Wire Transfer Bootcamp Session II: Wire Transfer Risk

and Risk Mitigation

Presented by Gary Nesbitt, AAP, MBA

Questions

Handouts

Audio

GaryB.Nesbi-,AAP,MBAGNesbi'Consul.ng

•  PrincipalatGNesbi-Consul:ng•  Speaksna:onallyonelectronicpayments

relatedtopics•  Over3decadesofbankopera:ons,risk

management,andpaymentsexperience•  FormerSVPofEastPay,regionalpayments

associa:on•  Managedelectronicpayments@FRBandFirst

UnionBank(nowWellsFargoBank)

•  ConnectviaLinkedIn–  h-p://www.linkedin.com/in/garynesbi-/

3

TopicstobeCovered

• TypesofRisk• RiskMi4ga4on

– ManagementToolsandPolicies– SecurityTechniques

4

2015PaymentSystemsComparisonType Transaction

Volume (Billions)

Dollar Volume

($Trillions)

Average Payment Amount

Checks 17.3 26.8 $1,410

Wires 142.8 (Millions)

834.6 $5,850,000

Debit Cards

59.6 2.29 $38

Credit Cards

31.0 2.80 $94

ACH 23.5 145.3 $2,159

Source: FRB Retail Payments Study 2015 Press Release (December, 2016)

5

KeyCharacteris4csofWireTransfer•  Usuallyforlarger$amountscomparedtootherpaymentstypes

•  Enteredintonetworkforsamedayse-lement(domes:c)

•  Subjecttomoreriskthanotherpaymentsbecause:– AmountsaremuchlargerthanACHorchecks– Fedwiresarefinal(irrevocable)whenreceived

•  Mostfrequentlyusedforbanktobank(nobeneficiary)•  Costsmorethanothertypesofpaymentstoprocess

–  Duetoaddi:onalriskmi:ga:ontoolsemployedsuchasdualcontrolandsepara:onofdu:es

6

WireTransferInputChannels

Sending Bank Federal Reserve or CHIPS

Receiving Bank

$ $

Beneficiary

Sender

PhoneWalk-inThru

Branch

CallCenter

OnlineBankingPortal

Fax/Le:er

7

2016AFPPaymentsFraud&ControlStudyThekeyfindingsofthe2016AFPPaymentsFraudandControlSurveyinclude:

•  73%oforganiza4onsexperiencedaQemptedoractualpaymentsfraudin2016.Thisnumberwentupfrom62%in2015.Largestincreasesincestudybeganin2009.•  Largeorganiza:onsweremorelikelytohaveexperiencedpaymentsfraudthanweresmaller

ones.78%oforganiza:onswithannualrevenuesover$1billionwerevic:msofpaymentsfraudin2015.

•  BusinessEmailCompromise(BEC)washighlightedinstudyasmajorareaofconcern.•  Informa>onbelowfrom2015study–detailsfor2016notyetavailable.•  Almosteightoutoftenorganiza4ons(77percent)thatexperiencedaQemptedoractualpaymentsfraudin2014werevic4msofcheckfraud.Thepercentageoforganiza4onsaffectedbypaymentsfraudviaotherpaymentmethodswere:•  ACHdebit(22%)DOWNfrom27%inpreviousyear•  Corporate/commercialcards(43%)UPfrom29%inpreviousyear•  ACHcredits(9%)UPfrom8%inpreviousyear•  Wiretransfers(27%)UPfrom14%inpreviousyear

•  70%oforganiza4onsthatwerevic4msofactualand/oraQemptedpaymentsfraudin2013experiencednofinanciallossfrompaymentsfraud(downfrom74%in2012).

•  Amongorganiza4onsthatdidsufferafinanciallossresul4ngfrompaymentsfraudin2012,thetypicallosswas$23,100(upfrom$20,300).

•  Asaresultofrecentsecuritybreaches,63%oforganiza>onshaveadoptedorplantoaddaddi>onalsecuritymeasures.

8

TypesofRisk• Credit• Opera4onal• Fraud• Systemic

9

TypesofRisk• Sovereign• Compliance• Technology/3rdParty• Reputa4onal

10

CreditRisks• Originatoroftransferwillnothave“good”fundsavailableat4metransferistobesentoratendofday,orwhenseQlementisaQempted.

11

Opera4ngRisks• Hardware/SoewareorTelecommunica:onsFailure

• HumanError• Limited/UntrainedStaff• Disaster(Thiscantakemanyforms)

12

FraudRisks

•  InternalFraud– FIEmployees– 3rdPartyProcessors

• ExternalFraud– CompanyEmployees– 3rdPartyProcessors– Interlopers/hackers– Keyloggers– CustomerImpersona:on– SocialEngineering

13

FraudRisksControls•  “KnowYourCustomers”

–  Notonlywhotheyarebutwhattheynormallydo•  HaveformalcontractsinplacethatoutlinebothFI&customers’rightsandobliga:ons

•  Use“commerciallyreasonablesecuritymeasures”(callbacks,digitalsignatures,dualcontrols,testkeys,“outofbandauthen:ca:on”methods)

•  Usemul:plelayersofsecurity•  LimitknowledgewithinFItoa“needtoknow”basis

14

SystemicRisk•  Risktothesystem/networkthatonefinancialins:tu:on’sinabilitytose-leitsposi:onwillcauseotherfinancialins:tu:onstofailtose-le.

•  FederalReserve’sPaymentSystemRiskPolicywasdevelopedtopreventthisfromoccurring.RequiresFItomonitorbothitsFedposi:onandcustomer’sposi:on.

15

SovereignRisk•  Riskthatasovereigngovernmentorotherpoli:calen:tywilltakesomeac:ontopreventoralterthese-lementoftransfers.

• Oeenreferredtoas“Poli:cal”risk•  Couldbeassimpleasadelay(whichcouldcauselossoncurrencyexchange)orascomplexasrestrainingtheaccountsorassets.

16

Technology/3rdPartyRisk•  Riskthatabankorcreditunionhaswhenitusessoewareorsystemsdevelopedbyen::esoutsidethefinancialins:tu:on(e.g.soewarevendors)orserviceproviders.

•  Sincethesystemorsoewareisapackage,thepurchasingFIisdependentuponthedeveloperforrisktoolsthatarebuiltintothesystem,aswellastheperiodicupdatesandmaintenance.

•  Forexample,afunc:onthatshouldrequiredualcontrol/separa:onmaybeaweaklinkifthesystemdoesNOTallowthatcontroltobeimplemented.TheFIwouldneedtodecidewhethertoacceptthatriskortoimplementcompensa:ngcontrols.

17

Technology/3rdPartyRisk

18

•  RiskMi4ga4on–  FIsshouldhavecontracts/agreementsinplacewithcorrespondentFIsandserviceprovidersthatoutlinewhatcontrolsareimplementedand3rdparty’sresponsibilityforanyerrorsorlosses

–  FIsshouldevaluatethecontrolsemployedandaskforaddi:onalcontrolstobeimplemented(ifappropriate)oraddcompensa:ngcontrolssuchasproceduresormanualcontrols

–  FIshouldrequestcer:fica:onofauditsconductedbytechnologyproviderstoensurecompliancewithlegalandregulatoryrequirements.

19

Reputa4onalRisk•  Riskthatalossorproblemiscommunicatedtothepublicresul:nginnega:vepressandalossofbusiness

•  RiskMi:ga:on– HaveaPRplanpreparedintheeventthatasignificantproblemorlossoccurs

•  Shouldincludeinternalcommunica:ons,andexternalpressreleases,contactinforma:on,andongoingmi:ga:onstrategies

RiskMi4ga4onTools

•  PersonnelManagementPolicies– Reassignpersonnelwhohavegivenno:ce– Randomlyrotatepersonnel– Hirestaffforfundstransfersopera:onswithaprovenhistorywithorganiza:on(notnewhires)

– AdequateTrainingandWri-enDocumenta:on– Pre-employmentScreenings(drug,credit,andpolicecheck)

– “TimeAway”Policy

20

RiskMi4ga4onTools•  UseofRepe::veWireTransfers

– Sincemostofthecri:calinforma:oninthepaymentorderis“sta:c”,riskisreduced(opera:onalerrors,fraud,etc.)

– Keycontrolishowarerepe::vesupdated/changed.•  Limitnon-repe::vewiretransfers

– Verifykeydataelements(amount,beneficiaryandbankinfo)

– WireTransferRequestsbyPhone/Fax?• WireTransferRequestForms

21

ManagementToolsandPolicies

• Proceduresfor“excep:ons”– Planaheadhowtohandle–uselikelyscenariossuchasprimarystaffout,etc.

• DualControl/Segrega:onofDu:es• PhysicalSecurity• DataSecurity

22

Passwords

23

● Alphanumeric– Useamixofle-ersandnumbersex:A1JB85C

● AvoidUsing…..– Namesoffamilyorpets– Easydic:onarywords– BirthdatesorSSN’s

● Don’twriteyourpassworddownwhereitcanbeseen!(oranywhereelse!!!)

SecurityTechniques•  Passwords•  Callbacks•  Encryp:onofmessagesbetweensender&FI•  PKI–public/privatekeyinfrastructure•  TestKeys•  Smartcards/tokens•  Biometrics?

– Fingerprints– VoicePrints– Re:nascan

• Nosingle“silverbullet”

24

•  Bestprotec:oniswhenmul:plesecuritytechniquesormeasuresareused

•  Oeentwoormoretechniquesarecombined,whichmakesitmoredifficulttoovercomethepreventa:vedevices.–  Person’sprofileandterminalprofile–  Physicalsecurityanddatasecurity

•  Somethingthatyouknowandsomethingthatyouhave.–  UserID/Passwordandsmartcardorfingerprint

•  ImpactofFFIECguidanceformul:-factorauthen:ca:on?–  Whatareregulatorslookingfor?–  Layersecurity?

•  FIsadding“outofband”authen:ca:onduetotheFFIECGuidanceissuedJune2011

25

SecurityTechniques

Ques4ons?

FeelfreetocontactmeviaCBANCordirectlyviaemail.

gary.nesbi-@gmail.com

26

Gary Nesbitt AAP, MBA

gary.nesbitt@gmail.com

Wire Transfer 2017 Bootcamp: Session III: Wire Fraud & Current Events Thurs, 2/2 at 1pm CT/2pm ET