Wire Transfer Bootcamp Session II: Wire Transfer Risk and Risk Mitigation
Presented by Gary Nesbitt, AAP, MBA
Gary B. Nesbitt, AAP, MBA, G Nesbitt Consulting
• Principal at G Nesbitt Consulting
• Speaks nationally on electronic payments related topics
• Over 3 decades of bank operations, risk management, and payments experience
• Former SVP of EastPay, regional payments association
• Managed electronic payments at FRB and First Union Bank (now Wells Fargo Bank)
• Connect via LinkedIn: http://www.linkedin.com/in/garynesbitt/
Topics to be Covered
• Types of Risk
• Risk Mitigation
  – Management Tools and Policies
  – Security Techniques
2015 Payment Systems Comparison

Type          Transaction Volume (Billions)   Dollar Volume ($Trillions)   Average Payment Amount
Checks        17.3                            26.8                         $1,410
Wires         142.8 (Millions)                834.6                        $5,850,000
Debit Cards   59.6                            2.29                         $38
Credit Cards  31.0                            2.80                         $94
ACH           23.5                            145.3                        $2,159

Source: FRB Retail Payments Study 2015 Press Release (December, 2016)
Key Characteristics of Wire Transfer
• Usually for larger $ amounts compared to other payment types
• Entered into network for same day settlement (domestic)
• Subject to more risk than other payments because:
  – Amounts are much larger than ACH or checks
  – Fedwires are final (irrevocable) when received
• Most frequently used for bank to bank (no beneficiary)
• Costs more than other types of payments to process
  – Due to additional risk mitigation tools employed such as dual control and separation of duties
Wire Transfer Input Channels
(diagram) Flow: Sender -> Sending Bank -> Federal Reserve or CHIPS -> Receiving Bank -> Beneficiary
Input channels shown: Phone, Walk-in thru Branch, Call Center, Online Banking Portal, Fax/Letter
2016 AFP Payments Fraud & Control Study
The key findings of the 2016 AFP Payments Fraud and Control Survey include:
• 73% of organizations experienced attempted or actual payments fraud in 2016. This number went up from 62% in 2015. Largest increase since study began in 2009.
• Large organizations were more likely to have experienced payments fraud than were smaller ones. 78% of organizations with annual revenues over $1 billion were victims of payments fraud in 2015.
• Business Email Compromise (BEC) was highlighted in study as major area of concern.
• Information below from 2015 study – details for 2016 not yet available.
• Almost eight out of ten organizations (77 percent) that experienced attempted or actual payments fraud in 2014 were victims of check fraud. The percentage of organizations affected by payments fraud via other payment methods were:
  – ACH debit (22%) DOWN from 27% in previous year
  – Corporate/commercial cards (43%) UP from 29% in previous year
  – ACH credits (9%) UP from 8% in previous year
  – Wire transfers (27%) UP from 14% in previous year
• 70% of organizations that were victims of actual and/or attempted payments fraud in 2013 experienced no financial loss from payments fraud (down from 74% in 2012).
• Among organizations that did suffer a financial loss resulting from payments fraud in 2012, the typical loss was $23,100 (up from $20,300).
• As a result of recent security breaches, 63% of organizations have adopted or plan to add additional security measures.
Types of Risk
• Credit
• Operational
• Fraud
• Systemic
• Sovereign
• Compliance
• Technology/3rd Party
• Reputational
Credit Risks
• Originator of transfer will not have "good" funds available at time transfer is to be sent or at end of day, or when settlement is attempted.
Operating Risks
• Hardware/Software or Telecommunications Failure
• Human Error
• Limited/Untrained Staff
• Disaster (This can take many forms)
Fraud Risks
• Internal Fraud
  – FI Employees
  – 3rd Party Processors
• External Fraud
  – Company Employees
  – 3rd Party Processors
  – Interlopers/hackers
  – Keyloggers
  – Customer Impersonation
  – Social Engineering
Fraud Risks Controls
• "Know Your Customers"
  – Not only who they are but what they normally do
• Have formal contracts in place that outline both FI & customers' rights and obligations
• Use "commercially reasonable security measures" (callbacks, digital signatures, dual controls, test keys, "out of band authentication" methods)
• Use multiple layers of security
• Limit knowledge within FI to a "need to know" basis
Systemic Risk
• Risk to the system/network that one financial institution's inability to settle its position will cause other financial institutions to fail to settle.
• Federal Reserve's Payment System Risk Policy was developed to prevent this from occurring. Requires FI to monitor both its Fed position and customer's position.
Sovereign Risk
• Risk that a sovereign government or other political entity will take some action to prevent or alter the settlement of transfers.
• Often referred to as "Political" risk
• Could be as simple as a delay (which could cause loss on currency exchange) or as complex as restraining the accounts or assets.
Technology/3rd Party Risk
• Risk that a bank or credit union has when it uses software or systems developed by entities outside the financial institution (e.g. software vendors) or service providers.
• Since the system or software is a package, the purchasing FI is dependent upon the developer for risk tools that are built into the system, as well as the periodic updates and maintenance.
• For example, a function that should require dual control/separation may be a weak link if the system does NOT allow that control to be implemented. The FI would need to decide whether to accept that risk or to implement compensating controls.
Technology/3rd Party Risk (continued)
• Risk Mitigation
  – FIs should have contracts/agreements in place with correspondent FIs and service providers that outline what controls are implemented and 3rd party's responsibility for any errors or losses
  – FIs should evaluate the controls employed and ask for additional controls to be implemented (if appropriate) or add compensating controls such as procedures or manual controls
  – FI should request certification of audits conducted by technology providers to ensure compliance with legal and regulatory requirements.
Reputational Risk
• Risk that a loss or problem is communicated to the public resulting in negative press and a loss of business
• Risk Mitigation
  – Have a PR plan prepared in the event that a significant problem or loss occurs
    • Should include internal communications, and external press releases, contact information, and ongoing mitigation strategies
Risk Mitigation Tools
• Personnel Management Policies
  – Reassign personnel who have given notice
  – Randomly rotate personnel
  – Hire staff for funds transfers operations with a proven history with organization (not new hires)
  – Adequate Training and Written Documentation
  – Pre-employment Screenings (drug, credit, and police check)
  – "Time Away" Policy
Risk Mitigation Tools
• Use of Repetitive Wire Transfers
  – Since most of the critical information in the payment order is "static", risk is reduced (operational errors, fraud, etc.)
  – Key control is how repetitives are updated/changed.
• Limit non-repetitive wire transfers
  – Verify key data elements (amount, beneficiary and bank info)
  – Wire Transfer Requests by Phone/Fax?
• Wire Transfer Request Forms
Management Tools and Policies
• Procedures for "exceptions"
  – Plan ahead how to handle – use likely scenarios such as primary staff out, etc.
• Dual Control/Segregation of Duties
• Physical Security
• Data Security
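The two slides above (repetitive templates, non-repetitive limits and callback verification, dual control) describe a release policy; the following added example, which is not from the presentation, shows how such a policy check can be expressed in code. The dataclasses, the NON_REPETITIVE_LIMIT value and the sample template are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical policy limit for non-repetitive wires (not a value from the deck).
NON_REPETITIVE_LIMIT = 25_000.00

@dataclass(frozen=True)
class Template:
    """Repetitive wire template: beneficiary data is static, only the amount varies."""
    template_id: str
    beneficiary: str
    beneficiary_bank: str
    account: str

@dataclass
class WireRequest:
    amount: float
    beneficiary: str
    beneficiary_bank: str
    account: str
    initiator: str
    approver: Optional[str] = None
    template_id: Optional[str] = None
    callback_verified: bool = False  # key data elements read back to the customer

def change_template(templates: Dict[str, Template], new: Template,
                    requested_by: str, approved_by: str) -> None:
    """Template maintenance is the key control on repetitives: apply dual control."""
    if requested_by == approved_by:
        raise PermissionError("template change requires a second, different approver")
    templates[new.template_id] = new

def evaluate(req: WireRequest, templates: Dict[str, Template]) -> List[str]:
    """Return policy violations for a wire request; an empty list means it may be released."""
    issues: List[str] = []
    # Dual control / segregation of duties: approver must be a different person.
    if req.approver is None or req.approver == req.initiator:
        issues.append("dual control: approver missing or same as initiator")
    tmpl = templates.get(req.template_id) if req.template_id else None
    if tmpl is not None:
        # Repetitive wire: beneficiary, bank and account must match the stored template,
        # otherwise the request is not repetitive and must not inherit its lower risk.
        if (req.beneficiary, req.beneficiary_bank, req.account) != (
                tmpl.beneficiary, tmpl.beneficiary_bank, tmpl.account):
            issues.append("repetitive: beneficiary data does not match template")
    else:
        # Non-repetitive wire: cap the amount and verify key data elements by callback.
        if req.amount > NON_REPETITIVE_LIMIT:
            issues.append("non-repetitive: amount exceeds policy limit")
        if not req.callback_verified:
            issues.append("non-repetitive: key data elements not verified by callback")
    return issues

# Constructed sample template table, loaded under dual control.
TEMPLATES: Dict[str, Template] = {}
change_template(TEMPLATES, Template("T-100", "Acme Supply Co", "First Example Bank", "111222"),
                requested_by="alice", approved_by="bob")
```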
Passwords
● Alphanumeric
  – Use a mix of letters and numbers ex: A1JB85C
● Avoid Using…
  – Names of family or pets
  – Easy dictionary words
  – Birthdates or SSN's
● Don't write your password down where it can be seen! (or anywhere else!!!)

Security Techniques
• Passwords
• Callbacks
• Encryption of messages between sender & FI
• PKI – public/private key infrastructure
• Test Keys
• Smartcards/tokens
• Biometrics?
  – Fingerprints
  – Voice Prints
  – Retina scan
• No single "silver bullet"

Security Techniques
• Best protection is when multiple security techniques or measures are used
• Often two or more techniques are combined, which makes it more difficult to overcome the preventative devices.
  – Person's profile and terminal profile
  – Physical security and data security
• Something that you know and something that you have.
  – User ID/Password and smartcard or fingerprint
• Impact of FFIEC guidance for multi-factor authentication?
  – What are regulators looking for?
  – Layer security?
• FIs adding "out of band" authentication due to the FFIEC Guidance issued June 2011

Gary Nesbitt AAP, MBA
Wire Transfer 2017 Bootcamp: Session III: Wire Fraud & Current Events Thurs, 2/2 at 1pm CT/2pm ET