Framework for Assessing Risk
Managing ACH Risk Coming & Going
Kim A. Bruck, AAP, Vice President, Business Development
ACH ALERT, LLC
Patrick D. Collins, Vice President, Product Management
Associated Bank
June 7, 2012
Oh, the Stuff You Will Learn!
What can you expect to accomplish here today:
1. Understanding what banks consider as they review ACH processing risk
2. Risk is more than just financial
3. How does this affect you, the corporate customer
4. Hear about a few solutions to address processing risk
Getting to know you
• Which type of ACH activity do you feel represents the most risk for your FI?
  – ACH Debit Origination
  – ACH Credit Origination
  – Incoming ACH Items
• What are specific concerns?
• Which type of ACH activity do you feel represents the most risk for your clients?
  – ACH Debit Origination
  – ACH Credit Origination
  – Incoming ACH Items
• What are specific concerns?
ACH Risk Coming & Going
• RDFI
  – Unauthorized debits
  – Credits due to account takeover
• ODFI
  – Origination
    • Origination of unauthorized debits
  – Account Takeover
    • Type of business identity theft in which the criminal entity steals a company’s valid online banking credentials
    – Not about the compromise of the payments system itself
• What happens once the cyber-thief has the online banking credentials?
  – Initiate funds transfers out of the compromised business account by ACH or wire to an FI account of associates (money mules) in the US or directly overseas
How It Happens
• A computer can become infected with malware which can then spread across the business’ entire network
  – An infected document attached to an e-mail
  – A link within an e-mail that connects to an infected website
  – Employees visiting legitimate websites
  – An employee using a flash drive that was infected by another computer
• Systems are then exploited to obtain legitimate security credentials
Corporate Account Takeover Scenario
1. Email with Trojan embedded is opened by Originator
2. Originator enters credentials for Online Banking; Trojan captures these credentials and sends them to the criminal
3. Criminals collect Online Banking credentials
4. Criminal logs into Originator’s Online Banking profile and modifies outbound ACH credit file to incorrect routing & account numbers
5. Mules withdraw cash and forward to criminals overseas
6. Criminals go undiscovered
7. Originator/FI is out of the money
I. What can you expect to accomplish here today:
• Better understanding of what drives banks’ risk considerations, philosophy and solutions
  – Strategy
  – Policy
  – Credit exposure
  – Customer protection
  – Regulations & Laws
  – Industries of interest, or not
  – Revenue compared to risk
  – Solutions
    • KYC
    • Periodic reviews
    • Input controls
    • Behavioral monitoring
    • Automated tracking
    • Education
Automated Clearing House Strategic Statements
• Associated Bank will be both a receiver and an originator of ACH transactions as defined by the NACHA rules that govern policy and operational procedures.
• ABC will stay current with all obligations as outlined by NACHA’s periodical updates.
• ABC will be current to within 6 months of major software releases.
• Be appropriately competitive with similar offerings of our peer group.
• If there are opportunities that prevail for ABC to be more proactive, we will act swiftly to create a service or product that meets the financial, strategic, or tactical objectives of our organization.
• Maintain the highest level of accuracy, compliance and availability that ABC can reasonably provide.
• Customer contracts and agreements will define the services that will be provided to each customer and to each transaction account.
• ABC will position itself as an active member and leader in the ACH community through the participation with local ACH association. ABC’s current primary local association is WACHA.
• ABC will participate with the NACHA organization for the annual conference and/or other meetings plus seek participation with committee membership if beneficial to the bank.
Policy Should Include
• Target Businesses
• High Risk Businesses
• Required Underwriting
• Renewals
• Establishing Exposure Limits
• Regulation O
• International Transactions
• Suspended Files
• Required Documentation
• Approval Authority
• Roles and Responsibilities
• Risk Mitigation Techniques
• Deteriorating Credits
• Fraud Prevention
• Variances from Policy
• Profitability of ACH – including ACH related losses
• Trend information on volume, returns, transaction types
• ACH Exposure compared to Tier 1 Capital Ratios
• Risk in ACH Portfolio
• High volume return rate clients
• Violations and Fines
The Bee Watcher
The Bee-Watcher-Watcher watched the Bee-Watcher
What are some of the regulations and rules?
• ACH Operating Rules & Guidelines
• ACH Risk Management Handbook
• The Green Book
  – Guide to Federal ACH Payments and Collections
• Federal Regulation E
• OFAC (Office of Foreign Assets Control)
• FFIEC – Federal Financial Institutions Examination Council
• Uniform Commercial Code Article 4A
  – Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank
Uniform Commercial Code Article 4A, cont.
• A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.
2. More than just financial
Non-financial losses experienced by FIs in 2010
• 45% – Loss of productivity
• 37% – Customer confidence and reputation
• 18% – Customer accounts moved to another FI
• 16% – No losses
• 12% – Regulatory or other compliance issues
Source: Security Media Group 2010
3. How does this affect you?
• Policy of a bank says we will do all things for all companies…
• Credit exposure is established at the setup
  – File limits, warehouse limits, transaction variances, etc.
  – Pre-funding
• Customer protection, again at setup
  – Service agreements
  – Authorization
• Regulations and laws
• Industries of interest, or not
  – Third party processors
  – Gaming
  – Health Care
• Revenue to risk
Corporate Customer Perspective
• Which type of ACH activity do you feel represents the most risk for the financial institution?
  – ACH Debit Origination
  – ACH Credit Origination
  – Incoming ACH Debits
  – Incoming ACH Credits
The bank’s perspective
• What about specific Standard Entry Class (SEC) codes such as IAT, POP, TEL, WEB
• How about return items
  – Commercial
  – Consumer
• Did you consider the settlement process
  – What is the offset account
  – What about items that have settlement dates outside of the normal 1 day debit and 2 day credit
• What role does a third party processor play for the bank and the corporate customer
Business Process Controls
• Training, Policies & Procedures
• Reviews, Exposure Limits & Dual Controls
• Return reporting
  – Check with ACH Operators for risk and origination reporting tools
• Positive Pay
  – Incoming and Outgoing ACH
  – Check
• Alerts
  – Incoming and Outgoing ACH
  – Outgoing Wire
• FFIEC Guidance and other regulations
• Layered Security
• Authentication techniques
• Tools & Technology
Sound Business Practices: Corporate
• Layered System Security
  – Appropriate tools to prevent and deter unauthorized access to its network, and periodic review of such tools to ensure they are up to date
  – Install robust anti-virus and security software
  – Multi-layered system security technology
  – Security suites so all security options work together to provide superior protection
Sound Business Practices: Corporate
• Online Banking Safety
  – Dedicating one computer exclusively for online banking and cash management activity
  – Disallow a workstation used for online banking to be used for general Web browsing and social networking
  – Verify use of a secure session (https) in the browser for all online banking
  – Disallow the conduct of online banking from free Wi-Fi hot spots
  – Cease all online banking activity if the online banking application “looks” different than usual
© 2012 ACH Alert LLC. All Rights Reserved.
FFIEC Guidance Supplement – FI’s
• Federal Financial Institutions Examination Council (FFIEC) issued a supplement (June 28, 2011) to the Authentication in an Internet Banking Environment guidance, issued in October 2005
  – What is the purpose?
    • Reinforce the risk management framework in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security and other controls in the increasingly hostile online environment
    • More focus on business accounts
Why does the FFIEC Guidance matter to you, the Corporate client?
• Online business transactions
  – Generally ACH file origination & wire transfers
• FIs should implement
  – Layered security
  – Multi-factor authentication
Layered Security Program
• The Agencies expect that an institution’s layered security program will contain the following two elements, at a minimum.
  – Detect and Respond to Suspicious Activity
  – Control of Administrative Functions
Layered Security Programs
• Detect and Respond to Suspicious Activity
  – Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to:
    • Initial login and authentication of customers requesting access to the institution’s electronic banking system; and
    • Initiation of electronic transactions involving the transfer of funds to other parties.
Tools & Technology
• Transaction monitoring/anomaly detection software
  – Suspicious funds transfers
  – Out of the ordinary
  – Patterns of behavior
  – Not approved recipient based on routing number and account number
  – White list
Tools & Technology
• Out-of-band authentication
  – A transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., phone) in order for the transaction to be completed
• Validation of the routing number & account number (aka Positive Pay/white list)
Tools & Technology
• Focus on the point of entry
  – Online banking log in
  – Transmission of the file
• Once the file is at the FI from online banking
  – Validation of the routing number and account number after it’s left online banking and before it goes to the processor or ACH Operator
    • Positive Pay
    • Out-of-band alerts
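The validation-before-release step from the two Tools & Technology slides above (recipient not approved by routing number and account number against a white list, and the check between online banking and the processor/ACH Operator), written out as an added Python example that is not ACH Alert’s or Associated Bank’s code. It assumes the NACHA entry detail record layout and the ABA routing-number check digit; the approved-payee list, the sample entries and the per-entry limit are constructed for illustration.

```python
# Added example, not ACH Alert's or Associated Bank's code. Assumes the NACHA entry
# detail ("6") record layout and the ABA check-digit rule; all data below is constructed.
FIELDS = {  # 0-based slices of the 94-character entry detail record
    "tran_code": slice(1, 3), "rdfi_id": slice(3, 11), "check_digit": slice(11, 12),
    "account": slice(12, 29), "amount": slice(29, 39), "name": slice(54, 76),
    "trace": slice(79, 94),
}

def routing_check_digit(first_eight: str) -> int:
    """ABA check digit: weights 3,7,1 repeating over the first eight digits."""
    total = sum(int(d) * w for d, w in zip(first_eight, (3, 7, 1) * 3))
    return (10 - total % 10) % 10

def parse_entry(record: str) -> dict:
    if len(record) != 94 or record[0] != "6":
        raise ValueError("not a 94-character entry detail record")
    entry = {name: record[pos].strip() for name, pos in FIELDS.items()}
    entry["amount"] = int(entry["amount"])  # NACHA amounts are in cents
    return entry

def screen_entries(records, whitelist, max_amount_cents):
    """Positive-pay check run after the file leaves online banking and before it
    goes to the processor/ACH Operator. whitelist maps a 9-digit routing number to
    the approved accounts at that RDFI. Returns (trace, reason) per entry to hold."""
    findings = []
    for record in records:
        e = parse_entry(record)
        routing = e["rdfi_id"] + e["check_digit"]
        if not routing.isdigit() or routing_check_digit(routing[:8]) != int(routing[8]):
            findings.append((e["trace"], "routing number fails check digit"))
        elif e["account"] not in whitelist.get(routing, set()):
            findings.append((e["trace"], f"payee {routing}/{e['account']} not on white list"))
        if e["amount"] > max_amount_cents:
            findings.append((e["trace"], "amount exceeds per-entry limit"))
    return findings

def build_entry(tran_code, routing, account, cents, name, trace):
    """Constructed sample record in NACHA entry detail layout (94 chars)."""
    return ("6" + tran_code + routing + account.ljust(17) + f"{cents:010d}"
            + " " * 15 + name.ljust(22)[:22] + "  " + "0" + trace.zfill(15))

# Hypothetical approved vendor: routing 123456780 (valid check digit), account 1001.
APPROVED_PAYEES = {"123456780": {"1001"}}
SAMPLE_FILE = [
    build_entry("22", "123456780", "1001", 125000, "ACME SUPPLY", "1"),      # legitimate
    build_entry("22", "876543212", "99887766", 125000, "ACME SUPPLY", "2"),  # redirected to mule
    build_entry("22", "123456789", "1001", 950000, "ACME SUPPLY", "3"),      # bad routing, over limit
]
```

Entries the check holds are the ones an out-of-band alert to the Originator would then confirm or reject; `screen_entries(SAMPLE_FILE, APPROVED_PAYEES, 500000)` flags the second and third constructed entries and passes the first.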
Tools & Technology
• Wire transfers
  – Call back
  – Fax confirmation
  – Monitoring/Out of pattern behavior
  – Validation/White list
  – Out-of-band alerts
The Stats
• Did you know that 860,000 attempts are made EACH day to hack into systems?
• There are about 75,000 new strains of malware EACH day.
Resources
• Sample of Education Video http://www.achalert.com/index.php?page=demo-bank-usa
• NACHA Corporate Account Takeover Resource Center http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm
Contact Information
• Kim A. Bruck, AAP, Vice-President, Business Development, ACH ALERT, LLC
  – [email protected]
  – 1-866-265-8961 x 115
  – www.achalert.com
Contact Information
Patrick Collins, Vice-President
Associated Bank
740 Marquette Avenue
Minneapolis, MN 55402
(612) 359-4445