Combating Payments Fraud: How Well Are You Managing Your Company's Risk?

Payments fraud incidents are increasing in frequency and severity every day. Combined with more stringent global regulatory requirements and increasing payments volumes, corporations today are challenged with combating emerging payments fraud activities. This session will discuss fraud trends impacting businesses, best practices in mitigating risk, and the tools to have in your arsenal in fighting fraudulent payment activities.

Published in: Economy & Finance, Business

  1. Combating Payments Fraud: How Well Are You Managing Your Company’s Risk?
     Peter Nash, Assistant Treasurer, CVS Caremark
     Nasreen Quibria, Payments Expert, Logica
  2. Today’s End in Mind… © Logica 2012. All rights reserved No. 2
  3. This is Logica
     Leading global business and technology services company
       • Business consulting
       • Products
       • Systems integration
       • Outsourcing
     Nearly 41,000 employees worldwide
     Over $6 billion USD in revenues 2011
     Creating value for clients by successfully integrating people, business and technology
  4. About
       • Largest pharmacy health care provider in the United States
       • More than $107 billion in annual revenue
       • Approximately 200,000 employees in 44 states, the District of Columbia, and Puerto Rico
       • Headquartered in Woonsocket, R.I.
       • Operate more than 7,327 retail stores, 30 onsite pharmacies, 31 specialty pharmacy stores, 13 specialty mail order pharmacies, four mail order pharmacies, 657 MinuteClinic, retail health care clinics
       • No. 1 provider of prescriptions – more than 1 billion prescriptions filled or managed annually
       • 75 percent of the U.S. population lives within three miles of a CVS/pharmacy
       • No. 1 Retail-Based Medical Center Operator
       • No. 1 Retail Loyalty Program – more than 69 million active ExtraCare customers
  5. Impact of Economic Downturn
     [Chart: Attempted or Actual Payments Fraud (%) and % Growth by year, 2004 to 2011, annotated "Great Recession, December 2007 – June 2009" and "Improvement in US Economy"]
     Source: 2012 AFP Payments Fraud and Control Survey
     Growth in fraud trends reflects US economic landscape
  6. Trends in Payments Fraud
     [Chart: Estimated Median Value of Payments Fraud ($) and % Growth by year, 2004 and 2006 to 2011]
     Source: 2012 AFP Payments Fraud and Control Survey
     …Business of fraud continues to thrive
  7. Shifting Landscape in Payments Fraud
     [Chart: share of fraud by perpetrator category for 2011, 2010 and 2009, on a 0% to 100% axis]
       • Outside individual (e.g., forged check, stolen card)
       • Internal party (e.g., malicious insider)
       • Organized crime
       • Third-party or outsourcer (e.g., vendor, professional service provider, business trading partner)
       • Other
       • Criminal invasion (e.g., hacked system, malicious code - spyware or malware)
       • Lost or stolen laptop or other device
     Source: 2012 AFP Payments Fraud and Control Survey
     Growing threats are evolving…
  8. Cybercrime at Center Stage
     Total cost of cybercrime: $388 billion
     Top 3 Cybercrimes:
       • Computer viruses or malware
       • Online scams
       • Phishing
     Source: Norton Cybercrime Report 2011
  9. Largest Breaches of All Time*
     [Timeline, 2005 to 2012]
       • CardSystems: 40m – Hacked, June 19, 2005
       • US Dept. of Veterans Affairs: 26m – Stolen, May 22, 2006
       • TJX Companies: 96m – Hacked, January 17, 2007
       • HM Revenue and Customs: 25m – Lost, November 20, 2007
       • Bank of New York: 12m – Lost, Sept 6, 2008
       • T-Mobile: 17m – Lost, Oct. 6, 2008
       • Heartland Payment Systems: 130m records lost - Hacked, January 20, 2009
       • RockYou, Inc.: 32m – Hacked, Dec. 14, 2009
       • EMC’s RSA: 40m – Hacked, March 2011
       • Sony Corporation: 77m – Hacked, April 26, 2011; 25m – Hacked, May 2, 2011
       • SK Telecom’s Cyworld: 35m – Hacked, July 28, 2011
       • *4 gaming + social network sites hacked, Nov – Dec 2011
       • Amazon’s Zappos: 24m – Hacked, Jan. 15, 2012
     *Greater than 10m accounts impacted
  10. No Payment Type is Immune
       • Checks: 85%
       • ACH Debits: 23%
       • Corporate/Commercial Cards: 20%
       • Consumer/Small Business Cards: 12%
       • ACH Credits: 5%
       • Wire Transfers: 5%
       • Payroll and Other Benefit Cards: 5%
     Source: 2012 AFP Payments Fraud and Control Survey
     But not all fraud targets are equal
  11. Low Tech, High Loss
     Types of Check Fraud
       • Use organization’s MICR line data
       • Altered payee names on checks issued by the organization
       • Altered employee paychecks
       • Counterfeit checks
       • Check kiting
       • “Holder in Due Course” (HIDC)
     Even as check volumes decline, check fraud remains rampant
  12. Check Fraud Reduced with BOC
     BOC + New Authorization Process = Reduced Check Fraud
       • CVS now receives initial returns an average of 7 days quicker (from 10 days to 3 days on average)
       • All unknown check writers are routed to TeleCheck Online for authorization (includes negative file and risk scoring)
       • Check declines roughly doubled with no up-tick in customer complaints
       • Multiple Returned Checks (same MICR with 2 or more returns) decreased (items down 46% and dollars down 64%)
  13. Low Tech, High Loss
     Types of Check Fraud
       • Use organization’s MICR line data
       • Altered payee names on checks issued by the organization
       • Altered employee paychecks
       • Counterfeit checks
       • Check kiting
       • “Holder in Due Course” (HIDC)
     Check Fraud Best Practices
       • Use high-quality check stock with built-in security features
       • Purchase stock from known vendors
       • Store check stock, deposit slips, bank statements and cancelled checks securely
       • Implement secure financial document destruction processes
       • Establish employee order/reorder policy for stock
       • Dual controls over check stock, check issuance and account reconciliation
     Fraud Protection Solutions
       • Positive pay
       • Payee verification
       • Reverse positive pay
       • Stale dating
       • Check cashing with positive pay
       • Post no checks
     Even as check volumes decline, check fraud remains rampant
  14. ACH Fraud Gains Momentum
     Types of ACH Fraud
       • Account Hijacking
       • Identity Fraud
       • ACH Kiting
       • Reverse Phishing
       • Insider Origination Fraud
       • Counterfeiting
  15. Corporate Refund Check Fraud
       • Corporate refund checks were generated and mailed to consumers
       • Associates/friends of check recipients attempted to commit ACH fraud against several different accounts
       • A few attempts got through as ACH blocks/filters were not in place on all corporate accounts
       • Most attempts were stopped as a result of ACH blocks
       • Fraud attempts were detected and reversed as a result of detailed account reconciliations
  16. ACH Fraud Gains Momentum
     Types of ACH Fraud
       • Account Hijacking
       • Identity Fraud
       • ACH Kiting
       • Reverse Phishing
       • Insider Origination Fraud
       • Counterfeiting
     ACH Fraud Best Practices
       • Know who you’re dealing with
       • Segregate accounts for better control
       • Mask account numbers and Tax ID numbers in correspondence
       • Use encryption email for confidential information
       • Monitor and reconcile your accounts daily
       • Ensure secure ID tokens are collected and passwords are changed when an employee leaves
       • Devise strong passwords
     Fraud Protection Solutions
       • ACH Transaction Review
       • ACH Debit Blocking
       • ACH Debit Filters
       • ACH Positive Pay
       • Late ACH Return Block
       • Return Item Validation
       • Universal Payment Identification Code (UPIC)
  17. NACHA "ACH Transaction" Virus Scam
  18. Focus on Phishing
     Types of Phishing
       • Deceptive Phishing
       • Malware-Based Phishing
       • Keyloggers and Screenloggers
       • Session Hijacking
       • Web Trojans
       • Hosts File Poisoning
       • System Reconfiguration Attacks
       • Data Theft
       • DNS-Based Phishing
       • Content Injection
       • Man-in-the-Middle
       • Search Engine Phishing
       …to name a few
     Phishing Best Practices
       • Ensure that browser and security software information is continually updated
       • Spam blocking filters and surfing block controls are maintained companywide
       • Privacy locks should be utilized to restrict access to sensitive data
       • Establish corporate policies for email content
       • Provide a way for email recipient to validate legitimate email
       • Stronger authentication at websites
       • Monitor for potential phishing sites
     Protection Solutions
       • Implement anti-virus, content filtering and spam blocker solutions at the Internet gateway
       • Consider subscribing to cyber-intelligence services which may be used to identify on-line threats, misrepresentations, or online frauds targeting brand(s)
  19. Credit Where No Credit is Due (B-to-B)
     Types of Card Fraud
       • Employee misuse
       • Embezzlement
       • False fraud
       • Lost or stolen card
       • “Card-Not Present” orders
       • Counterfeit
     Credit Card Fraud Best Practices
       • Protective controls, such as setting transaction limits and monthly limits for all cardholders
       • Cancel and destroy unused cards
       • Track receipts
       • Review card statements for unexplained charges
       • Order a copy of your firm’s credit report annually to look for unauthorized applications, unfamiliar credit accounts
       • Authenticate cardholder
       • Not delay chargeback response
       • Adhere to PCI Compliance Standards
     Fraud Protection Solutions
       • PCI Compliance solutions
       • Fraud detection solutions including alerts
       • Web-based payments tools that provide enhanced reporting and real-time visibility into spending
     Card fraud is typically committed by an unknown external party
  20. Corporate Toolbox
     Deter (& Prevent), Detect, Defend
       • Audit & monitor internal procedures
       • Rigorously monitor financial position
       • Utilize financial institution electronic solution & services
       • Reconcile daily
       • Report unauthorized transactions to financial institution immediately
       • Enforce a policy of zero tolerance
       • Control access of checks, cards, and electronic payments
       • Screen new hires
       • Train staff on fraud awareness
       • Segregate duties
       • Protect sensitive data, systems, documents, passwords, and PINs
       • KYC (+suppliers & referral sources)
  21. Control and Monitoring of Bank Account Signers
       • Currently control 735 corporate/retail accounts with two segregated signers on each account over 290 banks.
       • Signers have the ultimate control of the account, features and reporting.
       • Audit account signers periodically to ensure both accuracy and active employment.
       • The signer database and applicable controls is a weakness in some of the larger banks, particularly as it relates to corporate versus branch accounts.
       • Ensure that bank branches cannot accept instructions from local field or store management.
       • Bank and corporate employees can and will make errors.
  22. Key Takeaways & Best Practices
       • Organizations need to remain vigilant to threats, especially emerging cross-channel fraud.
       • Build a culture of risk awareness. Communicate and collaborate with employees to educate and work with them to combat fraud.
       • Reduce exposure to fraud attempts and losses by migrating more transactions to electronic payments (i.e., ACH and cards).
       • Leverage the tools and techniques available to you. Utilize best practices and solutions offered by financial institutions and solution providers.
  23. Questions…
     Peter D. Nash | Assistant Treasurer
     One CVS Drive, Woonsocket | RI 02895
     (o) 401.770.2853
     peter.nash@cvscaremark.com
     Nasreen Quibria | Payments Expert
     (o) 781.373.8554 | (m) 617.390.4649
     nasreen.quibria@logica.com
     Nasreen Quibria (nasreen.quibria@gmail.com) nquibria
