Fighting Fraud: Safeguarding Your Business
November 5th, 2015
Duane Bunn, SVP, Dealer Financial Services
Treasury Management Sales Manager
Duane Bunn, Bank of America Merrill Lynch
Dealer Financial Services, Treasury Management Sales Manager
Provides advice and strategies on Treasury Management services to automotive, marine and recreational vehicle dealerships throughout Bank of America.
Establishes fraud prevention strategies for clients within Dealer Financial Services
Directs ecommerce solutions, i.e., data transmissions, file transfer, data enrichment through EDI processes
Debugged first Positive Pay Issue File in conjunction with ADP, Reynolds and Reynolds, UCS, EDS and others
More than 26 years of extensive banking experience
Bachelor's of Business Administration in Institutional Finance from the University of North Florida
Master's of Business Administration (concentration in Finance) from the University of North Florida
Member of the Association of Certified Fraud Examiners
Agenda
Fraud Landscape
Payments data compromise (Merchant)
ACH Fraud
Fraud Landscape
In the News
White House Cybersecurity Event to Draw Top Tech, Wall Street Execs (1): Obama convenes top executives, including Bank of America, to help improve information sharing as breaches get more sophisticated.
Impostors bilk Omaha company out of $17.2 million (2): An employee-owned commodities trader founded 120 years ago has been taken for $17.2 million in an international email swindle, according to federal court documents.
80 million social security records stolen from insurance giant Anthem, Inc. (3)
FBI: North Korea to Blame for Sony Hack (4)
Breach sizes (5): Sony Pictures, 100 terabytes of data; Home Depot, 56 MM customer records; eBay, 145 MM user records; Target, 56 MM credit card records.
Sources: 1. White House Cybersecurity Event to Draw Top Tech, Wall Street Execs; 2. Impostors bilk Omaha company out of $17.2 million; 3. Insurance giant Anthem hit by massive data breach (Feb. 6, 2015); 4. Despite evidence, FBI insists North Korea to blame for Sony hacking; 5. http://www.informationisbeautiful.net/visualizations/worlds‐biggest‐data‐breaches‐hacks/
Contributors to Online Fraud
Key contributors to online fraud:
• Increasing variants of malware and viruses
• More sophisticated and targeted threats
• Fraud prevention services not being used or leveraged correctly
• Not utilizing all the available company, user and account controls
• Segregation of duties not being implemented
• Opting out of administrative and application controls

2015 AFP Payments Fraud & Control Survey
• 62% of organizations were targets of payments fraud in 2014
– 70% of companies that were subject to payments fraud in 2014 did not suffer a financial loss from the attack
– $20,000 was the typical financial loss, reduced from $23,100 the prior year
• 76% of organizations that experienced attempted or actual payments fraud in 2014 did so as a result of actions by an outside individual
• 34% of organizations experienced credit/debit card fraud in 2014
• 27% of companies experienced wire transfer fraud in 2014, up from 14% in 2013
AFP is a registered trademark of the Association for Financial Professionals
When was the Last Time You Reviewed and Tested Your Fraud Plan? (1)
[Pie chart: share of respondents by category: No plan, Within last 3 months, 3-6 months, 7-12 months, Over 1 year; segments of 10%, 13%, 13%, 21% and 43%]
1. Bank of America Merrill Lynch April 8 fraud webinar registration stats
Make A Cyber Attack Plan
Prevention
ESTABLISH sound internal payment processes using best practices
COMMUNICATE and enforce processes across the organization
ESCALATE any transaction that does not follow the established process
Response
CONTACT your treasury representative and follow their instructions
DISABLE impacted electronic equipment and user access
YOU determine based on your internal controls
60% of companies do not have a response plan for a cyber breach (companies surveyed in the 2015 AFP Risk Survey) (1)
1. AFP is a registered trademark of the Association for Financial Professionals.
Global Fraud Landscape: Fraud has many faces
[Word cloud of fraud types: phone fraud - social engineering, email phishing, identity theft, wire and ACH fraud, ATM/card skimming, check cashing fraud, counterfeit cashier checks, money orders – counterfeit and remote deposit, mail fraud, Internet auction fraud, Internet ticket fraud, Internet investment scams, PayPal scams, dating fraud, employment scams, real estate fraud, reverse mortgage fraud, ponzi schemes, pyramid schemes, telemarketing fraud, health care and health insurance fraud, funeral and cemetery fraud, viruses, trojans, keyloggers, online/mobile]
Client Attack – Malware Threats
User Targeted & Malware Installed
Phishing & SMishing: Infected files/malicious links sent through email or SMS message
Drive by Downloads: Clicking on a document, ad, or video posted on a legitimate website initiates a malware download
Using an infected flash drive
Attack is Launched and Fraud Committed
Credential theft and/or HTML injection
Transaction manipulation
Keylogging
Covert action of tracking (or logging) the keys struck on a keyboard, so that the person using the keyboard is unaware that their actions are being monitored
Keylogger products have been available to purchase for years. Originally developed for legitimate uses, they are also used for illicit purposes.
Can be a piece of hardware or a thumb-drive that attaches to a computer and records keystrokes
Can be software that captures and relays similar information
All of these devices and software applications are readily available for purchase. Hardware keyloggers can be bought online for around $40
Phishing Email
Looks like a legitimate correspondence from the company
Wording does not have the level of refinement expected from an authentic company message
Has an attention getter – high dollar amount of a cell bill in this example
Embedded links activate a malware download on your device
Often works whether or not you have a relationship with the company

Sample message:
CallMe.org | Support | myCallMe Account
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for you account is now available online.
Total Balance Due: $1720.40
Log in to myCallMe to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment – it's free.
Get Piece of Mind
Set up secure AutoPay from your checking account. Learn more
Go Paperless
Save time, money and the environment. Learn more
Online Deals!
Shop the Best Deals in your area for Phone, TV, Internet and Wireless. Learn more
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you, CallMe Online Services, callme.org
Contact Us: CallMe Support – quick & easy support is available 24/7.
Device Tutorials: Information specific about your phone
Smart Controls: Block calls, set mobile purchase limits, manage usage, and more
Payment Arrangements: Explore your options for arranging a payment plan
PLEASE DO NOT REPLY TO THIS MESSAGE
©2012 CallMe Intellectual Property, All rights reserved. CallMe, the CallMe logo and marks contained herein are trademarks of CallMe Intellectual Property. CallMe Inc. provides products and services under the CallMe brand. Privacy Policy
Employee Phishing
Be alert for email phishing campaigns against employees that appear to be internal
– Employees are sent emails in the form of phishing attempts
– A company employee's internal email address has been compromised
Emails attempt to drive action such as a payment or profile change
Be able to recognize requests that are not consistent with the sender's usual behavior
Follow your authentication procedures

Sample thread:
From: [email protected] Sent: Thursday, March 28, 2013 5:59am To: Pfeiffer, Margaret Subject: Good morning
Hi – are you going to be at the office today? I have an urgent outstanding transaction that I would like you to complete for me today.
Thanks.

From: [email protected] Sent: Thursday, March 28, 2013 10:16am To: Pfeiffer, Margaret Subject: Good morning
I am in my nephew's funeral service at the moment but I have an urgent outstanding transaction which I'll need you to complete today. Firstly, I will need you to update me with the available balance in my account. Secondly, am in the middle of a meeting now and will not be able to make or receive calls kindly email me information you will require to initiate an ongoing domestic wire transfer. I will be very busy but will frequently check my email for your response. We can schedule your furniture delivery for Monday next week if I hear from you. Please acknowledge the receipt of this email.

From: [email protected] Sent: Thursday, March 28, 2013 11:35am To: Pfeiffer, Margaret Subject: Good morning
Account #: 8364927193
Spoofing
Once fraudsters have malware or spyware on your computer system they can:
Harvest your access credentials: internal systems, financial systems, email, etc.
Read your business contacts and collect their information
Initiate email to accounts payable pretending to be you
Ask the recipient to process a payment to pay an invoice
Await receipt of payment or, as in this example, follow up to check on the payment

If you receive an email such as this:
Contact the sender by an alternate method to validate the instruction
Follow your authentication procedures
Employ dual controls prior to making payment changes or processing payments
Look at the spelling of the words and names carefully
Validate that presented invoices are legitimate

Sample thread:
From: [email protected] Sent: Tuesday, July 8, 2014 11:17am To: [email protected] Subject: FW: Wire Transfer
This is the third one. We are pulling the confirmation now and will send to you.

From: [email protected] Sent: Wednesday, June 11, 2014 11:30am To: [email protected] Subject: FW: Wire Transfer
FYI, this needs to get processed today. I checked with (insert name here) to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send an email directly to (insert name here) or let you drive from here. Let me know.

From: [email protected] Sent: Wednesday, June 11, 2014 9:59am To: [email protected] Subject: FW: Wire Transfer
Process a wire of $73,508.32 to the attached account information. Code it to admin expense. Let me know when this has been completed.
Thanks.

------------------------Forwarded message---------------------------------
From: [email protected] Sent: Wednesday, June 11, 2014 6:45am To: [email protected] Subject: Wire Transfer
Insert name (Treasurer),
Per our conversation, I have attached the wiring instructions for the wire. Let me know when done.
Thanks. Insert name, (CEO)
Recognizing Fake URLs and Websites
Understanding a few simple rules can help you spot a fraudster
Good General Rule
Type the Web site address in your address bar directly, rather than using a link in an email message, especially if you are going to a financial site
Check the URL or email
Simply hover over the link with your mouse. The URL will appear in your browser or status bar (the bar that is usually at the bottom of your screen) and you can see what the name of the site is before you actually click on it
Fake URLs – "@" sign in the middle of the address
For example, if you go to a website whose address reads like a Bank of America address followed by an "@" sign, you are not going to the Bank of America site at all
Legitimate sites and companies use a domain name as part of their name rather than the "@" sign
Fake URLs – spelling mistakes
Some URLs look very much like the name of a well-known company, but there may be letters transposed or left out
An example might be "mircosoft.com" instead of microsoft.com
These slight differences can be easy to miss, and that is what phishers are counting on
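Added example, not from the presentation: a Python check that applies the three rules above (the hover-and-compare rule, the "@" rule and the near-miss spelling rule) to a hyperlink's visible text and its real target. The allowlist of brand domains, the helper names and the sample links, including the 203.0.113.7 documentation-range address, are constructed for this illustration.

```python
from urllib.parse import urlsplit
from typing import List, Optional, Tuple

# Constructed allowlist of brand domains the checker knows about.
KNOWN_DOMAINS = {"bankofamerica.com", "microsoft.com", "paypal.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insert, delete, substitution or a
    swap of two adjacent letters each cost 1, so 'mircosoft' is 1 from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def split_host(url: str) -> Tuple[str, Optional[str]]:
    """Resolve a URL the way the browser will: text before '@' is userinfo,
    the host that is really contacted comes after it."""
    if "//" not in url:
        url = "//" + url  # bare 'www.example.com/...' -> network-path form
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.username


def registered_domain(host: str) -> str:
    """'login.bankofamerica.com' -> 'bankofamerica.com'. Two labels is enough for
    .com-style names; multi-part suffixes like 'co.uk' would need a suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(display_text: str, href: str) -> List[Tuple[str, str]]:
    """Apply the slide's rules to one link. Returns (code, detail) pairs;
    an empty list means none of the indicators fired."""
    findings: List[Tuple[str, str]] = []
    host, userinfo = split_host(href)

    # Rule: '@' in the middle of an address. The browser ignores everything before it.
    if userinfo is not None:
        findings.append(("userinfo", f"'@' in address: browser goes to {host!r}, not to {userinfo!r}"))

    # Rule: hover and compare. If the visible text is itself an address, its host must match the target.
    shown = display_text.strip()
    if "." in shown and " " not in shown:
        shown_host, _ = split_host(shown)
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            findings.append(("display_mismatch", f"text shows {shown_host!r} but link points at {host!r}"))

    # Rule: near-miss spelling of a well-known name (letters transposed or left out).
    domain = registered_domain(host)
    if domain not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if 0 < edit_distance(domain, known) <= 2:
                findings.append(("lookalike", f"{domain!r} is a near-miss of {known!r}"))
                break
    return findings


# Constructed sample links: (text the reader sees, where the link really goes).
SAMPLE_LINKS = [
    ("www.bankofamerica.com", "http://www.bankofamerica.com@203.0.113.7/login"),
    ("http://www.mircosoft.com/update", "http://www.mircosoft.com/update"),
    ("https://www.microsoft.com/", "https://www.microsoft.com/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        result = check_link(text, href) or [("ok", "no indicators")]
        for code, detail in result:
            print(f"{href}\n  [{code}] {detail}")
```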
Payments data compromise and technologies to help secure your business
Data Compromises Are Constantly in the News
Typical data breach/fraud cycle
1. Hackers search for merchants or agents with weak controls or known security vulnerabilities.
2. Merchant/Agent fails to comply with payment industry security standards.
3. Hackers identify the target and steal sensitive information by:
• Breaching the system/network
• Compromising point-of-sale (POS) software
• Tampering with POS devices and ATMs (PIN theft)
• Skimming
4. Criminals manufacture counterfeit cards for use at retail stores or at ATMs. Fraudsters may also use subsequent phishing attacks to steal additional information to conduct identity theft or card-not-present (CNP) fraud.
5. Fraudulent transactions are conducted at merchant locations (retail, CNP or ATMs). Criminals often target products that can be quickly converted to cash.
6. Fraudulent transactions are identified by issuer risk detection systems or by cardholders monitoring their account activity.
7. Issuer fraud mitigation activities begin.
• Issuer contacts the cardholder to investigate suspicious transactions.
• Or, the cardholder contacts the issuer to report a lost or stolen card or a suspicious transaction.
• Issuer conducts a fraud investigation.
• If fraud is confirmed, the issuer blocks the card and lists it on the network exception file.
• Issuer sends the cardholder a new card.
Network fraud mitigation activities
• Compromise investigation/forensics
• Distribution of compromised accounts
• Development of fraud fighting technologies
• Dispute resolution and loss recovery processes
• Execution of fraud and data security compliance programs
Source: Visa Franchise Data Compromise Trends and Cardholder Security Best Practices (October 26, 2010, Visa, Inc.).
Common Causes of a Breach or Compromise
Trivial and Common Passwords for POS Systems
Not Changing the Vendor-Supplied Password Upon Installation
Improper Firewall Configuration
Outdated Antivirus Software Definitions
Use of Vulnerable or Non-Compliant Software
Remote Access to Systems by Third-Party Providers
Having Remote Access Turned On at All Times
Enhancing Payment Data Security with a Multi-Layered Approach
There is no "magic bullet" that protects your business from all security threats all the time and across the entire enterprise. However, businesses can significantly improve their security posture with a layered solution that includes three elements like:
Point-to-Point Encryption (P2PE)
Encryption is designed to protect cardholder data from the point of data entry
– Uses a key management feature making cardholder data unreadable to anyone who does not have the encryption key
– Protects cardholder data in transit
– If properly implemented, P2PE can reduce your scope of PCI DSS validation
Multi-Layered Approach: Tokenization Technology
Replaces cardholder data (PAN) with surrogate values (tokens)
Designed to work in concert with encryption to eliminate storage of cardholder data
Allows the merchant to limit the storage of cardholder data to the tokenization system
If properly implemented, tokenization can reduce your scope of PCI DSS validation
Tokenization Overview
What is a Token?
Tokenization is the process of substituting a sensitive data element with a proxy. The proxy will have limited to no value outside of its intended use.
Tokenization of Card Number: A proxy value is used as the payment "token" during the transaction so that the true card number is never exposed to the merchant.
Why is it Important?
Enhanced Security – By securing token provisioning through strong detection capabilities, and continuing to push for stronger authentication practices, we can count on tokenized transactions being more secure – potential to reduce card alerts.
Reduce Physical Card Issuance (expense impact)
Opportunity to Impact Non-Approval Rate
Risks?
Card Not Present (request token) becoming Card Present (Contactless)
Fraud Token Issuance (from increase in Account Takeover, PHISHing, and plastic card number compromises).
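Added example, not from the presentation or any vendor product, covering the tokenization mechanics described in this slide and in the Tokenization Technology slide before it: a minimal vault in Python that hands the merchant a random, format-preserving surrogate and keeps the PAN out of the merchant's own storage. The class, its index key, the Luhn helper and the 4111 1111 1111 1111 test card number are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal tokenization vault (constructed for this example).

    The PAN lives only inside the vault; the merchant stores and transmits
    the token. Properties shown:
    - tokens are random, not derived from the PAN, so nothing outside the
      vault can turn a token back into a card number
    - tokens keep the PAN's length and last four digits, so receipts,
      refunds and customer lookups keep working
    - tokens deliberately fail the Luhn check, so a leaked token can never
      be mistaken for (or submitted as) a real card number
    - the same PAN always maps to the same token, located via a keyed hash
      so the vault holds no cleartext PAN index
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_to_pan: Dict[str, str] = {}
        self._index_to_token: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a token at the point of data entry."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when forwarding to the processor) resolves tokens."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def merchant_record(token: str) -> dict:
    """What the merchant database keeps: the token and a display form, never the PAN."""
    return {"token": token, "display": "**** **** **** " + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"  # widely used test number, not a live account
    token = vault.tokenize(pan)
    print("stored by merchant:", merchant_record(token))
    print("vault resolves token to PAN:", vault.detokenize(token) == pan)
```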
Multi-Layered Approach: EMV Chip Technology
Protects against counterfeit cards by replacing static data with dynamic data
Works with card-present transactions only
Requires a dual processing terminal (mag stripe and chip)
ACH Fraud
Fraud in the ACH: Example Scenarios
Fraud risk occurs when a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds by any party to the transaction(s) with fraudulent intent. (1)
Fraud can occur on ACH credits…
An employee receives an email that leads him to an infected site, which installs malware to access authentication information and initiate credit transfers.
Example of a Fraudulent e-Mail
Subject: ACH Transfer Review
ACH Transfer (ID:03847439) is going to be reviewed because of the incorrectly input data when sending the payment.
Important: Please fill in the application form attached attentively and send it to us. After that your transfer will be processed.
If you have any questions or comments contact us at [email protected]. Thank you for using www.nacha.org.
Employee Name
Risk Management Services
"Since 2011, cybercriminals have been using NACHA's name, logo, contact information and product names, such as Direct Deposit via ACH, through phishing email communications and social engineering tactics to gain access to consumer and business computer devices." (NACHA Website)
(1) ACH Risk Management Handbook (NACHA).
Fraud in the ACH (Cont.): Example Scenarios
Fraud can occur on ACH credits…
A bookkeeper creates "ghost" employee records to originate fictitious payroll payments
June 19, 2013 (Reuters) – Three women pleaded guilty on Wednesday to criminal charges arising out of what prosecutors say was a corrupt payroll project that cost more than $600 million.
"The average instance of payroll fraud lasts about 36 months. That's three years of paying ghost employees or overpaying existing ones." (Forbes 9/10/13)
Under ACH Rules, the time limit for attempting to reverse an erroneous credit is 5 days
(1) ACH Risk Management Handbook (NACHA).
Fraud in the ACH: Example Scenarios
… Or, on ACH debits
A fraudster uses the account information taken from the MICR line of a company's check to initiate an unauthorized debit to the company's account
A business prints its account information on invoices to encourage electronic payments, but the information is intercepted by fraudsters who use it to debit the account
"Despite the continued decline in their use, paper checks remain the dominant payment method… The typical organization makes 50% of its B2B payments by check." (AFP 2013 Electronic Payments Survey)
A consumer provides stolen or erroneous bank account information to pay bills or make purchases via ACH debit
Nationwide Utility Payment Scam Hurts Thousands (USA Today 7/12/12): … Victims are told that all they have to do is provide their personal information. In exchange, they are given a bank routing number and checking account number to provide their utility company when making a payment
Under ACH rules, the timeframe for returning unauthorized corporate transactions is one day after the settlement of the entry. The time-frame for returning consumer entries is 60 days after settlement.
Utility Industry Focused Phishing
Phishing Scam: Federal Government to pay your utility bills
Utility Bill Payment Scam
Scam: Fraudsters claim a government grant will pay your utility bill in full for one month.
Example: [Collected via e-mail, May 2012]
My friend just informed me that President Obama is paying her electric bill this month. That supposedly you call and use your SS# as the bank account, then give them the routing number of 061000146 and that's it, it pays for your electric bill but only once a year.
My daughter called me a couple of days ago asking me if I had already paid my Florida Power & Light (FPL) bill. I told her that I hadn't and she proceeded to tell me that the accounts were being funded by some entity for this month only for Florida residents. I gave her my account information, including SS#. I received a confirmation # from FPL. Today she calls me to tell me that she had found out this was a scam. She has no idea of how this was distributed; a friend of hers is the one who provided all of the information.
ACH Fraud Prevention: Steps Businesses Can Take to Minimize Fraud Risk
1. Monitor and reconcile your accounts daily
2. Consolidate your ACH debit activity to one account (or a limited number) to facilitate this monitoring
3. Use ACH fraud prevention services: Debit Blocks, Debit Authorizations, ACH Positive Pay
4. Remove account numbers from websites and correspondence
5. Consider UPIC to mask the account where you receive ACH credits
6. Convert more payments from check to electronic
7. Notify your bank promptly about any discrepancy in your account
8. Return unauthorized transactions within the NACHA time-frames
ACH Fraud Prevention: Steps Businesses Can Take to Minimize Fraud Risk
If you originate ACH payments (1)
Segregate duties and set dollar limits appropriate for users and payment types
Leverage your bank's reporting tools to validate files and totals
Deactivate entitlements of employees who have left the company immediately
If you are a biller using ACH debit…
Consider establishing limits on ACH debits (e.g. dollar amount, customer type, etc.)
Always obtain proper authorization from the Receiver
Use prenotes when possible
Address returns promptly and monitor return rates
If you use WEB, you must employ commercially reasonable systems to detect fraud
(1) Please refer to www.nacha.org for complete information about the obligations of ACH Origination
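Added example, not from the presentation or from any bank's product, sketching the debit-side controls named in step 3 above (Debit Blocks, Debit Authorizations, ACH Positive Pay) together with the dollar-limit advice on this slide: incoming debit entries are screened against the account holder's authorization list and anything that does not match becomes an exception to review and return within the NACHA time-frame. The record shapes, company IDs, amounts and dates are constructed; they are not NACHA file layouts.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class DebitAuthorization:
    """One originator the account holder has agreed may debit the account."""
    company_id: str                        # Originator's Company Identification (batch header field)
    max_amount: Decimal                    # per-entry dollar limit
    valid_through: Optional[date] = None   # None = open-ended authorization


@dataclass(frozen=True)
class DebitEntry:
    """An incoming ACH debit presented against the account (constructed shape)."""
    trace: str
    company_id: str
    company_name: str
    amount: Decimal
    settlement_date: date


Decision = Tuple[DebitEntry, str, str]   # (entry, "pay" | "exception", reason)


def screen_debits(entries: Iterable[DebitEntry],
                  authorizations: Iterable[DebitAuthorization],
                  debit_block: bool = False) -> List[Decision]:
    """Positive-pay style screening of ACH debits.

    debit_block=True models a full Debit Block: every debit is an exception.
    Otherwise a debit is paid only if its originator is on the authorization
    list, the authorization has not lapsed and the amount is within the agreed
    limit. Everything else is an exception for the account holder to review
    and, if unauthorized, return inside the NACHA time-frame.
    """
    by_id = {a.company_id: a for a in authorizations}
    decisions: List[Decision] = []
    for e in entries:
        if debit_block:
            decisions.append((e, "exception", "debit block in force"))
            continue
        auth = by_id.get(e.company_id)
        if auth is None:
            decisions.append((e, "exception", f"originator {e.company_id} not authorized"))
        elif auth.valid_through is not None and e.settlement_date > auth.valid_through:
            decisions.append((e, "exception", f"authorization expired {auth.valid_through}"))
        elif e.amount > auth.max_amount:
            decisions.append((e, "exception", f"amount {e.amount} exceeds limit {auth.max_amount}"))
        else:
            decisions.append((e, "pay", "matches authorization"))
    return decisions


# Constructed sample data: two authorized originators and one day's incoming debits.
AUTHORIZATIONS = [
    DebitAuthorization("1234567890", Decimal("25000.00")),                     # payroll processor
    DebitAuthorization("2345678901", Decimal("5000.00"), date(2015, 6, 30)),   # equipment lease, ended mid-year
]

SAMPLE_ENTRIES = [
    DebitEntry("0001", "1234567890", "PAYROLL SVC", Decimal("18250.00"), date(2015, 11, 5)),
    DebitEntry("0002", "1234567890", "PAYROLL SVC", Decimal("41000.00"), date(2015, 11, 5)),
    DebitEntry("0003", "2345678901", "EQUIP LEASE", Decimal("2100.00"), date(2015, 11, 5)),
    DebitEntry("0004", "9988776655", "UTIL PAYMNT", Decimal("312.40"), date(2015, 11, 5)),
]


def exceptions_for(entries, authorizations, debit_block: bool = False) -> List[str]:
    """Trace numbers that need review/return, in presentation order."""
    return [e.trace for e, status, _ in screen_debits(entries, authorizations, debit_block)
            if status == "exception"]


if __name__ == "__main__":
    for entry, status, reason in screen_debits(SAMPLE_ENTRIES, AUTHORIZATIONS):
        print(f"{entry.trace} {entry.company_name:<12} {entry.amount:>10} {status:<9} {reason}")
```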
How the Industry Addresses Fraud and Risk: Examples of NACHA Rules (1)
Network Enforcement Rule (11/8/07): Allows NACHA to request data from ODFIs about any Originator that appears to exceed a threshold of 1% for debits returned as unauthorized
Company Name Identification (6/20/08): Expands the description of the Company Name Field to require that it contain a name of the Originator that is known and readily recognized by the Receiver
Corporate Account Takeover (1/1/12): Provides an RDFI that reasonably suspects that a credit is unauthorized with an exemption to the funds availability requirement under Reg CC
ACH Security Framework (9/20/13): Establishes minimum data security obligations for ACH Network participants to protect data within their purview
Stop Payments (9/20/13): Expands rule language governing the effective period for stop payment orders on debit Entries to non-consumer accounts
ODFI Return Rate Reporting (3/15/13): Reduces the ODFI Return Rate Reporting period from 60 to 30 days for reducing return rates below the return rate threshold
Data Passing (3/15/13): Prohibits sharing of certain customer information for the purpose of initiating debits not covered by the original authorization
Proof of Authorization for Non-Consumer Entries (9/19/14): Permits an RDFI to request proof of a non-consumer Receiver's authorization for a debit
(1) For the complete NACHA Rules, please refer to www.achrulesonline.org
How the Industry Addresses Fraud and Risk: Unauthorized ACH Debits – A Key Indicator
The rate of unauthorized debit returns has declined to 0.03%, but the volume of unauthorized entries is increasing as the use of the ACH for debit transactions grows.
[Chart: Unauthorized ACH Debits and Return Rates (1), 2001–2012; left axis Unauthorized Debit Returns (Millions), right axis Unauthorized Return Rate; series: Unauthorized Debit Returns, Unauthorized Return Rate]
"Returns for authorization issues are due to a problem with authorization, including unauthorized, revoked authorization, stopped payments or customer disputes. The authorization-related return rate for ACH entries is lower than reported fraud rates for credit cards (0.07%) and signature debit cards (0.06%)." (NACHA)
(1) NACHA.
How the Industry Addresses Fraud and Risk
NACHA Requests for Comment on Additional Rules to Address Risk and Quality in the ACH (1)
Risk and Network Enforcement
Improve ability to identify and enforce Rules against those responsible for the highest, and most disproportionate, levels of exceptions
Reduce the number of exceptions caused by these "outliers"
ACH Quality Fees
Establish economic incentives for ODFIs to improve origination quality
Reduce the number of exceptions across the entire ACH Network
Provide partial cost-recovery to RDFIs for exception handling
(1) Request for Comment period closed on January 13, 2014
Q&A
Best Practices for Protecting Against Fraud Online – checklist
Be attentive during online sessions: are login prompts occurring where they should? Do your online screens look correct?
Make use of fraud prevention tools like Positive Pay for checks and ACH transactions.
Educate all users to recognize phishing scams and know not to open file attachments or click links in suspicious emails. Always be on the lookout for:
– Any requests for personal information
– Urgent appeals claiming your account will be closed if you fail to respond
– Messages about system/security updates
Use caution when visiting Internet sites, avoiding social networking and unknown sites that are not trusted and used for business purposes
Consider the use of a dedicated, hardened computer
Keep your anti-virus software/system patches up to date. Consider anti-malware software that specifically protects your Internet browser
Implement duty segregation/dual administration
Prohibit shared user names/passwords and avoid using automatic login features that save usernames/passwords
Never access online banking via Internet cafes, public libraries or open Wi-Fi hotspots
Report suspicious transaction activity to bank/authorities immediately
Resources
Duane Bunn, SVP, DFS Treasury Sales Manager
904-987-7015 office
904-476-4922
[email protected]
Disclaimer
"Bank of America Merrill Lynch" is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives, and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation ("Investment Banking Affiliates"), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA.
This document is intended for information purposes only and does not constitute a binding commitment to enter into any type of transaction or business relationship as a consequence of any information contained herein.
These materials have been prepared by one or more subsidiaries of Bank of America Corporation solely for the client or potential client to whom such materials are directly addressed and delivered (the “Company”) in connection with an actual or potential business relationship and may not be used or relied upon for any purpose other than as specifically contemplated by a written agreement with us. We assume no obligation to update or otherwise revise these materials, which speak as of the date of this presentation (or another date, if so noted) and are subject to change without notice. Under no circumstances may a copy of this presentation be shown, copied, transmitted or otherwise given to any person other than your authorized representatives. Products and services that may be referenced in the accompanying materials may be provided through one or more affiliates of Bank of America, N.A.
We are required to obtain, verify and record certain information that identifies our clients, which information includes the name and address of the client and other information that will allow us to identify the client in accordance with the USA Patriot Act (Title III of Pub. L. 107‐56, as amended (signed into law October 26, 2001)) and such other laws, rules and regulations.
We do not provide legal, compliance, tax or accounting advice. Accordingly, any statements contained herein as to tax matters were neither written nor intended by us to be used and cannot be used by any taxpayer for the purpose of avoiding tax penalties that may be imposed on such taxpayer.
For more information, including terms and conditions that apply to the service(s), please contact your Bank of America Merrill Lynch representative.
Investment Banking Affiliates are not banks. The securities and financial instruments sold, offered or recommended by Investment Banking Affiliates, including without limitation money market mutual funds, are not bank deposits, are not guaranteed by, and are not otherwise obligations of, any bank, thrift or other subsidiary of Bank of America Corporation (unless explicitly stated otherwise), and are not insured by the Federal Deposit Insurance Corporation (“FDIC”) or any other governmental agency (unless explicitly stated otherwise).
This document is intended for information purposes only and does not constitute investment advice or a recommendation or an offer or solicitation, and is not the basis for any contract to purchase or sell any security or other instrument, or for Investment Banking Affiliates or banking affiliates to enter into or arrange any type of transaction as a consequence of any information contained herein.
With respect to investments in money market mutual funds, you should carefully consider a fund’s investment objectives, risks, charges, and expenses before investing. Although money market mutual funds seek to preserve the value of your investment at $1.00 per share, it is possible to lose money by investing in money market mutual funds. The value of investments and the income derived from them may go down as well as up and you may not get back your original investment. The level of yield may be subject to fluctuation and is not guaranteed. Changes in rates of exchange between currencies may cause the value of investments to decrease or increase.
We have adopted policies and guidelines designed to preserve the independence of our research analysts. These policies prohibit employees from offering research coverage, a favorable research rating or a specific price target or offering to change a research rating or price target as consideration for or an inducement to obtain business or other compensation.
Copyright 2014 Bank of America Corporation. Bank of America N.A., Member FDIC, Equal Housing Lender.