About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

September 17, 2018


Insuring against Business Email Compromise Fraud

In July, an FBI public service announcement reported that global losses from business email compromise (BEC) fraud exceeded $12.5 billion in the four-and-a-half years from October 2013 to May 2018. Important to managing any fraud is a good risk management strategy, as my colleague recently discussed. The table lists some of the strategies you can use to protect yourself against BEC.

Risk Management Strategy Elements Description Example
Avoidance Implement policies and procedures to avoid risk. Accept no payment transaction instructions via email.
Mitigation Use controls and policies to reduce risk. Require dual authorization for large-value payments.
Transfer Transfer the losses associated with a fraudulent event. Purchase an insurance policy.
Acceptance Budget for fraud losses and litigation/fines related to security incident. Maintain funds in a reserve account.

This post will focus on risk transfer—specifically, it will discuss some appellate court legal developments on insurance policies and coverage related to BEC scams. This post is not intended to offer legal advice but rather, by highlighting rulings in three recent cases, to illustrate some of the challenges associated with BEC scams and transfer strategies using insurance policies. The question is whether or not the computer fraud coverage in a commercial crime policy covers losses from social engineering fraud such as BEC or payment instruction fraud. Judgments in three recent cases have been mixed, one in favor of the insurance company and two others in favor of the compromised businesses.

In April, the Ninth Circuit Court of Appeals ruled that Aqua Star's losses stemming from payment instruction fraud, a type of BEC scam, were not covered under its computer crime insurance policy. In this case, a criminal posing as a vendor of Aqua Star duped an employee through email to change the vendor's bank account information. More than $700,000 was wired from the company to the criminal's account. The court found that, even though the criminal used electronic means to dupe the employee, the Aqua Star insurance policy did not cover the loss because an authorized employee accessed the company's systems and changed the wiring instructions.

In contrast, in July, appellate courts ruled in favor of two businesses that sought coverage from loss of funds to a BEC scam. In the first, a BEC scheme victimized Mediadata to the tune of nearly $4.8 million. An accounts payable clerk was tricked into wiring money into a criminal's account with an email that appeared to be from the company's president and a spoofed phone call that seemed to be from a Mediadata attorney. The Second Circuit Court of Appeals concluded that, in this instance, Mediadata was covered by its computer fraud policy because the fraudster used a computer code to alter a series of email messages to make them appear legitimate—even though Mediadata computers weren't directly hacked.

Then one week later, the Sixth Circuit Court of Appeals ruled in favor of American Tooling Center (ATC). This company was also victimized by a BEC scheme and lost more than $800,000. In this case, the money was wired to a criminal's bank account after the perpetrator intercepted emails between ATC and a vendor and then began impersonating the vendor. The court rejected the insurance company's argument that the losses were excluded because an ATC employee caused the loss by changing the payment instructions. Instead, the court determined that computer fraud does not require unauthorized access to a company's computer systems and that a company can claim a direct loss as a result of an employee being duped.

These cases show the difficulty in understanding what types of fraud losses might be specifically covered under your insurance policy since the courts do not always agree. Some insurance companies now offer separate BEC riders, which could prove valuable in the event you are a victim of this fraud. Because the crimes can result in significant losses, it is also important to know how much coverage is available under commercial crime policies, and imperative to ensure that the coverage is sufficient for losses that can arise from this type of fraud. Are you insuring your company from BEC fraud?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 17, 2018 in risk management | Permalink | Comments ( 0)

September 10, 2018


The Case of the Disappearing ATM

The longtime distribution goal of a major soft drink company is to have their product "within an arm's reach of desire." This goal might also be applied to ATMs—the United States has one of the highest concentration of ATMs per adult. In a recent post, I highlighted some of the findings from an ATM locational study conducted by a team of economics professors from the University of North Florida. Among their findings, for example, was that of the approximately 470,000 ATMs and cash dispensers in the United States, about 59 percent have been placed and are operated by independent entrepreneurs. Further, these independently owned ATMs "tend to be located in areas with less population, lower population density, lower median and average income (household and disposable), lower labor force participation rate, less college-educated population, higher unemployment rate, and lower home values."

This finding directly relates to the issue of financial inclusion, an issue that is a concern of the Federal Reserve's. A 2016 study by Accenture pointed "to the ATM as one of the most important channels, which can be leveraged for the provision of basic financial services to the underserved." I think most would agree that the majority of the unbanked and underbanked population is likely to reside in the demographic areas described above. One could conclude that the independent ATM operators are fulfilling a demand of people in these areas for access to cash, their primary method of payment.

Unfortunately for these communities, a number of independent operators are having to shut down and remove their ATMs because their banking relationships are being terminated. These closures started in late 2014, but a larger wave of account closures has been occurring over the last several months. In many cases, the operators are given no reason for the sudden termination. Some operators believe their settlement bank views them as a high-risk business related to money laundering, since the primary product of the ATM is cash. Financial institutions may incorrectly group these operators with money service businesses (MSB), even though state regulators do not consider them to be MSBs. Earlier this year, the U.S. House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing over concerns that this de-risking could be blocking consumers' (and small businesses') access to financial products and services. You can watch the hearing on video (the hearing actually begins at 16:40).

While a financial institution should certainly monitor its customer accounts to ensure compliance with its risk tolerance and compliance policies, we have to ask if the independent ATM operators are being painted with a risk brush that is too broad. The reality is that it is extremely difficult for an ATM operator to funnel "dirty money" through an ATM. First, to gain access to the various ATM networks, the operator has to be sponsored by a financial institution (FI). In the sponsorship process, the FI rigorously reviews the operator's financial stability and other business operations as well as compliance with BSA/AML because the FI sponsor is ultimately responsible for any network violations. Second, the networks handling the transaction are completely independent from the ATM owners. They produce financial reports that show the amount of funds that an ATM dispenses in any given period and generate the settlement transactions. These networks maintain controls that clearly document the funds flowing through the ATM, and a review of the settlement account activity would quickly identify any suspicious activity.

The industry groups representing the independent ATM operators appear to have gained a sympathetic ear from legislators and, to some degree, regulators. But the sympathy hasn't extended to those financial institutions that are accelerating account closures in some areas. We will continue to monitor this issue and report any major developments. Please let us know your thoughts.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 10, 2018 in banks and banking , consumer protection , financial services , money laundering , regulations , regulators , third-party service provider | Permalink | Comments ( 0)

September 4, 2018


The First Step in Risk Management

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

Chart-image

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

There are more than 250 different security frameworks globally. Examples include the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the Capability Maturity Model Integration (CMMI)®, and the Center for Information Security's Critical Security Controls. (In addition, many industries have industry-specific standards and laws, such as health care's HIPAA, created by the Health Insurance Portability and Accountability Act.) Each framework is essentially a set of best practices that enables organizations to improve performance, important capabilities, and critical business processes surrounding information technology security.

But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.

So, outside of complying with legal and regulatory requirements, how do you determine which framework or frameworks to adopt?

It depends! A Tenable Network Security report, Trends in Security Framework Adoption, provides insight into commonly adopted frameworks as well as the reasons companies have adopted them and how fully. Typically, organizations first consider security frameworks that have a strong reputation in their industries or for specific activities. They then look at compliance with regulations or mandates made by business relationships.

This chart shows reasons organizations have adopted the popular NIST Cybersecurity Framework.

Improving-critical-infrasture-cybersecurity-graph

The study found that there is no single security framework that the majority of companies use. Only 40 percent of respondents reported using a single security framework; many reported plans to adopt additional frameworks in the short term. Close to half of organizations (44 percent) reported they are using multiple frameworks in their security program; 15 percent of these are using three or more.

This year, the Federal Reserve System's Secure Payments Taskforce released Payment Lifecycles and Security Profiles, an informative resource that provides an overview of payments. Each payment type accompanies a list of applicable legal, regulatory, and industry-specific standards or frameworks. Spoiler alert: the lists are long and complex!

Let me point out a subsection appearing with each payment type that is of particular interest to this blog: "Challenges and Improvement Opportunities." Scroll through these subsections to see specific examples calling for more work on standards or frameworks.

Organizations need choices. But having too many frameworks to choose from, coupled with their constantly changing nature and the fluid payments environment, can complicate the implementation of a risk management strategy. With so many choices and so much in flux, how did you manage with step one of your risk management strategy?

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 4, 2018 in consumer protection , cybercrime , cybersecurity , payments risk , risk management | Permalink | Comments ( 0)

August 27, 2018


Who Owns Your ATM?

Counting the number of ATMs in the United States has been a challenge since 1996, when independent operators (nonfinancial institutions) started deploying ATMs/cash dispensers. That was when Visa and MasterCard dropped their prohibition against surcharges. But a recent study sponsored by the National ATM Council largely overcame that challenge while also gathering some interesting results about the locational aspects of the independently owned ATMs compared to machines owned by financial institutions (FI).

The study was conducted earlier this year by a team of economics professors from the Department of Economics and Geography in the University of North Florida's Coggin School of Business. The study's primary objective was to determine whether the locations of independently owned ATMs and FI-owned ATMs were different in terms of demographics and socioeconomic status.

Using a database from Infogroup, the team identified 470,135 ATMs operating in 2016. About 41 percent of these were FI-owned, and the rest were independently owned. The majority of the independent ATMs are in retail establishments, with heavy concentrations in convenience stores, pharmacies, and casual dining locations.

FI owned ATMs Duval Median Household Income 2016 Independently owned ATMs Duval Median Household Income 2016
(Click on the images to enlarge.)

The research team plotted the locations of all the ATMs, overlaying demographic and socioeconomic data they obtained from the U.S. Census Bureau and its American Community Survey. Among the 10 main elements the researchers used were median age, unemployment rate, education level, household income, disposable income, and average home values.

They concluded that the independent ATMs "tend to be located in areas with less population, lower population density, lower median and average income (household and disposable), lower labor force participation rate, less college-educated population, higher unemployment rate and lower home values."

So what does this mean?

Well, it means that the independently owned ATMs are providing a vital service in rural and inner-city areas. Other studies—such as the Federal Reserve's Diary of Consumer Payment Choice—have shown that lower-income households (those earning less than $50,000) use cash as their primary method of payment. Therefore, these independent ATM owners are giving these households access to financial services that would otherwise be limited.

A post from December 2014 highlighted some of the challenges the independent operators were facing. Stand by for a future post that will provide an update on this part of our country's payment ecosystem.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 27, 2018 in banks and banking , financial services | Permalink | Comments ( 0)

Google Search



Recent Posts


Archives


Categories


Powered by TypePad