
Post on 24-Dec-2015


Framework for Assessing Risk

Managing ACH Risk Coming & Going

Kim A. Bruck, AAP, Vice President, Business Development

ACH ALERT, LLC

Patrick D. Collins, Vice President, Product Management

Associated Bank

June 7, 2012


Oh, the Stuff You Will Learn!


What can you expect to accomplish here today:

1. Understanding what banks consider as they review ACH processing risk

2. Risk is more than just financial

3. How does this affect you, the corporate customer

4. Hear about a few solutions to address processing risk


Getting to know you

• Which type of ACH activity do you feel represents the most risk for your FI?
  – ACH Debit Origination
  – ACH Credit Origination
  – Incoming ACH Items
• What are specific concerns?
• Which type of ACH activity do you feel represents the most risk for your clients?
  – ACH Debit Origination
  – ACH Credit Origination
  – Incoming ACH Items
• What are specific concerns?


ACH Risk Coming & Going

• RDFI
  – Unauthorized debits
  – Credits due to account takeover
• ODFI
  – Origination of unauthorized debits
  – Account takeover
• Type of business identity theft in which the criminal entity steals a company’s valid online banking credentials
  – Not about the compromise of the payments system itself
• What happens once the cyber-thief has the online banking credentials?
  – Initiate funds transfers out of the compromised business account by ACH or wire to an FI account of associates (money mules) in the US or directly overseas


How It Happens

• A computer can become infected with malware, which can then spread across the business’ entire network
  – An infected document attached to an e-mail
  – A link within an e-mail that connects to an infected website
  – Employees visiting legitimate websites
  – An employee using a flash drive that was infected by another computer
• Systems are then exploited to obtain legitimate security credentials


Corporate Account Takeover Scenario

1. E-mail with embedded Trojan is opened by the Originator
2. Originator enters credentials for Online Banking; the Trojan captures these credentials and sends them to the criminal
3. Criminals collect Online Banking credentials
4. Criminal logs into the Originator’s Online Banking profile and modifies the outbound ACH credit file to incorrect routing & account numbers
5. Mules withdraw cash and forward it to criminals overseas
6. Criminals go undiscovered
7. Originator/FI is out of the money


I. What can you expect to accomplish here today:

• Better understanding of what drives banks’ risk considerations, philosophy and solutions
  – Strategy
  – Policy
  – Credit exposure
  – Customer protection
  – Regulations & Laws
  – Industries of interest, or not
  – Revenue compared to risk
  – Solutions
    • KYC
    • Periodic reviews
    • Input controls
    • Behavioral monitoring
    • Automated tracking
    • Education


Automated Clearing House Strategic Statements

• Associated Bank will be both a receiver and an originator of ACH transactions as defined by the NACHA rules that govern policy and operational procedures.

• ABC will stay current with all obligations as outlined by NACHA’s periodic updates.

• ABC will be current to within 6 months of major software releases.

• Be appropriately competitive with similar offerings of our peer group.

• If there are opportunities that prevail for ABC to be more proactive, we will act swiftly to create a service or product that meets the financial, strategic, or tactical objectives of our organization.

• Maintain the highest level of accuracy, compliance and availability that ABC can reasonably provide.

• Customer contracts and agreements will define the services that will be provided to each customer and to each transaction account.

• ABC will position itself as an active member and leader in the ACH community through the participation with local ACH association. ABC’s current primary local association is WACHA.

• ABC will participate with the NACHA organization for the annual conference and/or other meetings plus seek participation with committee membership if beneficial to the bank.


Policy Should Include

• Target Businesses
• High Risk Businesses
• Required Underwriting
• Renewals
• Establishing Exposure Limits
• Regulation O
• International Transactions
• Suspended Files
• Required Documentation
• Approval Authority
• Roles and Responsibilities
• Risk Mitigation Techniques
• Deteriorating Credits
• Fraud Prevention
• Variances from Policy
• Profitability of ACH, including ACH related losses
• Trend information on volume, returns, transaction types
• ACH Exposure compared to Tier 1 Capital Ratios
• Risk in ACH Portfolio
• High volume return rate clients
• Violations and Fines


The Bee Watcher


The Bee-Watcher-Watcher watched the Bee-Watcher


What are some of the regulations and rules?

– ACH Operating Rules & Guidelines
– ACH Risk Management Handbook
– The Green Book
  • Guide to Federal ACH Payments and Collections
– Federal Regulation E
– OFAC (Office of Foreign Assets Control)
– FFIEC - Federal Financial Institutions Examination Council
– Uniform Commercial Code Article 4A
  • Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank

Uniform Commercial Code Article 4A, cont.

• A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.


2. More than just financial

Non-financial losses experienced by FIs in 2010:

• 45% - Loss of productivity
• 37% - Customer confidence and reputation
• 18% - Customer accounts moved to another FI
• 16% - No losses
• 12% - Regulatory or other compliance issues

Source: Security Media Group 2010

3. How does this affect you?

• Policy of a bank says we will do all things for all companies…
• Credit exposure is established at the setup
  – File limits, warehouse limits, transaction variances, etc.
  – Pre-funding
• Customer protection, again at setup
  – Service agreements
  – Authorization
• Regulations and laws
• Industries of interest, or not
  – Third party processors
  – Gaming
  – Health Care
• Revenue to risk

Corporate Customer Perspective

• Which type of ACH activity do you feel represents the most risk for the financial institution?
  – ACH Debit Origination
  – ACH Credit Origination
  – Incoming ACH Debits
  – Incoming ACH Credits

The banks perspective

• What about specific Service Entry Codes such as IAT, POP, TEL, WEB?
• How about return items?
  – Commercial
  – Consumer
• Did you consider the settlement process?
  – What is the offset account?
  – What about items that have settlement dates outside of the normal 1-day debit and 2-day credit?
• What role does a third party processor play for the bank and the corporate customer?

Business Process Controls

• Training, Policies & Procedures
• Reviews, Exposure Limits & Dual Controls
• Return reporting
  – Check with ACH Operators for risk and origination reporting tools
• Positive Pay
  – Incoming and Outgoing ACH
  – Check
• Alerts
  – Incoming and Outgoing ACH
  – Outgoing Wire
• FFIEC Guidance and other regulations
• Layered Security
• Authentication techniques
• Tools & Technology

Sound Business Practices: Corporate

• Layered System Security
  – Appropriate tools to prevent and deter unauthorized access to its network, and periodic review of such tools to ensure they are up to date
  – Install robust anti-virus and security software
  – Multi-layered system security technology
  – Security suites so all security options work together to provide superior protection

Sound Business Practices: Corporate

• Online Banking Safety
  – Dedicate one computer exclusively to online banking and cash management activity
  – Disallow a workstation used for online banking to be used for general Web browsing and social networking
  – Verify use of a secure session (https) in the browser for all online banking
  – Disallow the conduct of online banking from free Wi-Fi hot spots
  – Cease all online banking activity if the online banking application “looks” different than usual

© 2012 ACH Alert LLC. All Rights Reserved. 28

FFIEC Guidance Supplement – FI’s

• The Federal Financial Institutions Examination Council (FFIEC) issued a supplement (June 28, 2011) to the Authentication in an Internet Banking Environment guidance issued in October 2005
  – What is the purpose?
    • Reinforce the risk management framework in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security and other controls in the increasingly hostile online environment
    • More focus on business accounts

Why does the FFIEC Guidance matter to you the Corporate client?

• Online business transactions
  – Generally ACH file origination & wire transfers
• FIs should implement
  – Layered security
  – Multi-factor authentication

Layered Security Program

• The Agencies expect that an institution’s layered security program will contain the following two elements, at a minimum:
  – Detect and Respond to Suspicious Activity
  – Control of Administrative Functions

Layered Security Programs

• Detect and Respond to Suspicious Activity
  – Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to:
    • Initial login and authentication of customers requesting access to the institution’s electronic banking system; and
    • Initiation of electronic transactions involving the transfer of funds to other parties.

Tools & Technology

• Transaction monitoring/anomaly detection software
  – Suspicious funds transfers
  – Out of the ordinary
  – Patterns of behavior
  – Not approved recipient based on routing number and account number
  – White list

Tools & Technology

• Out-of-band authentication
  – A transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., phone) in order for the transaction to be completed
• Validation of the routing number & account number (aka Positive Pay/white list)

Tools & Technology

• Focus on the point of entry
  – Online banking log in
  – Transmission of the file
• Once the file is at the FI from online banking
  – Validation of the routing number and account number after it’s left online banking and before it goes to the processor or ACH Operator
• Positive Pay
• Out-of-band alerts
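Added example (not code from the presentation, ACH Alert or Associated Bank) of the check described on this slide and under transaction monitoring above: each NACHA entry detail record of an outbound credit file is parsed, its ABA routing number check digit is validated, and the routing/account pair is matched against an approved-recipient list, with misses handed to out-of-band review. The approved list and the three sample entries are constructed.

```python
# Added example (not the presentation's, ACH Alert's or Associated Bank's code).
from typing import NamedTuple
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)

def routing_number_is_valid(rtn: str) -> bool:
    """ABA check-digit rule: the (3,7,1)-weighted digit sum must be divisible by 10."""
    return (len(rtn) == 9 and rtn.isdigit()
            and sum(w * int(d) for w, d in zip(ABA_WEIGHTS, rtn)) % 10 == 0)

class EntryDetail(NamedTuple):
    routing: str        # receiving DFI id + check digit (9 digits)
    account: str
    amount_cents: int
    name: str
    trace: str

def parse_entry_detail(record: str) -> EntryDetail:
    """Parse a 94-character NACHA '6' entry detail record by fixed-width position."""
    if len(record) != 94 or record[0] != "6":
        raise ValueError("not a 94-character entry detail record")
    return EntryDetail(routing=record[3:12], account=record[12:29].strip(),
                       amount_cents=int(record[29:39]), name=record[54:76].strip(),
                       trace=record[79:94])

def build_entry(routing, account, amount_cents, name, trace, txn_code="22"):
    """Demo helper: builds a constructed sample record, padding fields to NACHA widths."""
    rec = ("6" + txn_code + routing + account.ljust(17) + f"{amount_cents:010d}"
           + "EMP001".ljust(15) + name.ljust(22) + "  " + "0" + trace)
    assert len(rec) == 94
    return rec

def screen_credit_file(records, approved):
    """Positive-pay style screen: returns (cleared entries, alerts for out-of-band review)."""
    cleared, alerts = [], []
    for e in map(parse_entry_detail, records):
        if not routing_number_is_valid(e.routing):
            alerts.append((e.trace, "routing number fails check digit"))
        elif (e.routing, e.account) not in approved:
            alerts.append((e.trace, "recipient not on approved list"))
        else:
            cleared.append(e)
    return cleared, alerts

# Constructed sample: an approved payroll credit, the same credit with the account
# number changed (the takeover scenario), and one with a mistyped routing number.
APPROVED = {("123456780", "1122334455")}
SAMPLE_FILE = [
    build_entry("123456780", "1122334455", 250000, "JANE DOE", "123456780000001"),
    build_entry("123456780", "9988776655", 250000, "JANE DOE", "123456780000002"),
    build_entry("123456789", "1122334455", 250000, "JANE DOE", "123456780000003"),
]
```

Only the first entry clears; the second shows why the name alone is not enough and the account number must be matched too.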

Tools & Technology

• Wire transfers
  – Call back
  – Fax confirmation
  – Monitoring/out-of-pattern behavior
  – Validation/white list
  – Out-of-band alerts

The Stats

• Did you know that 860,000 attempts are made EACH day to hack into systems?
• There are about 75,000 new strains of malware EACH day.

Resources

• Sample of Education Video http://www.achalert.com/index.php?page=demo-bank-usa

• NACHA Corporate Account Takeover Resource Center http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm


Contact Information

• Kim A. Bruck, AAP, Vice-President, Business Development, ACH ALERT, LLC
  – kbruck@achalert.com
  – 1-866-265-8961 x 115
  – www.achalert.com


Contact Information

Patrick Collins, Vice-President

Associated Bank

740 Marquette Avenue

Minneapolis, MN 55402

(612) 359-4445

Patrick.Collins@associatedbank.com
