From Gateway to Gatekeeper: The Role of Private Industry Players in Detecting and Preventing Fraud

Moderator:

Tracey Thomas, Staff Attorney, Division of Marketing Practices, FTC

Panelists:

Jack Christin, Senior Regulatory Counsel, eBay/PayPal

Jane Larimer, General Counsel, NACHA – The Electronic Payments Association

Clifford Stanford, Assistant Vice President & Director, Retail Payments Risk Forum, Federal Reserve Bank of Atlanta

James Paravecchio, Group Manager, Fraud Risk Management Operations, Verizon

Tim Cranton, Associate General Counsel, Microsoft Corporation

Panel 3: 1:30 – 3:00 pm

Jack Christin

Senior Regulatory Counsel

eBay/PayPal, Inc.

San Jose, CA

ACH Network ACH Network Detecting and Preventing FraudDetecting and Preventing Fraud

February 25, 2009Jane LarimerEVP ACH Network ServicesGeneral CounselNACHA -The Electronic Payments Association

• NACHA is the administrator of the ACH Network, responsible for:• Developing and maintaining the NACHA Operating Rules • Performing Network risk management• Administering the National System of Fines to enforce the Rules• Educating payment system participants

• Risk events are addressed proactively when they occur• Risk events are managed to minimize the long-term effect on consumers and financial

institutions. • Implementing NACHA’s risk strategy includes amending the NACHA Operating Rules,

disseminating best practices and developing tools to manage the risk profile of the Network on an ongoing basis.

• Risk trends look positive for the ACH Network.• As the ACH Network’s utility has been expanded, there has been great attention to risk

and fraud mitigation. The ACH Network has experienced lower rates of return for unauthorized entries and other returns indicative of fraud.

• The ACH has gained visibility from a regulatory perspective. Since 2006, the OCC has issued guidance on managing risk related to ACH activity twice (2006-39 and 2008-12)

• Since 2001, debit unauthorized return rates reduced from .09% to .04%.

The ACH Network …Risk Management is a Priority

ACH Network Unauthorized Debit Rate – 2001-2008… Continuing To Decline

The rate of unauthorized transactions in the ACH Network has been historically low. The peak for unauthorized transactions in the Network was realized in 2002 with telemarketing abuse of the TEL application. Since than, NACHA and the Operators’ attention to Network risk management shows in a consistently declining return rate for transactions returned as unauthorized.

Unauthorized Debit Return Rate

0.00%

0.02%

0.04%

0.06%

0.08%

0.10%

0.12%

2001 2002 2003 2004 2005 2006 2007 2008

Un

auth

ori

zed

Deb

its

Unauthorized Return Rate

NACHA Risk Management Initiatives …Significant progress has been made along a

Risk – Quality Continuum

The ACH Network is safe and secure. Proactive work on initiatives outlined on the risk quality continuum include developing rules and managing risk at NACHA and across all network participants to result in a low risk payment network.

• “Traditional” fraud included telemarketing fraud, credit repair, and membership clubs.

• The Internet provided a new vehicle for companies who would perpetrate fraud and could use the anonymity provided by the Internet. The traditional frauds are present, plus key logging and phishing attacks were added to the arsenal.

• OCC 2006-39: list of high risk originators include:– Online payment processors– Credit repair services– MOTO companies– Internet gambling– Offshore businesses– Adult entertainment

Fraud Trends

• September 2007, Capital Credit Alliance, Inc. and Consumer Credit Services, Inc. (CCA/CCS) filed suit against NACHA.

• CCA/CCS sought:– Temporary restraining order (TRO) against NACHA due to

“NACHA’s arbitrary, capricious, and unwarranted imposition of monetary fines” against CCA/CCS.

– Declaratory judgment that they are not and have never been in violation of the NACHA Operating Rules.

– Reimbursement for fines assessed.

Litigation

• Nevada Attorney General filed an amicus brief in support of NACHA’s opposition to the TRO.

• January 2008, the US District Court of Nevada denied CCA/CCS’ Motion for Preliminary Injunction and TRO.

• The Court found that CCA/CCS failed to demonstrate a likelihood of success on the merits. In assessing this the Court stated:– even a cursory review of the transcripts and authorization

forms…demonstrate that Plaintiff’s method of attaining authorization for debit transactions is deceptive, and in violation of the NACHA Operating Rules.

Litigation

Litigation

• The Court stated further:– the public has a strong public interest in the enforcement of the

NACHA Operating Rules, as unauthorized transactions create significant problems for consumers whose bank accounts are improperly debited, and for financial institutions forced to incur the expense of investigating and correcting unauthorized transactions.

• February, 2008 CCA/CCS voluntarily dismissed their lawsuit against NACHA.

Clifford Stanford

Assistant Vice President & Director Retail Payments Risk Forum

Federal Reserve Bank of Atlanta Atlanta, GA

A Catalyst for Collaboration

• The views expressed in this presentation are those of the presenter and do not necessarily reflect the views of the Federal Reserve Bank of Atlanta or the Federal Reserve System.

The Environment: Some Key Challenges

– Check payments still highest driver of fraud despite volume decline

– Potential movement of fraud from checks to ACH– Ever increasing occurrence of ecommerce

• Consumer personal and financial information more vulnerable• More transactions processed without customer and merchant

physical interaction– Increased interest in protection of consumer information

• Reputation risk of possible data breach– Slow to implement cross channel fraud monitoring– Proliferation of prepaid cards with fraud vulnerabilities

» Source: “A summary of the roundtable discussion on retail payments fraud”, Federal Reserve Payments System Policy Advisory Committee, March 2007

Noncash Payments Increased at Annual Rate of 4.6% from 2003 to

2006

*CAGR is compound annual growth rate. Source: Federal Reserve Bank of Boston [2007 Federal Reserve Payments Study]

Distribution of Noncash Payments – Value vs. Number (2006)

Payment Type

Percentage (Number)

Percentage (Value)

Checks paid 33% 55%

ACH 16% 41%

EBT 1% 0%

Debit card 27% 1%

Credit card 23% 3%

Source: The 2007 Federal Reserve Payments Study

Check Fraud Increasing Despite Decrease in Check Volume

• Check Volume– 30.6 billion checks paid in 2006 (down 6.4% since 2003)1

• Check Fraud– Counterfeit checks resulted in loss of $271 million for banks in

20062

• 160% increase from 3 years prior– Check-related fraud overall – $969 million in 20062

» Source: 1The 2007 Federal Reserve Payments Study; 22007 ABA Deposit Account Fraud Survey Report

2007 ABA Deposit Account Fraud Survey

• CHECK FRAUD AGAINST BANK DEPOSIT ACCOUNTS (Industry Estimates)

Source: American Bankers Association

Highlights from AFP Fraud Survey (2008)– corporate perspective

• 71% of organizations were victims of actual or attempted payments fraud (check, ACH, cards, or wire) in 2007.

• 37% of organizations experienced some financial loss as a result of attempted payments fraud– median loss was only $13,900

• Almost all organizations (94 percent) that experienced attempted or actual payments fraud in 2007 were victims of check fraud.– 17% reported a financial loss from check fraud

– Organizations were much less likely to be subject to fraud from electronic payments than from checks

A Closer Look at ACH Payments

Number of ACH payments

billions

0.3

8.4

8.8

2003

2.6

12.0

14.6

2006

CAGR

(2003-06)

Total change

(billions)ACH payments

18.6% 5.8

Converted checks

98.7% 2.2

Other ACH 12.6% 3.6

Source: The 2007 Federal Reserve Payments Study

Fraud in ACH

• Internal ACH fraud

• Internet-based fraud

• Telemarketing fraud

• “Bad” checks converted to ACH

• Reverse phishing (altering ACH RT and a/c data)

• Keystroke logging

• ACH kiting

“Emerging” Payments . . .

• ACH eChecks for non-recurring payments• Remotely created “Non-Check eChecks”• Remote deposit capture (even consumer level)• Mobile banking • Decoupled debit cards• Prepaid cards• Payroll cards• Contactless cards• “PII portals”• Etc. etc.

Evolving Fraud Environment

• Fraudsters are well organized and structured

• Rings are global

• Fraud perpetrated across payment types – no longer specialized

• Improved technology and communication

• Active market for confidential information

So, what about the regulators and law enforcement?

• How savvy about retail payments systems? • Does the complexity of payments systems hinder

efforts?• Are consumer protections adequate?• Are private sector/self-regulatory efforts adequate? • Are there sufficient market incentives, or does more

need to be done by regulators and law enforcement? • Are adequate resources dedicated?• What are the gaps? • What collaborative mechanisms work/don’t work? • How do we break down the barriers among those with

common interests in mitigating risk and preventing fraud?

The Environment: Opportunities?

– Holistic solutions that look across all payment systems

– Increased collaboration and information sharing across the industry

– Enhancements to authentication techniques

– Implementation of standards

– National fraud-notification systems

– Fed-sponsored outreach events, research and analysis

» Source: “A summary of the roundtable discussion on retail payments fraud”, Federal Reserve Payments System Policy Advisory Committee, March 2007

Retail Payments Risk Forum

• The Retail Payments Risk Forum is a catalyst for collaboration among thought leaders in the retail payments risk management arena to:– convene interested parties,– promote actions to mitigate risk,– conduct research and analysis, and

– provide education.

• Portals and Rails blog– portalsandrails.frbatlanta.org

James Paravecchio

Group Manager

Fraud Risk Management Operations, Verizon

Denver, CO

Tim Cranton

Associate General Counsel Microsoft Corporation

Seattle, WA

Questions?

From Gateway to Gatekeeper: The Role of Private Industry Players in Detecting and Preventing Fraud

Moderator:

Tracey Thomas, Staff Attorney, Division of Marketing Practices, FTC

Panelists:

Jack Christin, Senior Regulatory Counsel, eBay/PayPal

Jane Larimer, General Counsel, NACHA – The Electronic Payments Association

Clifford Stanford, Assistant Vice President & Director, Retail Payments Risk Forum, Federal Reserve Bank of Atlanta

James Paravecchio, Group Manager, Fraud Risk Management Operations, Verizon

Tim Cranton, Associate General Counsel, Microsoft Corporation

Panel 3: 1:30 – 3:00 pm

3:00 – 3:15 pm