Embed Size (px)
Citation preview
Risk ManagementMay, 2007
JPMorgan Chase JPMorgan Chase Commercial Card Commercial Card SolutionsSolutions
2
AgendaAgenda
Definitions
Fraud
Dispute
Case Study – Employee Fraud
State of Oklahoma Audit Findings
3
DefinitionsDefinitions
4
DefinitionsDefinitions
Fraud – Unauthorized use of a payment card resulting from lost, stolen or compromised account. The user has malicious intent and is seeking personal gain from use of account.
Dispute – Authorized cardholder questions the validity of a transaction. More along the lines of a transaction that was “mistakenly” applied to an account. MasterCard defines valid dispute reasons.
Employee Abuse – Authorized cardholder uses card in a manner which the State receives no benefit. MasterCard defines the type of employee abuse for which customers can be indemnified.
5
FraudFraud
6
Common Fraud TypesCommon Fraud Types
Lost/Stolen
Counterfeit Card
Mail Theft/Non-Receipt
Unauthorized Use
Skimming
Phishing
7
Lost/StolenLost/Stolen
Major source of fraud, along with counterfeit cards
Perpetrator not sophisticated
May know cardholder address, date of birth and social security number
Generally does not have false identification
Various types of spending
8
Counterfeit CardCounterfeit Card
Credit card has been manufactured
Security features will not be present or authentic
Sophisticated perpetrator
False identification used
Often found within organized fraud rings
9
Mail Theft/Non-ReceiptMail Theft/Non-Receipt
New account or replacement card recently mailed
Perpetrator slightly more sophisticated
Will know cardholder address, usually does not know date of birth and social security number
Generally does not have false identification
In-store purchases or mail/telephone order
10
Unauthorized UseUnauthorized Use
Transactions are made without an actual plastic via mail or telephone orders
Perpetrator is more sophisticated
Adult or Internet-type transactions
11
SkimmingSkimming
Magnetic stripe is compromised
Card has been manufactured
Identification matches with a false name embossed on credit card
Sophisticated perpetrator - organized fraud rings
Enhanced security features deter perpetrators
12
PhishingPhishing
Phishing is an attempt to gain private information about you and your accounts. Most often via e-mail that looks like it is from your financial institution
You should never reply to or enter any information if you receive a suspicious e-mail
If you are unsure if the e-mail is legitimate call the 800 number on the back of your card
13
PhishingPhishing
It is not JPMorganChase’s practice to:
Send e-mail that requires you to enter personal information directly into the e-mail
Send e-mail threatening to close your account if you do not take immediate action of providing personal information
Send e-mail asking you to reply by sending personal information
Send e-mail asking you to enter your user ID, password, or account number into an e-mail or non-secure web page
14
Protection Against Fraud Loss is a PartnershipProtection Against Fraud Loss is a Partnership
Fraud statistics vary from customer to customer, depending upon the controls they have in place.
Statistically, customers with higher loss are not taking advantage of the controls and reporting provided by the Bank.
JPMChase is there to assist in reducing fraud losses through preventative measures, reporting, and recovery efforts.
There are a number of things customers can do to guard against fraud.
15
Card Design Security FeaturesCard Design Security Features
Hologram
Stylized Logo
Tamper-evident signature panel (CVC2)
Unique magnetic stripe coding (CVC1)
16
Top Fraud MCCsTop Fraud MCCs
5411 – Grocery Stores
5732 - Electronics
5311 – Department Stores
5310 – Discount Stores
4812 – Telecommunication Equipment including telephone sales
17
Fraud Detection SystemFraud Detection System
Criteria for queues based on current fraud trends
Reacts to request for authorization
Queues are populated with authorization “hits” on criteria
Queues can be defined for specific MCCs, dollar amounts, states/countries, etc.
18
Fraud Detection SystemFraud Detection System
Detection cases are reviewed by a fraud analyst
Cardholder or Program Administrator is contacted to validate activity
Accounts may be temporarily suspended until activity is validated
Account analyzed by history, previous spending patterns, type of transaction, recently issued card
19
DisputesDisputes
20
Dispute Handling Guidelines Dispute Handling Guidelines
Merchants have 45 days to respond to your dispute claim
Provisional credit provided during the research process
File disputes timely
Maintain sufficient documentation on transactions to support your dispute
Avoid card sharing, it forfeits your dispute rights
Avoid use of department cards
21
Chargeback Tip - DisputesChargeback Tip - Disputes
Cardholder should contact merchant to resolve dispute
Cardholder must tender return of merchandise
Quality of service requires supporting documentation
Issuers may assist with cancellation of recurring payments on behalf of the cardholder
22
Case Study Employee FraudCase Study Employee Fraud
23
Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud
Classic Fraud Profile
Trusted long term employee
Employee rarely took vacations/time off
Employee had no real backup
Had multiple levels of responsibility
Employee enforced policy for everyone else
Had access to forms to cover fraud
Start small and built up over time
New supervision – limited training
24
Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud
Internal Weaknesses
Poorly trained supervision
Was a program administrator and a cardholder
Limited transparency
Limited audit/review by department
No internal audit
Limited review by accounts payable
Weak purchase oversight, small dollar purchases
Start small and built up over time
New supervision – limited training
25
Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud
Best Practices/Learning Points
Act quick and decisively
Advise senior management immediately
Get HR involved
Think before you act or say anything
Consider the consequences
Work the data
There is a reason for the program
There are corrective actions
There have been successful accomplishments
26
Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud
Best Practices/Learning Points
Clearly define the underlying issues
Have the facts straight
Describe why the program exist
Describe the effectiveness
Describe what you are doing to resolve the issue
Consider the former employee
Consider the current co-workers
27
Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud
Corrective Action Steps
New reporting requirements
Transaction monitoring
Minimum use requirements
Card Authorizations
Review of authorized levels
Internal audit corrective action plans
New supervisor manual
28
MasterCoverage Liability Protection Program MasterCoverage Liability Protection Program
Coverage afforded by MasterCard to indemnify entities for instances of employee abuse
Maximum coverage of $100K per cardholder
Program administrator action required
Adhere to claim criteria
Limited to certain activity up to 75 days before and 14 days after JPMC is notified of employee termination
Claims available through customer service or program coordinator
Key Requirements
Employee must be terminated
Cards must be cancelled within two business days of employee termination date
29
MasterCoverage Liability Protection Program MasterCoverage Liability Protection Program
Key Exclusion
Department Cards
Charges made by someone who is not an employee
30
State of Oklahoma Audit FindingsState of Oklahoma Audit Findings
31
State of Oklahoma Purchase Card AuditsState of Oklahoma Purchase Card Audits
2006 Audit Cycle
Purchase Card Expenditures $17.9MM
For the agencies audited, there was $7MM or 39% of purchase card expenditures
25 Agencies audited
On average of 42% of the expenditures for each Agency were tested
Estimated administrative cost savings for the State of Oklahoma for calendar year 2006 of $6.4 MM*
*2005 RPMG Research, P-Card Benchmark Survey Results
32
Most Common Purchase Card Audit FindingsMost Common Purchase Card Audit Findings
Receipts filed were not properly signed, dated, and annotated as “Received”
Internal Procedures were not properly submitted or updated to the Department of Central Services
Memo Statements were not properly signed, dated, or included in the Agency’s purchase documentation
Employee Agreements that were not signed by participating employees of the Purchase Card program
33
Highest Occurrences of Quantifiable Audit FindingsHighest Occurrences of Quantifiable Audit Findings
Applicable items that exceeded $500 were not included on the inventory list of the Agency
Receipts reviewed were not properly signed, dated, and annotated as “Received”
Employee Agreements that were not signed by participating employees of the Purchase Card program
34
Findings Associated with Highest Dollar AmountFindings Associated with Highest Dollar Amount
Total purchase card expenditures exceeding the amount encumbered by the agency
Purchase card transactions not having appropriate documentation
Purchase card transactions not having a detailed or itemized receipt
35
Highest Error Rate Associated with Purchase Card Highest Error Rate Associated with Purchase Card FindingsFindings
Agencies who reported lost cards did not have Missing Lost Card Reports on file at the time of the audit
Items for Inventory were not included on the inventory list of the Agency
36
Outcome of Continuous Monitoring PerformedOutcome of Continuous Monitoring Performed
13 agency directors voluntarily deactivated cards due to lack of or inappropriate Approving Officials
4 more agency directors deactivated their cards during or regular audits
5 purchase cards were cancelled and 4 were placed on hold due to cardholders not recorded on the DCS training log
37
Questions?Questions?
38
ContactsContacts
David W Cox
Vice President
JPMorganChase
(312) 954-3533
Lisa Martin
Department of Central Services
State of Oklahoma
(504) 522-1654
