BST WatchYourBack 0809


November 2009

PREVENTION OF PAYMENTS FRAUD INCREASINGLY IS A CROSS-INDUSTRY EFFORT.

The battle against payments fraud is as old as money. As banks have introduced new payments methods and increasingly sophisticated defenses, fraudsters have quickly evolved their schemes and adeptly matched banks’ efforts to stop them. Now the industry is looking to join forces to stop fraud in its tracks.

IN THIS REPORT

Payments Fraud: Stopping the Unstoppable Force
A Collaborative Fraud-Fighting Think Tank
SEPA: The Cost of Opportunity

PAYMENTS FRAUD: FACING THE CHALLENGES

The battle against payments fraud is as old as money. But while some of the latest efforts borrow from scams past, most of today’s fraud schemes are as sophisticated as banks’ most advanced payments systems. And stopping them is still a challenge.

BY MARIA BRUNO-BRITZ

Copyright 2009 United Business Media. Please note: This PDF is provided solely as a reader service. It is not intended for reproduction or public distribution. For article reprints, e-prints and permissions please contact:

Wright’s Reprints, 1-877-652-5295, [email protected].

November 2009 ©2009 Bank Systems & Technology; Reproduction Prohibited page 2

PAYMENTS FRAUD

Name a payment method and there is probably some scheme to defraud it. Since the Chinese introduced paper money, banks have been concerned about fraud. More than a thousand years later, payments fraud continues to haunt banks, consumers and businesses.

“Fraud is still rampant,” comments Paul Sussman, VP with First Manhattan Consulting Group in New York. “The majority of businesses over $1 million in revenue are going to be exposed to payment fraud, and almost every bank is being hit by fraud today.”

From simple “Dumpster diving” to organized crime rings that rely on complex computer programming, fraud scams grow in sophistication to match the evolution of payment forms. “Fraud trends continue to evolve,” notes Douglas Twining, director of fraud services for Cleveland-based KeyBank ($99 billion in assets). “The fraud types we’ve seen for years, such as check fraud, are still in existence and are being tailored to today’s world. Check fraud is easy to commit for unsophisticated fraudsters as well as the sophisticated criminals.”

In fact, despite the advent of Check 21 and electronic bill pay, check fraud remains the most prevalent form of corporate payments fraud. According to the Association for Financial Professionals’ 2009 AFP Payments and Fraud Control Survey, nine out of 10 organizations (91 percent) that experienced attempted or actual payments fraud in 2008 were targeted via check fraud. (ACH debit came in a distant second, at 28 percent, followed by consumer credit/debit cards, at 18 percent, and corporate/commercial cards, at 14 percent.)

“The number of [payments fraud] attempts remains strong,” says Iqbal Khan, Executive Director of JPMorgan Treasury Services. “But fraud losses are declining because of technology.”

Iqbal Khan, executive director of New York-based JPMorgan ($2.2 trillion in assets) Treasury Services, which sponsored the AFP survey, says the study revealed an overall increase in fraud activity year over year. He emphasizes, however, that it is important to distinguish between fraud attempts and realized losses. “Remember, it is attempts versus actual fraud,” Khan says. “The number of attempts remains strong, but fraud losses are declining because of technology.”

But fraud never disappears, suggests Christopher Beier, a senior product manager with Brookfield, Wis.-based Fiserv. It just goes elsewhere.

He points to a Javelin Strategy & Research study that showed a decrease in credit card fraud for 2007. Fraud in non-card accounts (checking and savings), however, was on the rise, from $1,800 per loss in 2007 to $9,800 in 2008, according to Beier. “There’s a higher mean fraud cost here,” Beier says. “Fraud didn’t go away. It just moved.”

KEEPING FRAUD IN CHECK

Still, fraudsters are loyal to the tried and true. Even as check volumes decrease in the U.S., check fraud remains the reigning fraud champion.

“Traditional check fraud is the easiest form of fraud,” says First Manhattan Consulting’s Sussman. “There’s still check kiting, check washing and the availability of good laser printers. ... You just need the check routing number and account number to get started [counterfeiting].”

The passage of Check 21 and the introduction of check imaging and remote deposit capture (RDC) may even have created opportunities for innovative criminals. “A lot of fraud is tied to Check 21 because of the reduction in physical check characteristics that occurs once the check is imaged,” notes Michael Urban, senior director of fraud solutions at FICO (Minneapolis). “We get a lot of efficiencies from check imaging, but the fraud prevention part becomes trickier.”


PHOTO BY LUCY KENNEDY


Tom Wills, senior analyst, risk, security and fraud, with Pleasanton, Calif.-based Javelin, agrees that new kinds of fraud have been introduced along with check truncation. “You might have low-resolution scanners at the point of sale,” he explains. “Some paper checks are secured with an infrared watermark and special ink. All that protection goes away because the check scanner might not pick it up.”

But even automated clearing house (ACH) payments — which historically were a means to enable recurring credits generated by the government or commercial interests and were considered secure — may not be entirely safe now that ACH debit has become prevalent for Internet- and phone-based payments. “ACH is known for being secure,” states Lars Skari, partner and practice manager for banking and capital markets with Infosys Consulting, a division of Infosys Technologies (Bangalore). “But there’s potential for some sophisticated fraud activity here because you can now authorize ACH debits on the Web or phone.”

According to Aaron McPherson, practice director, payments and security, for Framingham, Mass.-based Financial Insights, ACH fraud has not been a significant concern and ACH fraud numbers are holding steady. “But does that mean ACH is secure, or are we not catching it?” he asks.

McPherson says the vendors he has spoken to aren’t reporting much demand among banks for ACH-monitoring solutions. “Bankers seem confident in the security of the ACH system,” he reports. But, “With ACH you just transmit the item transit number and the account number. This information is on checks,” McPherson notes, suggesting that this opens an opportunity for fraud.

Adds Robert Jones, a senior consultant with the fraud practice at Santa Fe, N.M.-based The Santa Fe Group, “At least with a card, you know there’s a certain amount of monitoring and funds. With a checking account number, you don’t know if the number really exists at all. It’s a Wild West scenario.”

FRAUD IN THE CARDS?

Indeed, when it comes to security issues, no other area has received greater attention than cards. But cards present a strange dichotomy: On one hand, they are prone to fraud on a number of fronts, from outright theft of physical cards to sophisticated hacking attacks into issuers’ or merchants’ databases and networks. On the other hand, the card space has long been lauded for its use of analytics and risk-monitoring technology to thwart fraudulent activities.

Add to that the common issuer practice of zero liability for consumers who are victims of card theft and, as First Manhattan Consulting’s Sussman says, “Credit card fraud is pretty locked down in some ways.” Though, with the rumblings from Congress about reforming the card industry, Sussman says, he is unsure if issuers will be able to maintain this business model.

Neither is Julie Bernard, a Washington, D.C.-based senior executive and financial services technology expert with Accenture. “It may take a long time to change [the zero liability] practice, but who knows what’s going to happen as a result of caps put on the business by Congress,” she says.

A COLLABORATIVE FRAUD-FIGHTING THINK TANK

Recognizing the pervasive nature of payments fraud, the Atlanta branch of the Federal Reserve, which houses the Retail Payments Office of the Federal Reserve, established the Retail Payments Risk Forum two years ago to bring together expertise from a variety of disciplines to collaborate on ways to better secure the payments system. “A key role of the Federal Reserve system is to foster the integrity of the payment system,” explains Clifford Stanford, an assistant VP with the Atlanta Fed and the director of the Retail Payments Risk Forum. “The Atlanta Fed formed the Retail Payments Risk Forum to help fulfill this role. ... We are staffing it with people dedicated to this area full-time. Our mission is to be a catalyst for collaboration. We work with industry players from banks, nonbank payments providers, industry groups, regulators, merchants, law enforcement and academia — all who think about retail payments risk issues.”

The forum’s earliest push was to establish a blog, Portals and Rails (portalsandrails.frb-atlanta.org), to create a dialogue on emerging risks in the retail payments system. The cooperative also has begun hosting live meetings and teleconferences, with plans to potentially introduce Web conferences. But the blog, according to Stanford, is the best way for a wide audience to engage with the forum.

“This is a key output vehicle for our thinking in closer to real time and [enables] looking at events as they happen and evolve in payments fraud and risk, rather than writing a paper on subjects looking back a year later,” he explains, adding that the forum is looking to bring on board guest bloggers to facilitate the discussion.

Obviously, Stanford notes, anti-payments fraud technology is frequently a topic of conversation for the forum’s participants. “This is definitely an area of interest for us — the tools available for banks and others to monitor, track and mitigate fraud; the breach phenomenon and the concept of data security in moving money,” he says.

An advisory committee, Stanford continues, helps bring together the various players. Although the committee itself is not an open forum, he points out, it does encourage feedback, and the blog provides a tool for collaboration.

“Response from the payments players ... shows the importance of these issues,” Stanford comments. “We want feedback too, so we know whether the information we’re providing is useful and if there’s anything we can do better.” —M.B.

KeyBank’s Twining, however, stresses that there is great value in maintaining a strong anti-fraud program. Even with legislation that restricts some practices of credit card issuers, continuing a program of zero consumer liability is in a bank’s best interest, he says. “As margins are squeezed, your ability to digest fraud losses becomes more difficult, and there could be a positive snowball effect from a fraud prevention investment from a consumer confidence perspective,” Twining notes.

The card business presents an intriguing model for the use of fraud-fighting technology. “There are some really good pattern analytics that you don’t necessarily see on checks,” Accenture’s Bernard relates. “There are so many ways to prevent card fraud — PCI compliance, placing credit watches on cards. And retailers have some time before the money goes out the door to verify the transaction.”

Bruce Rutherford, who oversees fraud management solutions for MasterCard Advisors, says the card space has historically served as a model for the use of fraud-fighting technology. Purchase, N.Y.-based MasterCard, for example, has offered near real-time risk scoring to its issuers since 1998. MasterCard’s Expert Monitoring Solution (EMS), Rutherford explains, scores transactions in near real time and builds models at the regional network level based on product type. “EMS is a technology that leverages a number of artificial intelligence technologies beyond our own networks,” he says. “We plan to introduce real-time scoring to EMS this November.”

A WAR ON MULTIPLE FRONTS

Key to any payments fraud prevention program, according to Catherine Allen, founder and CEO of The Santa Fe Group, is breaking down the business silos that segregate not only payments channels but also banks’ information security and fraud management systems. “A good fraud prevention process requires better communication between [lines of business],” Allen asserts.

“It is no surprise that the biggest fraud problems are in legacy products, like checks and credit cards,” says Infosys’ Skari, who notes that these products also are banks’ “biggest cash cows.” “These are not integrated when it comes to fraud management. [For example], you may employ sophisticated analytics for cards, but not for ACH.”

According to Financial Insights’ McPherson, banks are moving toward an enterprisewide, cross-channel fraud management approach. “It’s the idea that activity in one account can signal activity in another if they’re linked,” he explains. “You can get a lot of value in looking at all of a customer’s accounts together.”

McPherson says banks need to scrutinize payments security from two standpoints: security that blocks threats at the doors, such as identity verification and real-time scoring of fraud risks before they occur; and internal security, such as examining databases within the bank using behavioral analytics to determine suspicious patterns of behavior.

Still, gaining a 360-degree view of customers’ accounts and enterprise data is only part of the solution. The other is making clients understand the importance of certain technologies and practices in keeping their payments safe.

JPMorgan’s Khan says, for example, even though the bank’s positive pay service (which helps the bank compare a company’s record of checks issued with checks presented) has been proven to significantly reduce check fraud on the corporate side, there are some companies that still have not implemented the technology. “A lot of corporates are hit with fraud because they don’t protect themselves very well,” he contends. “They need appropriate internal controls.”

It starts, Khan adds, with awareness. “This just isn’t seen as a business priority for some companies until it actually hits,” he relates, adding, “We work very actively here to educate our clients on fraud prevention.”
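The positive pay comparison mentioned above, sketched as an added example (not code from the article or from JPMorgan): a company's issue file is matched against presented checks, and every mismatch becomes an exception for the company to review. The record layout, the payee comparison and the sample checks are assumptions constructed for illustration, and a single account is assumed.

```python
# Added illustration of positive pay matching; layout and names are assumptions.
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Verdict(Enum):
    PAY = "matches issue file"
    NOT_ISSUED = "serial not in issue file"
    ALREADY_PAID = "serial already paid"
    AMOUNT_MISMATCH = "amount differs from issue file"
    PAYEE_MISMATCH = "payee differs from issue file"


@dataclass(frozen=True)
class Check:  # hypothetical record: one row of the issue file or one presented item
    serial: str
    amount: Decimal
    payee: str


def _norm(payee):
    return " ".join(payee.upper().split())  # ignore case and spacing


def positive_pay(issue_file, presented):
    """Return [(serial, Verdict)] in presentment order; non-PAY items are exceptions."""
    issued = {c.serial: c for c in issue_file}
    paid = set()
    results = []
    for item in presented:
        rec = issued.get(item.serial)
        if rec is None:
            verdict = Verdict.NOT_ISSUED        # e.g. a counterfeit with an invented serial
        elif item.serial in paid:
            verdict = Verdict.ALREADY_PAID      # same item presented twice
        elif item.amount != rec.amount:
            verdict = Verdict.AMOUNT_MISMATCH   # e.g. an altered amount
        elif _norm(item.payee) != _norm(rec.payee):
            verdict = Verdict.PAYEE_MISMATCH    # e.g. an altered payee line
        else:
            verdict = Verdict.PAY
            paid.add(item.serial)
        results.append((item.serial, verdict))
    return results


# Constructed sample data (not from the article).
ISSUE_FILE = [
    Check("1001", Decimal("250.00"), "Acme Supply Co"),
    Check("1002", Decimal("1200.00"), "Northside Freight"),
    Check("1003", Decimal("75.50"), "City Utilities"),
]
PRESENTED = [
    Check("1001", Decimal("250.00"), "ACME SUPPLY CO"),
    Check("1002", Decimal("9200.00"), "Northside Freight"),
    Check("1003", Decimal("75.50"), "J. Doe"),
    Check("1001", Decimal("250.00"), "Acme Supply Co"),
    Check("7777", Decimal("4300.00"), "Acme Supply Co"),
]

if __name__ == "__main__":
    for serial, verdict in positive_pay(ISSUE_FILE, PRESENTED):
        print(serial, verdict.name, "-", verdict.value)
```

Only the first presentment of check 1001 is paid; the other four items are held as exceptions until the company decides whether to pay or return them.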

According to Khan, JPMorgan hosts client workshops on fraud best practices. The bank also works with its sales and services employees to ensure that they are familiar with the bank’s fraud prevention products. “We also try to price these products so they make sense to a corporate,” Khan notes. “Fraud prevention is in all of our best interests.”

That’s an idea that the industry is at least starting to acknowledge, as payments players increasingly embrace cross-industry efforts to secure payments transactions. “People are talking about greater sharing of data between parties in the payments value chain — banks, merchants and processors,” according to Financial Insights’ McPherson, who notes that such collaborative efforts traditionally haven’t had much support because all parties involved fear loss of control of the payments transaction data. “Sharing data on security breaches involves personal account data that banks are reluctant to share. There are privacy concerns.”

FIGHTING THE LOW-TECH FIGHT

Perhaps lost amid all of the attention on high-tech data breaches, however, is the reality that low-tech fraud forms are surprisingly dominant, says Javelin’s Wills. “The area of data breaches is distorted,” he asserts. “The big ones grab headlines. But there’s no strong correlation between a breach and fraud. Now we’re seeing all this regulation around data breaches and how banks need to notify customers. There’s also PCI compliance, which is a quasi regulation [for card data safety]. But according to our research, only one in 10 breaches actually results in fraud.”

The reason, Wills says, is that fraudsters need more information to commit these crimes than just a card number. That’s where old-fashioned Dumpster diving or even Facebook research on individuals comes in, he says. “Look at all the personal information people put in their Facebook accounts,” Wills comments. “This makes it so easy for criminals to fill in the blanks.”

Add to this the fact that most fraud is “friendly fraud,” when the victim knows the perpetrator in some way, according to Wills, and fraud prevention takes on another dimension. “There’s a lot of focus on breach protection, which is fine. But mitigation strategies for breaches and for fraud are not the same,” Wills stresses. “PCI was built around breach protection: It helps you plug holes. For fraud, you must focus more on Know Your Customer and tracking and analytics than we do today.” ■


SEPA

The Payment Services Directive and the SEPA Direct Debit schemes will change the payments landscape in Europe.

New European payments directives will require banks to invest in new infrastructures or partnerships, but they also provide opportunities to offer value-added services, writes Bernd Waizenhoefer, Head of FI Markets - Global Payments Product Management, Global Transaction Banking, Deutsche Bank.

In November 2009 several payments milestones will be reached: The Payment Services Directive (PSD), which aims to establish a comprehensive set of rules for payments in the European Union, is expected to be transposed into national law in nearly all EU/European Economic Area countries; and the Single Euro Payments Area (SEPA) Direct Debit (SDD) schemes (Core and B2B) for making cross-border and national euro direct debits will be launched as well.

In contrast to the SDD scheme, the PSD will have an immediate impact on banks. Banks must be able to process PSD-applicable payments in line with local legislation beginning Day 1, abiding by the regulations’ full requirements, such as maximum execution timeline, value dating provisions, and full-amount obligations for originating and intermediary banks. The financial impact on banks — in particular, the decline of fee and float income — will be noticeable straight away.

The SDD schemes will not have such a direct effect. Although a new European Commission (EC) regulation (also effective November 2009) includes a mandatory reachability obligation for the payment service provider (PSP), this obligation will have a transition period until November 2010 for PSPs that are already active in national euro direct debit schemes. For PSPs outside the eurozone, the transition period will run until November 2014.

Accordingly, fewer banks will offer SDD to clients on Day 1, and volumes are expected to be low in the first year. The success of the SDD will depend largely on the reachability of banks and a solution to migrate legacy direct debit mandates to the SDD schemes, as well as agreeing to an end date for existing euro ACH systems within Europe.

Both the PSD and SDD will change the payments landscape in Europe. In many cases banks are looking for partners rather than upgrading their own infrastructures to comply with the different requirements. This approach may range from correspondent banking to complex outsourcing structures.

For processing of commercial payments in line with the PSD, ordering banks must ensure that any intermediary does not deduct charges from the transaction. Explicitly outlined in national laws, the “no-deduct” service should become standard for PSD transactions.

But there is more that a correspondent partner can do for its financial institution clients. Deutsche Bank, for example, provides a value-added service on request to convert the charge codes in SWIFT instructions to accommodate all involved parties.

In addition SEPA creates opportunities to leverage partners. Since January 2008 Deutsche Bank has provided full clearing services for SEPA credit transfers via a dedicated pan-European platform. Its solutions for SEPA direct debits are built on the same platform and thus are perfectly aligned to complement our existing SEPA Connect service.

The SEPA Direct Debit scheme is more complex than the SEPA Credit Transfer scheme in regard to its content and the message flows involved. New internal processes need to be built from scratch and old infrastructures can be used only in limited ways. Therefore, participating banks are focusing on the new XML messages for SDD processing, rather than on alternative formats.

The XML messages form the basis of Deutsche Bank’s SDD services. However, to support several stages of the client’s SDD implementation, the bank also provides conversion services based on other file formats, like CSV, for transaction initiation and transaction receipts as well as SEPA-compliant returns and reversals. ■