Risk Management May, 2007 JPMorgan Chase Commercial Card Solutions.

Risk ManagementMay, 2007

JPMorgan Chase JPMorgan Chase Commercial Card Commercial Card SolutionsSolutions

2

AgendaAgenda

Definitions

Fraud

Dispute

Case Study – Employee Fraud

State of Oklahoma Audit Findings

3

DefinitionsDefinitions

4

DefinitionsDefinitions

Fraud – Unauthorized use of a payment card resulting from lost, stolen or compromised account. The user has malicious intent and is seeking personal gain from use of account.

Dispute – Authorized cardholder questions the validity of a transaction. More along the lines of a transaction that was “mistakenly” applied to an account. MasterCard defines valid dispute reasons.

Employee Abuse – Authorized cardholder uses card in a manner which the State receives no benefit. MasterCard defines the type of employee abuse for which customers can be indemnified.

5

FraudFraud

6

Common Fraud TypesCommon Fraud Types

Lost/Stolen

Counterfeit Card

Mail Theft/Non-Receipt

Unauthorized Use

Skimming

Phishing

7

Lost/StolenLost/Stolen

Major source of fraud, along with counterfeit cards

Perpetrator not sophisticated

May know cardholder address, date of birth and social security number

Generally does not have false identification

Various types of spending

8

Counterfeit CardCounterfeit Card

Credit card has been manufactured

Security features will not be present or authentic

Sophisticated perpetrator

False identification used

Often found within organized fraud rings

9

Mail Theft/Non-ReceiptMail Theft/Non-Receipt

New account or replacement card recently mailed

Perpetrator slightly more sophisticated

Will know cardholder address, usually does not know date of birth and social security number

Generally does not have false identification

In-store purchases or mail/telephone order

10

Unauthorized UseUnauthorized Use

Transactions are made without an actual plastic via mail or telephone orders

Perpetrator is more sophisticated

Adult or Internet-type transactions

11

SkimmingSkimming

Magnetic stripe is compromised

Card has been manufactured

Identification matches with a false name embossed on credit card

Sophisticated perpetrator - organized fraud rings

Enhanced security features deter perpetrators

12

PhishingPhishing

Phishing is an attempt to gain private information about you and your accounts. Most often via e-mail that looks like it is from your financial institution

You should never reply to or enter any information if you receive a suspicious e-mail

If you are unsure if the e-mail is legitimate call the 800 number on the back of your card

13

PhishingPhishing

It is not JPMorganChase’s practice to:

Send e-mail that requires you to enter personal information directly into the e-mail

Send e-mail threatening to close your account if you do not take immediate action of providing personal information

Send e-mail asking you to reply by sending personal information

Send e-mail asking you to enter your user ID, password, or account number into an e-mail or non-secure web page

14

Protection Against Fraud Loss is a PartnershipProtection Against Fraud Loss is a Partnership

Fraud statistics vary from customer to customer, depending upon the controls they have in place.

Statistically, customers with higher loss are not taking advantage of the controls and reporting provided by the Bank.

JPMChase is there to assist in reducing fraud losses through preventative measures, reporting, and recovery efforts.

There are a number of things customers can do to guard against fraud.

15

Card Design Security FeaturesCard Design Security Features

Hologram

Stylized Logo

Tamper-evident signature panel (CVC2)

Unique magnetic stripe coding (CVC1)

16

Top Fraud MCCsTop Fraud MCCs

5411 – Grocery Stores

5732 - Electronics

5311 – Department Stores

5310 – Discount Stores

4812 – Telecommunication Equipment including telephone sales

17

Fraud Detection SystemFraud Detection System

Criteria for queues based on current fraud trends

Reacts to request for authorization

Queues are populated with authorization “hits” on criteria

Queues can be defined for specific MCCs, dollar amounts, states/countries, etc.

18

Fraud Detection SystemFraud Detection System

Detection cases are reviewed by a fraud analyst

Cardholder or Program Administrator is contacted to validate activity

Accounts may be temporarily suspended until activity is validated

Account analyzed by history, previous spending patterns, type of transaction, recently issued card

19

DisputesDisputes

20

Dispute Handling Guidelines Dispute Handling Guidelines

Merchants have 45 days to respond to your dispute claim

Provisional credit provided during the research process

File disputes timely

Maintain sufficient documentation on transactions to support your dispute

Avoid card sharing, it forfeits your dispute rights

Avoid use of department cards

21

Chargeback Tip - DisputesChargeback Tip - Disputes

Cardholder should contact merchant to resolve dispute

Cardholder must tender return of merchandise

Quality of service requires supporting documentation

Issuers may assist with cancellation of recurring payments on behalf of the cardholder

22

Case Study Employee FraudCase Study Employee Fraud

23

Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud

Classic Fraud Profile

Trusted long term employee

Employee rarely took vacations/time off

Employee had no real backup

Had multiple levels of responsibility

Employee enforced policy for everyone else

Had access to forms to cover fraud

Start small and built up over time

New supervision – limited training

24

Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud

Internal Weaknesses

Poorly trained supervision

Was a program administrator and a cardholder

Limited transparency

Limited audit/review by department

No internal audit

Limited review by accounts payable

Weak purchase oversight, small dollar purchases

Start small and built up over time

New supervision – limited training

25

Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud

Best Practices/Learning Points

Act quick and decisively

Advise senior management immediately

Get HR involved

Think before you act or say anything

Consider the consequences

Work the data

There is a reason for the program

There are corrective actions

There have been successful accomplishments

26

Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud

Best Practices/Learning Points

Clearly define the underlying issues

Have the facts straight

Describe why the program exist

Describe the effectiveness

Describe what you are doing to resolve the issue

Consider the former employee

Consider the current co-workers

27

Case Study Recovering From Employee FraudCase Study Recovering From Employee Fraud

Corrective Action Steps

New reporting requirements

Transaction monitoring

Minimum use requirements

Card Authorizations

Review of authorized levels

Internal audit corrective action plans

New supervisor manual

28

MasterCoverage Liability Protection Program MasterCoverage Liability Protection Program

Coverage afforded by MasterCard to indemnify entities for instances of employee abuse

Maximum coverage of $100K per cardholder

Program administrator action required

Adhere to claim criteria

Limited to certain activity up to 75 days before and 14 days after JPMC is notified of employee termination

Claims available through customer service or program coordinator

Key Requirements

Employee must be terminated

Cards must be cancelled within two business days of employee termination date

29

MasterCoverage Liability Protection Program MasterCoverage Liability Protection Program

Key Exclusion

Department Cards

Charges made by someone who is not an employee

30

State of Oklahoma Audit FindingsState of Oklahoma Audit Findings

31

State of Oklahoma Purchase Card AuditsState of Oklahoma Purchase Card Audits

2006 Audit Cycle

Purchase Card Expenditures $17.9MM

For the agencies audited, there was $7MM or 39% of purchase card expenditures

25 Agencies audited

On average of 42% of the expenditures for each Agency were tested

Estimated administrative cost savings for the State of Oklahoma for calendar year 2006 of $6.4 MM*

*2005 RPMG Research, P-Card Benchmark Survey Results

32

Most Common Purchase Card Audit FindingsMost Common Purchase Card Audit Findings

Receipts filed were not properly signed, dated, and annotated as “Received”

Internal Procedures were not properly submitted or updated to the Department of Central Services

Memo Statements were not properly signed, dated, or included in the Agency’s purchase documentation

Employee Agreements that were not signed by participating employees of the Purchase Card program

33

Highest Occurrences of Quantifiable Audit FindingsHighest Occurrences of Quantifiable Audit Findings

Applicable items that exceeded $500 were not included on the inventory list of the Agency

Receipts reviewed were not properly signed, dated, and annotated as “Received”

Employee Agreements that were not signed by participating employees of the Purchase Card program

34

Findings Associated with Highest Dollar AmountFindings Associated with Highest Dollar Amount

Total purchase card expenditures exceeding the amount encumbered by the agency

Purchase card transactions not having appropriate documentation

Purchase card transactions not having a detailed or itemized receipt

35

Highest Error Rate Associated with Purchase Card Highest Error Rate Associated with Purchase Card FindingsFindings

Agencies who reported lost cards did not have Missing Lost Card Reports on file at the time of the audit

Items for Inventory were not included on the inventory list of the Agency

36

Outcome of Continuous Monitoring PerformedOutcome of Continuous Monitoring Performed

13 agency directors voluntarily deactivated cards due to lack of or inappropriate Approving Officials

4 more agency directors deactivated their cards during or regular audits

5 purchase cards were cancelled and 4 were placed on hold due to cardholders not recorded on the DCS training log

37

Questions?Questions?

38

ContactsContacts

David W Cox

Vice President

JPMorganChase

(312) 954-3533

Lisa Martin

Department of Central Services

State of Oklahoma

(504) 522-1654