Overview of Card Regulations, Disputes, & FraudTina Giorgio, President & CEO

ICBA Bancard Inc.

Agenda

• Regulation Overview• Chargebacks• Fraud Trends• Fraud Prevention • Investigation Strategies• Fraud Tool Box• Response Plan

2

Regulation Overview

Regulation E

• First adopted in 1978, established obligations, rights and liabilities of participants in EFT and Remittance Transfer Systems

• “Transfer” by definition is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a Consumer’s Account

• A Consumer is defined as a natural person.• An Account is defined as an account used for personal, family or

household purposes.• A business is not a consumer, however a sole proprietor may be

consider a Consumer under Regulation E.

Regulation E, cont.

• Consumer Responsibilities• Notify the bank within two business days of discovering the

“error”o Consumer liability is limited to $50

• After two business days, the Consumer has 60 days from the statement mailing to report the error.o Consumer liability is limited to $500

• Anything after 60 days does not apply (unless there are extenuating circumstances, e.g. hospital stay)

Regulation E, cont.• Bank Responsibilities

• Must resolve the dispute within 10 business days or give the Consumer provisional credit – reduced to 5 business days for Visa and Mastercardo Any overdraft fees or service charges must be reversed

• Consumer notification in writing of provisional credited and full use of the funds during the investigation

• The dispute must be resolved within 45 days (90 for POS) or the credit is final no matter what the outcome

• Final resolution letter is required within 3 business days and credit cannot be reversed for 5 business days after the notice

Visa and Mastercard Zero Liability Policies

• Visa and Mastercard both have a Zero Liability Policy on purchases made with a debit card

• If a Consumer notifies the bank within two business days of discovering an error, the Consumer liability for the transaction(s) is $0

• If a Consumer notifies the bank after two business days but before 60 days from statement mailing, the Consumer liability is $50

• Also offer liability waiver on commercial and business cards (not part of the regulations)

Regulation Z

• The liability for unauthorized use is a maximum of $50• The Consumer has 60 days from the receipt of the statement to

report the error• Issuer has two billing cycles to resolve• Consumer cannot be billed/debited for disputed amount(s)• Bank cannot adversely affect the Consumer’s credit report• If the credit is attached to a debit card, Reg E applies, not Reg Z

Chargebacks

The Cardholder

The Issuing Bank

The Card Brand

The Processor

The Merchant

The Dispute Process

Chargeback Changes

• April 2018 Visa Claims Resolution (VCR) launched• Reduce dispute timeframes

o Closure timeframe has decreased to avg. 16 days from 54 dayso Arbitration acceptance rates have increased

• Queue management – displays days to next action to ensure compliance

• Most rejects result from ineligible claims or wrong claim types• Know your dispute type (e.g. CP, CNP, POS Mode, etc.)

Fraud Trends

Fraud Continues to Shift with EMV Adoption

• 67% of cards representing 97% of payment volume are chip cards• 2.9M merchants are chip enabled and processed 1.5B transactions• Counterfeit card fraud has dropped by over 50% since the liability

shift in 2015• Contactless is next and is getting faster adoption than chip alone did,

especially now that first generation chips are expiring

Fraud Rates - Debit

• 79% of the fraud occurs in the card not present environment• CNP represents over 50% of sales volume and is growing 3%/year

• Fraud rates have remained fairly flat since 2016• CP represents 4.2 bps of sales volume while CNP represents 25.4 bps of sales

volume making the blended fraud rate 14.6 bps of sales

• Fraud rates for Bancard clients are much lower• CP represents 2.0 bps and CNP represents 15.0 bps

Fraud Rates - Credit

• Credit fraud losses are higher than debit • More loss per occurrence

• Have remained fairly flat since 2016• CP represents 11.0 bps of sales volume while CNP represents 22.2 bps of sales

volume making the blended fraud rate 14.6 bps of sales

• Fraud rates for Bancard clients• CP represents 11.2 bps and CNP represents 24.3 bps

Fraud Prevention

Fraud Types• Lost/Stolen• Not Received Issue (NRI) Cards• Fraudulent Application• Account Takeovers• Counterfeit (Skimming)• Card Not Present

17

Fraud Prevention Best Practice

•Neural Networks•Data Matching•Address Verification Service•Address change monitoring•Daily parameter controls•Report Monitoring•3D Secure Solutions

Authorization Parameters• Daily Controls• Code Blocks• Authorizations• Payment Parameters• Over Limit Levels• PIN Validation• Credit Line Management Controls

19

Authorization Parameter Settings• Issuers should review or evaluate their

authorization parameter settings and controls either on a quarterly basis or every six months

• Daily Limits• Velocity• Dollar Amounts• Merchant Code Blocks (MCC/SIC)• Payment Parameters

20

Visa CAMS and MasterCard ADC Alerts

• The Visa Compromised Account Management System (CAMS) and the MasterCard Account Data Compromise Event (ADC) is a tool to inform your institution of a situation involving stolen, recovered, or compromised credit or debit accounts.

• As the issuer and owner of the accounts, your institution has the responsibility to determine the best action to take to secure your interest and protect your institution from fraud losses.

• Create a severity rating based on the elements that are considered “at risk” to help aid the decisioning factor whether to block and reissue an account or to monitor the account for possible fraud trends

21

Investigation Strategies

Investigation Strategies

• Review Fraud Trend and identify fraud type• Identify the number of accounts impacted• Conduct CPP – Common point of purchase analysis• Compile fraud data to present as financial evidence. • Contact local law enforcement to present case

23

Investigations – Law Enforcement Reporting• Financial Evidence - Provide all fraud

transaction data to law enforcement• Elements to include in report• Approved fraud transactions including overall

total• Declined fraud transactions including overall

total• Fraudulent payments including overall total• Overall total amount for all fraud activity

24

Investigation – Law Enforcement Case Types

• Assist with Various Cases• Family/Friendly fraud cases• First party fraud cases• Traditional fraud cases• Internal fraud cases

• LEO Requests• U. S. Secret Service• U.S. Marshals Financial Surveillance Unit• FBI – Cybercrime Division• U.S. Postal Inspection Service• Local, State, & International law enforcement agencies

25

Fraud Tool Box• Crimedex Alerts

o https://www.crimedex.com/• International Association of Financial Crimes Investigators – IAFCI

o https://www.iafci.org/• Association of Certified Fraud Examiners – ACFE

o http://www.acfe.com/• United States Secret Service eInformation Network

o https://www1.einformation.usss.gov/eInformation/home.seam• United States Secret Service Electronics Crimes Task Force – ECTF

o http://www.secretservice.gov/ectf.shtml• FICO Card Alert Network Fraud Forum

o https://community.fico.com/community/fraud-alert-network• National Cyber Forensics Training & Alliance – NCFTA

o http://www.ncfta.net/

26

Response Plan

Steps to respond to a fraud trend:

• Evaluate the situation:• Network in your community• Review & adjust your controls and parameters• Notify appropriate law enforcement• Notify insurance company

Questions?Tina.Giorgio@icba.org

@tnagiorgio

Blog: icba.org/bancard/news-events/tinas-take-on-payments