Financial fraud has never been more serious — and costly — for American businesses. According to the “2011 Business Banking Trust Study,” just released by Guardian Analytics, 56 percent of businesses responding to the survey experienced fraud in the last 12 months. Of these, 75 percent were victims of corporate account takeover or online fraud. The FBI estimates that corporate account takeover, in which fraudsters redirect ACH money transfers for legitimate business payments to their illicit accounts, could cost companies $1 billion this year alone.
“The level of ACH risk for a financial institution continues to rise as fraudsters become increasingly sophisticated,” said Barry Rich, chief financial officer and enterprise risk management group head at CapitalMark Bank & Trust, a 4-year-old de novo bank in Chattanooga, Tenn. “These criminals are beginning to target community banks in the belief they are more susceptible to attack.”
Banks are the front-line defense against financial fraud, which is increasingly challenging as payment channels expand, thus offering more avenues for fraudulent activity.
“Customers rely on anytime, anywhere access to payment information that can be easily integrated into their workflows and allows them to be more efficient,” said Uma Wilson, vice president, product management and development at UMB Bank in Kansas City. “As companies continue to operate daily in an open and highly networked online environment, safeguarding this information requires a delicate balancing act to provide ease of use and security.”
Connie Livingston, vice president, treasury management product manager, at Regions Bank, headquartered in Birmingham, Ala., also emphasizes the critical role for banks.
“Protecting the security of information is something Regions takes very seriously, and we are committed to providing advanced solutions to mitigate our clients’ exposure to fraud,” she said. “We have multiple systems in place that are client-facing with multi-factor authentication as well as internal to ensure the security of information. We also believe that client education of best practices is a critical component of preventing corporate account takeover.”
ACH and Corporate Account Takeover
Banks providing ACH credit-origination services should ensure that their originating clients do not have funds redirected from their accounts via ACH and wire transfers. Business clients need to understand that the time frame to return ACH transactions is limited, and financial institutions must provide a timely and effective alert system to protect these clients.
Until recently, the emphasis has been placed on education, teaching employees the risks associated with opening unsolicited attachments or allowing pop-ups. Companies and banks have installed firewalls and spam filters; many have issued security tokens and introduced one-time password technology. Among the available options is out-of-band authentication (OOBA), in which a business is alerted by phone and required to verify a transaction.
The $21 billion-asset Associated Bank, headquartered in Green Bay, Wis., introduced OOBA last year.
“When an online user enters a high-risk service,” said Doug Milway, senior vice president, treasury management product director, “the customer chooses which predetermined phone number (desk, cell or home) to call. That phone rings immediately, and the user is instructed to enter the one-time security code displayed on the computer screen into the headset.”
Associated is targeting June to introduce ACH A.L.E.R.T., offered by ACH Alert in Chattanooga. It is an automatic alert system that warns subscribing account holders when an ACH debit transaction occurs, thereby allowing them to control the pay/no pay decision for incoming ACH debits. “We plan to deploy this product to our commercial customer base,” said Milway. “We feel it will allow us to offer a more competitive product, as well as automate more of our back-office processing.”
The $132 billion-asset Regions is selling the ACH service through its treasury management group, targeting key clients, such as those using the bank’s check fraud prevention service, Positive Pay (a service that matches account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the company), and those who have reported unauthorized activity.
The $12.4 billion-asset UMB plans to introduce it to its entire client base once the service completes its testing phase.
Prevention and Protection
According to the study by Guardian Analytics, in 78 percent of fraud cases, banks failed to prevent the illegal transfer of funds and other fraudulent practices, including identity theft. When fraud occurs, moreover, nearly half of businesses responding did not believe their banks would cover any losses. At the same time, 70 percent feel their financial institutions should ultimately be responsible for securing online accounts.
“Our primary objective is to provide clients with comprehensive solutions to help mitigate fraud exposure, while taking an active role as their trusted adviser by providing fraud prevention tools and resources. With ACH A.L.E.R.T., we are addressing the need our business clients have to protect their accounts from unauthorized ACH debits,” said Regions’ Livingston. “We are leveraging the service to address the ACH risk of our business client base. Businesses have a responsibility to review their account activity and report unauthorized activity to their bank; otherwise, they risk a financial loss. By combining unique cash management needs and business requirements with the appropriate solutions and safeguards, we are helping our clients take an active approach to reducing their exposure to fraud.”
At UMB, the goal is to provide a way for customers to view all their incoming electronic debit transactions, and to enable them to approve or decline a debit from posting to their account by using a Web-based module. According to Wilson, “This empowers our customers to maintain their authorized vendors list and, at the same time, to quickly identify and prevent the unauthorized transaction from posting to their account.”
A complementary product offered by the $490 million-asset CapitalMark is ACH Alert’s ACH C.O.P.S. (Credit Origination Positive-Pay Service). This allows a financial institution to effectively combat the threat of losses due to corporate account takeover by providing ACH-originating clients with a service that alerts them if a credit entry is received designated to a routing number/account number not registered in ACH C.O.P.S.
By inserting this service into the process, originators can be alerted via an out-of-band method if an exception exists, and they are provided with a safe and secure method for approving or rejecting exceptions. The financial institution benefits by driving the exception-handling decision to the client.
Says CapitalMark’s Rich, “ACH C.O.P.S. notifies the customer of any ACH origination before the ACH is released. This allows the customer to stop the transaction before it leaves the bank.”
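The credit-origination check described above can be sketched as follows. This is an added example, not ACH Alert's or any bank's code. It assumes the originated batch is a standard NACHA fixed-width file, and the names `screen`, `REGISTERED` and `SAMPLE`, along with all routing and account numbers, are constructed for illustration.

```python
from dataclasses import dataclass

CREDIT_CODES = {"22", "32"}  # NACHA transaction codes: checking / savings credit

@dataclass(frozen=True)
class Entry:
    routing: str       # receiving bank routing number, including check digit
    account: str
    amount_cents: int
    name: str
    trace: str

def aba_checksum_ok(routing):
    """Routing-number check: digits weighted 3,7,1 must sum to a multiple of 10."""
    weights = (3, 7, 1) * 3
    return (len(routing) == 9 and routing.isdigit()
            and sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0)

def parse_credit_entries(ach_text):
    """Yield credit entries from the type-6 (entry detail) records, 94 chars each."""
    for line in ach_text.splitlines():
        if len(line) == 94 and line[0] == "6" and line[1:3] in CREDIT_CODES:
            yield Entry(line[3:12], line[12:29].strip(), int(line[29:39]),
                        line[54:76].strip(), line[79:94])

def screen(ach_text, registered):
    """Split a batch into (release, hold); hold anything not pre-registered."""
    release, hold = [], []
    for e in parse_credit_entries(ach_text):
        ok = aba_checksum_ok(e.routing) and (e.routing, e.account) in registered
        (release if ok else hold).append(e)
    return release, hold

def _line(code, routing, account, cents, name, trace):
    # Builds one constructed entry detail record (sample data only).
    return f"6{code}{routing}{account:<17}{cents:010d}{'':15}{name:<22}{'':2}0{trace}"

# Constructed sample: the third entry reuses a known vendor name
# but points at an account the originator never registered.
SAMPLE = "\n".join([
    _line("22", "123456780", "1000200030", 125000, "ACME SUPPLY", "000000000000001"),
    _line("22", "987654320", "4400551", 98000, "J DOE PAYROLL", "000000000000002"),
    _line("22", "123456780", "5550001", 4999900, "ACME SUPPLY", "000000000000003"),
])
REGISTERED = {("123456780", "1000200030"), ("987654320", "4400551")}

if __name__ == "__main__":
    release, hold = screen(SAMPLE, REGISTERED)
    for e in hold:  # these go to the originator for out-of-band approve/reject
        print(f"HOLD trace={e.trace} {e.name} ${e.amount_cents / 100:,.2f}")
```

Matching is on the routing/account pair rather than the payee name, so an entry that keeps a familiar name but carries a new account number is still held for approval.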
Concept to Implementation
As a software-as-a-service product, the ACH alert service requires minimal systems integration for implementation. UMB Bank modified its operational documentation to accommodate the new processes and added control points, but both changes were minimal, according to Wilson.
“Financial institutions can charge their clients for the added value and use ACH A.L.E.R.T. to generate a revenue stream in an area that was once a cost center,” said Peace.
A bank pays set-up costs and an ongoing charge based on a per-client/per-month fee, which can be passed on to the bank’s client. Regions, UMB and Associated Bank charge for the service, while CapitalMark does not charge most customers.
According to the Guardian Analytics study, 43 percent of businesses moved their banking activities elsewhere after a fraud incident, and an additional 33 percent moved their primary cash management services to another institution.
UMB’s Wilson best summarizes the message for banks still contemplating what actions to take: “Companies are streamlining their payments and seeking ways to disburse payments efficiently and cost effectively. With this in mind, banks should vigilantly consider implementing risk mitigation products to meet this demand.”
Michael Scheibach is executive editor of BankNews.
Copyright © June 2011 BankNews Media
10 Benefits of ACH Risk Mitigation Services
The bank executives interviewed for this article each recognize the importance of providing an effective means to protect their consumer and business clients from ACH risk. Here are 10 key benefits from offering an ACH risk mitigation service.
1. Provides customers with a better experience in handling their ACH exception transactions and assists clients with fraud awareness.
2. Prevents unauthorized debit activity and rounds out overall fraud prevention suite.
3. Keeps the bank competitive in the evolving bank technology product and service space.
4. Provides a new source of recurring fee income.
5. Solidifies the bank’s partnership with its clients by providing leading-edge technology.
6. Gives customers the online ability to set up new filters or maintain existing filters.
7. Improves the bank’s overall ability to retain business clients.
8. Extends the time frame for customers to review and disposition suspect items.
9. Further bolsters the bank against reputation risk, as felt when any fraud is committed against a financial organization.
10. Takes care of the bank’s shareholders, who will benefit from the value of a solidly protected institution.
Q. What should banks do to combat the escalation of ACH risk for their business clients?
A. The volume and type of ACH transactions are increasing a bank’s ACH risk. But all types of payments are seeing increased risk exposure; ACH is not immune. As banks encourage customers to move from paper-based to electronic products, we need to provide education around how they can best protect themselves. It’s our job to provide education about risk and exposure that our customers could experience. It’s also our job to help find ways to limit their risks.
-Doug Milway, senior vice president, treasury management product director, Associated Bank