12 to 24 months)

Human review of payment transactions                        65%
Customer authentication for online transactions             57%
Centralized risk management department                      44%
Positive ID of purchaser or account for POS transactions    37%
Fraud detection pen for currency                            32%
Software with pattern matching or other indicators          22%
Verify customer state ID card is authentic                  18%
Centralized fraud database for one payment type             16%
Centralized fraud database for multiple payment types       11%
Participate in fraudster databases & alerts                 8%
Biometrics authentication                                   8%
Magnetic stripe or card chip authentication                 8%

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation

Main barriers to reducing payments fraud (% of respondents)
Lack of staff resources                                                                            53%
Consumer data privacy issues/concerns                                                              41%
Cost of implementing commercially available fraud detection tool/service                           41%
Cost of implementing in-house fraud detection tool/method                                          38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods        35%
Unable to combine payment information for review due to operating in multiple states               3%
Unable to combine payment information for review due to operating with multiple different banks    3%
Corporate reluctance to share information due to competitive issues                                3%
Other                                                                                              15%

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud (in $ billions)

Year   Total e-commerce revenue   Revenue lost to fraud
2000   41.7                       1.5
2001   53.1                       1.7
2002   72.4                       2.1
2003   111.8                      1.9
2004   144.4                      2.6
2005   175.0                      2.8
2006   221.4                      3.1
2007   264.3                      3.7
2008   285.7                      4.0
2009   275.0                      3.3
2010   300.0                      2.7

Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites

Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)

Year   Revenue lost to online fraud (% of online sales)   Online fraud losses ($B)
2000   3.6%                                               $1.5
2001   3.2%                                               $1.7
2002   2.9%                                               $2.1
2003   1.7%                                               $1.9
2004   1.8%                                               $2.6
2005   1.6%                                               $2.8
2006   1.4%                                               $3.1
2007   1.4%                                               $3.7
2008   1.4%                                               $4.0
2009   1.2%                                               $3.3
2010   0.9%                                               $2.7

Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Columns of the matrix: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority.

ACH: Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3)
  Consumer protection: Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement.
  Legal authority: NACHA OR[3] Section 8.6.1
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG[4] 102, 103.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution
[3] NACHA Operating Rules (2009)
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Check[5]

Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Forged drawer's signature
  Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 4-401 (if check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Forged endorsement
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Check (continued)

Fraudulent alteration
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401 (if check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Remotely created checks
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Credit Cards

Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Who is liable if cannot recover against fraudster or merchant: The issuing bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard rules[6]

Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Who is liable if cannot recover against fraudster or merchant: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard rules

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit Cards

Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Consumer protection under Reg E: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)). Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)). Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
  Who is liable if cannot recover against fraudster or merchant: The issuing bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard rules
Debit Cards (continued)

Card not present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Consumer protection under Reg E: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)). Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)). Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
  Who is liable if cannot recover against fraudster or merchant: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary sources[7]
Debit Cards (continued)

Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Consumer protection under Reg E: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card (Reg E, 12 CFR 205.14(b)(5)(v)). Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice (Reg E, 12 CFR 20146(b)(5)(v), as printed). Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.14(b)(5)(v)).
  Consumer protection under NACHA rules: Consumer has right of immediate recredit under NACHA rules if notifies its bank within 15 days after receiving statement (NACHA OR Section 8.6.1).
  Who is liable if cannot recover against fraudster or merchant: Under NACHA rules the ODFI, which is likely the card issuer's bank, is li
able for breach of warranty as described above under ACH debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the card issuer or the acquiring bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
Who We Are

Claire's & Payments
• Consumer payments received by cash, check, credit card, debit card (signature & PIN) & gift cards
• Payroll is made by paper check, direct deposit (ACH) and payroll card
• B2B payments made by check, wire, ACH credits, ACH debits, T&E cards, fleet cards & purchase cards
• B2B payments received by check, ACH credits & wires

Claire's
• Specialty retailer of value-priced jewelry & accessories operating under the trade names Claire's & Icing
• Operates over 3,000 stores in approximately 25 countries through company-owned stores, joint ventures & franchises
• Global workforce of 16,500
Who We Are

AMC & Payments
• Consumer payments received by cash, credit cards, debit cards (signature & PIN) & gift cards
• Credit card volume (over $1.2 billion per year) is about 55% of total revenue; PCI DSS "level 1" merchant
• Payroll is made by paper check, direct deposit (ACH) & payroll card
• B2B payments made by check, wire, ACH credits, ACH debits, T&E cards, fleet cards & purchase cards
• B2B payments received by check, ACH credits, wires & credit cards

AMC
• One of the world's most innovative & largest theatrical exhibition companies; 2nd largest US exhibitor
• Operates over 380 theatres with over 5,325 screens in 30 states, the District of Columbia & 4 countries
• Privately held & headquartered in Kansas City, Missouri since its founding in 1920; employs about 16,800 full & part-time associates
• Hundreds of millions of guests attend AMC theatres each year

(Annualized)             Transactions   $ (000's)
Wires                    300            191,677
ACH                      400,000        1,474,190
Checks                   1,110,000      927,666
Credit Card (receipts)   72,782,500     1,318,326
Who We Are

NOC & Payments
• 95% of payroll is via direct deposit, 5% by check
• Customer remittance
• Vendor payments

Northrop Grumman (NOC)
• Leading global security company that has achieved historic accomplishments, from transporting Lindbergh across the Atlantic to carrying astronauts to the moon & back
• 120,000 employees provide systems, products & solutions in aerospace, electronics, information systems, shipbuilding & technical services to government & commercial customers worldwide
• Conducts business mostly with the US Government/Department of Defense. Other customers include local, state & foreign governments & domestic & international commercial companies
• In 2009 delivered 6 ships to the US Navy & Coast Guard & launched 2 space tracking & surveillance system satellites

(Annualized)   Volume      Amount ($ millions)
Wires          8,000       $3,000
ACH            64,000      $28,000
Checks         35,000      $300
Credit Card    1,258,000   $22

(Annualized)   Volume      Amount ($ millions)
Wires          10,000      $10,100
ACH            700,000     $16,885
Checks         500,000     $4,458
Credit Card    297,787     $150
Who We Are
Federal Reserve System Sets amp implements nationrsquos monetary
policy
Supervises amp regulates range of financial institutions amp activities to ensure safe amp sound banking practices
Provides payments services to financial institutions (FIs) amp the federal government
Mission in payments to foster the integrity efficiency amp accessibility of US dollar payments amp settlement systems issue a uniform currency amp act as the fiscal agent amp depository for the US government
Fed amp Payments The Fed clears amp settles a large
portion of US interbank payments
7
Service Average
Volume Daily
AverageValue Daily
Fedwire Funds 494 000 $24 trillion
Fedwire Securities
78000 $12 trillion
FedACH 399 million $654 billion
Check 29 million $414 billion
National Settlement
2100 $55 billion
commercial volume only data through 3rd quarter 2010
Payment Fraud Defined

Payments focused on today:
- Check
- ACH credits & debits
- Card
- Impact of cyberspace on payment fraud

Payments Fraud Definition: Fraud that occurs when someone gains financial or material advantage by using a payment instrument, or information from a payment instrument, to complete a transaction that is not authorized by the legitimate account holder.
Accurate Data on Payment Fraud is Limited

- No definitive data on total number of payment fraud attacks or amount of losses in US
- Practices of FIs, companies & industries to monitor fraud vary
- Fraud data collected is often not shared; data that is shared is not comparable
- Fraud "facts" reported are subject to hype

[Chart: % of FIs Tracking & Sharing ATM/Debit Card Fraud Data. Categories: Internally track loss; Internally track loss avoided; Internally track loss & loss avoided; Peer benchmarking; Report to Nat'l Shared Databases. Chart Data Source: ABA 2007 Deposit Account Fraud Survey]
Corporate Fraud Attacks & Losses
Source: 2010 AFP Payments Fraud & Control Survey

- Nearly ¾ of corporations reported payments fraud attacks in 2009; about 30% suffered losses
- Large companies are more often the target of fraud; small companies more often suffer losses
- Fraud attempts have been steady since 2006; fraud losses have declined since 2006

[Chart, % of respondents, 2004 through 2009. Respondents reporting fraud attacks: 55, 68, 72, 71, 71, 73. Fraud losses: 17, 19, 58, 37, 37, 30]
Corporate Fraud by Payment Type
Source: AFP 2010 Payments Fraud & Control Survey

                                          Check    ACH(1)                   Corporate & Commercial Cards(2)    Consumer Cards (Db/Cr)
Subject to Fraud                          90%      25% Debits, 7% Credits   17%                                20%
Financial Loss From Fraud                 17%      11%                      43% Own, 16% Accepted              NA
Responsible for Greatest Financial Loss   64%      5% Debits, 1% Credits    8%                                 20%
Primary Reason for Loss                   Did not use positive pay services | Did not use debit blocks, filters & positive pay | Illicit use of own card data & inadequate internal controls | NA(3)

- Check fraud most attempted & most subject to losses; consistent trend since 2004
- Card fraud losses growing
- Main reasons for losses: internal controls not enforced; common prevention services not used

(1) Includes ACH debits & credits except as noted. (2) Includes payments made on organization's own cards & B2B card payments accepted. (3) NA – data not collected in 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts (% of respondents)

  Counterfeit checks                                   34
  Altered or forged checks                             34
  Counterfeit or stolen cards used at point-...        31
  Cash register frauds                                 19
  Fraudulent credentials to defraud accounts           16
  Other Internet initiated payments                    16
  Counterfeit or stolen cards used online              16
  Fraudulent checks converted to ACH ...               13
  Counterfeit currency                                 13
  Other                                                9
  Telephone initiated payments                         9

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted (% of respondents)

  Counterfeit checks                                   34
  Altered or forged checks                             34
  Counterfeit or stolen cards used at point-of-...     31
  Cash register frauds                                 19
  Fraudulent credentials to defraud accounts           16
  Other Internet initiated payments                    16
  Counterfeit or stolen cards used online              16
  Fraudulent checks converted to ACH payments          13
  Counterfeit currency                                 13
  Other                                                9
  Telephone initiated payments                         9

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud

Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)
  Perpetrator                                                                       All Respondents   Revenues > $1 B   Revenues < $1 B
  Outside individual (e.g., check forged, stolen card)                              87                87                88
  Organized crime ring                                                              15                15                12
  Internal party                                                                    11                12                8
  External known party (e.g., vendor, 3rd party service provider, trading partner)  8                 10                4
  Criminal invasion (e.g., hacked system, malware)                                  4                 3                 7
  Other                                                                             4                 2                 6
  Lost or stolen laptop or other device                                             2                 1                 2

Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud

  Payment Method          Comparative Value/Range                           Total Dollar Value                       Estimated Loss                      Source of Information
  Credit Card             $.07 – $.14 per $100 purchases                    $2.1 trillion                            $1.47 – 2.94 billion (2007/2008)    Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
  Debit Card – PIN        $.001 – $.028 per $100 purchases                  $0.3 trillion                            $32.7 million (2007)                Pulse 2008 Debit Issuer Study
  Debit Card – Signature  $.024 – $.096 per $100 purchases                  $0.6 trillion                            $324 million (2007)                 Pulse 2008 Debit Issuer Study
  Debit Card – ATM        $.025 per $100 value or $.025 per transaction     $0.579 trillion (5.8 billion trans.)     $145 million (2007)                 Pulse 2008 Debit Issuer Study
  ACH                     $.023 per $100 value of transactions              $31 trillion                             $0.698 billion (2005/2006)          NACHA 2005; ABA 2006
  Check                   $.027 per $100 value of checks paid               $41.6 trillion                           $11 billion (2006)                  ABA 2006; Nilson Report 2007; FRB Kansas City
  Cash                    $.008 per $100 value of cash in circulation       $0.79 trillion in circulation, YE '07    $61 million (2007)                  US Secret Service press release, March 2008

DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES.
Estimated values: For cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz

[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank sizes: Community, Mid-Sized, Regional, Money Center, All. Account types: Large Corporation, Middle Market, Small Business. Source: 2009 ABA Deposit Account Fraud Survey]
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts

Type of Check Fraud Causing Losses (average percentage per bank)
  Type           Based on Number of Cases with Losses   Based on Actual Loss Amount
  RDIs           35%                                    35%
  Forgeries      26%                                    22%
  Counterfeit    26%                                    30%
  Kiting         4%                                     6%
  Alteration     4%                                     4%
  Other          5%                                     3%

RDI: Returned Deposited Items, e.g., closed accounts, NSFs, stop payments.
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?

- Low risk crime
- Low barriers & costs to entry
- Account & other information needed is accessible
- Attributes of paper facilitate fraud
- Remote deposit capture (RDC) may increase aspects of fraud risk:
  - Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  - Certain check security features may be lost through the imaging process
  - Certain physical alterations, such as check "washing", may be obscured by the imaging process
  - Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g., presenting checks more than once, stealing personal information on checks)
  - Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk

- Institute positive pay
- Require signature verification
- Reconcile accounts daily
- Consider using image-survivable check security features, e.g., modulus check serial numbers/reference numbers, encrypted check data (e.g., payee, amount) printed on the check
- Secure check stock & implement dual control around key treasury functions
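The positive pay and daily reconciliation controls listed above come down to matching each check presented for payment against the file of checks the company actually issued and escalating anything that does not match. The following is an added example of that reconciliation, not code from the presentation or from any bank's product; the issue file, presented items and field names are constructed, and treating the payee as a matched field (payee positive pay) is an assumption about how such a service works. It also flags the same serial presented twice, which the RDC slide above names as a risk.

```python
"""Check positive pay reconciliation (added example, constructed data).

The bank (or the company, under reverse positive pay) compares each check
presented for payment against the issue file and reports exceptions for a
pay/return decision. An item absent from the result matched exactly.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    serial: str
    amount: Decimal
    payee: str
    channel: str  # where it was presented: "branch", "rdc", "ach_conversion"


def normalize_payee(name: str) -> str:
    """Compare payees case-insensitively, ignoring punctuation and spacing,
    so "ACME Supply Co." and "acme supply co" match."""
    kept = "".join(ch for ch in name.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def reconcile(issued: list[IssuedCheck],
              presented: list[PresentedItem]) -> dict[str, list[str]]:
    """Return exception reasons keyed by check serial.

    Duplicate presentment is flagged because under remote deposit capture
    the same item can be deposited more than once."""
    issue_file = {c.serial: c for c in issued}
    already_presented: set[str] = set()
    exceptions: dict[str, list[str]] = {}
    for item in presented:
        reasons: list[str] = []
        if item.serial in already_presented:
            reasons.append(f"duplicate presentment via {item.channel}")
        already_presented.add(item.serial)

        issue = issue_file.get(item.serial)
        if issue is None:
            reasons.append("serial not in issue file (possible counterfeit)")
        else:
            if issue.amount != item.amount:
                reasons.append(f"amount mismatch: issued {issue.amount}, "
                               f"presented {item.amount} (possible alteration)")
            if normalize_payee(issue.payee) != normalize_payee(item.payee):
                reasons.append(f"payee mismatch: issued {issue.payee!r}, "
                               f"presented {item.payee!r}")
        if reasons:
            exceptions.setdefault(item.serial, []).extend(reasons)
    return exceptions


# Constructed sample data: the day's issue file and the items the bank received.
ISSUED = [
    IssuedCheck("1001", Decimal("1250.00"), "Acme Supply Co."),
    IssuedCheck("1002", Decimal("89.95"), "Pine Street Printing"),
    IssuedCheck("1003", Decimal("4400.00"), "Metro Leasing LLC"),
]
PRESENTED = [
    PresentedItem("1001", Decimal("1250.00"), "ACME SUPPLY CO", "rdc"),
    PresentedItem("1002", Decimal("889.95"), "Pine Street Printing", "branch"),
    PresentedItem("1004", Decimal("300.00"), "Cash", "branch"),
    PresentedItem("1003", Decimal("4400.00"), "J. Doe", "ach_conversion"),
    PresentedItem("1001", Decimal("1250.00"), "ACME SUPPLY CO", "rdc"),
]


def daily_exceptions() -> dict[str, list[str]]:
    """Run the reconciliation on the constructed sample."""
    return reconcile(ISSUED, PRESENTED)


if __name__ == "__main__":
    for serial, reasons in daily_exceptions().items():
        print(serial, "->", "; ".join(reasons))
```

Run as-is, the first item for serial 1001 pays cleanly, the second presentment of 1001 is held as a duplicate, and 1002, 1003 and 1004 go to the exception report for a pay/return decision. In practice the issue file is transmitted to the bank before the checks are released, so that the decision deadline (typically the same business day) is met; a default of "return" for undecided exceptions is the safer setting.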
ACH Fraud
Total ACH Fraud Appears to be Low

- ACH debit transactions grew at a 16.1% CAGR, while unauthorized returned debits grew at only a 3.6% CAGR
- Impact of Network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates

On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:
  Fraud Concern    Middle Market 2009   Middle Market 2010   Large Corporate 2009   Large Corporate 2010
  ACH Debits       4.06                 4.03                 4.24                   4.12
Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
- Unauthorized debits to accounts
- ACH kiting
- Invalid debit origination/counterfeit ACH
- Fraudulent claims of unauthorized debits
- Insider origination fraud
- Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud

Corporate ACH Fraud: number of attempts, % of respondents
                                   1-5   6-10   11-15   16-20   > 20
  All Respondents (Median = 3)     68    10     8       3       12
  Revenues > $1 B (Median = 4)     61    8      13      5       13
  Revenues < $1 B (Median = 3)     75    11     0       0       14

ACH Fraud Resulting in Financial Loss: All Respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%

3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.

Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover

The criminal element has identified the ACH as vulnerable and has begun targeting smaller corporates & their banks.

Methods used to gain access to an account:
- Employee visits a social network site and opens an infected document
- Trick an employee into downloading malware (e.g., keystroke capture virus) from the Internet
- Social engineering/vishing, e.g., calling & tricking an employee into disclosing credentials
- Phishing/spear-phishing to trick an employee into entering credentials; fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
- Hacking a computer system that is inadequately protected

Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned.

Mules are individuals recruited as "payment processors" or "financial agents" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded themselves.
Best Ways to Mitigate ACH Fraud Risk

- Implement best practices for online & IT data security, authenticating customers & initiating payments
- Use ACH positive pay, debit blocks & filters as appropriate
- Implement proactive detection & monitoring
- Develop & use files of known fraudulent recipients, e.g., develop blacklists
- Reconcile accounts daily & make timely returns
- Retain rights of refusal
- Require due diligence of 3rd party processors
- Educate customers & employees on fraud & how to report it
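Debit blocks, debit filters and ACH positive pay, named in the list above, are three escalating policies a bank can apply to incoming debits on a corporate account. The following is an added example of how those policies decide each debit, not code from the presentation or from any bank; the Company IDs, filter rules and sample entries are constructed, and modelling a positive pay pre-authorization as (originator, exact amount, expiry) is an assumption.

```python
"""ACH debit block, debit filter and ACH positive pay on incoming debits
(added example, constructed data).

block        - every incoming debit is returned
filter       - only authorized originators (by Company ID), within a cap
               and for allowed SEC codes, are paid
positive_pay - as filter, plus the debit must match a standing
               pre-authorization for that originator and amount
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class AchDebit:
    company_id: str        # originator's ACH Company Identification
    company_name: str
    amount: Decimal
    settlement_date: date
    sec_code: str          # standard entry class: CCD, PPD, WEB, ...


@dataclass(frozen=True)
class FilterRule:
    max_amount: Decimal
    allowed_sec_codes: frozenset[str]


@dataclass(frozen=True)
class PreAuthorization:
    company_id: str
    amount: Decimal
    expires: date


@dataclass
class AccountPolicy:
    mode: str  # "block", "filter" or "positive_pay"
    rules: dict[str, FilterRule] = field(default_factory=dict)
    preauthorized: list[PreAuthorization] = field(default_factory=list)


def evaluate(policy: AccountPolicy, debit: AchDebit) -> tuple[str, str]:
    """Decide ("pay" | "return", reason) for one incoming debit.

    The reason strings feed the treasury exception report; the bank
    returns the unauthorized item to the ODFI within the network's
    return window."""
    if policy.mode == "block":
        return "return", "debit block: account accepts no ACH debits"

    rule = policy.rules.get(debit.company_id)
    if rule is None:
        return "return", (f"originator {debit.company_id} "
                          f"({debit.company_name}) not on debit filter")
    if debit.sec_code not in rule.allowed_sec_codes:
        return "return", f"SEC code {debit.sec_code} not allowed for {debit.company_id}"
    if debit.amount > rule.max_amount:
        return "return", (f"amount {debit.amount} exceeds cap "
                          f"{rule.max_amount} for {debit.company_id}")

    if policy.mode == "positive_pay":
        matched = any(p.company_id == debit.company_id
                      and p.amount == debit.amount
                      and p.expires >= debit.settlement_date
                      for p in policy.preauthorized)
        if not matched:
            return "return", (f"no pre-authorization for {debit.company_id} "
                              f"amount {debit.amount}")
    return "pay", "matched policy"


# Constructed sample rules, pre-authorizations and incoming debits.
RULES = {
    "1234567890": FilterRule(Decimal("5000.00"), frozenset({"CCD", "PPD"})),   # utility
    "9876543210": FilterRule(Decimal("250000.00"), frozenset({"CCD"})),        # payroll tax
}
PREAUTH = [PreAuthorization("1234567890", Decimal("1250.00"), date(2011, 12, 31))]

SAMPLE_DEBITS = [
    AchDebit("1234567890", "Metro Utilities", Decimal("1250.00"), date(2011, 4, 5), "CCD"),
    AchDebit("1234567890", "Metro Utilities", Decimal("7500.00"), date(2011, 4, 5), "CCD"),
    AchDebit("5555555555", "Unknown Originator", Decimal("300.00"), date(2011, 4, 5), "WEB"),
    AchDebit("9876543210", "Payroll Tax Svc", Decimal("50000.00"), date(2011, 4, 6), "WEB"),
    AchDebit("1234567890", "Metro Utilities", Decimal("980.00"), date(2011, 4, 7), "CCD"),
]


def decisions(mode: str) -> list[str]:
    """Decision ("pay"/"return") for each sample debit under the given mode."""
    policy = AccountPolicy(mode, RULES, PREAUTH)
    return [evaluate(policy, d)[0] for d in SAMPLE_DEBITS]


if __name__ == "__main__":
    for mode in ("block", "filter", "positive_pay"):
        print(mode, decisions(mode))
```

The same five debits show the trade-off between the services: the block returns everything (including the legitimate utility bill), the filter pays the two in-policy utility debits and returns the unknown originator, the over-cap debit and the wrong-SEC-code debit, and positive pay additionally returns the $980 utility debit because no pre-authorization exists for that amount. Accounts that never need to accept debits (most disbursement and payroll accounts) belong in block mode; filters and positive pay suit the accounts that legitimately receive debits.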
Card Fraud
Card Fraud Losses

- 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
- 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
- Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
- Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

  Payment Type                                                              Costs ($B)
  Losses by online retailers due to credit card fraud                       $3.6
  Losses by brick-and-mortar retailers due to debit & credit card fraud     $2.0
  Cost of compliance with debit & credit card security, e.g., PCI           $2.0 – $5.5
Fraud by Type of B2B Card (% of respondents)
  Purchasing Card    72
  T&E Card           45
  Multi-Use Card     27
  Ghost Card         23
  Fleet Card         23
  Other              7
Source: 2010 AFP Payments Fraud & Control Survey

  Type of Fraud                                        % of Respondents
  Experienced fraud from own B2B card use              42
  Experienced loss due to accepting B2B cards          16
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

  Source of Loss        Signature Debit Fraud Losses   PIN Debit Fraud Losses
  Account Takeover      3%                             7%
  Stolen Card           21%                            45%
  Lost Card             9%                             7%
  Counterfeit           37%                            23%
  e-Commerce & MOTO     25%                            6%
  Other                 5%                             12%

Source: ABA Deposit Account Fraud Survey Report, 2009
Best Ways to Mitigate Card Fraud Risk

- Use intelligent fraud prevention & detection systems to identify high-risk transactions
- Validate compliance with PCI standards
- Use real-time authorization & address verification systems
- Use check card verification codes & secure payment services for card-not-present acceptance
- Respond immediately to fraud & chargeback issues
- Implement programs & protective controls to prevent misuse of corporate payment cards by employees
- Set transaction limits & block unauthorized vendors
- Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud

- Another environment for direct payments fraud, e.g., fraudulent payment used to buy goods/services online
- Facilitates cyber crimes central to committing other types of payments fraud later
- Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
- Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Source: RSA Security Survey, September 2010

Estimated cost of buying information & services online to perpetrate fraud:
  Item                                                                                                 Cost on Black Market, Estimate (2010)
  Credit Card                                                                                          $1.50 – $3.00
  SSN & Date of Birth (DOB)                                                                            $1.50 – $3.00
  Full data set: credit card, CVV2 code, expiration date, username & password, address, SSN, DOB      $5 – $20
  Online Banking Account (depends on account type & balance)                                           $50 – $1,000
  Denial of Service Attack                                                                             $50 for 24 hours to a single target
  Zeus Trojan Virus Kit                                                                                $3,000 – $4,000
Phishing Activity Targets by Industry
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed

When is Fraud Usually Detected? (% of respondents)
  Customer notifies us                     76
  At the point of transaction              48
  Third-party notification                 41
  At the point of origination              26
  During account audit/reconciliation      23
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud

Most Effective Fraud Prevention Tools (% of respondents)
  Employee education               77
  Customer awareness               67
  Fraud tools & technologies       58
  Real-time decision tools         45
  Manual account monitoring        28
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
- Authentication/authorization for payment processes
- Dual controls & separation of duties
- Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations

Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service; the chart further splits each bar into: use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months)
  Online information services                          71% use
  ACH debit blocks                                     57% use
  Check positive pay/reverse positive pay              51% use
  ACH debit filters                                    49% use
  Multi-factor authentication to initiate payments     49% use
  Check payee positive pay                             42% use
  Account alert services                               36% use
  Card alert services for corporate cards              29% use
  ACH positive pay                                     28% use
  ACH payee positive pay                               23% use
  Post no check services                               22% use
  Account masking services                             16% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations

(% of respondents using each control; the chart further splits each bar into: use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months)
  Human review of payment transactions                        65% use
  Customer authentication for online transactions             57% use
  Centralized risk management department                      44% use
  Positive ID of purchaser or account for POS transactions    37% use
  Fraud detection pen for currency                            32% use
  Software w/ pattern matching or other indicators            22% use
  Verify customer state ID card is authentic                  18% use
  Centralized fraud database for one payment type             16% use
  Centralized fraud database for multiple payment types       11% use
  Participate in fraudster databases & alerts                 8% use
  Biometrics authentication                                   8% use
  Magnetic stripe or card chip authentication                 8% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation

Main Barriers to Reducing Payments Fraud (% of respondents)
  Lack of staff resources                                                                                  53
  Consumer data privacy issues/concerns                                                                    41
  Cost of implementing commercially available fraud detection tool/service                                 41
  Cost of implementing in-house fraud detection tool/method                                                38
  Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods              35
  Unable to combine payment information for review due to operating in multiple states                    3
  Unable to combine payment information for review due to operating with multiple different banks         3
  Corporate reluctance to share information due to competitive issues                                      3
  Other                                                                                                    15
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions

1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information

Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, brad.larson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerl.rossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org
Resources

Industry Links
- American Bankers Association: www.aba.com
- Association for Financial Professionals: www.afponline.org
- Bank Administration Institute: www.bai.org
- BITS: www.bitsinfo.org
- Credit Union National Association: www.cuna.org
- Board of Governors of the Federal Reserve System: www.federalreserve.gov
- Electronic Check Clearing House Organization (ECCHO): www.eccho.com
- Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
- Federal Reserve Financial Services: www.frbservices.org
- Independent Community Bankers of America: www.icba.org
- National Automated Clearing House Association: www.nacha.org
- National Association of Federal Credit Unions: www.nafcunet.org
- X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud

[Chart, in $ billions, 2000 through 2010. Total e-commerce: 41.7, 53.1, 72.4, 111.8, 144.4, 175.0, 221.4, 264.3, 285.7, 275.0, 300.0. Revenue lost to fraud: 1.5, 1.7, 2.1, 1.9, 2.6, 2.8, 3.1, 3.7, 4.0, 3.3, 2.7]
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites

Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
[Chart, 2000 through 2010. Revenue lost to online fraud, % of online sales: 3.6, 3.2, 2.9, 1.7, 1.8, 1.6, 1.4, 1.4, 1.4, 1.2, 0.9. Online fraud losses, $ billions: 1.5, 1.7, 2.1, 1.9, 2.6, 2.8, 3.1, 3.7, 4.0, 3.3, 2.7]
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix

Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

ACH – Credit Items (PPD)
  Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal Authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH – Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)(1)
  Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement.
  Legal Authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR(3) Section 8.6.1
  Who is liable: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI(2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG(4) 102, 103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

(1) ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check. (2) Receiving Depository Financial Institution. (3) NACHA Operating Rules (2009). (4) NACHA Operating Guidelines (2009); the number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (continued)

Check(5) – Forged (counterfeit) check
  Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged drawer's signature
  Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged endorsement
  Consumer Protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check.
  Who is liable: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

(5) These protections also apply to business checks.
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (continued)

Check – Fraudulent Alteration
  Consumer Protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal Authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check – Remotely Created Checks
  Consumer Protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check.
  Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal Authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (continued)

Credit Cards – Card Present (signature or PIN required)
  Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions.
  Legal Authority: VISA and MasterCard Rules(6)

Credit Cards – Card not present (telephone or web initiated use)
  Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal Authority: VISA and MasterCard Rules

(6) The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards – Card Present (signature or PIN required)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites
  Consumer Protection: Up to $50, if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal Authority: Reg E, 12 CFR 205.6(b)(1)
  Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal Authority: Reg E, 12 CFR 205.6(b)(2)
  Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal Authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal Authority: VISA and MasterCard Rules

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment type: Debit Cards
Subtype (fraud type): Card not Present (telephone or web initiated use)
Consumer protection (network policy): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal authority: VISA/MasterCard websites
Consumer protection (federal law): Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1)
Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2)
Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3)
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal authority: Secondary sources⁷
Payment type: Debit Cards
Subtype (fraud type): Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account. Settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account.)
Consumer protection (network policy): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal authority: VISA/MasterCard websites
Consumer protection (federal law): Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
Consumer protection (NACHA): The consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement. Legal authority: NACHA OR Section 8.6.1
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, either the Card Issuer or the Acquiring Bank is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).
Who We Are: AMC

AMC & Payments: Consumer payments received by cash, credit cards, debit cards (signature & PIN) & gift cards. Credit card volume (over $1.2 billion per year) is about 55% of total revenue; PCI DSS "Level 1" merchant. Payroll is made by paper check, direct deposit (ACH) & payroll card. B2B payments made by check, wire, ACH credits, ACH debits, T&E cards, fleet cards & purchase cards; B2B payments received by check, ACH credits, wires & credit cards.

AMC: One of the world's most innovative & largest theatrical exhibition companies; 2nd largest US exhibitor. Operates over 380 theatres with over 5,325 screens in 30 states, the District of Columbia & 4 countries. Privately held & headquartered in Kansas City, Missouri, since its founding in 1920. Employs about 16,800 full- & part-time associates. Hundreds of millions of guests attend AMC theatres each year.

Annualized payment activity:
  Payment type            Transactions    $ (000's)
  Wires                            300      191,677
  ACH                          400,000    1,474,190
  Checks                     1,110,000      927,666
  Credit card (receipts)    72,782,500    1,318,326
Who We Are: Northrop Grumman

NOC & Payments: 95% of payroll is via direct deposit, 5% by check. Customer remittances and vendor payments are shown below.

Northrop Grumman (NOC): Leading global security company that has achieved historic accomplishments, from transporting Lindbergh across the Atlantic to carrying astronauts to the moon & back. 120,000 employees provide systems, products & solutions in aerospace, electronics, information systems, shipbuilding & technical services to government & commercial customers worldwide. Conducts business mostly with the US Government/Department of Defense; other customers include local, state & foreign governments & domestic & international commercial companies. In 2009, delivered 6 ships to the US Navy & Coast Guard & launched 2 space tracking & surveillance system satellites.

Customer remittance (annualized):
  Payment type    Volume       Amount ($ millions)
  Wires              8,000      3,000
  ACH               64,000     28,000
  Checks            35,000        300
  Credit card    1,258,000         22

Vendor payments (annualized):
  Payment type    Volume       Amount ($ millions)
  Wires             10,000     10,100
  ACH              700,000     16,885
  Checks           500,000      4,458
  Credit card      297,787        150
Who We Are: Federal Reserve

Federal Reserve System: Sets & implements the nation's monetary policy. Supervises & regulates a range of financial institutions & activities to ensure safe & sound banking practices. Provides payment services to financial institutions (FIs) & the federal government. Mission in payments: to foster the integrity, efficiency & accessibility of US dollar payments & settlement systems; issue a uniform currency; & act as the fiscal agent & depository for the US government.

Fed & Payments: The Fed clears & settles a large portion of US interbank payments.

  Service               Average daily volume    Average daily value
  Fedwire Funds                    494,000      $2.4 trillion
  Fedwire Securities                78,000      $1.2 trillion
  FedACH                      39.9 million      $65.4 billion
  Check                         29 million      $41.4 billion
  National Settlement                2,100      $55 billion
  (Commercial volume only; data through 3rd quarter 2010)
Payment Fraud Defined

Payments focused on today: check; ACH credits & debits; card; and the impact of cyberspace on payment fraud.

Payments fraud definition: Fraud that occurs when someone gains financial or material advantage by using a payment instrument, or information from a payment instrument, to complete a transaction that is not authorized by the legitimate account holder.
Accurate Data on Payment Fraud Is Limited
No definitive data on the total number of payment fraud attacks or the amount of losses in the US
Practices of FIs, companies & industries to monitor fraud vary
Fraud data collected is often not shared; data that is shared is not comparable
Fraud "facts" reported are subject to hype
[Chart: % of FIs tracking & sharing ATM/debit card fraud data, by practice: internally track loss; internally track loss avoided; peer benchmarking; report to national shared databases. Chart data source: ABA 2007 Deposit Account Fraud Survey]
Corporate Fraud Attacks & Losses
Nearly ¾ of corporations reported payments fraud attacks in 2009; about 30% suffered losses
Large companies are more often the target of fraud; small companies more often suffer losses
Fraud attempts have been steady since 2006; fraud losses have declined since 2006
[Chart: % of respondents reporting fraud attacks and % reporting fraud losses, by year 2004–2009. Source: 2010 AFP Payments Fraud & Control Survey]
Corporate Fraud by Payment Type (AFP 2010 Payments Fraud & Control Survey)

Check: subject to fraud 90%; financial loss from fraud 17%; responsible for greatest financial loss 64%; primary reason for loss: did not use positive pay services.
ACH¹: subject to fraud 25% (debits), 7% (credits); financial loss from fraud 11%; responsible for greatest financial loss 5% (debits), 1% (credits); primary reason for loss: did not use debit blocks, filters & positive pay.
Corporate & commercial cards²: subject to fraud 17%; financial loss from fraud 43% (own cards), 16% (cards accepted); responsible for greatest financial loss 8%; primary reason for loss: illicit use of own card data & inadequate internal controls.
Consumer cards (Db/Cr): subject to fraud 20%; financial loss from fraud NA; responsible for greatest financial loss 20%; primary reason for loss NA³.

Check fraud is the most attempted & most subject to losses, a consistent trend since 2004
Card fraud losses are growing
Main reasons for losses: internal controls not enforced; common prevention services not used

¹ Includes ACH debits & credits except as noted. ² Includes payments made on the organization's own cards & B2B card payments accepted. ³ NA: data not collected in the 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts (% of respondents)
Counterfeit checks 34%
Altered or forged checks 34%
Counterfeit or stolen cards used at point of sale 31%
Cash register frauds 19%
Fraudulent credentials to defraud accounts 16%
Other Internet-initiated payments 16%
Counterfeit or stolen cards used online 16%
Fraudulent checks converted to ACH payments 13%
Counterfeit currency 13%
Other 9%
Telephone-initiated payments 9%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted (% of respondents)
Counterfeit checks 34%
Altered or forged checks 34%
Counterfeit or stolen cards used at point of sale 31%
Cash register frauds 19%
Fraudulent credentials to defraud accounts 16%
Other Internet-initiated payments 16%
Counterfeit or stolen cards used online 16%
Fraudulent checks converted to ACH payments 13%
Counterfeit currency 13%
Other 9%
Telephone-initiated payments 9%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud
Perpetrators of payments fraud that resulted in financial loss in 2009 (% of respondents):
  Perpetrator                                                                        All    Revenues > $1B    Revenues < $1B
  Outside individual (e.g., check forged, stolen card)                               87%    87%               88%
  Organized crime ring                                                               15%    15%               12%
  Internal party                                                                     11%    12%                8%
  External known party (e.g., vendor, 3rd-party service provider, trading partner)    8%    10%                4%
  Criminal invasion (e.g., hacked system, malware)                                    4%     3%                7%
  Other                                                                               4%     2%                6%
  Lost or stolen laptop or other device                                               2%     1%                2%
Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud

Credit card: comparative loss $0.7 – $1.4 per $100 of purchases; total value $2.1 trillion; estimated loss $14.7 – 29.4 billion (2007/2008). Sources: Nilson Report 2008; Javelin 2009 ID Fraud Survey Report.
Debit card, PIN: $0.001 – $0.028 per $100 of purchases; total value $0.3 trillion; estimated loss $327 million (2007). Source: Pulse 2008 Debit Issuer Study.
Debit card, signature: $0.024 – $0.096 per $100 of purchases; total value $0.6 trillion; estimated loss $324 million (2007). Source: Pulse 2008 Debit Issuer Study.
Debit card, ATM: $0.025 per $100 of value, or $0.025 per transaction; total value $0.579 trillion (5.8 billion transactions); estimated loss $145 million (2007). Source: Pulse 2008 Debit Issuer Study.
ACH: $0.023 per $100 of transaction value; total value $31 trillion; estimated loss $6.98 billion (2005/2006). Sources: NACHA 2005; ABA 2006.
Check: $0.027 per $100 of value of checks paid; total value $41.6 trillion; estimated loss $11 billion (2006). Sources: ABA 2006; Nilson Report 2007; FRB Kansas City.
Cash: $0.008 per $100 of value of cash in circulation; $0.79 trillion in circulation at year-end 2007; estimated loss $61 million (2007). Source: US Secret Service press release, March 2008.

DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES.
Estimated values: for cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated from the aggregate loss estimate & the 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Business Accounts Targeted More by Check Fraud than Larger Businesses
[Chart: target of check fraud by size of bank (community, mid-sized, regional, money center, all) & account type (large corporation, middle market, small business). Source: 2009 ABA Deposit Account Fraud Survey]
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of check fraud causing losses (average percentage per bank):
  Based on number of cases with losses: RDIs 35%; forgeries 26%; counterfeit 26%; kiting 4%; alteration 4%; other 5%
  Based on actual loss amount: RDIs 35%; counterfeit 30%; forgeries 22%; kiting 6%; alterations 4%; other 3%
RDI: Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why Is Check Fraud Persistent & Widespread?
Low-risk crime
Low barriers & costs to entry
Account & other information needed is accessible
Attributes of paper facilitate fraud
Remote deposit capture (RDC) may increase aspects of fraud risk:
  Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  Certain check security features may be lost through the imaging process
  Certain physical alterations, such as check "washing", may be obscured by the imaging process
  Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g., presenting checks more than once, stealing personal information on checks)
  Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
Institute positive pay Require signature verification Reconcile accounts daily Consider using image-survivable check security
features egmodulus check serial numbersreference numbers encrypted check data (eg payee amount) printed on
check
Secure check stock amp implement dual control around key treasury functions
20
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
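Worked example (added here; not part of the presentation or any speaker's systems): a positive-pay match of the bank's presentment file against the company's issue file, with payee matching and a modulus-checked serial number of the kind the slide calls image-survivable. The issue file, the presented items and the weighted mod-10 check-digit scheme are constructed for illustration; a real check printer's scheme and the banks' file layouts will differ.

```python
# Check positive pay with payee matching and a modulus-checked serial number.
# Added example, not from the presentation. The issue file and presented items
# are constructed sample data. The serial check-digit scheme (weighted mod 10
# with the 3-7-1 weights the ABA routing-number checksum uses) is an assumption
# standing in for whatever "modulus" scheme a check printer actually applies.
from dataclasses import dataclass
from decimal import Decimal

WEIGHTS = (3, 7, 1)


def serial_check_digit(body: str) -> str:
    """Weighted mod-10 check digit over the digits of the serial body."""
    total = sum(int(d) * WEIGHTS[i % 3] for i, d in enumerate(body))
    return str((10 - total % 10) % 10)


def make_serial(body: str) -> str:
    """Serial number as printed on the check: body followed by its check digit."""
    return body + serial_check_digit(body)


def serial_is_valid(serial: str) -> bool:
    """True if the last digit is the correct check digit for the rest."""
    return (serial.isdigit() and len(serial) >= 2
            and serial_check_digit(serial[:-1]) == serial[-1])


@dataclass(frozen=True)
class Issued:
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class Presented:
    serial: str
    amount: Decimal
    payee: str        # payee line as read from the check image


def normalize_payee(name: str) -> str:
    """Case- and punctuation-insensitive comparison of payee names."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())


def positive_pay(issue_file, presented, already_paid=()):
    """Match presented items against the issue file.

    Returns (serials to pay, [(serial, exception code), ...]). Every exception
    goes to the account holder for a pay/return decision before the return
    deadline; nothing unmatched is paid by default."""
    pay, exceptions = [], []
    paid = set(already_paid)
    for item in presented:
        if not serial_is_valid(item.serial):
            exceptions.append((item.serial, "BAD_CHECK_DIGIT"))   # fabricated serial
        elif item.serial not in issue_file:
            exceptions.append((item.serial, "NOT_ISSUED"))        # counterfeit
        elif item.serial in paid:
            exceptions.append((item.serial, "DUPLICATE"))         # presented twice
        elif item.amount != issue_file[item.serial].amount:
            exceptions.append((item.serial, "AMOUNT_MISMATCH"))   # altered amount
        elif normalize_payee(item.payee) != normalize_payee(issue_file[item.serial].payee):
            exceptions.append((item.serial, "PAYEE_MISMATCH"))    # altered or washed payee
        else:
            pay.append(item.serial)
            paid.add(item.serial)
    return pay, exceptions


# Constructed issue file: what the company's check run actually printed.
ISSUE_FILE = {
    make_serial("100201"): Issued(Decimal("1250.00"), "Acme Supply Co."),
    make_serial("100202"): Issued(Decimal("980.50"), "Metro Film Distribution, Inc."),
    make_serial("100203"): Issued(Decimal("45.00"), "J. Doe"),
}

# Constructed presentment file from the bank: one good item and five attacks.
PRESENTED = [
    Presented("1002010", Decimal("1250.00"), "ACME SUPPLY CO"),                # pay
    Presented("1002029", Decimal("9980.50"), "Metro Film Distribution, Inc."), # amount altered
    Presented("1002038", Decimal("45.00"), "John Smith"),                      # payee washed
    Presented("1002041", Decimal("500.00"), "Cash"),                           # wrong check digit
    Presented("1002047", Decimal("500.00"), "Cash"),                           # valid digit, never issued
    Presented("1002010", Decimal("1250.00"), "Acme Supply Co."),               # second presentment
]


def run_sample():
    return positive_pay(ISSUE_FILE, PRESENTED)


if __name__ == "__main__":
    to_pay, exc = run_sample()
    print("pay:", to_pay)
    for serial, code in exc:
        print("exception:", serial, code)
```

Run stand-alone it pays one item and raises five exceptions. The check-digit test runs before the issue file is consulted: a counterfeiter who fabricates serials without the printer's scheme is caught on the image alone, which is what makes the feature survive imaging and RDC.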
ACH Fraud
Total ACH Fraud Appears to Be Low
ACH debit transactions grew at a 16.1% CAGR, while unauthorized returned debits grew at only a 3.6% CAGR
The impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1–5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:
  Fraud concern, ACH debits: Middle market 4.06 (2009), 4.03 (2010); Large corporate 4.24 (2009), 4.12 (2010)
  Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
ACH fraud that affects corporations:
  Unauthorized debits to accounts
  ACH kiting
  Invalid debit origination/counterfeit ACH
  Fraudulent claims of unauthorized debits
  Insider origination fraud
  Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
Corporate ACH fraud: number of attempts reported (% of respondents)
  Attempts    All respondents (median 3)    Revenues > $1B (median 4)    Revenues < $1B (median 3)
  1–5         68%                           61%                          75%
  6–10        10%                            8%                          11%
  11–15        8%                           13%                           0%
  16–20        3%                            5%                           0%
  > 20        12%                           13%                          14%
ACH fraud resulting in financial loss: all respondents 11%; revenues > $1B 9%; revenues < $1B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
Methods used to gain access to the account:
  Employee visits a social network site & opens an infected document
  Trick an employee into downloading malware (e.g., a keystroke-capture virus) from the internet
  Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
  Phishing/spear-phishing to trick an employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
  Hacking a computer system that is inadequately protected
Once the account is accessed, the fraudster transfers funds to "mule" accounts via ACH transactions; the mule accounts are emptied & abandoned
Mules are individuals recruited as "payment processors" or "financial agents" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded themselves
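Worked example (added here; not from the presentation): the takeover sequence above as it shows up in a bank's online-banking audit log, and the indicators a detection rule would raise on it. The log lines, field names, the 30-minute window, the burst size and the business-hours range are constructed assumptions; the point is that no single rule is decisive, but a new device, an off-hours login and a burst of first-time payees in one session is the pattern worth holding the batch for.

```python
# Account-takeover indicators on a corporate online-banking audit log.
# Added example, not from the presentation. The log lines are constructed
# (space-separated key=value fields); the field names, the 30-minute window,
# the burst size and the business-hours range are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed known-good history used to build each user's baseline.
BASELINE_LOG = [
    "ts=2011-03-01T09:12:00 user=ap_clerk event=login ip=203.0.113.10 device=d-4f2a",
    "ts=2011-03-01T09:20:00 user=ap_clerk event=ach_credit beneficiary=ACME_SUPPLY amount=1250.00",
    "ts=2011-03-15T10:02:00 user=ap_clerk event=login ip=203.0.113.10 device=d-4f2a",
    "ts=2011-03-15T10:09:00 user=ap_clerk event=ach_credit beneficiary=METRO_FILM amount=9800.00",
]

# Constructed benign session: known device, business hours, known payee.
BENIGN_LOG = [
    "ts=2011-04-01T10:02:00 user=ap_clerk event=login ip=203.0.113.10 device=d-4f2a",
    "ts=2011-04-01T10:09:00 user=ap_clerk event=ach_credit beneficiary=METRO_FILM amount=9800.00",
]

# Constructed takeover session: stolen credentials used from a new machine at
# 2 a.m. to spray credits to three never-seen "mule" beneficiaries.
SUSPECT_LOG = [
    "ts=2011-04-02T02:41:00 user=ap_clerk event=login ip=198.51.100.77 device=d-9c01",
    "ts=2011-04-02T02:44:00 user=ap_clerk event=ach_credit beneficiary=J_SMITH amount=9400.00",
    "ts=2011-04-02T02:45:00 user=ap_clerk event=ach_credit beneficiary=R_JONES amount=9200.00",
    "ts=2011-04-02T02:46:00 user=ap_clerk event=ach_credit beneficiary=M_LEE amount=12500.00",
]


def parse(line: str) -> dict:
    """Parse one 'key=value ...' audit line into a dict with typed ts/amount."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    if "amount" in rec:
        rec["amount"] = float(rec["amount"])
    return rec


def build_baseline(lines):
    """Per-user profile: devices seen, beneficiaries paid, largest single credit."""
    base = defaultdict(lambda: {"devices": set(), "beneficiaries": set(), "max_amount": 0.0})
    for rec in map(parse, lines):
        prof = base[rec["user"]]
        if rec["event"] == "login":
            prof["devices"].add(rec["device"])
        elif rec["event"] == "ach_credit":
            prof["beneficiaries"].add(rec["beneficiary"])
            prof["max_amount"] = max(prof["max_amount"], rec["amount"])
    return base


def takeover_indicators(lines, baseline, window=timedelta(minutes=30), burst=3):
    """Indicator names raised by a session, in event order."""
    found = []
    new_device_login = {}                  # user -> ts of latest login from an unknown device
    recent_new_payees = defaultdict(list)  # user -> [(ts, beneficiary)] inside the window
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        user, ts, prof = rec["user"], rec["ts"], baseline[rec["user"]]
        if rec["event"] == "login":
            if rec["device"] not in prof["devices"]:
                found.append("NEW_DEVICE_LOGIN")
                new_device_login[user] = ts
            if not 6 <= ts.hour < 20:          # outside assumed business hours
                found.append("OFF_HOURS_LOGIN")
        elif rec["event"] == "ach_credit":
            if rec["amount"] > prof["max_amount"]:
                found.append("AMOUNT_ABOVE_BASELINE")
            if rec["beneficiary"] not in prof["beneficiaries"]:
                last = new_device_login.get(user)
                if last is not None and ts - last <= window:
                    found.append("NEW_BENEFICIARY_AFTER_NEW_DEVICE")
                payees = recent_new_payees[user]
                payees.append((ts, rec["beneficiary"]))
                payees[:] = [(t, b) for t, b in payees if ts - t <= window]
                if len({b for _, b in payees}) == burst:   # mule "spraying"
                    found.append("NEW_BENEFICIARY_BURST")
    return found


def analyze(session_lines):
    """Score a session against the baseline built from BASELINE_LOG."""
    return takeover_indicators(session_lines, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    print("benign :", analyze(BENIGN_LOG))
    print("suspect:", analyze(SUSPECT_LOG))
```

The benign session raises nothing; the suspect session raises the new-device and off-hours login, three first-time beneficiaries inside the window of that login, one amount above the user's historical maximum, and the burst indicator on the third payee. A bank would typically hold the batch for a call-back to a known phone number rather than auto-return it, since the credits are technically authorized by the compromised credentials.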
Best Ways to Mitigate ACH Fraud Risk
Implement best practices for online & IT data security, authenticating customers & initiating payments
Use ACH positive pay, debit blocks & filters as appropriate
Implement proactive detection & monitoring
Develop & use files of known fraudulent recipients, e.g. develop blacklists
Reconcile accounts daily & make timely returns
Retain rights of refusal
Require due diligence of 3rd-party processors
Educate customers & employees on fraud & how to report it
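Worked example (added here; not from the presentation): the three receiving-side controls named above, an ACH debit block, a debit filter and ACH positive pay, applied to the same constructed set of incoming debits. The company IDs, per-originator caps, SEC-code allow-lists and the pre-authorized list are assumptions; NACHA return reason code R29 (corporate customer advises not authorized) is the real code an RDFI uses to return an unauthorized debit against a corporate account.

```python
# ACH debit block, debit filter and ACH positive pay on a corporate account.
# Added example, not from the presentation. Entries and policies are
# constructed; the company IDs, caps and SEC-code allow-lists are assumptions.
# Return reason R29 ("Corporate customer advises not authorized") is the NACHA
# code a bank uses to return an unauthorized debit to a corporate account.
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class DebitEntry:
    company_id: str    # originator's company identification from the batch header
    company_name: str
    sec_code: str      # standard entry class: CCD, CTX, PPD, WEB, TEL, ...
    amount: Decimal


@dataclass(frozen=True)
class FilterRule:
    max_amount: Optional[Decimal] = None
    sec_codes: frozenset = frozenset({"CCD", "CTX"})  # corporate-to-corporate codes only


@dataclass
class AccountPolicy:
    mode: str                                   # "block", "filter" or "positive_pay"
    rules: dict = field(default_factory=dict)   # company_id -> FilterRule
    expected: set = field(default_factory=set)  # (company_id, amount) the customer pre-authorized


def decide(entry: DebitEntry, policy: AccountPolicy):
    """Return ("POST", ""), ("RETURN", "R29") or ("EXCEPTION", reason).

    RETURN is automatic. EXCEPTION means the customer must decide pay/return
    before the RDFI's return deadline; if nobody answers, the item is returned."""
    if policy.mode == "block":
        return ("RETURN", "R29")              # nothing may debit this account
    if policy.mode == "filter":
        rule = policy.rules.get(entry.company_id)
        if rule is None:
            return ("RETURN", "R29")          # originator not on the allow-list
        if entry.sec_code not in rule.sec_codes:
            return ("RETURN", "R29")          # consumer/web SEC code against a corporate account
        if rule.max_amount is not None and entry.amount > rule.max_amount:
            return ("RETURN", "R29")          # above the per-entry cap for this originator
        return ("POST", "")
    if policy.mode == "positive_pay":
        if (entry.company_id, entry.amount) in policy.expected:
            return ("POST", "")
        known = any(cid == entry.company_id for cid, _ in policy.expected)
        return ("EXCEPTION", "amount not on issue list" if known else "originator not on issue list")
    raise ValueError(f"unknown policy mode {policy.mode!r}")


def decide_batch(entries, policy):
    """Decision for every entry in a settlement day's incoming file."""
    return [decide(e, policy) for e in entries]


# Constructed incoming debits for one settlement day.
ENTRIES = [
    DebitEntry("1234567890", "PAYROLL TAX SVC", "CCD", Decimal("48200.00")),   # expected
    DebitEntry("1234567890", "PAYROLL TAX SVC", "CCD", Decimal("148200.00")),  # altered amount
    DebitEntry("9999999999", "FAST FUNDS LLC", "WEB", Decimal("4800.00")),     # unknown originator
    DebitEntry("2345678901", "UTILITY CO", "PPD", Decimal("900.00")),          # known, wrong SEC code
]

BLOCK = AccountPolicy("block")
FILTER = AccountPolicy("filter", rules={
    "1234567890": FilterRule(max_amount=Decimal("50000.00")),
    "2345678901": FilterRule(max_amount=Decimal("2000.00"), sec_codes=frozenset({"CCD"})),
})
POSITIVE_PAY = AccountPolicy("positive_pay", expected={("1234567890", Decimal("48200.00"))})


if __name__ == "__main__":
    for name, pol in (("block", BLOCK), ("filter", FILTER), ("positive_pay", POSITIVE_PAY)):
        print(name, decide_batch(ENTRIES, pol))
```

A block suits accounts that should never be debited (most disbursement accounts); a filter suits accounts with a stable set of originators such as tax and payroll services; positive pay suits accounts where the amounts vary and the customer is willing to decision exceptions daily, which is why the slide pairs it with daily reconciliation and timely returns.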
Card Fraud
Card Fraud Losses
2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Costs by payment type ($ billions):
  Losses by online retailers due to credit card fraud: $3.6
  Losses by brick-and-mortar retailers due to debit & credit card fraud: $2.0
  Cost of compliance with debit & credit card security, e.g. PCI: $2.0 – $5.5
Fraud by Type of B2B Card
Type of fraud, % of respondents: Purchasing card 72%; T&E card 45%; Multi-use card 27%; Ghost card 23%; Fleet card 23%; Other 7%
Experienced fraud from own B2B card use: 42%
Experienced loss due to accepting B2B cards: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are the Main Sources of Debit Fraud Losses
Signature debit fraud losses: counterfeit 37%; e-commerce & MOTO 25%; stolen card 21%; lost card 9%; other 5%; account takeover 3%
PIN debit fraud losses: stolen card 45%; counterfeit 23%; other 12%; account takeover 7%; lost card 7%; e-commerce & MOTO 6%
Source: ABA Deposit Account Fraud Survey Report, 2009
Best Ways to Mitigate Card Fraud Risk
Use intelligent fraud prevention & detection systems to identify high-risk transactions
Validate compliance with PCI standards
Use real-time authorization & address verification systems
Check card verification codes & use secure payment services for card-not-present acceptance
Respond immediately to fraud & chargeback issues
Implement programs & protective controls to prevent misuse of corporate payment cards by employees
Set transaction limits & block unauthorized vendors
Use payment tools that provide real-time spend visibility & detailed reporting
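Worked example (added here; not from the presentation): the card-not-present controls above wrapped around a real-time authorization. The Luhn check, transaction limit and velocity rule run before any authorization is sent; the address verification (AVS) and card-verification-code results in the issuer's response decide approve, review or decline afterwards. The card numbers are standard test PANs, the attempt history is constructed, and the limit, velocity threshold and window are assumptions.

```python
# Card-not-present screening around a real-time authorization: Luhn sanity
# check, per-transaction limit and velocity before the auth request, then AVS
# and card-verification-code results from the issuer response afterwards.
# Added example, not from the presentation. Card numbers are standard test
# PANs, the history is constructed, and the limits/windows are assumptions.
from datetime import datetime, timedelta


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check; rejects mistyped or fabricated numbers before any auth call."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four only: the form PCI DSS permits in logs and reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pre_auth(pan, amount, now, history, max_amount=2000.00, velocity=3, window=timedelta(hours=1)):
    """Decide whether to send the authorization at all.

    history: list of (timestamp, pan) for earlier attempts at this merchant."""
    if not luhn_ok(pan):
        return ("DECLINE", "invalid_pan")
    recent = sum(1 for ts, p in history if p == pan and now - ts <= window)
    if recent >= velocity:
        return ("DECLINE", "velocity")       # card testing or replay on one PAN
    if amount > max_amount:
        return ("REVIEW", "over_limit")      # manual review instead of auto-approve
    return ("AUTHORIZE", "")


def post_auth(avs: str, cvv: str):
    """Apply the issuer's AVS and card-verification results to an approved auth.

    AVS: Y = street and ZIP match, A = street only, Z = ZIP only, N = no match,
    U = unavailable. CVV2/CVC2: M = match, N = no match, P = not processed."""
    if cvv == "N":
        return ("DECLINE", "cvv_no_match")
    if avs == "N":
        return ("DECLINE", "avs_no_match")
    if cvv != "M" or avs != "Y":
        return ("REVIEW", "partial_verification")
    return ("APPROVE", "")


def screen(pan, amount, now, history, avs, cvv):
    """Full decision for one CNP order; returns (action, reason, masked pan)."""
    action, reason = pre_auth(pan, amount, now, history)
    if action == "AUTHORIZE":
        action, reason = post_auth(avs, cvv)
    return (action, reason, mask_pan(pan))


# Constructed attempt history: the same test PAN hit three times in ten minutes.
NOW = datetime(2011, 4, 4, 14, 0, 0)
TESTING_HISTORY = [(NOW - timedelta(minutes=m), "4111111111111111") for m in (2, 5, 9)]


if __name__ == "__main__":
    print(screen("4111111111111111", 120.00, NOW, [], "Y", "M"))
    print(screen("4111111111111112", 120.00, NOW, [], "Y", "M"))
    print(screen("4111111111111111", 120.00, NOW, TESTING_HISTORY, "Y", "M"))
    print(screen("4111111111111111", 120.00, NOW, [], "Z", "M"))
```

Only the masked PAN ever reaches the decision log. A partial AVS match (ZIP only) goes to review rather than decline because legitimate customers mistype street addresses far more often than fraudsters guess ZIP codes; a code mismatch is a hard decline because the verification code should never be stored by anyone, so a wrong value means the buyer does not hold the card.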
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchases: 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (black-market estimates, 2010):
  Credit card: $1.50 – $3.00
  SSN & date of birth (DOB): $1.50 – $3.00
  Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 – $20
  Online banking account (depends on account type & balance): $50 – $1,000
  Denial of service attack: $50 for 24 hours against a single target
  Zeus Trojan virus kit: $3,000 – $4,000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
[Chart: phishing activity by targeted industry. Source: APWG Phishing Activity Trends Report, 2nd Quarter 2010]
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents): customer notifies us 76%; at the point of transaction 48%; third-party notification 41%; at the point of origination 26%; during account audit/reconciliation 23%
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents): employee education 77%; customer awareness 67%; fraud tools & technologies 58%; real-time decision tools 45%; manual account monitoring 28%
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
  Authentication/authorization for payment processes
  Dual controls & separation of duties
  Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & their effectiveness (% of respondents using each service):
  Online information services 71%
  ACH debit blocks 57%
  Check positive pay/reverse positive pay 51%
  ACH debit filters 49%
  Multi-factor authentication to initiate payments 49%
  Check payee positive pay 42%
  Account alert services 36%
  Card alert services for corporate cards 29%
  ACH positive pay 28%
  ACH payee positive pay 23%
  Post-no-check services 22%
  Account masking services 16%
Chart legend: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
% of respondents using each control:
  Human review of payment transactions 65%
  Customer authentication for online transactions 57%
  Centralized risk management department 44%
  Positive ID of purchaser or account for POS transactions 37%
  Fraud detection pen for currency 32%
  Software with pattern matching or other indicators 22%
  Verify customer state ID card is authentic 18%
  Centralized fraud database for one payment type 16%
  Centralized fraud database for multiple payment types 11%
  Participate in fraudster databases & alerts 8%
  Biometric authentication 8%
  Magnetic stripe or card chip authentication 8%
Chart legend: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents):
  Lack of staff resources 53%
  Consumer data privacy issues/concerns 41%
  Cost of implementing a commercially available fraud detection tool/service 41%
  Cost of implementing an in-house fraud detection tool/method 38%
  Lack of a compelling business case (cost vs. benefit) to adopt new or change existing methods 35%
  Unable to combine payment information for review due to operating in multiple states 3%
  Unable to combine payment information for review due to operating with multiple different banks 3%
  Corporate reluctance to share information due to competitive issues 3%
  Other 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types, &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, brad.larson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerl.rossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org
Resources
Industry links:
  American Bankers Association: www.aba.com
  Association for Financial Professionals: www.afponline.org
  Bank Administration Institute: www.bai.org
  BITS: www.bitsinfo.org
  Credit Union National Association: www.cuna.org
  Board of Governors of the Federal Reserve System: www.federalreserve.gov
  Electronic Check Clearing House Organization (ECCHO): www.eccho.com
  Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
  Federal Reserve Financial Services: www.frbservices.org
  Independent Community Bankers of America: www.icba.org
  National Automated Clearing House Association: www.nacha.org
  National Association of Federal Credit Unions: www.nafcunet.org
  X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud ($ billions)
  Year    Total e-commerce    Revenue lost to fraud
  2000         41.7                 1.5
  2001         53.1                 1.7
  2002         72.4                 2.1
  2003        111.8                 1.9
  2004        144.4                 2.6
  2005        175.0                 2.8
  2006        221.4                 3.1
  2007        264.3                 3.7
  2008        285.7                 4.0
  2009        275.0                 3.3
  2010        300.0                 2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost to online fraud as a percentage of total online sales, & total online fraud losses ($ billions):
  Year    % of online sales lost    Losses ($ billions)
  2000          3.6%                  1.5
  2001          3.2%                  1.7
  2002          2.9%                  2.1
  2003          1.7%                  1.9
  2004          1.8%                  2.6
  2005          1.6%                  2.8
  2006          1.4%                  3.1
  2007          1.4%                  3.7
  2008          1.4%                  4.0
  2009          1.2%                  3.3
  2010          0.9%                  2.7
Source: Cybersource 2011 Online Fraud Report
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
Slide 49: Appendix A, Payments Fraud Liability Matrix (continued)

Check(5), Forged (counterfeit) check
- Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
- Legal authority: UCC 4-401. If check is not properly payable the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
- Who is liable: Paying bank is liable as there is no breach of presentment warranty.
- Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check, Forged drawer's signature
- Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
- Legal authority: UCC 4-401. If check is not properly payable the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
- Who is liable: Paying bank is liable as there is no breach of presentment warranty.
- Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check, Forged endorsement
- Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
- Legal authority: UCC 4-401. If check is not properly payable the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
- Who is liable: Depository bank is liable as there is breach of transfer or presentment warranties.
- Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

(5) These protections also apply to business checks.
Slide 50: Appendix A, Payments Fraud Liability Matrix (continued)

Check, Fraudulent Alteration
- Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
- Legal authority: UCC 3-407; UCC 4-401. If check is not properly payable the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
- Who is liable: Depository bank is liable as there is breach of transfer or presentment warranties.
- Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check, Remotely Created Checks
- Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
- Legal authority: UCC 4-401. If check is not properly payable the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
- Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks.
- Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Slide 51: Appendix A, Payments Fraud Liability Matrix (continued)

Credit Cards, Card Present (signature or PIN required)
- Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
- Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
- Who is liable: The Issuing Bank is generally liable for fraudulent transactions.
- Legal authority: VISA and MasterCard Rules(6).
- Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
- Legal authority: VISA/MasterCard websites.

Credit Cards, Card not present (telephone or web initiated use)
- Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
- Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
- Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
- Legal authority: VISA and MasterCard Rules.
- Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
- Legal authority: VISA/MasterCard websites.

(6) The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Slide 52: Appendix A, Payments Fraud Liability Matrix (continued)

Debit Cards, Card Present (signature or PIN required)
- Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
- Legal authority: VISA/MasterCard websites.
- Who is liable: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
- Legal authority: VISA and MasterCard Rules.
- Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1).
- Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2).
- Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3).
Slide 53: Appendix A, Payments Fraud Liability Matrix (continued)

Debit Cards, Card not Present (telephone or web initiated use)
- Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
- Legal authority: VISA/MasterCard websites.
- Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
- Legal authority: Secondary Sources(7).
- Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1).
- Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2).
- Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3).
Slide 54: Appendix A, Payments Fraud Liability Matrix (continued)

Debit Cards, Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to consumer's bank account)
- Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
- Legal authority: VISA/MasterCard websites.
- Who is liable: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
- Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
- Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice. Legal authority: Reg E, 12 CFR 20146(b)(5)(v).
- Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
- Consumer protection: Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement. Legal authority: NACHA OR Section 8.6.1.
Slide 6: Who We Are

Northrop Grumman (NOC): Leading global security company that has achieved historic accomplishments, from transporting Lindbergh across the Atlantic to carrying astronauts to the moon & back.
- 120,000 employees provide systems, products & solutions in aerospace, electronics, information systems, shipbuilding & technical services to government & commercial customers worldwide
- Conducts business mostly with the US Government/Department of Defense; other customers include local, state & foreign governments & domestic & international commercial companies
- In 2009 delivered 6 ships to the US Navy & Coast Guard & launched 2 space tracking & surveillance system satellites

NOC & Payments: 95% of payroll is via direct deposit, 5% by check.

Customer Remittance (annualized volume / amount in $ millions)
Wires: 8,000 / $3,000
ACH: 64,000 / $28,000
Checks: 35,000 / $300
Credit Card: 1,258,000 / $22

Vendor Payments (annualized volume / amount in $ millions)
Wires: 10,000 / $10,100
ACH: 700,000 / $16,885
Checks: 500,000 / $4,458
Credit Card: 297,787 / $150
Slide 7: Who We Are

Federal Reserve System
- Sets & implements nation's monetary policy
- Supervises & regulates range of financial institutions & activities to ensure safe & sound banking practices
- Provides payments services to financial institutions (FIs) & the federal government
- Mission in payments: to foster the integrity, efficiency & accessibility of US dollar payments & settlement systems, issue a uniform currency & act as the fiscal agent & depository for the US government

Fed & Payments: The Fed clears & settles a large portion of US interbank payments.

Service: average daily volume / average daily value (commercial volume only; data through 3rd quarter 2010)
Fedwire Funds: 494,000 / $2.4 trillion
Fedwire Securities: 78,000 / $1.2 trillion
FedACH: 39.9 million / $65.4 billion
Check: 29 million / $41.4 billion
National Settlement: 2,100 / $55 billion
Slide 8: Payment Fraud Defined
Payments focused on today: check; ACH credits & debits; card; impact of cyberspace on payment fraud.
Payments Fraud Definition: Fraud that occurs when someone gains financial or material advantage by using a payment instrument, or information from a payment instrument, to complete a transaction that is not authorized by the legitimate account holder.
Slide 9: Accurate Data on Payment Fraud is Limited
- No definitive data on total number of payment fraud attacks or amount of losses in US
- Practices of FIs, companies & industries to monitor fraud vary
- Fraud data collected is often not shared; data that is shared is not comparable
- Fraud "facts" reported are subject to hype
[Chart: % of FIs tracking & sharing ATM/debit card fraud data; categories: internally track loss, internally track loss avoided, peer benchmarking, report to national shared databases; axis 0-100%]
Chart data source: ABA 2007 Deposit Account Fraud Survey
Slide 10: Corporate Fraud Attacks & Losses
- Nearly ¾ of corporations reported payments fraud attacks in 2009; about 30% suffered losses
- Large companies are more often the target of fraud; small companies more often suffer losses
- Fraud attempts have been steady since 2006; fraud losses have declined since 2006
[Chart: % of respondents reporting fraud attacks and fraud losses, 2004-2009]
Year: 2004 2005 2006 2007 2008 2009
Respondents reporting attacks (%): 55 68 72 71 71 73
Fraud losses (%): 17 19 58 37 37 30
Source: 2010 AFP Payments Fraud & Control Survey
Slide 11: Corporate Fraud by Payment Type
- Check fraud most attempted & most subject to losses; consistent trend since 2004
- Card fraud losses growing
- Main reasons for losses: internal controls not enforced; common prevention services not used

Payment type: Check / ACH(1) / Corporate & Commercial Cards(2) / Consumer Cards (Db/Cr)
Subject to fraud: 90% / 25% debits, 7% credits / 17% / 20%
Financial loss from fraud: 17% / 11% / 43% own, 16% accepted / NA
Responsible for greatest financial loss: 64% / 5% debits, 1% credits / 8% / 20%
Primary reason for loss: Did not use positive pay services / Did not use debit blocks, filters & positive pay / Illicit use of own card data & inadequate internal controls / NA(3)

Source: AFP 2010 Payments Fraud & Control Survey
(1) Includes ACH debits & credits except as noted. (2) Includes payments made on organization's own cards & B2B card payments accepted. (3) NA: data not collected in 2010 survey.
Slide 12: Top Fraud Schemes Involving Corporate's Own Accounts
[Chart: % of respondents, by scheme]
Telephone initiated payments: 9%
Other: 9%
Counterfeit currency: 13%
Fraudulent checks converted to ACH …: 13%
Counterfeit or stolen cards used online: 16%
Other Internet initiated payments: 16%
Fraudulent credentials to defraud accounts: 16%
Cash register frauds: 19%
Counterfeit or stolen cards used at point-…: 31%
Altered or forged checks: 34%
Counterfeit checks: 34%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Slide 13: Top Fraud Schemes Involving Payments Accepted
[Chart: % of respondents, by scheme]
Telephone initiated payments: 9%
Other: 9%
Counterfeit currency: 13%
Fraudulent checks converted to ACH payments: 13%
Counterfeit or stolen cards used online: 16%
Other Internet initiated payments: 16%
Fraudulent credentials to defraud accounts: 16%
Cash register frauds: 19%
Counterfeit or stolen cards used at point-of-…: 31%
Altered or forged checks: 34%
Counterfeit checks: 34%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Slide 14: External Parties Responsible for Most Payments Fraud
Perpetrators of payments fraud that resulted in financial loss in 2009 (% of respondents: All / Revenues > $1 B / Revenues < $1 B)
Outside individual (e.g. check forged, stolen card): 87 / 87 / 88
Organized crime ring: 15 / 15 / 12
Internal party: 11 / 12 / 8
External known party (e.g. vendor, 3rd party service provider, trading partner): 8 / 10 / 4
Criminal invasion (e.g. hacked system, malware): 4 / 3 / 7
Other: 4 / 2 / 6
Lost or stolen laptop or other device: 2 / 1 / 2
Source: 2010 AFP Payments Fraud & Control Study
Slide 15: Comparative Cost of Payments Fraud
Payment method: comparative value/range; total dollar value; estimated loss; source of information
- Credit Card: $0.07 - $0.14 per $100 purchases; $2.1 trillion; $1.47 - 2.94 billion (2007/2008); Nilson Report 2008, Javelin 2009 ID Fraud Survey Report
- Debit Card, PIN: $0.01 - $0.28 per $100 purchases; $0.3 trillion; $327 million (2007); Pulse 2008 Debit Issuer Study
- Debit Card, Signature: $0.024 - $0.096 per $100 purchases; $0.6 trillion; $324 million (2007); Pulse 2008 Debit Issuer Study
- Debit Card, ATM: $0.025 per $100 value or $0.025 per transaction; $0.579 trillion (5.8 billion trans); $145 million (2007); Pulse 2008 Debit Issuer Study
- ACH: $0.023 per $100 value of transactions; $31 trillion; $6.98 billion (2005/2006); NACHA 2005, ABA 2006
- Check: $0.027 per $100 value of checks paid; $41.6 trillion; $11 billion (2006); ABA 2006, Nilson Report 2007, FRB Kansas City
- Cash: $0.008 per $100 value of cash in circulation; $0.79 trillion in circulation YE '07; $61 million (2007); US Secret Service press release, March 2008
DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES
Estimated values: for cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Slide 16: Check Fraud
Slide 17: Small Biz Accounts Targeted More by Check Fraud than Larger Biz
[Chart: target of check fraud by size of bank (Community, Mid-Sized, Regional, Money Center, All) & account type (Large Corporation, Middle Market, Small Business)]
Source: 2009 ABA Deposit Account Fraud Survey
Slide 18: Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of check fraud causing losses (average percentage per bank)
Based on number of cases with losses: RDIs 35%; Forgeries 26%; Counterfeit 26%; Kiting 4%; Alteration 4%; Other 5%
Based on actual loss amount: RDIs 35%; Forgeries 22%; Counterfeit 30%; Alterations 4%; Kiting 6%; Other 3%
RDI: Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Slide 19: Why is Check Fraud Persistent & Widespread?
- Low risk crime
- Low barriers & costs to entry
- Account & other information needed is accessible
- Attributes of paper facilitate fraud
- Remote deposit capture (RDC) may increase aspects of fraud risk:
  - Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  - Certain check security features may be lost through imaging process
  - Certain physical alterations, such as check "washing", may be obscured by imaging process
  - Insider fraud potential may increase as customer employees are not subject to FI screening, e.g. presenting checks more than once, stealing personal information on checks
  - Use of RDC by foreign correspondent banks & services may raise money laundering risks
Slide 20: Best Ways to Mitigate Check Fraud Risk
- Institute positive pay
- Require signature verification
- Reconcile accounts daily
- Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on check
- Secure check stock & implement dual control around key treasury functions
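Positive pay, the first control on the slide, works by having the issuer send its bank an issue file of every check written (serial number, amount and, for payee positive pay, payee name); the bank matches each presented check against that file and reports exceptions for the customer to pay or return. The block below is an added example of that matching logic, written for this page and not taken from the presentation or from any bank's system; the issue file, the presented batch and the exception reason codes are all constructed for the example.

```python
"""Check positive pay matching (added example; constructed sample data).

The issuer's bank matches each presented check against the issue file and
reports exceptions.  A clean match marks the serial as paid, so a second
presentment of the same serial (paper after image, or a copied check) is
also caught.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    serial: str
    amount: Decimal
    payee: str
    voided: bool = False  # issuer cancelled the check after issuing it


@dataclass(frozen=True)
class PresentedCheck:
    serial: str
    amount: Decimal
    payee: str  # payee name as captured from the check image


def _norm(name: str) -> str:
    """Normalise payee names so case and spacing differences in the captured
    image text do not raise spurious payee exceptions."""
    return " ".join(name.upper().split())


def positive_pay_exceptions(issue_file, presented, already_paid=()):
    """Return [(serial, reason)] for every presented item that fails the
    match; items not listed match cleanly and would be paid."""
    issued = {c.serial: c for c in issue_file}
    paid = set(already_paid)
    exceptions = []
    for item in presented:
        issue = issued.get(item.serial)
        if issue is None:
            # Serial never issued: counterfeit or stolen blank stock.
            exceptions.append((item.serial, "paid-no-issue"))
        elif item.serial in paid:
            # Same serial presented twice.
            exceptions.append((item.serial, "duplicate-presentment"))
        elif issue.voided:
            exceptions.append((item.serial, "voided"))
        elif item.amount != issue.amount:
            # Amount differs from the issue record: likely alteration.
            exceptions.append((item.serial, "amount-mismatch"))
        elif _norm(item.payee) != _norm(issue.payee):
            # Payee differs: washed or altered payee line.
            exceptions.append((item.serial, "payee-mismatch"))
        else:
            paid.add(item.serial)
    return exceptions


# Constructed sample issue file and presentment batch.
ISSUE_FILE = [
    IssuedCheck("1001", Decimal("250.00"), "Acme Supply Co"),
    IssuedCheck("1002", Decimal("1200.00"), "Jane Doe"),
    IssuedCheck("1003", Decimal("75.50"), "City Water", voided=True),
    IssuedCheck("1005", Decimal("40.00"), "Office Depot"),
]
PRESENTED = [
    PresentedCheck("1001", Decimal("250.00"), "ACME SUPPLY CO"),   # clean match
    PresentedCheck("1002", Decimal("1200.00"), "John Smith"),      # payee altered
    PresentedCheck("1003", Decimal("75.50"), "City Water"),        # voided
    PresentedCheck("1004", Decimal("980.00"), "Cash"),             # never issued
    PresentedCheck("1005", Decimal("4000.00"), "Office Depot"),    # amount altered
    PresentedCheck("1001", Decimal("250.00"), "Acme Supply Co"),   # presented again
]


def run_example():
    return positive_pay_exceptions(ISSUE_FILE, PRESENTED)


if __name__ == "__main__":
    for serial, reason in run_example():
        print(f"check {serial}: {reason}")
```

The order of the checks matters: a never-issued serial is reported before anything else, and a duplicate is reported even when amount and payee agree, because the second copy is the fraudulent one regardless of how faithful it is. Daily reconciliation (the third item on the slide) is what keeps `already_paid` current between presentment batches.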
Slide 21: ACH Fraud
Slide 22: Total ACH Fraud Appears to be Low
- ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew only at a 3.6% CAGR
- Impact of network-wide rules shows in downward trend of absolute volume of unauthorized debit returns
Slide 23: But ACH Fraud Remains a Concern of Corporates
On a scale of 1 - 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud.
Fraud concern, ACH debits: Middle Market 4.06 (2009), 4.03 (2010); Large Corporate 4.24 (2009), 4.12 (2010)
Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
ACH fraud that affects corporations:
- Unauthorized debits to accounts
- ACH kiting
- Invalid debit origination/counterfeit ACH
- Fraudulent claims of unauthorized debits
- Insider origination fraud
- Corporate account takeovers that issue fraudulent ACH payments
Slide 24: ACH Origination Fraud
[Chart: corporate ACH fraud, % of respondents by number of attempts (1-5, 6-10, 11-15, 16-20, >20); series: All Respondents (median = 3), Revenues > $1 B (median = 4), Revenues < $1 B (median = 3)]
ACH fraud resulting in financial loss: All Respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Source: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Slide 25: Corporate Account Takeover
Criminal element has identified the ACH as vulnerable and has begun targeting smaller corporates & their banks.
Methods used to gain access to account:
- Employee visits social network site and opens infected document
- Trick employee into downloading malware (e.g. keystroke capture virus) from internet
- Social engineering/vishing, e.g. calling & tricking employee into disclosing credentials
- Phishing/spearphishing to trick employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
- Hacking computer system that is inadequately protected
Once account is accessed, fraudster transfers funds to "mule" account via ACH transaction; mule accounts are emptied & abandoned.
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Slide 26: Best Ways to Mitigate ACH Fraud Risk
- Implement best practices for online & IT data security, authenticating customers & initiating payments
- Use ACH positive pay, debit blocks & filters as appropriate
- Implement proactive detection & monitoring
- Develop & use files of known fraudulent recipients, e.g. develop blacklists
- Reconcile accounts daily & make timely returns
- Retain rights of refusal
- Require due diligence of 3rd party processors
- Educate customers & employees on fraud & how to report
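The debit block and debit filter in the second item are the receiving bank's controls on incoming ACH debits: a block returns every debit to the account, while a filter posts only debits from originators the account holder has pre-authorised, typically with a cap on amount and a restriction on Standard Entry Class code, and returns the rest. The block below is an added example of that evaluation, written for this page rather than taken from the presentation or from any bank's product; the company IDs, trace numbers, rules and dates are constructed, and the return reason code named in the comment (R29) is the NACHA code a corporate receiver uses for a debit it did not authorise.

```python
"""ACH debit block / debit filter evaluation (added example; constructed
rules and entries).

A debit block returns every incoming ACH debit.  A debit filter posts only
debits whose originator (the company ID on the batch header) is on the
account holder's authorised list, within that originator's amount cap, SEC
code set and authorisation period; everything else is returned to the ODFI.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class DebitEntry:
    trace: str              # entry trace number (constructed)
    company_id: str         # originator's company identification
    company_name: str
    sec_code: str           # CCD, CTX, PPD, WEB, ...
    amount: Decimal
    effective_date: date


@dataclass(frozen=True)
class FilterRule:
    company_id: str
    max_amount: Decimal
    sec_codes: frozenset
    expires: Optional[date] = None   # time-boxed authorisation, if any


def evaluate_debit(entry, rules, block_all=False):
    """Decide one debit: ('post', reason) or ('return', reason).  Returned
    items go back to the ODFI as unauthorized; for a corporate receiver the
    return reason code is R29 (corporate customer advises not authorized)."""
    if block_all:
        return ("return", "debit block: account accepts no ACH debits")
    rule = rules.get(entry.company_id)
    if rule is None:
        return ("return", f"originator {entry.company_id} not on debit filter")
    if rule.expires is not None and entry.effective_date > rule.expires:
        return ("return", "authorisation for originator has expired")
    if entry.sec_code not in rule.sec_codes:
        return ("return", f"SEC code {entry.sec_code} not permitted")
    if entry.amount > rule.max_amount:
        return ("return", f"amount {entry.amount} exceeds cap {rule.max_amount}")
    return ("post", "matches debit filter rule")


def process_batch(entries, rules, block_all=False):
    """Evaluate a batch; returns (posted trace numbers,
    [(trace number, reason) for each returned entry])."""
    posted, returned = [], []
    for entry in entries:
        decision, reason = evaluate_debit(entry, rules, block_all)
        if decision == "post":
            posted.append(entry.trace)
        else:
            returned.append((entry.trace, reason))
    return posted, returned


# Constructed filter rules: a payroll service allowed up to $50,000 via
# corporate SEC codes, and a supplier allowed $2,500 CCD through June 30.
RULES = {
    "1234567890": FilterRule("1234567890", Decimal("50000.00"),
                             frozenset({"CCD", "CTX"})),
    "9876543210": FilterRule("9876543210", Decimal("2500.00"),
                             frozenset({"CCD"}), expires=date(2011, 6, 30)),
}

# Constructed incoming debit batch.
BATCH = [
    DebitEntry("0001", "1234567890", "PAYROLL SVC", "CCD", Decimal("12000.00"), date(2011, 4, 5)),
    DebitEntry("0002", "1234567890", "PAYROLL SVC", "CCD", Decimal("75000.00"), date(2011, 4, 5)),
    DebitEntry("0003", "1234567890", "PAYROLL SVC", "WEB", Decimal("100.00"), date(2011, 4, 5)),
    DebitEntry("0004", "5555555555", "UNKNOWN CO", "CCD", Decimal("900.00"), date(2011, 4, 5)),
    DebitEntry("0005", "9876543210", "SUPPLIER LLC", "CCD", Decimal("2000.00"), date(2011, 7, 1)),
    DebitEntry("0006", "9876543210", "SUPPLIER LLC", "CCD", Decimal("2000.00"), date(2011, 4, 5)),
]


def run_example(block_all=False):
    return process_batch(BATCH, RULES, block_all)


if __name__ == "__main__":
    posted, returned = run_example()
    print("posted:", posted)
    for trace, reason in returned:
        print(f"return {trace}: {reason}")
```

The filter is deny-by-default: an originator that is not on the list is returned even if its name looks familiar, because company name is free text while company ID is what the originator's bank actually validates. The time-boxed rule shows why "make timely returns" sits beside the filter on the slide: a stale authorisation is only useful if the return goes out within the return window.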
Slide 27: Card Fraud
Slide 28: Card Fraud Losses
- 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
- 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
- Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
- Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment type costs ($B):
Losses by online retailers due to credit card fraud: $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud: $2.0
Cost of compliance with debit & credit card security, e.g. PCI: $2.0 - $5.5
Slide 29: Fraud by Type of B2B Card
[Chart: % of respondents experiencing fraud, by card type]
Purchasing Card: 72%
T&E Card: 45%
Multi-Use Card: 27%
Ghost Card: 23%
Fleet Card: 23%
Other: 7%
Type of fraud, % of respondents: experienced fraud from own B2B card use 42%; experienced loss due to accepting B2B card 16%
Source: 2010 AFP Payments Fraud & Control Survey
Slide 30: Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature debit fraud losses: Account takeover 3%; Stolen card 21%; Lost card 9%; Counterfeit 37%; e-Commerce & MOTO 25%; Other 5%
PIN debit fraud losses: Account takeover 7%; Stolen card 45%; Lost card 7%; Counterfeit 23%; e-Commerce & MOTO 6%; Other 12%
Source: ABA Deposit Account Fraud Survey Report, 2009
Slide 31: Best Ways to Mitigate Card Fraud Risk
- Use intelligent fraud prevention & detection systems to identify high-risk transactions
- Validate compliance with PCI standards
- Use real-time authorization & address verification systems
- Use check card verification codes & secure payment services for card-not-present acceptance
- Respond immediately to fraud & chargeback issues
- Implement programs & protective controls to prevent misuse of corporate payment cards by employees
- Set transaction limits & block unauthorized vendors
- Use payment tools that provide real-time spend visibility & detailed reporting
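The first, third, fourth and seventh items on the slide combine naturally in a merchant-side screen for card-not-present authorizations: address verification (AVS) and card verification code results, a per-transaction limit, and velocity counts that flag a burst of different cards tried from one client address, which is how a stolen-card list typically shows up at an online retailer. The block below is an added example of such a screen, written for this page and not taken from the presentation or from any vendor's product; the window, thresholds, score weights and the sample authorizations are all constructed, and a production system would take the AVS/CVV results from the authorization response rather than from fields set by hand.

```python
"""Velocity-based screening of card-not-present authorization attempts
(added example; constructed thresholds and sample data).

Over a sliding time window the screen computes, for each attempt,
  * attempts on the same card token in the window, and
  * distinct card tokens tried from the same client address in the window,
and combines them with the AVS/CVV results and a per-transaction limit into
a risk score.  Attempts at or above the hold threshold go to review.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    pan_token: str     # tokenised card number; the PAN itself is never stored
    client_ip: str
    amount: Decimal
    avs_match: bool    # billing address verification result
    cvv_match: bool    # card verification code result


class VelocityScreen:
    def __init__(self, window=timedelta(minutes=10), card_limit=5,
                 ip_card_limit=3, amount_limit=Decimal("500.00"), hold_at=35):
        self.window = window
        self.card_limit = card_limit          # attempts per card in window
        self.ip_card_limit = ip_card_limit    # distinct cards per IP in window
        self.amount_limit = amount_limit
        self.hold_at = hold_at
        self._recent = deque()                # attempts in window, oldest first

    def _expire(self, now):
        while self._recent and now - self._recent[0].ts > self.window:
            self._recent.popleft()

    def score(self, a):
        """Score one attempt, record it, and return (decision, score, reasons)."""
        self._expire(a.ts)
        same_card = 1 + sum(1 for r in self._recent if r.pan_token == a.pan_token)
        cards_from_ip = {r.pan_token for r in self._recent if r.client_ip == a.client_ip}
        cards_from_ip.add(a.pan_token)
        self._recent.append(a)

        score, reasons = 0, []
        if not a.avs_match:
            score += 20
            reasons.append("avs-mismatch")
        if not a.cvv_match:
            score += 25
            reasons.append("cvv-mismatch")
        if same_card > self.card_limit:
            score += 30
            reasons.append(f"card-velocity {same_card}")
        if len(cards_from_ip) > self.ip_card_limit:
            score += 40
            reasons.append(f"ip-card-velocity {len(cards_from_ip)}")
        if a.amount > self.amount_limit:
            score += 15
            reasons.append("over-limit")
        decision = "hold" if score >= self.hold_at else "approve"
        return decision, score, reasons


# Constructed sample: one ordinary sale, one large sale with a bad address,
# a burst of different cards from one address, then a later ordinary sale
# from that same address after the window has passed.
T0 = datetime(2011, 4, 4, 9, 0, 0)
SAMPLE = [
    AuthAttempt(T0, "tok-A", "10.0.0.1", Decimal("42.00"), True, True),
    AuthAttempt(T0 + timedelta(minutes=1), "tok-B", "10.0.0.9", Decimal("900.00"), False, True),
    AuthAttempt(T0 + timedelta(minutes=2), "tok-C", "10.0.0.7", Decimal("1.00"), False, False),
    AuthAttempt(T0 + timedelta(minutes=2, seconds=20), "tok-D", "10.0.0.7", Decimal("1.00"), False, False),
    AuthAttempt(T0 + timedelta(minutes=2, seconds=40), "tok-E", "10.0.0.7", Decimal("1.00"), False, False),
    AuthAttempt(T0 + timedelta(minutes=3), "tok-F", "10.0.0.7", Decimal("1.00"), True, True),
    AuthAttempt(T0 + timedelta(minutes=15), "tok-G", "10.0.0.7", Decimal("30.00"), True, True),
]


def run_example():
    screen = VelocityScreen()
    return [screen.score(a) for a in SAMPLE]


if __name__ == "__main__":
    for attempt, (decision, score, reasons) in zip(SAMPLE, run_example()):
        print(f"{attempt.pan_token} {decision:7} score={score:3} {reasons}")
```

The sixth attempt is the instructive one: its AVS and CVV both match and the amount is tiny, so on its own it looks clean, yet it is held because it is the fourth distinct card from the same address inside the window. The last attempt from that address is approved again once the burst has aged out, which is the behaviour a sliding window is meant to give; a real deployment would tune the window and weights from its own chargeback history and feed holds to the "respond immediately to fraud & chargeback issues" process the slide lists.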
Slide 32: Impact of Cyberspace on Payments Fraud
Slide 33: Main Effects of Cyberspace on Payments Fraud
- Another environment for direct payments fraud, e.g. fraudulent payment used to buy goods/services online
- Facilitates cyber crimes central to committing other types of payments fraud later: stolen data used to make purchases, 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
- Increases velocity of payments fraud
Slide 34: Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (black market estimate, 2010)
Credit Card: $1.50 - $3.00
SSN & Date of Birth (DOB): $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 - $20
Online Banking Account (depends on account type & balance): $50 - $1,000
Denial of Service Attack: $50 for 24 hours to a single target
Zeus Trojan Virus Kit: $3,000 - $4,000
Source: RSA Security Survey, September 2010
Slide 35: Phishing Activity Targets by Industry
[Chart: phishing activity targets by industry]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Slide 36: Fraud Prevention
Slide 37: Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
Customer notifies us: 76%
At the point of transaction: 48%
Third-party notification: 41%
At the point of origination: 26%
During account audit/reconciliation: 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Slide 38: Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents)
Employee education: 77%
Customer awareness: 67%
Fraud tools & technologies: 58%
Real-time decision tools: 45%
Manual account monitoring: 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
- Authentication/authorization for payment processes
- Dual controls & separation of duties
- Audit & management review to verify controls are applied
Slide 39: Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & effectiveness (% of respondents using each service; the chart further splits each bar into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective" and "plan to use within 12 to 24 months")
Account masking services: 16% use
Post no check services: 22% use
ACH payee positive pay: 23% use
ACH positive pay: 28% use
Card alert services for corporate cards: 29% use
Account alert services: 36% use
Check payee positive pay: 42% use
Multi-factor authentication to initiate payments: 49% use
ACH debit filters: 49% use
Check positive pay/reverse positive pay: 51% use
ACH debit blocks: 57% use
Online information services: 71% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of respondents using each control, in the order the chart lists them)
Magnetic stripe or card chip authentication | 8%
Biometrics authentication | 8%
Participate in fraudster databases & alerts | 8%
Centralized fraud database for multiple pymt. types | 11%
Centralized fraud database for one pymt. type | 16%
Verify customer state ID card is authentic | 18%
Software w/ pattern matching or other indicators | 22%
Fraud detection pen for currency | 32%
Positive ID of purchaser or account for POS trx. | 37%
Centralized risk management department | 44%
Customer authentication for online transactions | 57%
Human review of payment transactions | 65%
Each bar on the chart is split into: Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use w/in 12 to 24 months.
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (% of respondents)
Lack of staff resources | 53%
Consumer data privacy issues/concerns | 41%
Cost of implementing commercially available fraud detection tool/service | 41%
Cost of implementing in-house fraud detection tool/method | 38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods | 35%
Unable to combine payment information for review due to operating in multiple states | 3%
Unable to combine payment information for review due to operating with multiple different banks | 3%
Corporate reluctance to share information due to competitive issues | 3%
Other | 15%
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions?
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions
Year | Total e-commerce revenue | Revenue lost to fraud
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
Year | % of online revenue lost to fraud | Revenue lost ($ billions)
2000 | 3.6 | $1.5
2001 | 3.2 | $1.7
2002 | 2.9 | $2.1
2003 | 1.7 | $1.9
2004 | 1.8 | $2.6
2005 | 1.6 | $2.8
2006 | 1.4 | $3.1
2007 | 1.4 | $3.7
2008 | 1.4 | $4.0
2009 | 1.2 | $3.3
2010 | 0.9 | $2.7
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Payment type: ACH
Subtype (fraud type): Credit items (PPD)
Consumer protection: $0. Consumer not liable if report fraud within 60 days after receiving statement.
Legal authority: Reg E, 12 CFR 205.6(b)(3)
Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

Payment type: ACH
Subtype (fraud type): Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)(1)
Consumer protection: $0. Consumer not liable if report fraud within 60 days after receiving statement. Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement.
Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR(3) Section 8.6.1
Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI(2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG(4), pp. 102–103.

(1) ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E as it specifically excludes items that were first originated by a check.
(2) Receiving Depository Financial Institution.
(3) NACHA Operating Rules (2009).
(4) NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A (continued): Payments Fraud Liability Matrix

Payment type: Check(5)
Subtype (fraud type): Forged (counterfeit) check
Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment type: Check(5)
Subtype (fraud type): Forged drawer's signature
Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer's failure to timely report forgery.
Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment type: Check(5)
Subtype (fraud type): Forged endorsement
Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

(5) These protections also apply to business checks.
Appendix A (continued): Payments Fraud Liability Matrix

Payment type: Check
Subtype (fraud type): Fraudulent alteration
Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
Legal authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Payment type: Check
Subtype (fraud type): Remotely created checks
Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
Legal authority: Reg CC, 12 CFR 229.34 contains transfer and presentment warranties for remotely created checks in which depository bank warrants that the check is authorized.
Appendix A (continued): Payments Fraud Liability Matrix

Payment type: Credit cards
Subtype (fraud type): Card present (signature or PIN required)
Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
Legal authority: VISA and MasterCard Rules(6)

Payment type: Credit cards
Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal authority: VISA and MasterCard Rules

(6) The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A (continued): Payments Fraud Liability Matrix

Payment type: Debit cards
Subtype (fraud type): Card present (signature or PIN required)
Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1) ($50 tier); 12 CFR 205.6(b)(2) ($500 tier); 12 CFR 205.6(b)(3) (unlimited tier).
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
Legal authority: VISA and MasterCard Rules
Appendix A (continued): Payments Fraud Liability Matrix

Payment type: Debit cards
Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1) ($50 tier); 12 CFR 205.6(b)(2) ($500 tier); 12 CFR 205.6(b)(3) (unlimited tier).
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal authority: Secondary sources(7)
Appendix A (continued): Payments Fraud Liability Matrix

Payment type: Debit cards
Subtype (fraud type): Decoupled debit cards (cards issued by an institution other than the bank in which consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to consumer's bank account)
Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Consumer has right of immediate recredit under NACHA Rules if notifies its bank within 15 days after receiving statement.
Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.14(b)(5)(v) (all three Reg E tiers); NACHA OR Section 8.6.1.
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH debits. The ODFI is likely to pass liability to card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
Who We Are
Federal Reserve System
• Sets & implements nation's monetary policy
• Supervises & regulates range of financial institutions & activities to ensure safe & sound banking practices
• Provides payments services to financial institutions (FIs) & the federal government
• Mission in payments: to foster the integrity, efficiency & accessibility of US dollar payments & settlement systems; issue a uniform currency; & act as the fiscal agent & depository for the US government
Fed & Payments: the Fed clears & settles a large portion of US interbank payments
Service | Average Daily Volume | Average Daily Value
Fedwire Funds | 494,000 | $2.4 trillion
Fedwire Securities | 78,000 | $1.2 trillion
FedACH | 39.9 million | $65.4 billion
Check | 29 million | $41.4 billion
National Settlement | 2,100 | $55 billion
Commercial volume only; data through 3rd quarter 2010.
Payment Fraud Defined
Payments focused on today:
• Check
• ACH credits & debits
• Card
• Impact of cyberspace on payment fraud
Payments Fraud Definition: Fraud that occurs when someone gains financial or material advantage by using a payment instrument, or information from a payment instrument, to complete a transaction that is not authorized by the legitimate account holder.
Accurate Data on Payment Fraud is Limited
• No definitive data on total number of payment fraud attacks or amount of losses in US
• Practices of FIs, companies & industries to monitor fraud vary
• Fraud data collected is often not shared; data that is shared is not comparable
• Fraud "facts" reported are subject to hype
[Chart: % of FIs Tracking & Sharing ATM/Debit Card Fraud Data. Categories: Internally track loss; Internally track loss avoided; Internally track loss & loss avoided; Peer benchmarking; Report to Nat'l shared databases. Axis 0–100%.]
Chart Data Source: ABA 2007 Deposit Account Fraud Survey
Corporate Fraud Attacks & Losses
• Nearly ¾ of corporations reported payments fraud attacks in 2009; about 30% suffered losses
• Large companies are more often the target of fraud; small companies more often suffer losses
• Fraud attempts have been steady since 2006; fraud losses have declined since 2006
[Chart, 2004–2009, % of respondents. Fraud attempts series, values in chart order: 55, 68, 72, 71, 71, 73. Fraud losses series, values in chart order: 17, 19, 58, 37, 37, 30.]
Source: 2010 AFP Payments Fraud & Control Survey
Corporate Fraud by Payment Type
Payment type | Check | ACH(1) | Corporate & Commercial Cards(2) | Consumer Cards (Db/Cr)
Subject to fraud | 90% | 25% debits, 7% credits | 17% | 20%
Financial loss from fraud | 17% | 11% | 43% own, 16% accepted | NA
Responsible for greatest financial loss | 64% | 5% debits, 1% credits | 8% | 20%
Primary reason for loss | Did not use positive pay services | Did not use debit blocks, filters & positive pay | Illicit use of own card data & inadequate internal controls | NA(3)
• Check fraud most attempted & most subject to losses; consistent trend since 2004
• Card fraud losses growing
• Main reasons for losses: internal controls not enforced; common prevention services not used
Source: AFP 2010 Payments Fraud & Control Survey
(1) Includes ACH debits & credits except as noted. (2) Includes payments made on organization's own cards & B2B card payments accepted. (3) NA – data not collected in 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts
(% of respondents, in the order the chart lists them)
Telephone initiated payments | 9%
Other | 9%
Counterfeit currency | 13%
Fraudulent checks converted to ACH … | 13%
Counterfeit or stolen cards used online | 16%
Other Internet initiated payments | 16%
Fraudulent credentials to defraud accounts | 16%
Cash register frauds | 19%
Counterfeit or stolen cards used at point-… | 31%
Altered or forged checks | 34%
Counterfeit checks | 34%
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted
(% of respondents, in the order the chart lists them)
Telephone initiated payments | 9%
Other | 9%
Counterfeit currency | 13%
Fraudulent checks converted to ACH payments | 13%
Counterfeit or stolen cards used online | 16%
Other Internet initiated payments | 16%
Fraudulent credentials to defraud accounts | 16%
Cash register frauds | 19%
Counterfeit or stolen cards used at point-of-… | 31%
Altered or forged checks | 34%
Counterfeit checks | 34%
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)
Perpetrator | All Respondents | Revenues > $1 B | Revenues < $1 B
Outside individual (e.g. check forged, stolen card) | 87 | 87 | 88
Organized crime ring | 15 | 15 | 12
Internal party | 11 | 12 | 8
External known party (e.g. vendor, 3rd-party service provider, trading partner) | 8 | 10 | 4
Criminal invasion (e.g. hacked system, malware) | 4 | 3 | 7
Other | 4 | 2 | 6
Lost or stolen laptop or other device | 2 | 1 | 2
Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud
Payment Method | Comparative Value Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $.07 – $.14 per $100 purchases | $2.1 trillion | $1.47 – $2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card – PIN | $.001 – $.028 per $100 purchases | $0.3 trillion | $327 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – Signature | $.024 – $.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – ATM | $.025 per $100 value or $.025 per transaction | $0.579 trillion (5.8 billion trans.) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $.008 per $100 value of cash in circulation | $0.79 trillion in circulation, YE '07 | $61 million (2007) | US Secret Service press release, March 2008
DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES.
Estimated values: For cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank sizes: Community, Mid-Sized, Regional, Money Center, All. Account types: Large Corporation, Middle Market, Small Business. Values shown on the chart, in order: 22, 18, 5, 12, 16, 1, 6, 4, 4, 5, 1, 4, 16, 9, 5.]
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of Check Fraud Causing Losses (average percentage per bank)
Type | Based on number of cases with losses | Based on actual loss amount
RDIs | 35% | 35%
Forgeries | 26% | 22%
Counterfeit | 26% | 30%
Kiting | 4% | 6%
Alteration | 4% | 4%
Other | 5% | 3%
RDI: Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
• Low-risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
 – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
 – Certain check security features may be lost through imaging process
 – Certain physical alterations, such as check "washing", may be obscured by imaging process
 – Insider fraud potential may increase as customer employees are not subject to FI screening, e.g. presenting checks more than once, stealing personal information on checks
 – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on check
• Secure check stock & implement dual control around key treasury functions
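How the first and fourth controls above fit together, as an added example that is not code from the slide deck: a positive pay matcher compares the bank's presentment file against the company's issue file on serial number, amount and payee, flags duplicate presentments, and first validates a modulus-10 (Luhn) check digit on the serial number, the kind of image-survivable feature the slide refers to. The issue file, payees, amounts and the Luhn scheme are constructed assumptions for the demo; a real positive pay service is operated by the bank.

```python
"""Check positive pay matcher with modulus-10 serial numbers (added example).

Serial numbers carry a Luhn check digit, so a counterfeit or altered
serial is rejected before matching even begins. Every item that does not
match the issue file exactly is an exception for treasury to decide on
before the bank pays it. All data below is constructed sample data.
"""
from dataclasses import dataclass
from decimal import Decimal


def luhn_check_digit(body: str) -> str:
    """Modulus-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit, starting at the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """True when the serial's last digit is its correct check digit."""
    if not serial.isdigit() or len(serial) < 2:
        return False
    return luhn_check_digit(serial[:-1]) == serial[-1]


@dataclass
class IssuedCheck:
    serial: str
    amount: Decimal
    payee: str
    paid: bool = False                      # set once the bank has paid this item


def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive payee comparison."""
    return " ".join(name.upper().split())


def match_presented(issue_file: dict, presented: list) -> list:
    """Decide PAY or EXCEPTION for each presented item, with reasons.

    issue_file maps serial -> IssuedCheck; presented is a list of dicts with
    keys serial, amount (string) and payee, as read from the bank's file.
    """
    decisions = []
    for item in presented:
        serial = item["serial"]
        reasons = []
        if not serial_is_valid(serial):
            reasons.append("bad check digit")
        issued = issue_file.get(serial)
        if issued is None:
            reasons.append("serial not in issue file")
        else:
            if issued.paid:
                reasons.append("duplicate presentment")
            if issued.amount != Decimal(item["amount"]):
                reasons.append("amount mismatch")
            if normalize_payee(issued.payee) != normalize_payee(item["payee"]):
                reasons.append("payee mismatch")
        if reasons:
            decisions.append({"serial": serial, "decision": "EXCEPTION", "reasons": reasons})
        else:
            issued.paid = True
            decisions.append({"serial": serial, "decision": "PAY", "reasons": []})
    return decisions


def build_issue_file() -> dict:
    """Constructed issue file: five-digit serial body + Luhn digit, amount, payee."""
    checks = [("10020", "1250.00", "Acme Supply Co"),
              ("10021", "300.00", "Blue Ink LLC"),
              ("10022", "75.50", "Wilson & Sons")]
    issue_file = {}
    for body, amt, payee in checks:
        serial = body + luhn_check_digit(body)
        issue_file[serial] = IssuedCheck(serial, Decimal(amt), payee)
    return issue_file


def run_demo() -> list:
    """Constructed presentment file exercising each exception type."""
    issue_file = build_issue_file()
    presented = [
        {"serial": "100206", "amount": "1250.00", "payee": "ACME SUPPLY CO"},  # clean match
        {"serial": "100206", "amount": "1250.00", "payee": "Acme Supply Co"},  # presented twice
        {"serial": "100214", "amount": "3000.00", "payee": "Blue Ink LLC"},    # amount altered
        {"serial": "100222", "amount": "75.50", "payee": "W. Thief"},          # payee altered
        {"serial": "100239", "amount": "500.00", "payee": "Nobody Inc"},       # counterfeit serial
    ]
    return match_presented(issue_file, presented)


if __name__ == "__main__":
    for d in run_demo():
        print(d["serial"], d["decision"], ", ".join(d["reasons"]))
```

The daily reconciliation bullet is the other half of this control: exceptions only help if someone reviews them before the bank's return deadline, so the matcher is meant to run against each day's presentment file, not weekly.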
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew 16.1% CAGR while unauthorized returned debits grew only 3.6% CAGR
• Impact of network-wide rules shows in downward trend of absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:
Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12
Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents
ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
Corporate ACH Fraud: number of attempts (% of respondents)
Attempts | All Respondents (median = 3) | Revenues > $1 B (median = 4) | Revenues < $1 B (median = 3)
1–5 | 68 | 61 | 75
6–10 | 10 | 8 | 11
11–15 | 8 | 13 | 0
16–20 | 3 | 5 | 0
> 20 | 12 | 13 | 14
ACH Fraud Resulting in Financial Loss: All respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in past two years
Source: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover
• Criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to account:
 – Employee visits social network site & opens infected document
 – Trick employee into downloading malware (e.g. keystroke capture virus) from Internet
 – Social engineering/vishing, e.g. calling & tricking employee to disclose credentials
 – Phishing/spearphishing to trick employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
 – Hacking computer system that is inadequately protected
• Once account is accessed, fraudster transfers funds to "mule" account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from résumés posted on job search websites. May believe job is legitimate, may be lower-level criminal, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH Positive Pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd-party processors
• Educate customers & employees on fraud & how to report
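Three of the controls above in working form, as an added example that is not code from the slide deck: an ACH debit filter (only allow-listed originators may debit the account, each under an amount cap, everything else is returned), a file of known fraudulent recipients checked before an outgoing credit is released, and a daily reconciliation that flags posted debits the company never authorized and says whether they are still inside the return window. Company IDs, trace numbers, account numbers, dates and the two-banking-day return window are constructed assumptions for the demo, not values or rules quoted from the deck.

```python
"""ACH debit filter, recipient blocklist and daily reconciliation (added example).

All identifiers and the return-window length below are constructed
assumptions; a production version would take them from the bank's debit
filter service and the current NACHA rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class PostedDebit:
    trace: str            # bank trace number of the entry
    company_id: str       # originator's company identification
    amount: Decimal
    settlement: date


def filter_debit(debit: PostedDebit, allow_list: dict) -> tuple:
    """Debit filter: allow_list maps company_id -> maximum amount per entry."""
    cap = allow_list.get(debit.company_id)
    if cap is None:
        return ("RETURN", "originator not on debit filter")
    if debit.amount > cap:
        return ("RETURN", f"amount {debit.amount} exceeds cap {cap}")
    return ("POST", "allowed originator within cap")


def screen_recipient(routing: str, account: str, blocklist: set) -> tuple:
    """Hold outgoing credits whose destination is on the known-fraudulent list."""
    if (routing, account) in blocklist:
        return ("HOLD", "recipient account on fraud blocklist")
    return ("RELEASE", "recipient not on blocklist")


def banking_days_since(start: date, today: date) -> int:
    """Count Monday-to-Friday days after start, up to and including today."""
    days = 0
    d = start
    while d < today:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def reconcile(posted: list, authorized_traces: set, today: date,
              return_window_days: int = 2) -> list:
    """Flag posted debits with no matching authorization.

    Entries still inside the return window (assumed here: two banking days
    after settlement) are marked for return today; older ones need a claim
    outside the network and are escalated instead.
    """
    findings = []
    for debit in posted:
        if debit.trace in authorized_traces:
            continue
        age = banking_days_since(debit.settlement, today)
        if age <= return_window_days:
            findings.append((debit.trace, "RETURN", f"unauthorized, {age} banking days old"))
        else:
            findings.append((debit.trace, "ESCALATE",
                             f"unauthorized, return window closed ({age} banking days)"))
    return findings


def run_demo() -> dict:
    """Constructed sample data; returns the decision of each control."""
    allow_list = {"1234567890": Decimal("5000.00"),     # e.g. payroll provider
                  "9876543210": Decimal("20000.00")}    # e.g. tax authority
    posted = [
        PostedDebit("091000010000001", "1234567890", Decimal("1200.00"), date(2011, 3, 30)),
        PostedDebit("091000010000002", "1234567890", Decimal("7500.00"), date(2011, 3, 31)),
        PostedDebit("091000010000003", "5555555555", Decimal("980.00"), date(2011, 3, 31)),
        PostedDebit("091000010000004", "9876543210", Decimal("15000.00"), date(2011, 3, 25)),
    ]
    blocklist = {("091000019", "44556677")}               # constructed blocklist entry
    authorized = {"091000010000001"}                      # the only debit we expected
    today = date(2011, 4, 1)                              # a Friday
    return {
        "filter": [filter_debit(d, allow_list)[0] for d in posted],
        "screen": [screen_recipient("091000019", "44556677", blocklist)[0],
                   screen_recipient("091000019", "12345678", blocklist)[0]],
        "reconcile": reconcile(posted, authorized, today),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The filter and the reconciliation are deliberately separate: the filter stops debits at the bank before they post, while reconciliation catches what the filter let through (an allow-listed originator whose credentials were misused, for instance), which is why the deck lists both.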
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Payment Type | Costs ($B)
Losses by online retailer due to credit card fraud | $3.6
Losses by brick-and-mortar retailer due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g. PCI | $2.0 – $5.5
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud by Type of B2B Card
(Chart: % of respondents by card type. Values read from the chart in the order the categories are listed: Purchasing Card 72%, T&E Card 45%, Multi-Use Card 27%, Ghost Card 23%, Fleet Card 23%, Other 7%)
Type of Fraud | % of Respondents
Experienced Fraud from Own B2B Card Use | 42%
Experienced Loss Due to Accepting B2B Card | 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature Debit Fraud Losses: Account Takeover 3%, Stolen Card 21%, Lost Card 9%, Counterfeit 37%, e-Commerce & MOTO 25%, Other 5%
PIN Debit Fraud Losses: Account Takeover 7%, Stolen Card 45%, Lost Card 7%, Counterfeit 23%, e-Commerce & MOTO 6%, Other 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
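The corporate card controls above (transaction limits, blocked vendors/merchant categories, real-time authorization with address and card verification code checks for card-not-present use) as an added Python example; this is not code from the presentation or from any of the speakers' organizations. Card IDs, merchant names, amounts and the control values are constructed; the merchant category codes used (7995 gambling, 5943 office supplies, 7011 lodging, 4511 airlines) are real categories chosen for illustration.

```python
"""Authorization-time controls for a corporate card programme (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthRequest:
    card_id: str
    merchant: str
    mcc: str                           # merchant category code
    amount: Decimal
    at: datetime
    card_present: bool
    avs_match: Optional[bool] = None   # address verification result, card-not-present only
    cvv_match: Optional[bool] = None   # card verification code result, card-not-present only


@dataclass
class CardControls:
    per_txn_limit: Decimal
    daily_limit: Decimal
    blocked_mccs: Set[str]
    velocity_max_per_hour: int
    allowed_merchants: Optional[Set[str]] = None   # None = any merchant not otherwise blocked


def authorize(req: AuthRequest, ctl: CardControls,
              approved_history: List[AuthRequest]) -> Tuple[str, List[str]]:
    """Return ("approve" | "decline", reasons). Every failed control is reported,
    not only the first, so the programme administrator sees the full picture."""
    reasons = []
    if req.amount > ctl.per_txn_limit:
        reasons.append("per-transaction limit exceeded")
    if req.mcc in ctl.blocked_mccs:
        reasons.append(f"blocked merchant category {req.mcc}")
    if ctl.allowed_merchants is not None and req.merchant not in ctl.allowed_merchants:
        reasons.append("merchant not on vendor allow-list")
    if not req.card_present and not (req.avs_match and req.cvv_match):
        reasons.append("card-not-present without AVS and CVV match")

    same_day = [h for h in approved_history
                if h.card_id == req.card_id and h.at.date() == req.at.date()]
    if sum(h.amount for h in same_day) + req.amount > ctl.daily_limit:
        reasons.append("daily spend limit exceeded")

    last_hour = [h for h in approved_history
                 if h.card_id == req.card_id and req.at - h.at <= timedelta(hours=1)]
    if len(last_hour) + 1 > ctl.velocity_max_per_hour:
        reasons.append("velocity cap exceeded")

    return ("decline" if reasons else "approve"), reasons


# --- constructed sample data -------------------------------------------------
CONTROLS = CardControls(per_txn_limit=Decimal("2500"), daily_limit=Decimal("5000"),
                        blocked_mccs={"7995"}, velocity_max_per_hour=3,
                        allowed_merchants={"Office Depot", "Delta Air Lines", "Marriott"})
T0 = datetime(2011, 4, 4, 9, 0)
HISTORY = [   # already-approved authorizations on the same card today
    AuthRequest("C-1", "Office Depot", "5943", Decimal("1800"), T0, True),
    AuthRequest("C-1", "Marriott", "7011", Decimal("2400"), T0 + timedelta(minutes=20), True),
]


def sample_decisions():
    """Evaluate a few constructed requests against CONTROLS and HISTORY."""
    later = T0 + timedelta(hours=3)
    reqs = {
        "ok": AuthRequest("C-1", "Delta Air Lines", "4511", Decimal("600"), later, False,
                          avs_match=True, cvv_match=True),
        "gambling": AuthRequest("C-1", "Lucky Casino", "7995", Decimal("100"), later, True),
        "over_daily": AuthRequest("C-1", "Office Depot", "5943", Decimal("900"), later, True),
        "cnp_no_avs": AuthRequest("C-1", "Marriott", "7011", Decimal("300"), later, False,
                                  avs_match=False, cvv_match=True),
    }
    return {name: authorize(r, CONTROLS, HISTORY) for name, r in reqs.items()}
```

Reporting every failed control rather than short-circuiting on the first one is a deliberate choice: the "real-time spend visibility & detailed reporting" bullet is only useful if declines explain themselves.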
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud
Source: RSA Security Survey, September 2010

Item | Cost on Black Market, Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1000
Denial of Service Attack | $50 for 24 hours to single target
Zeus Trojan Virus Kit | $3000 - $4000
Phishing Activity Targets by Industry
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is Fraud Usually Detected? (% of respondents)
Customer Notifies Us 76%
At the Point of Transaction 48%
Third-Party Notification 41%
At the Point of Origination 26%
During Account Audit/Reconciliation 23%
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most Effective Fraud Prevention Tools (% of respondents)
Employee Education 77%
Customer Awareness 67%
Fraud Tools & Technologies 58%
Real-Time Decision Tools 45%
Manual Account Monitoring 28%
Source: Information Security Media Group, 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
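The three internal controls above (authorization for payment processes, dual control with separation of duties, and an audit trail for management review) as an added Python example; this is not code from the presentation or from any of the speakers' organizations. A payment is initiated by one user, must be approved by a different user (two distinct approvers at or above a threshold), and is released only when the required approvals are present; every attempt, allowed or refused, is logged. User names, roles, the threshold and the amounts are constructed.

```python
"""Dual control and separation of duties for payment release, with an audit trail."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Dict, List, Set


class ControlViolation(Exception):
    """An action that would break separation of duties or dual control."""


@dataclass
class Payment:
    payment_id: str
    amount: Decimal
    beneficiary: str
    initiated_by: str
    approvals: List[str] = field(default_factory=list)
    released: bool = False


class PaymentWorkflow:
    """Initiate -> approve (by someone else) -> release, with every attempt logged."""

    def __init__(self, roles: Dict[str, Set[str]], dual_approval_threshold: Decimal):
        self.roles = roles                      # user -> roles held (constructed RBAC table)
        self.threshold = dual_approval_threshold
        self.payments: Dict[str, Payment] = {}
        self.audit_log: List[str] = []          # what management/audit review reads

    def _require_role(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} lacks role {role}")

    def _guard(self, action: str, user: str, payment_id: str,
               check: Callable[[], None]) -> None:
        """Run a control check and record the outcome whether it passes or not."""
        try:
            check()
        except ControlViolation as exc:
            self.audit_log.append(f"DENIED {action} {payment_id} by {user}: {exc}")
            raise
        self.audit_log.append(f"OK {action} {payment_id} by {user}")

    def approvals_required(self, amount: Decimal) -> int:
        return 2 if amount >= self.threshold else 1

    def initiate(self, user: str, payment_id: str, amount: Decimal, beneficiary: str) -> Payment:
        self._guard("initiate", user, payment_id, lambda: self._require_role(user, "initiator"))
        self.payments[payment_id] = Payment(payment_id, amount, beneficiary, initiated_by=user)
        return self.payments[payment_id]

    def approve(self, user: str, payment_id: str) -> None:
        p = self.payments[payment_id]

        def check() -> None:
            self._require_role(user, "approver")
            if user == p.initiated_by:          # separation of duties
                raise ControlViolation("initiator may not approve own payment")
            if user in p.approvals:             # two approvals must come from two people
                raise ControlViolation("duplicate approval by same user")
        self._guard("approve", user, payment_id, check)
        p.approvals.append(user)

    def release(self, user: str, payment_id: str) -> None:
        p = self.payments[payment_id]

        def check() -> None:
            self._require_role(user, "releaser")
            needed = self.approvals_required(p.amount)
            if len(p.approvals) < needed:       # dual control above the threshold
                raise ControlViolation(f"{len(p.approvals)} of {needed} approvals present")
        self._guard("release", user, payment_id, check)
        p.released = True


def demo() -> PaymentWorkflow:
    """Constructed walk-through: one compliant release and two refused attempts."""
    wf = PaymentWorkflow(
        roles={"alice": {"initiator"}, "bob": {"approver"},
               "carol": {"approver", "releaser"}, "dave": {"initiator", "approver"}},
        dual_approval_threshold=Decimal("10000"))
    wf.initiate("alice", "P-1", Decimal("25000"), "Vendor A")
    wf.approve("bob", "P-1")
    try:
        wf.release("carol", "P-1")      # refused: only one of two required approvals
    except ControlViolation:
        pass
    wf.approve("carol", "P-1")
    wf.release("carol", "P-1")          # allowed: two distinct approvers, releaser role
    wf.initiate("dave", "P-2", Decimal("500"), "Vendor B")
    try:
        wf.approve("dave", "P-2")       # refused: dave initiated P-2 himself
    except ControlViolation:
        pass
    return wf
```

Logging the denied attempts, not only the successful ones, is what makes the third control (audit & management review) possible: a reviewer can see who tried to approve their own payment or release a payment short of approvals, which is exactly the behaviour the other two controls exist to stop.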
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service; the chart further splits use into very effective, somewhat effective, somewhat ineffective, very ineffective, and plan to use within 12 to 24 months)
Account masking services 16%
Post no check services 22%
ACH payee positive pay 23%
ACH positive pay 28%
Card alert services for corp cards 29%
Account alert services 36%
Check payee positive pay 42%
Multi-factor authentication to initiate payments 49%
ACH debit filters 49%
Check positive pay/reverse positive pay 51%
ACH debit blocks 57%
Online information services 71%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of respondents using each control; the chart further splits use into very effective, somewhat effective, somewhat ineffective, very ineffective, and plan to use within 12 to 24 months)
Magnetic stripe or card chip authentication 8%
Biometrics authentication 8%
Participate in fraudster databases & alerts 8%
Centralized fraud database for multiple pymt types 11%
Centralized fraud database for one pymt type 16%
Verify customer state ID card is authentic 18%
Software w/pattern matching or other indicators 22%
Fraud detection pen for currency 32%
Positive ID of purchaser or account for POS trx 37%
Centralized risk management department 44%
Customer authentication for online transactions 57%
Human review of payment transactions 65%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (% of respondents)
• Lack of staff resources 53%
• Consumer data privacy issues/concerns 41%
• Cost of implementing commercially available fraud detection tool/service 41%
• Cost of implementing in-house fraud detection tool/method 38%
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods 35%
• Unable to combine payment information for review due to operating in multiple states 3%
• Unable to combine payment information for review due to operating with multiple different banks 3%
• Corporate reluctance to share information due to competitive issues 3%
• Other 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies
6. Review results of fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, brad.larson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerl.rossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
• American Bankers Association www.aba.com
• Association for Financial Professionals www.afponline.org
• Bank Administration Institute www.bai.org
• BITS www.bitsinfo.org
• Credit Union National Association www.cuna.org
• Board of Governors of the Federal Reserve System www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO) www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC) www.ffiec.gov
• Federal Reserve Financial Services www.frbservices.org
• Independent Community Bankers of America www.icba.org
• National Automated Clearing House Association www.nacha.org
• National Association of Federal Credit Unions www.nafcunet.org
• X9 Financial Industry Standards www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions
Year | Total e-commerce ($B) | Revenue lost to fraud ($B)
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
Year | Revenue lost to online fraud (% of online sales) | Revenue lost ($B)
2000 | 3.6% | $1.5
2001 | 3.2% | $1.7
2002 | 2.9% | $2.1
2003 | 1.7% | $1.9
2004 | 1.8% | $2.6
2005 | 1.6% | $2.8
2006 | 1.4% | $3.1
2007 | 1.4% | $3.7
2008 | 1.4% | $4.0
2009 | 1.2% | $3.3
2010 | 0.9% | $2.7
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Columns of the matrix: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

ACH – Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if report fraud within 60 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH – Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)(1)
  Consumer protection: $0. Consumer not liable if report fraud within 60 days after receiving statement. Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR(3) Section 8.6.1.
  Who is liable: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI(2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG(4) 102, 103.

(1) ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E as it specifically excludes items that were first originated by a check.
(2) Receiving Depository Financial Institution.
(3) NACHA Operating Rules (2009).
(4) NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Check(5)

Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Paying bank is liable as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Forged drawer's signature
  Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Paying bank is liable as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Forged endorsement
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

(5) These protections also apply to business checks.
Check (continued)

Fraudulent Alteration
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Depository bank is liable as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Remotely Created Checks
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Credit Cards

Card Present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules(6).

Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules.

(6) The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit Cards

Card Present (signature or PIN required)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unau­thorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under federal law: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1) ($50 tier); Reg E, 12 CFR 205.6(b)(2) ($500 tier); Reg E, 12 CFR 205.6(b)(3) (unlimited tier).
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
  Legal authority: VISA and MasterCard Rules.
Debit Cards (continued)

Card not Present (telephone or web initiated use)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under federal law: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1) ($50 tier); Reg E, 12 CFR 205.6(b)(2) ($500 tier); Reg E, 12 CFR 205.6(b)(3) (unlimited tier).
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary Sources(7).
Debit Cards (continued)

Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under federal law: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Consumer has right of immediate recredit under NACHA Rules if notifies its bank within 15 days after receiving statement.
  Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.14(b)(5)(v) (all three federal tiers); NACHA OR Section 8.6.1.
  Who is liable: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
Payment Fraud Defined
Payments focused on today:
• Check
• ACH credits & debits
• Card
• Impact of cyberspace on payment fraud
Payments Fraud Definition: Fraud that occurs when someone gains financial or material advantage by using a payment instrument, or information from a payment instrument, to complete a transaction that is not authorized by the legitimate account holder.
Accurate Data on Payment Fraud is Limited
• No definitive data on total number of payment fraud attacks or amount of losses in US
• Practices of FIs, companies & industries to monitor fraud vary
• Fraud data collected is often not shared; data that is shared is not comparable
• Fraud "facts" reported are subject to hype
(Chart: % of FIs Tracking & Sharing ATM/Debit Card Fraud Data; categories: Internally track loss, Internally track loss avoided, Peer benchmarking, Report to Nat'l Shared Databases; 0–100% scale)
Chart Data Source: ABA 2007 Deposit Account Fraud Survey
Corporate Fraud Attacks & Losses
• Nearly ¾ of corporations reported payments fraud attacks in 2009; about 30% suffered losses
• Large companies are more often the target of fraud; small companies more often suffer losses
• Fraud attempts have been steady since 2006; fraud losses have declined since 2006
(Chart values, % of respondents, read in year order)
Year | Respondents reporting fraud attacks | Respondents reporting fraud losses
2004 | 55% | 17%
2005 | 68% | 19%
2006 | 72% | 58%
2007 | 71% | 37%
2008 | 71% | 37%
2009 | 73% | 30%
Source: 2010 AFP Payments Fraud & Control Survey
Corporate Fraud by Payment Type
Payment Types | Check | ACH(1) | Corporate & Commercial Cards(2) | Consumer Cards (Db/Cr)
Subject to Fraud | 90% | 25% Debits, 7% Credits | 17% | 20%
Financial Loss From Fraud | 17% | 11% | 43% Own, 16% Accepted | NA
Responsible for Greatest Financial Loss | 64% | 5% Debits, 1% Credits | 8% | 20%
Primary Reason for Loss | Did not use positive pay services | Did not use debit blocks, filters & positive pay | Illicit use of own card data & inadequate internal controls | NA(3)
• Check fraud most attempted & most subject to losses; consistent trend since 2004
• Card fraud losses growing
• Main reasons for losses: internal controls not enforced; common prevention services not used
Source: AFP 2010 Payments Fraud & Control Survey
(1) Includes ACH debits & credits except as noted. (2) Includes payments made on organization's own cards & B2B card payments accepted. (3) NA – data not collected in 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts
(% of respondents, values read from the chart in the order the categories are listed)
Telephone initiated payments 9%
Other 9%
Counterfeit currency 13%
Fraudulent checks converted to ACH … 13%
Counterfeit or stolen cards used online 16%
Other Internet initiated payments 16%
Fraudulent credentials to defraud accounts 16%
Cash register frauds 19%
Counterfeit or stolen cards used at point-… 31%
Altered or forged checks 34%
Counterfeit checks 34%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted
(% of respondents, values read from the chart in the order the categories are listed)
Telephone initiated payments 9%
Other 9%
Counterfeit currency 13%
Fraudulent checks converted to ACH payments 13%
Counterfeit or stolen cards used online 16%
Other Internet initiated payments 16%
Fraudulent credentials to defraud accounts 16%
Cash register frauds 19%
Counterfeit or stolen cards used at point-of-… 31%
Altered or forged checks 34%
Counterfeit checks 34%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)
Perpetrator | All Respondents | Revenues > $1 B | Revenues < $1 B
Outside Individual (e.g. check forged, stolen card) | 87% | 87% | 88%
Organized Crime Ring | 15% | 15% | 12%
Internal Party | 11% | 12% | 8%
External known party (e.g. vendor, 3rd party service provider, trading partner) | 8% | 10% | 4%
Criminal invasion (e.g. hacked system, malware) | 4% | 3% | 7%
Other | 4% | 2% | 6%
Lost or stolen laptop or other device | 2% | 1% | 2%
Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud
Payment Method | Comparative Value/Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $0.07 - $0.14 per $100 purchases | $2.1 trillion | $1.47 - 2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card – PIN | $0.001 - $0.028 per $100 purchases | $0.3 trillion | $327 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – Signature | $0.024 - $0.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – ATM | $0.025 per $100 value or $0.025 per transaction | $0.579 trillion (5.8 billion trans.) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $0.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $0.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $0.008 per $100 value of cash in circulation | $0.79 trillion in circulation YE '07 | $61 million (2007) | US Secret Service press release, March 2008
DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES.
Estimated values: For cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
(Chart: Target of Check Fraud By Size of Bank & Account Type; bank sizes: Community, Mid-Sized, Regional, Money Center, All; account types: Large Corporation, Middle Market, Small Business)
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of Check Fraud Causing Losses (average percentage per bank)
Based on number of cases with losses: RDIs 35%, Forgeries 26%, Counterfeit 26%, Kiting 4%, Alteration 4%, Other 5%
Based on actual loss amount: RDIs 35%, Forgeries 22%, Counterfeit 30%, Alterations 4%, Kiting 6%, Other 3%
RDI: Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
• Low-risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  – Certain check security features may be lost through the imaging process
  – Certain physical alterations, such as check “washing”, may be obscured by the imaging process
  – Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g. presenting checks more than once, stealing personal information on checks)
  – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
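The image-survivable features listed above can be made concrete. The following Python example is added here and is not part of the presentation: it shows one way to build a modulus-10 check digit for the serial number and a short authentication code over the payee and amount, both printed on the check face so they survive imaging. Verification recomputes both from the fields read off the image, so a washed payee, a raised amount or a misread serial is caught before the item posts. The HMAC-based code stands in for the slide's "encrypted check data"; the issuer key, account number and check details are constructed placeholders, and the hypothetical functions `issue_check` and `verify_image` are not a bank's or printer's API.

```python
import hashlib
import hmac

# Hypothetical issuer key shared by the check-printing system and the bank's
# image verification step. Constructed for this example only; a real
# deployment would keep it in an HSM and rotate it.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def mod10_check_digit(serial: str) -> str:
    """Luhn-style modulus-10 check digit for a numeric check serial.

    Any single altered or misread digit changes the result, so the serial is
    rejected before the rest of the check is examined."""
    total = 0
    for i, ch in enumerate(reversed(serial)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit, rightmost first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(printed_serial: str) -> bool:
    """True when the trailing digit is the correct check digit for the rest."""
    if len(printed_serial) < 2 or not printed_serial.isdigit():
        return False
    return mod10_check_digit(printed_serial[:-1]) == printed_serial[-1]


def _canonical(account: str, printed_serial: str, payee: str, amount_cents: int) -> bytes:
    # Normalise case and whitespace so OCR differences do not cause false alarms;
    # the amount is bound as an integer number of cents.
    payee_norm = " ".join(payee.upper().split())
    return f"{account}|{printed_serial}|{payee_norm}|{amount_cents}".encode()


def verification_code(account, printed_serial, payee, amount_cents, key=ISSUER_KEY) -> str:
    """8-digit code printed on the check: truncated HMAC-SHA256 over the alterable fields."""
    mac = hmac.new(key, _canonical(account, printed_serial, payee, amount_cents), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def issue_check(account, serial, payee, amount_cents, key=ISSUER_KEY) -> dict:
    """What the printer puts on the check face: serial + check digit, and the code."""
    printed_serial = serial + mod10_check_digit(serial)
    return {"account": account, "serial": printed_serial, "payee": payee,
            "amount_cents": amount_cents,
            "code": verification_code(account, printed_serial, payee, amount_cents, key)}


def verify_image(account, printed_serial, payee, amount_cents, printed_code, key=ISSUER_KEY) -> tuple[bool, str]:
    """Bank-side check using only the fields read off the image (RDC / truncation)."""
    if not serial_is_valid(printed_serial):
        return False, "serial fails modulus-10 check (misread or altered serial)"
    expected = verification_code(account, printed_serial, payee, amount_cents, key)
    if not hmac.compare_digest(expected, printed_code):
        return False, "payee/amount do not match printed code (possible alteration)"
    return True, "ok"


ACCOUNT = "000123456789"  # constructed placeholder account number


def demo() -> dict:
    """Issue one constructed check, then verify several 'images' of it."""
    chk = issue_check(ACCOUNT, "10045", "Acme Supply Co", 125_000)
    s, code = chk["serial"], chk["code"]
    return {
        "genuine": verify_image(ACCOUNT, s, "ACME  SUPPLY CO", 125_000, code)[0],     # OCR case/spacing only
        "washed_payee": verify_image(ACCOUNT, s, "J. Doe", 125_000, code)[0],         # payee washed
        "raised_amount": verify_image(ACCOUNT, s, "Acme Supply Co", 1_250_000, code)[0],
        "altered_serial": verify_image(ACCOUNT, "2" + s[1:], "Acme Supply Co", 125_000, code)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} -> {'pay' if ok else 'EXCEPTION'}")
```

Only the genuine image passes; the washed payee and raised amount fail the code comparison, and the altered serial is rejected by the check digit before the code is even computed. `hmac.compare_digest` keeps the comparison constant-time, which matters if the verification endpoint is reachable by the depositing party.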
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
• The impact of network-wide rules shows in the downward trend in the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1–5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

| Fraud concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010 |
|---|---|---|---|---|
| ACH debits | 4.06 | 4.03 | 4.24 | 4.12 |

Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
Corporate ACH fraud: number of attempts (% of respondents; chart values as extracted, in legend order)

| Number of attempts | All respondents (median = 3) | Revenues > $1 B (median = 4) | Revenues < $1 B (median = 3) |
|---|---|---|---|
| 1-5 | 68% | 61% | 75% |
| 6-10 | 10% | 8% | 11% |
| 11-15 | 8% | 13% | 0% |
| 16-20 | 3% | 5% | 0% |
| > 20 | 12% | 13% | 14% |

ACH fraud resulting in financial loss: all respondents 11%; revenues > $1 B 9%; revenues < $1 B 18%.
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
• The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to an account:
  – Employee visits a social network site & opens an infected document
  – Employee is tricked into downloading malware (e.g. a keystroke-capture virus) from the Internet
  – Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
  – Phishing/spear phishing to trick an employee into entering credentials; fraudsters send millions of e-mails from a “legitimate” organization to lure employees into clicking on a spoofed link
  – Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a “mule” account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as “payment processors” or “financial agents” via work-at-home advertisements or from resumes posted on job search websites; they may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd-party processors
• Educate customers & employees on fraud & how to report it
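The check controls (positive pay, daily reconciliation) and the ACH controls (ACH positive pay, debit blocks & filters, blacklists of known fraudulent recipients) on the two mitigation slides above are all variants of one daily screening step: compare each presented item with what the account holder said it would accept, and route everything else to an exception queue before the return deadline. The Python below is an added example, not code from the presentation or from any bank's product. The data classes, the `AccountPolicy` fields and every account, originator and payee value are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IssuedCheck:
    serial: str
    payee: str
    amount_cents: int


@dataclass(frozen=True)
class PresentedItem:
    kind: str          # "CHECK" or "ACH_DEBIT"
    ref: str           # check serial, or ACH originator (company) ID
    counterparty: str  # payee read from the check, or ACH company name
    amount_cents: int


@dataclass
class AccountPolicy:
    # Positive pay issue file: serial -> details sent to the bank when the check was cut.
    issued: dict[str, IssuedCheck]
    # ACH debit filter: originator ID -> per-item ceiling in cents (None = no ceiling).
    ach_allowed: dict[str, Optional[int]]
    # Debit block: refuse every ACH debit regardless of filter entries.
    ach_debit_block: bool = False
    # Known fraudulent recipients (the slide's "blacklist"), normalised to upper case.
    blocklist: frozenset[str] = frozenset()


def _norm(name: str) -> str:
    return " ".join(name.upper().split())


def screen_item(item: PresentedItem, policy: AccountPolicy, already_paid: set[str]) -> list[str]:
    """Return exception reasons for one item; an empty list means pay/accept."""
    reasons = []
    if _norm(item.counterparty) in policy.blocklist:
        reasons.append("counterparty on known-fraud list")

    if item.kind == "CHECK":
        issued = policy.issued.get(item.ref)
        if issued is None:
            reasons.append("serial not in issue file")              # counterfeit or unknown stock
        else:
            if issued.amount_cents != item.amount_cents:
                reasons.append(f"amount {item.amount_cents} differs from issued {issued.amount_cents}")
            if _norm(issued.payee) != _norm(item.counterparty):
                reasons.append("payee differs from issue file")      # payee positive pay
            if item.ref in already_paid:
                reasons.append("serial already paid (duplicate presentment)")
    elif item.kind == "ACH_DEBIT":
        if policy.ach_debit_block:
            reasons.append("ACH debits blocked on this account")
        elif item.ref not in policy.ach_allowed:
            reasons.append("originator not authorised (debit filter)")
        else:
            ceiling = policy.ach_allowed[item.ref]
            if ceiling is not None and item.amount_cents > ceiling:
                reasons.append(f"amount exceeds authorised ceiling {ceiling}")
    else:
        reasons.append(f"unknown item kind {item.kind!r}")
    return reasons


def reconcile_day(items, policy):
    """Daily run: split presented items into a pay list and an exception list.

    Exceptions go to treasury for a pay/return decision before the return
    deadline; everything in `pay` matched the issue file or debit filter."""
    paid: set[str] = set()
    pay, exceptions = [], []
    for item in items:
        reasons = screen_item(item, policy, paid)
        if reasons:
            exceptions.append((item, reasons))
        else:
            pay.append(item)
            if item.kind == "CHECK":
                paid.add(item.ref)
    return pay, exceptions


# Constructed sample data (not from the presentation).
SAMPLE_POLICY = AccountPolicy(
    issued={
        "10045": IssuedCheck("10045", "Acme Supply Co", 125_000),
        "10046": IssuedCheck("10046", "City Utilities", 8_250),
    },
    ach_allowed={"1234567890": 500_000, "9876543210": None},
    blocklist=frozenset({"QUICK CASH LLC"}),
)

SAMPLE_ITEMS = [
    PresentedItem("CHECK", "10045", "ACME SUPPLY CO", 125_000),      # clean match (OCR upper-case)
    PresentedItem("CHECK", "10045", "Acme Supply Co", 125_000),      # same serial presented twice
    PresentedItem("CHECK", "10046", "J. Random", 8_250),             # washed payee
    PresentedItem("CHECK", "10099", "Quick Cash LLC", 490_000),      # not issued, blocklisted payee
    PresentedItem("ACH_DEBIT", "1234567890", "Payroll Svc", 450_000),  # within ceiling
    PresentedItem("ACH_DEBIT", "1234567890", "Payroll Svc", 950_000),  # over ceiling
    PresentedItem("ACH_DEBIT", "5555555555", "Unknown Co", 1_000),     # originator not on filter
]


def run_sample():
    return reconcile_day(SAMPLE_ITEMS, SAMPLE_POLICY)


if __name__ == "__main__":
    pay, exceptions = run_sample()
    print(f"pay: {len(pay)} items; exceptions: {len(exceptions)}")
    for item, reasons in exceptions:
        print(f"  {item.kind} {item.ref} {item.counterparty!r} {item.amount_cents}: {'; '.join(reasons)}")
```

Two of the seven constructed items pay; the other five land in the exception queue with a specific reason each, which is what a treasury analyst needs to decide quickly within the return window. Note that the duplicate presentment is only caught because the run keeps state across items, and that a debit block is checked before the filter so the two controls compose as the slide describes.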
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

| Payment type | Costs ($B) |
|---|---|
| Losses by online retailers due to credit card fraud | $3.6 |
| Losses by brick-and-mortar retailers due to debit & credit card fraud | $2.0 |
| Cost of compliance with debit & credit card security, e.g. PCI | $2.0 – $5.5 |
Fraud by Type of B2B Card
Type of fraud (% of respondents): experienced fraud from own B2B card use 42%; experienced loss due to accepting B2B cards 16%.

B2B card type on which fraud was experienced (% of respondents; chart values as extracted):

| Card type | % |
|---|---|
| Purchasing Card | 72% |
| T&E Card | 45% |
| Multi-Use Card | 27% |
| Ghost Card | 23% |
| Fleet Card | 23% |
| Other | 7% |

Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

| Source of loss | Signature debit fraud losses | PIN debit fraud losses |
|---|---|---|
| Account takeover | 3% | 7% |
| Stolen card | 21% | 45% |
| Lost card | 9% | 7% |
| Counterfeit | 37% | 23% |
| e-Commerce & MOTO | 25% | 6% |
| Other | 5% | 12% |

Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Check card verification codes & use secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later: stolen data used to make purchases, 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud:

| Item | Cost on black market, estimate (2010) |
|---|---|
| Credit card | $1.50 - $3.00 |
| SSN & Date of Birth (DOB) | $1.50 - $3.00 |
| Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 - $20 |
| Online banking account (depends on account type & balance) | $50 - $1000 |
| Denial of service attack | $50 for 24 hours to a single target |
| Zeus Trojan virus kit | $3000 - $4000 |

Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
[Chart: phishing activity targets by industry; values are not recoverable from the extracted text.]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents; chart values as extracted)

| When detected | % |
|---|---|
| Customer notifies us | 76% |
| At the point of transaction | 48% |
| Third-party notification | 41% |
| At the point of origination | 26% |
| During account audit/reconciliation | 23% |

Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents; chart values as extracted)

| Tool | % |
|---|---|
| Employee education | 77% |
| Customer awareness | 67% |
| Fraud tools & technologies | 58% |
| Real-time decision tools | 45% |
| Manual account monitoring | 28% |

Source: Information Security Media Group, 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & their effectiveness. Only the share of respondents using each service is recoverable from the extracted text; the effectiveness breakdown (use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months) is not.

| Risk service | Use |
|---|---|
| Account masking services | 16% |
| Post no check services | 22% |
| ACH payee positive pay | 23% |
| ACH positive pay | 28% |
| Card alert services for corporate cards | 29% |
| Account alert services | 36% |
| Check payee positive pay | 42% |
| Multi-factor authentication to initiate payments | 49% |
| ACH debit filters | 49% |
| Check positive pay/reverse positive pay | 51% |
| ACH debit blocks | 57% |
| Online information services | 71% |

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
Only the share of respondents using each control is recoverable from the extracted text; the effectiveness breakdown (use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months) is not.

| Internal control | Use |
|---|---|
| Magnetic stripe or card chip authentication | 8% |
| Biometrics authentication | 8% |
| Participate in fraudster databases & alerts | 8% |
| Centralized fraud database for multiple payment types | 11% |
| Centralized fraud database for one payment type | 16% |
| Verify customer state ID card is authentic | 18% |
| Software with pattern matching or other indicators | 22% |
| Fraud detection pen for currency | 32% |
| Positive ID of purchaser or account for POS transactions | 37% |
| Centralized risk management department | 44% |
| Customer authentication for online transactions | 57% |
| Human review of payment transactions | 65% |

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents):

| Barrier | % |
|---|---|
| Lack of staff resources | 53% |
| Consumer data privacy issues/concerns | 41% |
| Cost of implementing commercially available fraud detection tool/service | 41% |
| Cost of implementing in-house fraud detection tool/method | 38% |
| Lack of compelling business case (cost vs benefit) to adopt new or change existing methods | 35% |
| Unable to combine payment information for review due to operating in multiple states | 3% |
| Unable to combine payment information for review due to operating with multiple different banks | 3% |
| Corporate reluctance to share information due to competitive issues | 3% |
| Other | 15% |

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple “tools” & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt “tools” & practices as appropriate.
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc, 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry links:
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions (chart values as extracted):

| Year | Total e-commerce revenue ($B) | Revenue lost to fraud ($B) |
|---|---|---|
| 2000 | 41.7 | 1.5 |
| 2001 | 53.1 | 1.7 |
| 2002 | 72.4 | 2.1 |
| 2003 | 111.8 | 1.9 |
| 2004 | 144.4 | 2.6 |
| 2005 | 175.0 | 2.8 |
| 2006 | 221.4 | 3.1 |
| 2007 | 264.3 | 3.7 |
| 2008 | 285.7 | 4.0 |
| 2009 | 275.0 | 3.3 |
| 2010 | 300.0 | 2.7 |

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions) (chart values as extracted):

| Year | Revenue lost to online fraud (% of online sales) | Revenue lost ($B) |
|---|---|---|
| 2000 | 3.6% | $1.5 |
| 2001 | 3.2% | $1.7 |
| 2002 | 2.9% | $2.1 |
| 2003 | 1.7% | $1.9 |
| 2004 | 1.8% | $2.6 |
| 2005 | 1.6% | $2.8 |
| 2006 | 1.4% | $3.1 |
| 2007 | 1.4% | $3.7 |
| 2008 | 1.4% | $4.0 |
| 2009 | 1.2% | $3.3 |
| 2010 | 0.9% | $2.7 |

Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Each entry gives, for a payment type and subtype (fraud type): the consumer protection and its legal authority; who is liable if recovery against the fraudster or merchant is not possible, and that rule's legal authority.

ACH – Credit Items (PPD)
Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. Legal authority: Reg E, 12 CFR 205.6(b)(3).
Who is liable: the Originating Depository Financial Institution (“ODFI”) is liable for breach of the warranty that the item is authorized. Credit items can be returned at any time. Legal authority: the ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH – Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement (Reg E, 12 CFR 205.6(b)(3)). Consumer has a right of immediate recredit if the bank is notified within 15 days after receiving the statement (NACHA OR[3] Section 8.6.1).
Who is liable: the ODFI is liable for breach of the warranty that the item is authorized. The ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. Legal authority: the ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for debit items is set forth in NACHA OG[4] pp. 102, 103.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check. [2] Receiving Depository Financial Institution. [3] NACHA Operating Rules (2009). [4] NACHA Operating Guidelines (2009); the number following OG refers to the page number.
Appendix A (continued): Check[5]

Check – Forged (counterfeit) check
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable: the paying bank is liable, as there is no breach of presentment warranty. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged drawer's signature
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery. Legal authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable: the paying bank is liable, as there is no breach of presentment warranty. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged endorsement
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable: the depository bank is liable, as there is a breach of transfer or presentment warranties. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Appendix A (continued): Check

Check – Fraudulent alteration
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery. Legal authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable: the depository bank is liable, as there is a breach of transfer or presentment warranties. Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

Check – Remotely created checks
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable: the depository bank is liable for all kinds of fraud for remotely created checks. Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A (continued): Credit Cards

Credit Cards – Card present (signature or PIN required)
Consumer protection under federal law: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal authority: Truth in Lending Act (“TILA”), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Consumer protection under network policies: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites.
Who is liable: the Issuing Bank is generally liable for fraudulent transactions. Legal authority: VISA and MasterCard Rules[6].

Credit Cards – Card not present (telephone or web initiated use)
Consumer protection under federal law: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal authority: Truth in Lending Act (“TILA”), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Consumer protection under network policies: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites.
Who is liable: the Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: VISA and MasterCard Rules.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A (continued): Debit Cards

Debit Cards – Card present (signature or PIN required)
Consumer protection under network policies: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites.
Consumer protection under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)); up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)); unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
Who is liable: the Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. Legal authority: VISA and MasterCard Rules.
Debit Cards – Card not present (telephone or web initiated use)
Consumer protection under network policies: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites.
Consumer protection under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)); up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)); unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
Who is liable: the Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: secondary sources[7].
Debit Cards – Decoupled debit cards
(Cards issued by an institution other than the bank in which the consumer maintains an account. Settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account.)
Consumer protection under network policies: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites.
Consumer protection under Reg E: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card (Reg E, 12 CFR 205.14(b)(5)(v)); up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.14(b)(5)(v)); unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.14(b)(5)(v)).
Consumer has a right of immediate recredit under NACHA Rules if its bank is notified within 15 days after receiving the statement (NACHA OR Section 8.6.1).
Who is liable: under NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, either the card issuer or the Acquiring Bank is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).
Accurate Data on Payment Fraud is Limited
• No definitive data on the total number of payment fraud attacks or the amount of losses in the US
• Practices of FIs, companies & industries to monitor fraud vary
• Fraud data collected is often not shared; data that is shared is not comparable
• Fraud “facts” reported are subject to hype
[Chart: % of FIs tracking & sharing ATM/debit card fraud data. Categories: internally track loss; internally track loss avoided; internally track loss & loss avoided; peer benchmarking; report to national shared databases. Values are not recoverable from the extracted text.]
Chart data source: ABA 2007 Deposit Account Fraud Survey
Corporate Fraud Attacks & Losses
• Nearly ¾ of corporations reported payments fraud attacks in 2009; about 30% suffered losses
• Large companies are more often the target of fraud; small companies more often suffer losses
• Fraud attempts have been steady since 2006; fraud losses have declined since 2006
[Chart: % of respondents reporting fraud attacks and fraud losses, 2004–2009. Values as extracted: attacks 55, 68, 72, 71, 71, 73; losses 17, 19, 58, 37, 37, 30.]
Source: 2010 AFP Payments Fraud & Control Survey
Corporate Fraud by Payment Type

| | Check | ACH[1] | Corporate & Commercial Cards[2] | Consumer Cards (Db/Cr) |
|---|---|---|---|---|
| Subject to fraud | 90% | 25% debits, 7% credits | 17% | 20% |
| Financial loss from fraud | 17% | 11% | 43% own, 16% accepted | NA |
| Responsible for greatest financial loss | 64% | 5% debits, 1% credits | 8% | 20% |
| Primary reason for loss | Did not use positive pay services | Did not use debit blocks, filters & positive pay | Illicit use of own card data & inadequate internal controls | NA[3] |

• Check fraud most attempted & most subject to losses; consistent trend since 2004
• Card fraud losses growing
• Main reasons for losses: internal controls not enforced; common prevention services not used

Source: AFP 2010 Payments Fraud & Control Survey
[1] Includes ACH debits & credits except as noted. [2] Includes payments made on the organization's own cards & B2B card payments accepted. [3] NA – data not collected in 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts
(% of respondents; chart values as extracted)

| Fraud scheme | % |
|---|---|
| Counterfeit checks | 34% |
| Altered or forged checks | 34% |
| Counterfeit or stolen cards used at point-of-… | 31% |
| Cash register frauds | 19% |
| Fraudulent credentials to defraud accounts | 16% |
| Other Internet initiated payments | 16% |
| Counterfeit or stolen cards used online | 16% |
| Fraudulent checks converted to ACH payments | 13% |
| Counterfeit currency | 13% |
| Other | 9% |
| Telephone initiated payments | 9% |

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted
(% of respondents; chart values as extracted)

| Fraud scheme | % |
|---|---|
| Counterfeit checks | 34% |
| Altered or forged checks | 34% |
| Counterfeit or stolen cards used at point-of-… | 31% |
| Cash register frauds | 19% |
| Fraudulent credentials to defraud accounts | 16% |
| Other Internet initiated payments | 16% |
| Counterfeit or stolen cards used online | 16% |
| Fraudulent checks converted to ACH payments | 13% |
| Counterfeit currency | 13% |
| Other | 9% |
| Telephone initiated payments | 9% |

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)
Perpetrator | All Respondents | Revenues > $1 B | Revenues < $1 B
Outside individual (e.g. check forged, stolen card) | 87 | 87 | 88
Organized crime ring | 15 | 15 | 12
Internal party | 11 | 12 | 8
External known party (e.g. vendor, 3rd party service provider, trading partner) | 8 | 10 | 4
Criminal invasion (e.g. hacked system, malware) | 4 | 3 | 7
Other | 4 | 2 | 6
Lost or stolen laptop or other device | 2 | 1 | 2
Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud
Payment Method | Comparative Value Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $.07 - $.14 per $100 purchases | $2.1 trillion | $1.47 - 2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card - PIN | $.001 - $.028 per $100 purchases | $.3 trillion | $32.7 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card - Signature | $.024 - $.096 per $100 purchases | $.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card - ATM | $.025 per $100 value or $.025 per transaction | $.579 trillion (5.8 billion transactions) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $.008 per $100 value of cash in circulation | $.79 trillion in circulation, YE '07 | $61 million (2007) | US Secret Service press release, March 2008
DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES
Estimated values: for cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank size: Community, Mid-Sized, Regional, Money Center, All. Account type: Large Corporation, Middle Market, Small Business.]
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of Check Fraud Causing Losses (average percentage per bank)
Type | Based on Number of Cases with Losses | Based on Actual Loss Amount
RDIs | 35 | 35
Forgeries | 26 | 22
Counterfeit | 26 | 30
Kiting | 4 | 6
Alteration | 4 | 4
Other | 5 | 3
RDI: Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
Low risk crime
Low barriers & costs to entry
Account & other information needed is accessible
Attributes of paper facilitate fraud
Remote deposit capture (RDC) may increase aspects of fraud risk:
Check alterations, forged or missing endorsements & counterfeits may be harder to detect
Certain check security features may be lost through the imaging process
Certain physical alterations, such as check "washing", may be obscured by the imaging process
Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g. presenting checks more than once, stealing personal information on checks)
Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
Institute positive pay
Require signature verification
Reconcile accounts daily
Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
Secure check stock & implement dual control around key treasury functions
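The positive pay, daily reconciliation and modulus serial-number controls listed above can be demonstrated with a small exception screen. This is an added example, not code from the presentation or its authors. It assumes a constructed issued-check file and presented-item list, a Luhn-style mod-10 check digit standing in for an issuer's own modulus scheme, and payee matching that ignores case and spacing; it also flags re-presentment of an already-paid serial, the RDC risk noted on the previous slide.

```python
"""Check positive pay exception screening (added example, not from the slides)."""


def serial_check_digit_ok(serial: str) -> bool:
    """Luhn-style mod-10 check over a numeric serial whose last digit is the
    check digit. Constructed stand-in for the issuer's own modulus scheme."""
    if not serial.isdigit() or len(serial) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(serial)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def add_check_digit(base: str) -> str:
    """Issuer side: append the digit that makes serial_check_digit_ok() true."""
    for d in "0123456789":
        if serial_check_digit_ok(base + d):
            return base + d
    raise ValueError("no check digit found")   # unreachable for numeric input


def normalize_payee(name: str) -> str:
    return " ".join(name.upper().split())


def screen_presented(issued, presented, already_paid=()):
    """Compare items presented for payment against the issued-check file.

    issued:       {serial: {"amount": cents, "payee": str}} (the positive pay file)
    presented:    list of {"serial", "amount", "payee"} from today's presentment
    already_paid: serials paid on earlier days; catches an RDC re-presentment
    Returns a list of (serial, reason) exceptions for pay-or-return review.
    """
    exceptions = []
    seen = set(already_paid)
    for item in presented:
        serial = item["serial"]
        if not serial_check_digit_ok(serial):
            exceptions.append((serial, "serial fails modulus check"))
            continue
        if serial in seen:
            exceptions.append((serial, "duplicate presentment"))
            continue
        seen.add(serial)
        issue = issued.get(serial)
        if issue is None:
            exceptions.append((serial, "serial not in issued file"))
        elif item["amount"] != issue["amount"]:
            exceptions.append((serial, f"amount {item['amount']} differs from issued {issue['amount']}"))
        elif normalize_payee(item["payee"]) != normalize_payee(issue["payee"]):
            exceptions.append((serial, "payee differs from issued file"))
    return exceptions


# Constructed sample data (amounts in cents). Serials 100016, 100024, 100032 carry
# valid check digits; 100040 is valid-looking but was never issued.
ISSUED = {
    add_check_digit("10001"): {"amount": 125_000, "payee": "Acme Office Supply"},
    add_check_digit("10002"): {"amount": 48_900, "payee": "Northwind Logistics"},
    add_check_digit("10003"): {"amount": 990_000, "payee": "City Utilities"},
}
PRESENTED = [
    {"serial": "100016", "amount": 125_000, "payee": "ACME  OFFICE SUPPLY"},  # clean
    {"serial": "100024", "amount": 489_000, "payee": "Northwind Logistics"},  # amount altered
    {"serial": "100032", "amount": 990_000, "payee": "J. Doe"},               # payee altered
    {"serial": "100040", "amount": 50_000, "payee": "Cash"},                  # counterfeit on unissued serial
    {"serial": "100017", "amount": 100, "payee": "Cash"},                     # bad check digit
    {"serial": "100016", "amount": 125_000, "payee": "Acme Office Supply"},   # presented twice
]


def run_example():
    return screen_presented(ISSUED, PRESENTED)


if __name__ == "__main__":
    for serial, reason in run_example():
        print(serial, reason)
```

The order of the checks matters: the modulus test and the duplicate test run before the issued-file lookup, so a counterfeit that reuses a paid serial is reported as a duplicate rather than silently matching the original issue record.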
ACH Fraud
Total ACH Fraud Appears to be Low
ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
Impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 - 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud
Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12
ACH fraud that affects corporations:
Unauthorized debits to accounts
ACH kiting
Invalid debit origination/counterfeit ACH
Fraudulent claims of unauthorized debits
Insider origination fraud
Corporate account takeovers that issue fraudulent ACH payments
Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
ACH Origination Fraud
Corporate ACH Fraud: Number of Attempts (% of respondents)
Number of Attempts | All Respondents (Median = 3) | Revenues > $1 B (Median = 4) | Revenues < $1 B (Median = 3)
1-5 | 68 | 61 | 75
6-10 | 10 | 8 | 11
11-15 | 8 | 13 | 0
16-20 | 3 | 5 | 0
> 20 | 12 | 13 | 14
ACH Fraud Resulting in Financial Loss (% of respondents): All Respondents 11; Revenues > $1 B 9; Revenues < $1 B 18
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Source: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
Criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
Methods used to gain access to account:
Employee visits social network site, opens infected document
Trick employee into downloading malware (e.g. keystroke capture virus) from the Internet
Social engineering/vishing, e.g. calling & tricking employee into disclosing credentials
Phishing/spear phishing to trick employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
Hacking a computer system that is inadequately protected
Once the account is accessed, fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
Implement best practices for online & IT data security, authenticating customers & initiating payments
Use ACH positive pay, debit blocks & filters as appropriate
Implement proactive detection & monitoring
Develop & use files of known fraudulent recipients, e.g. develop blacklists
Reconcile accounts daily & make timely returns
Retain rights of refusal
Require due diligence of 3rd party processors
Educate customers & employees on fraud & how to report it
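The debit blocks, debit filters, known-fraudulent-recipient files and dual control recommended on this slide and on the check fraud slide can be shown together in one screening routine. This is an added example, not the presentation's own material: the account policy (block everything, or filter to listed originator company IDs each with an amount cap), the incoming debit records, the blacklist of routing/account pairs and the initiator/approver names are all constructed for illustration.

```python
"""ACH debit block/filter and origination controls (added example, not from the slides)."""
from dataclasses import dataclass, field

BLOCK = "block"     # return every incoming ACH debit
FILTER = "filter"   # allow only listed originators, each up to a cap


@dataclass
class DebitPolicy:
    mode: str
    allowed: dict = field(default_factory=dict)   # originator company ID -> max cents per debit


def screen_incoming_debits(policy, debits):
    """Split incoming ACH debits into (accepted, returned).

    Each debit is a constructed dict {"company_id", "company_name", "amount"}.
    Returned items carry the reason so the return can be made promptly.
    """
    accepted, returned = [], []
    for d in debits:
        if policy.mode == BLOCK:
            returned.append((d, "account is blocked for ACH debits"))
            continue
        cap = policy.allowed.get(d["company_id"])
        if cap is None:
            returned.append((d, "originator not on debit filter"))
        elif d["amount"] > cap:
            returned.append((d, f"amount {d['amount']} exceeds cap {cap}"))
        else:
            accepted.append(d)
    return accepted, returned


def screen_outgoing_credit(payment, blacklist, initiator, approver):
    """Controls on an ACH credit the company itself originates.

    payment:   {"routing", "account", "amount"} for the recipient
    blacklist: set of (routing, account) pairs on the known-fraudulent list
    Dual control: a second person must approve, and it cannot be the initiator.
    Returns (released, reason).
    """
    if (payment["routing"], payment["account"]) in blacklist:
        return False, "recipient on known-fraudulent list"
    if approver is None:
        return False, "second approval required before release"
    if approver == initiator:
        return False, "initiator cannot approve own payment"
    return True, "released"


# Constructed sample: two originators are expected to debit this account.
POLICY = DebitPolicy(FILTER, {"1234567890": 500_000, "9876543210": 2_000_000})
INCOMING = [
    {"company_id": "1234567890", "company_name": "PAYROLL SVC", "amount": 450_000},
    {"company_id": "1234567890", "company_name": "PAYROLL SVC", "amount": 750_000},   # over cap
    {"company_id": "5555555555", "company_name": "UNKNOWN CO", "amount": 9_900},      # not listed
    {"company_id": "9876543210", "company_name": "STATE TAX", "amount": 1_200_000},
]
BLACKLIST = {("999999999", "000111222")}    # constructed routing/account pair, not a real bank


def run_example():
    accepted, returned = screen_incoming_debits(POLICY, INCOMING)
    mule = {"routing": "999999999", "account": "000111222", "amount": 10_000}
    vendor = {"routing": "888888888", "account": "444555666", "amount": 10_000}
    credits = [
        screen_outgoing_credit(mule, BLACKLIST, "alice", "bob"),      # blacklisted recipient
        screen_outgoing_credit(vendor, BLACKLIST, "alice", "alice"),  # self-approval
        screen_outgoing_credit(vendor, BLACKLIST, "alice", None),     # no approver yet
        screen_outgoing_credit(vendor, BLACKLIST, "alice", "bob"),    # released
    ]
    return accepted, returned, credits


if __name__ == "__main__":
    acc, ret, cr = run_example()
    print(len(acc), "accepted;", [r for _, r in ret]); print([r for _, r in cr])
```

A block policy is the right default for an account that should never be debited; the filter is for accounts with a small, known set of originators, and the per-originator cap limits the damage if one of those originators' credentials are misused.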
Card Fraud
Card Fraud Losses
2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Payment Type | Costs ($B)
Losses by online retailers due to credit card fraud | $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g. PCI | $2.0 - $5.5
Fraud by Type of B2B Card
Type of Fraud (% of respondents)
Purchasing Card: 72
T&E Card: 45
Multi-Use Card: 27
Ghost Card: 23
Fleet Card: 23
Other: 7
Experienced fraud from own B2B card use: 42%
Experienced loss due to accepting B2B cards: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Source of Loss | Signature Debit Fraud Losses (%) | PIN Debit Fraud Losses (%)
Account Takeover | 3 | 7
Stolen Card | 21 | 45
Lost Card | 9 | 7
Counterfeit | 37 | 23
e-Commerce & MOTO | 25 | 6
Other | 5 | 12
Source: ABA Deposit Account Fraud Survey Report, 2009
Best Ways to Mitigate Card Fraud Risk
Use intelligent fraud prevention & detection systems to identify high-risk transactions
Validate compliance with PCI standards
Use real-time authorization & address verification systems
Use check card verification codes & secure payment services for card-not-present acceptance
Respond immediately to fraud & chargeback issues
Implement programs & protective controls to prevent misuse of corporate payment cards by employees
Set transaction limits & block unauthorized vendors
Use payment tools that provide real-time spend visibility & detailed reporting
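The transaction limits, vendor blocking and real-time authorization controls for corporate cards listed above can be expressed as an authorization rule set. This is an added example, not the presentation's own material: the per-transaction and daily limits, the blocked merchant category (MCC 7995, betting/casino gambling), the velocity rule of at most three approvals in any ten-minute window, and the sequence of authorization attempts are all constructed for illustration.

```python
"""Corporate card authorization controls (added example, not from the slides)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class CardControls:
    """Real-time authorization rules for corporate cards: per-transaction limit,
    daily spend limit, blocked merchant categories and a velocity rule.
    Amounts are in cents; mcc is the merchant category code as a string."""

    def __init__(self, per_txn_limit, daily_limit, blocked_mcc, max_per_window, window):
        self.per_txn_limit = per_txn_limit
        self.daily_limit = daily_limit
        self.blocked_mcc = set(blocked_mcc)
        self.max_per_window = max_per_window
        self.window = window
        self._daily = defaultdict(int)        # (card_id, date) -> approved cents
        self._recent = defaultdict(deque)     # card_id -> timestamps of approvals

    def authorize(self, card_id, amount, mcc, ts):
        """Return (approved, reason); only approvals count toward the limits."""
        if mcc in self.blocked_mcc:
            return False, f"merchant category {mcc} blocked"
        if amount > self.per_txn_limit:
            return False, "exceeds per-transaction limit"
        day = (card_id, ts.date())
        if self._daily[day] + amount > self.daily_limit:
            return False, "exceeds daily limit"
        recent = self._recent[card_id]
        while recent and ts - recent[0] > self.window:   # drop approvals outside the window
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False, "velocity limit exceeded"
        self._daily[day] += amount
        recent.append(ts)
        return True, "approved"


def run_example():
    """Constructed sequence: $2,000 per transaction, $5,000 per day, MCC 7995 blocked,
    at most 3 approvals in any 10-minute window. MCC 5111 is office supplies."""
    controls = CardControls(200_000, 500_000, {"7995"}, 3, timedelta(minutes=10))
    t0 = datetime(2011, 4, 4, 9, 0)
    attempts = [
        ("card-1", 150_000, "5111", t0),                           # approved
        ("card-1", 250_000, "5111", t0 + timedelta(minutes=1)),    # too large for one transaction
        ("card-1", 100_000, "7995", t0 + timedelta(minutes=2)),    # blocked merchant category
        ("card-1", 100_000, "5111", t0 + timedelta(minutes=3)),    # approved
        ("card-1", 100_000, "5111", t0 + timedelta(minutes=4)),    # approved, third in window
        ("card-1", 50_000, "5111", t0 + timedelta(minutes=5)),     # fourth in 10 minutes
        ("card-1", 200_000, "5111", t0 + timedelta(minutes=30)),   # window cleared, daily cap hit
        ("card-1", 100_000, "5111", t0 + timedelta(minutes=31)),   # approved, $4,500 for the day
    ]
    return [controls.authorize(*a) for a in attempts]


if __name__ == "__main__":
    for approved, reason in run_example():
        print(approved, reason)
```

Declines are evaluated cheapest-first (category, single amount, daily total, velocity) and only approvals update the counters, so a burst of declined attempts cannot by itself exhaust the cardholder's daily limit.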
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraud, e.g. fraudulent payment used to buy goods/services online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud
Item | Cost on Black Market, Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1000
Denial of Service Attack | $50 for 24 hours to a single target
Zeus Trojan Virus Kit | $3000 - $4000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is Fraud Usually Detected? (% of respondents)
Customer notifies us: 76
At the point of transaction: 48
Third-party notification: 41
At the point of origination: 26
During account audit/reconciliation: 23
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most Effective Fraud Prevention Tools (% of respondents)
Employee education: 77
Customer awareness: 67
Fraud tools & technologies: 58
Real-time decision tools: 45
Manual account monitoring: 28
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention
Top 3 internal controls considered effective:
Authentication/authorization for payment processes
Dual controls & separation of duties
Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service; the chart further splits users into very effective, somewhat effective, somewhat ineffective and very ineffective, plus those planning to use within 12 to 24 months)
Online information services: 71% use
ACH debit blocks: 57% use
Check positive pay/reverse positive pay: 51% use
ACH debit filters: 49% use
Multi-factor authentication to initiate payments: 49% use
Check payee positive pay: 42% use
Account alert services: 36% use
Card alert services for corporate cards: 29% use
ACH positive pay: 28% use
ACH payee positive pay: 23% use
Post no check services: 22% use
Account masking services: 16% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of respondents using each control; the chart further splits users into very effective, somewhat effective, somewhat ineffective and very ineffective, plus those planning to use within 12 to 24 months)
Human review of payment transactions: 65% use
Customer authentication for online transactions: 57% use
Centralized risk management department: 44% use
Positive ID of purchaser or account for POS transactions: 37% use
Fraud detection pen for currency: 32% use
Software with pattern matching or other indicators: 22% use
Verify customer state ID card is authentic: 18% use
Centralized fraud database for one payment type: 16% use
Centralized fraud database for multiple payment types: 11% use
Participate in fraudster databases & alerts: 8% use
Biometrics authentication: 8% use
Magnetic stripe or card chip authentication: 8% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (% of respondents)
Lack of staff resources: 53
Consumer data privacy issues/concerns: 41
Cost of implementing commercially available fraud detection tool/service: 41
Cost of implementing in-house fraud detection tool/method: 38
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
Unable to combine payment information for review due to operating in multiple states: 3
Unable to combine payment information for review due to operating with multiple different banks: 3
Corporate reluctance to share information due to competitive issues: 3
Other: 15
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry Links
American Bankers Association: www.aba.com
Association for Financial Professionals: www.afponline.org
Bank Administration Institute: www.bai.org
BITS: www.bitsinfo.org
Credit Union National Association: www.cuna.org
Board of Governors of the Federal Reserve System: www.federalreserve.gov
Electronic Check Clearing House Organization (ECCHO): www.eccho.com
Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
Federal Reserve Financial Services: www.frbservices.org
Independent Community Bankers of America: www.icba.org
National Automated Clearing House Association: www.nacha.org
National Association of Federal Credit Unions: www.nafcunet.org
X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue & revenue lost to fraud, in $ billions
Year | Total e-commerce ($B) | Revenue Lost to Fraud ($B)
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
Year | Revenue Lost to Online Fraud (% of online sales) | Revenue Lost ($B)
2000 | 3.6 | 1.5
2001 | 3.2 | 1.7
2002 | 2.9 | 2.1
2003 | 1.7 | 1.9
2004 | 1.8 | 2.6
2005 | 1.6 | 2.8
2006 | 1.4 | 3.1
2007 | 1.4 | 3.7
2008 | 1.4 | 4.0
2009 | 1.2 | 3.3
2010 | 0.9 | 2.7
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
ACH | Credit Items (PPD) | $0. Consumer not liable if fraud is reported within 60 days after receiving statement | Reg E, 12 CFR 205.6(b)(3) | Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time | The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA OR 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4
ACH | Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)1 | $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if bank is notified within 15 days after receiving statement | Reg E, 12 CFR 205.6(b)(3); NACHA OR3 Section 8.6.1 | ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI2 returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network | The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA OR 2.2.3. Return deadline for debit items is set forth in NACHA OG4 102, 103
1 ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check. 2 Receiving Depository Financial Institution. 3 NACHA Operating Rules (2009). 4 NACHA Operating Guidelines (2009); the number following OG refers to the page number.
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Check5 | Forged (counterfeit) check | $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check | Paying bank is liable as there is no breach of presentment warranty | Presentment warranties are set forth in UCC 3-417 and 4-208
Check | Forged drawer's signature | $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery | UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report) | Paying bank is liable as there is no breach of presentment warranty | Presentment warranties are set forth in UCC 3-417 and 4-208
Check | Forged endorsement | $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check | Depository bank is liable as there is breach of transfer or presentment warranties | Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207
5 These protections also apply to business checks
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Check | Fraudulent Alteration | $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery | UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report) | Depository bank is liable as there is breach of transfer or presentment warranties | Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207
Check | Remotely Created Checks | $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check | Depository bank is liable for all kinds of fraud for remotely created checks | Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Credit Cards | Card Present (signature or PIN required) | $50. The consumer's maximum liability under federal law is $50 for unauthorized use | Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b) | The Issuing Bank is generally liable for fraudulent transactions | VISA and MasterCard Rules6
Credit Cards | Card Present (signature or PIN required) | $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | |
Credit Cards | Card not present (telephone or web initiated use) | $50. The consumer's maximum liability under federal law is $50 for unauthorized use | Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b) | The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement | VISA and MasterCard Rules
Credit Cards | Card not present (telephone or web initiated use) | $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | |
6 The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Debit Cards | Card Present (signature or PIN required) | $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN | VISA and MasterCard Rules
Debit Cards | Card Present (signature or PIN required) | Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card | Reg E, 12 CFR 205.6(b)(1) | |
Debit Cards | Card Present (signature or PIN required) | Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice | Reg E, 12 CFR 205.6(b)(2) | |
Debit Cards | Card Present (signature or PIN required) | Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided | Reg E, 12 CFR 205.6(b)(3) | |
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Debit Cards | Card not Present (telephone or web initiated use) | $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement | Secondary Sources7
Debit Cards | Card not Present (telephone or web initiated use) | Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card | Reg E, 12 CFR 205.6(b)(1) | |
Debit Cards | Card not Present (telephone or web initiated use) | Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice | Reg E, 12 CFR 205.6(b)(2) | |
Debit Cards | Card not Present (telephone or web initiated use) | Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided | Reg E, 12 CFR 205.6(b)(3) | |
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Corporate Fraud Attacks & Losses (slide 10)
Source: 2010 AFP Payments Fraud & Control Survey
• Nearly three-quarters of corporations reported payments fraud attacks in 2009; about 30% suffered losses.
• Large companies are more often the target of fraud; small companies more often suffer losses.
• Fraud attempts have been steady since 2006; fraud losses have declined since 2006.
Chart (% of respondents, 2004–2009): reported fraud attacks 55, 68, 72, 71, 71, 73; fraud losses 17, 19, 58, 37, 37, 30.
Corporate Fraud by Payment Type (slide 11)
Source: AFP 2010 Payments Fraud & Control Survey. Values are % of respondents; columns are Check, ACH (1), Corporate & Commercial Cards (2), Consumer Cards (Db/Cr).
• Subject to fraud: Check 90; ACH 25 debits / 7 credits; Corporate & commercial cards 17; Consumer cards 20
• Financial loss from fraud: Check 17; ACH 11; Corporate & commercial cards 43 own / 16 accepted; Consumer cards NA
• Responsible for greatest financial loss: Check 64; ACH 5 debits / 1 credits; Corporate & commercial cards 8; Consumer cards 20
• Primary reason for loss: Check – did not use positive pay services; ACH – did not use debit blocks, filters & positive pay; Corporate & commercial cards – illicit use of own card data & inadequate internal controls; Consumer cards – NA (3)
Observations:
• Check fraud most attempted & most subject to losses; consistent trend since 2004
• Card fraud losses growing
• Main reasons for losses: internal controls not enforced; common prevention services not used
(1) Includes ACH debits & credits except as noted. (2) Includes payments made on organization's own cards & B2B card payments accepted. (3) NA – data not collected in 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts (slide 12)
Chart values (% of respondents), highest first:
• Counterfeit checks: 34
• Altered or forged checks: 34
• Counterfeit or stolen cards used at point-of-…: 31
• Cash register frauds: 19
• Fraudulent credentials to defraud accounts: 16
• Other Internet initiated payments: 16
• Counterfeit or stolen cards used online: 16
• Fraudulent checks converted to ACH payments: 13
• Counterfeit currency: 13
• Other: 9
• Telephone initiated payments: 9
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted (slide 13)
Chart values (% of respondents), highest first:
• Counterfeit checks: 34
• Altered or forged checks: 34
• Counterfeit or stolen cards used at point-of-…: 31
• Cash register frauds: 19
• Fraudulent credentials to defraud accounts: 16
• Other Internet initiated payments: 16
• Counterfeit or stolen cards used online: 16
• Fraudulent checks converted to ACH payments: 13
• Counterfeit currency: 13
• Other: 9
• Telephone initiated payments: 9
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud (slide 14)
Perpetrators of payments fraud that resulted in financial loss in 2009 (% of respondents): All respondents / Revenues > $1 B / Revenues < $1 B
• Outside individual (e.g., check forged, stolen card): 87 / 87 / 88
• Organized crime ring: 15 / 15 / 12
• Internal party: 11 / 12 / 8
• External known party (e.g., vendor, 3rd-party service provider, trading partner): 8 / 10 / 4
• Criminal invasion (e.g., hacked system, malware): 4 / 3 / 7
• Other: 4 / 2 / 6
• Lost or stolen laptop or other device: 2 / 1 / 2
Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud (slide 15)
Columns: payment method; comparative value/range; total dollar value; estimated loss; source of information.
• Credit card: $.07 – $.14 per $100 of purchases; $2.1 trillion; $1.47 – 2.94 billion (2007/2008); Nilson Report 2008, Javelin 2009 ID Fraud Survey Report
• Debit card – PIN: $.001 – $.028 per $100 of purchases; $0.3 trillion; $32.7 million (2007); Pulse 2008 Debit Issuer Study
• Debit card – signature: $.024 – $.096 per $100 of purchases; $0.6 trillion; $324 million (2007); Pulse 2008 Debit Issuer Study
• Debit card – ATM: $.025 per $100 of value or $.025 per transaction; $0.579 trillion (5.8 billion transactions); $145 million (2007); Pulse 2008 Debit Issuer Study
• ACH: $.023 per $100 of transaction value; $3.1 trillion; $6.98 billion (2005/2006); NACHA 2005, ABA 2006
• Check: $.027 per $100 of value of checks paid; $41.6 trillion; $11 billion (2006); ABA 2006, Nilson Report 2007, FRB Kansas City
• Cash: $.008 per $100 of value of cash in circulation; $0.79 trillion in circulation at YE '07; $61 million (2007); US Secret Service press release, March 2008
Data is not precise; it is intended to enable a general comparison of fraud across payment types.
Estimated values: for cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value; for check & ACH, the loss range was calculated based on the aggregate loss estimate & the 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud (slide 16)
Small Biz Accounts Targeted More by Check Fraud than Larger Biz (slide 17)
Chart: Target of Check Fraud by Size of Bank & Account Type (bank sizes: Community, Mid-Sized, Regional, Money Center, All; account types: Large Corporation, Middle Market, Small Business)
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts (slide 18)
Type of check fraud causing losses (average percentage per bank):
• Based on number of cases with losses: RDIs 35%, Forgeries 26%, Counterfeit 26%, Kiting 4%, Alteration 4%, Other 5%
• Based on actual loss amount: RDIs 35%, Counterfeit 30%, Forgeries 22%, Kiting 6%, Alterations 4%, Other 3%
RDI: Returned Deposited Items, e.g., closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread? (slide 19)
• Low-risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  – Certain check security features may be lost through the imaging process
  – Certain physical alterations, such as check "washing", may be obscured by the imaging process
  – Insider fraud potential may increase as customer employees are not subject to FI screening (e.g., presenting checks more than once, stealing personal information on checks)
  – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk (slide 20)
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g., modulus check serial numbers/reference numbers, encrypted check data (e.g., payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
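The positive pay and modulus-serial-number controls on this slide, worked through as an added example (this code is not from the presentation or any of the speakers' organizations). It matches presented items against an issued-check file and reports exceptions by reason, and it treats the serial number as carrying a trailing mod-10 (Luhn) check digit, which is an assumption standing in for the deck's "modulus check serial numbers" (the deck does not name a scheme). The issued and presented records are constructed sample data.

```python
"""Check positive pay with image-survivable serial check digits.

Added example, not from the presentation. Assumptions: issued-check and
presented-item records are constructed below; serial numbers carry a
trailing mod-10 (Luhn) check digit standing in for the deck's "modulus
check serial numbers" (the deck does not specify the modulus scheme).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def luhn_check_digit(body: str) -> str:
    """Mod-10 check digit for a string of digits (Luhn scheme)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """True when the last digit is the correct check digit for the rest of the serial."""
    if not serial.isdigit() or len(serial) < 2:
        return False
    return luhn_check_digit(serial[:-1]) == serial[-1]


@dataclass(frozen=True)
class Check:
    serial: str
    amount_cents: int
    payee: str


def _norm(payee: str) -> str:
    """Case- and whitespace-insensitive payee comparison key."""
    return " ".join(payee.upper().split())


def positive_pay(issued: List[Check], presented: List[Check]) -> Tuple[List[Check], Dict[str, List[Check]]]:
    """Match presented items against the issued file.

    Returns (items to pay, exceptions keyed by reason). Each serial is paid at
    most once, so a second presentment of the same item (e.g. via RDC) becomes
    a 'duplicate' exception instead of a second debit.
    """
    issued_by_serial = {c.serial: c for c in issued}
    paid: set = set()
    pay: List[Check] = []
    exceptions: Dict[str, List[Check]] = {}

    def flag(reason: str, item: Check) -> None:
        exceptions.setdefault(reason, []).append(item)

    for item in presented:
        if not serial_is_valid(item.serial):
            flag("bad_check_digit", item)        # serial not from our numbering: likely counterfeit
        elif item.serial not in issued_by_serial:
            flag("not_issued", item)
        elif item.serial in paid:
            flag("duplicate", item)
        elif item.amount_cents != issued_by_serial[item.serial].amount_cents:
            flag("amount_mismatch", item)        # possible alteration
        elif _norm(item.payee) != _norm(issued_by_serial[item.serial].payee):
            flag("payee_mismatch", item)         # payee positive pay
        else:
            paid.add(item.serial)
            pay.append(item)
    return pay, exceptions


# Constructed sample data (not real checks); serials end in their Luhn digit.
ISSUED = [
    Check("1000017", 12_500, "ACME SUPPLY"),
    Check("1000025", 480_000, "CITY POWER"),
    Check("1000033", 9_999, "J SMITH"),
]
PRESENTED = [
    Check("1000017", 12_500, "Acme Supply"),      # good
    Check("1000017", 12_500, "Acme Supply"),      # presented a second time
    Check("1000025", 4_800_000, "CITY POWER"),    # amount altered
    Check("1000033", 9_999, "J SMITH JR"),        # payee altered
    Check("1000041", 25_000, "CASH"),             # valid check digit, never issued
    Check("1000059", 7_500, "CASH"),              # wrong check digit
]


def run_sample():
    """Run positive pay over the constructed sample."""
    return positive_pay(ISSUED, PRESENTED)


if __name__ == "__main__":
    pay, exc = run_sample()
    print("pay:", [c.serial for c in pay])
    for reason, items in exc.items():
        print(reason, [c.serial for c in items])
```

The order of the checks matters: an invalid check digit is reported before the issued-file lookup, so counterfeit stock with a plausible serial is distinguished from a genuine serial that was simply never issued.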
ACH Fraud (slide 21)
Total ACH Fraud Appears to be Low (slide 22)
• ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
• The impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates (slide 23)
On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud.
Fraud concern, ACH debits: Middle Market 4.06 (2009), 4.03 (2010); Large Corporate 4.24 (2009), 4.12 (2010)
Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud (slide 24)
Corporate ACH fraud, number of attempts (% of respondents; buckets 1-5, 6-10, 11-15, 16-20, >20):
• All respondents (median = 3): 68, 10, 8, 3, 12
• Revenues > $1 B (median = 4): 61, 8, 13, 5, 13
• Revenues < $1 B (median = 3): 75, 11, 0, 0, 14
ACH fraud resulting in financial loss: All respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover (slide 25)
The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks.
Methods used to gain access to the account:
• Employee visits a social network site & opens an infected document
• Trick an employee into downloading malware (e.g., a keystroke capture virus) from the Internet
• Social engineering/vishing, e.g., calling & tricking an employee into disclosing credentials
• Phishing/spear-phishing to trick an employee into entering credentials; fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
• Hacking a computer system that is inadequately protected
Once the account is accessed, the fraudster transfers funds to "mule" accounts via ACH transactions; the mule accounts are emptied & abandoned.
Mules are individuals recruited as "payment processors" or "financial agents" via work-at-home advertisements or from résumés posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk (slide 26)
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring; develop & use files of known fraudulent recipients, e.g., develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd-party processors
• Educate customers & employees on fraud & how to report it
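The "proactive detection & monitoring" and "blacklist" items above, applied to the account-takeover pattern described on the previous slide (a compromised login originating credits to mule accounts), as an added example that is not from the presentation or any of the speakers' organizations. It scores a batch of outbound ACH credits against a baseline of recipients the account has paid before, a file of known fraudulent recipients, and simple behavioural checks, and holds anything with a finding for a second person's approval. The routing/account strings, thresholds, business-hours window and the sample batch are all constructed assumptions.

```python
"""Outbound ACH origination monitoring for account-takeover indicators.

Added example, not from the presentation. Scores a constructed batch of ACH
credits against (a) a baseline of recipients the account has paid before,
(b) a blacklist of known fraudulent recipients, as the slide recommends, and
(c) simple behavioural checks. Routing/account strings, thresholds and the
business-hours window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class Credit:
    entry_id: str
    recipient: str       # "routing:account"; constructed, not real numbers
    amount: float
    created: datetime
    user: str            # login session that keyed the entry


# Largest amount previously paid to each recipient (constructed baseline).
KNOWN_RECIPIENTS: Dict[str, float] = {
    "RTN00001:ACCT1001": 12_000.0,
    "RTN00002:ACCT2002": 800.0,
}
# File of known fraudulent recipients (the slide's "blacklist"); constructed.
BLACKLIST: Set[str] = {"RTN00009:ACCT9999"}

BUSINESS_HOURS = range(7, 19)     # 07:00-18:59 local; assumption
AMOUNT_FACTOR = 2.0               # flag > 2x the largest prior amount to that recipient
FAN_OUT_LIMIT = 3                 # >= 3 never-seen recipients in one batch


def score_batch(batch: List[Credit],
                known: Dict[str, float] = KNOWN_RECIPIENTS,
                blacklist: Set[str] = BLACKLIST) -> Dict[str, List[str]]:
    """Return the findings for each entry_id (an empty list means nothing unusual)."""
    new_recipients = {c.recipient for c in batch if c.recipient not in known}
    fan_out = len(new_recipients) >= FAN_OUT_LIMIT   # many first-time payees at once: mule pay-out pattern
    findings: Dict[str, List[str]] = {}
    for c in batch:
        reasons: List[str] = []
        if c.recipient in blacklist:
            reasons.append("blacklisted_recipient")
        if c.recipient not in known:
            reasons.append("new_recipient")
            if fan_out:
                reasons.append("fan_out_to_new_recipients")
        elif c.amount > AMOUNT_FACTOR * known[c.recipient]:
            reasons.append("amount_above_prior_max")
        if c.created.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        findings[c.entry_id] = reasons
    return findings


def hold_for_review(batch: List[Credit]) -> List[str]:
    """Entry ids that must wait for a second person's approval before release."""
    findings = score_batch(batch)
    return [c.entry_id for c in batch if findings[c.entry_id]]


# Constructed sample batch keyed under one user session.
T = datetime(2010, 3, 2, 10, 5)
SAMPLE_BATCH = [
    Credit("e1", "RTN00001:ACCT1001", 11_500.0, T, "jdoe"),     # routine payment
    Credit("e2", "RTN00009:ACCT9999", 9_800.0, T, "jdoe"),      # blacklisted recipient
    Credit("e3", "RTN00003:ACCT3001", 4_900.0, T, "jdoe"),      # first-time recipient
    Credit("e4", "RTN00003:ACCT3002", 4_900.0, T, "jdoe"),      # first-time recipient
    Credit("e5", "RTN00003:ACCT3003", 4_900.0, T, "jdoe"),      # first-time recipient
    Credit("e6", "RTN00002:ACCT2002", 4_000.0,
           datetime(2010, 3, 2, 2, 14), "jdoe"),                 # 5x prior max, keyed at 02:14
]

if __name__ == "__main__":
    for entry_id, reasons in score_batch(SAMPLE_BATCH).items():
        print(entry_id, reasons or "ok")
    print("hold:", hold_for_review(SAMPLE_BATCH))
```

Holding flagged entries for dual-control approval, rather than rejecting them outright, keeps legitimate first-time payees flowing while ensuring that a single compromised login cannot release a batch on its own.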
Card Fraud (slide 27)
Card Fraud Losses (slide 28)
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Payment type costs ($B):
• Losses by online retailers due to credit card fraud: $3.6
• Losses by brick-and-mortar retailers due to debit & credit card fraud: $2.0
• Cost of compliance with debit & credit card security, e.g., PCI: $2.0 – $5.5
Fraud by Type of B2B Card (slide 29)
Type of fraud (% of respondents): experienced fraud from own B2B card use 42%; experienced loss due to accepting B2B cards 16%
Chart (% of respondents, by card type): Purchasing Card 72; T&E Card 45; Multi-Use Card 27; Ghost Card 23; Fleet Card 23; Other 7
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses (slide 30)
• Signature debit fraud losses: Counterfeit 37%; e-Commerce & MOTO 25%; Stolen Card 21%; Lost Card 9%; Other 5%; Account Takeover 3%
• PIN debit fraud losses: Stolen Card 45%; Counterfeit 23%; Other 12%; Account Takeover 7%; Lost Card 7%; e-Commerce & MOTO 6%
Source: ABA Deposit Account Fraud Survey Report – 2009
Best Ways to Mitigate Card Fraud Risk (slide 31)
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud (slide 32)
Main Effects of Cyberspace on Payments Fraud (slide 33)
• Another environment for direct payments fraud, e.g., a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud (slide 34)
Estimated cost of buying information & services online to perpetrate fraud (black market estimate, 2010):
• Credit card: $1.50 – $3.00
• SSN & date of birth (DOB): $1.50 – $3.00
• Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 – $20
• Online banking account (depends on account type & balance): $50 – $1000
• Denial of service attack: $50 for 24 hours to a single target
• Zeus Trojan virus kit: $3000 – $4000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry (slide 35)
Chart: phishing activity targets by industry
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention (slide 36)
Fraud Detection: More Is Needed (slide 37)
When is fraud usually detected? (% of respondents): Customer notifies us 76; At the point of transaction 48; Third-party notification 41; At the point of origination 26; During account audit/reconciliation 23
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud (slide 38)
Most effective fraud prevention tools (% of respondents): Employee education 77; Customer awareness 67; Fraud tools & technologies 58; Real-time decision tools 45; Manual account monitoring 28
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations (slide 39)
Corporate views on risk services used & effectiveness (% of respondents using each service; the chart further splits use into very effective, somewhat effective, somewhat ineffective, very ineffective, and plan to use within 12 to 24 months):
• Online information services: 71% use
• ACH debit blocks: 57% use
• Check positive pay/reverse positive pay: 51% use
• ACH debit filters: 49% use
• Multi-factor authentication to initiate payments: 49% use
• Check payee positive pay: 42% use
• Account alert services: 36% use
• Card alert services for corporate cards: 29% use
• ACH positive pay: 28% use
• ACH payee positive pay: 23% use
• Post no check services: 22% use
• Account masking services: 16% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations (slide 40)
% of respondents using each control (the chart further splits use into very effective, somewhat effective, somewhat ineffective, very ineffective, and plan to use within 12 to 24 months):
• Human review of payment transactions: 65% use
• Customer authentication for online transactions: 57% use
• Centralized risk management department: 44% use
• Positive ID of purchaser or account for POS transactions: 37% use
• Fraud detection pen for currency: 32% use
• Software with pattern matching or other indicators: 22% use
• Verify customer state ID card is authentic: 18% use
• Centralized fraud database for one payment type: 16% use
• Centralized fraud database for multiple payment types: 11% use
• Participate in fraudster databases & alerts: 8% use
• Biometrics authentication: 8% use
• Magnetic stripe or card chip authentication: 8% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation (slide 41)
Main barriers to reducing payments fraud (% of respondents):
• Lack of staff resources: 53
• Consumer data privacy issues/concerns: 41
• Cost of implementing commercially available fraud detection tool/service: 41
• Cost of implementing in-house fraud detection tool/method: 38
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
• Unable to combine payment information for review due to operating in multiple states: 3
• Unable to combine payment information for review due to operating with multiple different banks: 3
• Corporate reluctance to share information due to competitive issues: 3
• Other: 15
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions (slide 42)
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions (slide 43)
Contact Information (slide 44)
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources (slide 45)
Industry links:
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud (slide 46)
Total e-commerce revenue ($ billions), 2000–2010: 41.7, 53.1, 72.4, 111.8, 144.4, 175.0, 221.4, 264.3, 285.7, 275.0, 300.0
Revenue lost to fraud ($ billions), 2000–2010: 1.5, 1.7, 2.1, 1.9, 2.6, 2.8, 3.1, 3.7, 4.0, 3.3, 2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites (slide 47)
Revenue lost to online fraud as a percentage of total online sales, 2000–2010: 3.6, 3.2, 2.9, 1.7, 1.8, 1.6, 1.4, 1.4, 1.4, 1.2, 0.9
Total online fraud losses ($ billions), 2000–2010: 1.5, 1.7, 2.1, 1.9, 2.6, 2.8, 3.1, 3.7, 4.0, 3.3, 2.7
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix (slide 48)
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Payment type: ACH

Subtype (fraud type): Credit Items (PPD)
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. (Reg E, 12 CFR 205.6(b)(3))
• Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of the warranty that the item is authorized. Credit items can be returned at any time. (The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4.)

Subtype (fraud type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) (1)
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. (Reg E, 12 CFR 205.6(b)(3)) Consumer has a right of immediate recredit if it notifies the bank within 15 days after receiving the statement. (NACHA OR (3) Section 8.6.1)
• Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of the warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI (2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. (The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for debit items is set forth in NACHA OG (4) 102, 103.)

(1) ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check. (2) Receiving Depository Financial Institution. (3) NACHA Operating Rules (2009). (4) NACHA Operating Guidelines (2009); the number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (slide 49)
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Payment type: Check (5)

Subtype (fraud type): Forged (counterfeit) check
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
• Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty. (Presentment warranties are set forth in UCC 3-417 and 4-208.)

Subtype (fraud type): Forged drawer's signature
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.) Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report.)
• Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty. (Presentment warranties are set forth in UCC 3-417 and 4-208.)

Subtype (fraud type): Forged endorsement
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties. (Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.)

(5) These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (slide 50)
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Payment type: Check

Subtype (fraud type): Fraudulent Alteration
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 3-407; UCC 4-401: if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.) Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report.)
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties. (Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.)

Subtype (fraud type): Remotely Created Checks
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks. (Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.)
Appendix A: Payments Fraud Liability Matrix (slide 51)
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Payment type: Credit Cards

Subtype (fraud type): Card Present (signature or PIN required)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
• Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
• Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions. (VISA and MasterCard Rules (6))

Subtype (fraud type): Card not present (telephone or web initiated use)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
• Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
• Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (VISA and MasterCard Rules)

(6) The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (slide 52)
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Payment type: Debit Cards
Subtype (fraud type): Card Present (signature or PIN required)

Consumer protection (legal authority):
• $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
• Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.6(b)(1))
• Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.6(b)(2))
• Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.6(b)(3))

Who is liable if cannot recover against fraudster or merchant (legal authority):
• The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. (VISA and MasterCard Rules)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A: Payments Fraud Liability Matrix (Decoupled Debit Cards)
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Debit Cards: Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA/MasterCard websites)
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. (Legal authority: Reg E, 12 CFR 205.14(b)(5)(v))
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. (Legal authority: Reg E, 12 CFR 205.14(b)(5)(v))
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. (Legal authority: Reg E, 12 CFR 205.14(b)(5)(v))
  Consumer protection: Consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement. (Legal authority: NACHA OR Section 8.6.1)
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, either the Card Issuer or the Acquiring Bank is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).
Corporate Fraud by Payment Type

Payment type | Check | ACH [1] | Corporate & Commercial Cards [2] | Consumer Cards (Db/Cr)
Subject to fraud | 90% | 25% debits, 7% credits | 17% | 20%
Financial loss from fraud | 17% | 11% | 43% own, 16% accepted | NA
Responsible for greatest financial loss | 64% | 5% debits, 1% credits | 8% | 20%
Primary reason for loss | Did not use positive pay services | Did not use debit blocks, filters & positive pay | Illicit use of own card data & inadequate internal controls | NA [3]

• Check fraud most attempted & most subject to losses; consistent trend since 2004
• Card fraud losses growing
• Main reasons for losses: internal controls not enforced; common prevention services not used

Source: AFP 2010 Payments Fraud & Control Survey
[1] Includes ACH debits & credits except as noted. [2] Includes payments made on the organization's own cards & B2B card payments accepted. [3] NA: data not collected in 2010 survey.
Top Fraud Schemes Involving Corporate's Own Accounts (% of respondents)
• Counterfeit checks: 34
• Altered or forged checks: 34
• Counterfeit or stolen cards used at point-of-…: 31
• Cash register frauds: 19
• Fraudulent credentials to defraud accounts: 16
• Other Internet initiated payments: 16
• Counterfeit or stolen cards used online: 16
• Fraudulent checks converted to ACH payments: 13
• Counterfeit currency: 13
• Other: 9
• Telephone initiated payments: 9
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted (% of respondents)
• Counterfeit checks: 34
• Altered or forged checks: 34
• Counterfeit or stolen cards used at point-of-…: 31
• Cash register frauds: 19
• Fraudulent credentials to defraud accounts: 16
• Other Internet initiated payments: 16
• Counterfeit or stolen cards used online: 16
• Fraudulent checks converted to ACH payments: 13
• Counterfeit currency: 13
• Other: 9
• Telephone initiated payments: 9
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)

Perpetrator | All Respondents | Revenues > $1 B | Revenues < $1 B
Outside individual (e.g., check forged, stolen card) | 87 | 87 | 88
Organized crime ring | 15 | 15 | 12
Internal party | 11 | 12 | 8
External known party (e.g., vendor, 3rd party service provider, trading partner) | 8 | 10 | 4
Criminal invasion (e.g., hacked system, malware) | 4 | 3 | 7
Other | 4 | 2 | 6
Lost or stolen laptop or other device | 2 | 1 | 2

Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud

Payment Method | Comparative Value Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $0.07 - $0.14 per $100 purchases | $2.1 trillion | $1.47 - 2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card (PIN) | $0.001 - $0.028 per $100 purchases | $0.3 trillion | $327 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card (Signature) | $0.024 - $0.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card (ATM) | $0.025 per $100 value, or $0.025 per transaction | $0.579 trillion (5.8 billion transactions) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $0.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $0.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $0.008 per $100 value of cash in circulation | $0.79 trillion in circulation at YE '07 | $61 million (2007) | US Secret Service press release, March 2008

DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES.
Estimated values: For cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud

Small Biz Accounts Targeted More by Check Fraud than Larger Biz
[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank size: Community, Mid-Sized, Regional, Money Center, All. Account type: Large Corporation, Middle Market, Small Business. Bar values are not legible in this transcript.]
Source: 2009 ABA Deposit Account Fraud Survey

Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of Check Fraud Causing Losses (average percentage per bank)
• Based on number of cases with losses: RDIs 35%, Forgeries 26%, Counterfeit 26%, Kiting 4%, Alteration 4%, Other 5%
• Based on actual loss amount: RDIs 35%, Counterfeit 30%, Forgeries 22%, Kiting 6%, Alterations 4%, Other 3%
RDI: Returned Deposited Items, e.g., closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
• Low risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  – Certain check security features may be lost through the imaging process
  – Certain physical alterations, such as check "washing", may be obscured by the imaging process
  – Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g., presenting checks more than once, stealing personal information on checks)
  – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g., modulus check serial numbers/reference numbers, encrypted check data (e.g., payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
ACH Fraud

Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
• The impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns

But ACH Fraud Remains a Concern of Corporates
On a scale of 1 - 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:
Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12
Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
Corporate ACH Fraud: number of attempts (% of respondents)
Attempts | All Respondents (median = 3) | Revenues > $1 B (median = 4) | Revenues < $1 B (median = 3)
1-5 | 68 | 61 | 75
6-10 | 10 | 8 | 11
11-15 | 8 | 13 | 0
16-20 | 3 | 5 | 0
> 20 | 12 | 13 | 14

ACH fraud resulting in financial loss: All Respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
• The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to the account:
  – Employee visits a social network site and opens an infected document
  – Trick employee into downloading malware (e.g., keystroke capture virus) from the Internet
  – Social engineering/vishing, e.g., calling & tricking an employee into disclosing credentials
  – Phishing/spearphishing to trick an employee into entering credentials: fraudsters send millions of e-mails purporting to come from a "legitimate" organization to lure employees into clicking on a spoofed link
  – Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processors" or "financial agents" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g., develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
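Check positive pay (recommended on the check fraud slide) and ACH positive pay / debit filters (recommended above) come down to the same daily discipline: match what the bank presents against what the company authorized and route everything else to an exception report before the return deadline. The following is an added example, not code from the presentation or from any organization named on it; the record layouts, originator IDs, SEC-code rules and amounts are constructed for illustration.

```python
# Added example (not from the presentation): the matching logic behind two of
# the controls the deck recommends. Check positive pay matches presented checks
# to the issue file on serial, amount and payee; an ACH debit filter / ACH
# positive pay posts debits only from authorized originators, within a cap.
# All records, names and rule values below are constructed for this example.
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class CheckRecord:
    """One check, either from the issue file or as presented for payment."""
    serial: int
    amount: Decimal
    payee: str  # for presented items, the payee as read from the check image


@dataclass(frozen=True)
class AchDebit:
    originator_id: str  # company ID of the party originating the debit
    amount: Decimal
    sec_code: str  # standard entry class of the entry, e.g. CCD, PPD, WEB


@dataclass(frozen=True)
class AchFilterRule:
    max_amount: Decimal
    sec_codes: frozenset[str]


def normalize_payee(name: str) -> str:
    # Case- and whitespace-insensitive so image-read noise alone is not an exception.
    return " ".join(name.upper().split())


def decide_check(issued: dict[int, CheckRecord], item: CheckRecord,
                 already_paid: set[int]) -> tuple[str, str]:
    """Return ('pay' | 'exception', reason); a non-match is never auto-paid but
    goes to the exception report for a decision before the return deadline."""
    if item.serial in already_paid:
        return "exception", f"serial {item.serial} already paid (duplicate presentment)"
    issue = issued.get(item.serial)
    if issue is None:
        return "exception", f"serial {item.serial} not in issue file (possible counterfeit)"
    if issue.amount != item.amount:
        return "exception", f"amount altered: issued {issue.amount}, presented {item.amount}"
    if normalize_payee(issue.payee) != normalize_payee(item.payee):
        return "exception", f"payee altered: issued {issue.payee!r}, presented {item.payee!r}"
    return "pay", "matches issue file"


def decide_ach_debit(rules: dict[str, AchFilterRule], debit: AchDebit) -> tuple[str, str]:
    """Return ('post' | 'return', reason). An empty rule set is a debit block
    (every debit returned); a populated one is a debit filter."""
    rule = rules.get(debit.originator_id)
    if rule is None:
        return "return", f"originator {debit.originator_id} not authorized"
    if debit.sec_code not in rule.sec_codes:
        return "return", f"SEC code {debit.sec_code} not allowed for {debit.originator_id}"
    if debit.amount > rule.max_amount:
        return "return", f"amount {debit.amount} exceeds cap {rule.max_amount}"
    return "post", "authorized originator within cap"


def run_daily_reconciliation(issued, presented, rules, debits) -> dict[str, list]:
    """Decision one day's presentments; the result is the exception/return report."""
    paid: set[int] = set()
    report: dict[str, list] = {"pay": [], "exception": [], "post": [], "return": []}
    for chk in presented:
        decision, reason = decide_check(issued, chk, paid)
        if decision == "pay":
            paid.add(chk.serial)  # a later presentment of the same serial is an exception
        report[decision].append((chk.serial, reason))
    for debit in debits:
        decision, reason = decide_ach_debit(rules, debit)
        report[decision].append((debit.originator_id, reason))
    return report


ISSUE_FILE = {c.serial: c for c in (  # constructed issue file
    CheckRecord(1001, Decimal("1250.00"), "Acme Supply Co"),
    CheckRecord(1002, Decimal("89.10"), "Metro Utilities"),
    CheckRecord(1003, Decimal("4800.00"), "Northwind Leasing"),
)}
PRESENTED = [  # constructed: the day's presented checks
    CheckRecord(1001, Decimal("1250.00"), "ACME SUPPLY CO"),   # legitimate
    CheckRecord(1002, Decimal("8910.00"), "Metro Utilities"),  # amount altered
    CheckRecord(1003, Decimal("4800.00"), "J. Smith"),         # washed payee
    CheckRecord(2001, Decimal("975.00"), "Cash"),              # serial never issued
    CheckRecord(1001, Decimal("1250.00"), "Acme Supply Co"),   # presented twice
]
ACH_RULES = {  # constructed debit filter: authorized originators and caps
    "1234567890": AchFilterRule(Decimal("5000.00"), frozenset({"CCD"})),
    "9876543210": AchFilterRule(Decimal("500.00"), frozenset({"CCD", "PPD"})),
}
DEBITS = [  # constructed: the day's incoming ACH debits
    AchDebit("1234567890", Decimal("4200.00"), "CCD"),  # authorized
    AchDebit("1234567890", Decimal("9999.00"), "CCD"),  # over cap
    AchDebit("5555555555", Decimal("120.00"), "CCD"),   # unknown originator
    AchDebit("9876543210", Decimal("100.00"), "WEB"),   # SEC code not allowed
]
```

Calling run_daily_reconciliation(ISSUE_FILE, PRESENTED, ACH_RULES, DEBITS) pays one check, posts one debit and puts everything else on the exception or return list with the reason the reviewer needs.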
Card Fraud

Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims

Payment Type | Costs ($B)
Losses by online retailers due to credit card fraud | $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g., PCI | $2.0 - $5.5

Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Fraud by Type of B2B Card
Type of fraud (% of respondents): Purchasing Card 72; T&E Card 45; Multi-Use Card 27; Ghost Card 23; Fleet Card 23; Other 7
• Experienced fraud from own B2B card use: 42%
• Experienced loss due to accepting B2B cards: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
• Signature debit fraud losses: Counterfeit 37%, e-Commerce & MOTO 25%, Stolen card 21%, Lost card 9%, Other 5%, Account takeover 3%
• PIN debit fraud losses: Stolen card 45%, Counterfeit 23%, Other 12%, Account takeover 7%, Lost card 7%, e-Commerce & MOTO 6%
Source: ABA Deposit Account Fraud Survey Report, 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud

Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g., a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
  – Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud

Item | Cost on Black Market, Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1000
Denial of Service Attack | $50 for 24 hours to a single target
Zeus Trojan Virus Kit | $3000 - $4000

Source: RSA Security Survey, September 2010

Phishing Activity Targets by Industry
[Chart not reproduced in this transcript]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention

Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
• Customer notifies us: 76
• At the point of transaction: 48
• Third-party notification: 41
• At the point of origination: 26
• During account audit/reconciliation: 23
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents)
• Employee education: 77
• Customer awareness: 67
• Fraud tools & technologies: 58
• Real-time decision tools: 45
• Manual account monitoring: 28
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service; the chart's breakdown into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective" and "plan to use within 12 to 24 months" is not legible in this transcript)
• Online information services: 71% use
• ACH debit blocks: 57% use
• Check positive pay/reverse positive pay: 51% use
• ACH debit filters: 49% use
• Multi-factor authentication to initiate payments: 49% use
• Check payee positive pay: 42% use
• Account alert services: 36% use
• Card alert services for corporate cards: 29% use
• ACH positive pay: 28% use
• ACH payee positive pay: 23% use
• Post no check services: 22% use
• Account masking services: 16% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of respondents using each control; the chart's breakdown into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective" and "plan to use within 12 to 24 months" is not legible in this transcript)
• Human review of payment transactions: 65% use
• Customer authentication for online transactions: 57% use
• Centralized risk management department: 44% use
• Positive ID of purchaser or account for POS transactions: 37% use
• Fraud detection pen for currency: 32% use
• Software with pattern matching or other indicators: 22% use
• Verify customer state ID card is authentic: 18% use
• Centralized fraud database for one payment type: 16% use
• Centralized fraud database for multiple payment types: 11% use
• Participate in fraudster databases & alerts: 8% use
• Biometrics authentication: 8% use
• Magnetic stripe or card chip authentication: 8% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents)
• Lack of staff resources: 53
• Consumer data privacy issues/concerns: 41
• Cost of implementing commercially available fraud detection tool/service: 41
• Cost of implementing in-house fraud detection tool/method: 38
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
• Unable to combine payment information for review due to operating in multiple states: 3
• Unable to combine payment information for review due to operating with multiple different banks: 3
• Corporate reluctance to share information due to competitive issues: 3
• Other: 15
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate

Questions
Contact Information
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud (in $ billions)

Year | Total e-commerce | Revenue lost to fraud
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)

Year | Revenue lost to online fraud (% of online sales) | Online fraud losses ($ billions)
2000 | 3.6 | 1.5
2001 | 3.2 | 1.7
2002 | 2.9 | 2.1
2003 | 1.7 | 1.9
2004 | 1.8 | 2.6
2005 | 1.6 | 2.8
2006 | 1.4 | 3.1
2007 | 1.4 | 3.7
2008 | 1.4 | 4.0
2009 | 1.2 | 3.3
2010 | 0.9 | 2.7

Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix (ACH)
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

ACH: Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. (Legal authority: Reg E, 12 CFR 205.6(b)(3))
  Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time. (Legal authority: the ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4)

ACH: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. (Legal authority: Reg E, 12 CFR 205.6(b)(3))
  Consumer protection: Consumer has a right of immediate recredit if it notifies the bank within 15 days after receiving the statement. (Legal authority: NACHA OR [3] Section 8.6.1)
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. (Legal authority: the ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for debit items is set forth in NACHA OG [4], pages 102-103)

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check. [2] Receiving Depository Financial Institution. [3] NACHA Operating Rules (2009). [4] NACHA Operating Guidelines (2009); the number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (Checks: forgeries)
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Check [5]: Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check)
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty. (Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208)

Check [5]: Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check)
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty. (Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208)
  Exception: Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. (Legal authority: UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report)

Check [5]: Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check)
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties. (Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207)

[5] These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (Checks: alterations and remotely created checks)
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Check: Fraudulent Alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (Legal authority: UCC 3-407; UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check)
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties. (Legal authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207)
  Exception: Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. (Legal authority: UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report)

Check: Remotely Created Checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check)
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks. (Legal authority: Reg CC, 12 CFR 229.34 contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized)
Appendix A: Payments Fraud Liability Matrix (Credit Cards)
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Credit Cards: Card Present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA/MasterCard websites)
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions. (Legal authority: VISA and MasterCard Rules [6])

Credit Cards: Card not Present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA/MasterCard websites)
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (Legal authority: VISA and MasterCard Rules)

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix – Debit Cards
(Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority)

Card Present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. Legal authority: VISA and MasterCard Rules.

Appendix A: Payments Fraud Liability Matrix. Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix – Debit Cards (continued)
(Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority)

Card Not Present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: Secondary sources (footnote 7).

Appendix A: Payments Fraud Liability Matrix. Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix – Debit Cards (continued)
(Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority)

Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: The consumer has a right of immediate recredit under NACHA Rules if the consumer notifies its bank within 15 days after receiving the statement. Legal authority: NACHA OR Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).

Appendix A: Payments Fraud Liability Matrix. Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Top Fraud Schemes Involving Corporate's Own Accounts
(Bar chart, percentage of respondents. The values below are paired with the labels in the order both were extracted, which is an assumption about the chart layout.)
• Counterfeit checks: 34
• Altered or forged checks: 34
• Counterfeit or stolen cards used at point-…: 31
• Cash register frauds: 19
• Fraudulent credentials to defraud accounts: 16
• Other Internet initiated payments: 16
• Counterfeit or stolen cards used online: 16
• Fraudulent checks converted to ACH …: 13
• Counterfeit currency: 13
• Other: 9
• Telephone initiated payments: 9
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Top Fraud Schemes Involving Payments Accepted
(Bar chart, percentage of respondents. The values below are paired with the labels in the order both were extracted, which is an assumption about the chart layout.)
• Counterfeit checks: 34
• Altered or forged checks: 34
• Counterfeit or stolen cards used at point-of-…: 31
• Cash register frauds: 19
• Fraudulent credentials to defraud accounts: 16
• Other Internet initiated payments: 16
• Counterfeit or stolen cards used online: 16
• Fraudulent checks converted to ACH payments: 13
• Counterfeit currency: 13
• Other: 9
• Telephone initiated payments: 9
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (percentage of respondents)

Perpetrator | All Respondents | Revenues > $1 B | Revenues < $1 B
Outside individual (e.g., check forged, stolen card) | 87 | 87 | 88
Organized crime ring | 15 | 15 | 12
Internal party | 11 | 12 | 8
External known party (e.g., vendor, 3rd party service provider, trading partner) | 8 | 10 | 4
Criminal invasion (e.g., hacked system, malware) | 4 | 3 | 7
Other | 4 | 2 | 6
Lost or stolen laptop or other device | 2 | 1 | 2

Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud

Payment Method | Comparative Value Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $0.07 – $0.14 per $100 purchases | $2.1 trillion | $1.47 – 2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card – PIN | $0.001 – $0.028 per $100 purchases | $0.3 trillion | $32.7 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – Signature | $0.024 – $0.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – ATM | $0.025 per $100 value, or $0.025 per transaction | $0.579 trillion (5.8 billion transactions) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $0.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $0.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $0.008 per $100 value of cash in circulation | $0.79 trillion in circulation, YE '07 | $61 million (2007) | US Secret Service press release, March 2008

DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES.
Estimated values: For cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
(Chart: Target of Check Fraud by Size of Bank & Account Type. Bank size: Community, Mid-Sized, Regional, Money Center, All. Account type: Large Corporation, Middle Market, Small Business. Bar values not legible.)
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of Check Fraud Causing Losses (average percentage per bank)
• Based on number of cases with losses: RDIs 35%, Forgeries 26%, Counterfeit 26%, Kiting 4%, Alteration 4%, Other 5%
• Based on actual loss amount: RDIs 35%, Forgeries 22%, Counterfeit 30%, Alterations 4%, Kiting 6%, Other 3%
RDI: Returned Deposited Items, e.g., closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
• Low-risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  – Certain check security features may be lost through the imaging process
  – Certain physical alterations, such as check “washing”, may be obscured by the imaging process
  – Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g., presenting checks more than once, stealing personal information on checks)
  – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g., modulus check serial numbers/reference numbers, encrypted check data (e.g., payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
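Positive pay and modulus check serial numbers, put together as an added example (not code from the presentation or from any bank's product). It assumes a simple issue-file and presentment-file record shape, a Luhn mod-10 check digit as the "modulus" scheme, and constructed sample items; the duplicate-presentment test also covers the RDC double-deposit case the earlier slide mentions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class CheckItem:
    """One check, either from the company's issue file or the bank's presentment file."""
    serial: str        # serial number printed on the check, including its check digit
    amount: Decimal
    payee: str


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for the numeric body of a serial number (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """True when the last digit of the serial is the Luhn check digit of the rest."""
    if not serial.isdigit() or len(serial) < 2:
        return False
    return luhn_check_digit(serial[:-1]) == serial[-1]


def normalize_payee(payee: str) -> str:
    """Case- and whitespace-insensitive payee comparison key."""
    return " ".join(payee.upper().split())


def positive_pay_exceptions(issued, presented, already_paid=frozenset()):
    """Compare presented items with the issue file; return (serial, reason) exceptions.

    Items that pass every test are paid; everything else goes on the exception
    report for the treasury team to return or approve. `already_paid` holds
    serials paid in earlier cycles so a second deposit of the same check is caught.
    """
    issue_index = {item.serial: item for item in issued}
    seen = set(already_paid)
    exceptions = []
    for item in presented:
        if not serial_is_valid(item.serial):
            exceptions.append((item.serial, "bad check digit"))
            continue
        if item.serial in seen:
            exceptions.append((item.serial, "duplicate presentment"))
            continue
        seen.add(item.serial)
        issued_item = issue_index.get(item.serial)
        if issued_item is None:
            exceptions.append((item.serial, "not in issue file"))
        elif issued_item.amount != item.amount:
            exceptions.append((item.serial, "amount mismatch"))
        elif normalize_payee(issued_item.payee) != normalize_payee(item.payee):
            exceptions.append((item.serial, "payee mismatch"))
    return exceptions


# Constructed sample data; the company, payees and serials are fictitious.
ISSUE_FILE = [
    CheckItem("1000017", Decimal("250.00"), "Acme Supply Co"),
    CheckItem("1000025", Decimal("1200.00"), "Northern Utilities"),
    CheckItem("1000033", Decimal("75.50"), "Jane Doe"),
]

PRESENTED_TODAY = [
    CheckItem("1000017", Decimal("250.00"), "ACME  Supply Co"),          # matches; case/spacing ignored
    CheckItem("1000025", Decimal("1200.00"), "Northern Utilities Inc"),  # payee altered
    CheckItem("1000033", Decimal("750.50"), "Jane Doe"),                 # amount altered
    CheckItem("1000041", Decimal("300.00"), "Cash"),                     # never issued
    CheckItem("1000049", Decimal("300.00"), "Cash"),                     # serial fails the check digit
    CheckItem("1000017", Decimal("250.00"), "Acme Supply Co"),           # same check deposited twice
]


def sample_run():
    """Exception report for the constructed batch."""
    return positive_pay_exceptions(ISSUE_FILE, PRESENTED_TODAY)


if __name__ == "__main__":
    for serial, reason in sample_run():
        print(f"EXCEPTION {serial}: {reason}")
```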
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
• The impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12

Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
(Chart: Corporate ACH Fraud, percentage of respondents by number of attempts (1-5, 6-10, 11-15, 16-20, > 20) for All Respondents (median = 3), Revenues > $1 B (median = 4) and Revenues < $1 B (median = 3). Bar values not legible.)
ACH fraud resulting in financial loss: All Respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
33% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
• The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to the account:
  – Employee visits a social network site and opens an infected document
  – Trick an employee into downloading malware (e.g., keystroke capture virus) from the internet
  – Social engineering/vishing, e.g., calling & tricking an employee into disclosing credentials
  – Phishing/spearphishing to trick an employee into entering credentials: fraudsters send millions of e-mails from a “legitimate” organization to lure employees into clicking on a spoofed link
  – Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a “mule” account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as “payment processor” or “financial agent” via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g., develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
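ACH debit blocks and filters, plus a known-fraudulent-recipient list applied to originated credits, as an added example (not code from the presentation or from any bank's service). It assumes each account carries a policy that is either "block" (return every debit) or "filter" (post only debits from listed originator company IDs, each with a per-entry cap), that entries are plain dicts constructed here with fictitious IDs, and that returns use NACHA reason code R29 (corporate customer advises not authorized).

```python
from dataclasses import dataclass, field
from decimal import Decimal

# NACHA return reason code a corporate receiver's bank uses for debits it did not authorize.
R29 = "R29"


@dataclass(frozen=True)
class Authorization:
    company_id: str       # originator's ACH company identification (assumed 10 characters)
    max_amount: Decimal   # per-entry cap agreed with that originator


@dataclass
class DebitPolicy:
    mode: str                                    # "block" or "filter"
    allowed: dict = field(default_factory=dict)  # company_id -> Authorization

    @classmethod
    def block(cls):
        """Account accepts no ACH debits at all (e.g., payroll or concentration accounts)."""
        return cls("block")

    @classmethod
    def allow_only(cls, *auths):
        """Account accepts debits only from the listed originators, each up to its cap."""
        return cls("filter", {a.company_id: a for a in auths})


def evaluate_debit(policy: DebitPolicy, entry: dict):
    """Decide whether an incoming ACH debit is posted or returned.

    Returns ("post", None) or ("return", (reason_code, explanation)).
    """
    if policy.mode == "block":
        return ("return", (R29, "account carries an ACH debit block"))
    auth = policy.allowed.get(entry["company_id"])
    if auth is None:
        return ("return", (R29, "originator not on the debit filter"))
    if entry["amount"] > auth.max_amount:
        return ("return", (R29, f"amount exceeds authorized cap of {auth.max_amount}"))
    return ("post", None)


def screen_originated_credits(entries, known_bad_recipients):
    """Hold outgoing credits whose receiving account is on the known-fraudulent list."""
    held = []
    for e in entries:
        if (e["receiver_rtn"], e["receiver_account"]) in known_bad_recipients:
            held.append(e["trace"])
    return held


# Constructed sample data; company IDs, routing and account numbers are fictitious.
PAYROLL_ACCOUNT = DebitPolicy.block()
OPERATING_ACCOUNT = DebitPolicy.allow_only(
    Authorization("1234567890", Decimal("5000.00")),   # e.g. a utility on autopay
    Authorization("9876543210", Decimal("1000.00")),   # e.g. a software subscription
)

INCOMING_DEBITS = [
    {"trace": "D1", "company_id": "1234567890", "amount": Decimal("4500.00")},  # within cap
    {"trace": "D2", "company_id": "9876543210", "amount": Decimal("1500.00")},  # over cap
    {"trace": "D3", "company_id": "5555555555", "amount": Decimal("100.00")},   # unknown originator
]

KNOWN_BAD_RECIPIENTS = {("123456789", "000123456")}   # constructed blacklist entry
OUTGOING_CREDITS = [
    {"trace": "C1", "receiver_rtn": "987654321", "receiver_account": "77001"},
    {"trace": "C2", "receiver_rtn": "123456789", "receiver_account": "000123456"},  # listed
]


def sample_run():
    """Decisions for the constructed debits and the held originated credits."""
    decisions = {e["trace"]: evaluate_debit(OPERATING_ACCOUNT, e)[0] for e in INCOMING_DEBITS}
    decisions["payroll-D1"] = evaluate_debit(PAYROLL_ACCOUNT, INCOMING_DEBITS[0])[0]
    return decisions, screen_originated_credits(OUTGOING_CREDITS, KNOWN_BAD_RECIPIENTS)


if __name__ == "__main__":
    print(sample_run())
```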
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment Type | Costs ($B)
Losses by online retailers due to credit card fraud | $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g., PCI | $2.0 – $5.5
Fraud by Type of B2B Card
(Bar chart, type of fraud as percentage of respondents. The values below are paired with the labels in the order both were extracted, which is an assumption about the chart layout.)
• Purchasing Card: 72
• T&E Card: 45
• Multi-Use Card: 27
• Ghost Card: 23
• Fleet Card: 23
• Other: 7
Experienced fraud from own B2B card use: 42%
Experienced loss due to accepting B2B cards: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
• Signature debit fraud losses: Account Takeover 3%, Stolen Card 21%, Lost Card 9%, Counterfeit 37%, e-Commerce & MOTO 25%, Other 5%
• PIN debit fraud losses: Account Takeover 7%, Stolen Card 45%, Lost Card 7%, Counterfeit 23%, e-Commerce & MOTO 6%, Other 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g., a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud

Item | Cost on Black Market, Estimate (2010)
Credit card | $1.50 – $3.00
SSN & Date of Birth (DOB) | $1.50 – $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 – $20
Online banking account (depends on account type & balance) | $50 – $1,000
Denial of Service attack | $50 for 24 hours to a single target
Zeus Trojan virus kit | $3,000 – $4,000

Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
(Chart; values not legible.)
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (Bar chart, percentage of respondents. The values below are paired with the labels in the order both were extracted, which is an assumption about the chart layout.)
• Customer notifies us: 76
• At the point of transaction: 48
• Third-party notification: 41
• At the point of origination: 26
• During account audit/reconciliation: 23
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (Bar chart, percentage of respondents. The values below are paired with the labels in the order both were extracted, which is an assumption about the chart layout.)
• Employee education: 77
• Customer awareness: 67
• Fraud tools & technologies: 58
• Real-time decision tools: 45
• Manual account monitoring: 28
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness (percentage of respondents using each service; each bar is further split into use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, and plan to use within 12 to 24 months, whose values are not legible. Use percentages are paired with the labels in the order both were extracted, which is an assumption about the chart layout.)
• Online information services: 71% use
• ACH debit blocks: 57% use
• Check positive pay/reverse positive pay: 51% use
• ACH debit filters: 49% use
• Multi-factor authentication to initiate payments: 49% use
• Check payee positive pay: 42% use
• Account alert services: 36% use
• Card alert services for corporate cards: 29% use
• ACH positive pay: 28% use
• ACH payee positive pay: 23% use
• Post no check services: 22% use
• Account masking services: 16% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(Percentage of respondents using each control; each bar is further split into use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, and plan to use within 12 to 24 months, whose values are not legible. Use percentages are paired with the labels in the order both were extracted, which is an assumption about the chart layout.)
• Human review of payment transactions: 65% use
• Customer authentication for online transactions: 57% use
• Centralized risk management department: 44% use
• Positive ID of purchaser or account for POS transactions: 37% use
• Fraud detection pen for currency: 32% use
• Software with pattern matching or other indicators: 22% use
• Verify customer state ID card is authentic: 18% use
• Centralized fraud database for one payment type: 16% use
• Centralized fraud database for multiple payment types: 11% use
• Participate in fraudster databases & alerts: 8% use
• Biometrics authentication: 8% use
• Magnetic stripe or card chip authentication: 8% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (percentage of respondents)

Barrier | %
Lack of staff resources | 53
Consumer data privacy issues/concerns | 41
Cost of implementing commercially available fraud detection tool/service | 41
Cost of implementing in-house fraud detection tool/method | 38
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods | 35
Unable to combine payment information for review due to operating in multiple states | 3
Unable to combine payment information for review due to operating with multiple different banks | 3
Corporate reluctance to share information due to competitive issues | 3
Other | 15

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types, and to a lesser extent fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple “tools” & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt “tools” & practices as appropriate.
Questions
Contact Information
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions

Year | Total e-commerce revenue | Revenue lost to fraud
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)

Year | Revenue lost to online fraud (% of online sales) | Online fraud losses ($ billions)
2000 | 3.6 | $1.5
2001 | 3.2 | $1.7
2002 | 2.9 | $2.1
2003 | 1.7 | $1.9
2004 | 1.8 | $2.6
2005 | 1.6 | $2.8
2006 | 1.4 | $3.1
2007 | 1.4 | $3.7
2008 | 1.4 | $4.0
2009 | 1.2 | $3.3
2010 | 0.9 | $2.7

Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix – ACH
(Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority)

Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if the consumer reports the fraud within 60 days after receiving the statement. Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution (“ODFI”) is liable for breach of warranty that the item is authorized. Credit items can be returned at any time. Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) (footnote 1)
  Consumer protection: $0. Consumer not liable if the consumer reports the fraud within 60 days after receiving the statement. Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Consumer protection: The consumer has a right of immediate recredit if the consumer notifies the bank within 15 days after receiving the statement. Legal authority: NACHA OR (footnote 3) Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: The ODFI is liable for breach of warranty that the item is authorized. The ODFI must accept the return of unauthorized items that the RDFI (footnote 2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG (footnote 4), pages 102, 103.

Appendix A: Payments Fraud Liability Matrix. Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Footnote 1: ARC means lockbox items pursuant to NACHA OR 3.7. POP means Point of Purchase conversion items pursuant to NACHA OR 3.8. BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
Footnote 2: Receiving Depository Financial Institution.
Footnote 3: NACHA Operating Rules (2009).
Footnote 4: NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix – Check (footnote 5)
(Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority)

Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The paying bank is liable, as there is no breach of presentment warranty. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery. Legal authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: The paying bank is liable, as there is no breach of presentment warranty. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The depository bank is liable, as there is a breach of transfer or presentment warranties. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Footnote 5: These protections also apply to business checks.

Appendix A: Payments Fraud Liability Matrix. Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment Type: Check
Subtype (Fraud Type): Fraudulent Alteration
Consumer Protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.
Possible exception: if consumer's negligence substantially contributed to the forged signature, or if consumer failed to timely report the forgery.
Legal Authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).

Payment Type: Check
Subtype (Fraud Type): Remotely Created Checks
Consumer Protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
Legal Authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.
Payment Type: Credit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
Legal Authority: VISA and MasterCard Rules6
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites

Payment Type: Credit Cards
Subtype (Fraud Type): Card not present (telephone or web initiated use)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: VISA and MasterCard Rules
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites
6 The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Payment Type: Debit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
Legal Authority: VISA and MasterCard Rules
Consumer Protection: Up to $50, if the consumer provides notice within two business days after learning of the loss of the debit card.
Legal Authority: Reg E, 12 CFR 205.6(b)(1)
Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice.
Legal Authority: Reg E, 12 CFR 205.6(b)(2)
Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Payment Type: Debit Cards
Subtype (Fraud Type): Card not Present (telephone or web initiated use)
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: Secondary Sources7
Consumer Protection: Up to $50, if the consumer provides notice within two business days after learning of the loss of the debit card.
Legal Authority: Reg E, 12 CFR 205.6(b)(1)
Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice.
Legal Authority: Reg E, 12 CFR 205.6(b)(2)
Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Payment Type: Debit Cards
Subtype (Fraud Type): Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
Consumer Protection: Up to $50, if the consumer provides notice within four business days after learning of the loss of the debit card.
Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v)
Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice.
Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v)
Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v)
Consumer Protection: Consumer has right of immediate recredit under NACHA Rules if notifies its bank within 15 days after receiving statement.
Legal Authority: NACHA OR Section 8.6.1
Top Fraud Schemes Involving Payments Accepted
[Bar chart; values read from the bar labels, in the order the categories appear (ascending): Telephone initiated payments 9; Other 9; Counterfeit currency 13; Fraudulent checks converted to ACH payments 13; Counterfeit or stolen cards used online 16; Other Internet initiated payments 16; Fraudulent credentials to defraud accounts 16; Cash register frauds 19; Counterfeit or stolen cards used at point-of… 31; Altered or forged checks 34; Counterfeit checks 34]
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
External Parties Responsible for Most Payments Fraud
Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)

Perpetrator | All Respondents | Revenues >$1 B | Revenues <$1 B
Outside individual (e.g., check forged, stolen card) | 87 | 87 | 88
Organized crime ring | 15 | 15 | 12
Internal party | 11 | 12 | 8
External known party (e.g., vendor, 3rd party service provider, trading partner) | 8 | 10 | 4
Criminal invasion (e.g., hacked system, malware) | 4 | 3 | 7
Other | 4 | 2 | 6
Lost or stolen laptop or other device | 2 | 1 | 2

Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud

Payment Method | Comparative Value Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $0.07 - $0.14 per $100 purchases | $2.1 trillion | $1.47 - 2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card - PIN | $0.01 - $0.028 per $100 purchases | $0.3 trillion | $327 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card - Signature | $0.024 - $0.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card - ATM | $0.025 per $100 value or $0.025 per transaction | $0.579 trillion (5.8 billion trans) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $0.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $0.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $0.008 per $100 value of cash in circulation | $0.79 trillion in circulation, YE '07 | $61 million (2007) | US Secret Service press release, March 2008

DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES.
Estimated values: For cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
[Chart: Target of Check Fraud by Size of Bank & Account Type; bank sizes Community, Mid-Sized, Regional, Money Center, All; account types Large Corporation, Middle Market, Small Business; bar values not recoverable from the extracted text]
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of Check Fraud Causing Losses (average percentage per bank)

Type | Based on Number of Cases with Losses | Based on Actual Loss Amount
RDIs | 35 | 35
Forgeries | 26 | 22
Counterfeit | 26 | 30
Alteration | 4 | 4
Kiting | 4 | 6
Other | 5 | 3

RDI: Returned Deposited Items, e.g., closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
- Low risk crime
- Low barriers & costs to entry
- Account & other information needed is accessible
- Attributes of paper facilitate fraud
- Remote deposit capture (RDC) may increase aspects of fraud risk:
  - Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  - Certain check security features may be lost through the imaging process
  - Certain physical alterations, such as check "washing", may be obscured by the imaging process
  - Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g., presenting checks more than once, stealing personal information on checks)
  - Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
- Institute positive pay
- Require signature verification
- Reconcile accounts daily
- Consider using image-survivable check security features, e.g., modulus check serial numbers/reference numbers, encrypted check data (e.g., payee, amount) printed on the check
- Secure check stock & implement dual control around key treasury functions
ACH Fraud
Total ACH Fraud Appears to be Low
- ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
- Impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 - 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12

Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
- Unauthorized debits to accounts
- ACH kiting
- Invalid debit origination/Counterfeit ACH
- Fraudulent claims of unauthorized debits
- Insider origination fraud
- Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
[Bar chart: Corporate ACH Fraud, Number of Attempts (1-5, 6-10, 11-15, 16-20, >20) for All Respondents (Median = 3), Revenues >$1 B (Median = 4), Revenues <$1 B (Median = 3); bar values not recoverable from the extracted text]
Source: 2010 AFP Payment Fraud & Control Survey

ACH Fraud Resulting in Financial Loss (% of respondents):
- All Respondents: 11
- Revenues >$1 B: 9
- Revenues <$1 B: 18

3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.
Source: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
Criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks.
Methods used to gain access to account:
- Employee visits social network site, opens infected document
- Trick employee into downloading malware (e.g., keystroke capture virus) from the internet
- Social engineering/vishing, e.g., calling & tricking employee to disclose credentials
- Phishing/spearphishing to trick employee into entering credentials; fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
- Hacking a computer system that is inadequately protected
Once the account is accessed, fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned.
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk
- Implement best practices for online & IT data security, authenticating customers & initiating payments
- Use ACH Positive Pay, debit blocks & filters as appropriate
- Implement proactive detection & monitoring
- Develop & use files of known fraudulent recipients, e.g., develop blacklists
- Reconcile accounts daily & make timely returns
- Retain rights of refusal
- Require due diligence of 3rd party processors
- Educate customers & employees on fraud & how to report it
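The check positive pay control from the check fraud slide and the ACH positive pay, debit filter and timely-return practices above all reduce to matching presented items against what the account holder says it authorized. The following is an added example written for this page, not the presenters' or any bank's code: the issue file, originator list, company IDs and dates are constructed sample data, and the 60-day window is the NACHA return period for unauthorized consumer debits cited in Appendix A.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    """One line of the customer's check issue file sent to the bank."""
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedCheck:
    """A check presented for payment, with the payee read from the image."""
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class AchDebit:
    """An incoming ACH debit entry against the customer's account."""
    company_id: str        # originator's company identification (constructed)
    amount: Decimal
    settlement_date: date


def positive_pay_exceptions(issue_file, presented):
    """Return (serial, reason) pairs for presented checks that do not match
    the issue file and must be held for the customer's pay/return decision.
    Reasons: serial never issued (counterfeit indicator), amount or payee
    differs (alteration indicator), or the same serial presented twice
    (double presentment, e.g. a check deposited once via RDC and again)."""
    issued = {c.serial: c for c in issue_file}
    seen = set()
    exceptions = []
    for item in presented:
        if item.serial in seen:
            exceptions.append((item.serial, "duplicate presentment"))
            continue
        seen.add(item.serial)
        original = issued.get(item.serial)
        if original is None:
            exceptions.append((item.serial, "serial not in issue file"))
        elif item.amount != original.amount:
            exceptions.append((item.serial, "amount mismatch"))
        elif item.payee.casefold() != original.payee.casefold():
            exceptions.append((item.serial, "payee mismatch"))
    return exceptions


def ach_debit_filter(authorized_originators, debits):
    """Apply an ACH debit filter: pay a debit only when the originator's
    company ID is on the authorized list and the amount is within that
    originator's cap; everything else is returned.  An empty authorized
    list makes the filter behave as a debit block."""
    decisions = []
    for d in debits:
        cap = authorized_originators.get(d.company_id)
        if cap is None:
            decisions.append((d, "return: originator not authorized"))
        elif d.amount > cap:
            decisions.append((d, "return: amount exceeds cap"))
        else:
            decisions.append((d, "pay"))
    return decisions


def within_unauthorized_return_window(settlement_date, return_date, days=60):
    """True when a return of an unauthorized consumer debit falls inside the
    window after settlement in which the ODFI must accept it (60 days)."""
    elapsed = (return_date - settlement_date).days
    return 0 <= elapsed <= days


# Constructed sample data for the demonstration (not real accounts).
SAMPLE_ISSUE_FILE = [
    IssuedCheck("1001", Decimal("250.00"), "Acme Supply"),
    IssuedCheck("1002", Decimal("1200.00"), "Northwind Services"),
    IssuedCheck("1003", Decimal("80.00"), "City Water"),
]
SAMPLE_PRESENTED = [
    PresentedCheck("1001", Decimal("250.00"), "ACME SUPPLY"),   # clean match
    PresentedCheck("1002", Decimal("1200.00"), "N. Windfall"),  # payee altered
    PresentedCheck("1003", Decimal("800.00"), "City Water"),    # amount altered
    PresentedCheck("1004", Decimal("990.00"), "Cash"),          # never issued
    PresentedCheck("1001", Decimal("250.00"), "Acme Supply"),   # presented again
]
SAMPLE_AUTHORIZED = {"1234567890": Decimal("5000.00")}  # one vendor, $5,000 cap
SAMPLE_DEBITS = [
    AchDebit("1234567890", Decimal("4200.00"), date(2010, 1, 15)),
    AchDebit("1234567890", Decimal("6000.00"), date(2010, 1, 15)),
    AchDebit("9999999999", Decimal("50.00"), date(2010, 1, 15)),
]
SETTLED = date(2010, 1, 15)
RETURN_ON_TIME = date(2010, 3, 10)   # 54 days after settlement
RETURN_LATE = date(2010, 3, 20)      # 64 days after settlement


def demo():
    """Run both controls over the sample data and return the decisions."""
    return {
        "check_exceptions": positive_pay_exceptions(SAMPLE_ISSUE_FILE, SAMPLE_PRESENTED),
        "ach_decisions": [why for _, why in ach_debit_filter(SAMPLE_AUTHORIZED, SAMPLE_DEBITS)],
        "return_on_time": within_unauthorized_return_window(SETTLED, RETURN_ON_TIME),
        "return_late": within_unauthorized_return_window(SETTLED, RETURN_LATE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```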
Card Fraud
Card Fraud Losses
- 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
- 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
- Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
- Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment Type | Costs ($B)
Losses by online retailer due to credit card fraud | $3.6
Losses by brick-and-mortar retailer due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g., PCI | $2.0 - $5.5
Fraud by Type of B2B Card
[Bar chart, % of respondents reporting fraud by card type, read from the bar labels: Purchasing Card 72; T&E Card 45; Multi-Use Card 27; Ghost Card 23; Fleet Card 23; Other 7]

Type of Fraud | % of Respondents
Experienced Fraud from Own B2B Card Use | 42
Experienced Loss Due to Accepting B2B Card | 16

Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Source of Loss | Signature Debit Fraud Losses (%) | PIN Debit Fraud Losses (%)
Account Takeover | 3 | 7
Stolen Card | 21 | 45
Lost Card | 9 | 7
Counterfeit | 37 | 23
e-Commerce & MOTO | 25 | 6
Other | 5 | 12

Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
- Use intelligent fraud prevention & detection systems to identify high-risk transactions
- Validate compliance with PCI standards
- Use real-time authorization & address verification systems
- Use check card verification codes & secure payment services for card-not-present acceptance
- Respond immediately to fraud & chargeback issues
- Implement programs & protective controls to prevent misuse of corporate payment cards by employees
- Set transaction limits & block unauthorized vendors
- Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
- Another environment for direct payments fraud, e.g., fraudulent payment used to buy goods/services online
- Facilitates cyber crimes central to committing other types of payments fraud later
- Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
- Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud

Item | Cost on Black Market, Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set: Credit card, CVV2 code, expiration date, username & password, address, SSN, DOB | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1000
Denial of Service Attack | $50 for 24 hours to single target
Zeus Trojan Virus Kit | $3000 - $4000

Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
[Chart; data not recoverable from the extracted text]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is Fraud Usually Detected? (% of respondents, read from the bar labels)
- Customer Notifies Us: 76
- At the Point of Transaction: 48
- Third-Party Notification: 41
- At the Point of Origination: 26
- During Account Audit/Reconciliation: 23
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most Effective Fraud Prevention Tools (% of respondents, read from the bar labels)
- Employee Education: 77
- Customer Awareness: 67
- Fraud Tools & Technologies: 58
- Real-Time Decision Tools: 45
- Manual Account Monitoring: 28
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
- Authentication/authorization for payment processes
- Dual controls & separation of duties
- Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness
[Bar chart; the effectiveness split (use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months) is not recoverable from the extracted text. Share of respondents using each service, read from the bar labels:]
- Account masking services: 16%
- Post no check services: 22%
- ACH payee positive pay: 23%
- ACH positive pay: 28%
- Card alert services for corporate cards: 29%
- Account alert services: 36%
- Check payee positive pay: 42%
- Multi-factor authentication to initiate payments: 49%
- ACH debit filters: 49%
- Check positive pay/reverse positive pay: 51%
- ACH debit blocks: 57%
- Online information services: 71%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
Use & Effectiveness of Internal Controls by Corporations
[Bar chart; the effectiveness split (use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months) is not recoverable from the extracted text. Share of respondents using each control, read from the bar labels:]
- Magnetic stripe or card chip authentication: 8%
- Biometrics authentication: 8%
- Participate in fraudster databases & alerts: 8%
- Centralized fraud database for multiple payment types: 11%
- Centralized fraud database for one payment type: 16%
- Verify customer state ID card is authentic: 18%
- Software with pattern matching or other indicators: 22%
- Fraud detection pen for currency: 32%
- Positive ID of purchaser or account for POS transactions: 37%
- Centralized risk management department: 44%
- Customer authentication for online transactions: 57%
- Human review of payment transactions: 65%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (% of respondents)
- Lack of staff resources: 53
- Consumer data privacy issues/concerns: 41
- Cost of implementing commercially available fraud detection tool/service: 41
- Cost of implementing in-house fraud detection tool/method: 38
- Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
- Unable to combine payment information for review due to operating in multiple states: 3
- Unable to combine payment information for review due to operating with multiple different banks: 3
- Corporate reluctance to share information due to competitive issues: 3
- Other: 15
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
- Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
- Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
- Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
- Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry Links
- American Bankers Association: www.aba.com
- Association for Financial Professionals: www.afponline.org
- Bank Administration Institute: www.bai.org
- BITS: www.bitsinfo.org
- Credit Union National Association: www.cuna.org
- Board of Governors of the Federal Reserve System: www.federalreserve.gov
- Electronic Check Clearing House Organization (ECCHO): www.eccho.com
- Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
- Federal Reserve Financial Services: www.frbservices.org
- Independent Community Bankers of America: www.icba.org
- National Automated Clearing House Association: www.nacha.org
- National Association of Federal Credit Unions: www.nafcunet.org
- X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions (values read from the chart labels)

Year | Total e-commerce ($B) | Revenue Lost to Fraud ($B)
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions), values read from the chart labels

Year | Revenue Lost to Online Fraud (% of online sales) | Online Fraud Losses ($B)
2000 | 3.6 | 1.5
2001 | 3.2 | 1.7
2002 | 2.9 | 2.1
2003 | 1.7 | 1.9
2004 | 1.8 | 2.6
2005 | 1.6 | 2.8
2006 | 1.4 | 3.1
2007 | 1.4 | 3.7
2008 | 1.4 | 4.0
2009 | 1.2 | 3.3
2010 | 0.9 | 2.7

Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix

Payment Type: ACH
Subtype (Fraud Type): Credit Items (PPD)
Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement.
Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit Items can be returned at any time.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

Payment Type: ACH
Subtype (Fraud Type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)1
Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement.
Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Consumer Protection: Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement.
Legal Authority: NACHA OR3 Section 8.6.1
Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI2 returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG4 102, 103.
1 ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check. 2 Receiving Depository Financial Institution. 3 NACHA Operating Rules (2009). 4 NACHA Operating Guidelines (2009); the number following OG refers to the page number.
Payment Type: Check5
Subtype (Fraud Type): Forged (counterfeit) check
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check
Subtype (Fraud Type): Forged drawer's signature
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.
Possible exception: if consumer's negligence substantially contributed to the forged signature, or if consumer failed to timely report the forgery.
Legal Authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
Appendix A: Payments Fraud Liability Matrix (continued)
Payment type: Check

Subtype (fraud type): Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 3-407; UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Subtype (fraud type): Remotely created checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (continued)
Payment type: Credit cards

Subtype (fraud type): Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules (footnote 6).

Subtype (fraud type): Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules.

(6) The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (continued)
Payment type: Debit cards

Subtype (fraud type): Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard Rules.
Appendix A: Payments Fraud Liability Matrix (continued)
Payment type: Debit cards

Subtype (fraud type): Card not present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary sources (footnote 7).
Appendix A: Payments Fraud Liability Matrix (continued)
Payment type: Debit cards

Subtype (fraud type): Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement.
  Legal authority: NACHA OR Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
External Parties Responsible for Most Payments Fraud

Perpetrators of Payments Fraud that Resulted in Financial Loss in 2009 (% of respondents)

Perpetrator | All respondents | Revenues > $1 B | Revenues < $1 B
Outside individual (e.g. check forged, stolen card) | 87% | 87% | 88%
Organized crime ring | 15% | 15% | 12%
Internal party | 11% | 12% | 8%
External known party (e.g. vendor, 3rd-party service provider, trading partner) | 8% | 10% | 4%
Criminal invasion (e.g. hacked system, malware) | 4% | 3% | 7%
Other | 4% | 2% | 6%
Lost or stolen laptop or other device | 2% | 1% | 2%

Source: 2010 AFP Payments Fraud & Control Study
Comparative Cost of Payments Fraud

Payment method | Comparative value range | Total dollar value | Estimated loss | Source of information
Credit card | $0.07 - $0.14 per $100 purchases | $2.1 trillion | $1.47 - 2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit card - PIN | $0.001 - $0.028 per $100 purchases | $0.3 trillion | $327 million (2007) | Pulse 2008 Debit Issuer Study
Debit card - signature | $0.024 - $0.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit card - ATM | $0.025 per $100 value, or $0.025 per transaction | $0.579 trillion (5.8 billion transactions) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $0.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $0.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $0.008 per $100 value of cash in circulation | $0.79 trillion in circulation, YE '07 | $61 million (2007) | US Secret Service press release, March 2008

Data is not precise; it is intended to enable a general comparison of fraud across payment types.
Estimated values: for cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & the 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz

[Figure: Target of Check Fraud by Size of Bank & Account Type. Bar chart by bank size (Community, Mid-Sized, Regional, Money Center, All) and account type (Large Corporation, Middle Market, Small Business); individual bar values not recoverable.]
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts

Type of Check Fraud Causing Losses (average percentage per bank)

Type | Based on number of cases with losses | Based on actual loss amount
RDIs | 35% | 35%
Forgeries | 26% | 22%
Counterfeit | 26% | 30%
Kiting | 4% | 6%
Alteration | 4% | 4%
Other | 5% | 3%

RDI: Returned Deposited Items, e.g. closed accounts, NSFs, stop payments.
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
• Low-risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  • Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  • Certain check security features may be lost through the imaging process
  • Certain physical alterations, such as check "washing", may be obscured by the imaging process
  • Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g. presenting checks more than once, stealing personal information on checks)
  • Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
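Two of the controls above, positive pay and image-survivable check security features, as an added worked example (this is not code from the presentation or from any of the speakers' organizations). The modulus-10 serial check digit, the keyed authentication code over payee and amount, and the shared key are assumptions about how such features could be implemented; the issued-check file and the presented items are constructed sample data. The decision logic also flags the duplicate-presentment case that the RDC slide above raises.

```python
"""Check positive pay with image-survivable check security features.

Added example, not from the presentation: an issued-check file is matched
against presented items (positive pay), and each check carries two features
that survive imaging because they are printed digits rather than paper or ink
properties: a modulus-10 check digit on the serial number and a short keyed
authentication code computed over (serial, payee, amount).  The key, the
serial numbers and the sample checks are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal

# Assumption: shared between the check issuer and its bank; in production this
# would live in an HSM or key vault, not in source code.
SHARED_KEY = b"example-check-feature-key-not-real"


def mod10_check_digit(payload: str) -> str:
    """Luhn (modulus-10) check digit for a numeric payload."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """True when the serial's last digit is the correct check digit."""
    return serial.isdigit() and len(serial) > 1 and mod10_check_digit(serial[:-1]) == serial[-1]


def auth_code(serial: str, payee: str, amount: Decimal) -> str:
    """8 hex digits printed on the check, binding payee and amount to the serial.
    The payee is normalised so OCR case/whitespace differences do not break verification."""
    payee_norm = " ".join(payee.upper().split())
    msg = f"{serial}|{payee_norm}|{amount:.2f}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()[:8]


@dataclass(frozen=True)
class Check:
    serial: str
    payee: str
    amount: Decimal
    code: str = ""          # authentication code as printed on / read from the image


def issue(serial: str, payee: str, amount: Decimal) -> Check:
    """Issue a check: record it in the issued file with its authentication code."""
    return Check(serial, payee, amount, auth_code(serial, payee, amount))


def positive_pay(issued: list[Check], presented: list[Check]) -> list[tuple[str, str]]:
    """Decide each presented item: 'pay' or an exception reason for the customer to review."""
    issued_by_serial = {c.serial: c for c in issued}
    paid: set[str] = set()
    decisions = []
    for item in presented:
        if not serial_is_valid(item.serial):
            reason = "exception: serial fails check digit (likely counterfeit)"
        elif item.serial not in issued_by_serial:
            reason = "exception: serial not in issued file"
        elif item.serial in paid:
            reason = "exception: duplicate presentment"
        elif item.amount != issued_by_serial[item.serial].amount:
            reason = "exception: amount differs from issued file (possible alteration)"
        elif not hmac.compare_digest(item.code, auth_code(item.serial, item.payee, item.amount)):
            reason = "exception: auth code mismatch (payee or amount altered, or counterfeit)"
        else:
            reason = "pay"
            paid.add(item.serial)
        decisions.append((item.serial, reason))
    return decisions


def demo() -> list[tuple[str, str]]:
    """Constructed sample: three issued checks and six presented items."""
    serials = [s + mod10_check_digit(s) for s in ("100421", "100422", "100423")]
    issued = [
        issue(serials[0], "Acme Supply Co", Decimal("1250.00")),
        issue(serials[1], "Jane Q Public", Decimal("80.00")),
        issue(serials[2], "City Utilities", Decimal("312.45")),
    ]
    presented = [
        issued[0],                                                              # genuine
        Check(serials[1], "Jane Q Public", Decimal("800.00"), issued[1].code),  # amount raised
        Check(serials[2], "J Doe", Decimal("312.45"), issued[2].code),          # payee washed
        Check("1004249", "Acme Supply Co", Decimal("500.00"), "00000000"),      # bad check digit
        Check("1004241", "Acme Supply Co", Decimal("500.00"), "00000000"),      # valid digit, never issued
        issued[0],                                                              # presented a second time
    ]
    return positive_pay(issued, presented)


if __name__ == "__main__":
    for serial, decision in demo():
        print(serial, decision)
```

The check digit costs nothing to verify and stops casually invented serials; the authentication code is what survives a wash, because the payee and amount read from the image must still match what the issuer signed at print time.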
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR, while unauthorized returned debits grew at only a 3.6% CAGR
• The impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates

On a scale of 1 - 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH debits | 4.06 | 4.03 | 4.24 | 4.12

Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud

Corporate ACH Fraud: Number of Attempts (% of respondents)

Attempts | All respondents (median = 3) | Revenues > $1 B (median = 4) | Revenues < $1 B (median = 3)
1-5 | 68% | 61% | 75%
6-10 | 10% | 8% | 11%
11-15 | 8% | 13% | 0%
16-20 | 3% | 5% | 0%
> 20 | 12% | 13% | 14%

ACH fraud resulting in financial loss: all respondents 11%; revenues > $1 B 9%; revenues < $1 B 18%.

3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.

Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover
• The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to accounts:
  • Employee visits a social network site and opens an infected document
  • Tricking an employee into downloading malware (e.g. a keystroke-capture virus) from the internet
  • Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
  • Phishing/spearphishing to trick an employee into entering credentials; fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
  • Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processors" or "financial agents" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd-party processors
• Educate customers & employees on fraud & how to report it
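The debit block, debit filter and ACH positive pay controls named above, as an added worked example of how a bank could screen incoming ACH debits on a corporate account (this is not code from the presentation or from any speaker's organization). The originator company IDs, per-originator caps, SEC-code policy and the sample day's entries are constructed; the return reason text uses the NACHA R29 "corporate customer advises not authorized" code, which is the real return reason for this situation.

```python
"""ACH debit block, debit filter and ACH positive pay on a corporate account.

Added example, not from the presentation: each incoming ACH debit entry is
screened against the account's control setting before it posts.  The
originator company IDs, caps, SEC codes and sample entries are constructed;
"R29" is the real NACHA return reason for a corporate customer advising
that a debit is not authorized.
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class AchDebit:
    trace: str          # trace number from the entry detail record
    company_id: str     # originator's company identification
    company_name: str
    sec_code: str       # standard entry class: CCD, CTX, PPD, WEB, TEL, ...
    amount: Decimal
    settlement: date


@dataclass
class DebitControl:
    """mode 'block' returns every debit; 'filter' allows listed originators up to a cap;
    'positive_pay' allows only debits the customer pre-authorised (originator + exact amount)."""
    mode: str
    allowed: dict[str, Decimal] = field(default_factory=dict)            # company_id -> per-entry cap
    preauthorised: set[tuple[str, Decimal]] = field(default_factory=set)
    sec_allowed: frozenset[str] = frozenset({"CCD", "CTX", "PPD"})       # consumer-style WEB/TEL rejected

    def decide(self, e: AchDebit) -> tuple[str, str]:
        """Return ('post', '') or ('return', reason)."""
        if self.mode == "block":
            return "return", "R29 debit block on account"
        if e.sec_code not in self.sec_allowed:
            return "return", f"R29 SEC code {e.sec_code} not permitted on corporate account"
        if self.mode == "filter":
            cap = self.allowed.get(e.company_id)
            if cap is None:
                return "return", f"R29 originator {e.company_id} not on debit filter"
            if e.amount > cap:
                return "return", f"R29 amount {e.amount} exceeds cap {cap} for {e.company_id}"
            return "post", ""
        if self.mode == "positive_pay":
            if (e.company_id, e.amount) in self.preauthorised:
                return "post", ""
            return "return", f"R29 no positive pay authorisation for {e.company_id} {e.amount}"
        raise ValueError(f"unknown mode {self.mode!r}")


def screen(control: DebitControl, entries: list[AchDebit]) -> dict:
    """Screen a day's debits; returns decisions plus the dollar amount kept off the account."""
    decisions = [(e.trace, *control.decide(e)) for e in entries]
    returned = sum((e.amount for e, d in zip(entries, decisions) if d[1] == "return"), Decimal("0"))
    return {"decisions": decisions, "returned_total": returned}


# Constructed sample day: a known payroll provider, a known utility, one unknown
# originator, and one WEB debit that a corporate account should never receive.
SAMPLE_ENTRIES = [
    AchDebit("091000010000001", "1234567890", "PAYROLL SVC", "CCD", Decimal("48210.55"), date(2011, 4, 4)),
    AchDebit("091000010000002", "1987654321", "CITY UTILITY", "CCD", Decimal("612.40"), date(2011, 4, 4)),
    AchDebit("091000010000003", "1555555555", "UNKNOWN ORIG", "CCD", Decimal("9750.00"), date(2011, 4, 4)),
    AchDebit("091000010000004", "1234567890", "PAYROLL SVC", "WEB", Decimal("2500.00"), date(2011, 4, 4)),
]

FILTER = DebitControl("filter", allowed={"1234567890": Decimal("60000"), "1987654321": Decimal("1000")})
POSITIVE_PAY = DebitControl("positive_pay", preauthorised={("1234567890", Decimal("48210.55"))})

if __name__ == "__main__":
    for name, ctl in (("filter", FILTER), ("positive_pay", POSITIVE_PAY)):
        result = screen(ctl, SAMPLE_ENTRIES)
        print(name, "returned total:", result["returned_total"])
        for trace, action, reason in result["decisions"]:
            print(" ", trace, action, reason)
```

A filter stops an unknown originator and an out-of-pattern amount from a known one; positive pay is stricter, since the customer must pre-authorise each debit, which is why the survey slides later in the deck show it used less often than blocks and filters. The SEC-code check applies in every mode: a corporate account has no business receiving WEB or TEL entries, so a takeover that originates consumer-style debits is returned regardless of originator.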
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment type | Costs ($B)
Losses by online retailers due to credit card fraud | $36
Losses by brick-and-mortar retailers due to debit & credit card fraud | $20
Cost of compliance with debit & credit card security, e.g. PCI | $20 - $55
Fraud by Type of B2B Card

Type of fraud | % of respondents
Experienced fraud from own B2B card use | 42%
Experienced loss due to accepting B2B cards | 16%

Fraud experienced, by B2B card type (% of respondents): Purchasing Card 72%; T&E Card 45%; Multi-Use Card 27%; Ghost Card 23%; Fleet Card 23%; Other 7%

Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Source of loss | Signature debit fraud losses | PIN debit fraud losses
Account takeover | 3% | 7%
Stolen card | 21% | 45%
Lost card | 9% | 7%
Counterfeit | 37% | 23%
e-Commerce & MOTO | 25% | 6%
Other | 5% | 12%

Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
  • Stolen data used to make purchases: 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud

Estimated cost of buying information & services online to perpetrate fraud (black market estimate, 2010):

Item | Cost on black market
Credit card | $1.50 - $3.00
SSN & date of birth (DOB) | $1.50 - $3.00
Full data set: credit card, CVV2 code, expiration date, username & password, address, SSN, DOB | $5 - $20
Online banking account (depends on account type & balance) | $50 - $1,000
Denial of service attack | $50 for 24 hours against a single target
Zeus Trojan virus kit | $3,000 - $4,000

Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry

[Figure: phishing activity targets by industry; chart not recoverable.]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed

When is Fraud Usually Detected? (% of respondents)
Customer notifies us | 76%
At the point of transaction | 48%
Third-party notification | 41%
At the point of origination | 26%
During account audit/reconciliation | 23%

Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud

Most Effective Fraud Prevention Tools (% of respondents)
Employee education | 77%
Customer awareness | 67%
Fraud tools & technologies | 58%
Real-time decision tools | 45%
Manual account monitoring | 28%

Source: Information Security Media Group, 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations

Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service; the survey also split users into "very effective", "somewhat effective", "somewhat ineffective" and "very ineffective", plus those planning to use within 12 to 24 months)

Risk service | % use
Online information services | 71%
ACH debit blocks | 57%
Check positive pay/reverse positive pay | 51%
ACH debit filters | 49%
Multi-factor authentication to initiate payments | 49%
Check payee positive pay | 42%
Account alert services | 36%
Card alert services for corporate cards | 29%
ACH positive pay | 28%
ACH payee positive pay | 23%
Post no check services | 22%
Account masking services | 16%

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations

(% of respondents using each control; the survey also split users into "very effective", "somewhat effective", "somewhat ineffective" and "very ineffective", plus those planning to use within 12 to 24 months)

Internal control | % use
Human review of payment transactions | 65%
Customer authentication for online transactions | 57%
Centralized risk management department | 44%
Positive ID of purchaser or account for POS transactions | 37%
Fraud detection pen for currency | 32%
Software with pattern matching or other indicators | 22%
Verify customer state ID card is authentic | 18%
Centralized fraud database for one payment type | 16%
Centralized fraud database for multiple payment types | 11%
Participate in fraudster databases & alerts | 8%
Biometrics authentication | 8%
Magnetic stripe or card chip authentication | 8%

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation

Main Barriers to Reducing Payments Fraud (% of respondents)
Lack of staff resources | 53%
Consumer data privacy issues/concerns | 41%
Cost of implementing a commercially available fraud detection tool/service | 41%
Cost of implementing an in-house fraud detection tool/method | 38%
Lack of a compelling business case (cost vs. benefit) to adopt new or change existing methods | 35%
Unable to combine payment information for review due to operating in multiple states | 3%
Unable to combine payment information for review due to operating with multiple different banks | 3%
Corporate reluctance to share information due to competitive issues | 3%
Other | 15%

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.

Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources

Industry links:
• American Bankers Association, www.aba.com
• Association for Financial Professionals, www.afponline.org
• Bank Administration Institute, www.bai.org
• BITS, www.bitsinfo.org
• Credit Union National Association, www.cuna.org
• Board of Governors of the Federal Reserve System, www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO), www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov
• Federal Reserve Financial Services, www.frbservices.org
• Independent Community Bankers of America, www.icba.org
• National Automated Clearing House Association, www.nacha.org
• National Association of Federal Credit Unions, www.nafcunet.org
• X9 Financial Industry Standards, www.x9.org
Online Sales & Revenue Lost to Fraud (in $ billions)

Year | Total e-commerce revenue | Revenue lost to fraud
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites

Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)

Year | Revenue lost to online fraud (% of online sales) | Online fraud losses ($B)
2000 | 3.6% | $1.5
2001 | 3.2% | $1.7
2002 | 2.9% | $2.1
2003 | 1.7% | $1.9
2004 | 1.8% | $2.6
2005 | 1.6% | $2.8
2006 | 1.4% | $3.1
2007 | 1.4% | $3.7
2008 | 1.4% | $4.0
2009 | 1.2% | $3.3
2010 | 0.9% | $2.7

Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Payment type: ACH

Subtype (fraud type): Credit items (PPD)
  Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

Subtype (fraud type): Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) (footnote 1)
  Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Consumer protection: Consumer has a right of immediate recredit if it notifies its bank within 15 days after receiving the statement.
  Legal authority: NACHA OR (footnote 3) Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI (footnote 2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG (footnote 4) pages 102-103.

(1) ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
(2) Receiving Depository Financial Institution.
(3) NACHA Operating Rules (2009).
(4) NACHA Operating Guidelines (2009). The number following OG refers to the page number.
© 2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent

Appendix A: Payments Fraud Liability Matrix (p. 49)
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Payment type: Check (note 5)

Subtype: Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype: Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype: Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Note 5: These protections also apply to business checks.
Appendix A Payments Fraud Liability Matrix Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (p. 50)

Payment type: Check

Subtype: Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Subtype: Remotely created checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (p. 51)

Payment type: Credit Cards

Subtype: Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 U.S.C. 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA, MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules (note 6).

Subtype: Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 U.S.C. 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA, MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules.

Note 6: The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (p. 52)

Payment type: Debit Cards

Subtype: Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA, MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard Rules.
Appendix A: Payments Fraud Liability Matrix (p. 53)

Payment type: Debit Cards

Subtype: Card not present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA, MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary sources (note 7).
Appendix A: Payments Fraud Liability Matrix (p. 54)

Payment type: Debit Cards

Subtype: Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA, MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Consumer has right of immediate recredit under NACHA Rules if the consumer notifies its bank within 15 days after receiving the statement.
  Legal authority: NACHA OR Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).
Comparative Cost of Payments Fraud (slide 15)

Payment Method | Comparative Value Range | Total Dollar Value | Estimated Loss | Source of Information
Credit Card | $0.07 - $0.14 per $100 purchases | $2.1 trillion | $1.47 - 2.94 billion (2007/2008) | Nilson Report 2008; Javelin 2009 ID Fraud Survey Report
Debit Card – PIN | $0.001 - $0.028 per $100 purchases | $0.3 trillion | $32.7 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – Signature | $0.024 - $0.096 per $100 purchases | $0.6 trillion | $324 million (2007) | Pulse 2008 Debit Issuer Study
Debit Card – ATM | $0.025 per $100 value or $0.025 per transaction | $0.579 trillion (5.8 billion transactions) | $145 million (2007) | Pulse 2008 Debit Issuer Study
ACH | $0.023 per $100 value of transactions | $31 trillion | $6.98 billion (2005/2006) | NACHA 2005; ABA 2006
Check | $0.027 per $100 value of checks paid | $41.6 trillion | $11 billion (2006) | ABA 2006; Nilson Report 2007; FRB Kansas City
Cash | $0.008 per $100 value of cash in circulation | $0.79 trillion in circulation YE '07 | $61 million (2007) | US Secret Service press release, March 2008

DATA IS NOT PRECISE; INTENDED TO ENABLE GENERAL COMPARISON OF FRAUD ACROSS PAYMENT TYPES
Estimated values: for cards, aggregate losses were calculated by applying the 2007 average loss rate to the 2006 payment value. For check & ACH, the loss range was calculated based on the aggregate loss estimate & 2006 payment value.
Total dollar values reflect 2006 estimates from the 2007 Federal Reserve Payments Study, except currency in circulation.
Check Fraud (slide 16)
Small Biz Accounts Targeted More by Check Fraud than Larger Biz (slide 17)
[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank size: Community, Mid-Sized, Regional, Money Center, All. Account type: Large Corporation, Middle Market, Small Business.]
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts (slide 18)
Type of Check Fraud Causing Losses (average percentage per bank)
Based on number of cases with losses: RDIs 35%, Forgeries 26%, Counterfeit 26%, Kiting 4%, Alteration 4%, Other 5%
Based on actual loss amount: RDIs 35%, Forgeries 22%, Counterfeit 30%, Alterations 4%, Kiting 6%, Other 3%
RDI: Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread? (slide 19)
• Low risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  – Certain check security features may be lost through imaging process
  – Certain physical alterations, such as check "washing", may be obscured by imaging process
  – Insider fraud potential may increase as customer employees are not subject to FI screening, e.g. presenting checks more than once, stealing personal information on checks
  – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk (slide 20)
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on check
• Secure check stock & implement dual control around key treasury functions
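As an added example (not from the presentation, and not any bank's or vendor's product), the Python below sketches how positive pay can be combined with an image-survivable reference number: a modulus-10 check digit on the serial number plus a short keyed hash (HMAC, used here in place of the slide's "encrypted check data") over payee and amount, so the paying bank can verify the item from its image and also catch re-presentment through RDC. The key, serials, payees and amounts are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple


def luhn_check_digit(digits: str) -> str:
    """Modulus-10 (Luhn) check digit for a numeric serial number.

    Weights run from the right, doubling every other digit starting with the
    rightmost, because the check digit will be appended after these digits.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def canonical(serial: str, payee: str, amount: Decimal) -> bytes:
    """Normalise fields that keying or OCR may render differently (case, spacing, cents)."""
    payee_norm = " ".join(payee.upper().split())
    return f"{serial}|{payee_norm}|{Decimal(amount):.2f}".encode()


def reference_number(key: bytes, serial: str, payee: str, amount: Decimal) -> str:
    """Printed reference: serial + Luhn digit, '-', 8 hex chars of HMAC-SHA256 over (serial, payee, amount).

    The keyed tag makes a payee or amount change detectable from the image alone; it is
    truncated so it fits on the check face (a constructed layout, not an industry standard).
    """
    tag = hmac.new(key, canonical(serial, payee, amount), hashlib.sha256).hexdigest()[:8].upper()
    return f"{serial}{luhn_check_digit(serial)}-{tag}"


@dataclass(frozen=True)
class PresentedItem:
    """One check arriving for payment, fields as read from the image and MICR line."""
    serial: str
    payee: str
    amount: Decimal
    reference: str  # printed reference number as read from the image


def verify_reference(key: bytes, item: PresentedItem) -> Optional[str]:
    """Exception code if the printed reference does not verify against the item, else None."""
    serial_part = item.reference.split("-", 1)[0]
    if serial_part != item.serial + luhn_check_digit(item.serial):
        return "EXC_CHECK_DIGIT"      # serial altered, mis-read or fabricated
    expected = reference_number(key, item.serial, item.payee, item.amount)
    if not hmac.compare_digest(expected, item.reference):
        return "EXC_REFERENCE_MAC"    # payee or amount is not what the issuer printed
    return None


class PositivePay:
    """Issued-check file match plus verification of the image-survivable reference."""

    def __init__(self, key: bytes, issued: Dict[str, Tuple[str, Decimal]]):
        self.key = key
        self.issued = issued      # serial -> (payee, amount) from the issuer's issued file
        self.paid: set = set()    # serials already paid; catches re-presentment via RDC

    def decide(self, item: PresentedItem) -> str:
        exc = verify_reference(self.key, item)
        if exc:
            return exc
        if item.serial not in self.issued:
            return "EXC_NOT_ISSUED"
        if item.serial in self.paid:
            return "EXC_DUPLICATE"
        payee, amount = self.issued[item.serial]
        if canonical(item.serial, payee, amount) != canonical(item.serial, item.payee, item.amount):
            return "EXC_ISSUED_MISMATCH"
        self.paid.add(item.serial)
        return "PAY"


# Constructed data: a demo key and an issued-check file (serial -> (payee, amount)).
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUED_FILE = {
    "1000234": ("Acme Supply Co", Decimal("1250.00")),
    "1000235": ("Jane Doe", Decimal("80.00")),
}


def run_demo() -> List[str]:
    """Five constructed presentments against the issued file above."""
    pp = PositivePay(ISSUER_KEY, ISSUED_FILE)
    genuine = PresentedItem("1000234", "ACME SUPPLY CO", Decimal("1250.00"),
                            reference_number(ISSUER_KEY, "1000234", "Acme Supply Co", Decimal("1250.00")))
    # Amount washed and re-written; the printed reference still encodes the original amount.
    altered = PresentedItem(genuine.serial, genuine.payee, Decimal("9250.00"), genuine.reference)
    # Counterfeit stock with a made-up serial whose trailing check digit is wrong (1 would be correct).
    counterfeit = PresentedItem("1000999", "CASH", Decimal("500.00"), "10009990-0BADF00D")
    second = PresentedItem("1000235", "JANE DOE", Decimal("80.00"),
                           reference_number(ISSUER_KEY, "1000235", "Jane Doe", Decimal("80.00")))
    # The genuine item is presented a second time to exercise the duplicate check.
    return [pp.decide(x) for x in (genuine, altered, counterfeit, genuine, second)]
```

Every non-PAY result is an exception for the customer's daily decisioning, which is where the slide's "reconcile accounts daily" fits in.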
ACH Fraud (slide 21)
Total ACH Fraud Appears to be Low (slide 22)
• ACH debit transactions grew 16.1% CAGR while unauthorized returned debits grew only 3.6% CAGR
• Impact of network-wide rules shows in downward trend of absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates (slide 23)
On a scale of 1 – 5 with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents
ACH Origination Fraud (slide 24)
Corporate ACH Fraud: number of attempts, % of respondents

Number of attempts | All Respondents (Median = 3) | Revenues > $1 B (Median = 4) | Revenues < $1 B (Median = 3)
1-5 | 68% | 61% | 75%
6-10 | 10% | 8% | 11%
11-15 | 8% | 13% | 0%
16-20 | 3% | 5% | 0%
> 20 | 12% | 13% | 14%

ACH Fraud Resulting in Financial Loss: All Respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover (slide 25)
Criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
Methods used to gain access to account:
• Employee visits social network site, opens infected document
• Trick employee into downloading malware (e.g. keystroke capture virus) from internet
• Social engineering/vishing, e.g. calling & tricking employee to disclose credentials
• Phishing/spear-phishing to trick employee into entering credentials: fraudsters send millions of e-mails from "legitimate" organization to lure employees into clicking on spoofed link
• Hacking computer system that is inadequately protected
Once account is accessed, fraudster transfers funds to "mule" account via ACH transaction; mule accounts are emptied & abandoned
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk (slide 26)
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report
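As an added example, not from the presentation or any bank's service, the Python below implements the decision logic behind the three receive-side controls named above for a corporate account: an ACH debit block (return everything), a debit filter (allowed originators with SEC-code and per-entry amount limits) and ACH positive pay (each pre-authorized item covers exactly one debit). Company IDs, trace numbers and amounts are constructed; R29 (corporate customer advises not authorized) is the NACHA return reason code for this case.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, FrozenSet, List, Optional, Tuple

# NACHA return reason code used when the corporate receiver says it did not
# authorize the debit; it is the only code this example needs to emit.
R29_NOT_AUTHORIZED = "R29"


@dataclass(frozen=True)
class AchDebit:
    """One incoming debit entry, fields taken from the ACH batch header and entry detail."""
    trace: str
    company_id: str      # originator's company identification (batch header)
    company_name: str
    sec_code: str        # standard entry class: CCD, PPD, WEB, TEL, ...
    amount: Decimal


@dataclass(frozen=True)
class AuthorizedOriginator:
    """Debit-filter rule: who may debit the account, for how much, via which SEC codes."""
    company_id: str
    max_amount: Optional[Decimal] = None        # per-entry cap; None = no cap
    sec_codes: FrozenSet[str] = frozenset()     # empty = any SEC code


@dataclass
class AccountPolicy:
    mode: str  # "block": return every debit; "filter": rule match; "positive_pay": item match
    originators: Dict[str, AuthorizedOriginator] = field(default_factory=dict)
    preauthorized: List[Tuple[str, Decimal]] = field(default_factory=list)  # (company_id, amount)


def decide(policy: AccountPolicy, entry: AchDebit) -> Tuple[str, str]:
    """Return ("PAY", reason) or ("RETURN", "R29") for one incoming debit."""
    if policy.mode == "block":
        return ("RETURN", R29_NOT_AUTHORIZED)

    if policy.mode == "positive_pay":
        key = (entry.company_id, entry.amount)
        if key in policy.preauthorized:
            policy.preauthorized.remove(key)  # one pre-authorization covers exactly one debit
            return ("PAY", "matched pre-authorized item")
        return ("RETURN", R29_NOT_AUTHORIZED)

    rule = policy.originators.get(entry.company_id)
    if rule is None:
        return ("RETURN", R29_NOT_AUTHORIZED)     # originator not on the filter
    if rule.sec_codes and entry.sec_code not in rule.sec_codes:
        return ("RETURN", R29_NOT_AUTHORIZED)     # known originator, unexpected channel
    if rule.max_amount is not None and entry.amount > rule.max_amount:
        return ("RETURN", R29_NOT_AUTHORIZED)     # above the agreed per-entry cap
    return ("PAY", "originator on filter within limits")


def run_demo() -> Dict[str, List[str]]:
    """Constructed incoming debits run against each policy mode; returns PAY/RETURN per entry."""
    incoming = [
        AchDebit("091000010000001", "1234567890", "PAYROLL PROCESSOR", "CCD", Decimal("42000.00")),
        AchDebit("091000010000002", "1234567890", "PAYROLL PROCESSOR", "CCD", Decimal("120000.00")),
        AchDebit("091000010000003", "1555555555", "UNKNOWN MERCHANT", "WEB", Decimal("2500.00")),
        AchDebit("091000010000004", "1987654321", "CITY UTILITY", "CCD", Decimal("800.00")),
        # The first payroll debit sent again: the filter still allows it, positive pay does not.
        AchDebit("091000010000005", "1234567890", "PAYROLL PROCESSOR", "CCD", Decimal("42000.00")),
    ]
    filter_policy = AccountPolicy("filter", originators={
        "1234567890": AuthorizedOriginator("1234567890", Decimal("50000.00"), frozenset({"CCD"})),
        "1987654321": AuthorizedOriginator("1987654321"),
    })
    pp_policy = AccountPolicy("positive_pay", preauthorized=[("1234567890", Decimal("42000.00"))])
    block_policy = AccountPolicy("block")
    return {
        "filter": [decide(filter_policy, e)[0] for e in incoming],
        "positive_pay": [decide(pp_policy, e)[0] for e in incoming],
        "block": [decide(block_policy, e)[0] for e in incoming],
    }
```

The daily reconciliation step on the slide is where these RETURN decisions become actual returns, and the 60-day warranty window in the appendix is what backs a later claim for anything missed.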
Card Fraud (slide 27)
Card Fraud Losses (slide 28)
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment Type | Costs ($B)
Losses by online retailer due to credit card fraud | $3.6
Losses by brick-and-mortar retailer due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g. PCI | $2.0 – $5.5
Fraud by Type of B2B Card (slide 29)
Type of fraud, % of respondents: Purchasing Card 72%; T&E Card 45%; Multi-Use Card 27%; Ghost Card 23%; Fleet Card 23%; Other 7%
Experienced fraud from own B2B card use: 42%
Experienced loss due to accepting B2B card: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses (slide 30)
Signature Debit Fraud Losses: Account Takeover 3%; Stolen Card 21%; Lost Card 9%; Counterfeit 37%; e-Commerce & MOTO 25%; Other 5%
PIN Debit Fraud Losses: Account Takeover 7%; Stolen Card 45%; Lost Card 7%; Counterfeit 23%; e-Commerce & MOTO 6%; Other 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk (slide 31)
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud (slide 32)
Main Effects of Cyberspace on Payments Fraud (slide 33)
• Another environment for direct payments fraud, e.g. fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud (slide 34)
Estimated cost of buying information & services online to perpetrate fraud (Source: RSA Security Survey, September 2010)

Item | Cost on Black Market, Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1000
Denial of Service Attack | $50 for 24 hours to single target
Zeus Trojan Virus Kit | $3000 - $4000
Phishing Activity Targets by Industry (slide 35)
[Chart: phishing activity targets by industry]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention (slide 36)
Fraud Detection: More Is Needed (slide 37)
When is fraud usually detected? (% of respondents)
• Customer notifies us: 76%
• At the point of transaction: 48%
• Third-party notification: 41%
• At the point of origination: 26%
• During account audit/reconciliation: 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud (slide 38)
Most effective fraud prevention tools (% of respondents)
• Employee education: 77%
• Customer awareness: 67%
• Fraud tools & technologies: 58%
• Real-time decision tools: 45%
• Manual account monitoring: 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations (slide 39)
Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service; the chart further splits users into "use & very effective", "use & somewhat effective", "use & somewhat ineffective" and "use & very ineffective", and shows those planning to use within 12 to 24 months)
• Account masking services: 16% use
• Post no check services: 22% use
• ACH payee positive pay: 23% use
• ACH positive pay: 28% use
• Card alert services for corporate cards: 29% use
• Account alert services: 36% use
• Check payee positive pay: 42% use
• Multi-factor authentication to initiate payments: 49% use
• ACH debit filters: 49% use
• Check positive pay/reverse positive pay: 51% use
• ACH debit blocks: 57% use
• Online information services: 71% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations (slide 40)
(% of respondents using each control; the chart further splits users into "use & very effective", "use & somewhat effective", "use & somewhat ineffective" and "use & very ineffective", and shows those planning to use within 12 to 24 months)
• Magnetic stripe or card chip authentication: 8% use
• Biometrics authentication: 8% use
• Participate in fraudster databases & alerts: 8% use
• Centralized fraud database for multiple payment types: 11% use
• Centralized fraud database for one payment type: 16% use
• Verify customer state ID card is authentic: 18% use
• Software with pattern matching or other indicators: 22% use
• Fraud detection pen for currency: 32% use
• Positive ID of purchaser or account for POS transactions: 37% use
• Centralized risk management department: 44% use
• Customer authentication for online transactions: 57% use
• Human review of payment transactions: 65% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation (slide 41)
Main barriers to reducing payments fraud (% of respondents)
• Lack of staff resources: 53%
• Consumer data privacy issues/concerns: 41%
• Cost of implementing commercially available fraud detection tool/service: 41%
• Cost of implementing in-house fraud detection tool/method: 38%
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
• Unable to combine payment information for review due to operating in multiple states: 3%
• Unable to combine payment information for review due to operating with multiple different banks: 3%
• Corporate reluctance to share information due to competitive issues: 3%
• Other: 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions (slide 42)
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions (slide 43)
Contact Information (slide 44)
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, brad.larson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerl.rossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org
Resources (slide 45)
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud (slide 46)
Total e-commerce revenue and revenue lost to fraud, in $ billions

Year | Total e-commerce | Revenue lost to fraud
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites (slide 47)
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)

Year | Revenue lost to online fraud (% of sales) | Revenue lost ($B)
2000 | 3.6% | $1.5
2001 | 3.2% | $1.7
2002 | 2.9% | $2.1
2003 | 1.7% | $1.9
2004 | 1.8% | $2.6
2005 | 1.6% | $2.8
2006 | 1.4% | $3.1
2007 | 1.4% | $3.7
2008 | 1.4% | $4.0
2009 | 1.2% | $3.3
2010 | 0.9% | $2.7
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix (p. 48)
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Payment type: ACH

Subtype: Credit items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

Subtype: Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) (note 1)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Consumer protection: Consumer has right of immediate recredit if the consumer notifies the bank within 15 days after receiving the statement.
  Legal authority: NACHA OR (note 3) Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI (note 2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG (note 4) pp. 102, 103.

Note 1: ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
Note 2: Receiving Depository Financial Institution.
Note 3: NACHA Operating Rules (2009).
Note 4: NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (slide 49)

Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Check (5): Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

5 These protections also apply to business checks.

Appendix A: Payments Fraud Liability Matrix. Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (slide 50)

Check: Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check: Remotely created checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (slide 51)

Credit Cards: Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA and MasterCard websites.)
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions. (Legal authority: VISA and MasterCard Rules (6).)

Credit Cards: Card not present (telephone- or web-initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA and MasterCard websites.)
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (Legal authority: VISA and MasterCard Rules.)

6 The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (slide 52)

Debit Cards: Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA and MasterCard websites.)
  Consumer protection under federal law (Reg E):
    - Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)).
    - Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)).
    - Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. (Legal authority: VISA and MasterCard Rules.)
Appendix A: Payments Fraud Liability Matrix (slide 53)

Debit Cards: Card not present (telephone- or web-initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA and MasterCard websites.)
  Consumer protection under federal law (Reg E):
    - Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)).
    - Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)).
    - Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (Legal authority: secondary sources (7).)
Appendix A: Payments Fraud Liability Matrix (slide 54)

Debit Cards: Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA and MasterCard websites.)
  Consumer protection under federal law (Reg E):
    - Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card (Reg E, 12 CFR 205.14(b)(5)(v)).
    - Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.14(b)(5)(v)).
    - Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.14(b)(5)(v)).
  Consumer protection under NACHA Rules: Consumer has a right of immediate recredit if the consumer notifies its bank within 15 days after receiving the statement (NACHA OR Section 8.6.1).
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
Check Fraud
Small Biz Accounts Targeted More by Check Fraud than Larger Biz

[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank sizes: Community, Mid-Sized, Regional, Money Center, All. Account types: Large Corporation, Middle Market, Small Business. Source: 2009 ABA Deposit Account Fraud Survey]
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts

Type of check fraud causing losses (average percentage per bank):

Type        | Based on number of cases with losses | Based on actual loss amount
RDIs        | 35%                                  | 35%
Forgeries   | 26%                                  | 22%
Counterfeit | 26%                                  | 30%
Kiting      | 4%                                   | 6%
Alterations | 4%                                   | 4%
Other       | 5%                                   | 3%

RDI = Returned Deposited Items, e.g. closed accounts, NSFs, stop payments.
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?

- Low-risk crime
- Low barriers & costs to entry
- Account & other information needed is accessible
- Attributes of paper facilitate fraud
- Remote deposit capture (RDC) may increase aspects of fraud risk:
  - Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  - Certain check security features may be lost through the imaging process
  - Certain physical alterations, such as check "washing", may be obscured by the imaging process
  - Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g., presenting checks more than once, stealing personal information on checks)
  - Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk

- Institute positive pay
- Require signature verification
- Reconcile accounts daily
- Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
- Secure check stock & implement dual control around key treasury functions
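How positive pay, payee verification, daily reconciliation and a modulus check digit on the serial fit together, as an added example that is not part of the presentation: the issuer's check register is matched against the bank's daily presentment file, and every mismatch becomes an exception to pay or return that day. The register, presented items and the Luhn-style check digit are constructed illustrations; real positive pay file formats are bank-specific.

```python
"""Check positive pay with payee matching and duplicate-presentment checks.

Added example (not from the slides). The issuer registers every check it
writes (serial, amount, payee) and reconciles the bank's daily file of
presented items against that register; anything that does not match is an
exception to decide on that day. The serial carries a mod-10 (Luhn) check
digit as a stand-in for the "image-survivable" features the slide mentions:
plain printed digits survive imaging, and a serial that fails the digit is
rejected before any register lookup. All data below is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    # Right to left, doubling every second digit starting with the rightmost.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """Serial = body digits followed by their Luhn check digit."""
    return (serial.isdigit() and len(serial) >= 2
            and luhn_check_digit(serial[:-1]) == serial[-1])


def normalise_payee(name: str) -> str:
    """Case, punctuation and spacing differences are not fraud."""
    return " ".join(name.upper().replace(".", " ").replace(",", " ").split())


@dataclass(frozen=True)
class IssuedCheck:
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    trace: str      # bank's item identifier for today's presentment
    serial: str
    amount: Decimal
    payee: str      # payee as read from the check image


def reconcile(register, presented, paid_serials):
    """Match presented items to the register.

    Returns (cleared, exceptions): traces to pay, and trace -> reason for
    items to return. paid_serials is the set of serials paid on earlier
    days; it is updated so a re-presented check (e.g. deposited twice via
    RDC) is caught tomorrow as well as today.
    """
    by_serial = {c.serial: c for c in register}
    seen_today = set()
    cleared, exceptions = [], {}
    for item in presented:
        issued = by_serial.get(item.serial)
        if not serial_is_valid(item.serial):
            reason = "bad-check-digit"          # counterfeit or altered serial
        elif item.serial in paid_serials or item.serial in seen_today:
            reason = "duplicate-presentment"
        elif issued is None:
            reason = "not-issued"               # valid-looking serial never written
        elif item.amount != issued.amount:
            reason = "amount-mismatch"          # altered amount
        elif normalise_payee(item.payee) != normalise_payee(issued.payee):
            reason = "payee-mismatch"           # altered payee
        else:
            cleared.append(item.trace)
            seen_today.add(item.serial)
            continue
        exceptions[item.trace] = reason
    paid_serials.update(seen_today)
    return cleared, exceptions


def run_demo():
    """Constructed register, one day's presentments, and yesterday's paid list."""
    D = Decimal
    register = [
        IssuedCheck("1002344", D("1250.00"), "Acme Supply Co."),
        IssuedCheck("1002351", D("89.99"), "Northwind Traders"),
        IssuedCheck("1002369", D("4000.00"), "Contoso Ltd"),
        IssuedCheck("1002377", D("310.50"), "Fabrikam Inc"),
    ]
    presented = [
        PresentedItem("T1", "1002344", D("1250.00"), "ACME SUPPLY CO"),    # clean
        PresentedItem("T2", "1002351", D("899.90"), "Northwind Traders"),  # amount altered
        PresentedItem("T3", "1002369", D("4000.00"), "J. Random"),         # payee altered
        PresentedItem("T4", "1002385", D("500.00"), "Anyone"),             # never issued
        PresentedItem("T5", "1002340", D("100.00"), "Anyone"),             # bad check digit
        PresentedItem("T6", "1002344", D("1250.00"), "Acme Supply Co."),   # presented twice today
        PresentedItem("T7", "1002377", D("310.50"), "Fabrikam Inc"),       # paid yesterday
    ]
    paid_serials = {"1002377"}
    return reconcile(register, presented, paid_serials)


if __name__ == "__main__":
    cleared, exceptions = run_demo()
    print("pay:", cleared)
    for trace, reason in exceptions.items():
        print("return:", trace, reason)
```

Only T1 clears; the other six items are the check-fraud types from the slides (alteration of amount or payee, counterfeit serial, and the RDC double presentment) surfacing as same-day exceptions.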
ACH Fraud
Total ACH Fraud Appears to be Low

- ACH debit transactions grew at a 16.1% CAGR, while unauthorized returned debits grew at only a 3.6% CAGR
- The impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates

On a scale of 1 to 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH debits    | 4.06               | 4.03               | 4.24                 | 4.12

Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
- Unauthorized debits to accounts
- ACH kiting
- Invalid debit origination/counterfeit ACH
- Fraudulent claims of unauthorized debits
- Insider origination fraud
- Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud

Corporate ACH fraud: number of attempts (percent of respondents)

Number of attempts | All respondents (median = 3) | Revenues > $1 B (median = 4) | Revenues < $1 B (median = 3)
1-5                | 68%                          | 61%                          | 75%
6-10               | 10%                          | 8%                           | 11%
11-15              | 8%                           | 13%                          | 0%
16-20              | 3%                           | 5%                           | 0%
> 20               | 12%                          | 13%                          | 14%

ACH fraud resulting in financial loss:
- All respondents: 11%
- Revenues > $1 B: 9%
- Revenues < $1 B: 18%

3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.

Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover

The criminal element has identified the ACH as vulnerable and has begun targeting smaller corporates & their banks.

Methods used to gain access to the account:
- Employee visits a social network site and opens an infected document
- Trick employee into downloading malware (e.g. keystroke-capture virus) from the internet
- Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
- Phishing/spearphishing to trick an employee into entering credentials; fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
- Hacking a computer system that is inadequately protected

Once the account is accessed, the fraudster transfers funds to a "mule" account via an ACH transaction; mule accounts are emptied & abandoned.

Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk

- Implement best practices for online & IT data security, authenticating customers & initiating payments
- Use ACH positive pay, debit blocks & filters as appropriate
- Implement proactive detection & monitoring
- Develop & use files of known fraudulent recipients, e.g. develop blacklists
- Reconcile accounts daily & make timely returns
- Retain rights of refusal
- Require due diligence of 3rd-party processors
- Educate customers & employees on fraud & how to report it
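The difference between an ACH debit block and a debit filter, as an added example that is not part of the presentation: a block returns every incoming debit, while a filter pays only debits that match an authorization on file (originator company ID and name, permitted SEC codes, per-entry and daily caps) and returns the rest for same-day review. Company IDs, names and amounts are constructed; R29 is the NACHA return reason code for "corporate customer advises not authorized".

```python
"""ACH debit block / debit filter for a corporate account.

Added example (not from the slides). A debit block returns every incoming
ACH debit; a debit filter pays only debits that match an authorization on
file and returns everything else so the corporate can review exceptions
daily and return them in time. Company IDs, names and amounts are
constructed. R29 ("Corporate Customer Advises Not Authorized") is the NACHA
return reason code used for such returns.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    company_id: str            # originator's company identification
    company_name: str          # batch header company name must match too
    sec_codes: frozenset       # SEC codes this originator may use, e.g. CCD, CTX
    max_amount: Decimal        # per-entry cap
    max_daily_total: Decimal   # cap on the sum of paid entries per day


@dataclass(frozen=True)
class DebitEntry:
    trace: str
    company_id: str
    company_name: str
    sec_code: str
    amount: Decimal


@dataclass(frozen=True)
class Decision:
    trace: str
    pay: bool
    reason: str                       # "authorized" or why the item is returned
    return_code: Optional[str] = None


def evaluate(entry, auths, paid_today, block_all=False):
    """Decide one debit. paid_today maps company_id -> amount already paid today."""
    auth = auths.get(entry.company_id)
    running = paid_today.get(entry.company_id, Decimal(0))
    if block_all:
        reason = "debit-block"                   # block mode: nothing is paid
    elif auth is None:
        reason = "unknown-originator"            # no authorization on file
    elif auth.company_name.upper() != entry.company_name.upper():
        reason = "company-name-mismatch"
    elif entry.sec_code not in auth.sec_codes:
        reason = "sec-code-not-permitted"
    elif entry.amount > auth.max_amount:
        reason = "over-entry-limit"
    elif running + entry.amount > auth.max_daily_total:
        reason = "over-daily-total"              # velocity: many small debits
    else:
        paid_today[entry.company_id] = running + entry.amount
        return Decision(entry.trace, True, "authorized")
    return Decision(entry.trace, False, reason, "R29")


def run_daily(entries, auths, block_all=False):
    """Evaluate a day's incoming debits in posting order."""
    paid_today = {}
    return [evaluate(e, auths, paid_today, block_all) for e in entries]


def run_demo(block_all=False):
    """Constructed authorizations and one day's incoming debits."""
    D = Decimal
    auths = {a.company_id: a for a in [
        Authorization("1234567890", "PAYROLL SVC", frozenset({"CCD", "CTX"}),
                      D("25000"), D("50000")),
        Authorization("0987654321", "UTILITY CO", frozenset({"CCD"}),
                      D("5000"), D("5000")),
    ]}
    entries = [
        DebitEntry("E1", "1234567890", "PAYROLL SVC", "CCD", D("20000")),   # pay
        DebitEntry("E2", "1234567890", "PAYROLL SVC", "CCD", D("20000")),   # pay (total 40000)
        DebitEntry("E3", "1234567890", "PAYROLL SVC", "CCD", D("15000")),   # would reach 55000
        DebitEntry("E4", "0987654321", "UTILITY CO", "PPD", D("100")),      # wrong SEC code
        DebitEntry("E5", "5555555555", "ACME COLLECT", "CCD", D("50")),     # not on file
        DebitEntry("E6", "1234567890", "PAYR0LL SVC", "CCD", D("100")),     # name mismatch
        DebitEntry("E7", "0987654321", "UTILITY CO", "CCD", D("4999.99")),  # pay
    ]
    return run_daily(entries, auths, block_all)


if __name__ == "__main__":
    for d in run_demo():
        print(d.trace, "PAY" if d.pay else f"RETURN {d.return_code}", d.reason)
```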
Card Fraud
Card Fraud Losses

- 2009 card fraud losses are estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
- 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
- Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
- Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims

Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment type                                                        | Costs ($B)
Losses by online retailers due to credit card fraud                 | $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g. PCI      | $2.0 to $5.5
Fraud by Type of B2B Card

Type of fraud (% of respondents):
- Experienced fraud from own B2B card use: 42%
- Experienced loss due to accepting B2B cards: 16%

Fraud by card type (% of respondents): Purchasing Card 72% | T&E Card 45% | Multi-Use Card 27% | Ghost Card 23% | Fleet Card 23% | Other 7%

Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Source of loss    | Signature debit fraud losses | PIN debit fraud losses
Account takeover  | 3%                           | 7%
Stolen card       | 21%                          | 45%
Lost card         | 9%                           | 7%
Counterfeit       | 37%                          | 23%
e-Commerce & MOTO | 25%                          | 6%
Other             | 5%                           | 12%

Source: ABA Deposit Account Fraud Survey Report, 2009
Best Ways to Mitigate Card Fraud Risk

- Use intelligent fraud prevention & detection systems to identify high-risk transactions
- Validate compliance with PCI standards
- Use real-time authorization & address verification systems
- Use check card verification codes & secure payment services for card-not-present acceptance
- Respond immediately to fraud & chargeback issues
- Implement programs & protective controls to prevent misuse of corporate payment cards by employees
- Set transaction limits & block unauthorized vendors
- Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud

- Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
- Facilitates cyber crimes central to committing other types of payments fraud later: stolen data is used to make purchases, 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
- Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud

Estimated cost of buying information & services online to perpetrate fraud (Source: RSA Security Survey, September 2010):

Item                                                                                        | Black market cost estimate (2010)
Credit card                                                                                 | $1.50 to $3.00
SSN & date of birth (DOB)                                                                   | $1.50 to $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 to $20
Online banking account (depends on account type & balance)                                  | $50 to $1,000
Denial of service attack                                                                    | $50 for 24 hours to a single target
Zeus Trojan virus kit                                                                       | $3,000 to $4,000
Phishing Activity Targets by Industry

[Chart: phishing activity targets by industry. Source: APWG Phishing Activity Trends Report, 2nd Quarter 2010]
Fraud Prevention
Fraud Detection: More Is Needed

When is fraud usually detected? (% of respondents)
- Customer notifies us: 76%
- At the point of transaction: 48%
- Third-party notification: 41%
- At the point of origination: 26%
- During account audit/reconciliation: 23%

Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud

Most effective fraud prevention tools (% of respondents):
- Employee education: 77%
- Customer awareness: 67%
- Fraud tools & technologies: 58%
- Real-time decision tools: 45%
- Manual account monitoring: 28%

Source: Information Security Media Group, 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
- Authentication/authorization for payment processes
- Dual controls & separation of duties
- Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations

Corporate views on risk services used & effectiveness (% of respondents using each service):
- Account masking services: 16%
- Post no check services: 22%
- ACH payee positive pay: 23%
- ACH positive pay: 28%
- Card alert services for corporate cards: 29%
- Account alert services: 36%
- Check payee positive pay: 42%
- Multi-factor authentication to initiate payments: 49%
- ACH debit filters: 49%
- Check positive pay/reverse positive pay: 51%
- ACH debit blocks: 57%
- Online information services: 71%

(The chart further split each bar into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months.)

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations

(% of respondents using each control)
- Magnetic stripe or card chip authentication: 8%
- Biometrics authentication: 8%
- Participate in fraudster databases & alerts: 8%
- Centralized fraud database for multiple payment types: 11%
- Centralized fraud database for one payment type: 16%
- Verify customer state ID card is authentic: 18%
- Software with pattern matching or other indicators: 22%
- Fraud detection pen for currency: 32%
- Positive ID of purchaser or account for POS transactions: 37%
- Centralized risk management department: 44%
- Customer authentication for online transactions: 57%
- Human review of payment transactions: 65%

(The chart further split each bar into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months.)

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation

Main barriers to reducing payments fraud (% of respondents):
- Lack of staff resources: 53%
- Consumer data privacy issues/concerns: 41%
- Cost of implementing a commercially available fraud detection tool/service: 41%
- Cost of implementing an in-house fraud detection tool/method: 38%
- Lack of a compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
- Unable to combine payment information for review due to operating in multiple states: 3%
- Unable to combine payment information for review due to operating with multiple different banks: 3%
- Corporate reluctance to share information due to competitive issues: 3%
- Other: 15%

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions

1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information

Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, www.frbservices.org
Resources

Industry links:
- American Bankers Association: www.aba.com
- Association for Financial Professionals: www.afponline.org
- Bank Administration Institute: www.bai.org
- BITS: www.bitsinfo.org
- Credit Union National Association: www.cuna.org
- Board of Governors of the Federal Reserve System: www.federalreserve.gov
- Electronic Check Clearing House Organization (ECCHO): www.eccho.com
- Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
- Federal Reserve Financial Services: www.frbservices.org
- Independent Community Bankers of America: www.icba.org
- National Automated Clearing House Association: www.nacha.org
- National Association of Federal Credit Unions: www.nafcunet.org
- X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud

Year | Total e-commerce revenue ($ billions) | Revenue lost to fraud ($ billions)
2000 | 41.7                                  | 1.5
2001 | 53.1                                  | 1.7
2002 | 72.4                                  | 2.1
2003 | 111.8                                 | 1.9
2004 | 144.4                                 | 2.6
2005 | 175.0                                 | 2.8
2006 | 221.4                                 | 3.1
2007 | 264.3                                 | 3.7
2008 | 285.7                                 | 4.0
2009 | 275.0                                 | 3.3
2010 | 300.0                                 | 2.7

Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites

Revenue lost as a percentage of total online sales, and total online fraud losses ($ billions):

Year | Revenue lost to online fraud (% of sales) | Revenue lost to online fraud ($ billions)
2000 | 3.6%                                      | 1.5
2001 | 3.2%                                      | 1.7
2002 | 2.9%                                      | 2.1
2003 | 1.7%                                      | 1.9
2004 | 1.8%                                      | 2.6
2005 | 1.6%                                      | 2.8
2006 | 1.4%                                      | 3.1
2007 | 1.4%                                      | 3.7
2008 | 1.4%                                      | 4.0
2009 | 1.2%                                      | 3.3
2010 | 0.9%                                      | 2.7

Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix (slide 48)

Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

ACH: Credit items (PPD)
  Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of the warranty that the item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH: Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) (1)
  Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement. Consumer has a right of immediate recredit if the consumer notifies the bank within 15 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR (3) Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: The ODFI is liable for breach of the warranty that the item is authorized. The ODFI must accept the return of unauthorized items that the RDFI (2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG (4) 102, 103.

1 ARC means lockbox items pursuant to NACHA OR 3.7. POP means Point of Purchase conversion items pursuant to NACHA OR 3.8. BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check. 2 Receiving Depository Financial Institution. 3 NACHA Operating Rules (2009). 4 NACHA Operating Guidelines (2009); the number following OG refers to the page number.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Appendix A: Payments Fraud Liability Matrix - Check (continued)

Payment type: Check
Subtype (fraud type): Fraudulent alteration
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the alteration or if the consumer failed to timely report it.
Legal authority: UCC 3-407; UCC 4-401 (if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

Payment type: Check
Subtype (fraud type): Remotely created checks
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority: UCC 4-401 (if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check).
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix - Credit Cards

Payment type: Credit cards
Subtype (fraud type): Card present (signature or PIN required)
Consumer protection:
• $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
• $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA, MasterCard websites)
Who is liable if cannot recover against fraudster or merchant: The issuing bank is generally liable for fraudulent transactions.
Legal authority: VISA and MasterCard rules (see footnote 6).

Payment type: Credit cards
Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection:
• $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
• $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA, MasterCard websites)
Who is liable if cannot recover against fraudster or merchant: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal authority: VISA and MasterCard rules.
6 The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix - Debit Cards

Payment type: Debit cards
Subtype (fraud type): Card present (signature or PIN required)
Consumer protection:
• $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA, MasterCard websites)
• Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Legal authority: Reg E, 12 CFR 205.6(b)(1))
• Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Legal authority: Reg E, 12 CFR 205.6(b)(2))
• Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Legal authority: Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The issuing bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
Legal authority: VISA and MasterCard rules.
Appendix A: Payments Fraud Liability Matrix - Debit Cards (continued)

Payment type: Debit cards
Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection:
• $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA, MasterCard websites)
• Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Legal authority: Reg E, 12 CFR 205.6(b)(1))
• Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Legal authority: Reg E, 12 CFR 205.6(b)(2))
• Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Legal authority: Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal authority: Secondary sources (footnote 7).
Appendix A: Payments Fraud Liability Matrix - Decoupled Debit Cards

Payment type: Debit cards
Subtype (fraud type): Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account. Settlement between the merchant and the card issuer is through branded payment networks such as VISA/MasterCard; settlement between the card issuer and the consumer is via ACH debits to the consumer's bank account.)
Consumer protection:
• $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal authority: VISA, MasterCard websites)
• Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. (Legal authority: Reg E, 12 CFR 205.14(b)(5)(v))
• Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. (Legal authority: Reg E, 12 CFR 205.14(b)(5)(v))
• Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. (Legal authority: Reg E, 12 CFR 205.14(b)(5)(v))
• Consumer has a right of immediate recredit under NACHA Rules if the consumer notifies its bank within 15 days after receiving the statement. (Legal authority: NACHA OR Section 8.6.1)
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, either the card issuer or the acquiring bank is liable, depending on whether it is a card-present or card-not-present situation (see debit cards above).
Small Biz Accounts Targeted More by Check Fraud than Larger Biz
[Chart: Target of Check Fraud by Size of Bank & Account Type. Bank sizes: Community, Mid-Sized, Regional, Money Center, All. Account types: Large Corporation, Middle Market, Small Business.]
Source: 2009 ABA Deposit Account Fraud Survey
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of check fraud causing losses (average percentage per bank):

Fraud type    Based on number of cases with losses    Based on actual loss amount
RDIs          35%                                     35%
Forgeries     26%                                     22%
Counterfeit   26%                                     30%
Kiting         4%                                      6%
Alteration     4%                                      4%
Other          5%                                      3%

RDI = Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
• Low-risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk:
  • Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  • Certain check security features may be lost through the imaging process
  • Certain physical alterations, such as check "washing", may be obscured by the imaging process
  • Insider fraud potential may increase, as customer employees are not subject to FI screening (e.g. presenting checks more than once, stealing personal information on checks)
  • Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
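The positive pay and modulus-serial controls listed above, as an added worked example (this is not code from the presentation or from any bank's product). The bank receives an issue file from the customer and decides each presented item against it; a duplicate presentment, an altered amount, a washed payee, a never-issued serial, and a serial whose modulus check digit fails (a counterfeit with an invented number) all become exceptions for the customer to return. The issue-file fields, the item IDs and the use of a Luhn mod-10 check digit are assumptions; check printers use various modulus schemes, and the sample records are constructed.

```python
"""Check positive pay with payee matching and a modulus (check-digit) test on the serial.

Added example; not code from the Federal Reserve presentation. The issue-file and
presented-item records are constructed sample data, and the field names and the
Luhn mod-10 scheme are assumptions (check printers use various modulus schemes).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable


@dataclass(frozen=True)
class IssuedCheck:
    serial: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    item_id: str      # bank-assigned ID for this presentment (assumed field)
    serial: int
    amount: Decimal
    payee: str        # payee name as read from the check image


def has_valid_check_digit(serial: int) -> bool:
    """Luhn mod-10 test: the weighted digit sum, check digit included, must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(str(serial))):
        d = int(ch)
        if i % 2 == 1:             # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: int) -> int:
    """Digit to append to `payload` so the resulting serial passes has_valid_check_digit."""
    return next(d for d in range(10) if has_valid_check_digit(payload * 10 + d))


def _normalize_payee(name: str) -> str:
    # Image-captured payee lines differ from the issue file in case, punctuation and spacing.
    return " ".join(re.sub(r"[^A-Z0-9 ]", "", name.upper()).split())


def positive_pay(issued: Iterable[IssuedCheck], presented: Iterable[PresentedItem]) -> dict[str, str]:
    """Return {item_id: decision}; 'PAY' or 'EXCEPTION:<reason>' for the customer to review."""
    register = {c.serial: c for c in issued}
    seen: set[int] = set()
    decisions: dict[str, str] = {}
    for item in presented:
        if not has_valid_check_digit(item.serial):
            decisions[item.item_id] = "EXCEPTION:BAD_CHECK_DIGIT"        # invented serial (counterfeit)
        elif item.serial not in register:
            decisions[item.item_id] = "EXCEPTION:NOT_ISSUED"             # plausible serial never issued
        elif item.serial in seen:
            decisions[item.item_id] = "EXCEPTION:DUPLICATE_PRESENTMENT"  # e.g. paper re-presented after RDC deposit
        elif item.amount != register[item.serial].amount:
            decisions[item.item_id] = "EXCEPTION:AMOUNT_MISMATCH"        # altered amount
        elif _normalize_payee(item.payee) != _normalize_payee(register[item.serial].payee):
            decisions[item.item_id] = "EXCEPTION:PAYEE_MISMATCH"         # altered or washed payee
        else:
            decisions[item.item_id] = "PAY"
        seen.add(item.serial)
    return decisions


# Constructed sample data: serials 10017, 10025 and 10033 carry valid Luhn check digits.
SAMPLE_ISSUED = [
    IssuedCheck(10017, Decimal("1250.00"), "Acme Supply Co."),
    IssuedCheck(10025, Decimal("925.00"), "Metro Office Products"),
    IssuedCheck(10033, Decimal("400.00"), "City Water Utility"),
]
SAMPLE_PRESENTED = [
    PresentedItem("P1", 10017, Decimal("1250.00"), "ACME SUPPLY CO"),         # clean match
    PresentedItem("P2", 10025, Decimal("9250.00"), "METRO OFFICE PRODUCTS"),  # amount altered 925 -> 9250
    PresentedItem("P3", 10033, Decimal("400.00"), "J Q FRAUDSTER"),           # payee washed
    PresentedItem("P4", 10017, Decimal("1250.00"), "ACME SUPPLY CO"),         # same item presented twice
    PresentedItem("P5", 10018, Decimal("500.00"), "CASH"),                    # serial fails mod-10
    PresentedItem("P6", 10041, Decimal("780.00"), "CASH"),                    # passes mod-10, never issued
]


def run_sample() -> dict[str, str]:
    return positive_pay(SAMPLE_ISSUED, SAMPLE_PRESENTED)


if __name__ == "__main__":
    for item_id, decision in run_sample().items():
        print(item_id, decision)
```

The order of the tests matters: the modulus test runs first because it needs no issue file at all and catches counterfeits with fabricated serials before any lookup, and the duplicate test runs before the amount and payee tests so that a re-presented item is reported as a duplicate rather than as a clean match. Payee positive pay depends on the normalization step; without it, punctuation differences between the issue file and the imaged payee line would produce a flood of false exceptions.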
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
• Impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1-5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud concern    Middle Market 2009   2010    Large Corporate 2009   2010
ACH debits       4.06                 4.03    4.24                   4.12

Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
Corporate ACH fraud: number of attempts (% of respondents)

Number of attempts            1-5   6-10   11-15   16-20   >20
All respondents (median 3)     68     10       8       3    12
Revenues > $1 B (median 4)     61      8      13       5    13
Revenues < $1 B (median 3)     75     11       0       0    14

ACH fraud resulting in financial loss: All respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover
• The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to the account:
  • Employee visits a social network site & opens an infected document
  • Trick an employee into downloading malware (e.g. a keystroke capture virus) from the internet
  • Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
  • Phishing/spearphishing to trick an employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
  • Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
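Two of the controls above, ACH debit blocks/filters and screening of outbound payments against a file of known fraudulent recipients, as an added worked example (this is not code from the presentation, from NACHA or from any bank). The debit filter runs at the receiving bank on incoming debits to a corporate account: an account enrolled with an empty rule set rejects every debit (a block), otherwise only allowlisted originator company IDs pass, each under a per-entry amount cap. The origination screen runs on a customer's outbound credit batch before release and holds it when credits go to a listed mule account or to more new recipients than the customer normally adds, which is how the takeover pattern described above looks from the bank's side. R29 ("Corporate Customer Advises Not Authorized") is the NACHA return reason an RDFI uses for these rejections; the rule table, thresholds, account identifiers and mule list are constructed assumptions.

```python
"""ACH debit filter (RDFI side) and outbound credit screening for corporate account takeover.

Added example; not code from the Federal Reserve presentation or from NACHA. Entries are
constructed sample data; the rule table, thresholds, identifiers and mule list are assumptions.
R29 ("Corporate Customer Advises Not Authorized") is the NACHA return reason an RDFI uses
when a corporate customer's debit block or filter rejects an entry.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IncomingDebit:
    account: str        # our customer's account number (receiving side)
    company_id: str     # originator company identification from the ACH batch header
    sec_code: str       # Standard Entry Class code, e.g. CCD, PPD, WEB
    amount: Decimal


@dataclass(frozen=True)
class OutgoingCredit:
    recipient_rdfi: str       # receiving bank identifier (constructed placeholder)
    recipient_account: str
    recipient_name: str
    amount: Decimal


# Debit filter rules keyed by account. An empty dict is a full debit block; otherwise each
# allowlisted originator company ID carries a per-entry amount cap.
DebitRules = dict[str, dict[str, Decimal]]


def filter_debit(entry: IncomingDebit, rules: DebitRules) -> str:
    """'POST' or 'RETURN_R29:<reason>' for one incoming debit."""
    allowed = rules.get(entry.account)
    if allowed is None:
        return "POST"                                    # account not enrolled; no filter applied
    if not allowed:
        return "RETURN_R29:DEBIT_BLOCK"                  # customer accepts no ACH debits at all
    cap = allowed.get(entry.company_id)
    if cap is None:
        return "RETURN_R29:ORIGINATOR_NOT_ON_FILTER"
    if entry.amount > cap:
        return "RETURN_R29:AMOUNT_OVER_CAP"
    return "POST"


def screen_credit_batch(
    batch: list[OutgoingCredit],
    known_recipients: set[tuple[str, str]],
    mule_list: set[tuple[str, str]],
    max_new_recipients: int = 2,
) -> tuple[str, list[str]]:
    """Screen a customer's outbound credit batch before release: (batch_decision, per-entry flags).

    A takeover shows up as credits to accounts the customer has never paid, often several in
    one batch, or to accounts already on the institution's file of known mule accounts.
    """
    flags: list[str] = []
    new_recipients = 0
    for credit in batch:
        key = (credit.recipient_rdfi, credit.recipient_account)
        if key in mule_list:
            flags.append("KNOWN_MULE_ACCOUNT")
        elif key not in known_recipients:
            flags.append("NEW_RECIPIENT")
            new_recipients += 1
        else:
            flags.append("OK")
    if "KNOWN_MULE_ACCOUNT" in flags or new_recipients > max_new_recipients:
        return "HOLD_FOR_OUT_OF_BAND_CALLBACK", flags     # confirm with the customer by phone, not e-mail
    return "RELEASE", flags


# Constructed sample data.
SAMPLE_RULES: DebitRules = {
    "100200300": {"1123456789": Decimal("50000.00"),     # payroll tax processor, capped
                  "1987654321": Decimal("2500.00")},     # utility, capped
    "100200301": {},                                     # disbursement-only account: block all debits
}
SAMPLE_DEBITS = [
    IncomingDebit("100200300", "1123456789", "CCD", Decimal("41200.00")),  # allowed, under cap
    IncomingDebit("100200300", "1987654321", "CCD", Decimal("7800.00")),   # allowed originator, over cap
    IncomingDebit("100200300", "1555555555", "CCD", Decimal("300.00")),    # originator not on filter
    IncomingDebit("100200301", "1123456789", "CCD", Decimal("10.00")),     # blocked account
    IncomingDebit("100200399", "1555555555", "WEB", Decimal("49.00")),     # account not enrolled
]
KNOWN_PAYROLL = {("RDFI-A", "44550001"), ("RDFI-A", "44550002")}
MULE_LIST = {("RDFI-B", "90001234")}
SAMPLE_BATCH = [
    OutgoingCredit("RDFI-A", "44550001", "A EMPLOYEE", Decimal("2100.00")),  # regular payroll
    OutgoingCredit("RDFI-B", "90001234", "J SMITH", Decimal("9400.00")),     # on mule list
    OutgoingCredit("RDFI-C", "77001111", "K LEE", Decimal("9800.00")),       # new recipient
    OutgoingCredit("RDFI-C", "77002222", "M DIAZ", Decimal("9700.00")),      # new recipient
    OutgoingCredit("RDFI-C", "77003333", "R PATEL", Decimal("9900.00")),     # new recipient
]


def run_sample() -> tuple[list[str], str, list[str]]:
    debit_decisions = [filter_debit(d, SAMPLE_RULES) for d in SAMPLE_DEBITS]
    batch_decision, flags = screen_credit_batch(SAMPLE_BATCH, KNOWN_PAYROLL, MULE_LIST)
    return debit_decisions, batch_decision, flags
```

Two design points: the filter treats "not enrolled" and "enrolled with no allowlist" differently on purpose, since silently posting to a blocked account is the failure mode a block exists to prevent; and the batch hold asks for confirmation through a channel the attacker does not control, because a takeover that came in through the customer's online banking session can also answer e-mail sent to that session's contact address.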
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims

Payment type                                                            Costs ($B)
Losses by online retailers due to credit card fraud                     $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud   $2.0
Cost of compliance with debit & credit card security, e.g. PCI          $2.0 - $5.5

Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Fraud by Type of B2B Card
Type of fraud (% of respondents): Purchasing Card 72%; T&E Card 45%; Multi-Use Card 27%; Ghost Card 23%; Fleet Card 23%; Other 7%
Experienced fraud from own B2B card use: 42%
Experienced loss due to accepting B2B cards: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Fraud source         Signature debit fraud losses   PIN debit fraud losses
Account takeover      3%                             7%
Stolen card          21%                            45%
Lost card             9%                             7%
Counterfeit          37%                            23%
e-Commerce & MOTO    25%                             6%
Other                 5%                            12%

Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Check card verification codes & use secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later: stolen data is used to make purchases, 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (black market estimate, 2010):

Item                                                                                Cost
Credit card                                                                         $1.50 - $3.00
SSN & date of birth (DOB)                                                           $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password,
  address, SSN, DOB)                                                                $5 - $20
Online banking account (depends on account type & balance)                          $50 - $1,000
Denial of service attack                                                            $50 for 24 hours, single target
Zeus Trojan virus kit                                                               $3,000 - $4,000

Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
[Chart] Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
• Customer notifies us: 76%
• At the point of transaction: 48%
• Third-party notification: 41%
• At the point of origination: 26%
• During account audit/reconciliation: 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents):
• Employee education: 77%
• Customer awareness: 67%
• Fraud tools & technologies: 58%
• Real-time decision tools: 45%
• Manual account monitoring: 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & effectiveness (% of respondents using each service; the chart further split users into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective", plus those planning to use within 12 to 24 months):
• Online information services: 71%
• ACH debit blocks: 57%
• Check positive pay/reverse positive pay: 51%
• ACH debit filters: 49%
• Multi-factor authentication to initiate payments: 49%
• Check payee positive pay: 42%
• Account alert services: 36%
• Card alert services for corporate cards: 29%
• ACH positive pay: 28%
• ACH payee positive pay: 23%
• Post no check services: 22%
• Account masking services: 16%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of respondents using each control; the chart further split users into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective", plus those planning to use within 12 to 24 months):
• Human review of payment transactions: 65%
• Customer authentication for online transactions: 57%
• Centralized risk management department: 44%
• Positive ID of purchaser or account for POS transactions: 37%
• Fraud detection pen for currency: 32%
• Software with pattern matching or other indicators: 22%
• Verify customer state ID card is authentic: 18%
• Centralized fraud database for one payment type: 16%
• Centralized fraud database for multiple payment types: 11%
• Participate in fraudster databases & alerts: 8%
• Biometrics authentication: 8%
• Magnetic stripe or card chip authentication: 8%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents):
• Lack of staff resources: 53%
• Consumer data privacy issues/concerns: 41%
• Cost of implementing a commercially available fraud detection tool/service: 41%
• Cost of implementing an in-house fraud detection tool/method: 38%
• Lack of a compelling business case (cost vs benefit) to adopt new or change existing methods: 35%
• Unable to combine payment information for review due to operating in multiple states: 3%
• Unable to combine payment information for review due to operating with multiple different banks: 3%
• Corporate reluctance to share information due to competitive issues: 3%
• Other: 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc, 816-489-4690, tcrawford@amctheatres.com
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseid@mpls.frb.org, www.frbservices.org
Resources
Industry links:
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud

Year   Total e-commerce revenue ($B)   Revenue lost to fraud ($B)
2000    41.7                            1.5
2001    53.1                            1.7
2002    72.4                            2.1
2003   111.8                            1.9
2004   144.4                            2.6
2005   175.0                            2.8
2006   221.4                            3.1
2007   264.3                            3.7
2008   285.7                            4.0
2009   275.0                            3.3
2010   300.0                            2.7

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions):

Year   Revenue lost to online fraud (%)   Online fraud losses ($B)
2000   3.6                                1.5
2001   3.2                                1.7
2002   2.9                                2.1
2003   1.7                                1.9
2004   1.8                                2.6
2005   1.6                                2.8
2006   1.4                                3.1
2007   1.4                                3.7
2008   1.4                                4.0
2009   1.2                                3.3
2010   0.9                                2.7

Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix - ACH

Payment type: ACH
Subtype (fraud type): Credit items (PPD)
Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement.
Legal authority: Reg E, 12 CFR 205.6(b)(3).
Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time.
Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA OR 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4.

Payment type: ACH
Subtype (fraud type): Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5; see footnote 1)
Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement. Consumer has a right of immediate recredit if the consumer notifies the bank within 15 days after receiving the statement.
Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR (footnote 3) Section 8.6.1.
Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI (footnote 2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA OR 2.2.3; the return deadline for debit items is set forth in NACHA OG (footnote 4) pages 102-103.
1 ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
2 Receiving Depository Financial Institution.
3 NACHA Operating Rules (2009).
4 NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix - Check

Payment type: Check (footnote 5)
Subtype (fraud type): Forged (counterfeit) check
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority: UCC 4-401 (if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check).
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment type: Check
Subtype (fraud type): Forged drawer's signature
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
Legal authority: UCC 4-401 (if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment type: Check
Subtype (fraud type): Forged endorsement
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority: UCC 4-401 (if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check).
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

5 These protections also apply to business checks.
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Payment type: Credit Cards
Subtype: Card Present (signature or PIN required)
Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions. Legal authority: VISA and MasterCard Rules (see footnote 6).

Subtype: Card not present (telephone or web initiated use)
Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: VISA and MasterCard Rules.

Footnote 6: The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Payment type: Debit Cards
Subtype: Card Present (signature or PIN required)
Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
Consumer protection: Up to $50, if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1).
Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2).
Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3).
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. Legal authority: VISA and MasterCard Rules.
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Payment type: Debit Cards
Subtype: Card not Present (telephone or web initiated use)
Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
Consumer protection: Up to $50, if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1).
Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2).
Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3).
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: Secondary sources (see footnote 7).
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Payment type: Debit Cards
Subtype: Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account. Settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard. Settlement between card issuer and consumer is via ACH debits to the consumer's bank account.)
Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA, MasterCard websites.
Consumer protection: Up to $50, if the consumer provides notice within four business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until the consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
Consumer protection: The consumer has a right of immediate recredit under NACHA Rules if the consumer notifies its bank within 15 days after receiving the statement. Legal authority: NACHA OR Section 8.6.1.
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).
Check Fraud Losses Caused Most by Counterfeits, Forgeries or Bad Accounts
Type of check fraud causing losses (average percentage per bank):
Based on number of cases with losses: RDIs 35%, Forgeries 26%, Counterfeit 26%, Kiting 4%, Alteration 4%, Other 5%
Based on actual loss amount: RDIs 35%, Forgeries 22%, Counterfeit 30%, Alterations 4%, Kiting 6%, Other 3%
RDI = Returned Deposited Items, e.g. closed accounts, NSFs, stop payments
Source: 2009 ABA Deposit Account Fraud Survey
Why is Check Fraud Persistent & Widespread?
Low risk crime
Low barriers & costs to entry
Account & other information needed is accessible
Attributes of paper facilitate fraud
Remote deposit capture (RDC) may increase aspects of fraud risk:
  Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  Certain check security features may be lost through the imaging process
  Certain physical alterations, such as check "washing", may be obscured by the imaging process
  Insider fraud potential may increase as customer employees are not subject to FI screening, e.g. presenting checks more than once, stealing personal information on checks
  Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
Institute positive pay
Require signature verification
Reconcile accounts daily
Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
Secure check stock & implement dual control around key treasury functions
ACH Fraud
Total ACH Fraud Appears to be Low
ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
Impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:
                 Middle Market      Large Corporate
Fraud Concern    2009    2010       2009    2010
ACH Debits       4.06    4.03       4.24    4.12
Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
ACH fraud that affects corporations:
Unauthorized debits to accounts
ACH kiting
Invalid debit origination/counterfeit ACH
Fraudulent claims of unauthorized debits
Insider origination fraud
Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
Corporate ACH fraud, number of attempts (% of respondents):
Attempts   All Respondents (median = 3)   Revenues > $1 B (median = 4)   Revenues < $1 B (median = 3)
1-5        68                             61                             75
6-10       10                             8                              11
11-15      8                              13                             0
16-20      3                              5                              0
> 20       12                             13                             14
ACH fraud resulting in financial loss: All Respondents 11%, Revenues > $1 B 9%, Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years
Source: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
Criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
Methods used to gain access to the account:
  Employee visits social network site, opens infected document
  Trick employee into downloading malware (e.g. keystroke capture virus) from the internet
  Social engineering/vishing, e.g. calling & tricking employee to disclose credentials
  Phishing/spearphishing to trick employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
  Hacking a computer system that is inadequately protected
Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk
Implement best practices for online & IT data security, authenticating customers & initiating payments
Use ACH positive pay, debit blocks & filters as appropriate
Implement proactive detection & monitoring
Develop & use files of known fraudulent recipients, e.g. develop blacklists
Reconcile accounts daily & make timely returns
Retain rights of refusal
Require due diligence of 3rd party processors
Educate customers & employees on fraud & how to report it
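As an added example (not code from the presentation or from any bank's system), the following Python sketches two of the controls named on the check and ACH mitigation slides: check positive pay with payee matching and a modulus (mod-10) check digit on serial numbers, and an ACH debit block/filter keyed on the originator's company ID. The issued-check file, presented items, filter rules, serials, company IDs, amounts and field names are all constructed sample data.

```python
# Positive pay and ACH debit filter exception checks. Added example for the
# mitigation slides; not code from the presentation. All data is constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Set, Tuple

def modulus_serial_ok(serial: str) -> bool:
    """Mod-10 (Luhn) check on a check serial whose last digit is a check
    digit; it survives imaging because only the printed digits are needed."""
    if len(serial) < 2 or not serial.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(serial)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class CheckItem:                            # issued-file line or presented item
    serial: str
    amount: Decimal
    payee: str                              # presented items: payee read from the image

def normalize_payee(name: str) -> str:
    """Case- and punctuation-insensitive key for payee positive pay."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())

def check_positive_pay(issued: Dict[str, CheckItem], presented: List[CheckItem],
                       already_paid: Set[str]) -> List[Tuple[str, str]]:
    """Return (serial, exception code) for every presented item that must not
    be paid without review; items that match the issued file are not listed."""
    exceptions, paid = [], set(already_paid)
    for item in presented:
        if not modulus_serial_ok(item.serial):
            exceptions.append((item.serial, "BAD_CHECK_DIGIT"))        # counterfeit stock
        elif item.serial in paid:
            exceptions.append((item.serial, "DUPLICATE_PRESENTMENT"))  # deposited twice
        elif item.serial not in issued:
            exceptions.append((item.serial, "NOT_ISSUED"))
        elif issued[item.serial].amount != item.amount:
            exceptions.append((item.serial, "AMOUNT_MISMATCH"))        # altered amount
        elif normalize_payee(issued[item.serial].payee) != normalize_payee(item.payee):
            exceptions.append((item.serial, "PAYEE_MISMATCH"))         # washed payee
        else:
            paid.add(item.serial)
    return exceptions

@dataclass(frozen=True)
class AchDebit:
    company_id: str                         # originator's company identification
    amount: Decimal

@dataclass(frozen=True)
class DebitFilterRule:
    company_id: str
    max_amount: Optional[Decimal] = None    # None means no per-item cap

def ach_debit_filter(rules: Dict[str, DebitFilterRule], debits: List[AchDebit],
                     block_all: bool = False) -> List[Tuple[str, str]]:
    """A debit block (block_all) returns every debit; a debit filter returns
    debits whose originator is not approved or whose amount exceeds its cap."""
    returned = []
    for d in debits:
        rule = rules.get(d.company_id)
        if block_all:
            returned.append((d.company_id, "DEBIT_BLOCK"))
        elif rule is None:
            returned.append((d.company_id, "ORIGINATOR_NOT_APPROVED"))
        elif rule.max_amount is not None and d.amount > rule.max_amount:
            returned.append((d.company_id, "OVER_CAP"))
    return returned

# Constructed sample data. Serials carry a mod-10 check digit (1001 -> 10017).
ISSUED = {c.serial: c for c in (
    CheckItem("10017", Decimal("1250.00"), "Acme Supply Co."),
    CheckItem("10025", Decimal("480.50"), "Jane Doe Consulting"),
    CheckItem("10033", Decimal("99.99"), "Office Mart"),
)}
PRESENTED = [
    CheckItem("10017", Decimal("1250.00"), "ACME SUPPLY CO"),       # matches, pays
    CheckItem("10025", Decimal("4480.50"), "Jane Doe Consulting"),  # amount altered
    CheckItem("10033", Decimal("99.99"), "J. Smith"),               # payee washed
    CheckItem("10041", Decimal("300.00"), "Cash"),                  # never issued
    CheckItem("10042", Decimal("300.00"), "Cash"),                  # bad check digit
    CheckItem("10017", Decimal("1250.00"), "ACME SUPPLY CO"),       # presented again
]
RULES = {r.company_id: r for r in (
    DebitFilterRule("1234567890", Decimal("5000.00")),  # payroll provider, capped
    DebitFilterRule("9876543210"),                      # tax authority, uncapped
)}
DEBITS = [
    AchDebit("1234567890", Decimal("4200.00")),
    AchDebit("1234567890", Decimal("7500.00")),         # over the agreed cap
    AchDebit("5555555555", Decimal("120.00")),          # unknown originator
    AchDebit("9876543210", Decimal("25000.00")),
]

def run_sample() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run both controls over the sample data and return their exception lists."""
    return (check_positive_pay(ISSUED, PRESENTED, already_paid=set()),
            ach_debit_filter(RULES, DEBITS))
```

Every item on an exception list goes to the treasury team for a pay/return decision before the bank's return deadline; the `already_paid` set is what carries yesterday's paid serials into today's run so a re-deposited image is caught.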
Card Fraud
Card Fraud Losses
2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Payment type, costs ($B):
Losses by online retailers due to credit card fraud: $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud: $2.0
Cost of compliance with debit & credit card security, e.g. PCI: $2.0 – $5.5
Fraud by Type of B2B Card
Type of fraud (% of respondents): Purchasing Card 72%, T&E Card 45%, Multi-Use Card 27%, Ghost Card 23%, Fleet Card 23%, Other 7%
Experienced fraud from own B2B card use: 42%
Experienced loss due to accepting B2B card: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature debit fraud losses: Account Takeover 3%, Stolen Card 21%, Lost Card 9%, Counterfeit 37%, e-Commerce & MOTO 25%, Other 5%
PIN debit fraud losses: Account Takeover 7%, Stolen Card 45%, Lost Card 7%, Counterfeit 23%, e-Commerce & MOTO 6%, Other 12%
Source: ABA Deposit Account Fraud Survey Report, 2009
Best Ways to Mitigate Card Fraud Risk
Use intelligent fraud prevention & detection systems to identify high-risk transactions
Validate compliance with PCI standards
Use real-time authorization & address verification systems
Use check card verification codes & secure payment services for card-not-present acceptance
Respond immediately to fraud & chargeback issues
Implement programs & protective controls to prevent misuse of corporate payment cards by employees
Set transaction limits & block unauthorized vendors
Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraud, e.g. fraudulent payment used to buy goods/services online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (black market estimate, 2010):
Credit Card: $1.50 - $3.00
SSN & Date of Birth (DOB): $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 - $20
Online Banking Account (depends on account type & balance): $50 - $1000
Denial of Service Attack: $50 for 24 hours to a single target
Zeus Trojan Virus Kit: $3000 - $4000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
[Chart not reproduced in the extracted text] Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
Customer Notifies Us: 76%
At the Point of Transaction: 48%
Third-Party Notification: 41%
At the Point of Origination: 26%
During Account Audit/Reconciliation: 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents):
Employee Education: 77%
Customer Awareness: 67%
Fraud Tools & Technologies: 58%
Real-Time Decision Tools: 45%
Manual Account Monitoring: 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
Authentication/authorization for payment processes
Dual controls & separation of duties
Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & effectiveness (% of corporations using each service; the chart breaks each bar into: use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months):
Account masking services: 16%
Post no check services: 22%
ACH payee positive pay: 23%
ACH positive pay: 28%
Card alert services for corporate cards: 29%
Account alert services: 36%
Check payee positive pay: 42%
Multi-factor authentication to initiate payments: 49%
ACH debit filters: 49%
Check positive pay/reverse positive pay: 51%
ACH debit blocks: 57%
Online information services: 71%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of corporations using each control; the chart breaks each bar into: use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, plan to use within 12 to 24 months)
Magnetic stripe or card chip authentication: 8%
Biometrics authentication: 8%
Participate in fraudster databases & alerts: 8%
Centralized fraud database for multiple payment types: 11%
Centralized fraud database for one payment type: 16%
Verify customer state ID card is authentic: 18%
Software with pattern matching or other indicators: 22%
Fraud detection pen for currency: 32%
Positive ID of purchaser or account for POS transactions: 37%
Centralized risk management department: 44%
Customer authentication for online transactions: 57%
Human review of payment transactions: 65%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents):
Lack of staff resources: 53%
Consumer data privacy issues/concerns: 41%
Cost of implementing commercially available fraud detection tool/service: 41%
Cost of implementing in-house fraud detection tool/method: 38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
Unable to combine payment information for review due to operating in multiple states: 3%
Unable to combine payment information for review due to operating with multiple different banks: 3%
Corporate reluctance to share information due to competitive issues: 3%
Other: 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry links:
American Bankers Association, www.aba.com
Association for Financial Professionals, www.afponline.org
Bank Administration Institute, www.bai.org
BITS, www.bitsinfo.org
Credit Union National Association, www.cuna.org
Board of Governors of the Federal Reserve System, www.federalreserve.gov
Electronic Check Clearing House Organization (ECCHO), www.eccho.com
Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov
Federal Reserve Financial Services, www.frbservices.org
Independent Community Bankers of America, www.icba.org
National Automated Clearing House Association, www.nacha.org
National Association of Federal Credit Unions, www.nafcunet.org
X9 Financial Industry Standards, www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions:
Year   Total e-commerce revenue   Revenue lost to fraud
2000   41.7                       1.5
2001   53.1                       1.7
2002   72.4                       2.1
2003   111.8                      1.9
2004   144.4                      2.6
2005   175.0                      2.8
2006   221.4                      3.1
2007   264.3                      3.7
2008   285.7                      4.0
2009   275.0                      3.3
2010   300.0                      2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions):
Year   Revenue lost (% of online sales)   Online fraud losses ($B)
2000   3.6                                $1.5
2001   3.2                                $1.7
2002   2.9                                $2.1
2003   1.7                                $1.9
2004   1.8                                $2.6
2005   1.6                                $2.8
2006   1.4                                $3.1
2007   1.4                                $3.7
2008   1.4                                $4.0
2009   1.2                                $3.3
2010   0.9                                $2.7
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Payment type: ACH
Subtype: Credit Items (PPD)
Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. Legal authority: Reg E, 12 CFR 205.6(b)(3).
Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time. Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

Subtype: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5; see footnote 1)
Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. Legal authority: Reg E, 12 CFR 205.6(b)(3).
Consumer protection: Consumer has a right of immediate recredit if the consumer notifies the bank within 15 days after receiving the statement. Legal authority: NACHA OR (see footnote 3) Section 8.6.1.
Who is liable if cannot recover against fraudster or merchant: The ODFI is liable for breach of warranty that the item is authorized. The ODFI must accept the return of unauthorized items that the RDFI (see footnote 2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG (see footnote 4) 102, 103.

Footnote 1: ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E as it specifically excludes items that were first originated by a check.
Footnote 2: Receiving Depository Financial Institution.
Footnote 3: NACHA Operating Rules (2009).
Footnote 4: NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Payment type: Check (see footnote 5)
Subtype: Forged (counterfeit) check
Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: The paying bank is liable as there is no breach of presentment warranty. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype: Forged drawer's signature
Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Consumer protection: Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. Legal authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: The paying bank is liable as there is no breach of presentment warranty. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype: Forged endorsement
Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: The depository bank is liable as there is a breach of transfer or presentment warranties. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Footnote 5: These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Payment type: Check
Subtype: Fraudulent Alteration
Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Consumer protection: Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. Legal authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: The depository bank is liable as there is a breach of transfer or presentment warranties. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Subtype: Remotely Created Checks
Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
© 2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Why is Check Fraud Persistent & Widespread?
• Low risk crime
• Low barriers & costs to entry
• Account & other information needed is accessible
• Attributes of paper facilitate fraud
• Remote deposit capture (RDC) may increase aspects of fraud risk
  – Check alterations, forged or missing endorsements & counterfeits may be harder to detect
  – Certain check security features may be lost through the imaging process
  – Certain physical alterations, such as check "washing", may be obscured by the imaging process
  – Insider fraud potential may increase as customer employees are not subject to FI screening, e.g. presenting checks more than once, stealing personal information on checks
  – Use of RDC by foreign correspondent banks & services may raise money laundering risks
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on the check
• Secure check stock & implement dual control around key treasury functions
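To make the positive pay and modulus serial number points concrete, here is an added example that is not from the presentation and not any bank's product. It validates a mod-10 (Luhn) check digit on each serial number, a stand-in for whatever modulus scheme a check printer actually uses, matches presented items against the issue file on serial, amount and payee, and flags a second presentment of the same serial, the RDC double-deposit case from the previous slide. The issue file and presented items are constructed.

```python
"""Check positive pay with a modulus (mod-10 / Luhn) check digit on serial numbers.

Added example, not from the presentation; the Luhn scheme is a stand-in for
whatever modulus the check printer uses, and the issue file and presented items
below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


def luhn_check_digit(body: str) -> str:
    """Compute the mod-10 (Luhn) check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:        # double every second digit, starting with the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def serial_is_valid(serial: str) -> bool:
    """A serial is body + check digit; an altered or mistyped digit fails the test."""
    if not serial.isdigit() or len(serial) < 2:
        return False
    return luhn_check_digit(serial[:-1]) == serial[-1]


@dataclass(frozen=True)
class Item:
    serial: str
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive payee comparison (payee positive pay)."""
    return " ".join(name.upper().split())


def positive_pay(issued: List[Item], presented: List[Item]) -> Tuple[List[Item], List[Tuple[Item, str]]]:
    """Match presented checks against the issue file.

    Returns (items to pay, exceptions). Each exception carries a reason code
    and is meant for a human pay/return decision before the return deadline.
    """
    issue_file: Dict[str, Item] = {i.serial: i for i in issued}
    paid = set()
    pay: List[Item] = []
    exceptions: List[Tuple[Item, str]] = []
    for item in presented:
        if not serial_is_valid(item.serial):
            exceptions.append((item, "BAD_CHECK_DIGIT"))       # counterfeit or altered serial
        elif item.serial in paid:
            exceptions.append((item, "DUPLICATE_PRESENTMENT"))  # e.g. RDC deposit, then paper deposit
        elif item.serial not in issue_file:
            exceptions.append((item, "NOT_ISSUED"))
        elif issue_file[item.serial].amount != item.amount:
            exceptions.append((item, "AMOUNT_MISMATCH"))        # altered amount
        elif normalize_payee(issue_file[item.serial].payee) != normalize_payee(item.payee):
            exceptions.append((item, "PAYEE_MISMATCH"))         # "washed" payee line
        else:
            pay.append(item)
            paid.add(item.serial)
    return pay, exceptions


# Constructed sample data: serials are a 5-digit body plus a Luhn check digit.
ISSUED = [
    Item("100230", Decimal("1250.00"), "Acme Supply Co"),
    Item("100248", Decimal("89.99"), "Office Mart"),
    Item("100255", Decimal("4000.00"), "Northwind Traders"),
]
PRESENTED = [
    Item("100230", Decimal("1250.00"), "ACME SUPPLY CO"),     # clean match
    Item("100248", Decimal("889.99"), "Office Mart"),         # amount altered
    Item("100255", Decimal("4000.00"), "John Smith"),         # payee washed
    Item("100230", Decimal("1250.00"), "Acme Supply Co"),     # same check presented twice
    Item("100263", Decimal("500.00"), "Acme Supply Co"),      # valid digit, never issued
    Item("100254", Decimal("4000.00"), "Northwind Traders"),  # check digit wrong
]


def run_sample() -> Tuple[List[str], List[Tuple[str, str]]]:
    pay, exceptions = positive_pay(ISSUED, PRESENTED)
    return [i.serial for i in pay], [(i.serial, reason) for i, reason in exceptions]


if __name__ == "__main__":
    print(run_sample())
```

The check digit catches a serial that was altered or mistyped at the teller line before the issue file is even consulted; the exception codes give the treasury reviewer the reason for the mismatch rather than a bare "no match", which matters when the pay/return decision has to be made before the return deadline.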
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew at a 16.1% CAGR while unauthorized returned debits grew at only a 3.6% CAGR
• Impact of network-wide rules shows in the downward trend of the absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud Concern | Middle Market 2009 | Middle Market 2010 | Large Corporate 2009 | Large Corporate 2010
ACH Debits | 4.06 | 4.03 | 4.24 | 4.12
Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud
[Chart: Corporate ACH Fraud, number of attempts (1-5, 6-10, 11-15, 16-20, > 20) by respondent group: All Respondents (Median = 3), Revenues > $1 B (Median = 4), Revenues < $1 B (Median = 3); individual bar values are not recoverable from the transcript]
ACH fraud resulting in financial loss: All Respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
33 of middle market corporations & 102 of large corporations report a major ACH fraud issue in the past two years
Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover
• Criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to account:
  – Employee visits social network site and opens infected document
  – Trick employee into downloading malware (e.g. keystroke capture virus) from the internet
  – Social engineering/vishing, e.g. calling & tricking employee to disclose credentials
  – Phishing/spear-phishing to trick employee into entering credentials; fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
  – Hacking a computer system that is inadequately protected
• Once the account is accessed, fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. May believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
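As an added example of ACH debit blocks, debit filters and ACH positive pay on the receiving account (not from the presentation and not any bank's implementation): each account carries one policy; an unknown or blocked account returns every debit, a filtered account admits only listed originator company IDs within an amount cap and SEC code set, and a positive pay account admits only debits the customer pre-authorized, consuming each authorization once. Accounts, company IDs, limits and entries are constructed; R29 is the NACHA return reason a corporate receiver uses for a debit it did not authorize.

```python
"""ACH debit block, debit filter and ACH positive pay on the receiving account.

Added example, not from the presentation and not any bank's product; accounts,
originator company IDs, limits and entries are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

RETURN_NOT_AUTHORIZED = "R29"   # NACHA return reason: corporate customer advises not authorized


@dataclass(frozen=True)
class DebitEntry:
    account: str
    company_id: str      # originator identification from the ACH batch header
    amount: Decimal
    sec_code: str        # standard entry class: CCD, PPD, WEB, ...


@dataclass(frozen=True)
class FilterRule:
    max_amount: Optional[Decimal] = None           # None = no amount cap
    sec_codes: Optional[frozenset] = None          # None = any SEC code


@dataclass
class AccountPolicy:
    mode: str                                                        # "block", "filter" or "positive_pay"
    rules: Dict[str, FilterRule] = field(default_factory=dict)       # filter: allowed company_id -> rule
    expected: List[Tuple[str, Decimal]] = field(default_factory=list)  # positive pay: (company_id, amount)


def decide(entry: DebitEntry, policies: Dict[str, AccountPolicy]) -> Tuple[str, str]:
    """Return (action, reason): PAY, RETURN with a return code, or EXCEPTION for review."""
    policy = policies.get(entry.account)
    if policy is None or policy.mode == "block":
        # Default deny: an account with no policy is treated like a blocked one.
        return ("RETURN", RETURN_NOT_AUTHORIZED)
    if policy.mode == "filter":
        rule = policy.rules.get(entry.company_id)
        if rule is None:
            return ("RETURN", RETURN_NOT_AUTHORIZED)       # originator not on the allow-list
        if rule.max_amount is not None and entry.amount > rule.max_amount:
            return ("EXCEPTION", "OVER_LIMIT")
        if rule.sec_codes is not None and entry.sec_code not in rule.sec_codes:
            return ("EXCEPTION", "SEC_CODE")
        return ("PAY", "FILTER_MATCH")
    if policy.mode == "positive_pay":
        key = (entry.company_id, entry.amount)
        if key in policy.expected:
            policy.expected.remove(key)                     # each pre-authorization is used once
            return ("PAY", "PREAUTHORIZED")
        return ("EXCEPTION", "NO_PREAUTH")                  # customer decides before the return deadline
    raise ValueError(f"unknown policy mode: {policy.mode}")


def build_policies() -> Dict[str, AccountPolicy]:
    """Constructed policies: payroll blocked, operating filtered, utilities on positive pay."""
    return {
        "ACCT-PAYROLL": AccountPolicy(mode="block"),
        "ACCT-OPERATING": AccountPolicy(mode="filter", rules={
            "1234567890": FilterRule(max_amount=Decimal("50000"), sec_codes=frozenset({"CCD"})),
            "9876543210": FilterRule(),
        }),
        "ACCT-UTILITIES": AccountPolicy(mode="positive_pay", expected=[
            ("5550001111", Decimal("1200.00")),
            ("5550001111", Decimal("1200.00")),
        ]),
    }


SAMPLE_ENTRIES = [  # constructed incoming debits
    DebitEntry("ACCT-PAYROLL", "1234567890", Decimal("100.00"), "CCD"),
    DebitEntry("ACCT-OPERATING", "1234567890", Decimal("25000.00"), "CCD"),
    DebitEntry("ACCT-OPERATING", "1234567890", Decimal("75000.00"), "CCD"),
    DebitEntry("ACCT-OPERATING", "1234567890", Decimal("100.00"), "WEB"),
    DebitEntry("ACCT-OPERATING", "1111111111", Decimal("100.00"), "CCD"),
    DebitEntry("ACCT-OPERATING", "9876543210", Decimal("999999.00"), "PPD"),
    DebitEntry("ACCT-UTILITIES", "5550001111", Decimal("1200.00"), "CCD"),
    DebitEntry("ACCT-UTILITIES", "5550001111", Decimal("1200.00"), "CCD"),
    DebitEntry("ACCT-UTILITIES", "5550001111", Decimal("1200.00"), "CCD"),
    DebitEntry("ACCT-UNKNOWN", "5550001111", Decimal("10.00"), "CCD"),
]


def run_sample() -> List[Tuple[str, str]]:
    policies = build_policies()
    return [decide(e, policies) for e in SAMPLE_ENTRIES]


if __name__ == "__main__":
    for entry, decision in zip(SAMPLE_ENTRIES, run_sample()):
        print(entry.account, entry.company_id, entry.amount, decision)
```

The default-deny branch is the point of a debit block: an account that was never enrolled gets the same treatment as one explicitly blocked, so a new account opened for an unrelated purpose cannot silently receive debits. Exceptions are routed to a person rather than auto-returned because a legitimate vendor changing its amount is far more common than fraud, and the return window is the hard deadline for that decision.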
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment Type | Costs ($B)
Losses by online retailer due to credit card fraud | $3.6
Losses by brick-and-mortar retailer due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g. PCI | $2.0 – $5.5
Fraud by Type of B2B Card
[Chart: share of respondents experiencing fraud by card type] Purchasing Card 72%; T&E Card 45%; Multi-Use Card 27%; Ghost Card 23%; Fleet Card 23%; Other 7%
Source: 2010 AFP Payments Fraud & Control Survey

Type of Fraud | % of Respondents
Experienced fraud from own B2B card use | 42%
Experienced loss due to accepting B2B card | 16%
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Source of loss | Signature Debit Fraud Losses | PIN Debit Fraud Losses
Account Takeover | 3% | 7%
Stolen Card | 21% | 45%
Lost Card | 9% | 7%
Counterfeit | 37% | 23%
e-Commerce & MOTO | 25% | 6%
Other | 5% | 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
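An added example, not from the presentation or any card program, of the real-time authorization controls listed above: per-transaction and daily limits, blocked merchant categories and vendors, and a card-not-present rule that requires both the card verification code and the address verification result to match. The daily limit is a velocity check, so the authorizer keeps state across requests. Limits, merchant category codes, the AVS/CVV result codes and the transactions are constructed for illustration.

```python
"""Real-time authorization controls for corporate cards and card-not-present acceptance.

Added example, not from the presentation; the limits, blocked categories,
AVS/CVV result codes and transactions are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Set


@dataclass(frozen=True)
class AuthRequest:
    card: str
    amount: Decimal
    merchant: str
    mcc: str              # merchant category code
    card_present: bool
    avs: str = ""         # address verification result; "Y" = street and ZIP match (assumed code set)
    cvv: str = ""         # card verification code result; "M" = match (assumed code set)


@dataclass
class CardControls:
    per_txn_limit: Decimal
    daily_limit: Decimal
    blocked_mccs: Set[str] = field(default_factory=set)
    blocked_merchants: Set[str] = field(default_factory=set)


class Authorizer:
    """Applies per-card controls; tracks approved spend so the daily limit is a velocity check."""

    def __init__(self, controls: Dict[str, CardControls]):
        self.controls = controls
        self.spent_today: Dict[str, Decimal] = defaultdict(lambda: Decimal("0"))

    def authorize(self, req: AuthRequest) -> List[str]:
        """Return [] to approve, otherwise every rule the request violates."""
        ctl = self.controls.get(req.card)
        if ctl is None:
            return ["UNKNOWN_CARD"]
        reasons: List[str] = []
        if req.amount > ctl.per_txn_limit:
            reasons.append("PER_TXN_LIMIT")
        if self.spent_today[req.card] + req.amount > ctl.daily_limit:
            reasons.append("DAILY_LIMIT")
        if req.mcc in ctl.blocked_mccs:
            reasons.append("BLOCKED_MCC")
        if req.merchant.upper() in ctl.blocked_merchants:
            reasons.append("BLOCKED_MERCHANT")
        if not req.card_present:
            # Card-not-present: require both the verification code and the address to match.
            if req.cvv != "M":
                reasons.append("CVV_MISMATCH")
            if req.avs != "Y":
                reasons.append("AVS_MISMATCH")
        if not reasons:
            self.spent_today[req.card] += req.amount   # only approved spend counts toward the limit
        return reasons


CONTROLS = {  # constructed
    "CARD-1": CardControls(
        per_txn_limit=Decimal("2000"),
        daily_limit=Decimal("5000"),
        blocked_mccs={"7995"},                   # betting / casino gambling
        blocked_merchants={"BADVENDOR LLC"},
    ),
}

SAMPLE = [  # constructed
    AuthRequest("CARD-1", Decimal("1500"), "Office Mart", "5111", True),
    AuthRequest("CARD-1", Decimal("2500"), "Office Mart", "5111", True),
    AuthRequest("CARD-1", Decimal("1000"), "Lucky Casino", "7995", True),
    AuthRequest("CARD-1", Decimal("300"), "BadVendor LLC", "5999", True),
    AuthRequest("CARD-1", Decimal("900"), "Web Store", "5999", False, avs="Y", cvv="M"),
    AuthRequest("CARD-1", Decimal("900"), "Web Store", "5999", False, avs="N", cvv="N"),
    AuthRequest("CARD-1", Decimal("1900"), "Office Mart", "5111", True),
    AuthRequest("CARD-1", Decimal("800"), "Office Mart", "5111", True),
    AuthRequest("CARD-2", Decimal("10"), "Office Mart", "5111", True),
]


def run_sample() -> List[List[str]]:
    auth = Authorizer(CONTROLS)
    return [auth.authorize(r) for r in SAMPLE]


if __name__ == "__main__":
    for req, reasons in zip(SAMPLE, run_sample()):
        print(req.card, req.merchant, req.amount, "APPROVE" if not reasons else reasons)
```

Returning every violated rule rather than the first one is deliberate: the spend-visibility reporting the slide asks for is only useful if the decline reasons are complete, and a cardholder whose request tripped both a limit and a blocked category should not learn about the second only after the first is lifted.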
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
  – Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (Source: RSA Security Survey, September 2010)

Cost on Black Market | Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set: credit card, CVV2 code, expiration date, username & password, address, SSN, DOB | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1,000
Denial of Service Attack | $50 for 24 hours to a single target
Zeus Trojan Virus Kit | $3,000 - $4,000
Phishing Activity Targets by Industry
[Chart: phishing targets by industry; data not recoverable from the transcript]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
Customer notifies us | 76%
At the point of transaction | 48%
Third-party notification | 41%
At the point of origination | 26%
During account audit/reconciliation | 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents)
Employee Education | 77%
Customer Awareness | 67%
Fraud Tools & Technologies | 58%
Real-Time Decision Tools | 45%
Manual Account Monitoring | 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness (share of respondents using each service; the chart further split users into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective" and "plan to use within 12 to 24 months", which is not recoverable from the transcript)
Account masking services | 16% use
Post no check services | 22% use
ACH payee positive pay | 23% use
ACH positive pay | 28% use
Card alert services for corporate cards | 29% use
Account alert services | 36% use
Check payee positive pay | 42% use
Multi-factor authentication to initiate payments | 49% use
ACH debit filters | 49% use
Check positive pay/reverse positive pay | 51% use
ACH debit blocks | 57% use
Online information services | 71% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(Share of respondents using each control; the chart further split users into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective" and "plan to use within 12 to 24 months", which is not recoverable from the transcript)
Magnetic stripe or card chip authentication | 8% use
Biometrics authentication | 8% use
Participate in fraudster databases & alerts | 8% use
Centralized fraud database for multiple payment types | 11% use
Centralized fraud database for one payment type | 16% use
Verify customer state ID card is authentic | 18% use
Software with pattern matching or other indicators | 22% use
Fraud detection pen for currency | 32% use
Positive ID of purchaser or account for POS transactions | 37% use
Centralized risk management department | 44% use
Customer authentication for online transactions | 57% use
Human review of payment transactions | 65% use
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (% of respondents)
Lack of staff resources | 53%
Consumer data privacy issues/concerns | 41%
Cost of implementing commercially available fraud detection tool/service | 41%
Cost of implementing in-house fraud detection tool/method | 38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods | 35%
Unable to combine payment information for review due to operating in multiple states | 3%
Unable to combine payment information for review due to operating with multiple different banks | 3%
Corporate reluctance to share information due to competitive issues | 3%
Other | 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, brad.larson@claires.com
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerl.rossi@ngc.com
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud (in $ billions)
Year | Total e-commerce revenue ($B) | Revenue lost to fraud ($B)
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
Year | Revenue lost to online fraud (% of online sales) | Online fraud losses ($B)
2000 | 3.6% | 1.5
2001 | 3.2% | 1.7
2002 | 2.9% | 2.1
2003 | 1.7% | 1.9
2004 | 1.8% | 2.6
2005 | 1.6% | 2.8
2006 | 1.4% | 3.1
2007 | 1.4% | 3.7
2008 | 1.4% | 4.0
2009 | 1.2% | 3.3
2010 | 0.9% | 2.7
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Each entry below gives the Payment Type and Subtype (Fraud Type), the Consumer Protection with its Legal Authority, and Who is liable if cannot recover against fraudster or merchant, with its Legal Authority.

Payment Type: ACH
Subtype (Fraud Type): Credit Items (PPD)
  Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement. Legal Authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time. Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4.

Payment Type: ACH
Subtype (Fraud Type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement. Legal Authority: Reg E, 12 CFR 205.6(b)(3). Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement. Legal Authority: NACHA OR [3] Section 8.6.1.
  Who is liable: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for debit items is set forth in NACHA OG [4] pages 102-103.
[1] ARC means lockbox items pursuant to NACHA OR 3.7. POP means Point of Purchase conversion items pursuant to NACHA OR 3.8. BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Payment Type: Check [5]
Subtype (Fraud Type): Forged (counterfeit) check
  Consumer Protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable: Paying bank is liable as there is no breach of presentment warranty. Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check
Subtype (Fraud Type): Forged drawer's signature
  Consumer Protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. Legal Authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Paying bank is liable as there is no breach of presentment warranty. Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check
Subtype (Fraud Type): Forged endorsement
  Consumer Protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable: Depository bank is liable as there is breach of transfer or presentment warranties. Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Payment Type: Check
Subtype (Fraud Type): Fraudulent Alteration
  Consumer Protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal Authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery. Legal Authority: UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Depository bank is liable as there is breach of transfer or presentment warranties. Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

Payment Type: Check
Subtype (Fraud Type): Remotely Created Checks
  Consumer Protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks. Legal Authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Payment Type: Credit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
  Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal Authority: VISA/MasterCard websites.
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions. Legal Authority: VISA and MasterCard Rules [6].

Payment Type: Credit Cards
Subtype (Fraud Type): Card not present (telephone or web initiated use)
  Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal Authority: VISA/MasterCard websites.
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal Authority: VISA and MasterCard Rules.
[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Payment Type: Debit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal Authority: VISA/MasterCard websites.
  Consumer Protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal Authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice. Legal Authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal Authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. Legal Authority: VISA and MasterCard Rules.
Payment Type: Debit Cards
Subtype (Fraud Type): Card not present (telephone or web initiated use)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal Authority: VISA/MasterCard websites.
  Consumer Protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal Authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice. Legal Authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal Authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: The Acquiring Bank is gener
ally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal Authority: Secondary Sources [7].
Payment Type: Debit Cards
Subtype (Fraud Type): Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal Authority: VISA/MasterCard websites.
  Consumer Protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until the consumer actually provides notice. Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer Protection: Consumer has right of immediate recredit under NACHA Rules if notifies its bank within 15 days after receiving statement. Legal Authority: NACHA OR Section 8.6.1.
  Who is liable: Under NACHA Rules the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the card issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
Best Ways to Mitigate Check Fraud Risk
• Institute positive pay
• Require signature verification
• Reconcile accounts daily
• Consider using image-survivable check security features, e.g. modulus check serial numbers/reference numbers, encrypted check data (e.g. payee, amount) printed on check
• Secure check stock & implement dual control around key treasury functions
ACH Fraud
Total ACH Fraud Appears to be Low
• ACH debit transactions grew 16.1% CAGR while unauthorized returned debits grew only 3.6% CAGR
• Impact of network-wide rules shows in downward trend of absolute volume of unauthorized debit returns
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 – 5 with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud.

Fraud Concern    Middle Market 2009   Middle Market 2010   Large Corporate 2009   Large Corporate 2010
ACH Debits       4.06                 4.03                 4.24                   4.12

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination/counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments

Source: Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
ACH Origination Fraud
[Bar chart: Corporate ACH Fraud, percentage of respondents by number of attempts (1-5, 6-10, 11-15, 16-20, > 20), for All Respondents (Median = 3), Revenues > $1 B (Median = 4) and Revenues < $1 B (Median = 3); bar values not reproduced in text]

ACH Fraud Resulting in Financial Loss
• All Respondents: 11%
• Revenues > $1 B: 9%
• Revenues < $1 B: 18%

3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in past two years.

Sources: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix Hecht, After the Financial Crisis
Corporate Account Takeover
Criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks.
Methods used to gain access to account:
• Employee visits social network site, opens infected document
• Trick employee into downloading malware (e.g. keystroke capture virus) from internet
• Social engineering/vishing, e.g. calling & tricking employee to disclose credentials
• Phishing/spearphishing to trick employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
• Hacking computer system that is inadequately protected
Once account is accessed, fraudster transfers funds to "mule" account via ACH transaction; mule accounts are emptied & abandoned.
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. May believe job is legitimate, may be lower-level criminal or have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring; develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
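As an added illustration (not part of the slides), the ACH positive pay / debit block / debit filter controls and the daily reconciliation from the list above, modelled in Python: the account holder files a list of originators allowed to debit the account, every posted debit is matched against it, and anything unmatched is flagged for return. The company IDs, amounts, trace numbers and the 2-day return window are constructed assumptions, not values from the presentation.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AchDebit:
    """One ACH debit entry posted to the corporate account (constructed sample data)."""
    trace: str            # trace number from the entry detail record
    company_id: str       # originator's Company Identification from the batch header
    company_name: str
    sec_code: str         # Standard Entry Class code: CCD, PPD, WEB, ...
    amount_cents: int
    settlement: date


@dataclass(frozen=True)
class AuthorizedOriginator:
    """One line of the positive pay list the account holder files with its bank."""
    company_id: str
    max_amount_cents: Optional[int] = None      # None: no per-item cap
    sec_codes: FrozenSet[str] = frozenset()     # empty: any SEC code allowed
    expires: Optional[date] = None              # None: open-ended authorization


@dataclass
class DebitFilterPolicy:
    """Debit block (no debit posts) or debit filter / ACH positive pay
    (only debits from listed originators, within their limits, post)."""
    block_all_debits: bool = False
    authorized: Dict[str, AuthorizedOriginator] = field(default_factory=dict)

    def evaluate(self, debit: AchDebit) -> Tuple[str, str]:
        """Decide one debit: ("POST" | "RETURN", reason)."""
        if self.block_all_debits:
            return "RETURN", "debit block: account accepts no ACH debits"
        auth = self.authorized.get(debit.company_id)
        if auth is None:
            return "RETURN", f"company ID {debit.company_id} not on positive pay list"
        if auth.expires is not None and debit.settlement > auth.expires:
            return "RETURN", "authorization expired before settlement date"
        if auth.sec_codes and debit.sec_code not in auth.sec_codes:
            return "RETURN", f"SEC code {debit.sec_code} not permitted for this originator"
        if auth.max_amount_cents is not None and debit.amount_cents > auth.max_amount_cents:
            return "RETURN", "amount exceeds authorized cap"
        return "POST", "matches positive pay authorization"


def reconcile(policy: DebitFilterPolicy, debits: List[AchDebit],
              today: date, return_window_days: int) -> List[dict]:
    """Daily reconciliation pass: decide every posted debit and flag returns that
    are already past the return window. The window is measured in calendar days
    and its value is an assumption supplied by the caller; actual return deadlines
    come from the NACHA rules and the bank agreement."""
    report = []
    for d in debits:
        decision, reason = policy.evaluate(d)
        age_days = (today - d.settlement).days
        report.append({
            "trace": d.trace,
            "decision": decision,
            "reason": reason,
            "age_days": age_days,
            "return_overdue": decision == "RETURN" and age_days > return_window_days,
        })
    return report


def build_sample_policy() -> DebitFilterPolicy:
    """Constructed positive pay list: a payroll processor (CCD only, capped at
    $250,000 per item) and a utility (capped at $5,000, authorization ends 2011-12-31)."""
    return DebitFilterPolicy(authorized={
        "1123456789": AuthorizedOriginator("1123456789", max_amount_cents=250_000_00,
                                           sec_codes=frozenset({"CCD"})),
        "1987654321": AuthorizedOriginator("1987654321", max_amount_cents=5_000_00,
                                           expires=date(2011, 12, 31)),
    })


def build_sample_debits() -> List[AchDebit]:
    """Constructed batch: two legitimate items, one oversized payroll debit that
    settled three days ago, and one from an originator that is not on the list."""
    return [
        AchDebit("091000010000001", "1123456789", "PAYROLL CO", "CCD", 180_000_00, date(2011, 4, 1)),
        AchDebit("091000010000002", "1987654321", "METRO UTILITY", "PPD", 1_250_00, date(2011, 4, 1)),
        AchDebit("091000010000003", "1123456789", "PAYROLL CO", "CCD", 400_000_00, date(2011, 4, 1)),
        AchDebit("091000010000004", "1555555555", "ACME PROCESSING", "WEB", 9_900_00, date(2011, 4, 3)),
    ]


def run_daily_reconciliation(today: date = date(2011, 4, 4)) -> List[dict]:
    """Run the sample policy over the sample batch with an assumed 2-day return window."""
    return reconcile(build_sample_policy(), build_sample_debits(), today, return_window_days=2)


if __name__ == "__main__":
    for row in run_daily_reconciliation():
        flag = "  <-- return window missed" if row["return_overdue"] else ""
        print(f'{row["trace"]}: {row["decision"]} ({row["reason"]}){flag}')
```

The oversized payroll debit settled three days before the reconciliation run, so a daily pass would have caught it inside the window; the run shows why "reconcile accounts daily" sits next to the filter itself.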
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment Type                                                           Costs ($B)
Losses by online retailer due to credit card fraud                     $3.6
Losses by brick-and-mortar retailer due to debit & credit card fraud   $20
Cost of compliance with debit & credit card security, e.g. PCI         $20 – $55
Fraud by Type of B2B Card
Percentage of respondents experiencing fraud, by card type:
• Purchasing Card: 72%
• T&E Card: 45%
• Multi-Use Card: 27%
• Ghost Card: 23%
• Fleet Card: 23%
• Other: 7%

Type of Fraud                                    % of Respondents
Experienced Fraud from Own B2B Card Use          42%
Experienced Loss Due to Accepting B2B Card       16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses

Source of loss        Signature Debit Fraud Losses   PIN Debit Fraud Losses
Account Takeover      3%                             7%
Stolen Card           21%                            45%
Lost Card             9%                             7%
Counterfeit           37%                            23%
e-Commerce & MOTO     25%                            6%
Other                 5%                             12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later: stolen data used to make purchases, 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud

Item                                                                                                Cost on Black Market, Estimate (2010)
Credit Card                                                                                         $1.50 - $3.00
SSN & Date of Birth (DOB)                                                                           $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB)    $5 - $20
Online Banking Account (depends on account type & balance)                                          $50 - $1000
Denial of Service Attack                                                                            $50 for 24 hours to single target
Zeus Trojan Virus Kit                                                                               $3000 - $4000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
[Chart of phishing activity targets by industry sector not reproduced in text]
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
• Customer notifies us: 76%
• At the point of transaction: 48%
• Third-party notification: 41%
• At the point of origination: 26%
• During account audit/reconciliation: 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents):
• Employee education: 77%
• Customer awareness: 67%
• Fraud tools & technologies: 58%
• Real-time decision tools: 45%
• Manual account monitoring: 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness (% of corporations using each service):
• Account masking services: 16%
• Post no check services: 22%
• ACH payee positive pay: 23%
• ACH positive pay: 28%
• Card alert services for corporate cards: 29%
• Account alert services: 36%
• Check payee positive pay: 42%
• Multi-factor authentication to initiate payments: 49%
• ACH debit filters: 49%
• Check positive pay/reverse positive pay: 51%
• ACH debit blocks: 57%
• Online information services: 71%
[Chart breakdown of each service into "Use & very effective", "Use & somewhat effective", "Use & somewhat ineffective", "Use & very ineffective" and "Plan to use within 12 to 24 months" not reproduced in text]
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
Percentage of corporations using each internal control:
• Magnetic stripe or card chip authentication: 8%
• Biometrics authentication: 8%
• Participate in fraudster databases & alerts: 8%
• Centralized fraud database for multiple payment types: 11%
• Centralized fraud database for one payment type: 16%
• Verify customer state ID card is authentic: 18%
• Software with pattern matching or other indicators: 22%
• Fraud detection pen for currency: 32%
• Positive ID of purchaser or account for POS transactions: 37%
• Centralized risk management department: 44%
• Customer authentication for online transactions: 57%
• Human review of payment transactions: 65%
[Chart breakdown of each control into "Use & very effective", "Use & somewhat effective", "Use & somewhat ineffective", "Use & very ineffective" and "Plan to use within 12 to 24 months" not reproduced in text]
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud                                                                      % of respondents
Lack of staff resources                                                                                        53%
Consumer data privacy issues/concerns                                                                          41%
Cost of implementing commercially available fraud detection tool/service                                       41%
Cost of implementing in-house fraud detection tool/method                                                      38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods                    35%
Unable to combine payment information for review due to operating in multiple states                            3%
Unable to combine payment information for review due to operating with multiple different banks                 3%
Corporate reluctance to share information due to competitive issues                                             3%
Other                                                                                                          15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, brad.larson@claires.com
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerl.rossi@ngc.com
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)

Year   Total e-commerce revenue ($B)   Revenue lost to online fraud ($B)   Lost as % of online sales
2000   41.7                            1.5                                 3.6%
2001   53.1                            1.7                                 3.2%
2002   72.4                            2.1                                 2.9%
2003   111.8                           1.9                                 1.7%
2004   144.4                           2.6                                 1.8%
2005   175.0                           2.8                                 1.6%
2006   221.4                           3.1                                 1.4%
2007   264.3                           3.7                                 1.4%
2008   285.7                           4.0                                 1.4%
2009   275.0                           3.3                                 1.2%
2010   300.0                           2.7                                 0.9%
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Each row gives: Payment Type and Subtype (Fraud Type); Consumer Protection with its Legal Authority; Who is liable if cannot recover against fraudster or merchant, with its Legal Authority.

ACH - Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if report fraud within 60 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH - Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
  Consumer protection: $0. Consumer not liable if report fraud within 60 days after receiving statement. Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR[3] Section 8.6.1
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG[4] 102, 103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution
[3] NACHA Operating Rules (2009)
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (continued)

Check[5] - Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check - Forged drawer's signature
  Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check - Forged endorsement
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (continued)

Check - Fraudulent Alteration
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check - Remotely Created Checks
  Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (continued)

Credit Cards - Card Present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules[6]

Credit Cards - Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards - Card Present (signature or PIN required)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1), 205.6(b)(2) and 205.6(b)(3) respectively.
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
  Legal authority: VISA and MasterCard Rules
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards - Card not Present (telephone or web initiated use)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1), 205.6(b)(2) and 205.6(b)(3) respectively.
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary Sources[7]
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards - Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Consumer has right of immediate recredit under NACHA Rules if notifies its bank within 15 days after receiving statement.
  Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.14(b)(5)(v); NACHA OR Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
ACH Fraud
21
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Total ACH Fraud Appears to be Low
22
ACH debit transactions grew 161 CAGR while unauthorized returned debits grew only 36 CAGR
Impact of Network-wide rules shows in downward trend of absolute volume of unauthorized debit returns
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
But ACH Fraud Remains a Concern of Corporates
On a scale of 1 ndash 5 with 5 = Very Important corporations have high degree of concern about ACH debit fraud
ACH fraud that affects corporations
Unauthorized debits to accounts
ACH kiting
Invalid debit originationCounterfeit ACH
Fraudulent claims of unauthorized debits
Insider origination fraud
Corporate account takeovers that issue fraudulent ACH payments
23
Source Phoenix Hecht 2010 Report to Treasury Management Monitor Respondents
Middle Market Large Corporate
Fraud Concern 2009 2010 2009 2010
ACH Debits 406 403 424 412
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
ACH Origination Fraud
24
Source 2010 AFP Payment Fraud amp Control Survey
68
108
3
12
61
8
13
5
13
75
11
0 0
14
0
10
20
30
40
50
60
70
80
1-5 6-10 11-15 16-20 gt 20
Number of Attempts
Corporate ACH Fraud
All Respondents (Median = 3)
Revenues gt $1 B (Median = 4)
Revenues lt $1 B (Median = 3)
ACH Fraud Resulting in
Financial Loss
All Respondents 11
Revenues gt $1 B 9
Revenues lt $1 B 18
33 of middle market
corporations amp 102 of
large corporations report
a major ACH fraud issue
in past two years
Source 2010 AFP Payment Fraud amp Control Survey
2011 Phoenix Hecht After the Financial Crisis
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Corporate Account Takeover
The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks.
Methods used to gain access to the account:
• Employee visits social network site & opens infected document
• Trick employee into downloading malware (e.g., keystroke capture virus) from the internet
• Social engineering / vishing, e.g., calling & tricking employee into disclosing credentials
• Phishing / spear phishing to trick employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
• Hacking a computer system that is inadequately protected
Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned.
Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH Positive Pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g., develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
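An added example, not code from the presentation or any of the presenters' organizations, of the debit block / debit filter control in the list above: it pulls the debit entries out of constructed NACHA-format batch records and decides, from an authorized-originator list with per-originator amount caps and SEC codes, which debits the receiving bank would return as not authorized, while a debit block returns them all. The record layouts follow the NACHA fixed-width field positions; the company IDs, routing and account numbers, amounts and trace numbers are invented.

```python
"""Debit block / debit filter decisions over the debit entries of ACH batches.

Constructed example, not code from the presentation: the records are fabricated
94-character NACHA-format batch header (type 5) and entry detail (type 6) records,
built by helpers so the fixed-width positions stay right; every ID and amount is invented.
"""
from dataclasses import dataclass
from decimal import Decimal

DEBIT_TX_CODES = {"27", "37"}  # checking / savings debits; prenotes and zero-dollar entries ignored


def batch_header(company_name, company_id, sec_code, description, eff_date, odfi, batch_no):
    """Type-5 batch header: company ID at positions 41-50, SEC code at 51-53."""
    rec = ("5" + "225" + f"{company_name:<16.16}" + " " * 20 + f"{company_id:<10.10}"
           + sec_code + f"{description:<10.10}" + " " * 6 + eff_date + " " * 3 + "1"
           + odfi + f"{batch_no:07d}")
    assert len(rec) == 94
    return rec


def entry_detail(tx_code, rdfi, account, cents, individual_id, name, trace):
    """Type-6 entry detail: tx code 2-3, RDFI 4-12, account 13-29, amount 30-39, trace 80-94."""
    rec = ("6" + tx_code + rdfi[:8] + rdfi[8] + f"{account:<17.17}" + f"{cents:010d}"
           + f"{individual_id:<15.15}" + f"{name:<22.22}" + "  " + "0" + f"{trace:<15.15}")
    assert len(rec) == 94
    return rec


@dataclass(frozen=True)
class DebitEntry:
    company_id: str    # originator's company identification, from the batch header
    company_name: str
    sec_code: str      # CCD, PPD, WEB, ...
    account: str       # receiver's account being debited
    amount: Decimal    # dollars
    trace: str


@dataclass(frozen=True)
class FilterRule:
    """One authorized originator: debits up to max_amount, restricted to sec_codes if non-empty."""
    company_id: str
    max_amount: Decimal
    sec_codes: frozenset = frozenset()


def parse_debits(records):
    """Collect debit entries, attributing each to the batch header that precedes it."""
    debits, company_id, company_name, sec_code = [], None, None, None
    for rec in records:
        if len(rec) != 94:
            raise ValueError(f"record is {len(rec)} chars, expected 94: {rec!r}")
        if rec[0] == "5":
            company_name, company_id, sec_code = rec[4:20].strip(), rec[40:50].strip(), rec[50:53]
        elif rec[0] == "6":
            if company_id is None:
                raise ValueError("entry detail record before any batch header")
            if rec[1:3] in DEBIT_TX_CODES:
                debits.append(DebitEntry(company_id, company_name, sec_code, rec[12:29].strip(),
                                         Decimal(rec[29:39]).scaleb(-2), rec[79:94]))
    return debits


def screen_debits(entries, rules, mode="filter"):
    """Debit block (mode="block") returns every debit; a debit filter returns those no rule allows.
    Returns (accepted, returned); each returned item pairs the entry with the reason to cite."""
    by_company = {rule.company_id: rule for rule in rules}
    accepted, returned = [], []
    for entry in entries:
        if mode == "block":
            returned.append((entry, "debit block: account accepts no ACH debits"))
            continue
        rule = by_company.get(entry.company_id)
        if rule is None:
            returned.append((entry, f"originator {entry.company_id} not on authorized list"))
        elif rule.sec_codes and entry.sec_code not in rule.sec_codes:
            returned.append((entry, f"SEC code {entry.sec_code} not permitted for {entry.company_id}"))
        elif entry.amount > rule.max_amount:
            returned.append((entry, f"amount {entry.amount} exceeds cap {rule.max_amount}"))
        else:
            accepted.append(entry)
    return accepted, returned


# Constructed batches: one authorized utility biller, one originator the company never approved.
SAMPLE_RECORDS = [
    batch_header("ACME UTILITIES", "1234567890", "CCD", "UTILITY", "110404", "01234567", 1),
    entry_detail("27", "123456789", "000111222333", 150000, "INV-0001", "EXAMPLE CORP", "012345670000001"),
    entry_detail("27", "123456789", "000111222333", 950000, "INV-0002", "EXAMPLE CORP", "012345670000002"),
    entry_detail("22", "123456789", "000111222333", 5000, "REFUND", "EXAMPLE CORP", "012345670000003"),
    batch_header("UNKNOWN ORIG LLC", "9876543210", "WEB", "PURCHASE", "110404", "07654321", 2),
    entry_detail("27", "123456789", "000111222333", 42000, "ORDER77", "EXAMPLE CORP", "076543210000001"),
]
AUTHORIZED = [FilterRule("1234567890", Decimal("5000.00"), frozenset({"CCD"}))]


def run_example():
    """Filter the constructed batches: the $1,500 debit is accepted; the $9,500 one and the unknown originator's are returned."""
    return screen_debits(parse_debits(SAMPLE_RECORDS), AUTHORIZED)


if __name__ == "__main__":
    for entry, reason in run_example()[1]:
        print(f"RETURN {entry.trace} {entry.company_name} {entry.amount}: {reason}")
```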
Card Fraud

Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Sources: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Payment type                                                            Costs ($B)
Losses by online retailer due to credit card fraud                     $36
Losses by brick-and-mortar retailer due to debit & credit card fraud   $20
Cost of compliance with debit & credit card security, e.g., PCI        $20 – $55
Fraud by Type of B2B Card
[Chart: % of respondents experiencing fraud, by card type, values in the order shown – Purchasing Card 72, T&E Card 45, Multi-Use Card 27, Ghost Card 23, Fleet Card 23, Other 7]
Type of fraud                                        % of respondents
Experienced fraud from own B2B card use              42
Experienced loss due to accepting B2B card           16
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Source of loss            Signature debit    PIN debit
Account takeover          3%                 7%
Stolen card               21%                45%
Lost card                 9%                 7%
Counterfeit               37%                23%
e-Commerce & MOTO         25%                6%
Other                     5%                 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting

Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g., fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud:
Item                                                                                              Cost on black market, estimate (2010)
Credit card                                                                                       $1.50 - $3.00
SSN & Date of Birth (DOB)                                                                         $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB)   $5 - $20
Online banking account (depends on account type & balance)                                        $50 - $1,000
Denial of service attack                                                                          $50 for 24 hours to single target
Zeus Trojan virus kit                                                                             $3,000 - $4,000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
[Chart: phishing targets by industry – APWG Phishing Activity Trends Report, 2nd Q 2010]

Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents, values in the order shown)
• Customer notifies us: 76
• At the point of transaction: 48
• Third-party notification: 41
• At the point of origination: 26
• During account audit/reconciliation: 23
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents, values in the order shown):
• Employee education: 77
• Customer awareness: 67
• Fraud tools & technologies: 58
• Real-time decision tools: 45
• Manual account monitoring: 28
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & effectiveness (% of corporations using each service):
• Account masking services: 16%
• Post no check services: 22%
• ACH payee positive pay: 23%
• ACH positive pay: 28%
• Card alert services for corporate cards: 29%
• Account alert services: 36%
• Check payee positive pay: 42%
• Multi-factor authentication to initiate payments: 49%
• ACH debit filters: 49%
• Check positive pay / reverse positive pay: 51%
• ACH debit blocks: 57%
• Online information services: 71%
For each service the chart splits respondents into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months.
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of corporations using each control)
• Magnetic stripe or card chip authentication: 8%
• Biometrics authentication: 8%
• Participate in fraudster databases & alerts: 8%
• Centralized fraud database for multiple payment types: 11%
• Centralized fraud database for one payment type: 16%
• Verify customer state ID card is authentic: 18%
• Software with pattern matching or other indicators: 22%
• Fraud detection pen for currency: 32%
• Positive ID of purchaser or account for POS transactions: 37%
• Centralized risk management department: 44%
• Customer authentication for online transactions: 57%
• Human review of payment transactions: 65%
For each control the chart splits respondents into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months.
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents):
• Lack of staff resources: 53%
• Consumer data privacy issues/concerns: 41%
• Cost of implementing commercially available fraud detection tool/service: 41%
• Cost of implementing in-house fraud detection tool/method: 38%
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
• Unable to combine payment information for review due to operating in multiple states: 3%
• Unable to combine payment information for review due to operating with multiple different banks: 3%
• Corporate reluctance to share information due to competitive issues: 3%
• Other: 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.

Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions (chart values):
Year   Total e-commerce revenue   Revenue lost to fraud
2000   41.7                       1.5
2001   53.1                       1.7
2002   72.4                       2.1
2003   111.8                      1.9
2004   144.4                      2.6
2005   175.0                      2.8
2006   221.4                      3.1
2007   264.3                      3.7
2008   285.7                      4.0
2009   275.0                      3.3
2010   300.0                      2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions):
Year   % of online revenue lost to fraud   Online fraud losses ($B)
2000   3.6                                 $1.5
2001   3.2                                 $1.7
2002   2.9                                 $2.1
2003   1.7                                 $1.9
2004   1.8                                 $2.6
2005   1.6                                 $2.8
2006   1.4                                 $3.1
2007   1.4                                 $3.7
2008   1.4                                 $4.0
2009   1.2                                 $3.3
2010   0.9                                 $2.7
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Columns of the matrix: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority.

ACH – Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH – Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)1
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if bank is notified within 15 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR3 Section 8.6.1
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI2 returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG4 102, 103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
1 ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
2 Receiving Depository Financial Institution
3 NACHA Operating Rules (2009)
4 NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (continued)

Check5 – Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged endorsement
  Consumer protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

5 These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (continued)

Check – Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check – Remotely created checks
  Consumer protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (continued)

Credit Cards – Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA / MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA / MasterCard websites
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules6

Credit Cards – Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA / MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA / MasterCard websites
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules

6 The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards – Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA / MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA / MasterCard websites
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1)
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2)
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
  Legal authority: VISA and MasterCard Rules
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards – Card not present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA / MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA / MasterCard websites
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1)
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2)
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary Sources7
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards – Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA / MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal authority: VISA / MasterCard websites
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
  Consumer protection: Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement.
  Legal authority: NACHA OR Section 8.6.1
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
39
16 Use
22 Use
23 Use
28 Use
29 Use
36 Use
42 Use
49 Use
49 Use
51 Use
57 Use
71 Use
Account masking services
Post no check services
ACH payee positive pay
ACH positive pay
Card alert services for corp cards
Account alert services
Check payee positive pay
Multi-factor authentication to initiate payments
ACH debit filters
Check positive payreverse positive pay
ACH debit blocks
Online information services
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales & Revenue Lost to Fraud (in $ billions)

Year   Total e-commerce revenue   Revenue lost to fraud
2000    41.7                       1.5
2001    53.1                       1.7
2002    72.4                       2.1
2003   111.8                       1.9
2004   144.4                       2.6
2005   175.0                       2.8
2006   221.4                       3.1
2007   264.3                       3.7
2008   285.7                       4.0
2009   275.0                       3.3
2010   300.0                       2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)

Year   Revenue lost to online fraud (% of online sales)   Online fraud losses ($B)
2000   3.6%                                               $1.5
2001   3.2%                                               $1.7
2002   2.9%                                               $2.1
2003   1.7%                                               $1.9
2004   1.8%                                               $2.6
2005   1.6%                                               $2.8
2006   1.4%                                               $3.1
2007   1.4%                                               $3.7
2008   1.4%                                               $4.0
2009   1.2%                                               $3.3
2010   0.9%                                               $2.7
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

For each payment type & subtype (fraud type) the matrix gives the consumer protection with its legal authority, and who is liable if recovery against the fraudster or merchant is not possible, with its legal authority.

ACH: Credit Items (PPD)
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. (Reg E, 12 CFR 205.6(b)(3))
• Who is liable: The Originating Depository Financial Institution ("ODFI") is liable for breach of the warranty that the item is authorized. Credit items can be returned at any time. (The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA OR 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4)

ACH: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. (Reg E, 12 CFR 205.6(b)(3)) Consumer has a right of immediate recredit if the bank is notified within 15 days after receiving the statement. (NACHA OR[3] Section 8.6.1)
• Who is liable: ODFI is liable for breach of the warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. (The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA OR 2.2.3; the return deadline for debit items is set forth in NACHA OG[4] pp. 102-103)

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Checks[5]

Check: Forged (counterfeit) check
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check)
• Who is liable: Paying bank is liable, as there is no breach of presentment warranty. (Presentment warranties are set forth in UCC 3-417 and 4-208)

Check: Forged drawer's signature
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401, as above) Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery. (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report)
• Who is liable: Paying bank is liable, as there is no breach of presentment warranty. (Presentment warranties are set forth in UCC 3-417 and 4-208)

Check: Forged endorsement
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401, as above)
• Who is liable: Depository bank is liable, as there is a breach of transfer or presentment warranties. (Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207)

[5] These protections also apply to business checks.
Check: Fraudulent alteration
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 3-407; UCC 4-401: if a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check) Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery. (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report)
• Who is liable: Depository bank is liable, as there is a breach of transfer or presentment warranties. (Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207)

Check: Remotely created checks
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401, as above)
• Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks. (Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized)
Credit Cards: Card present (signature or PIN required)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)) $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
• Who is liable: The Issuing Bank is generally liable for fraudulent transactions. (VISA and MasterCard Rules[6])

Credit Cards: Card not present (telephone or web initiated use)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. (TILA, 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)) $0 under VISA/MasterCard consumer policies, on the same conditions as for card present. (VISA/MasterCard websites)
• Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (VISA and MasterCard Rules)

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit Cards: Card present (signature or PIN required)
• Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites) Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (12 CFR 205.6(b)(1)); up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (12 CFR 205.6(b)(2)); unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.6(b)(3)).
• Who is liable: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. (VISA and MasterCard Rules)
Debit Cards: Card not present (telephone or web initiated use)
• Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites) Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (12 CFR 205.6(b)(1)); up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (12 CFR 205.6(b)(2)); unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.6(b)(3)).
• Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (Secondary sources[7])
Debit Cards: Decoupled debit cards (cards issued by an institution other than the bank at which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
• Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites) Under Reg E: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card (12 CFR 205.14(b)(5)(v)); up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice (12 CFR 205.14(b)(5)(v)); unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.14(b)(5)(v)). Consumer has a right of immediate recredit under the NACHA Rules if its bank is notified within 15 days after receiving the statement. (NACHA OR Section 8.6.1)
• Who is liable: Under the NACHA Rules the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the card issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation (see debit cards above).
But ACH Fraud Remains a Concern of Corporates

On a scale of 1 – 5, with 5 = Very Important, corporations have a high degree of concern about ACH debit fraud:

Fraud concern   Middle Market 2009   Middle Market 2010   Large Corporate 2009   Large Corporate 2010
ACH debits      4.06                 4.03                 4.24                   4.12
Source: Phoenix-Hecht 2010 Report to Treasury Management Monitor Respondents

ACH fraud that affects corporations:
• Unauthorized debits to accounts
• ACH kiting
• Invalid debit origination / counterfeit ACH
• Fraudulent claims of unauthorized debits
• Insider origination fraud
• Corporate account takeovers that issue fraudulent ACH payments
ACH Origination Fraud

Corporate ACH fraud: number of attempts (% of respondents)
Attempts   All respondents (median = 3)   Revenues > $1B (median = 4)   Revenues < $1B (median = 3)
1-5        68%                            61%                           75%
6-10       10%                             8%                           11%
11-15       8%                            13%                            0%
16-20       3%                             5%                            0%
> 20       12%                            13%                           14%

ACH fraud resulting in financial loss: all respondents 11%; revenues > $1B 9%; revenues < $1B 18%

3.3% of middle-market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years

Sources: 2010 AFP Payment Fraud & Control Survey; Phoenix-Hecht 2011, After the Financial Crisis
Corporate Account Takeover
• The criminal element has identified the ACH as vulnerable and has begun targeting smaller corporates & their banks
• Methods used to gain access to the account:
  – Employee visits a social network site and opens an infected document
  – Employee is tricked into downloading malware (e.g. a keystroke-capture virus) from the Internet
  – Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
  – Phishing/spear phishing to trick an employee into entering credentials: fraudsters send millions of e-mails purporting to come from a "legitimate" organization to lure employees into clicking on a spoofed link
  – Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to "mule" accounts via ACH transactions; the mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processors" or "financial agents" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH positive pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd-party processors
• Educate customers & employees on fraud & how to report it
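As an added example (not code from the presentation or from any of the organizations named in it), the decision logic behind three of the controls above: an ACH debit block, an ACH debit filter / positive pay with per-originator caps, and a file of known fraudulent recipients, applied to the records of one NACHA batch. The 94-character fixed-width layouts of the batch header ('5') and entry detail ('6') records are the standard NACHA file format and the ABA routing-number check digit is the standard one; the account numbers, routing numbers, originator company ID, per-account policies, blacklist entries and the choice of return reason code R29 (corporate customer advises not authorized) are constructed assumptions for illustration.

```python
"""ACH debit block / debit filter (positive pay) and recipient screening over
NACHA-format batch records.

Added example, not code from the original presentation. The 94-character record
layouts are the standard NACHA file format; every account number, routing
number, company ID, policy and blacklist entry below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DEBIT_CODES = {"27", "37"}   # debit to checking / savings
CREDIT_CODES = {"22", "32"}  # credit to checking / savings
R29 = "R29"                  # return reason: corporate customer advises not authorized


def routing_check_digit_ok(routing: str) -> bool:
    """ABA check: weighted sum (weights 3,7,1 repeating) of all 9 digits is 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


@dataclass
class BatchHeader:
    company_name: str   # positions 5-20
    company_id: str     # originator identification, positions 41-50
    sec_code: str       # positions 51-53


@dataclass
class Entry:
    transaction_code: str  # positions 2-3
    routing: str           # 8-digit receiving DFI id + check digit, positions 4-12
    account: str           # positions 13-29
    amount_cents: int      # positions 30-39
    trace: str             # positions 80-94


def parse_batch_header(line: str) -> BatchHeader:
    if len(line) != 94 or line[0] != "5":
        raise ValueError("not a 94-character batch header record")
    return BatchHeader(line[4:20].strip(), line[40:50].strip(), line[50:53])


def parse_entry(line: str) -> Entry:
    if len(line) != 94 or line[0] != "6":
        raise ValueError("not a 94-character entry detail record")
    return Entry(line[1:3], line[3:12], line[12:29].strip(), int(line[29:39]), line[79:94])


@dataclass
class DebitPolicy:
    """Per-account rule: 'block' returns every debit; 'filter' pays only the listed
    originator company IDs, each up to its cap in cents (ACH positive pay)."""
    mode: str
    allowed: Dict[str, int]


def screen_batch(lines: List[str], policies: Dict[str, DebitPolicy],
                 blacklist: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (trace number, disposition, reason) for every entry in one batch.
    Debits are checked against the receiving account's policy; credits are
    checked against the (routing, account) pairs of known fraudulent recipients."""
    header = parse_batch_header(lines[0])
    decisions = []
    for line in lines[1:]:
        if not line.startswith("6"):
            continue  # addenda ('7') and batch control ('8') records carry no decision
        e = parse_entry(line)
        if not routing_check_digit_ok(e.routing):
            decisions.append((e.trace, "return", "invalid routing number check digit"))
        elif e.transaction_code in DEBIT_CODES:
            policy = policies.get(e.account)
            if policy is None:
                decisions.append((e.trace, "pay", "no debit policy on account"))
            elif policy.mode == "block":
                decisions.append((e.trace, "return", f"{R29}: debit block on account"))
            elif header.company_id not in policy.allowed:
                decisions.append((e.trace, "return", f"{R29}: originator {header.company_id} not on filter"))
            elif e.amount_cents > policy.allowed[header.company_id]:
                decisions.append((e.trace, "return", f"{R29}: amount {e.amount_cents} exceeds cap"))
            else:
                decisions.append((e.trace, "pay", "originator on filter, within cap"))
        elif e.transaction_code in CREDIT_CODES:
            if (e.routing, e.account) in blacklist:
                decisions.append((e.trace, "hold", "recipient on known-fraud list"))
            else:
                decisions.append((e.trace, "pay", "credit, recipient not on list"))
        else:
            decisions.append((e.trace, "hold", f"unhandled transaction code {e.transaction_code}"))
    return decisions


# --- constructed sample batch (all identifiers fictitious) --------------------
def make_header(company_name: str, company_id: str, sec: str) -> str:
    return ("5" + "200" + company_name.ljust(16) + " " * 20 + company_id.ljust(10)
            + sec + "ACH ENTRY " + " " * 6 + "110404" + "   " + "1" + "12345678" + "0000001")


def make_entry(tx: str, routing: str, account: str, cents: int, name: str, seq: int) -> str:
    return ("6" + tx + routing + account.ljust(17) + str(cents).zfill(10) + " " * 15
            + name.ljust(22) + "  " + "0" + "12345678" + str(seq).zfill(7))


SAMPLE_BATCH = [
    make_header("POWER UTILITY", "1234567890", "CCD"),
    make_entry("27", "123456780", "1001", 42_500, "ACME TREASURY", 1),   # on filter, under cap
    make_entry("27", "123456780", "1001", 900_000, "ACME TREASURY", 2),  # on filter, over cap
    make_entry("27", "123456780", "2002", 1_000, "ACME PAYROLL", 3),     # account is debit-blocked
    make_entry("27", "123456780", "3003", 1_000, "ACME OTHER", 4),       # no policy: paid
    make_entry("22", "012345672", "555", 250_000, "J MULE", 5),          # recipient on blacklist
    make_entry("22", "012345679", "556", 100, "BAD ROUTING", 6),         # check digit fails
]
POLICIES = {
    "1001": DebitPolicy("filter", {"1234567890": 50_000}),  # utility may debit up to $500
    "2002": DebitPolicy("block", {}),
}
BLACKLIST = {("012345672", "555")}

if __name__ == "__main__":
    for trace, disposition, reason in screen_batch(SAMPLE_BATCH, POLICIES, BLACKLIST):
        print(trace, disposition, reason)
```

Run it and one disposition is printed per entry. In practice the filter list and caps come from the corporate customer's positive-pay instructions to its bank, the blacklist from the organization's own fraud files, and "hold" items go to a reviewer before the file is released; the daily reconciliation and timely returns in the list above are what keep a returned item inside the 60-day window.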
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment type                                                              Costs ($B)
Losses by online retailers due to credit card fraud                       $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud     $2.0
Cost of compliance with debit & credit card security (e.g. PCI)           $2.0 – $5.5
Fraud by Type of B2B Card (% of respondents)
Purchasing card   72%
T&E card          45%
Multi-use card    27%
Ghost card        23%
Fleet card        23%
Other              7%

Type of fraud                                   % of respondents
Experienced fraud from own B2B card use         42%
Experienced loss due to accepting B2B cards     16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Share of fraud losses by source   Signature debit   PIN debit
Account takeover                   3%               7%
Stolen card                       21%              45%
Lost card                          9%               7%
Counterfeit                       37%              23%
e-Commerce & MOTO                 25%               6%
Other                              5%              12%
Source: ABA Deposit Account Fraud Survey Report, 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Check card verification codes & use secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later: stolen data is used to make purchases 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud

Item                                                                                         Cost on black market, estimate (2010)
Credit card                                                                                  $1.50 – $3.00
SSN & date of birth (DOB)                                                                    $1.50 – $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB)   $5 – $20
Online banking account (depends on account type & balance)                                   $50 – $1,000
Denial of service attack                                                                     $50 for 24 hours to a single target
Zeus Trojan virus kit                                                                        $3,000 – $4,000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
Source: APWG Phishing Activity Trends Report, 2nd Quarter 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
Customer notifies us                    76%
At the point of transaction             48%
Third-party notification                41%
At the point of origination             26%
During account audit/reconciliation     23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents)
Employee education             77%
Customer awareness             67%
Fraud tools & technologies     58%
Real-time decision tools       45%
Manual account monitoring      28%
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
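As an added example (not from the presentation), a minimal payment-release workflow that enforces the first two of those controls in code and writes the audit trail the third depends on: the initiator of a payment can never approve it, every approval needs the approver role and a distinct user, payments at or above a threshold need two approvers, and amending a pending payment voids approvals already collected. The users, roles, amounts and the $25,000 dual-approval threshold are constructed assumptions.

```python
"""Dual control / separation of duties for payment release, with an audit trail.

Added example, not from the original presentation. Users, roles, amounts and
the dual-approval threshold are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class ControlViolation(Exception):
    """Raised when an action would break dual control or separation of duties."""


@dataclass
class User:
    name: str
    roles: Set[str]          # "initiator" and/or "approver"


@dataclass
class Payment:
    payment_id: str
    amount_cents: int
    payee: str
    initiator: str
    approvers: List[str] = field(default_factory=list)
    state: str = "pending"   # pending -> released


class PaymentReleaseControl:
    """Maker/checker workflow. Every action is appended to an audit trail so a
    later management review can verify that the controls were applied."""

    def __init__(self, users: Dict[str, User], dual_approval_threshold_cents: int):
        self.users = users
        self.threshold = dual_approval_threshold_cents
        self.audit: List[str] = []

    def _require_role(self, user: str, role: str) -> None:
        if user not in self.users or role not in self.users[user].roles:
            raise ControlViolation(f"{user} lacks role {role}")

    def required_approvals(self, p: Payment) -> int:
        return 2 if p.amount_cents >= self.threshold else 1

    def initiate(self, payment_id: str, amount_cents: int, payee: str, user: str) -> Payment:
        self._require_role(user, "initiator")
        p = Payment(payment_id, amount_cents, payee, initiator=user)
        self.audit.append(f"{payment_id} initiated by {user}: {amount_cents} cents to {payee}")
        return p

    def amend_amount(self, p: Payment, user: str, new_amount_cents: int) -> None:
        if p.state != "pending":
            raise ControlViolation("released payments are immutable")
        self._require_role(user, "initiator")
        p.amount_cents = new_amount_cents
        p.approvers.clear()  # approvals were given for the old amount
        self.audit.append(f"{p.payment_id} amended by {user} to {new_amount_cents}; approvals reset")

    def approve(self, p: Payment, user: str) -> str:
        self._require_role(user, "approver")
        if p.state != "pending":
            raise ControlViolation("payment already released")
        if user == p.initiator:
            raise ControlViolation("separation of duties: initiator cannot approve own payment")
        if user in p.approvers:
            raise ControlViolation("dual control: second approval must come from a different user")
        p.approvers.append(user)
        self.audit.append(f"{p.payment_id} approved by {user} ({len(p.approvers)}/{self.required_approvals(p)})")
        if len(p.approvers) >= self.required_approvals(p):
            p.state = "released"
            self.audit.append(f"{p.payment_id} released")
        return p.state


USERS = {  # constructed
    "alice": User("alice", {"initiator"}),
    "bob": User("bob", {"approver"}),
    "carol": User("carol", {"initiator", "approver"}),
    "dave": User("dave", {"approver"}),
}


def _blocked(action: Callable[[], object]) -> bool:
    """True if the control stopped the action."""
    try:
        action()
    except ControlViolation:
        return True
    return False


def demo() -> dict:
    """Run the workflow on constructed payments and report what each control did."""
    ctl = PaymentReleaseControl(USERS, dual_approval_threshold_cents=2_500_000)
    small = ctl.initiate("P-1", 1_000_000, "Vendor A", "alice")         # $10,000: one approver
    out = {"self_approval_blocked": _blocked(lambda: ctl.approve(small, "alice"))}
    out["small_state"] = ctl.approve(small, "bob")
    big = ctl.initiate("P-2", 5_000_000, "Vendor B", "carol")           # $50,000: two approvers
    out["own_approval_blocked"] = _blocked(lambda: ctl.approve(big, "carol"))
    out["after_first"] = ctl.approve(big, "bob")
    out["repeat_blocked"] = _blocked(lambda: ctl.approve(big, "bob"))
    ctl.amend_amount(big, "carol", 6_000_000)                           # voids bob's approval
    out["approvals_after_amend"] = len(big.approvers)
    ctl.approve(big, "bob")
    out["big_state"] = ctl.approve(big, "dave")
    out["audit_entries"] = len(ctl.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Carol holds both roles, which is common in small treasury teams; the check is on the payment's own initiator, not on the role set, so she can approve Alice's payments but never her own. The reset on amendment closes the "approve, then edit the payee or amount" hole that a bank's own dual-control feature also guards against.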
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & their effectiveness (% of respondents using each service)
Online information services                          71%
ACH debit blocks                                     57%
Check positive pay / reverse positive pay            51%
ACH debit filters                                    49%
Multi-factor authentication to initiate payments     49%
Check payee positive pay                             42%
Account alert services                               36%
Card alert services for corporate cards              29%
ACH positive pay                                     28%
ACH payee positive pay                               23%
Post no check services                               22%
Account masking services                             16%
Each bar was further split into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(% of respondents using each control)
Human review of payment transactions                    65%
Customer authentication for online transactions         57%
Centralized risk management department                  44%
Positive ID of purchaser or account for POS transactions   37%
Fraud detection pen for currency                        32%
Software with pattern matching or other indicators      22%
Verify customer state ID card is authentic              18%
Centralized fraud database for one payment type         16%
Centralized fraud database for multiple payment types   11%
Participate in fraudster databases & alerts              8%
Biometrics authentication                                8%
Magnetic stripe or card chip authentication              8%
Each bar was further split into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents)
Lack of staff resources                                                                              53%
Consumer data privacy issues/concerns                                                                41%
Cost of implementing commercially available fraud detection tool/service                             41%
Cost of implementing in-house fraud detection tool/method                                            38%
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods           35%
Unable to combine payment information for review due to operating in multiple states                  3%
Unable to combine payment information for review due to operating with multiple different banks       3%
Corporate reluctance to share information due to competitive issues                                   3%
Other                                                                                                15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests U.S. payments fraud is mitigated reasonably well today.
2. Fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions:
Year   Total e-commerce   Lost to fraud
2000   41.7               1.5
2001   53.1               1.7
2002   72.4               2.1
2003   111.8              1.9
2004   144.4              2.6
2005   175.0              2.8
2006   221.4              3.1
2007   264.3              3.7
2008   285.7              4.0
2009   275.0              3.3
2010   300.0              2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales, and total online fraud losses ($ billions):
Year   % of online sales lost   Losses ($B)
2000   3.6%                     $1.5
2001   3.2%                     $1.7
2002   2.9%                     $2.1
2003   1.7%                     $1.9
2004   1.8%                     $2.6
2005   1.6%                     $2.8
2006   1.4%                     $3.1
2007   1.4%                     $3.7
2008   1.4%                     $4.0
2009   1.2%                     $3.3
2010   0.9%                     $2.7
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

ACH – Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH – Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if it notifies bank within 15 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR[3] Section 8.6.1.
  Who is liable: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG[4] pp. 102–103.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Check[5] – Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report.
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check – Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Check – Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report.
  Who is liable: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check – Remotely created checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.
Credit Cards – Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules[6].

Credit Cards – Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit Cards – Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard Rules.
Debit Cards – Card not present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.6(b)(1).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.6(b)(2).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary Sources[7].
Debit Cards – Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites.
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v).
  Consumer protection: Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement.
  Legal authority: NACHA OR Section 8.6.1.
  Who is liable: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
ACH Origination Fraud
Corporate ACH fraud, number of attempts (% of respondents):
Attempts   All Respondents (Median = 3)   Revenues > $1 B (Median = 4)   Revenues < $1 B (Median = 3)
1-5        68%                            61%                            75%
6-10       10%                            8%                             11%
11-15      8%                             13%                            0%
16-20      3%                             5%                             0%
> 20       12%                            13%                            14%
ACH fraud resulting in financial loss: All Respondents 11%; Revenues > $1 B 9%; Revenues < $1 B 18%
3.3% of middle market corporations & 10.2% of large corporations report a major ACH fraud issue in the past two years.
Source: 2010 AFP Payment Fraud & Control Survey; 2011 Phoenix-Hecht, After the Financial Crisis
Corporate Account Takeover
• The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to the account:
  – Employee visits a social network site & opens an infected document
  – Trick employee into downloading malware (e.g. keystroke capture virus) from the Internet
  – Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
  – Phishing/spearphishing to trick an employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
  – Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a "mule" account via ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded
Best Ways to Mitigate ACH Fraud Risk
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH Positive Pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd party processors
• Educate customers & employees on fraud & how to report it
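The debit-side controls on this slide (ACH Positive Pay, debit blocks & filters, a blacklist of known fraudulent originators, and daily reconciliation with timely returns) fit together as one screening pass over the day's incoming debits. The block below is an added illustration, not code from the presenters or the Federal Reserve; the policy structure, originator IDs, amounts, dates and the 2-day return window are all this example's own assumptions, and the return window in particular must be taken from your bank agreement and the NACHA rules that apply to your account.

```python
"""ACH debit screening: debit block, debit filter, positive pay, blacklist, and a
daily reconciliation pass that lists the exceptions to return. Added example;
every name, threshold and sample entry is an assumption of this example."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class AchDebit:
    """One ACH debit presented against our account (constructed sample data)."""
    trace: str            # trace number assigned by the ODFI
    originator_id: str    # company identification of the originator
    amount: float
    settlement: date


@dataclass
class AccountPolicy:
    """Debit controls a corporate asks its bank to apply to one account."""
    debit_block: bool = False                           # reject every ACH debit
    debit_filter: dict = field(default_factory=dict)    # originator_id -> max amount per entry
    positive_pay: set = field(default_factory=set)      # (originator_id, amount) pre-approved
    blacklist: set = field(default_factory=set)         # known fraudulent originator ids


def screen_debit(policy, entry):
    """Decide one entry: returns ("pay" | "return", reason).
    Most specific rule first: blacklist, block, explicit positive-pay match,
    filter allow-list with cap; anything else is returned."""
    if entry.originator_id in policy.blacklist:
        return "return", "originator on known-fraud list"
    if policy.debit_block:
        return "return", "account has a debit block"
    if (entry.originator_id, round(entry.amount, 2)) in policy.positive_pay:
        return "pay", "matches positive-pay authorization"
    cap = policy.debit_filter.get(entry.originator_id)
    if cap is None:
        return "return", "originator not on debit filter"
    if entry.amount > cap:
        return "return", f"amount {entry.amount:.2f} exceeds filter cap {cap:.2f}"
    return "pay", "within debit filter cap"


def reconcile(policy, entries, today, return_window_days):
    """Daily reconciliation. Returns (decisions, to_return, overdue): decisions
    maps trace -> (verdict, reason); to_return lists exceptions still inside
    the return window; overdue lists exceptions past it, which have to be
    pursued outside the ACH network. return_window_days is an assumption of
    this example, not a rule value."""
    decisions = {e.trace: screen_debit(policy, e) for e in entries}
    to_return, overdue = [], []
    for e in entries:
        if decisions[e.trace][0] != "return":
            continue
        deadline = e.settlement + timedelta(days=return_window_days)
        (to_return if today <= deadline else overdue).append(e.trace)
    return decisions, to_return, overdue


# Constructed sample policy and one day's debits (all values invented).
SAMPLE_POLICY = AccountPolicy(
    debit_filter={"1234567890": 5000.00},          # a vendor we allow, capped per entry
    positive_pay={("9988776655", 1250.00)},        # a one-off debit we pre-approved
    blacklist={"6666666666"},                      # originator seen in prior fraud
)
SAMPLE_ENTRIES = [
    AchDebit("T001", "1234567890", 4800.00, date(2011, 4, 4)),   # vendor, under cap
    AchDebit("T002", "1234567890", 7200.00, date(2011, 4, 4)),   # vendor, over cap
    AchDebit("T003", "9988776655", 1250.00, date(2011, 4, 4)),   # positive-pay match
    AchDebit("T004", "5555555555", 99.00, date(2011, 4, 4)),     # unknown originator
    AchDebit("T005", "6666666666", 10.00, date(2011, 3, 1)),     # blacklisted, and stale
]


def run_sample():
    """Reconcile the sample as of 2011-04-05 with an assumed 2-day return window."""
    return reconcile(SAMPLE_POLICY, SAMPLE_ENTRIES, today=date(2011, 4, 5), return_window_days=2)


if __name__ == "__main__":
    decisions, to_return, overdue = run_sample()
    for trace, (verdict, reason) in decisions.items():
        print(f"{trace}: {verdict:6} {reason}")
    print("return today:", to_return, "| past window:", overdue)
```

The ordering of the rules matters: the blacklist and the block are checked before any allow-list so that a pre-approved amount from a known bad originator is still returned, and the filter cap is applied per entry, which is what stops the over-cap T002 even though the originator itself is trusted.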
Card Fraud
Card Fraud Losses
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Costs by payment type ($ billions):
• Losses by online retailers due to credit card fraud: $3.6
• Losses by brick-and-mortar retailers due to debit & credit card fraud: $2.0
• Cost of compliance with debit & credit card security, e.g. PCI: $2.0 – $5.5
Fraud by Type of B2B Card
% of respondents experiencing fraud, by card type:
• Purchasing Card: 72%
• T&E Card: 45%
• Multi-Use Card: 27%
• Ghost Card: 23%
• Fleet Card: 23%
• Other: 7%
Type of fraud (% of respondents):
• Experienced fraud from own B2B card use: 42%
• Experienced loss due to accepting B2B cards: 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature debit fraud losses, by source: Account takeover 3%; Stolen card 21%; Lost card 9%; Counterfeit 37%; e-Commerce & MOTO 25%; Other 5%
PIN debit fraud losses, by source: Account takeover 7%; Stolen card 45%; Lost card 7%; Counterfeit 23%; e-Commerce & MOTO 6%; Other 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
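Several of these bullets are decisions a card program can enforce at authorization time: per-transaction and daily limits, blocking unauthorized vendor categories, and refusing card-not-present use unless the address verification and card verification code checks both pass. The block below is an added example of such a policy engine, not code from the presenters, any card network or any processor; the policy values, merchant names and the boolean stand-ins for AVS and CVV results are constructed for illustration, and MCC 7995 (betting/casino gambling) and 6011 (ATM cash disbursement) are real category codes chosen only as examples of a block list.

```python
"""Authorization-time controls for a corporate payment card: per-transaction
limit, daily limit, blocked merchant categories, and a card-not-present rule
requiring AVS and CVV matches. Added example; all policy values, sample
requests and merchant names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class AuthRequest:
    """One authorization request as the issuer's processor would see it.
    avs_matched / cvv_matched are simplifications of the network result codes."""
    card_id: str
    merchant: str
    mcc: str              # merchant category code of the acceptor
    amount: float
    when: datetime
    card_present: bool
    avs_matched: bool = True
    cvv_matched: bool = True


@dataclass
class CardPolicy:
    """Controls set by the corporate card administrator for one card."""
    per_txn_limit: float
    daily_limit: float
    blocked_mccs: set = field(default_factory=set)     # vendor categories not allowed
    allow_card_not_present: bool = True


def daily_spend(history, card_id, day):
    """Sum of already-approved amounts for this card on this calendar day."""
    return sum(r.amount for r in history if r.card_id == card_id and r.when.date() == day)


def authorize(policy, history, req):
    """Evaluate every control and return (approved, reasons). All failing
    controls are reported, not just the first, so the decline reason the
    administrator sees is complete."""
    reasons = []
    if req.amount > policy.per_txn_limit:
        reasons.append(f"exceeds per-transaction limit {policy.per_txn_limit:.2f}")
    if daily_spend(history, req.card_id, req.when.date()) + req.amount > policy.daily_limit:
        reasons.append(f"would exceed daily limit {policy.daily_limit:.2f}")
    if req.mcc in policy.blocked_mccs:
        reasons.append(f"merchant category {req.mcc} is blocked for this card")
    if not req.card_present:
        if not policy.allow_card_not_present:
            reasons.append("card-not-present use not allowed")
        elif not (req.avs_matched and req.cvv_matched):
            reasons.append("card-not-present without AVS and CVV match")
    return (not reasons), reasons


def process_day(policy, requests):
    """Run a day's requests in order; approved ones join the history that the
    daily-limit check reads. Returns {merchant: (approved, reasons)}."""
    history, outcome = [], {}
    for req in requests:
        ok, why = authorize(policy, history, req)
        if ok:
            history.append(req)
        outcome[req.merchant] = (ok, why)
    return outcome


# Constructed sample: a purchasing card with a $2,500 per-transaction cap, a
# $5,000 daily cap, and two blocked categories (7995 and 6011 are real MCCs,
# used here purely as examples of a block list).
SAMPLE_POLICY = CardPolicy(per_txn_limit=2500.00, daily_limit=5000.00,
                           blocked_mccs={"7995", "6011"})
D = datetime(2011, 4, 4, 9, 0)
SAMPLE_REQUESTS = [
    AuthRequest("C1", "Office Supply Co", "5111", 1800.00, D, card_present=True),
    AuthRequest("C1", "Web Host Inc", "4816", 900.00, D.replace(hour=10),
                card_present=False, avs_matched=True, cvv_matched=True),
    AuthRequest("C1", "Casino Resort", "7995", 300.00, D.replace(hour=11), card_present=True),
    AuthRequest("C1", "Cash Machine", "6011", 200.00, D.replace(hour=12), card_present=True),
    AuthRequest("C1", "Big Ticket Ltd", "5065", 2600.00, D.replace(hour=13), card_present=True),
    AuthRequest("C1", "Gadget Store", "5732", 2400.00, D.replace(hour=14), card_present=True),
    AuthRequest("C1", "Mail Order Shop", "5961", 150.00, D.replace(hour=15),
                card_present=False, avs_matched=False, cvv_matched=True),
]


def run_sample():
    """Process the constructed day and return the per-merchant outcome."""
    return process_day(SAMPLE_POLICY, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for merchant, (ok, why) in run_sample().items():
        print(f"{merchant:16} {'APPROVED' if ok else 'DECLINED'} {'; '.join(why)}")
```

Only approved requests are added to the running history, so a declined over-limit purchase does not consume the daily allowance; the "Gadget Store" request is declined solely on the daily limit even though it is under the per-transaction cap, which is the velocity effect the slide's "transaction limits" bullet is after.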
Impact of Cyberspace on Payments Fraud
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
  – Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (black market estimate, 2010):
• Credit card: $1.50 – $3.00
• SSN & Date of Birth (DOB): $1.50 – $3.00
• Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 – $20
• Online banking account (depends on account type & balance): $50 – $1,000
• Denial of service attack: $50 for 24 hours to a single target
• Zeus Trojan virus kit: $3,000 – $4,000
Source: RSA Security Survey, September 2010
Phishing Activity Targets by Industry
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
• Customer notifies us: 76%
• At the point of transaction: 48%
• Third-party notification: 41%
• At the point of origination: 26%
• During account audit/reconciliation: 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents):
• Employee education: 77%
• Customer awareness: 67%
• Fraud tools & technologies: 58%
• Real-time decision tools: 45%
• Manual account monitoring: 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & effectiveness; share of corporations using each service:
• Account masking services: 16% use
• Post no check services: 22% use
• ACH payee positive pay: 23% use
• ACH positive pay: 28% use
• Card alert services for corporate cards: 29% use
• Account alert services: 36% use
• Check payee positive pay: 42% use
• Multi-factor authentication to initiate payments: 49% use
• ACH debit filters: 49% use
• Check positive pay/reverse positive pay: 51% use
• ACH debit blocks: 57% use
• Online information services: 71% use
Legend (each bar is split by the users' rating): Use & very effective / Use & somewhat effective / Use & somewhat ineffective / Use & very ineffective / Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
Appendix A: Payments Fraud Liability Matrix (slide 48)

Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Payment Type: ACH
Subtype (Fraud Type): Credit Items (PPD)
Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement.
Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of the warranty that the item is authorized. Credit items can be returned at any time.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

Payment Type: ACH
Subtype (Fraud Type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1]
Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. Consumer has a right of immediate recredit if the bank is notified within 15 days after receiving the statement.
Legal Authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR [3] Section 8.6.1
Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of the warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG [4], pages 102-103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

[1] ARC means lockbox items pursuant to NACHA OR 3.7. POP means Point of Purchase conversion items pursuant to NACHA OR 3.8. BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (slide 49)

Payment Type: Check [5]
Subtype (Fraud Type): Forged (counterfeit) check
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check
Subtype (Fraud Type): Forged drawer's signature
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
Legal Authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check
Subtype (Fraud Type): Forged endorsement
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (slide 50)

Payment Type: Check
Subtype (Fraud Type): Fraudulent Alteration
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
Legal Authority: UCC 3-407; UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Payment Type: Check
Subtype (Fraud Type): Remotely Created Checks
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
Legal Authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (slide 51)

Payment Type: Credit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. / $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b) / VISA, MasterCard websites
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
Legal Authority: VISA and MasterCard Rules [6]

Payment Type: Credit Cards
Subtype (Fraud Type): Card not present (telephone or web initiated use)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. / $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b) / VISA, MasterCard websites
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: VISA and MasterCard Rules

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (slide 52)

Payment Type: Debit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection:
- $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
- Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.6(b)(1))
- Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.6(b)(2))
- Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
Legal Authority: VISA and MasterCard Rules
Appendix A: Payments Fraud Liability Matrix (slide 53)

Payment Type: Debit Cards
Subtype (Fraud Type): Card not Present (telephone or web initiated use)
Consumer Protection:
- $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
- Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.6(b)(1))
- Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.6(b)(2))
- Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: Secondary Sources [7]
Appendix A: Payments Fraud Liability Matrix (slide 54)

Payment Type: Debit Cards
Subtype (Fraud Type): Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account. Settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard. Settlement between card issuer and consumer is via ACH debits to the consumer's bank account.)
Consumer Protection:
- $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
- Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.14(b)(5)(v))
- Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 20146(b)(5)(v))
- Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.14(b)(5)(v))
- Consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement. (NACHA OR Section 8.6.1)
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).
Corporate Account Takeover (slide 25)

• The criminal element has identified the ACH as vulnerable & has begun targeting smaller corporates & their banks
• Methods used to gain access to the account:
  – Employee visits a social network site and opens an infected document
  – Employee is tricked into downloading malware (e.g. a keystroke-capture virus) from the internet
  – Social engineering/vishing, e.g. calling & tricking an employee into disclosing credentials
  – Phishing/spearphishing to trick an employee into entering credentials: fraudsters send millions of e-mails from a "legitimate" organization to lure employees into clicking on a spoofed link
  – Hacking a computer system that is inadequately protected
• Once the account is accessed, the fraudster transfers funds to a "mule" account via an ACH transaction; mule accounts are emptied & abandoned
• Mules are individuals recruited as a "payment processor" or "financial agent" via work-at-home advertisements or from resumes posted on job search websites. They may believe the job is legitimate, may be lower-level criminals, or may have been previously defrauded.
Best Ways to Mitigate ACH Fraud Risk (slide 26)

• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH Positive Pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd-party processors
• Educate customers & employees on fraud & how to report it
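Three of the controls on this slide (ACH positive pay/debit filters, debit blocks, and a blacklist of known fraudulent recipients, checked in a daily reconciliation pass) can be expressed as a small decision engine. The following is an added example, not code from the Federal Reserve Bank of Minneapolis deck or from any bank's product: the data model, the reason labels and the sample debit entries are assumptions constructed for illustration.

```python
"""Added example for the ACH mitigation list above: an ACH debit filter /
positive pay check with a daily reconciliation pass. It is not code from the
Federal Reserve Bank of Minneapolis deck or any bank's product; the data model,
reason labels and sample entries are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AuthorizedOriginator:
    """One row of the company's positive pay list (assumed structure)."""
    company_id: str                       # ACH company identification number
    max_amount: Optional[Decimal] = None  # per-entry cap; None means no cap
    sec_codes: Set[str] = field(default_factory=lambda: {"CCD", "PPD"})


@dataclass(frozen=True)
class DebitEntry:
    """Minimal view of an incoming ACH debit entry (constructed fields)."""
    trace_no: str
    company_id: str
    company_name: str
    sec_code: str
    amount: Decimal
    settlement_date: date


@dataclass
class Decision:
    trace_no: str
    action: str          # "PAY" or "RETURN"
    reasons: List[str]   # empty when action is "PAY"


class AchDebitFilter:
    """Debit block + debit filter (positive pay) + known-fraudster blacklist.
    A debit block rejects every incoming debit; a debit filter pays only listed
    originators within their cap and SEC codes; the blacklist rejects by name."""

    def __init__(self, authorized: Iterable[AuthorizedOriginator],
                 block_all_debits: bool = False,
                 known_fraudulent: Iterable[str] = ()):
        self.authorized: Dict[str, AuthorizedOriginator] = {
            a.company_id: a for a in authorized}
        self.block_all_debits = block_all_debits
        # normalise names so "Quick Cash LLC" and "QUICK CASH LLC" match
        self.known_fraudulent = {n.strip().upper() for n in known_fraudulent}

    def evaluate(self, entry: DebitEntry) -> Decision:
        """Return PAY, or RETURN listing every rule the entry violates."""
        reasons: List[str] = []
        if self.block_all_debits:
            reasons.append("debit_block")
        else:
            rule = self.authorized.get(entry.company_id)
            if rule is None:
                reasons.append("unknown_originator")
            else:
                if entry.sec_code not in rule.sec_codes:
                    reasons.append(f"sec_code_not_permitted:{entry.sec_code}")
                if rule.max_amount is not None and entry.amount > rule.max_amount:
                    reasons.append(f"over_limit:{entry.amount}>{rule.max_amount}")
        if entry.company_name.strip().upper() in self.known_fraudulent:
            reasons.append("known_fraudulent_recipient")
        return Decision(entry.trace_no, "RETURN" if reasons else "PAY", reasons)


def reconcile_day(flt: AchDebitFilter, entries: Iterable[DebitEntry],
                  as_of: date) -> Dict[str, List[Decision]]:
    """Daily reconciliation: decide every debit and split the output into
    'pay', 'return' (act on it today) and 'overdue' (a returnable item that
    settled before today and was missed, so it needs escalation)."""
    out: Dict[str, List[Decision]] = {"pay": [], "return": [], "overdue": []}
    for e in entries:
        d = flt.evaluate(e)
        if d.action == "RETURN" and e.settlement_date < as_of:
            out["overdue"].append(d)
        else:
            out[d.action.lower()].append(d)
    return out


# Constructed sample data: two authorized originators, five settled debits.
POSITIVE_PAY = [
    AuthorizedOriginator("1234567890", Decimal("50000.00"), {"CCD"}),        # payroll
    AuthorizedOriginator("2223334445", Decimal("2500.00"), {"PPD", "CCD"}),  # utility
]
SAMPLE_ENTRIES = [
    DebitEntry("091000010000001", "1234567890", "ACME PAYROLL SVC", "CCD",
               Decimal("42100.00"), date(2011, 4, 4)),  # expected payroll pull
    DebitEntry("091000010000002", "2223334445", "METRO POWER", "PPD",
               Decimal("1890.40"), date(2011, 4, 4)),   # expected utility bill
    DebitEntry("091000010000003", "9876543210", "QUICK CASH LLC", "WEB",
               Decimal("9850.00"), date(2011, 4, 4)),   # not on the list
    DebitEntry("091000010000004", "1234567890", "ACME PAYROLL SVC", "CCD",
               Decimal("75000.00"), date(2011, 4, 4)),  # above the payroll cap
    DebitEntry("091000010000005", "2223334445", "METRO POWER", "TEL",
               Decimal("120.00"), date(2011, 4, 1)),    # wrong SEC code, 3 days old
]


def run_sample(as_of: date = date(2011, 4, 4)) -> Dict[str, List[Decision]]:
    flt = AchDebitFilter(POSITIVE_PAY, known_fraudulent=["Quick Cash LLC"])
    return reconcile_day(flt, SAMPLE_ENTRIES, as_of)
```

The "overdue" bucket is what makes daily reconciliation matter: an item that fails the filter but was not reviewed on its settlement day still needs a return, and the later it is found the more likely the return deadline has passed.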
Card Fraud (slide 27)
Card Fraud Losses (slide 28)

• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study

Payment Type | Costs ($B)
Losses by online retailers due to credit card fraud | $3.6
Losses by brick-and-mortar retailers due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g. PCI | $2.0 – $5.5
Fraud by Type of B2B Card (slide 29)

Chart (% of respondents): Purchasing Card 72%; T&E Card 45%; Multi-Use Card 27%; Ghost Card 23%; Fleet Card 23%; Other 7%

Type of Fraud | % of Respondents
Experienced Fraud from Own B2B Card Use | 42%
Experienced Loss Due to Accepting B2B Card | 16%
Source: 2010 AFP Payments Fraud & Control Survey
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses (slide 30)

Signature Debit Fraud Losses: Account Takeover 3%; Stolen Card 21%; Lost Card 9%; Counterfeit 37%; e-Commerce & MOTO 25%; Other 5%
PIN Debit Fraud Losses: Account Takeover 7%; Stolen Card 45%; Lost Card 7%; Counterfeit 23%; e-Commerce & MOTO 6%; Other 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk (slide 31)

• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
Impact of Cyberspace on Payments Fraud (slide 32)
Main Effects of Cyberspace on Payments Fraud (slide 33)

• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
  – Stolen data used to make purchases: 40% in person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud (slide 34)

Estimated cost of buying information & services online to perpetrate fraud (Source: RSA Security Survey, September 2010)

Item | Cost on Black Market, Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1,000
Denial of Service Attack | $50 for 24 hours to a single target
Zeus Trojan Virus Kit | $3,000 - $4,000
Phishing Activity Targets by Industry (slide 35)

(Chart; the industry breakdown is not recoverable from the extracted text.) Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention (slide 36)
Fraud Detection: More Is Needed (slide 37)

When is Fraud Usually Detected? (% of respondents): Customer Notifies Us 76%; At the Point of Transaction 48%; Third-Party Notification 41%; At the Point of Origination 26%; During Account Audit/Reconciliation 23%
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud (slide 38)

Most Effective Fraud Prevention Tools (% of respondents): Employee Education 77%; Customer Awareness 67%; Fraud Tools & Technologies 58%; Real-Time Decision Tools 45%; Manual Account Monitoring 28%
Source: Information Security Media Group 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations (slide 39)

Corporate Views on Risk Services Used & Effectiveness (% of respondents using each service):
Account masking services | 16% use
Post no check services | 22% use
ACH payee positive pay | 23% use
ACH positive pay | 28% use
Card alert services for corporate cards | 29% use
Account alert services | 36% use
Check payee positive pay | 42% use
Multi-factor authentication to initiate payments | 49% use
ACH debit filters | 49% use
Check positive pay/reverse positive pay | 51% use
ACH debit blocks | 57% use
Online information services | 71% use
Chart legend (breakdown not recoverable from the extracted text): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations (slide 40)

(% of respondents using each control):
Magnetic stripe or card chip authentication | 8% use
Biometrics authentication | 8% use
Participate in fraudster databases & alerts | 8% use
Centralized fraud database for multiple payment types | 11% use
Centralized fraud database for one payment type | 16% use
Verify customer state ID card is authentic | 18% use
Software with pattern matching or other indicators | 22% use
Fraud detection pen for currency | 32% use
Positive ID of purchaser or account for POS transactions | 37% use
Centralized risk management department | 44% use
Customer authentication for online transactions | 57% use
Human review of payment transactions | 65% use
Chart legend (breakdown not recoverable from the extracted text): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation (slide 41)

Main Barriers to Reducing Payments Fraud | % of respondents
Lack of staff resources | 53%
Consumer data privacy issues/concerns | 41%
Cost of implementing commercially available fraud detection tool/service | 41%
Cost of implementing in-house fraud detection tool/method | 38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods | 35%
Unable to combine payment information for review due to operating in multiple states | 3%
Unable to combine payment information for review due to operating with multiple different banks | 3%
Corporate reluctance to share information due to competitive issues | 3%
Other | 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions (slide 42)

1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions (slide 43)
Contact Information (slide 44)

Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources (slide 45)

Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud (slide 46)

Year | Total e-commerce ($ billions) | Revenue lost to fraud ($ billions)
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites (slide 47)

Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
Year | Revenue lost to online fraud (% of online sales) | Revenue lost to online fraud ($ billions)
2000 | 3.6% | 1.5
2001 | 3.2% | 1.7
2002 | 2.9% | 2.1
2003 | 1.7% | 1.9
2004 | 1.8% | 2.6
2005 | 1.6% | 2.8
2006 | 1.4% | 3.1
2007 | 1.4% | 3.7
2008 | 1.4% | 4.0
2009 | 1.2% | 3.3
2010 | 0.9% | 2.7
Source: Cybersource 2011 Online Fraud Report
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
Best Ways to Mitigate ACH Fraud Risk
26
• Implement best practices for online & IT data security, authenticating customers & initiating payments
• Use ACH Positive Pay, debit blocks & filters as appropriate
• Implement proactive detection & monitoring
• Develop & use files of known fraudulent recipients, e.g. develop blacklists
• Reconcile accounts daily & make timely returns
• Retain rights of refusal
• Require due diligence of 3rd-party processors
• Educate customers & employees on fraud & how to report it
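The slide lists "ACH Positive Pay, debit blocks & filters" as one practice; the three differ in how much the account holder tells the bank up front. The following is an added example, not code from the presentation or from any bank's system, showing how a receiving bank might apply all three to a day's incoming debits: a debit block refuses every ACH debit, a debit filter admits only pre-authorized originators within an amount cap, SEC-code list and validity window, and positive pay matches exact (originator, amount) items the customer said to expect. The record fields, policy shape and sample entries are constructed.

```python
"""ACH debit block, debit filter and positive pay decisioning.

Added illustration of the "ACH Positive Pay, debit blocks & filters" practice;
it is not code from the presentation or from any bank's system. Field names,
the policy shape and the sample entries are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class AchDebit:
    """An incoming ACH debit entry as seen by the receiving bank (constructed view)."""
    account: str        # receiver's account at the RDFI
    company_id: str     # originator's company identification
    company_name: str
    sec_code: str       # standard entry class, e.g. CCD, PPD, WEB
    amount_cents: int
    settlement: date


@dataclass(frozen=True)
class Authorization:
    """One originator the account holder pre-authorized (a debit-filter rule)."""
    company_id: str
    max_amount_cents: int
    sec_codes: frozenset = frozenset({"CCD", "PPD"})
    expires: Optional[date] = None


@dataclass
class AccountPolicy:
    """Protection the corporate customer has chosen for one account."""
    block_all_debits: bool = False                                       # debit block
    authorizations: List[Authorization] = field(default_factory=list)    # debit filter
    issued: Set[Tuple[str, int]] = field(default_factory=set)            # positive pay: expected (company_id, amount)


def decide(entry: AchDebit, policy: AccountPolicy) -> Tuple[str, str]:
    """Return ("pay", reason) or ("return", reason) for one incoming debit.

    A "return" goes back through the ACH network as unauthorized (for a corporate
    receiver, return reason R29, corporate customer advises not authorized) and
    must be sent within the RDFI's return deadline, hence the daily reconciliation.
    """
    if policy.block_all_debits:
        return "return", "debit block: account accepts no ACH debits"
    # Positive pay: exact match against items the customer told the bank to expect.
    if (entry.company_id, entry.amount_cents) in policy.issued:
        return "pay", "positive pay: matches an expected item"
    # Debit filter: originator must be listed and within its cap, SEC codes and validity window.
    for auth in policy.authorizations:
        if auth.company_id != entry.company_id:
            continue
        if auth.expires is not None and entry.settlement > auth.expires:
            return "return", "filter: authorization for originator has expired"
        if entry.sec_code not in auth.sec_codes:
            return "return", "filter: SEC code %s not authorized for originator" % entry.sec_code
        if entry.amount_cents > auth.max_amount_cents:
            return "return", "filter: amount exceeds cap for originator"
        return "pay", "filter: authorized originator within limits"
    return "return", "filter: originator not on authorized list"


# --- constructed sample: one account, one day's incoming debits -----------------
SAMPLE_POLICY = AccountPolicy(
    authorizations=[
        Authorization("1234567890", max_amount_cents=500_000, expires=date(2011, 12, 31)),
        Authorization("9876543210", max_amount_cents=250_000, sec_codes=frozenset({"CCD"})),
    ],
    issued={("5555555555", 123_456)},
)

# Constructed variant whose only authorization lapsed before the sample settlement date.
EXPIRED_POLICY = AccountPolicy(
    authorizations=[Authorization("1234567890", max_amount_cents=500_000, expires=date(2011, 1, 1))]
)

SAMPLE_BATCH = [
    AchDebit("001", "1234567890", "PAYROLL SVC", "CCD", 420_000, date(2011, 4, 4)),  # within cap -> pay
    AchDebit("001", "1234567890", "PAYROLL SVC", "CCD", 900_000, date(2011, 4, 4)),  # over cap -> return
    AchDebit("001", "9876543210", "UTILITY CO", "WEB", 10_000, date(2011, 4, 4)),    # wrong SEC code -> return
    AchDebit("001", "5555555555", "VENDOR INC", "CCD", 123_456, date(2011, 4, 4)),   # positive pay hit -> pay
    AchDebit("001", "4242424242", "UNKNOWN LLC", "CCD", 50_000, date(2011, 4, 4)),   # not on list -> return
]


def run_sample(policy: AccountPolicy = SAMPLE_POLICY) -> List[str]:
    """Apply the policy to the sample batch; returns the pay/return decisions in order."""
    return [decide(e, policy)[0] for e in SAMPLE_BATCH]


def daily_summary(policy: AccountPolicy = SAMPLE_POLICY) -> Counter:
    """Counts of pay/return for the daily reconciliation report."""
    return Counter(run_sample(policy))


if __name__ == "__main__":
    for entry in SAMPLE_BATCH:
        verdict, why = decide(entry, SAMPLE_POLICY)
        print(f"{verdict:6} {entry.company_name:12} {entry.amount_cents / 100:>10.2f}  {why}")
```

Positive pay is checked before the filter so that a one-off item the customer explicitly issued (a vendor not on the standing list) is paid without loosening the standing rules; everything the policy does not recognise is returned, which is the posture the slide's "retain rights of refusal" point describes.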
Card Fraud
27
Card Fraud Losses
28
• 2009 card fraud losses estimated at $6.89 billion, a 7% increase from 2008 (Pulse)
• 20% of respondents experienced consumer credit/debit card fraud; 17% experienced corporate/commercial purchasing card fraud
• Signature debit card fraud increased 43%; PIN debit fraud loss rose by 24%
• Credit card fraud affected 6.5 million victims; debit card fraud affected 3.5 million victims
Source: 2010 AFP Payments Fraud & Control Study; Pulse 2010 Debit Issuer Study
Payment Type | Costs ($B)
Losses by online retailer due to credit card fraud | $3.6
Losses by brick-and-mortar retailer due to debit & credit card fraud | $2.0
Cost of compliance with debit & credit card security, e.g. PCI | $2.0 - $5.5
Fraud by Type of B2B Card
29
Percentage of respondents experiencing fraud, by B2B card type (chart): Purchasing Card 72%; T&E Card 45%; Multi-Use Card 27%; Ghost Card 23%; Fleet Card 23%; Other 7%
Source: 2010 AFP Payments Fraud & Control Survey
Type of Fraud | % of Respondents
Experienced Fraud from Own B2B Card Use | 42%
Experienced Loss Due to Accepting B2B Card | 16%
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
30
Signature Debit Fraud Losses (chart): Account Takeover 3%; Stolen Card 21%; Lost Card 9%; Counterfeit 37%; e-Commerce & MOTO 25%; Other 5%
PIN Debit Fraud Losses (chart): Account Takeover 7%; Stolen Card 45%; Lost Card 7%; Counterfeit 23%; e-Commerce & MOTO 6%; Other 12%
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
31
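The card-not-present points on the slide above (real-time authorization, address verification, card verification codes) only reduce risk when the merchant acts on the results the issuer returns. The following is an added example, not code from the presentation or from any processor, of a merchant-side screening step that turns the issuer's approval, the AVS result, the verification-code result and a simple per-card velocity count into accept / review / decline. The single-letter result codes used (AVS: Y both match, A street only, Z postal code only, N no match, U unavailable; verification code: M match, N no match, P not processed, U unsupported) follow common processor conventions, and the thresholds and sample batch are constructed.

```python
"""Card-not-present screening with AVS, card verification code and velocity.

Added illustration of the real-time authorization, address verification and
verification-code practices on the slide; not code from the presentation or
from any processor. Result codes follow common processor conventions;
thresholds and the sample batch are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CnpAuth:
    """Result of one card-not-present authorization request (constructed fields)."""
    card_token: str    # tokenised card reference; the raw PAN never reaches this code
    amount_cents: int
    approved: bool     # issuer approved the authorization
    avs: str           # address verification result: Y, A, Z, N or U
    cvv: str           # card verification code result: M, N, P or U


HIGH_VALUE_CENTS = 50_000   # above this, auto-accept only on a full AVS + CVV match
VELOCITY_LIMIT = 3          # prior attempts on one card token before manual review


def screen(auth: CnpAuth, prior_attempts: int) -> Tuple[str, str]:
    """Classify an authorization as accept / review / decline.

    A decline after authorization means the merchant reverses (voids) the
    authorization instead of capturing it; review parks the order for a person.
    """
    if not auth.approved:
        return "decline", "issuer declined the authorization"
    if auth.cvv == "N":
        return "decline", "card verification code did not match"
    if auth.avs == "N":
        return "decline", "AVS: neither street address nor postal code matched"
    if prior_attempts >= VELOCITY_LIMIT:
        return "review", "velocity: repeated attempts on the same card"
    if auth.avs == "Y" and auth.cvv == "M":
        return "accept", "full AVS and verification-code match"
    if auth.amount_cents > HIGH_VALUE_CENTS:
        return "review", "partial or unavailable AVS/CVV result on a high-value order"
    return "accept", "low-value order with partial verification"


def screen_batch(batch: List[CnpAuth]) -> List[Tuple[str, str]]:
    """Screen orders in arrival order, counting attempts per card token for velocity."""
    attempts: Counter = Counter()
    decisions = []
    for auth in batch:
        decisions.append(screen(auth, attempts[auth.card_token]))
        attempts[auth.card_token] += 1
    return decisions


# --- constructed sample batch ---------------------------------------------------
SAMPLE_BATCH = [
    CnpAuth("tok_A", 12_000, True, "Y", "M"),   # full match -> accept
    CnpAuth("tok_B", 80_000, True, "Z", "M"),   # postal code only, high value -> review
    CnpAuth("tok_C", 9_000, True, "A", "P"),    # partial, low value -> accept
    CnpAuth("tok_D", 30_000, True, "N", "M"),   # address mismatch -> decline
    CnpAuth("tok_E", 5_000, False, "Y", "M"),   # issuer declined -> decline
    CnpAuth("tok_F", 4_000, True, "Y", "N"),    # verification code mismatch -> decline
] + [CnpAuth("tok_G", 2_000, True, "Y", "M")] * 4  # fourth attempt on tok_G -> review


def run_sample() -> List[str]:
    """Decisions for the sample batch, in order."""
    return [verdict for verdict, _ in screen_batch(SAMPLE_BATCH)]


if __name__ == "__main__":
    for auth, (verdict, why) in zip(SAMPLE_BATCH, screen_batch(SAMPLE_BATCH)):
        print(f"{verdict:8} {auth.card_token:6} {auth.amount_cents / 100:>9.2f}  {why}")
```

An "accept" here still leaves the chargeback exposure the slide's liability matrix describes for card-not-present acceptance; the screening only lowers how often the merchant ends up holding it, and the review queue is where the "respond immediately to fraud & chargeback issues" work happens.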
Impact of Cyberspace on Payments Fraud
32
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
33
Cyberspace Crime Lowers the Cost of Payments Fraud
34
Estimated cost of buying information & services online to perpetrate fraud
Source: RSA Security Survey, September 2010
Item | Cost on Black Market, Estimate (2010)
Credit Card | $1.50 - $3.00
SSN & Date of Birth (DOB) | $1.50 - $3.00
Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB) | $5 - $20
Online Banking Account (depends on account type & balance) | $50 - $1,000
Denial of Service Attack | $50 for 24 hours to a single target
Zeus Trojan Virus Kit | $3,000 - $4,000
Phishing Activity Targets by Industry
35
Phishing activity targets by industry (chart)
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
36
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents, chart): Customer notifies us 76%; At the point of transaction 48%; Third-party notification 41%; At the point of origination 26%; During account audit/reconciliation 23%
37
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents, chart): Employee education 77%; Customer awareness 67%; Fraud tools & technologies 58%; Real-time decision tools 45%; Manual account monitoring 28%
38
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness
39
Risk service | % of respondents using
Account masking services | 16%
Post no check services | 22%
ACH payee positive pay | 23%
ACH positive pay | 28%
Card alert services for corporate cards | 29%
Account alert services | 36%
Check payee positive pay | 42%
Multi-factor authentication to initiate payments | 49%
ACH debit filters | 49%
Check positive pay / reverse positive pay | 51%
ACH debit blocks | 57%
Online information services | 71%
Chart legend (effectiveness breakdown per service): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
40
Internal control | % of respondents using
Magnetic stripe or card chip authentication | 8%
Biometrics authentication | 8%
Participate in fraudster databases & alerts | 8%
Centralized fraud database for multiple payment types | 11%
Centralized fraud database for one payment type | 16%
Verify customer state ID card is authentic | 18%
Software with pattern matching or other indicators | 22%
Fraud detection pen for currency | 32%
Positive ID of purchaser or account for POS transactions | 37%
Centralized risk management department | 44%
Customer authentication for online transactions | 57%
Human review of payment transactions | 65%
Chart legend (effectiveness breakdown per control): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud | % of respondents
Lack of staff resources | 53%
Consumer data privacy issues/concerns | 41%
Cost of implementing commercially available fraud detection tool/service | 41%
Cost of implementing in-house fraud detection tool/method | 38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods | 35%
Unable to combine payment information for review due to operating in multiple states | 3%
Unable to combine payment information for review due to operating with multiple different banks | 3%
Corporate reluctance to share information due to competitive issues | 3%
Other | 15%
41
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
42
Questions
43
Contact Information
44
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
45
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
46
Total e-commerce revenue & revenue lost to fraud, in $ billions (chart):
Year | Revenue Lost to Fraud ($B) | Total e-commerce Revenue ($B)
2000 | 1.5 | 41.7
2001 | 1.7 | 53.1
2002 | 2.1 | 72.4
2003 | 1.9 | 111.8
2004 | 2.6 | 144.4
2005 | 2.8 | 175.0
2006 | 3.1 | 221.4
2007 | 3.7 | 264.3
2008 | 4.0 | 285.7
2009 | 3.3 | 275.0
2010 | 2.7 | 300.0
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
47
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions) (chart):
Year | Revenue Lost to Online Fraud (% of online sales) | Online Fraud Losses ($B)
2000 | 3.6% | $1.5
2001 | 3.2% | $1.7
2002 | 2.9% | $2.1
2003 | 1.7% | $1.9
2004 | 1.8% | $2.6
2005 | 1.6% | $2.8
2006 | 1.4% | $3.1
2007 | 1.4% | $3.7
2008 | 1.4% | $4.0
2009 | 1.2% | $3.3
2010 | 0.9% | $2.7
Source: Cybersource 2011 Online Fraud Report
48
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
ACH | Credit Items (PPD) | $0: consumer not liable if fraud is reported within 60 days after receiving statement | Reg E, 12 CFR 205.6(b)(3) | Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time | The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; return deadline for credit items is set forth in NACHA OR 6.1.4
ACH | Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1] | $0: consumer not liable if fraud is reported within 60 days after receiving statement | Reg E, 12 CFR 205.6(b)(3) | ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network | The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; return deadline for debit items is set forth in NACHA OG [4] pp. 102-103
ACH | Debit Items (continued) | Consumer has right of immediate recredit if it notifies bank within 15 days after receiving statement | NACHA OR [3] Section 8.6.1 | |
[1] ARC means lockbox items pursuant to NACHA OR 3.7. POP means Point of Purchase conversion items pursuant to NACHA OR 3.8. BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
49
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Check [5] | Forged (counterfeit) check | $0: consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 4-401: if check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check | Paying bank is liable, as there is no breach of presentment warranty | Presentment warranties are set forth in UCC 3-417 and 4-208
Check | Forged drawer's signature | $0: consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 4-401: if check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check | Paying bank is liable, as there is no breach of presentment warranty | Presentment warranties are set forth in UCC 3-417 and 4-208
Check | Forged drawer's signature (continued) | Possible exception if consumer's negligence substantially contributed to the forged signature, or if consumer failed to timely report the forgery | UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report) | |
Check | Forged endorsement | $0: consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 4-401: if check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check | Depository bank is liable, as there is breach of transfer or presentment warranties | Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207
[5] These protections also apply to business checks.
50
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Check | Fraudulent Alteration | $0: consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 3-407; UCC 4-401: if check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check | Depository bank is liable, as there is breach of transfer or presentment warranties | Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207
Check | Fraudulent Alteration (continued) | Possible exception if consumer's negligence substantially contributed to the forged signature, or if consumer failed to timely report the forgery | UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report) | |
Check | Remotely Created Checks | $0: consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement | UCC 4-401: if check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check | Depository bank is liable for all kinds of fraud for remotely created checks | Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized
51
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Credit Cards | Card Present (signature or PIN required) | $50: the consumer's maximum liability under federal law is $50 for unauthorized use | Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b) | The Issuing Bank is generally liable for fraudulent transactions | VISA and MasterCard Rules [6]
Credit Cards | Card Present (continued) | $0: the consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | |
Credit Cards | Card not present (telephone or web initiated use) | $50: the consumer's maximum liability under federal law is $50 for unauthorized use | Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b) | The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement | VISA and MasterCard Rules
Credit Cards | Card not present (continued) | $0: the consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | |
[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
52
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Debit Cards | Card Present (signature or PIN required) | $0: the consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN | VISA and MasterCard Rules
Debit Cards | Card Present (continued) | Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card | Reg E, 12 CFR 205.6(b)(1) | |
Debit Cards | Card Present (continued) | Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until consumer actually provides notice | Reg E, 12 CFR 205.6(b)(2) | |
Debit Cards | Card Present (continued) | Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided | Reg E, 12 CFR 205.6(b)(3) | |
53
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Debit Cards | Card not Present (telephone or web initiated use) | $0: the consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement | Secondary Sources [7]
Debit Cards | Card not Present (continued) | Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card | Reg E, 12 CFR 205.6(b)(1) | |
Debit Cards | Card not Present (continued) | Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until consumer actually provides notice | Reg E, 12 CFR 205.6(b)(2) | |
Debit Cards | Card not Present (continued) | Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided | Reg E, 12 CFR 205.6(b)(3) | |
54
Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority
Debit Cards | Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account) | $0: the consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely | VISA/MasterCard websites | Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards) | NACHA Rules; VISA and MasterCard Rules (see ACH Debits and Debit Cards above)
Debit Cards | Decoupled Debit Cards (continued) | Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card | Reg E, 12 CFR 205.14(b)(5)(v) | |
Debit Cards | Decoupled Debit Cards (continued) | Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until consumer actually provides notice | Reg E, 12 CFR 205.14(b)(5)(v) | |
Debit Cards | Decoupled Debit Cards (continued) | Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided | Reg E, 12 CFR 205.14(b)(5)(v) | |
Debit Cards | Decoupled Debit Cards (continued) | Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement | NACHA OR Section 8.6.1 | |
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Card Fraud
27
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Card Fraud Losses
28
2009 card fraud losses estimated at $689 billion a 7 increase from 2008 (Pulse) 20 respondents experienced consumer creditdebit card
fraud 17 experienced corporatecommercial purchasing card fraud
Signature debit card fraud increased 43 PIN debit fraud loss rose by 24 Credit card fraud affected 65 million victims Debit card fraud affected 35 million victims
Source 2010 AFP Payments Fraud amp Control Study Pulse 2010 Debit Issuer Study
Payment Type Costs ($B)
Losses by online retailer due to credit card fraud $36
Losses by brick-and-mortar retailer due to debit amp credit card fraud $20
Cost of compliance with debit amp credit card security eg PCI $20 ndash $55
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud by Type of B2B Card (slide 29)
Chart: share of respondents reporting fraud, by B2B card type (source: 2010 AFP Payments Fraud & Control Survey)
Purchasing card: 72%
T&E card: 45%
Multi-use card: 27%
Ghost card: 23%
Fleet card: 23%
Other: 7%

Type of Fraud                                     % of Respondents
Experienced fraud from own B2B card use           42%
Experienced loss due to accepting B2B cards       16%
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses (slide 30)
Chart: breakdown of debit fraud losses by source (source: ABA Deposit Account Fraud Survey Report, 2009)
Source of loss           Signature debit   PIN debit
Account takeover         3%                7%
Stolen card              21%               45%
Lost card                9%                7%
Counterfeit              37%               23%
e-Commerce & MOTO        25%               6%
Other                    5%                12%
Best Ways to Mitigate Card Fraud Risk (slide 31)
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use card verification code checks & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
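As an added illustration (not code from the presentation or its authors), a small control engine that applies the slide's controls to each authorization request: per-transaction and daily limits, a blocked-vendor list, card verification code and address verification checks for card-not-present items, and a running spend figure per card for real-time visibility. The AVS code meanings are the card networks' common ones in simplified form; the policy thresholds, merchant names and sample transactions are constructed.

```python
"""Added illustration of the card controls listed on the slide; this is
not code from the presentation. All thresholds, merchant names and
transactions are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address verification (AVS) response codes, simplified from the card networks'
# common set: Y = street and ZIP match, A = street only, Z = ZIP only,
# N = no match, U = unavailable (issuer does not support AVS).
AVS_FULL_MATCH = "Y"
AVS_NO_MATCH = "N"


@dataclass(frozen=True)
class Transaction:
    card: str              # card token, never the PAN itself
    merchant: str
    amount_cents: int
    card_present: bool
    avs_result: str = "U"  # only meaningful for card-not-present items
    cvv_match: bool = False


@dataclass(frozen=True)
class CardPolicy:
    per_txn_limit_cents: int
    daily_limit_cents: int
    blocked_merchants: frozenset
    # None means any merchant that is not blocked; a set restricts spend
    # to approved vendors only.
    allowed_merchants: Optional[frozenset] = None


class CardControls:
    """Applies policy to each authorization and keeps a running spend total
    per card so that exposure is visible in real time."""

    def __init__(self, policy: CardPolicy) -> None:
        self.policy = policy
        self.spend_today: Dict[str, int] = defaultdict(int)

    def evaluate(self, txn: Transaction) -> Tuple[str, List[str]]:
        """Return ("approve" | "review" | "decline", reasons)."""
        p = self.policy
        decline: List[str] = []
        review: List[str] = []

        # Vendor controls: block list first, then the optional approved-vendor list.
        if txn.merchant in p.blocked_merchants:
            decline.append("merchant is blocked")
        elif p.allowed_merchants is not None and txn.merchant not in p.allowed_merchants:
            decline.append("merchant not on approved vendor list")

        # Transaction and daily limits, evaluated against approved spend so far.
        if txn.amount_cents > p.per_txn_limit_cents:
            decline.append("exceeds per-transaction limit")
        if self.spend_today[txn.card] + txn.amount_cents > p.daily_limit_cents:
            decline.append("would exceed daily limit")

        # Card-not-present items must carry a matching verification code and a
        # full address match; a partial or unavailable AVS result is held for
        # manual review rather than approved outright.
        if not txn.card_present:
            if not txn.cvv_match:
                decline.append("card verification code mismatch")
            if txn.avs_result == AVS_NO_MATCH:
                decline.append("address verification failed")
            elif txn.avs_result != AVS_FULL_MATCH:
                review.append(f"address verification partial or unavailable ({txn.avs_result})")

        if decline:
            return "decline", decline
        if review:
            return "review", review
        # Only approved amounts count toward the daily limit; held items are
        # re-evaluated when a reviewer releases them.
        self.spend_today[txn.card] += txn.amount_cents
        return "approve", ["all controls passed"]


def run_sample() -> Tuple[List[str], int]:
    """Run constructed transactions through a constructed policy; returns the
    decision per transaction and the card's approved spend afterwards."""
    policy = CardPolicy(
        per_txn_limit_cents=250_000,   # $2,500 per transaction (constructed)
        daily_limit_cents=500_000,     # $5,000 per day (constructed)
        blocked_merchants=frozenset({"CASINO-ONLINE"}),
    )
    engine = CardControls(policy)
    txns = [
        Transaction("tok-1", "OFFICE-DEPOT", 120_000, card_present=True),
        Transaction("tok-1", "CASINO-ONLINE", 5_000, card_present=True),
        Transaction("tok-1", "WEB-STORE", 90_000, card_present=False, avs_result="Y", cvv_match=True),
        Transaction("tok-1", "WEB-STORE", 40_000, card_present=False, avs_result="Z", cvv_match=True),
        Transaction("tok-1", "WEB-STORE", 40_000, card_present=False, avs_result="Y", cvv_match=False),
        Transaction("tok-1", "OFFICE-DEPOT", 300_000, card_present=True),
        Transaction("tok-1", "OFFICE-DEPOT", 250_000, card_present=True),
    ]
    decisions = [engine.evaluate(t)[0] for t in txns]
    return decisions, engine.spend_today["tok-1"]


if __name__ == "__main__":
    decisions, spend = run_sample()
    print(decisions, f"approved spend today: ${spend / 100:,.2f}")
```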
Impact of Cyberspace on Payments Fraud (slide 32)
Main Effects of Cyberspace on Payments Fraud (slide 33)
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
  Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases the velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud (slide 34)
Estimated cost of buying information & services online to perpetrate fraud (source: RSA Security Survey, September 2010)
Item                                                                                       Cost on Black Market, Estimate (2010)
Credit card                                                                                $1.50 – $3.00
SSN & date of birth (DOB)                                                                  $1.50 – $3.00
Full data set: credit card, CVV2 code, expiration date, username & password, address, SSN, DOB   $5 – $20
Online banking account (depends on account type & balance)                                 $50 – $1,000
Denial of service attack                                                                   $50 for 24 hours to a single target
Zeus Trojan virus kit                                                                      $3,000 – $4,000
Phishing Activity Targets by Industry (slide 35)
Chart: phishing targets by industry (source: APWG Phishing Activity Trends Report, 2nd Quarter 2010)

Fraud Prevention (slide 36)
Fraud Detection: More Is Needed (slide 37)
Chart: when fraud is usually detected, % of respondents (source: Information Security Media Group, 2010 Faces of Fraud Survey)
Customer notifies us: 76%
At the point of transaction: 48%
Third-party notification: 41%
At the point of origination: 26%
During account audit/reconciliation: 23%
Education & Technology Most Used to Detect & Prevent Fraud (slide 38)
Chart: most effective fraud prevention tools, % of respondents (source: Information Security Media Group, 2010 Faces of Fraud Survey)
Employee education: 77%
Customer awareness: 67%
Fraud tools & technologies: 58%
Real-time decision tools: 45%
Manual account monitoring: 28%

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations (slide 39)
Chart: corporate views on risk services used & their effectiveness (source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey Summary of Results). Each bar is split into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective" and "plan to use within 12 to 24 months"; only the total share using each service is recoverable here.
Online information services: 71% use
ACH debit blocks: 57% use
Check positive pay / reverse positive pay: 51% use
ACH debit filters: 49% use
Multi-factor authentication to initiate payments: 49% use
Check payee positive pay: 42% use
Account alert services: 36% use
Card alert services for corporate cards: 29% use
ACH positive pay: 28% use
ACH payee positive pay: 23% use
Post no check services: 22% use
Account masking services: 16% use
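As an added example, not from the presentation or the Federal Reserve survey, the matching logic behind two of the services on this slide: check payee positive pay, which compares each presented check with the issued-check file the company sent its bank, and an ACH debit filter, which returns any debit from an originator that is not on the authorized list or that exceeds the cap authorized for it. File layouts are simplified, and the issued checks, presented items, originator IDs and amounts are constructed.

```python
"""Added example of how two risk services on this slide make their
pay/return decisions: check payee positive pay and an ACH debit filter.
This is not code from the presentation or the survey; file layouts are
simplified and all checks, originators and amounts are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


def normalize_payee(name: str) -> str:
    """Fold case, punctuation and spacing so 'Acme Supply Co.' matches
    'ACME SUPPLY CO' but not a different payee."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split())


@dataclass(frozen=True)
class Check:
    number: int
    amount_cents: int
    payee: str


class CheckPositivePay:
    """Compares each check presented for payment with the issued-check file
    the company sent to its bank. Anything that does not match is an
    exception the company must decide on before the bank pays it."""

    def __init__(self, issued_file: Iterable[Check]) -> None:
        self.issued: Dict[int, Check] = {c.number: c for c in issued_file}
        self.paid: Set[int] = set()

    def decide(self, presented: Check) -> Tuple[str, str]:
        issued = self.issued.get(presented.number)
        if issued is None:
            return "exception", "check number not in issued file (possible counterfeit)"
        if presented.number in self.paid:
            return "exception", "check number already paid (duplicate presentment)"
        if issued.amount_cents != presented.amount_cents:
            return "exception", "amount differs from issued file (possible alteration)"
        if normalize_payee(issued.payee) != normalize_payee(presented.payee):
            return "exception", "payee differs from issued file (possible altered payee)"
        self.paid.add(presented.number)
        return "pay", "matches issued file"


@dataclass(frozen=True)
class AchDebit:
    originator_id: str   # company identification carried on the incoming debit entry
    amount_cents: int


class AchDebitFilter:
    """A debit block returns every incoming ACH debit; a debit filter adds an
    allow-list of originators, each with a cap per entry. Anything else is
    returned as unauthorized."""

    def __init__(self, authorized: Dict[str, int]) -> None:
        self.authorized = dict(authorized)   # originator_id -> max cents per entry

    def decide(self, debit: AchDebit) -> Tuple[str, str]:
        cap = self.authorized.get(debit.originator_id)
        if cap is None:
            return "return", "originator not on authorized list"
        if debit.amount_cents > cap:
            return "return", "amount exceeds cap authorized for this originator"
        return "post", "authorized originator within cap"


def run_sample() -> Tuple[List[str], List[str]]:
    """Constructed issued file, presented checks and ACH debits; returns the
    decision for each presented check and each debit, in order."""
    issued = [
        Check(1001, 125_000, "Acme Supply Co."),
        Check(1002, 8_900, "Metro Utilities"),
        Check(1003, 500_000, "J. Smith Consulting"),
    ]
    positive_pay = CheckPositivePay(issued)
    presented = [
        Check(1001, 125_000, "ACME SUPPLY CO"),     # genuine; only punctuation differs
        Check(1002, 89_000, "Metro Utilities"),     # amount altered
        Check(1003, 500_000, "Jane Doe"),           # payee altered
        Check(1004, 250_000, "Acme Supply Co."),    # number never issued
        Check(1001, 125_000, "Acme Supply Co."),    # genuine item presented a second time
    ]
    check_decisions = [positive_pay.decide(c)[0] for c in presented]

    ach_filter = AchDebitFilter({"1234567890": 2_000_000})   # one authorized originator, $20,000 cap
    debits = [
        AchDebit("1234567890", 150_000),     # authorized, within cap
        AchDebit("1234567890", 3_000_000),   # authorized originator but over cap
        AchDebit("9999999999", 1_000),       # unknown originator, however small
    ]
    ach_decisions = [ach_filter.decide(d)[0] for d in debits]
    return check_decisions, ach_decisions


if __name__ == "__main__":
    print(run_sample())
```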
Use & Effectiveness of Internal Controls by Corporations (slide 40)
Chart: corporate views on internal controls used & their effectiveness (source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey Summary of Results). Each bar is split into "use & very effective", "use & somewhat effective", "use & somewhat ineffective", "use & very ineffective" and "plan to use within 12 to 24 months"; only the total share using each control is recoverable here.
Human review of payment transactions: 65% use
Customer authentication for online transactions: 57% use
Centralized risk management department: 44% use
Positive ID of purchaser or account for POS transactions: 37% use
Fraud detection pen for currency: 32% use
Software with pattern matching or other indicators: 22% use
Verify customer state ID card is authentic: 18% use
Centralized fraud database for one payment type: 16% use
Centralized fraud database for multiple payment types: 11% use
Participate in fraudster databases & alerts: 8% use
Biometrics authentication: 8% use
Magnetic stripe or card chip authentication: 8% use
Barriers to More Effective Fraud Mitigation (slide 41)
Main barriers to reducing payments fraud, % of respondents (source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey Summary of Results)
Lack of staff resources: 53%
Consumer data privacy issues/concerns: 41%
Cost of implementing commercially available fraud detection tool/service: 41%
Cost of implementing in-house fraud detection tool/method: 38%
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
Unable to combine payment information for review due to operating in multiple states: 3%
Unable to combine payment information for review due to operating with multiple different banks: 3%
Corporate reluctance to share information due to competitive issues: 3%
Other: 15%
Conclusions (slide 42)
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions (slide 43)
Contact Information (slide 44)
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseid@mpls.frb.org, www.frbservices.org
Resources (slide 45)
Industry Links
• American Bankers Association, www.aba.com
• Association for Financial Professionals, www.afponline.org
• Bank Administration Institute, www.bai.org
• BITS, www.bitsinfo.org
• Credit Union National Association, www.cuna.org
• Board of Governors of the Federal Reserve System, www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO), www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov
• Federal Reserve Financial Services, www.frbservices.org
• Independent Community Bankers of America, www.icba.org
• National Automated Clearing House Association, www.nacha.org
• National Association of Federal Credit Unions, www.nafcunet.org
• X9 Financial Industry Standards, www.x9.org
Online Sales & Revenue Lost to Fraud (slide 46)
Chart: total e-commerce revenue and revenue lost to fraud, in $ billions, 2000–2010 (source: CyberSource 2011 Online Fraud Report)
Year   Total e-commerce revenue ($B)   Revenue lost to fraud ($B)
2000   41.7                            1.5
2001   53.1                            1.7
2002   72.4                            2.1
2003   111.8                           1.9
2004   144.4                           2.6
2005   175.0                           2.8
2006   221.4                           3.1
2007   264.3                           3.7
2008   285.7                           4.0
2009   275.0                           3.3
2010   300.0                           2.7
Relative Losses Declining Among Online Retail Sites (slide 47)
Chart: revenue lost to online fraud as a percentage of total online sales, with total online fraud losses in $ billions, 2000–2010 (source: CyberSource 2011 Online Fraud Report)
Year   Lost as % of online sales   Online fraud losses ($B)
2000   3.6%                        $1.5
2001   3.2%                        $1.7
2002   2.9%                        $2.1
2003   1.7%                        $1.9
2004   1.8%                        $2.6
2005   1.6%                        $2.8
2006   1.4%                        $3.1
2007   1.4%                        $3.7
2008   1.4%                        $4.0
2009   1.2%                        $3.3
2010   0.9%                        $2.7
Appendix A: Payments Fraud Liability Matrix (slide 48)
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

ACH: Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal authority: Reg. E, 12 CFR 205.6(b)(3)
  Who is liable: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if it notifies bank within 15 days after receiving statement.
  Legal authority: Reg. E, 12 CFR 205.6(b)(3); NACHA OR[3] Section 8.6.1
  Who is liable: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; the return deadline for debit items is set forth in NACHA OG[4] pages 102–103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg. E as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (slide 49)
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Check[5]: Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable, as there is a breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (slide 50)
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Check: Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Depository bank is liable, as there is a breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.

Check: Remotely created checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg. CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Appendix A: Payments Fraud Liability Matrix (slide 51)
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Credit Cards: Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg. Z, 12 CFR 226.12(b)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules[6]

Credit Cards: Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg. Z, 12 CFR 226.12(b)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (slide 52)
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Debit Cards: Card present (signature or PIN required)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg. E, 12 CFR 205.6(b)(1)
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg. E, 12 CFR 205.6(b)(2)
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg. E, 12 CFR 205.6(b)(3)
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard Rules
Appendix A: Payments Fraud Liability Matrix (slide 53)
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Debit Cards: Card not present (telephone or web initiated use)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal authority: Reg. E, 12 CFR 205.6(b)(1)
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg. E, 12 CFR 205.6(b)(2)
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg. E, 12 CFR 205.6(b)(3)
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary Sources[7]
Appendix A: Payments Fraud Liability Matrix (slide 54)
Columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority

Debit Cards: Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard, and settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA/MasterCard websites
  Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
  Legal authority: Reg. E, 12 CFR 205.14(b)(5)(v)
  Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice.
  Legal authority: Reg. E, 12 CFR 205.14(b)(5)(v)
  Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg. E, 12 CFR 205.14(b)(5)(v)
  Consumer protection: Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement.
  Legal authority: NACHA OR Section 8.6.1
  Who is liable: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
Card Fraud Losses
28
2009 card fraud losses estimated at $689 billion a 7 increase from 2008 (Pulse) 20 respondents experienced consumer creditdebit card
fraud 17 experienced corporatecommercial purchasing card fraud
Signature debit card fraud increased 43 PIN debit fraud loss rose by 24 Credit card fraud affected 65 million victims Debit card fraud affected 35 million victims
Source 2010 AFP Payments Fraud amp Control Study Pulse 2010 Debit Issuer Study
Payment Type Costs ($B)
Losses by online retailer due to credit card fraud $36
Losses by brick-and-mortar retailer due to debit amp credit card fraud $20
Cost of compliance with debit amp credit card security eg PCI $20 ndash $55
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud by Type of B2B Card
72
45
2723 23
70
10
20
30
40
50
60
70
80
Purchasing Card
TampE Card Multi-Use Card
Ghost Card Fleet Card Other
29
Source 2010 AFP Payments Fraud amp Control Survey
Type of Fraud of Respondents
Experienced Fraud from Own B2B Card Use 42
Experience Loss Due to Accepting B2B Card 16
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Stolen amp Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature Debit Fraud Losses
Account Takover
3
Stolen Card 21
Lost Card 9
Counterfeit 37
e-Commerce amp MOTO
25
Other 5
PIN Debit Fraud LossesAccount
Takeover 7
Stolen Card 45
Lost Card 7
Counterfeit 23
e-Commerce amp MOTO
6Other 12
30
Source ABA Deposit Account Fraud Survey Report - 2009
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Best Ways to Mitigate Card Fraud Risk
Use intelligent fraud prevention amp detection systems to identify high-risk transactions
Validate compliance with PCI standards Use real-time authorization amp address verification
systems Use check card verification codes amp secure payment
services for card-not-present acceptance Respond immediately to fraud amp chargeback issues Implement programs amp protective controls to prevent
misuse of corporate payment cards by employees Set transaction limits amp block unauthorized vendors Use payment tools that provide real-time spend visibility
amp detailed reporting
31
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Impact of Cyberspace on Payments Fraud
32
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraudmdasheg fraudulent payment used to buy goodsservices online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchasesmdash40 in-person amp 37 online (Javelin 2009 Identity Fraud Survey Report)
Increases velocity of payments fraud
33
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Cyberspace Crime Lowers the Cost of Payments Fraud
Source RSA Security Survey September 2010
Estimated cost of buying information amp services online to perpetrate fraud
34
Cost on Black Market Estimate (2010)
Credit Card $150 - $300
SSN amp Date of Birth (DOB) $150 - $300
Full data setCredit card CVV2 code expiration date username amp password address SSN DOB
$5 - $20
Online Banking AccountDepends on account type amp balance
$50 - $1000
Denial of Service Attack $50 for 24 hours tosingle target
Zeus Trojan Virus Kit $3000 - $4000
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Phishing Activity Targets by Industry
35
APWG Phishing Activity Trends Report 2nd Q 2010
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Prevention
36
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Detection More Is Needed
76
4841
26 23
0
10
20
30
40
50
60
70
80
90
100
Customer Notifies Us At the Point of transaction
Third-Party Notification
At the Point of Origination
During Account AuditReconciliation
When is Fraud Usually Detected
37
Source Information Security Media Group 2010 Faces of Fraud Survey
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Education amp Technology Most Used to Detect amp Prevent Fraud
77
6758
45
28
0
10
20
30
40
50
60
70
80
90
Employee Education Customer Awareness Fraud Tools amp Technologies
Real-Time Decision Tools
Manual Account Monitoring
Most Effective Fraud Prevention Tools
38
Source Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention
Top 3 internal controls considered effective
Authenticationauthorization for payment processes
Dual controls amp separation of duties
Audit amp management review to verify controls are applied
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used amp Effectiveness
39
16 Use
22 Use
23 Use
28 Use
29 Use
36 Use
42 Use
49 Use
49 Use
51 Use
57 Use
71 Use
Account masking services
Post no check services
ACH payee positive pay
ACH positive pay
Card alert services for corp cards
Account alert services
Check payee positive pay
Multi-factor authentication to initiate payments
ACH debit filters
Check positive payreverse positive pay
ACH debit blocks
Online information services
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types, and to a lesser extent fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions
Year   Total e-commerce ($B)   Revenue lost to fraud ($B)
2000   41.7    1.5
2001   53.1    1.7
2002   72.4    2.1
2003   111.8   1.9
2004   144.4   2.6
2005   175.0   2.8
2006   221.4   3.1
2007   264.3   3.7
2008   285.7   4.0
2009   275.0   3.3
2010   300.0   2.7
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
Year   Revenue lost to online fraud (% of online sales)   Online fraud losses ($B)
2000   3.6   1.5
2001   3.2   1.7
2002   2.9   2.1
2003   1.7   1.9
2004   1.8   2.6
2005   1.6   2.8
2006   1.4   3.1
2007   1.4   3.7
2008   1.4   4.0
2009   1.2   3.3
2010   0.9   2.7
Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

ACH: Credit Items (PPD)
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
• Legal authority: Reg E, 12 CFR 205.6(b)(3).
• Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
• Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if it notifies bank within 15 days after receiving statement.
• Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR[3] Section 8.6.1.
• Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
• Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG[4] pp. 102-103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Check[5]: Forged (counterfeit) check
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
• Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
• Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged drawer's signature
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
• Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
• Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
• Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged endorsement
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
• Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
• Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Check: Fraudulent Alteration
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
• Legal authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is breach of transfer or presentment warranties.
• Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check: Remotely Created Checks
• Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
• Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
• Legal authority: Reg CC, 12 CFR 229.34 contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.
Credit Cards: Card Present (signature or PIN required)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
• Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
• Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
• Legal authority: VISA and MasterCard Rules[6].

Credit Cards: Card not present (telephone or web initiated use)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
• Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a) and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
• Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
• Legal authority: VISA and MasterCard Rules.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit Cards: Card Present (signature or PIN required)
• Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
• Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1) (up to $50), 205.6(b)(2) (up to $500), 205.6(b)(3) (unlimited).
• Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
• Legal authority: VISA and MasterCard Rules.
Debit Cards: Card not present (telephone or web initiated use)
• Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
• Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.6(b)(1) (up to $50), 205.6(b)(2) (up to $500), 205.6(b)(3) (unlimited).
• Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
• Legal authority: Secondary Sources[7].
Debit Cards: Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
• Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement.
• Legal authority: VISA/MasterCard websites; Reg E, 12 CFR 205.14(b)(5)(v) (all three Reg E tiers); NACHA OR Section 8.6.1.
• Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debit Items. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud by Type of B2B Card
72
45
2723 23
70
10
20
30
40
50
60
70
80
Purchasing Card
TampE Card Multi-Use Card
Ghost Card Fleet Card Other
29
Source 2010 AFP Payments Fraud amp Control Survey
Type of Fraud of Respondents
Experienced Fraud from Own B2B Card Use 42
Experience Loss Due to Accepting B2B Card 16
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Stolen amp Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature Debit Fraud Losses
Account Takover
3
Stolen Card 21
Lost Card 9
Counterfeit 37
e-Commerce amp MOTO
25
Other 5
PIN Debit Fraud LossesAccount
Takeover 7
Stolen Card 45
Lost Card 7
Counterfeit 23
e-Commerce amp MOTO
6Other 12
30
Source ABA Deposit Account Fraud Survey Report - 2009
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Best Ways to Mitigate Card Fraud Risk
Use intelligent fraud prevention amp detection systems to identify high-risk transactions
Validate compliance with PCI standards Use real-time authorization amp address verification
systems Use check card verification codes amp secure payment
services for card-not-present acceptance Respond immediately to fraud amp chargeback issues Implement programs amp protective controls to prevent
misuse of corporate payment cards by employees Set transaction limits amp block unauthorized vendors Use payment tools that provide real-time spend visibility
amp detailed reporting
31
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Impact of Cyberspace on Payments Fraud
32
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraudmdasheg fraudulent payment used to buy goodsservices online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchasesmdash40 in-person amp 37 online (Javelin 2009 Identity Fraud Survey Report)
Increases velocity of payments fraud
33
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Cyberspace Crime Lowers the Cost of Payments Fraud
Source RSA Security Survey September 2010
Estimated cost of buying information amp services online to perpetrate fraud
34
Cost on Black Market Estimate (2010)
Credit Card $150 - $300
SSN amp Date of Birth (DOB) $150 - $300
Full data setCredit card CVV2 code expiration date username amp password address SSN DOB
$5 - $20
Online Banking AccountDepends on account type amp balance
$50 - $1000
Denial of Service Attack $50 for 24 hours tosingle target
Zeus Trojan Virus Kit $3000 - $4000
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Phishing Activity Targets by Industry
35
APWG Phishing Activity Trends Report 2nd Q 2010
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Prevention
36
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Detection More Is Needed
76
4841
26 23
0
10
20
30
40
50
60
70
80
90
100
Customer Notifies Us At the Point of transaction
Third-Party Notification
At the Point of Origination
During Account AuditReconciliation
When is Fraud Usually Detected
37
Source Information Security Media Group 2010 Faces of Fraud Survey
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Education amp Technology Most Used to Detect amp Prevent Fraud
77
6758
45
28
0
10
20
30
40
50
60
70
80
90
Employee Education Customer Awareness Fraud Tools amp Technologies
Real-Time Decision Tools
Manual Account Monitoring
Most Effective Fraud Prevention Tools
38
Source Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention
Top 3 internal controls considered effective
Authenticationauthorization for payment processes
Dual controls amp separation of duties
Audit amp management review to verify controls are applied
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used amp Effectiveness
39
16 Use
22 Use
23 Use
28 Use
29 Use
36 Use
42 Use
49 Use
49 Use
51 Use
57 Use
71 Use
Account masking services
Post no check services
ACH payee positive pay
ACH positive pay
Card alert services for corp cards
Account alert services
Check payee positive pay
Multi-factor authentication to initiate payments
ACH debit filters
Check positive payreverse positive pay
ACH debit blocks
Online information services
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
51
Payment Type: Credit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
Legal Authority: Truth in Lending Act ("TILA"), 15 U.S.C. 1643(a), and Reg Z, 12 CFR 226.12(b).
Who is liable (if cannot recover against fraudster or merchant): The Issuing Bank is generally liable for fraudulent transactions.
Legal Authority: VISA and MasterCard Rules (footnote 6).
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites.

Payment Type: Credit Cards
Subtype (Fraud Type): Card not present (telephone or web initiated use)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
Legal Authority: Truth in Lending Act ("TILA"), 15 U.S.C. 1643(a), and Reg Z, 12 CFR 226.12(b).
Who is liable (if cannot recover against fraudster or merchant): The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: VISA and MasterCard Rules.
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites.
6. The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
52
Payment Type: Debit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites.
Who is liable (if cannot recover against fraudster or merchant): The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
Legal Authority: VISA and MasterCard Rules.
Consumer Protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
Legal Authority: Reg E, 12 CFR 205.6(b)(1).
Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice.
Legal Authority: Reg E, 12 CFR 205.6(b)(2).
Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: Reg E, 12 CFR 205.6(b)(3).
53
Payment Type: Debit Cards
Subtype (Fraud Type): Card not Present (telephone or web initiated use)
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites.
Who is liable (if cannot recover against fraudster or merchant): The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: Secondary Sources (footnote 7).
Consumer Protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
Legal Authority: Reg E, 12 CFR 205.6(b)(1).
Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice.
Legal Authority: Reg E, 12 CFR 205.6(b)(2).
Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: Reg E, 12 CFR 205.6(b)(3).
54
Payment Type: Debit Cards
Subtype (Fraud Type): Decoupled Debit Cards (cards issued by an institution other than the bank in which consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to consumer's bank account)
Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal Authority: VISA/MasterCard websites.
Who is liable (if cannot recover against fraudster or merchant): Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
Consumer Protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v).
Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice.
Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v).
Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v).
Consumer Protection: Consumer has right of immediate recredit under NACHA Rules if notifies its bank within 15 days after receiving statement.
Legal Authority: NACHA OR Section 8.6.1.
Stolen & Counterfeit Cards Are Main Sources of Debit Fraud Losses
Signature Debit Fraud Losses (share of losses): Account Takeover 3%; Stolen Card 21%; Lost Card 9%; Counterfeit 37%; e-Commerce & MOTO 25%; Other 5%
PIN Debit Fraud Losses (share of losses): Account Takeover 7%; Stolen Card 45%; Lost Card 7%; Counterfeit 23%; e-Commerce & MOTO 6%; Other 12%
30
Source: ABA Deposit Account Fraud Survey Report - 2009
Best Ways to Mitigate Card Fraud Risk
• Use intelligent fraud prevention & detection systems to identify high-risk transactions
• Validate compliance with PCI standards
• Use real-time authorization & address verification systems
• Use check card verification codes & secure payment services for card-not-present acceptance
• Respond immediately to fraud & chargeback issues
• Implement programs & protective controls to prevent misuse of corporate payment cards by employees
• Set transaction limits & block unauthorized vendors
• Use payment tools that provide real-time spend visibility & detailed reporting
31
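The card-not-present controls on this slide (real-time authorization with address verification, card verification codes, transaction limits and vendor blocking) combined into one small rule-based screen, as an added example that is not part of the presentation or its authors' material. The field names, score weights, thresholds and sample transactions are all assumptions constructed for this example; in a real deployment the AVS and CVV results come back in the acquirer's authorization response rather than as pre-set flags.

```python
"""Card-not-present (CNP) authorization screen.

Added example (not code from the presentation): a small rule engine that
applies the controls listed on the slide: address verification (AVS),
card verification code (CVV2/CVC2) checks, per-transaction limits,
velocity limits and a vendor/merchant block list. Field names, weights,
thresholds and sample data are assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Transaction:
    txn_id: str
    card_token: str   # tokenized card reference, never the raw PAN
    amount: float
    merchant_id: str
    avs_match: bool   # billing address matched the issuer's record (assumed flag)
    cvv_match: bool   # card verification code matched (assumed flag)
    ts: int           # seconds since epoch (constructed)


@dataclass
class Policy:
    per_txn_limit: float = 2000.0          # assumed single-transaction ceiling
    velocity_window_s: int = 3600          # look-back window for velocity
    velocity_max_txns: int = 5             # prior attempts allowed in the window
    blocked_merchants: set = field(default_factory=set)
    review_threshold: int = 40             # score at which a human reviews
    decline_threshold: int = 70            # score at which we decline outright


class CnpRiskScreen:
    """Scores each transaction in real time and keeps per-card history."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self._history = defaultdict(list)  # card_token -> timestamps of prior attempts

    def score(self, txn: Transaction):
        """Return (score 0-100, reasons) without touching history."""
        p = self.policy
        if txn.merchant_id in p.blocked_merchants:
            return 100, ["blocked_merchant"]   # hard block, no further scoring
        score, reasons = 0, []
        if txn.amount > p.per_txn_limit:
            score += 40; reasons.append("over_limit")
        if not txn.cvv_match:
            score += 40; reasons.append("cvv_mismatch")
        if not txn.avs_match:
            score += 25; reasons.append("avs_mismatch")
        recent = [t for t in self._history[txn.card_token]
                  if txn.ts - t <= p.velocity_window_s]
        if len(recent) >= p.velocity_max_txns:
            score += 30; reasons.append("velocity")
        return min(score, 100), reasons

    def decide(self, txn: Transaction):
        """Return (decision, score, reasons) and record the attempt."""
        score, reasons = self.score(txn)
        self._history[txn.card_token].append(txn.ts)  # declined attempts count too
        if score >= self.policy.decline_threshold:
            decision = "decline"
        elif score >= self.policy.review_threshold:
            decision = "review"
        else:
            decision = "approve"
        return decision, score, reasons


def run_sample():
    """Run constructed transactions through the screen; returns {txn_id: (decision, score, reasons)}."""
    screen = CnpRiskScreen(Policy(blocked_merchants={"MERCH-BLOCKED-01"}))
    base = 1_700_000_000  # constructed epoch timestamp
    txns = [
        Transaction("T1", "tok-A", 120.00, "MERCH-01", True, True, base),
        Transaction("T2", "tok-A", 3500.00, "MERCH-01", True, True, base + 60),
        Transaction("T3", "tok-B", 80.00, "MERCH-02", False, False, base + 120),
        Transaction("T4", "tok-C", 15.00, "MERCH-BLOCKED-01", True, True, base + 180),
    ]
    # Five small purchases on one card inside the window, then a sixth with a
    # bad CVV: the pattern a stolen card shows when it is probed before a real spend.
    for i in range(5):
        txns.append(Transaction(f"T5-{i}", "tok-D", 9.99, "MERCH-03", True, True, base + 200 + i))
    txns.append(Transaction("T6", "tok-D", 9.99, "MERCH-03", True, False, base + 300))
    return {t.txn_id: screen.decide(t) for t in txns}


if __name__ == "__main__":
    for txn_id, (decision, score, reasons) in run_sample().items():
        print(f"{txn_id:5} {decision:8} score={score:3} {reasons}")
```

Each decision carries its reasons so the review queue and chargeback follow-up (the slide's "respond immediately" item) can see why a transaction was flagged. The velocity rule is what turns a burst of small test purchases on one card into a decline instead of a run of approvals; on its own a single CVV mismatch only routes to review.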
Impact of Cyberspace on Payments Fraud
32
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g., fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
• Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
33
Cyberspace Crime Lowers the Cost of Payments Fraud
Source: RSA Security Survey, September 2010
Estimated cost of buying information & services online to perpetrate fraud
34
Item: Cost on Black Market, Estimate (2010)
• Credit Card: $1.50 - $3.00
• SSN & Date of Birth (DOB): $1.50 - $3.00
• Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 - $20
• Online Banking Account (depends on account type & balance): $50 - $1000
• Denial of Service Attack: $50 for 24 hours to single target
• Zeus Trojan Virus Kit: $3000 - $4000
Phishing Activity Targets by Industry
35
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
36
Fraud Detection: More Is Needed
When is Fraud Usually Detected? (% of respondents)
• Customer Notifies Us: 76%
• At the Point of Transaction: 48%
• Third-Party Notification: 41%
• At the Point of Origination: 26%
• During Account Audit/Reconciliation: 23%
37
Source: Information Security Media Group 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most Effective Fraud Prevention Tools (% of respondents)
• Employee Education: 77%
• Customer Awareness: 67%
• Fraud Tools & Technologies: 58%
• Real-Time Decision Tools: 45%
• Manual Account Monitoring: 28%
38
Source: Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness
39
Risk service (% of corporations that use it):
• Account masking services: 16%
• Post no check services: 22%
• ACH payee positive pay: 23%
• ACH positive pay: 28%
• Card alert services for corp cards: 29%
• Account alert services: 36%
• Check payee positive pay: 42%
• Multi-factor authentication to initiate payments: 49%
• ACH debit filters: 49%
• Check positive pay/reverse positive pay: 51%
• ACH debit blocks: 57%
• Online information services: 71%
Chart legend (bar breakdown not reproduced): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey: Summary of Results
Use & Effectiveness of Internal Controls by Corporations
40
Internal control (% of corporations that use it):
• Magnetic stripe or card chip authentication: 8%
• Biometrics authentication: 8%
• Participate in fraudster databases & alerts: 8%
• Centralized fraud database for multiple pymt types: 11%
• Centralized fraud database for one pymt type: 16%
• Verify customer state ID card is authentic: 18%
• Software w/pattern matching or other indicators: 22%
• Fraud detection pen for currency: 32%
• Positive ID of purchaser or account for POS trx: 37%
• Centralized risk management department: 44%
• Customer authentication for online transactions: 57%
• Human review of payment transactions: 65%
Chart legend (bar breakdown not reproduced): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey: Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (% of respondents)
• Lack of staff resources: 53%
• Consumer data privacy issues/concerns: 41%
• Cost of implementing commercially available fraud detection tool/service: 41%
• Cost of implementing in-house fraud detection tool/method: 38%
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
• Unable to combine payment information for review due to operating in multiple states: 3%
• Unable to combine payment information for review due to operating with multiple different banks: 3%
• Corporate reluctance to share information due to competitive issues: 3%
• Other: 15%
41
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey: Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
42
Questions
43
Contact Information
44
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
45
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions:
Year   Total e-commerce revenue ($B)   Revenue lost to fraud ($B)
2000   41.7                            1.5
2001   53.1                            1.7
2002   72.4                            2.1
2003   111.8                           1.9
2004   144.4                           2.6
2005   175.0                           2.8
2006   221.4                           3.1
2007   264.3                           3.7
2008   285.7                           4.0
2009   275.0                           3.3
2010   300.0                           2.7
46
Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions):
Year   Revenue lost to online fraud (% of online sales)   Revenue lost ($B)
2000   3.6%                                                $1.5
2001   3.2%                                                $1.7
2002   2.9%                                                $2.1
2003   1.7%                                                $1.9
2004   1.8%                                                $2.6
2005   1.6%                                                $2.8
2006   1.4%                                                $3.1
2007   1.4%                                                $3.7
2008   1.4%                                                $4.0
2009   1.2%                                                $3.3
2010   0.9%                                                $2.7
47
Source: Cybersource 2011 Online Fraud Report
48
Payment Type: ACH
Subtype (Fraud Type): Credit Items (PPD)
Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement.
Legal Authority: Reg E, 12 CFR 205.6(b)(3).
Who is liable (if cannot recover against fraudster or merchant): Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit Items can be returned at any time.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

Payment Type: ACH
Subtype (Fraud Type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) (footnote 1)
Consumer Protection: $0. Consumer not liable if report fraud within 60 days after receiving statement. Consumer has right of immediate recredit if notifies bank within 15 days after receiving statement.
Legal Authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR (footnote 3) Section 8.6.1.
Who is liable (if cannot recover against fraudster or merchant): ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI (footnote 2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG (footnote 4), pages 102-103.
1. ARC means lockbox items pursuant to NACHA OR 3.7. POP means Point of Purchase conversion items pursuant to NACHA OR 3.8. BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
2. Receiving Depository Financial Institution.
3. NACHA Operating Rules (2009).
4. NACHA Operating Guidelines (2009). The number following OG refers to the page number.
49
Payment Type: Check (footnote 5)
Subtype (Fraud Type): Forged (counterfeit) check
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable (if cannot recover against fraudster or merchant): Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check
Subtype (Fraud Type): Forged drawer's signature
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable (if cannot recover against fraudster or merchant): Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check
Subtype (Fraud Type): Forged endorsement
Consumer Protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable (if cannot recover against fraudster or merchant): Depository bank is liable, as there is breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.
5. These protections also apply to business checks.
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Best Ways to Mitigate Card Fraud Risk
Use intelligent fraud prevention amp detection systems to identify high-risk transactions
Validate compliance with PCI standards Use real-time authorization amp address verification
systems Use check card verification codes amp secure payment
services for card-not-present acceptance Respond immediately to fraud amp chargeback issues Implement programs amp protective controls to prevent
misuse of corporate payment cards by employees Set transaction limits amp block unauthorized vendors Use payment tools that provide real-time spend visibility
amp detailed reporting
31
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Impact of Cyberspace on Payments Fraud
32
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraudmdasheg fraudulent payment used to buy goodsservices online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchasesmdash40 in-person amp 37 online (Javelin 2009 Identity Fraud Survey Report)
Increases velocity of payments fraud
33
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Cyberspace Crime Lowers the Cost of Payments Fraud
Source: RSA Security Survey, September 2010
Estimated cost of buying information & services online to perpetrate fraud (cost on black market, estimate for 2010):
• Credit card: $1.50 - $3.00
• SSN & Date of Birth (DOB): $1.50 - $3.00
• Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 - $20
• Online banking account (depends on account type & balance): $50 - $1,000
• Denial of Service attack: $50 for 24 hours to a single target
• Zeus Trojan virus kit: $3,000 - $4,000
Phishing Activity Targets by Industry
Source: APWG Phishing Activity Trends Report, 2nd Q 2010
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (% of respondents)
• Customer notifies us: 76%
• At the point of transaction: 48%
• Third-party notification: 41%
• At the point of origination: 26%
• During account audit/reconciliation: 23%
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (% of respondents)
• Employee education: 77%
• Customer awareness: 67%
• Fraud tools & technologies: 58%
• Real-time decision tools: 45%
• Manual account monitoring: 28%
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & their effectiveness (% of corporations using each service)
• Account masking services: 16%
• Post no check services: 22%
• ACH payee positive pay: 23%
• ACH positive pay: 28%
• Card alert services for corporate cards: 29%
• Account alert services: 36%
• Check payee positive pay: 42%
• Multi-factor authentication to initiate payments: 49%
• ACH debit filters: 49%
• Check positive pay / reverse positive pay: 51%
• ACH debit blocks: 57%
• Online information services: 71%
Chart legend (effectiveness rating for each service): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
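The ACH debit filter, ACH debit block, check positive pay and check payee positive pay services listed above, like the "set transaction limits & block unauthorized vendors" control on the card slide, all work as exception screens: an item that does not match what the company told its bank to expect is held for review rather than paid. The following is an added illustration of that screening logic, not code from the presentation, the Federal Reserve or any bank's product; the record layouts, field names and every sample item are constructed for the example.

```python
"""Exception-based screening for ACH debit filters and check positive pay.

Added illustration for the services named in the survey (ACH debit filters /
debit blocks, check positive pay, check payee positive pay); it is not code
from the presentation, the Federal Reserve, or any bank's product. Record
layouts, field names and every sample item below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class AchDebit:
    company_id: str      # originator's ACH company ID as received
    amount: Decimal
    sec_code: str        # standard entry class, e.g. "CCD", "PPD", "WEB"


@dataclass(frozen=True)
class PresentedCheck:
    check_number: str
    amount: Decimal
    payee: str           # payee name as read from the presented item


@dataclass
class IssuedCheck:
    check_number: str
    amount: Decimal
    payee: str
    paid: bool = False   # set once a matching presentment has been accepted


@dataclass(frozen=True)
class Decision:
    action: str          # "pay" or "exception" (exception = route to a reviewer for pay/return)
    reason: str


def normalize_payee(name: str) -> str:
    """Compare payees case- and punctuation-insensitively ('Acme Supply Co.' == 'ACME SUPPLY CO')."""
    kept = "".join(c for c in name.upper() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


def screen_ach_debit(item: AchDebit, allowed: Dict[str, Decimal]) -> Decision:
    """ACH debit filter: pay only originators on the allow-list, and only up to
    the per-originator cap. An empty allow-list behaves as a full ACH debit block."""
    cap = allowed.get(item.company_id)
    if cap is None:
        return Decision("exception", f"originator {item.company_id} not on debit filter")
    if item.amount > cap:
        return Decision("exception",
                        f"amount {item.amount} exceeds cap {cap} for originator {item.company_id}")
    return Decision("pay", "originator authorized within cap")


def screen_check(item: PresentedCheck, issued: Dict[str, IssuedCheck],
                 payee_match: bool = True) -> Decision:
    """Check positive pay: a presented item must match the issued-check file on
    number and amount and must not have been paid already; with payee_match=True
    (payee positive pay) the payee name must match as well."""
    rec = issued.get(item.check_number)
    if rec is None:
        return Decision("exception", f"check {item.check_number} not in issued file")
    if rec.paid:
        return Decision("exception", f"check {item.check_number} already paid (duplicate presentment)")
    if rec.amount != item.amount:
        return Decision("exception",
                        f"check {item.check_number} amount {item.amount} differs from issued {rec.amount}")
    if payee_match and normalize_payee(rec.payee) != normalize_payee(item.payee):
        return Decision("exception", f"check {item.check_number} payee does not match issued payee")
    rec.paid = True      # consume the issued record so a second presentment is flagged
    return Decision("pay", "matches issued record")


def run_sample() -> List[str]:
    """Screen one constructed day's items and return the exception reasons, in order."""
    allowed = {"1234567890": Decimal("5000.00"),   # constructed: payroll processor
               "9876543210": Decimal("250.00")}    # constructed: utility
    debits = [
        AchDebit("1234567890", Decimal("4200.00"), "CCD"),   # within cap -> pay
        AchDebit("9876543210", Decimal("900.00"), "CCD"),    # over cap -> exception
        AchDebit("5555555555", Decimal("49.99"), "WEB"),     # unknown originator -> exception
    ]
    issued = {c.check_number: c for c in (
        IssuedCheck("1001", Decimal("1500.00"), "Acme Supply Co."),
        IssuedCheck("1002", Decimal("320.45"), "Jane Doe"),
    )}
    presented = [
        PresentedCheck("1001", Decimal("1500.00"), "ACME SUPPLY CO"),  # clean match -> pay
        PresentedCheck("1002", Decimal("320.45"), "John Smith"),      # altered payee -> exception
        PresentedCheck("1001", Decimal("1500.00"), "ACME SUPPLY CO"),  # second presentment -> exception
        PresentedCheck("2001", Decimal("8800.00"), "Cash"),           # not in issued file -> exception
    ]
    decisions = [screen_ach_debit(d, allowed) for d in debits]
    decisions += [screen_check(p, issued) for p in presented]
    return [d.reason for d in decisions if d.action == "exception"]


if __name__ == "__main__":
    for reason in run_sample():
        print("EXCEPTION:", reason)
```

Plain positive pay (payee_match=False) would let the altered-payee item through, which is the gap payee positive pay closes.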
Use & Effectiveness of Internal Controls by Corporations
(% of corporations using each control)
• Magnetic stripe or card chip authentication: 8%
• Biometrics authentication: 8%
• Participate in fraudster databases & alerts: 8%
• Centralized fraud database for multiple payment types: 11%
• Centralized fraud database for one payment type: 16%
• Verify customer state ID card is authentic: 18%
• Software with pattern matching or other indicators: 22%
• Fraud detection pen for currency: 32%
• Positive ID of purchaser or account for POS transactions: 37%
• Centralized risk management department: 44%
• Customer authentication for online transactions: 57%
• Human review of payment transactions: 65%
Chart legend (effectiveness rating for each control): Use & very effective; Use & somewhat effective; Use & somewhat ineffective; Use & very ineffective; Plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (% of respondents)
• Lack of staff resources: 53%
• Consumer data privacy issues/concerns: 41%
• Cost of implementing commercially available fraud detection tool/service: 41%
• Cost of implementing in-house fraud detection tool/method: 38%
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
• Unable to combine payment information for review due to operating in multiple states: 3%
• Unable to combine payment information for review due to operating with multiple different banks: 3%
• Corporate reluctance to share information due to competitive issues: 3%
• Other: 15%
Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
• Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
• Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
• Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
• Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce sales and revenue lost to fraud, in $ billions:
Year   Total e-commerce ($B)   Revenue lost to fraud ($B)
2000   41.7                    1.5
2001   53.1                    1.7
2002   72.4                    2.1
2003   111.8                   1.9
2004   144.4                   2.6
2005   175.0                   2.8
2006   221.4                   3.1
2007   264.3                   3.7
2008   285.7                   4.0
2009   275.0                   3.3
2010   300.0                   2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions):
Year   Revenue lost to online fraud (% of online sales)   Online fraud losses ($B)
2000   3.6%                                               $1.5
2001   3.2%                                               $1.7
2002   2.9%                                               $2.1
2003   1.7%                                               $1.9
2004   1.8%                                               $2.6
2005   1.6%                                               $2.8
2006   1.4%                                               $3.1
2007   1.4%                                               $3.7
2008   1.4%                                               $4.0
2009   1.2%                                               $3.3
2010   0.9%                                               $2.7
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
For each payment type and subtype (fraud type), the matrix gives the consumer protection and its legal authority, then who is liable if the loss cannot be recovered against the fraudster or merchant and that rule's legal authority.

ACH: Credit Items (PPD)
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Legal authority: Reg E, 12 CFR 205.6(b)(3)
• Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time. Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; return deadline for credit items is set forth in NACHA OR 6.1.4

ACH: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
• Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Legal authority: Reg E, 12 CFR 205.6(b)(3)
• Consumer protection: Consumer has right of immediate recredit if it notifies bank within 15 days after receiving statement. Legal authority: NACHA OR[3] Section 8.6.1
• Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network. Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3; return deadline for debit items is set forth in NACHA OG[4] 102, 103

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (continued)

Check[5]: Forged (counterfeit) check
• Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208

Check: Forged drawer's signature
• Consumer protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report)

Check: Forged endorsement
• Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207

[5] These protections also apply to business checks.
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (continued)

Check: Fraudulent alteration
• Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 3-407, UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery. Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207; UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report)

Check: Remotely created checks
• Consumer protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit amount of the fraudulent check.
• Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks. Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (continued)

Credit Cards: Card present (signature or PIN required)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
• Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites
• Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions. Legal authority: VISA and MasterCard Rules[6]

Credit Cards: Card not present (telephone or web initiated use)
• Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
• Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites
• Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: VISA and MasterCard Rules

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards: Card present (signature or PIN required)
• Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites
• Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1)
• Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2)
• Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3)
• Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN. Legal authority: VISA and MasterCard Rules

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards: Card not present (telephone or web initiated use)
• Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites
• Consumer protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.6(b)(1)
• Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice. Legal authority: Reg E, 12 CFR 205.6(b)(2)
• Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.6(b)(3)
• Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. Legal authority: Secondary sources[7]

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (continued)

Debit Cards: Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
• Consumer protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely. Legal authority: VISA/MasterCard websites
• Consumer protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
• Consumer protection: Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice. Legal authority: Reg E, 12 CFR 20146(b)(5)(v)
• Consumer protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. Legal authority: Reg E, 12 CFR 205.14(b)(5)(v)
• Consumer protection: Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement. Legal authority: NACHA OR Section 8.6.1
• Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Impact of Cyberspace on Payments Fraud
32
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Main Effects of Cyberspace on Payments Fraud
Another environment for direct payments fraudmdasheg fraudulent payment used to buy goodsservices online
Facilitates cyber crimes central to committing other types of payments fraud later
Stolen data used to make purchasesmdash40 in-person amp 37 online (Javelin 2009 Identity Fraud Survey Report)
Increases velocity of payments fraud
33
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Cyberspace Crime Lowers the Cost of Payments Fraud
Source RSA Security Survey September 2010
Estimated cost of buying information amp services online to perpetrate fraud
34
Cost on Black Market Estimate (2010)
Credit Card $150 - $300
SSN amp Date of Birth (DOB) $150 - $300
Full data setCredit card CVV2 code expiration date username amp password address SSN DOB
$5 - $20
Online Banking AccountDepends on account type amp balance
$50 - $1000
Denial of Service Attack $50 for 24 hours tosingle target
Zeus Trojan Virus Kit $3000 - $4000
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Phishing Activity Targets by Industry
35
APWG Phishing Activity Trends Report 2nd Q 2010
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Prevention
36
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Detection More Is Needed
76
4841
26 23
0
10
20
30
40
50
60
70
80
90
100
Customer Notifies Us At the Point of transaction
Third-Party Notification
At the Point of Origination
During Account AuditReconciliation
When is Fraud Usually Detected
37
Source Information Security Media Group 2010 Faces of Fraud Survey
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Education amp Technology Most Used to Detect amp Prevent Fraud
77
6758
45
28
0
10
20
30
40
50
60
70
80
90
Employee Education Customer Awareness Fraud Tools amp Technologies
Real-Time Decision Tools
Manual Account Monitoring
Most Effective Fraud Prevention Tools
38
Source Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention
Top 3 internal controls considered effective
Authenticationauthorization for payment processes
Dual controls amp separation of duties
Audit amp management review to verify controls are applied
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used amp Effectiveness
39
16 Use
22 Use
23 Use
28 Use
29 Use
36 Use
42 Use
49 Use
49 Use
51 Use
57 Use
71 Use
Account masking services
Post no check services
ACH payee positive pay
ACH positive pay
Card alert services for corp cards
Account alert services
Check payee positive pay
Multi-factor authentication to initiate payments
ACH debit filters
Check positive payreverse positive pay
ACH debit blocks
Online information services
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Appendix A: Payments Fraud Liability Matrix

ACH: Credit Items (PPD)
  Consumer protection: $0. Consumer is not liable if the fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of the warranty that the item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH: Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer protection: $0. Consumer is not liable if the fraud is reported within 60 days after receiving the statement. Consumer has a right of immediate recredit if the consumer notifies the bank within 15 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR [3] Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: The ODFI is liable for breach of the warranty that the item is authorized. The ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG [4] 102, 103.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Check [5]: Forged (counterfeit) check
  Consumer protection: $0. Consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged drawer's signature
  Consumer protection: $0. Consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The paying bank is liable, as there is no breach of presentment warranty. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).

Check: Forged endorsement
  Consumer protection: $0. Consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The depository bank is liable, as there is a breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Check: Fraudulent alteration
  Consumer protection: $0. Consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The depository bank is liable, as there is a breach of transfer or presentment warranties. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).

Check: Remotely created checks
  Consumer protection: $0. Consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.
Credit Cards: Card present (signature or PIN required)
  Consumer protection and legal authority:
  • $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules [6].

Credit Cards: Card not present (telephone or web initiated use)
  Consumer protection and legal authority:
  • $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit Cards: Card present (signature or PIN required)
  Consumer protection and legal authority:
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  • Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.6(b)(1))
  • Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.6(b)(2))
  • Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.6(b)(3))
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard Rules.
Debit Cards: Card not present (telephone or web initiated use)
  Consumer protection and legal authority:
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  • Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.6(b)(1))
  • Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.6(b)(2))
  • Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.6(b)(3))
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary sources [7].
Debit Cards: Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection and legal authority:
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  • Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.14(b)(5)(v))
  • Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.14(b)(5)(v))
  • Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.14(b)(5)(v))
  • Consumer has a right of immediate recredit under NACHA Rules if the consumer notifies its bank within 15 days after receiving the statement. (NACHA OR Section 8.6.1)
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH debit items. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, either the Card Issuer or the Acquiring Bank is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.
Main Effects of Cyberspace on Payments Fraud
• Another environment for direct payments fraud, e.g. a fraudulent payment used to buy goods/services online
• Facilitates cyber crimes central to committing other types of payments fraud later
  • Stolen data used to make purchases: 40% in-person & 37% online (Javelin 2009 Identity Fraud Survey Report)
• Increases velocity of payments fraud
Cyberspace Crime Lowers the Cost of Payments Fraud
Estimated cost of buying information & services online to perpetrate fraud (Source: RSA Security Survey, September 2010)

Cost on black market, estimate (2010):
• Credit card: $1.50 - $3.00
• SSN & Date of Birth (DOB): $1.50 - $3.00
• Full data set (credit card, CVV2 code, expiration date, username & password, address, SSN, DOB): $5 - $20
• Online banking account (depends on account type & balance): $50 - $1,000
• Denial of Service attack: $50 for 24 hours to a single target
• Zeus Trojan virus kit: $3,000 - $4,000
Phishing Activity Targets by Industry (chart; source: APWG Phishing Activity Trends Report, 2nd Q 2010)
Fraud Prevention
Fraud Detection: More Is Needed
When is fraud usually detected? (percent of respondents)
• Customer notifies us: 76%
• At the point of transaction: 48%
• Third-party notification: 41%
• At the point of origination: 26%
• During account audit/reconciliation: 23%
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
Most effective fraud prevention tools (percent of respondents)
• Employee education: 77%
• Customer awareness: 67%
• Fraud tools & technologies: 58%
• Real-time decision tools: 45%
• Manual account monitoring: 28%
Source: Information Security Media Group, 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
• Authentication/authorization for payment processes
• Dual controls & separation of duties
• Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
Corporate views on risk services used & effectiveness (percent of corporations using each service; the chart also breaks use down into use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, and plan to use w/in 12 to 24 months)
• Account masking services: 16% use
• Post no check services: 22% use
• ACH payee positive pay: 23% use
• ACH positive pay: 28% use
• Card alert services for corporate cards: 29% use
• Account alert services: 36% use
• Check payee positive pay: 42% use
• Multi-factor authentication to initiate payments: 49% use
• ACH debit filters: 49% use
• Check positive pay/reverse positive pay: 51% use
• ACH debit blocks: 57% use
• Online information services: 71% use
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Use & Effectiveness of Internal Controls by Corporations
(percent of corporations using each control; the chart also breaks use down into use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, and plan to use w/in 12 to 24 months)
• Magnetic stripe or card chip authentication: 8% use
• Biometrics authentication: 8% use
• Participate in fraudster databases & alerts: 8% use
• Centralized fraud database for multiple payment types: 11% use
• Centralized fraud database for one payment type: 16% use
• Verify customer state ID card is authentic: 18% use
• Software w/ pattern matching or other indicators: 22% use
• Fraud detection pen for currency: 32% use
• Positive ID of purchaser or account for POS transactions: 37% use
• Centralized risk management department: 44% use
• Customer authentication for online transactions: 57% use
• Human review of payment transactions: 65% use
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Barriers to More Effective Fraud Mitigation
Main barriers to reducing payments fraud (percent of respondents)
• Lack of staff resources: 53%
• Consumer data privacy issues/concerns: 41%
• Cost of implementing commercially available fraud detection tool/service: 41%
• Cost of implementing in-house fraud detection tool/method: 38%
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
• Unable to combine payment information for review due to operating in multiple states: 3%
• Unable to combine payment information for review due to operating with multiple different banks: 3%
• Corporate reluctance to share information due to competitive issues: 3%
• Other: 15%
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests U.S. payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types &, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate.

Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry links:
• American Bankers Association, www.aba.com
• Association for Financial Professionals, www.afponline.org
• Bank Administration Institute, www.bai.org
• BITS, www.bitsinfo.org
• Credit Union National Association, www.cuna.org
• Board of Governors of the Federal Reserve System, www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO), www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov
• Federal Reserve Financial Services, www.frbservices.org
• Independent Community Bankers of America, www.icba.org
• National Automated Clearing House Association, www.nacha.org
• National Association of Federal Credit Unions, www.nafcunet.org
• X9 Financial Industry Standards, www.x9.org
Online Sales & Revenue Lost to Fraud
Total e-commerce revenue and revenue lost to fraud, in $ billions:

Year   Total e-commerce revenue ($B)   Revenue lost to fraud ($B)
2000   41.7                            1.5
2001   53.1                            1.7
2002   72.4                            2.1
2003   111.8                           1.9
2004   144.4                           2.6
2005   175.0                           2.8
2006   221.4                           3.1
2007   264.3                           3.7
2008   285.7                           4.0
2009   275.0                           3.3
2010   300.0                           2.7

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions):

Year   Revenue lost to online fraud (% of online sales)   Online fraud losses ($B)
2000   3.6%                                              1.5
2001   3.2%                                              1.7
2002   2.9%                                              2.1
2003   1.7%                                              1.9
2004   1.8%                                              2.6
2005   1.6%                                              2.8
2006   1.4%                                              3.1
2007   1.4%                                              3.7
2008   1.4%                                              4.0
2009   1.2%                                              3.3
2010   0.9%                                              2.7

Source: Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
Cyberspace Crime Lowers the Cost of Payments Fraud

Estimated cost of buying information and services online to perpetrate fraud (black market estimates, 2010):

  Credit card: $1.50 - $3.00
  SSN and date of birth (DOB): $1.50 - $3.00
  Full data set (credit card, CVV2 code, expiration date, username and password, address, SSN, DOB): $5 - $20
  Online banking account (depends on account type and balance): $50 - $1,000
  Denial of service attack: $50 for 24 hours against a single target
  Zeus Trojan virus kit: $3,000 - $4,000

Source: RSA Security survey, September 2010
Phishing Activity Targets by Industry

(Chart of phishing activity by targeted industry; source: APWG Phishing Activity Trends Report, 2nd Quarter 2010.)

Fraud Prevention
Fraud Detection: More Is Needed

When is fraud usually detected? (percent of respondents)

  Customer notifies us: 76%
  At the point of transaction: 48%
  Third-party notification: 41%
  At the point of origination: 26%
  During account audit/reconciliation: 23%

Fraud is most often reported by the customer or a third party after the fact rather than caught by the organization's own controls at origination or at the point of transaction, which is why more detection is needed.

Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education and Technology Most Used to Detect and Prevent Fraud

Most effective fraud prevention tools (percent of respondents)

  Employee education: 77%
  Customer awareness: 67%
  Fraud tools and technologies: 58%
  Real-time decision tools: 45%
  Manual account monitoring: 28%

Source: Information Security Media Group, 2010 Faces of Fraud Survey

Internal controls are central to fraud prevention. The top three internal controls considered effective:

  1. Authentication and authorization for payment processes
  2. Dual controls and separation of duties
  3. Audit and management review to verify that controls are applied
Use and Effectiveness of Risk Services by Corporations

Corporate views on risk services used and their effectiveness. Figures are the share of corporate respondents using each service; the original chart also split each bar into "use and very effective", "use and somewhat effective", "use and somewhat ineffective", "use and very ineffective" and "plan to use within 12 to 24 months", and only the overall usage share is given here.

  Online information services: 71%
  ACH debit blocks: 57%
  Check positive pay / reverse positive pay: 51%
  Multi-factor authentication to initiate payments: 49%
  ACH debit filters: 49%
  Check payee positive pay: 42%
  Account alert services: 36%
  Card alert services for corporate cards: 29%
  ACH positive pay: 28%
  ACH payee positive pay: 23%
  Post no check services: 22%
  Account masking services: 16%

Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
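Three of the services in the list above, ACH debit blocks, ACH debit filters and ACH positive pay, are easy to confuse because all three start from the same allowlist of originators. The example below is added here to show the difference and is not code from the presentation or from any bank's product; the entry fields, the Authorization rule shape, the mode names and the sample batch are constructed for illustration. A block returns every debit; a filter posts only debits from an authorized originator within its cap and auto-returns the rest; positive pay turns the non-matching debits into exceptions for the account holder to decide, with return as the default at cut-off.

```python
# Added example, not from the presentation: ACH debit block, debit filter and
# positive pay as decision rules run over a constructed batch of incoming ACH
# debit entries. Field names, the Authorization rule shape and the sample data
# are assumptions made for illustration.
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Callable, Dict, List, Optional


class Decision(Enum):
    PAY = "pay"              # post the debit to the account
    RETURN = "return"        # return unpaid (NACHA return reason R29: corporate customer advises not authorized)
    EXCEPTION = "exception"  # hold and ask the account holder to decide before the return deadline


@dataclass(frozen=True)
class AchDebit:
    trace: str         # trace number from the entry detail record
    company_id: str    # originator's company identification from the batch header
    company_name: str
    amount: Decimal


@dataclass(frozen=True)
class Authorization:
    """One originator the account holder has told its bank may debit the account."""
    company_id: str
    max_amount: Optional[Decimal] = None  # per-entry cap; None means no cap


def ach_debit_block(entry: AchDebit) -> Decision:
    """Debit block: no ACH debit is ever posted, whoever originates it."""
    return Decision.RETURN


def ach_debit_filter(entry: AchDebit, auths: Dict[str, Authorization]) -> Decision:
    """Debit filter: post only debits from an authorized originator within its cap;
    everything else is returned automatically, with no human in the loop."""
    auth = auths.get(entry.company_id)
    if auth is None:
        return Decision.RETURN
    if auth.max_amount is not None and entry.amount > auth.max_amount:
        return Decision.RETURN
    return Decision.PAY


def ach_positive_pay(entry: AchDebit, auths: Dict[str, Authorization]) -> Decision:
    """Positive pay: same allowlist as the filter, but a non-matching debit is
    presented as an exception for a pay/return decision instead of auto-returned."""
    if ach_debit_filter(entry, auths) is Decision.PAY:
        return Decision.PAY
    return Decision.EXCEPTION


def run_batch(entries: List[AchDebit], auths: Dict[str, Authorization],
              mode: str) -> Dict[str, Decision]:
    """Apply one control to a whole batch; returns trace number -> decision."""
    rules: Dict[str, Callable[[AchDebit], Decision]] = {
        "block": ach_debit_block,
        "filter": lambda e: ach_debit_filter(e, auths),
        "positive_pay": lambda e: ach_positive_pay(e, auths),
    }
    return {e.trace: rules[mode](e) for e in entries}


def resolve_exceptions(decisions: Dict[str, Decision], choices: Dict[str, Decision],
                       default: Decision = Decision.RETURN) -> Dict[str, Decision]:
    """Apply the account holder's choices to exception items. Anything still
    undecided at the bank's cut-off gets the default, which should be RETURN:
    a default of PAY turns positive pay back into an ordinary open account."""
    resolved: Dict[str, Decision] = {}
    for trace, decision in decisions.items():
        if decision is not Decision.EXCEPTION:
            resolved[trace] = decision
            continue
        chosen = choices.get(trace, default)
        if chosen is Decision.EXCEPTION:
            raise ValueError(f"exception {trace} must resolve to PAY or RETURN")
        resolved[trace] = chosen
    return resolved


# Constructed sample data: two authorized originators and a four-entry batch.
SAMPLE_AUTHS = {
    "1234567890": Authorization("1234567890"),                                 # payroll provider, no cap
    "9876543210": Authorization("9876543210", max_amount=Decimal("1000.00")),  # utility, capped
}
SAMPLE_BATCH = [
    AchDebit("0001", "1234567890", "PAYROLL CO", Decimal("12500.00")),   # authorized
    AchDebit("0002", "9876543210", "CITY UTILITY", Decimal("640.10")),   # authorized, under cap
    AchDebit("0003", "9876543210", "CITY UTILITY", Decimal("4200.00")),  # authorized originator, over cap
    AchDebit("0004", "5555555555", "ACME BILLING", Decimal("9.99")),     # unknown originator: low-value probe
]

if __name__ == "__main__":
    for mode in ("block", "filter", "positive_pay"):
        print(mode, {t: d.value for t, d in run_batch(SAMPLE_BATCH, SAMPLE_AUTHS, mode).items()})
    held = run_batch(SAMPLE_BATCH, SAMPLE_AUTHS, "positive_pay")
    # The account holder confirms the large utility debit; the probe is returned at cut-off.
    print("resolved", {t: d.value for t, d in resolve_exceptions(held, {"0003": Decision.PAY}).items()})
```

The low-value unknown debit in the sample is the case worth watching: a filter returns it silently, while positive pay surfaces it to a person, which is also the moment to check whether the originator has been seen before on any other account.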
Use and Effectiveness of Internal Controls by Corporations

Share of corporate respondents using each control; as on the previous chart, the split into very effective through very ineffective and "plan to use within 12 to 24 months" is not reproduced here.

  Human review of payment transactions: 65%
  Customer authentication for online transactions: 57%
  Centralized risk management department: 44%
  Positive ID of purchaser or account for POS transactions: 37%
  Fraud detection pen for currency: 32%
  Software with pattern matching or other indicators: 22%
  Verify that the customer's state ID card is authentic: 18%
  Centralized fraud database for one payment type: 16%
  Centralized fraud database for multiple payment types: 11%
  Participate in fraudster databases and alerts: 8%
  Biometric authentication: 8%
  Magnetic stripe or card chip authentication: 8%

Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation

Main barriers to reducing payments fraud (percent of respondents)

  Lack of staff resources: 53%
  Consumer data privacy issues/concerns: 41%
  Cost of implementing a commercially available fraud detection tool/service: 41%
  Cost of implementing an in-house fraud detection tool/method: 38%
  Lack of a compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
  Unable to combine payment information for review because of operating in multiple states: 3%
  Unable to combine payment information for review because of operating with multiple different banks: 3%
  Corporate reluctance to share information because of competitive issues: 3%
  Other: 15%

Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Conclusions

1. Any level of payments fraud is undesirable, but aggregate data suggests that US payments fraud is mitigated reasonably well today.
2. Fraud attacks are nonetheless growing in most payment types, and to a lesser extent so are fraud-related losses, so companies, FIs and others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet and other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" and practices to prevent and detect payments fraud is always more effective than a single-threaded strategy.
6. Review the results of the fraud risk management program regularly to assess its effectiveness and to adapt "tools" and practices as appropriate.
Contact Information

  Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, brad.larson@claires.com
  Terry Crawford, Senior Vice President and Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
  Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerl.rossi@ngc.com
  Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org

Resources: Industry Links

  American Bankers Association: www.aba.com
  Association for Financial Professionals: www.afponline.org
  Bank Administration Institute: www.bai.org
  BITS: www.bitsinfo.org
  Credit Union National Association: www.cuna.org
  Board of Governors of the Federal Reserve System: www.federalreserve.gov
  Electronic Check Clearing House Organization (ECCHO): www.eccho.com
  Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
  Federal Reserve Financial Services: www.frbservices.org
  Independent Community Bankers of America: www.icba.org
  National Automated Clearing House Association: www.nacha.org
  National Association of Federal Credit Unions: www.nafcunet.org
  X9 Financial Industry Standards: www.x9.org
Online Sales and Revenue Lost to Fraud; Relative Losses Declining Among Online Retail Sites

Chart data from the two slides, combined. Amounts are in $ billions; the loss rate is revenue lost to online fraud as a percentage of total online sales (decimal points, lost in extraction, are restored so that each row's losses divided by revenue gives its rate).

  Year   Total e-commerce revenue ($B)   Revenue lost to online fraud ($B)   Loss rate
  2000    41.7                             1.5                                3.6%
  2001    53.1                             1.7                                3.2%
  2002    72.4                             2.1                                2.9%
  2003   111.8                             1.9                                1.7%
  2004   144.4                             2.6                                1.8%
  2005   175.0                             2.8                                1.6%
  2006   221.4                             3.1                                1.4%
  2007   264.3                             3.7                                1.4%
  2008   285.7                             4.0                                1.4%
  2009   275.0                             3.3                                1.2%
  2010   300.0                             2.7                                0.9%

Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice; consult an attorney about a particular case, problem or question.

Each entry gives, for a payment type and subtype (fraud type): the consumer protection and its legal authority, then who is liable if recovery against the fraudster or merchant is not possible, and the legal authority for that.

ACH: Credit items (PPD)
  Consumer protection: $0. The consumer is not liable if the fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if recovery fails: The Originating Depository Financial Institution ("ODFI") is liable for breach of its warranty that the item is authorized. Credit items can be returned at any time.
  Legal authority: ODFI warranty, NACHA OR 2.2.1.1; liability for breach of warranty, NACHA OR 2.2.3; return deadline for credit items, NACHA OR 6.1.4.

ACH: Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights under NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer protection: $0. The consumer is not liable if the fraud is reported within 60 days after receiving the statement. The consumer also has a right of immediate recredit if it notifies its bank within 15 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR [3] Section 8.6.1.
  Who is liable if recovery fails: The ODFI is liable for breach of its warranty that the item is authorized. The ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside the ACH network.
  Legal authority: ODFI warranty, NACHA OR 2.2.1.1; liability for breach of warranty, NACHA OR 2.2.3; return deadline for debit items, NACHA OG [4] pages 102-103.

[1] ARC (Accounts Receivable Entry) means lockbox items under NACHA OR 3.7; POP means Point of Purchase conversion items under NACHA OR 3.8; BOC refers to Back Office Conversion items; IAT is an International ACH Transaction. Re-presented check entries (RCK), items collected via ACH after the original paper check has been dishonored, are not covered by Reg E, which specifically excludes items first originated by check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009); the number following OG is the page number.
Check [5]: Forged (counterfeit) check
  Consumer protection: $0. The consumer is not liable, as the check is not properly payable: it was not authorized, or was not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the bank holding the consumer's account (the payor bank) may not charge the account for it and must recredit the amount of the fraudulent check.
  Who is liable if recovery fails: The paying bank, as there is no breach of a presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged drawer's signature
  Consumer protection: $0. The consumer is not liable, as the check is not properly payable: it was not authorized, or was not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to report the forgery in time.
  Legal authority: UCC 4-401 (if a check is not properly payable, the payor bank may not charge the account and must recredit the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if recovery fails: The paying bank, as there is no breach of a presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged endorsement
  Consumer protection: $0. The consumer is not liable, as the check is not properly payable: it was not authorized, or was not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the payor bank may not charge the account and must recredit the amount of the fraudulent check.
  Who is liable if recovery fails: The depository bank, as there is a breach of the transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Check: Fraudulent alteration
  Consumer protection: $0. The consumer is not liable, as the check is not properly payable: it was not authorized, or was not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the alteration, or if the consumer failed to report it in time.
  Legal authority: UCC 3-407; UCC 4-401 (if a check is not properly payable, the payor bank may not charge the account and must recredit the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if recovery fails: The depository bank, as there is a breach of the transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties in UCC 3-416 and 4-207.

Check: Remotely created checks
  Consumer protection: $0. The consumer is not liable, as the check is not properly payable: it was not authorized, or was not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the payor bank may not charge the account and must recredit the amount of the fraudulent check.
  Who is liable if recovery fails: The depository bank, for all kinds of fraud involving remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks under which the depository bank warrants that the check is authorized.
Credit cards: Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in time.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA and MasterCard websites.
  Who is liable if recovery fails: The issuing bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard rules [6].

Credit cards: Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in time.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA and MasterCard websites.
  Who is liable if recovery fails: The acquiring bank is generally liable for fraudulent transactions if it is not able to pass the liability on to the merchant under the merchant agreement.
  Legal authority: VISA and MasterCard rules.

[6] The VISA and MasterCard network rules apply only between the issuing bank (the bank that issues cards to cardholders) and the acquiring bank (the bank that has the relationship with the merchant). These rules are not public; the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit cards: Card present (signature or PIN required)
  Consumer protection: $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in time. Under Reg E: up to $50 if the consumer gives notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day period and until the consumer actually gives notice; unlimited consumer liability for transfers occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: VISA and MasterCard websites; Reg E, 12 CFR 205.6(b)(1), (b)(2) and (b)(3) respectively.
  Who is liable if recovery fails: The issuing bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard rules.
Debit cards: Card not present (telephone or web initiated use)
  Consumer protection: $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in time. Under Reg E: up to $50 if the consumer gives notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day period and until the consumer actually gives notice; unlimited consumer liability for transfers occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: VISA and MasterCard websites; Reg E, 12 CFR 205.6(b)(1), (b)(2) and (b)(3) respectively.
  Who is liable if recovery fails: The acquiring bank is generally liable for fraudulent transactions if it is not able to pass the liability on to the merchant under the merchant agreement.
  Legal authority: Secondary sources [7].
Debit cards: Decoupled debit cards (cards issued by an institution other than the bank at which the consumer maintains an account; settlement between the merchant and the card issuer is through branded payment networks such as VISA/MasterCard, and settlement between the card issuer and the consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in time. Under Reg E, with the longer periods that apply when the card issuer does not hold the consumer's account: up to $50 if the consumer gives notice within four business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the four-business-day period and until the consumer actually gives notice; unlimited consumer liability for transfers occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. The consumer also has a right of immediate recredit under the NACHA Rules if it notifies its bank within 15 days after receiving the statement.
  Legal authority: VISA and MasterCard websites; Reg E, 12 CFR 205.14(b)(5)(v); NACHA OR Section 8.6.1.
  Who is liable if recovery fails: Under the NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debit items; the ODFI is likely to pass liability to the card issuer by agreement. Under the payment network rules, either the card issuer or the acquiring bank is liable, depending on whether the transaction was card-present or card-not-present; see the debit card entries above.
  Legal authority: NACHA Operating Rules; VISA and MasterCard rules.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Phishing Activity Targets by Industry
35
APWG Phishing Activity Trends Report 2nd Q 2010
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Prevention
36
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Detection More Is Needed
76
4841
26 23
0
10
20
30
40
50
60
70
80
90
100
Customer Notifies Us At the Point of transaction
Third-Party Notification
At the Point of Origination
During Account AuditReconciliation
When is Fraud Usually Detected
37
Source Information Security Media Group 2010 Faces of Fraud Survey
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Education amp Technology Most Used to Detect amp Prevent Fraud
77
6758
45
28
0
10
20
30
40
50
60
70
80
90
Employee Education Customer Awareness Fraud Tools amp Technologies
Real-Time Decision Tools
Manual Account Monitoring
Most Effective Fraud Prevention Tools
38
Source Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention
Top 3 internal controls considered effective
Authenticationauthorization for payment processes
Dual controls amp separation of duties
Audit amp management review to verify controls are applied
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used amp Effectiveness
39
16 Use
22 Use
23 Use
28 Use
29 Use
36 Use
42 Use
49 Use
49 Use
51 Use
57 Use
71 Use
Account masking services
Post no check services
ACH payee positive pay
ACH positive pay
Card alert services for corp cards
Account alert services
Check payee positive pay
Multi-factor authentication to initiate payments
ACH debit filters
Check positive payreverse positive pay
ACH debit blocks
Online information services
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
ACH: Credit items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of its warranty that the item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty in NACHA OR 2.2.3; the return deadline for credit items in NACHA OR 6.1.4.

ACH: Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. Consumer has a right of immediate recredit if the bank is notified within 15 days after receipt of the statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR [3] Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of its warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty in NACHA OR 2.2.3; the return deadline for debit items in NACHA OG [4] pp. 102-103.

Appendix A: Payments Fraud Liability Matrix. Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Check [5]: Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the paying bank (the bank holding the consumer's account) must not charge the account, or must recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery.
  Legal authority: UCC 4-401 (if a check is not properly payable, the paying bank must not charge the account, or must recredit the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: The paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check: Forged endorsement
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the paying bank must not charge the account, or must recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The depository bank is liable, as there is a breach of the transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Check: Fraudulent alteration
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the alteration, or if the consumer failed to timely report it.
  Legal authority: UCC 3-407; UCC 4-401 (if a check is not properly payable, the paying bank must not charge the account, or must recredit the amount of the fraudulent check); UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: The depository bank is liable, as there is a breach of the transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties in UCC 3-416 and 4-207.

Check: Remotely created checks
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If a check is not properly payable, the paying bank must not charge the account, or must recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: The depository bank is liable for all kinds of fraud on remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks under which the depository bank warrants that the check is authorized.
Credit cards: Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA and MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The issuing bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard rules [6].

Credit cards: Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA and MasterCard websites.
  Who is liable if cannot recover against fraudster or merchant: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard rules.

[6] The VISA and MasterCard network rules apply only between the issuing bank (the bank that issues cards to cardholders) and the acquiring bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit cards: Card present (signature or PIN required)
  Consumer protection (network policies): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Consumer protection (Reg E): Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(1) ($50 tier), 205.6(b)(2) ($500 tier) and 205.6(b)(3) (unlimited tier).
  Who is liable if cannot recover against fraudster or merchant: The issuing bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal authority: VISA and MasterCard rules.
Debit cards: Card not present (telephone or web initiated use)
  Consumer protection (network policies): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Consumer protection (Reg E): Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.6(b)(1) ($50 tier), 205.6(b)(2) ($500 tier) and 205.6(b)(3) (unlimited tier).
  Who is liable if cannot recover against fraudster or merchant: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary sources [7].
Debit cards: Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard, and settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection (network policies): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: VISA and MasterCard websites.
  Consumer protection (Reg E): Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal authority: Reg E, 12 CFR 205.14(b)(5)(v) (longer periods apply because the card issuer is not the account-holding institution).
  Consumer protection (NACHA): Consumer has a right of immediate recredit under the NACHA Rules if the consumer notifies its bank within 15 days after receiving the statement.
  Legal authority: NACHA OR Section 8.6.1.
  Who is liable if cannot recover against fraudster or merchant: Under the NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debit items; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, either the card issuer or the acquiring bank is liable, depending on whether it is a card-present or card-not-present situation (see the debit card rows above).
  Legal authority: NACHA OR 2.2.1.1 and 2.2.3 (as above); VISA and MasterCard rules.
Fraud Prevention
Fraud Detection: More Is Needed

When is fraud usually detected? (% of respondents)
  Customer notifies us: 76
  At the point of transaction: 48
  Third-party notification: 41
  At the point of origination: 26
  During account audit/reconciliation: 23
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud

Most effective fraud prevention tools (% of respondents)
  Employee education: 77
  Customer awareness: 67
  Fraud tools & technologies: 58
  Real-time decision tools: 45
  Manual account monitoring: 28
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
  1. Authentication/authorization for payment processes
  2. Dual controls & separation of duties
  3. Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations

Corporate views on risk services used & effectiveness (% of respondents using each service)
  Online information services: 71
  ACH debit blocks: 57
  Check positive pay/reverse positive pay: 51
  ACH debit filters: 49
  Multi-factor authentication to initiate payments: 49
  Check payee positive pay: 42
  Account alert services: 36
  Card alert services for corporate cards: 29
  ACH positive pay: 28
  ACH payee positive pay: 23
  Post no check services: 22
  Account masking services: 16
Chart legend: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
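Several of the services in the chart (check positive pay, payee positive pay, ACH debit filters and ACH debit blocks) share one mechanism: the bank compares each presented item against a file the customer supplied in advance and reports anything that does not match as an exception for the customer to pay or return. The following is an added example, not code from the presentation or from any bank's product, that screens a constructed batch of presented checks and ACH debits that way; the account numbers, company IDs, issue records, items and reason codes are all assumptions made for the example.

```python
"""Positive pay and ACH debit filter/block exception screening.
Added example, not the presentation's code or any bank's product: presented checks are
matched to the customer's issued-check file on serial number, amount and payee; ACH
debits are checked against a per-account filter of authorized originator IDs with
amount caps (an empty filter is a debit block). Accounts, IDs and items are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class IssuedCheck:
    check_number: str
    amount_cents: int
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    ref: str                 # identifier used in the exception report
    kind: str                # "check" or "ach_debit"
    account: str
    amount_cents: int
    check_number: str = ""   # checks only
    payee: str = ""          # checks only, as captured from the presented item
    originator_id: str = ""  # ACH only: company identification of the originator


def normalize_payee(name: str) -> str:
    # Case-, punctuation- and whitespace-insensitive compare to tolerate capture noise.
    return " ".join(name.upper().replace(".", "").replace(",", "").split())


class PositivePay:
    def __init__(self, issued: Dict[str, Dict[str, IssuedCheck]]):
        self.issued = issued                 # account -> check number -> issue record
        self.paid: Dict[str, Set[str]] = {}  # account -> check numbers already paid

    def screen(self, item: PresentedItem) -> Optional[str]:
        issued = self.issued.get(item.account, {}).get(item.check_number)
        if issued is None:
            return "NO_ISSUE_RECORD"          # counterfeit or unrecorded check
        if item.check_number in self.paid.setdefault(item.account, set()):
            return "DUPLICATE_PRESENTMENT"    # same serial presented twice
        if issued.amount_cents != item.amount_cents:
            return "AMOUNT_MISMATCH"          # possible alteration of the amount
        if normalize_payee(issued.payee) != normalize_payee(item.payee):
            return "PAYEE_MISMATCH"           # payee positive pay: altered payee line
        self.paid[item.account].add(item.check_number)
        return None


class AchDebitFilter:
    def __init__(self, rules: Dict[str, Dict[str, int]]):
        # account -> {originator_id: max amount in cents}; an empty dict (or no entry)
        # means the account is blocked for all ACH debits.
        self.rules = rules

    def screen(self, item: PresentedItem) -> Optional[str]:
        allowed = self.rules.get(item.account)
        if not allowed:
            return "DEBIT_BLOCKED"
        cap = allowed.get(item.originator_id)
        if cap is None:
            return "ORIGINATOR_NOT_AUTHORIZED"
        if item.amount_cents > cap:
            return "AMOUNT_OVER_CAP"
        return None


def screen_items(items: List[PresentedItem], positive_pay: PositivePay,
                 ach_filter: AchDebitFilter) -> List[Tuple[str, str]]:
    # Returns (ref, reason) for every item the customer must decide to pay or return.
    exceptions: List[Tuple[str, str]] = []
    for item in items:
        reason = positive_pay.screen(item) if item.kind == "check" else ach_filter.screen(item)
        if reason:
            exceptions.append((item.ref, reason))
    return exceptions


def demo() -> List[Tuple[str, str]]:
    # Constructed issue file, filter rules and a day's presented items.
    positive_pay = PositivePay({"1001": {
        "2045": IssuedCheck("2045", 125_000, "Acme Supply Co."),
        "2046": IssuedCheck("2046", 9_900, "Jane Roe")}})
    ach_filter = AchDebitFilter({"1001": {"1234567890": 500_000}, "1002": {}})
    items = [
        PresentedItem("c1", "check", "1001", 125_000, "2045", "ACME SUPPLY CO"),   # clean
        PresentedItem("c2", "check", "1001", 99_000, "2046", "Jane Roe"),          # altered amount
        PresentedItem("c3", "check", "1001", 50_000, "2099", "Cash"),              # never issued
        PresentedItem("c4", "check", "1001", 125_000, "2045", "Acme Supply Co."),  # duplicate
        PresentedItem("c5", "check", "1001", 9_900, "2046", "John Doe"),           # altered payee
        PresentedItem("a1", "ach_debit", "1001", 300_000, originator_id="1234567890"),  # clean
        PresentedItem("a2", "ach_debit", "1001", 10_000, originator_id="9999999999"),   # unknown
        PresentedItem("a3", "ach_debit", "1002", 100, originator_id="1234567890"),      # blocked
        PresentedItem("a4", "ach_debit", "1001", 600_000, originator_id="1234567890"),  # over cap
    ]
    return screen_items(items, positive_pay, ach_filter)
```

Two design points worth noting: the duplicate check runs before the amount and payee checks, so a check that failed earlier for an altered amount is not marked paid and a later correct presentment of the same serial can still clear; and the ACH rule for an account that has no entry at all is treated the same as an explicit empty filter, so a missing configuration fails closed rather than letting every debit post.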
Use & Effectiveness of Internal Controls by Corporations

Internal controls used (% of respondents using each control)
  Human review of payment transactions: 65
  Customer authentication for online transactions: 57
  Centralized risk management department: 44
  Positive ID of purchaser or account for POS transactions: 37
  Fraud detection pen for currency: 32
  Software with pattern matching or other indicators: 22
  Verify customer state ID card is authentic: 18
  Centralized fraud database for one payment type: 16
  Centralized fraud database for multiple payment types: 11
  Participate in fraudster databases & alerts: 8
  Biometrics authentication: 8
  Magnetic stripe or card chip authentication: 8
Chart legend: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Barriers to More Effective Fraud Mitigation

Main barriers to reducing payments fraud (% of respondents)
  Lack of staff resources: 53
  Consumer data privacy issues/concerns: 41
  Cost of implementing commercially available fraud detection tool/service: 41
  Cost of implementing in-house fraud detection tool/method: 38
  Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
  Unable to combine payment information for review due to operating in multiple states: 3
  Unable to combine payment information for review due to operating with multiple different banks: 3
  Corporate reluctance to share information due to competitive issues: 3
  Other: 15
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs and others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet and other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" and practices to prevent and detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness and to adapt "tools" and practices as appropriate.

Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry links:
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud

Total e-commerce revenue and revenue lost to fraud, in $ billions:
  Year   Total e-commerce revenue   Revenue lost to fraud
  2000    41.7                       1.5
  2001    53.1                       1.7
  2002    72.4                       2.1
  2003   111.8                       1.9
  2004   144.4                       2.6
  2005   175.0                       2.8
  2006   221.4                       3.1
  2007   264.3                       3.7
  2008   285.7                       4.0
  2009   275.0                       3.3
  2010   300.0                       2.7
Source: CyberSource 2011 Online Fraud Report

Relative Losses Declining Among Online Retail Sites

Revenue lost to online fraud as a percentage of total online sales, with total online fraud losses in $ billions:
  2000: 3.6% ($1.5B)
  2001: 3.2% ($1.7B)
  2002: 2.9% ($2.1B)
  2003: 1.7% ($1.9B)
  2004: 1.8% ($2.6B)
  2005: 1.6% ($2.8B)
  2006: 1.4% ($3.1B)
  2007: 1.4% ($3.7B)
  2008: 1.4% ($4.0B)
  2009: 1.2% ($3.3B)
  2010: 0.9% ($2.7B)
Source: CyberSource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Fraud Detection: More Is Needed
[Bar chart, "When is Fraud Usually Detected?" (percent of respondents): Customer notifies us 76; At the point of transaction 48; Third-party notification 41; At the point of origination 26; During account audit/reconciliation 23]
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Education & Technology Most Used to Detect & Prevent Fraud
[Bar chart, "Most Effective Fraud Prevention Tools" (percent of respondents): Employee education 77; Customer awareness 67; Fraud tools & technologies 58; Real-time decision tools 45; Manual account monitoring 28]
Source: Information Security Media Group, 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention. Top 3 internal controls considered effective:
- Authentication/authorization for payment processes
- Dual controls & separation of duties
- Audit & management review to verify controls are applied
Use & Effectiveness of Risk Services by Corporations
[Stacked bar chart, "Corporate Views on Risk Services Used & Effectiveness". Percent of corporations using each service: Account masking services 16; Post no check services 22; ACH payee positive pay 23; ACH positive pay 28; Card alert services for corporate cards 29; Account alert services 36; Check payee positive pay 42; Multi-factor authentication to initiate payments 49; ACH debit filters 49; Check positive pay/reverse positive pay 51; ACH debit blocks 57; Online information services 71. Each bar is split into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months (the split is not recoverable from the extracted text).]
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Use & Effectiveness of Internal Controls by Corporations
[Stacked bar chart. Percent of corporations using each control: Magnetic stripe or card chip authentication 8; Biometrics authentication 8; Participate in fraudster databases & alerts 8; Centralized fraud database for multiple payment types 11; Centralized fraud database for one payment type 16; Verify customer state ID card is authentic 18; Software with pattern matching or other indicators 22; Fraud detection pen for currency 32; Positive ID of purchaser or account for POS transactions 37; Centralized risk management department 44; Customer authentication for online transactions 57; Human review of payment transactions 65. Each bar is split into: use & very effective; use & somewhat effective; use & somewhat ineffective; use & very ineffective; plan to use within 12 to 24 months (the split is not recoverable from the extracted text).]
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (percent of respondents):
- Lack of staff resources: 53
- Consumer data privacy issues/concerns: 41
- Cost of implementing commercially available fraud detection tool/service: 41
- Cost of implementing in-house fraud detection tool/method: 38
- Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
- Unable to combine payment information for review due to operating in multiple states: 3
- Unable to combine payment information for review due to operating with multiple different banks: 3
- Corporate reluctance to share information due to competitive issues: 3
- Other: 15
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey: Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Review the results of the fraud risk management program regularly to assess its effectiveness & to adapt "tools" & practices as appropriate.
Questions
Contact Information
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
- American Bankers Association: www.aba.com
- Association for Financial Professionals: www.afponline.org
- Bank Administration Institute: www.bai.org
- BITS: www.bitsinfo.org
- Credit Union National Association: www.cuna.org
- Board of Governors of the Federal Reserve System: www.federalreserve.gov
- Electronic Check Clearing House Organization (ECCHO): www.eccho.com
- Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
- Federal Reserve Financial Services: www.frbservices.org
- Independent Community Bankers of America: www.icba.org
- National Automated Clearing House Association: www.nacha.org
- National Association of Federal Credit Unions: www.nafcunet.org
- X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
[Chart, "Total e-commerce Revenue / Lost to Fraud", in $ billions, 2000-2010]
Year  Total e-commerce revenue ($B)  Revenue lost to fraud ($B)
2000  41.7    1.5
2001  53.1    1.7
2002  72.4    2.1
2003  111.8   1.9
2004  144.4   2.6
2005  175.0   2.8
2006  221.4   3.1
2007  264.3   3.7
2008  285.7   4.0
2009  275.0   3.3
2010  300.0   2.7
Source: CyberSource, 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
[Chart, "Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)", 2000-2010]
Year  Revenue lost to online fraud (% of online sales)  Online fraud losses ($B)
2000  3.6   1.5
2001  3.2   1.7
2002  2.9   2.1
2003  1.7   1.9
2004  1.8   2.6
2005  1.6   2.8
2006  1.4   3.1
2007  1.4   3.7
2008  1.4   4.0
2009  1.2   3.3
2010  0.9   2.7
Source: CyberSource, 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix
Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Columns for each row below: Payment Type / Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority.

ACH - Credit Items (PPD)
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

ACH - Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if it notifies bank within 15 days after receiving statement.
  Legal authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR [3] Section 8.6.1.
  Who is liable: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG [4] 102-103.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Check [5] - Forged (counterfeit) check
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check - Forged drawer's signature
  Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Paying bank is liable, as there is no breach of presentment warranty.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Check - Forged endorsement
  Consumer protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Check - Fraudulent Alteration
  Consumer protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable: Depository bank is liable, as there is breach of transfer or presentment warranties.
  Legal authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Check - Remotely Created Checks
  Consumer protection: $0. Consumer not liable, as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal authority: UCC 4-401. If check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
  Who is liable: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Credit Cards - Card Present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions.
  Legal authority: VISA and MasterCard Rules [6].

Credit Cards - Card not present (telephone or web initiated use)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b); VISA/MasterCard websites.
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: VISA and MasterCard Rules.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Debit Cards - Card Present (signature or PIN required)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely (VISA/MasterCard websites). Under Reg E:
  - Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)).
  - Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)).
  - Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
  Who is liable: The Issuing Bank is generally liable for fraudulent transactions if merchant has obtained signature or required use of PIN.
  Legal authority: VISA and MasterCard Rules.
Debit Cards - Card not Present (telephone or web initiated use)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely (VISA/MasterCard websites). Under Reg E:
  - Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)).
  - Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)).
  - Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
  Who is liable: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal authority: Secondary Sources [7].
Debit Cards - Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely (VISA/MasterCard websites). Under Reg E:
  - Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card (Reg E, 12 CFR 205.14(b)(5)(v)).
  - Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until consumer actually provides notice (Reg E, 12 CFR 20146(b)(5)(v)).
  - Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.14(b)(5)(v)).
  Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement (NACHA OR Section 8.6.1).
  Who is liable: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
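The three Reg E tiers the matrix gives for debit cards (and the four-business-day / 90-day variant it gives for decoupled debit cards) are easiest to check against a concrete set of transfers. The following is an added example, not code from the slides: it applies those tiers as the matrix states them to a constructed set of unauthorized transfers, assuming business days are Monday to Friday with no holiday calendar and leaving out Reg E's further qualifier that later-tier amounts count only if they would not have occurred had timely notice been given.

```python
"""Consumer liability tiers for unauthorized debit-card transfers, as summarised in
the Payments Fraud Liability Matrix: $50 / $500 / unlimited under Reg E 12 CFR
205.6(b) for debit cards, and the four-business-day / 90-day variant the matrix
lists for decoupled debit cards under 12 CFR 205.14. Added example; assumptions:
business days are Mon-Fri with no holiday calendar, and Reg E's "would not have
occurred had notice been given" qualifier on the later tiers is not modelled."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Transfer:
    posted: date
    amount: float  # unauthorized amount, in dollars


@dataclass(frozen=True)
class Tiers:
    notice_days: int      # business days after learning of the loss (the "up to $50" tier)
    statement_days: int   # calendar days after statement receipt before unlimited liability
    tier1_cap: float = 50.0
    tier2_cap: float = 500.0


# Values from the matrix: debit cards, and decoupled debit cards.
DEBIT_CARD = Tiers(notice_days=2, statement_days=60)
DECOUPLED_DEBIT = Tiers(notice_days=4, statement_days=90)


@dataclass(frozen=True)
class Liability:
    total: float            # amount the consumer can be held liable for
    in_window: float        # unauthorized amount before the notice window closed
    after_window: float     # amount after the window closed and before notice
    after_statement: float  # amount in the unlimited-liability period, before notice


def add_business_days(start: date, n: int) -> date:
    """Date on which n business days (Mon-Fri only; assumption) after start have elapsed."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def consumer_liability(transfers: Iterable[Transfer], learned_on: date, notice_on: date,
                       statement_received_on: Optional[date] = None,
                       tiers: Tiers = DEBIT_CARD) -> Liability:
    """Apply the matrix's tiers. learned_on: day the consumer learned of the loss;
    notice_on: day the bank was notified; statement_received_on: receipt of the
    first statement showing an unauthorized transfer (None if none received)."""
    if notice_on < learned_on:
        raise ValueError("notice cannot precede learning of the loss")
    window_closes = add_business_days(learned_on, tiers.notice_days)
    unlimited_from = (None if statement_received_on is None
                      else statement_received_on + timedelta(days=tiers.statement_days))
    in_window = after_window = after_statement = 0.0
    for t in transfers:
        if t.posted >= notice_on:
            continue  # transfers on or after notice are not the consumer's liability
        if unlimited_from is not None and t.posted >= unlimited_from:
            after_statement += t.amount   # unlimited tier
        elif t.posted > window_closes:
            after_window += t.amount      # "up to $500" tier
        else:
            in_window += t.amount         # "up to $50" tier
    total = min(in_window, tiers.tier1_cap)
    if after_window:
        total = min(total + after_window, tiers.tier2_cap)  # $500 cap covers both tiers
    total += after_statement
    return Liability(round(total, 2), in_window, after_window, after_statement)


def demo_results() -> dict:
    """Constructed scenario: loss learned Mon 2010-03-01; three unauthorized transfers."""
    sample = [Transfer(date(2010, 3, 2), 80.0), Transfer(date(2010, 3, 5), 300.0),
              Transfer(date(2010, 3, 8), 400.0)]
    learned = date(2010, 3, 1)
    return {
        "notice within window": consumer_liability(sample, learned, date(2010, 3, 3), date(2010, 2, 1)).total,
        "debit card, late notice": consumer_liability(sample, learned, date(2010, 3, 10), date(2010, 2, 1)).total,
        "decoupled debit, late notice": consumer_liability(sample, learned, date(2010, 3, 10), date(2010, 2, 1),
                                                           DECOUPLED_DEBIT).total,
        "statement period expired": consumer_liability(sample, learned, date(2010, 3, 10), date(2010, 1, 1)).total,
    }


if __name__ == "__main__":
    for label, amount in demo_results().items():
        print(f"{label}: consumer liable for ${amount:.2f}")
```

The same three transfers cost the consumer $500 under the debit-card tiers but $450 under the decoupled-debit tiers, because the longer four-business-day window keeps the 2010-03-05 transfer in the $50 tier.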
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Education amp Technology Most Used to Detect amp Prevent Fraud
77
6758
45
28
0
10
20
30
40
50
60
70
80
90
Employee Education Customer Awareness Fraud Tools amp Technologies
Real-Time Decision Tools
Manual Account Monitoring
Most Effective Fraud Prevention Tools
38
Source Information Security Media Group 2010 Faces of Fraud Survey
Internal controls are central to fraud prevention
Top 3 internal controls considered effective
Authenticationauthorization for payment processes
Dual controls amp separation of duties
Audit amp management review to verify controls are applied
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used amp Effectiveness
39
16 Use
22 Use
23 Use
28 Use
29 Use
36 Use
42 Use
49 Use
49 Use
51 Use
57 Use
71 Use
Account masking services
Post no check services
ACH payee positive pay
ACH positive pay
Card alert services for corp cards
Account alert services
Check payee positive pay
Multi-factor authentication to initiate payments
ACH debit filters
Check positive payreverse positive pay
ACH debit blocks
Online information services
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment type: Check (continued)

Subtype (fraud type): Fraudulent alteration
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority (consumer protection): UCC 3-407; UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal authority (liability): Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.
Possible exception: if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report).

Subtype (fraud type): Remotely created checks
Consumer protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal authority (consumer protection): UCC 4-401. If a check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
Legal authority (liability): Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.
Payment type: Credit Cards

Subtype (fraud type): Card present (signature or PIN required)
Consumer protection (federal law): $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
Legal authority (consumer protection): Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Consumer protection (network policy): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal authority (consumer protection): VISA/MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
Legal authority (liability): VISA and MasterCard Rules (note 6).

Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection (federal law): $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
Legal authority (consumer protection): Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b).
Consumer protection (network policy): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal authority (consumer protection): VISA/MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal authority (liability): VISA and MasterCard Rules.
Note 6: The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Payment type: Debit Cards

Subtype (fraud type): Card present (signature or PIN required)
Consumer protection (network policy): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal authority (consumer protection): VISA/MasterCard websites.
Consumer protection (Reg E): Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)). Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)). Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
Legal authority (liability): VISA and MasterCard Rules.
Payment type: Debit Cards (continued)

Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection (network policy): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal authority (consumer protection): VISA/MasterCard websites.
Consumer protection (Reg E): Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card (Reg E, 12 CFR 205.6(b)(1)). Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.6(b)(2)). Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.6(b)(3)).
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal authority (liability): Secondary sources (note 7).
Payment type: Debit Cards (continued)

Subtype (fraud type): Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
Consumer protection (network policy): $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
Legal authority (consumer protection): VISA/MasterCard websites.
Consumer protection (Reg E): Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card (Reg E, 12 CFR 205.14(b)(5)(v)). Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice (Reg E, 12 CFR 205.14(b)(5)(v)). Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (Reg E, 12 CFR 205.14(b)(5)(v)).
Consumer protection (NACHA Rules): Consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement (NACHA OR Section 8.6.1).
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see above for debit cards.
Use & Effectiveness of Risk Services by Corporations
Corporate Views on Risk Services Used & Effectiveness
39
[Bar chart: share of corporations using each risk service, with each bar split into use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, and plan to use w/in 12 to 24 months. Overall use by service:]
• Account masking services: 16% use
• Post no check services: 22% use
• ACH payee positive pay: 23% use
• ACH positive pay: 28% use
• Card alert services for corp cards: 29% use
• Account alert services: 36% use
• Check payee positive pay: 42% use
• Multi-factor authentication to initiate payments: 49% use
• ACH debit filters: 49% use
• Check positive pay/reverse positive pay: 51% use
• ACH debit blocks: 57% use
• Online information services: 71% use
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Use & Effectiveness of Internal Controls by Corporations
40
[Bar chart: share of corporations using each internal control, with each bar split into use & very effective, use & somewhat effective, use & somewhat ineffective, use & very ineffective, and plan to use w/in 12 to 24 months. Overall use by control:]
• Magnetic stripe or card chip authentication: 8% use
• Biometrics authentication: 8% use
• Participate in fraudster databases & alerts: 8% use
• Centralized fraud database for multiple pymt types: 11% use
• Centralized fraud database for one pymt type: 16% use
• Verify customer state ID card is authentic: 18% use
• Software w/ pattern matching or other indicators: 22% use
• Fraud detection pen for currency: 32% use
• Positive ID of purchaser or account for POS trx: 37% use
• Centralized risk management department: 44% use
• Customer authentication for online transactions: 57% use
• Human review of payment transactions: 65% use
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud (percent of respondents)
• Lack of staff resources: 53%
• Consumer data privacy issues/concerns: 41%
• Cost of implementing commercially available fraud detection tool/service: 41%
• Cost of implementing in-house fraud detection tool/method: 38%
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35%
• Unable to combine payment information for review due to operating in multiple states: 3%
• Unable to combine payment information for review due to operating with multiple different banks: 3%
• Corporate reluctance to share information due to competitive issues: 3%
• Other: 15%
41
Source: Federal Reserve Bank of Minneapolis, 2010 Payments Fraud Survey, Summary of Results
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggests US payments fraud is mitigated reasonably well today.
2. But fraud attacks are growing in most payment types and, to a lesser extent, so are fraud-related losses, so companies, FIs & others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet & other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" & practices to prevent & detect payments fraud is always more effective than single-threaded strategies.
6. Regularly review the results of the fraud risk management program to assess its effectiveness & to adapt "tools" & practices as appropriate.
42
Questions
43
Contact Information
44
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudia.swendseid@mpls.frb.org, www.frbservices.org
Resources
Industry Links
• American Bankers Association, www.aba.com
• Association for Financial Professionals, www.afponline.org
• Bank Administration Institute, www.bai.org
• BITS, www.bitsinfo.org
• Credit Union National Association, www.cuna.org
• Board of Governors of the Federal Reserve System, www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO), www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov
• Federal Reserve Financial Services, www.frbservices.org
• Independent Community Bankers of America, www.icba.org
• National Automated Clearing House Association, www.nacha.org
• National Association of Federal Credit Unions, www.nafcunet.org
• X9 Financial Industry Standards, www.x9.org
45
Online Sales & Revenue Lost to Fraud
46
[Chart: total e-commerce revenue and revenue lost to fraud, 2000-2010, in $ billions. Values as plotted, year: total e-commerce revenue / revenue lost to fraud:]
2000: $41.7B / $1.5B
2001: $53.1B / $1.7B
2002: $72.4B / $2.1B
2003: $111.8B / $1.9B
2004: $144.4B / $2.6B
2005: $175.0B / $2.8B
2006: $221.4B / $3.1B
2007: $264.3B / $3.7B
2008: $285.7B / $4.0B
2009: $275.0B / $3.3B
2010: $300.0B / $2.7B
Source: CyberSource, 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
47
[Chart: revenue lost to online fraud as a percentage of total online sales, 2000-2010, with total online fraud losses ($ billions) annotated on each bar. Values as plotted, year: percentage of online sales / total online fraud losses:]
2000: 3.6% / $1.5B
2001: 3.2% / $1.7B
2002: 2.9% / $2.1B
2003: 1.7% / $1.9B
2004: 1.8% / $2.6B
2005: 1.6% / $2.8B
2006: 1.4% / $3.1B
2007: 1.4% / $3.7B
2008: 1.4% / $4.0B
2009: 1.2% / $3.3B
2010: 0.9% / $2.7B
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions)
Source: CyberSource, 2011 Online Fraud Report
Payment type: ACH

Subtype (fraud type): Credit items (PPD)
Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement.
Legal authority (consumer protection): Reg E, 12 CFR 205.6(b)(3).
Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time.
Legal authority (liability): The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

Subtype (fraud type): Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5; see note 1)
Consumer protection: $0. Consumer not liable if the fraud is reported within 60 days after receiving the statement. Consumer has a right of immediate recredit if it notifies its bank within 15 days after receiving the statement.
Legal authority (consumer protection): Reg E, 12 CFR 205.6(b)(3); NACHA OR (note 3) Section 8.6.1.
Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI (note 2) returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
Legal authority (liability): The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG (note 4), pages 102-103.

Note 1: ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
Note 2: Receiving Depository Financial Institution.
Note 3: NACHA Operating Rules (2009).
Note 4: NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Use amp Effectiveness of Internal Controls by Corporations
40
8 Use
8 Use
8 Use
11 Use
16 Use
18 Use
22 Use
32 Use
37 Use
44 Use
57 Use
65 Use
Magnetic stripe or card chip authentication
Biometrics authentication
Participate in fraudster databases amp alerts
Centralized fraud database for multiple pymt types
Centralized fraud database for one pymt type
Verify customer state ID card is authentic
Software wpattern matching or other indicators
Fraud detection pen for currency
Positive ID of purchaser or account for POS trx
Centralized risk management department
Customer authentication for online transactions
Human review of payment transactions
Use amp very effective
Use amp somewhat effective
Use amp somewhat ineffective
Use amp very ineffective
Plan to use win 12 to 24 months
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Barriers to More Effective Fraud Mitigation
Main Barriers to Reducing Payments Fraud
Lack of staff resources 53
Consumer data privacy issuesconcerns 41
Cost of implementing commercially available fraud detection toolservice 41
Cost of implementing in-house fraud detection toolmethod 38
Lack of compelling business case (cost vs benefit) to adopt new or change existing methods
35
Unable to combine payment information for review due to operating in multiple states
3
Unable to combine payment information for review due to operating with multiple different banks
3
Corporate reluctance to share information due to competitive issues 3
Other 15
41
Source Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Links
• American Bankers Association: www.aba.com
• Association for Financial Professionals: www.afponline.org
• Bank Administration Institute: www.bai.org
• BITS: www.bitsinfo.org
• Credit Union National Association: www.cuna.org
• Board of Governors of the Federal Reserve System: www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO): www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC): www.ffiec.gov
• Federal Reserve Financial Services: www.frbservices.org
• Independent Community Bankers of America: www.icba.org
• National Automated Clearing House Association: www.nacha.org
• National Association of Federal Credit Unions: www.nafcunet.org
• X9 Financial Industry Standards: www.x9.org
Online Sales & Revenue Lost to Fraud
(Chart: total e-commerce revenue and revenue lost to fraud, in $ billions, 2000-2010; values read from the chart)

Year   Total e-commerce revenue ($B)   Revenue lost to fraud ($B)
2000    41.7                            1.5
2001    53.1                            1.7
2002    72.4                            2.1
2003   111.8                            1.9
2004   144.4                            2.6
2005   175.0                            2.8
2006   221.4                            3.1
2007   264.3                            3.7
2008   285.7                            4.0
2009   275.0                            3.3
2010   300.0                            2.7

Source: CyberSource 2011 Online Fraud Report

Relative Losses Declining Among Online Retail Sites
(Chart: revenue lost as a percentage of total online sales & total online fraud losses in $ billions, 2000-2010; values read from the chart)

Year   Revenue lost as % of online sales   Revenue lost to online fraud ($B)
2000   3.6%                                $1.5
2001   3.2%                                $1.7
2002   2.9%                                $2.1
2003   1.7%                                $1.9
2004   1.8%                                $2.6
2005   1.6%                                $2.8
2006   1.4%                                $3.1
2007   1.4%                                $3.7
2008   1.4%                                $4.0
2009   1.2%                                $3.3
2010   0.9%                                $2.7

Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 & may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

Columns of the matrix: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Payment Type: ACH

Subtype (Fraud Type): Credit Items (PPD)
  Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement.
  Legal Authority: Reg E, 12 CFR 205.6(b)(3)
  Who is liable if cannot recover against fraudster or merchant: Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that item is authorized. Credit items can be returned at any time.
  Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for credit items is set forth in NACHA OR 6.1.4.

Subtype (Fraud Type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving statement. Consumer has right of immediate recredit if it notifies its bank within 15 days after receiving statement.
  Legal Authority: Reg E, 12 CFR 205.6(b)(3); NACHA OR [3] Section 8.6.1
  Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that item is authorized. ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
  Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. Return deadline for debit items is set forth in NACHA OG [4], pages 102-103.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Payment Type: Check [5]

Subtype (Fraud Type): Forged (counterfeit) check
  Consumer Protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype (Fraud Type): Forged drawer's signature
  Consumer Protection: $0. Consumer not liable as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Paying bank is liable as there is no breach of presentment warranty.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype (Fraud Type): Forged endorsement
  Consumer Protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
Payment Type: Check

Subtype (Fraud Type): Fraudulent Alteration
  Consumer Protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if consumer's negligence substantially contributed to the forged signature or if consumer failed to timely report the forgery.
  Legal Authority: UCC 3-407; UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable as there is breach of transfer or presentment warranties.
  Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Subtype (Fraud Type): Remotely Created Checks
  Consumer Protection: $0. Consumer not liable as check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
  Legal Authority: UCC 4-401. If check is not properly payable, the depository bank must not charge or is required to recredit the amount of the fraudulent check.
  Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
  Legal Authority: Reg CC, 12 CFR 229.34 contains transfer and presentment warranties for remotely created checks in which the depository bank warrants that the check is authorized.
Payment Type: Credit Cards

Subtype (Fraud Type): Card Present (signature or PIN required)
  Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
  Legal Authority: VISA and MasterCard Rules [6]

  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites

Subtype (Fraud Type): Card not present (telephone or web initiated use)
  Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use.
  Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal Authority: VISA and MasterCard Rules

  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Payment Type: Debit Cards

Subtype (Fraud Type): Card Present (signature or PIN required)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites
  Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
  Legal Authority: VISA and MasterCard Rules

  Consumer Protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal Authority: Reg E, 12 CFR 205.6(b)(1)

  Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal Authority: Reg E, 12 CFR 205.6(b)(2)

  Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Payment Type: Debit Cards

Subtype (Fraud Type): Card not Present (telephone or web initiated use)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites
  Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
  Legal Authority: Secondary Sources [7]

  Consumer Protection: Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card.
  Legal Authority: Reg E, 12 CFR 205.6(b)(1)

  Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice.
  Legal Authority: Reg E, 12 CFR 205.6(b)(2)

  Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
  Legal Authority: Reg E, 12 CFR 205.6(b)(3)
Payment Type: Debit Cards

Subtype (Fraud Type): Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
  Consumer Protection: $0. The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card or has acted negligently in failing to report the loss timely.
  Legal Authority: VISA/MasterCard websites
  Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation. See above for debit cards.

  Consumer Protection: Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card.
  Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v)

  Consumer Protection: Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice.
  Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v)

  Consumer Protection: Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided.
  Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v)

  Consumer Protection: Consumer has right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving statement.
  Legal Authority: NACHA OR Section 8.6.1
Barriers to More Effective Fraud Mitigation

Main Barriers to Reducing Payments Fraud (percent of respondents):
• Lack of staff resources: 53
• Consumer data privacy issues/concerns: 41
• Cost of implementing commercially available fraud detection tool/service: 41
• Cost of implementing in-house fraud detection tool/method: 38
• Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods: 35
• Unable to combine payment information for review due to operating in multiple states: 3
• Unable to combine payment information for review due to operating with multiple different banks: 3
• Corporate reluctance to share information due to competitive issues: 3
• Other: 15

Source: Federal Reserve Bank of Minneapolis 2010 Payments Fraud Survey, Summary of Results
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1 Any level of payments fraud is undesirable but aggregate data suggests US payments fraud is mitigated reasonably well today
2 But fraud attacks are growing in most payment types amp to a lesser extent fraud related losses so companies FIs amp others must continue investing in defenses that adapt to changing fraud schemes
3 The Internet amp other new technology are important enablers of payments fraud but low-tech traditional fraud schemes remain prevalent
4 Effective management of fraud risk begins with understanding your own organizationrsquos specific fraud profile
5 Using multiple ldquotoolsrdquo amp practices to prevent amp detect payments fraud is always more effective than single threaded strategies
6 Review results regularly of fraud risk management program to assess its effectiveness amp to adapt ldquotoolsrdquo amp practices as appropriate
42
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Conclusions
1. Any level of payments fraud is undesirable, but aggregate data suggest that U.S. payments fraud is mitigated reasonably well today.
2. Fraud attacks are growing in most payment types, and fraud-related losses to a lesser extent, so companies, financial institutions and others must continue investing in defenses that adapt to changing fraud schemes.
3. The Internet and other new technology are important enablers of payments fraud, but low-tech, traditional fraud schemes remain prevalent.
4. Effective management of fraud risk begins with understanding your own organization's specific fraud profile.
5. Using multiple "tools" and practices to prevent and detect payments fraud is always more effective than a single-threaded strategy.
6. Review the results of the fraud risk management program regularly to assess its effectiveness and to adapt "tools" and practices as appropriate.
42
Questions
43
Contact Information
44
Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarsonclairescom
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawfordamctheatrescom
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossingccom
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseidmplsfrborg, www.frbservices.org
Resources
Industry links
• American Bankers Association, www.aba.com
• Association for Financial Professionals, www.afponline.org
• Bank Administration Institute, www.bai.org
• BITS, www.bitsinfo.org
• Credit Union National Association, www.cuna.org
• Board of Governors of the Federal Reserve System, www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO), www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov
• Federal Reserve Financial Services, www.frbservices.org
• Independent Community Bankers of America, www.icba.org
• National Automated Clearing House Association, www.nacha.org
• National Association of Federal Credit Unions, www.nafcunet.org
• X9 Financial Industry Standards, www.x9.org
45
Online Sales & Revenue Lost to Fraud
(Chart: total e-commerce revenue and revenue lost to fraud, in $ billions, 2000 to 2010.)
Year: total e-commerce revenue / revenue lost to fraud ($ billions)
2000: 41.7 / 1.5
2001: 53.1 / 1.7
2002: 72.4 / 2.1
2003: 111.8 / 1.9
2004: 144.4 / 2.6
2005: 175.0 / 2.8
2006: 221.4 / 3.1
2007: 264.3 / 3.7
2008: 285.7 / 4.0
2009: 275.0 / 3.3
2010: 300.0 / 2.7
46
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites
(Chart: revenue lost to online fraud as a percentage of total online sales, and total online fraud losses in $ billions, 2000 to 2010.)
Year: revenue lost as % of online sales / total online fraud losses ($ billions)
2000: 3.6% / $1.5
2001: 3.2% / $1.7
2002: 2.9% / $2.1
2003: 1.7% / $1.9
2004: 1.8% / $2.6
2005: 1.6% / $2.8
2006: 1.4% / $3.1
2007: 1.4% / $3.7
2008: 1.4% / $4.0
2009: 1.2% / $3.3
2010: 0.9% / $2.7
47
Source: CyberSource 2011 Online Fraud Report
48
Appendix A: Payments Fraud Liability Matrix
Columns: Payment type; Subtype (fraud type); Consumer protection, with legal authority; Who is liable if recovery against the fraudster or merchant is not possible, with legal authority.

Payment type: ACH

Subtype: Credit items (PPD)
  Consumer protection: $0. The consumer is not liable if the fraud is reported within 60 days after receiving the statement. Authority: Reg E, 12 CFR 205.6(b)(3).
  Who is liable: The Originating Depository Financial Institution ("ODFI") is liable for breach of its warranty that the item is authorized. Credit items can be returned at any time. Authority: ODFI warranty, NACHA OR 2.2.1.1; liability for breach of warranty, NACHA OR 2.2.3; return deadline for credit items, NACHA OR 6.1.4.

Subtype: Debit items (ARC, BOC, IAT, POP and RCK have similar recredit rights under NACHA OR Sections 8.6.2 through 8.6.5) [1]
  Consumer protection: $0. The consumer is not liable if the fraud is reported within 60 days after receiving the statement (Reg E, 12 CFR 205.6(b)(3)). The consumer has a right of immediate recredit if it notifies its bank within 15 days after receiving the statement (NACHA OR [3] Section 8.6.1).
  Who is liable: The ODFI is liable for breach of its warranty that the item is authorized. The ODFI must accept the return of unauthorized items that the RDFI [2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period, outside of the ACH network. Authority: ODFI warranty, NACHA OR 2.2.1.1; liability for breach of warranty, NACHA OR 2.2.3; return deadline for debit items, NACHA OG [4] pages 102 and 103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

[1] ARC means lockbox items under NACHA OR 3.7; POP means Point of Purchase conversion items under NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), meaning items collected via ACH after the original paper check has been dishonored, are not covered by Reg E, which specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
49
Payment type: Check [5]

Subtype: Forged (counterfeit) check
  Consumer protection: $0. The consumer is not liable because the check is not "properly payable", meaning that it was not authorized or was not in accordance with any agreement. Authority: UCC 4-401. If a check is not properly payable, the consumer's bank (the paying bank) must not charge the account or, if it already has, must recredit the amount of the fraudulent check.
  Who is liable: The paying bank, as there is no breach of presentment warranty. Authority: presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype: Forged drawer's signature
  Consumer protection: $0, as above: the check is not properly payable (UCC 4-401). Possible exception if the consumer's negligence substantially contributed to the forged signature (UCC 3-406, drawer's negligence), or if the consumer failed to report the forgery in a timely manner (UCC 4-406, drawer's failure to report).
  Who is liable: The paying bank, as there is no breach of presentment warranty. Authority: presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype: Forged endorsement
  Consumer protection: $0, as above: the check is not properly payable (UCC 4-401).
  Who is liable: The depository bank, as there is a breach of the transfer or presentment warranties. Authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.
50
Payment type: Check

Subtype: Fraudulent alteration
  Consumer protection: $0. The consumer is not liable because the check is not properly payable, meaning that it was not authorized or was not in accordance with any agreement (UCC 3-407; UCC 4-401: if a check is not properly payable, the consumer's bank must not charge the account or, if it already has, must recredit the amount of the fraudulent check). Possible exception if the consumer's negligence substantially contributed to the alteration (UCC 3-406, drawer's negligence), or if the consumer failed to report it in a timely manner (UCC 4-406, drawer's failure to report).
  Who is liable: The depository bank, as there is a breach of the transfer or presentment warranties. Authority: presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties in UCC 3-416 and 4-207.

Subtype: Remotely created checks
  Consumer protection: $0. The consumer is not liable because the check is not properly payable (UCC 4-401).
  Who is liable: The depository bank is liable for all kinds of fraud on remotely created checks. Authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks under which the depository bank warrants that the check is authorized.
51
Payment type: Credit cards

Subtype: Card present (signature or PIN required)
  Consumer protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)). $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in a timely manner (VISA and MasterCard websites).
  Who is liable: The issuing bank is generally liable for fraudulent transactions. Authority: VISA and MasterCard rules [6].

Subtype: Card not present (telephone- or web-initiated use)
  Consumer protection: $50 under federal law (TILA, 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b)); $0 under VISA and MasterCard consumer policies on the same conditions as above (VISA and MasterCard websites).
  Who is liable: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant under the merchant agreement. Authority: VISA and MasterCard rules.

[6] The VISA and MasterCard network rules apply only between the issuing bank (the bank that issues cards to cardholders) and the acquiring bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
52
Payment type: Debit cards

Subtype: Card present (signature or PIN required)
  Consumer protection:
    $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in a timely manner (VISA and MasterCard websites).
    Up to $50 under Reg E if the consumer provides notice within two business days after learning of the loss of the debit card (12 CFR 205.6(b)(1)).
    Up to $500 of the unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (12 CFR 205.6(b)(2)).
    Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.6(b)(3)).
  Who is liable: The issuing bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. Authority: VISA and MasterCard rules.
53
Payment type: Debit cards

Subtype: Card not present (telephone- or web-initiated use)
  Consumer protection:
    $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in a timely manner (VISA and MasterCard websites).
    Up to $50 under Reg E if the consumer provides notice within two business days after learning of the loss of the debit card (12 CFR 205.6(b)(1)).
    Up to $500 of the unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice (12 CFR 205.6(b)(2)).
    Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.6(b)(3)).
  Who is liable: The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant under the merchant agreement. Authority: secondary sources [7].
54
Payment type: Debit cards

Subtype: Decoupled debit cards (cards issued by an institution other than the bank at which the consumer maintains an account; settlement between the merchant and the card issuer is through branded payment networks such as VISA/MasterCard, and settlement between the card issuer and the consumer is via ACH debits to the consumer's bank account)
  Consumer protection:
    $0 under VISA and MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss in a timely manner (VISA and MasterCard websites).
    Up to $50 under Reg E if the consumer provides notice within four business days after learning of the loss of the debit card (12 CFR 205.14(b)(5)(v)).
    Up to $500 of the unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice (12 CFR 205.14(b)(5)(v)).
    Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided (12 CFR 205.14(b)(5)(v)).
    The consumer has a right of immediate recredit under the NACHA Rules if it notifies its bank within 15 days after receiving the statement (NACHA OR Section 8.6.1).
  Who is liable: Under the NACHA Rules the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH debit items; the ODFI is likely to pass liability to the card issuer by agreement. Under the payment network rules, either the card issuer or the acquiring bank is liable, depending on whether it is a card-present or card-not-present situation (see the debit card rows above).
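The Reg E tiers in the three debit card rows above (up to $50, up to $500, then uncapped, with the two-business-day and 60-day windows stretched to four business days and 90 days for decoupled cards) interact in a way a matrix cell cannot show: the $50/$500 caps govern transfers up to the close of the statement window, and every transfer after that close and before notice is uncapped. The Python below is an added example written for this page, not code from the presentation, the Federal Reserve Bank of Minneapolis or any of the speakers. It encodes 12 CFR 205.6(b)(1) through (b)(3) as a liability calculator, with the 205.14(b)(5) substitutions as a second parameter set. It assumes that business days are Monday to Friday (bank holidays ignored), that dates are whole days with a transfer dated the day of notice treated as after notice, and that the institution can establish the later transfers would not have occurred had notice been timely; the timelines in demo_scenarios() are constructed sample data, not figures from the presentation.

```python
"""Reg E consumer-liability tiers for unauthorized electronic fund transfers.

Added example, not from the presentation. Encodes the tiers in the debit card
rows of the liability matrix: 12 CFR 205.6(b)(1)-(3) for a bank-issued debit
card, and the decoupled-debit substitutions in 12 CFR 205.14(b)(5)
(four business days instead of two, 90 days instead of 60).

Assumptions (not stated on the slides):
  * business days are Monday to Friday; bank holidays are ignored;
  * dates are whole days; a transfer dated the day notice is given is
    treated as occurring after notice;
  * the institution can establish that later transfers would not have
    occurred had notice been timely (the proviso in (b)(2)(ii) and (b)(3)).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class RegETiers:
    notice_business_days: int   # window after learning of loss/theft of the access device
    statement_days: int         # window after the periodic statement is sent
    tier1_cap: float = 50.0     # (b)(1) cap
    tier2_cap: float = 500.0    # (b)(2) cap


STANDARD = RegETiers(notice_business_days=2, statement_days=60)   # 12 CFR 205.6(b)
DECOUPLED = RegETiers(notice_business_days=4, statement_days=90)  # 12 CFR 205.14(b)(5)


@dataclass(frozen=True)
class Transfer:
    on: date
    amount: float


def add_business_days(start: date, n: int) -> date:
    """Date on which the n-th business day after `start` closes (weekdays only; assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def consumer_liability(transfers: Iterable[Transfer],
                       notice: date,
                       learned_loss: Optional[date] = None,
                       statement_sent: Optional[date] = None,
                       tiers: RegETiers = STANDARD) -> float:
    """Maximum consumer liability for a series of unauthorized transfers.

    learned_loss:   day the consumer learned the access device was lost or
                    stolen (None when no device was lost, e.g. account-number
                    fraud, so only the periodic-statement rule applies).
    statement_sent: day the institution sent the first periodic statement
                    showing one of the unauthorized transfers, or None.
    """
    transfers = list(transfers)

    # (b)(3): transfers after the statement window closes, and before notice,
    # are uncapped. Transfers up to that close stay under (b)(1)/(b)(2), so
    # `cutoff` keeps the two rules from counting the same transfer twice.
    uncapped = 0.0
    cutoff = notice
    if statement_sent is not None:
        statement_close = statement_sent + timedelta(days=tiers.statement_days)
        if notice > statement_close:
            uncapped = sum(t.amount for t in transfers if statement_close < t.on < notice)
            cutoff = statement_close + timedelta(days=1)

    # (b)(1)/(b)(2): apply only when an access device was lost or stolen.
    capped = 0.0
    if learned_loss is not None:
        window_close = add_business_days(learned_loss, tiers.notice_business_days)
        in_window = sum(t.amount for t in transfers if t.on <= window_close and t.on < cutoff)
        if notice <= window_close:
            capped = min(tiers.tier1_cap, in_window)                              # (b)(1)
        else:
            after_window = sum(t.amount for t in transfers if window_close < t.on < cutoff)
            capped = min(tiers.tier2_cap, min(tiers.tier1_cap, in_window) + after_window)  # (b)(2)
    return capped + uncapped


def demo_scenarios() -> dict:
    """Constructed timelines (sample data, not from the presentation)."""
    d = date
    out = {}
    # Lost card, notice on the second business day: (b)(1) caps liability at $50.
    out["timely"] = consumer_liability(
        [Transfer(d(2010, 3, 1), 120.0), Transfer(d(2010, 3, 2), 300.0)],
        notice=d(2010, 3, 3), learned_loss=d(2010, 3, 1))
    # Same loss, notice nine days late: (b)(2) caps liability at $500.
    out["late"] = consumer_liability(
        [Transfer(d(2010, 3, 1), 120.0), Transfer(d(2010, 3, 2), 300.0),
         Transfer(d(2010, 3, 5), 200.0), Transfer(d(2010, 3, 10), 400.0)],
        notice=d(2010, 3, 12), learned_loss=d(2010, 3, 1))
    # No card lost; an unauthorized debit on the 5 Jan statement is not reported
    # within 60 days: everything after 6 Mar and before notice is uncapped.
    out["statement"] = consumer_liability(
        [Transfer(d(2010, 1, 2), 90.0), Transfer(d(2010, 2, 20), 75.0),
         Transfer(d(2010, 3, 15), 1200.0), Transfer(d(2010, 3, 20), 800.0)],
        notice=d(2010, 3, 25), statement_sent=d(2010, 1, 5))
    # Identical facts, bank-issued card vs decoupled card: the four-business-day
    # window makes a Friday notice after a Monday loss timely for the decoupled card.
    facts = dict(transfers=[Transfer(d(2010, 3, 1), 20.0), Transfer(d(2010, 3, 4), 700.0)],
                 notice=d(2010, 3, 5), learned_loss=d(2010, 3, 1))
    out["standard_card"] = consumer_liability(**facts)
    out["decoupled_card"] = consumer_liability(tiers=DECOUPLED, **facts)
    return out


if __name__ == "__main__":
    for name, amount in demo_scenarios().items():
        print(f"{name:15s} ${amount:,.2f}")
```

Running the file prints the five scenarios. The last two use the same facts and differ only in the parameter set, which is the practical effect of the substitutions in the decoupled debit row: the same Friday notice is late under the bank-issued card's two-business-day window ($500 exposure) and timely under the decoupled card's four-business-day window ($50 exposure). A dispute-handling team can use the same function with the real notice and statement dates to check which tier an institution is applying.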
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Questions
43
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Contact Information
44
Brad LarsonVice President Global TreasurerClaires Stores847-765-3144bradlarsonclairescom
Terry CrawfordSenior Vice President amp TreasurerAMC Entertainment Inc816-489-4690tcrawfordamctheatrescom
Jerl RossiCorporate Director Treasury OperationsNorthrop Grumman Corporation310-556-4523jerlrossingccom
Claudia Swendseid Senior Vice PresidentFederal Reserve Bank of Minneapolis612-204-5448claudiaswendseidmplsfrborgwwwfrbservicesorg
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
© 2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent

Appendix A: Payments Fraud Liability Matrix (slide 54)

Payment type: Debit Cards
Subtype (fraud type): Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between the merchant and the card issuer is through branded payment networks such as VISA/MasterCard; settlement between the card issuer and the consumer is via ACH debits to the consumer's bank account)
Consumer protection (legal authority):
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  • Up to $50: if the consumer provides notice within four business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.14(b)(5)(v))
  • Up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 20146(b)(5)(v))
  • Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.14(b)(5)(v))
  • The consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement. (NACHA OR Section 8.6.1)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • Under NACHA Rules, the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described under ACH Debits. The ODFI is likely to pass liability to the card issuer by agreement.
  • Under payment network rules, either the card issuer or the acquiring bank is liable, depending on whether it is a card-present or card-not-present situation. See the Debit Cards entries.
Contact Information (slide 44)

Brad Larson, Vice President, Global Treasurer, Claire's Stores, 847-765-3144, bradlarson@claires.com
Terry Crawford, Senior Vice President & Treasurer, AMC Entertainment Inc., 816-489-4690, tcrawford@amctheatres.com
Jerl Rossi, Corporate Director, Treasury Operations, Northrop Grumman Corporation, 310-556-4523, jerlrossi@ngc.com
Claudia Swendseid, Senior Vice President, Federal Reserve Bank of Minneapolis, 612-204-5448, claudiaswendseid@mpls.frb.org, www.frbservices.org
Resources (slide 45)

Industry Links
• American Bankers Association, www.aba.com
• Association for Financial Professionals, www.afponline.org
• Bank Administration Institute, www.bai.org
• BITS, www.bitsinfo.org
• Credit Union National Association, www.cuna.org
• Board of Governors of the Federal Reserve System, www.federalreserve.gov
• Electronic Check Clearing House Organization (ECCHO), www.eccho.com
• Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov
• Federal Reserve Financial Services, www.frbservices.org
• Independent Community Bankers of America, www.icba.org
• National Automated Clearing House Association, www.nacha.org
• National Association of Federal Credit Unions, www.nafcunet.org
• X9 Financial Industry Standards, www.x9.org
Online Sales & Revenue Lost to Fraud (slide 46)
Bar chart; the values below are read from the chart's data labels, in $ billions:

Year   Total e-commerce   Revenue lost to fraud
2000        41.7                 1.5
2001        53.1                 1.7
2002        72.4                 2.1
2003       111.8                 1.9
2004       144.4                 2.6
2005       175.0                 2.8
2006       221.4                 3.1
2007       264.3                 3.7
2008       285.7                 4.0
2009       275.0                 3.3
2010       300.0                 2.7

Source: Cybersource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites (slide 47)
Revenue lost as a percentage of total online sales & total online fraud losses ($ billions); the values below are read from the chart's data labels:

Year   Revenue lost to online fraud ($ billions)   Lost as % of online sales
2000        1.5                                        3.6
2001        1.7                                        3.2
2002        2.1                                        2.9
2003        1.9                                        1.7
2004        2.6                                        1.8
2005        2.8                                        1.6
2006        3.1                                        1.4
2007        3.7                                        1.4
2008        4.0                                        1.4
2009        3.3                                        1.2
2010        2.7                                        0.9

Source: Cybersource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix (slide 48)

Payment type: ACH
Subtype (fraud type): Credit Items (PPD)
Consumer protection (legal authority):
  • $0: The consumer is not liable if the fraud is reported within 60 days after receiving the statement. (Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. (The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3.)
  • Credit items can be returned at any time. (The return deadline for credit items is set forth in NACHA OR 6.1.4.)

Payment type: ACH
Subtype (fraud type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
Consumer protection (legal authority):
  • $0: The consumer is not liable if the fraud is reported within 60 days after receiving the statement. (Reg E, 12 CFR 205.6(b)(3))
  • The consumer has a right of immediate recredit if it notifies the bank within 15 days after receiving the statement. (NACHA OR[3] Section 8.6.1)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The ODFI is liable for breach of warranty that the item is authorized. (The ODFI warranty is set forth in NACHA OR 2.2.1.1; liability for breach of warranty is set forth in NACHA 2.2.3.)
  • The ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. (The return deadline for debit items is set forth in NACHA OG[4], pages 102-103.)
  • Separate warranty claims can be brought after the 60-day period outside of the ACH network.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (slide 49)

Payment type: Check[5]
Subtype (fraud type): Forged (counterfeit) check
Consumer protection (legal authority):
  • $0: The consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The paying bank is liable, as there is no breach of presentment warranty. (Presentment warranties are set forth in UCC 3-417 and 4-208.)

Payment type: Check
Subtype (fraud type): Forged drawer's signature
Consumer protection (legal authority):
  • $0: The consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
  • Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery. (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The paying bank is liable, as there is no breach of presentment warranty. (Presentment warranties are set forth in UCC 3-417 and 4-208.)

Payment type: Check
Subtype (fraud type): Forged endorsement
Consumer protection (legal authority):
  • $0: The consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The depository bank is liable, as there is a breach of transfer or presentment warranties. (Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.)

[5] These protections also apply to business checks.
Appendix A: Payments Fraud Liability Matrix (slide 50)

Payment type: Check
Subtype (fraud type): Fraudulent alteration
Consumer protection (legal authority):
  • $0: The consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 3-407; UCC 4-401: if the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
  • Possible exception if the consumer's negligence substantially contributed to the forged signature, or if the consumer failed to timely report the forgery. (UCC 3-406, drawer's negligence; UCC 4-406, drawer's failure to report)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The depository bank is liable, as there is a breach of transfer or presentment warranties. (Presentment warranties are set forth in UCC 3-417 and 4-208; transfer warranties are set forth in UCC 3-416 and 4-207.)

Payment type: Check
Subtype (fraud type): Remotely created checks
Consumer protection (legal authority):
  • $0: The consumer is not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. (UCC 4-401: if the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The depository bank is liable for all kinds of fraud for remotely created checks. (Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.)
Appendix A: Payments Fraud Liability Matrix (slide 51)

Payment type: Credit Cards
Subtype (fraud type): Card present (signature or PIN required)
Consumer protection (legal authority):
  • $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The issuing bank is generally liable for fraudulent transactions. (VISA and MasterCard Rules[6])

Payment type: Credit Cards
Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection (legal authority):
  • $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b))
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (VISA and MasterCard Rules)

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (slide 52)

Payment type: Debit Cards
Subtype (fraud type): Card present (signature or PIN required)
Consumer protection (legal authority):
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  • Up to $50: if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.6(b)(1))
  • Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.6(b)(2))
  • Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The issuing bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. (VISA and MasterCard Rules)
Appendix A: Payments Fraud Liability Matrix (slide 53)

Payment type: Debit Cards
Subtype (fraud type): Card not present (telephone or web initiated use)
Consumer protection (legal authority):
  • $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA/MasterCard websites)
  • Up to $50: if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg E, 12 CFR 205.6(b)(1))
  • Up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg E, 12 CFR 205.6(b)(2))
  • Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant (legal authority):
  • The acquiring bank is generally liable for fraudulent transactions if the acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (Secondary Sources[7])
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Resources
Industry Linksbull American Bankers Association wwwabacombull Association for Financial Professionals wwwafponlineorgbull Bank Administration Institute wwwbaiorgbull BITS wwwbitsinfoorgbull Credit Union National Association wwwcunaorgbull Board of Governors of the Federal Reserve System wwwfederalreservegovbull Electronic Check Clearing House Organization (ECCHO) wwwecchocombull Federal Financial Institutions Examination Councils (FFIEC) wwwffiecgovbull Federal Reserve Financial Services wwwfrbservicesorgbull Independent Community Bankers of America wwwicbaorgbull National Automated Clearing House Association wwwnachaorgbull National Association of Federal Credit Unions wwwnafcunetorgbull X9 Financial Industry Standards wwwx9org
45
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales amp Revenue Lost to Fraud
15 17 21 19 26 28 31 37 4 33 27
417
531
724
1118
1444
1750
2214
2643
28572750
3000
0
50
100
150
200
250
300
350
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Total e-commerce Revenue Lost to Fraud
In $Billions
46
Source Cybersource 2011 Online Fraud Report
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
© 2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Online Sales & Revenue Lost to Fraud (slide 46)
Chart: total e-commerce revenue (bars, left axis 0 to 350, in $ billions) and total e-commerce revenue lost to fraud (in $ billions) by year, 2000 to 2010. Values as labelled on the chart:
Year | Total e-commerce revenue ($ billions) | Revenue lost to fraud ($ billions)
2000 | 41.7 | 1.5
2001 | 53.1 | 1.7
2002 | 72.4 | 2.1
2003 | 111.8 | 1.9
2004 | 144.4 | 2.6
2005 | 175.0 | 2.8
2006 | 221.4 | 3.1
2007 | 264.3 | 3.7
2008 | 285.7 | 4.0
2009 | 275.0 | 3.3
2010 | 300.0 | 2.7
Source: CyberSource 2011 Online Fraud Report
Relative Losses Declining Among Online Retail Sites (slide 47)
Chart: revenue lost as a percentage of total online sales (line, axis 0.0 to 4.0 percent) and total online fraud losses ($ billions) by year, 2000 to 2010. Values as labelled on the chart:
Year | Revenue lost to online fraud ($ billions) | Lost as % of total online sales
2000 | 1.5 | 3.6
2001 | 1.7 | 3.2
2002 | 2.1 | 2.9
2003 | 1.9 | 1.7
2004 | 2.6 | 1.8
2005 | 2.8 | 1.6
2006 | 3.1 | 1.4
2007 | 3.7 | 1.4
2008 | 4.0 | 1.4
2009 | 3.3 | 1.2
2010 | 2.7 | 0.9
Source: CyberSource 2011 Online Fraud Report
Appendix A: Payments Fraud Liability Matrix (slide 48)
Matrix columns: Payment Type | Subtype (Fraud Type) | Consumer Protection | Legal Authority | Who is liable if cannot recover against fraudster or merchant | Legal Authority

Payment Type: ACH
Subtype (Fraud Type): Credit Items (PPD)
Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement.
Legal Authority: Reg. E, 12 CFR 205.6(b)(3)
Who is liable if cannot recover against fraudster or merchant: The Originating Depository Financial Institution ("ODFI") is liable for breach of warranty that the item is authorized. Credit items can be returned at any time.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for credit items is set forth in NACHA OR 6.1.4.

Payment Type: ACH
Subtype (Fraud Type): Debit Items (ARC, BOC, IAT, POP and RCK have similar recredit rights pursuant to NACHA OR Sections 8.6.2 through 8.6.5)[1]
Consumer Protection: $0. Consumer not liable if fraud is reported within 60 days after receiving the statement. Consumer has a right of immediate recredit if it notifies the bank within 15 days after receiving the statement.
Legal Authority: Reg. E, 12 CFR 205.6(b)(3); NACHA OR[3] Section 8.6.1
Who is liable if cannot recover against fraudster or merchant: ODFI is liable for breach of warranty that the item is authorized. ODFI must accept the return of unauthorized items that the RDFI[2] returns within 60 days after the settlement date. Separate warranty claims can be brought after the 60-day period outside of the ACH network.
Legal Authority: The ODFI warranty is set forth in NACHA OR 2.2.1.1. Liability for breach of warranty is set forth in NACHA 2.2.3. The return deadline for debit items is set forth in NACHA OG[4] pages 102 and 103.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

[1] ARC means lockbox items pursuant to NACHA OR 3.7; POP means Point of Purchase conversion items pursuant to NACHA OR 3.8; BOC refers to Back Office Conversion items. Re-presented check entries (RCK), which means items that are collected via ACH after the original paper check has been dishonored, are not covered by Reg. E, as it specifically excludes items that were first originated by a check.
[2] Receiving Depository Financial Institution.
[3] NACHA Operating Rules (2009).
[4] NACHA Operating Guidelines (2009). The number following OG refers to the page number.
Appendix A: Payments Fraud Liability Matrix (slide 49)

Payment Type: Check[5]
Subtype (Fraud Type): Forged (counterfeit) check
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check[5]
Subtype (Fraud Type): Forged drawer's signature
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Payment Type: Check[5]
Subtype (Fraud Type): Forged endorsement
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

[5] These protections also apply to business checks.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (slide 50)

Payment Type: Check
Subtype (Fraud Type): Fraudulent Alteration
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
Legal Authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Payment Type: Check
Subtype (Fraud Type): Remotely Created Checks
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
Legal Authority: Reg. CC, 12 CFR 229.34 contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (slide 51)

Payment Type: Credit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection / Legal Authority:
- $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg. Z, 12 CFR 226.12(b))
- $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
Legal Authority: VISA and MasterCard Rules[6]

Payment Type: Credit Cards
Subtype (Fraud Type): Card not present (telephone or web initiated use)
Consumer Protection / Legal Authority:
- $50: The consumer's maximum liability under federal law is $50 for unauthorized use. (Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg. Z, 12 CFR 226.12(b))
- $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: VISA and MasterCard Rules

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.

[6] The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.
Appendix A: Payments Fraud Liability Matrix (slide 52)

Payment Type: Debit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection / Legal Authority:
- $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
- Up to $50: if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg. E, 12 CFR 205.6(b)(1))
- Up to $500: of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg. E, 12 CFR 205.6(b)(2))
- Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg. E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
Legal Authority: VISA and MasterCard Rules

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (slide 53)

Payment Type: Debit Cards
Subtype (Fraud Type): Card not Present (telephone or web initiated use)
Consumer Protection / Legal Authority:
- $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
- Up to $50: if the consumer provides notice within two business days after learning of the loss of the debit card. (Reg. E, 12 CFR 205.6(b)(1))
- Up to $500: of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice. (Reg. E, 12 CFR 205.6(b)(2))
- Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Reg. E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: Secondary Sources[7]

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
Appendix A: Payments Fraud Liability Matrix (slide 54)

Payment Type: Debit Cards
Subtype (Fraud Type): Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between the merchant and the card issuer is through branded payment networks such as VISA/MasterCard; settlement between the card issuer and the consumer is via ACH debits to the consumer's bank account)
Consumer Protection / Legal Authority:
- $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (VISA, MasterCard websites)
- Up to $50: if the consumer provides notice within four business days after learning of the loss of the debit card. (Reg. E, 12 CFR 205.14(b)(5)(v))
- Up to $500: of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice. (Reg. E, 12 CFR 20146(b)(5)(v))
- Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. (Reg. E, 12 CFR 205.14(b)(5)(v))
- Consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement. (NACHA OR Section 8.6.1)
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules the ODFI, which is likely the card issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules it is either the card issuer or the acquiring bank that is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).

Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent
Relative Losses Declining Among Online Retail Sites
36
32
29
1718
16
14 14 14
12
09
00
05
10
15
20
25
30
35
40
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
Revenue Lost to Online Fraud$15
$17
$21
$19$26
$28$31 $40
$33
47
Source Cybersource 2011 Online Fraud Report
$37
$27
Revenue lost as a percentage of total online sales amp total online fraud losses ($ billions)
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 48
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
ACH
Credit Items (PPD) $0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) Originating Depository Financial
Institution (ldquoODFIrdquo) is liable for
breach of warranty that item is
authorized
Credit Items can be returned at
any time
The ODFI warranty
is set forth in
NACHA OR 2211
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
credit items is set
forth in NACHA OR
614
Debit Items
(ARC BOC IAT POP and
RCK have similar recredit
rights pursuant to
NACHA OR Sections 862
through 865)1
$0
Consumer not liable if report
fraud within 60 days after
receiving statement
Reg E 12 CFR 2056(b)(3) ODFI is liable for breach of
warranty that item is authorized
ODFI must accept the return of
unauthorized items that the RDFI2
returns within 60 days after the
settlement date
Separate warranty claims can be
brought after the 60-day period
outside of the ACH network
The ODFI warranty
is set forth in
NACHA OR 2211
NACHA OR3 Section 861
Consumer has right of immediate
recredit if notifies bank within 15
days after receiving statement
Liability for breach
of warranty is set
forth in NACHA
223
Return deadline for
debit items is set
forth in NACHA OG4
102 103
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
1 ARC means lockbox items pursuant to NACHA OR 37 POP means Point of Purchase conversion items pursuant to NACHA OR 38 BOC
refers to Back Office Conversion items Re-presented check entries (RCK) which means items that are collected via ACH after the original
paper check has been dishonored are not covered by Reg E as it specifically excludes items that were first originated by a check 2 Receiving Depository Financial Institution 3 NACHA Operating Rules (2009) 4 NACHA Operating Guidelines (2009) The number
following OG refers to the page number
Appendix A: Payments Fraud Liability Matrix

The matrix has six columns: Payment Type; Subtype (Fraud Type); Consumer Protection; Legal Authority; Who is liable if cannot recover against fraudster or merchant; Legal Authority. Each entry below lists those columns in that order.

Payment Type: Check (5)

Subtype (Fraud Type): Forged (counterfeit) check
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype (Fraud Type): Forged drawer's signature
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Paying bank is liable, as there is no breach of presentment warranty.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208.

Subtype (Fraud Type): Forged endorsement
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Subtype (Fraud Type): Fraudulent alteration
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement. Possible exception if the consumer's negligence substantially contributed to the forged signature or if the consumer failed to timely report the forgery.
Legal Authority: UCC 3-407; UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check. UCC 3-406 (drawer's negligence); UCC 4-406 (drawer's failure to report).
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable, as there is a breach of transfer or presentment warranties.
Legal Authority: Presentment warranties are set forth in UCC 3-417 and 4-208. Transfer warranties are set forth in UCC 3-416 and 4-207.

Subtype (Fraud Type): Remotely created checks
Consumer Protection: $0. Consumer not liable, as the check is not properly payable, which means that it was not authorized or not in accordance with any agreement.
Legal Authority: UCC 4-401. If the check is not properly payable, the depository bank must not charge, or is required to recredit, the amount of the fraudulent check.
Who is liable if cannot recover against fraudster or merchant: Depository bank is liable for all kinds of fraud for remotely created checks.
Legal Authority: Reg CC, 12 CFR 229.34, contains transfer and presentment warranties for remotely created checks, in which the depository bank warrants that the check is authorized.

5 These protections also apply to business checks.

Payment Type: Credit Cards

Subtype (Fraud Type): Card present (signature or PIN required)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b). VISA/MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions.
Legal Authority: VISA and MasterCard Rules (6).

Subtype (Fraud Type): Card not present (telephone or web initiated use)
Consumer Protection: $50. The consumer's maximum liability under federal law is $50 for unauthorized use. $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely.
Legal Authority: Truth in Lending Act ("TILA"), 15 USC 1643(a), and Reg Z, 12 CFR 226.12(b). VISA/MasterCard websites.
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: VISA and MasterCard Rules.

6 The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant). These rules are not public, and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources.

Payment Type: Debit Cards

Subtype (Fraud Type): Card present (signature or PIN required)
Consumer Protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: VISA/MasterCard websites. Reg E, 12 CFR 205.6(b)(1) (up to $50); 12 CFR 205.6(b)(2) (up to $500); 12 CFR 205.6(b)(3) (unlimited).
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN.
Legal Authority: VISA and MasterCard Rules.

Subtype (Fraud Type): Card not present (telephone or web initiated use)
Consumer Protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the two-business-day timeframe and until the consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided.
Legal Authority: VISA/MasterCard websites. Reg E, 12 CFR 205.6(b)(1) (up to $50); 12 CFR 205.6(b)(2) (up to $500); 12 CFR 205.6(b)(3) (unlimited).
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement.
Legal Authority: Secondary sources (7).

Subtype (Fraud Type): Decoupled debit cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between the merchant and the card issuer is through branded payment networks such as VISA/MasterCard; settlement between the card issuer and the consumer is via ACH debits to the consumer's bank account)
Consumer Protection: $0 under VISA/MasterCard consumer policies: the consumer has no liability for unauthorized use, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. Under Reg E: up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card; up to $500 of unauthorized transfers incurred after the close of the four-business-day timeframe and until the consumer actually provides notice; unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. The consumer has a right of immediate recredit under NACHA Rules if it notifies its bank within 15 days after receiving the statement.
Legal Authority: VISA/MasterCard websites. Reg E, 12 CFR 205.14(b)(5)(v) (each of the up to $50, up to $500 and unlimited tiers). NACHA OR Section 8.6.1 (immediate recredit).
Who is liable if cannot recover against fraudster or merchant: Under NACHA Rules, the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under payment network rules, it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation (see above for debit cards).
Legal Authority: Not stated.

Appendix A Payments Fraud Liability Matrix Disclaimer: This appendix is for informational purposes only. The information dates to January 2010 and may no longer be entirely current. It does not constitute legal advice. Consult an attorney about a particular case, problem or question.
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 49
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Check5
Forged (counterfeit)
check
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Forged drawerrsquos
signature
$0
Consumer not liable as the check
is not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit the amount
of the fraudulent check
Paying bank is liable as there is no
breach of presentment warranty
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumerrsquos failure
to timely report forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Forged endorsement $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer warranties
are set forth in UCC
3-416 and 4-207
5These protections also apply to business checks
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 50
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster
or merchant
Legal Authority
Check
Fraudulent Alteration $0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 3-407 UCC 4-401 If check
is not properly payable the
depository bank must not charge
or is required to recredit amount
of fraudulent check
Depository bank is liable as there
is breach of transfer or
presentment warranties
Presentment
warranties are set
forth in UCC 3-417
and 4-208
Transfer
warranties are set
forth in UCC 3-416
and 4-207
Possible exception if consumerrsquos
negligence substantially
contributed to the forged
signature or if consumer failed to
timely report the forgery
UCC 3-406 drawerrsquos negligence
UCC 4-406 drawerrsquos failure to
report
Remotely Created
Checks
$0
Consumer not liable as check is
not properly payable which
means that it was not authorized
or not in accordance with any
agreement
UCC 4-401 If check is not
properly payable the depository
bank must not charge or is
required to recredit amount of
the fraudulent check
Depository bank is liable for all
kinds of fraud for remotely
created checks
Reg CC 12 CFR
22934 contains
transfer and
presentment
warranties for
remotely created
checks in which
depository bank
warrants that the
check is authorized
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment
Type
Subtype
(Fraud Type) Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card Present (signature
or PIN required)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Issuing Bank is generally liable
for fraudulent transactions if
merchant has obtained signature
or required use of PIN
VISA and
MasterCard Rules
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Reg E 12 CFR 2056(b)(1)
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting 60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 53
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Card not Present
(telephone or web
initiated use)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites The Acquiring Bank is generally
liable for fraudulent transactions if
the Acquirer is not able to pass the
liability on to the merchant
pursuant to the merchant
agreement
Secondary Sources7
Reg E 12 CFR 2056(b)(1)
Up to $50
If the consumer provides notice
within two business days after
learning of the loss of the debit
card
Up to $500
of unauthorized transfers incurred
after the close of the two business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 2056(b)(2)
Unlimited consumer liability for
transactions occurring in the
period starting60 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 2056(b)(3)
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 54
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Debit Cards
Decoupled Debit Cards
(Cards issued by
Institution other than
Bank in which consumer
maintains an account
Settlement between
merchant and card issuer
is through branded
payment networks such
as VISAMasterCard
Settlement between Card
issuer and consumer is
via ACH debits to
consumerrsquos bank account)
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card or has acted
negligently in failing to report the
loss timely
VISA MasterCard websites Under NACHA Rules the ODFI
which is likely the Card Issuerrsquos
bank is liable for breach of
warranty as described above under
ACH Debits The ODFI is likely to
pass liability to card issuer by
agreement
Under Payment network rules it is
either the Card Issuer or the
Acquiring Bank that is liable
depending on whether it is a card-
present or card not present
situation See above for debit
cards
Up to $50
If the consumer provides notice
within four business days after
learning of the loss of the debit
card
Reg E 12 CFR 20514(b)(5)(V)
Up to $500
of unauthorized transfers incurred
after the close of the four business
day timeframe and until consumer
actually provides notice
Reg E 12 CFR 20146(b)(5)(v)
Unlimited consumer liability for
transactions occurring in the
period starting 90 days after the
consumerrsquos receipt of the
statement and until notice is
provided
Reg E 12 CFR 20514(b)(5)(V)
Consumer has right of immediate
recredit under NACHA Rules if
notifies its bank within 15 days
after receiving statement
NACHA OR Section 861
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 51
Payment
Type
Subtype
(Fraud Type)Consumer Protection Legal Authority
Who is liable if cannot
recover against fraudster or
merchant
Legal Authority
Credit Cards
Card Present
(signature or Pin
required)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Issuing Bank is generally
liable for fraudulent transactions
VISA and
MasterCard Rules6
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Card not present
(telephone or web
initiated use)
$50
The consumerrsquos maximum liability
under federal law is $50 for
unauthorized use
Truth in Lending Act (ldquoTILArdquo) 15
USC 1643(a) and Reg Z 12 CFR
22612(b)
The Acquiring Bank is generally
liable for fraudulent transactions
if the Acquirer is not able to pass
the liability on to the merchant
pursuant to the merchant
agreement
VISA and
MasterCard Rules
$0
The consumer has no liability for
unauthorized use under VISA
MasterCard consumer policies
provided that the consumer has
taken reasonable measures to
protect the card and has not
acted negligently in failing to
report the loss timely
VISA MasterCard websites
Appendix A Payments Fraud Liability Matrix Disclaimer This appendix is for informational purposes only The information dates to January 2010 amp may no longer be entirely current It does not constitute legal advice Consult an attorney about a particular case problem or question
6The VISA and MasterCard network rules apply only between the Issuing Bank (the bank that issues cards to cardholders) and the Acquiring Bank (the bank that has the relationship with the merchant) These rules are not public and the legal authority is derived from statements made by VISA and MasterCard in litigation and from other secondary sources
copy2011 Federal Reserve Bank of Minneapolis - Materials are not to be used without consent 52
Payment Type: Debit Cards
Subtype (Fraud Type): Card Present (signature or PIN required)
Consumer Protection:
  - $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal Authority: VISA/MasterCard websites)
  - Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Legal Authority: Reg E, 12 CFR 205.6(b)(1))
  - Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice. (Legal Authority: Reg E, 12 CFR 205.6(b)(2))
  - Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Legal Authority: Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The Issuing Bank is generally liable for fraudulent transactions if the merchant has obtained a signature or required use of a PIN. (Legal Authority: VISA and MasterCard Rules)
Payment Type: Debit Cards
Subtype (Fraud Type): Card not present (telephone or web initiated use)
Consumer Protection:
  - $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal Authority: VISA/MasterCard websites)
  - Up to $50 if the consumer provides notice within two business days after learning of the loss of the debit card. (Legal Authority: Reg E, 12 CFR 205.6(b)(1))
  - Up to $500 of unauthorized transfers incurred after the close of the two business day timeframe and until the consumer actually provides notice. (Legal Authority: Reg E, 12 CFR 205.6(b)(2))
  - Unlimited consumer liability for transactions occurring in the period starting 60 days after the consumer's receipt of the statement and until notice is provided. (Legal Authority: Reg E, 12 CFR 205.6(b)(3))
Who is liable if cannot recover against fraudster or merchant: The Acquiring Bank is generally liable for fraudulent transactions if the Acquirer is not able to pass the liability on to the merchant pursuant to the merchant agreement. (Legal Authority: secondary sources; see footnote 7)
Payment Type: Debit Cards
Subtype (Fraud Type): Decoupled Debit Cards (cards issued by an institution other than the bank in which the consumer maintains an account; settlement between merchant and card issuer is through branded payment networks such as VISA/MasterCard; settlement between card issuer and consumer is via ACH debits to the consumer's bank account)
Consumer Protection:
  - $0: The consumer has no liability for unauthorized use under VISA/MasterCard consumer policies, provided that the consumer has taken reasonable measures to protect the card and has not acted negligently in failing to report the loss timely. (Legal Authority: VISA/MasterCard websites)
  - Up to $50 if the consumer provides notice within four business days after learning of the loss of the debit card. (Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v))
  - Up to $500 of unauthorized transfers incurred after the close of the four business day timeframe and until the consumer actually provides notice. (Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v))
  - Unlimited consumer liability for transactions occurring in the period starting 90 days after the consumer's receipt of the statement and until notice is provided. (Legal Authority: Reg E, 12 CFR 205.14(b)(5)(v))
  - The consumer has a right of immediate recredit under the NACHA Rules if it notifies its bank within 15 days after receiving the statement. (Legal Authority: NACHA Operating Rules, Section 8.6.1)
Who is liable if cannot recover against fraudster or merchant: Under the NACHA Rules the ODFI, which is likely the Card Issuer's bank, is liable for breach of warranty as described above under ACH Debits; the ODFI is likely to pass liability to the card issuer by agreement. Under the payment network rules it is either the Card Issuer or the Acquiring Bank that is liable, depending on whether it is a card-present or card-not-present situation; see the debit card rows above.
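The Reg E tiers in the debit card rows above (up to $50 with notice inside the business-day window, up to $500 after it, uncapped for transfers after the statement window closes) and the wider four-business-day / 90-day windows for decoupled debit interact in ways that are easier to see as a computation than as table cells. The following Python is an added worked example, not code from the presentation or from any of the speakers' organizations; it encodes the tiers as the matrix states them. Its simplifications are assumptions: business days are Monday to Friday with holidays ignored, a transfer counts only if it posts before the date notice is given, the Reg E condition that the institution establish the later transfers would not have occurred with timely notice is taken as satisfied, and amounts are in cents. The transfers and dates in the two scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LiabilityRule:
    """Time windows and caps for one Reg E liability regime (amounts in cents)."""
    citation: str
    prompt_notice_business_days: int  # window after the consumer learns of the loss
    prompt_cap_cents: int             # cap when notice is given inside that window
    late_cap_cents: int               # cap when notice is given after it
    statement_window_days: int        # calendar days after statement transmittal


# Ordinary debit card: 2 business days / 60 days.
REG_E_DEBIT = LiabilityRule("Reg E, 12 CFR 205.6(b)", 2, 5_000, 50_000, 60)
# Decoupled debit card: 4 business days / 90 days.
REG_E_DECOUPLED = LiabilityRule("Reg E, 12 CFR 205.14(b)(5)(v)", 4, 5_000, 50_000, 90)


@dataclass(frozen=True)
class Transfer:
    posted: date
    amount_cents: int


@dataclass(frozen=True)
class Liability:
    access_device_tier_cents: int  # the $50 / $500 tiers
    statement_tier_cents: int      # uncapped transfers after the statement window

    @property
    def total_cents(self) -> int:
        return self.access_device_tier_cents + self.statement_tier_cents


def close_of_business_days(start: date, n: int) -> date:
    """Date on which the n-th business day after `start` ends.
    Assumption: Monday-Friday are business days; holidays are ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def consumer_liability(transfers: list[Transfer], learned_of_loss: date,
                       notice_given: date, statement_sent: date,
                       rule: LiabilityRule = REG_E_DEBIT) -> Liability:
    """Apply the matrix's tiers to the unauthorized transfers on one account."""
    # Only transfers that post before notice can be charged to the consumer.
    before_notice = [t for t in transfers if t.posted < notice_given]

    # Third tier: transfers after the statement window closes are uncapped.
    statement_deadline = statement_sent + timedelta(days=rule.statement_window_days)
    statement_tier = sum(t.amount_cents for t in before_notice
                         if t.posted > statement_deadline)

    # First and second tiers apply to everything else.
    rest = [t for t in before_notice if t.posted <= statement_deadline]
    prompt_deadline = close_of_business_days(learned_of_loss,
                                             rule.prompt_notice_business_days)
    if notice_given <= prompt_deadline:
        # Timely notice: the lesser of the cap ($50) or what was taken before notice.
        device_tier = min(rule.prompt_cap_cents, sum(t.amount_cents for t in rest))
    else:
        # Late notice: the $50 bucket for the window plus everything after it,
        # together capped at $500.
        within = sum(t.amount_cents for t in rest if t.posted <= prompt_deadline)
        after = sum(t.amount_cents for t in rest if t.posted > prompt_deadline)
        device_tier = min(rule.late_cap_cents,
                          min(rule.prompt_cap_cents, within) + after)
    return Liability(device_tier, statement_tier)


def example_late_notice(rule: LiabilityRule = REG_E_DEBIT) -> Liability:
    """Constructed scenario: card lost Monday 2010-01-04, reported Friday 2010-01-15."""
    transfers = [Transfer(date(2010, 1, 5), 12_000),
                 Transfer(date(2010, 1, 8), 30_000),
                 Transfer(date(2010, 1, 12), 40_000)]
    return consumer_liability(transfers, learned_of_loss=date(2010, 1, 4),
                              notice_given=date(2010, 1, 15),
                              statement_sent=date(2009, 12, 20), rule=rule)


def example_missed_statement(rule: LiabilityRule = REG_E_DEBIT) -> Liability:
    """Constructed scenario: statement sent 2010-01-05, loss noticed Monday 2010-03-01,
    reported 2010-03-15; the last transfer posts after the 60-day window closes."""
    transfers = [Transfer(date(2010, 2, 10), 20_000),
                 Transfer(date(2010, 3, 4), 10_000),
                 Transfer(date(2010, 3, 10), 100_000)]
    return consumer_liability(transfers, learned_of_loss=date(2010, 3, 1),
                              notice_given=date(2010, 3, 15),
                              statement_sent=date(2010, 1, 5), rule=rule)


if __name__ == "__main__":
    for rule in (REG_E_DEBIT, REG_E_DECOUPLED):
        print(rule.citation, example_late_notice(rule).total_cents,
              example_missed_statement(rule).total_cents)
```

Running the two scenarios under both rules shows why the matrix lists the decoupled windows separately: the same three transfers reported eleven days after a lost card cost the consumer $500 under the ordinary debit rule but $450 under the four-business-day rule, because the 2010-01-08 transfer falls inside the wider window and is absorbed by the $50 bucket; and in the missed-statement scenario the $1,000 transfer that is uncapped under the 60-day window falls back inside the 90-day window and is capped with the rest at $500.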