About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

December 3, 2018


Building Blocks for the Sandbox

I just returned from a leave of absence to welcome my third child to this world. As I catch up on payments news, one theme emerging is the large number of state and federal regulatory bodies launching their own fintech sandboxes. Typically, these testing grounds allow businesses to experiment with various "building blocks" while they innovate. Some businesses are even allowed regulatory relief as they work out the kinks. As I've researched, I've found myself daydreaming about how my new little human also needs to work with the right building blocks, or core principles, to ensure he develops properly and "plays nice" in the sandbox.

But—back to work. What guidance do fintechs have available to them to grow and prosper?.

On July 31 of this year, the U.S. Department of the Treasury released a report suggesting regulatory reform to promote financial technology and innovation among both traditional financial institutions and nonbanks. The report in its entirety is worth a review, but I'll highlight some of it here.

The blueprint for a unified regulatory sandbox is still up for discussion, but the Treasury suggests a hierarchical structure, either overseen by a single regulator or by an entirely new regulator. The Treasury suggests that Congress will likely have to assist by passing legislation with the necessary preemptions to grant authority to the newly created agency or a newly named authoritative agency.

The report outlines these core principles of a unified regulatory sandbox:

  • Promote the adoption and growth of innovation and technological transformation in financial services.
  • Provide equal access to companies in various stages of the business lifecycle (e.g., startups and incumbents). [The regulator should define when a business could or should participate.]
  • Delineate clear and public processes and procedures, including a process by which firms enter and exit.
  • Provide targeted relief across multiple regulatory frameworks.
  • Offer the ability to achieve international regulatory cooperation or appropriate deference where applicable.
  • Maintain financial integrity, consumer protections, and investor protections commensurate with the scope of the project, not be based on the organization type (whether it's a bank or nonbank).
  • Increase the timeliness of regulator feedback offered throughout the product or service development lifecycle. [Slow regulator feedback is typically a deterrent for start-up participation.]

Clearly, the overarching intent of these principles is to help align guidance, standards, and regulation to meet the needs of a diverse group of participants. Should entities offering the same financial services be regulated similarly? More importantly, is such a mission readily achievable?

People have long recognized the fragmentation of the U.S. financial regulatory system. The number of agencies at the federal and state levels with a hand in financial services oversight creates inconsistencies and overlaps of powers. Fintech innovations even sometimes invite attention from regulators outside of the financial umbrella, regulators like the Federal Communications Commission or the Federal Trade Commission.

In the domain of financial services are kingdoms of industry. Take the payments kingdom, for example. Payments are interstate, global, and multi-schemed (each scheme with its own rules framework). And let's be honest, in the big picture of financial services innovations and in the minds of fintechs, payments are an afterthought, and they aren't front and center in business plans. Consumers want products or services; payments connect the dots. (In fact, the concept of invisible payments is only growing stronger.)

What is more, a fintech, even though it may have a payments component in its technology, might not identify itself as a fintech. And a business that doesn't see itself as a fintech is not going to get in line for a unified financial services regulator sandbox (though it might want to play in a payments regulator sandbox).

When regulatory restructuring takes place, I hope it will build a dedicated infrastructure to nurture the payments piece of fintech, so that all can play nice in the payments sandbox. (Insert crying baby.)

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 3, 2018 in bank supervision , emerging payments , financial services , fintech , innovation , regulations , regulators | Permalink | Comments ( 0)

November 19, 2018


Smaller FIs Weigh In on Mobile Financial Services

I have previously written several posts on the Sixth District's 2016 Mobile Banking and Payments Survey results as well as the consolidated results of the 2016 survey involving financial institutions (FIs) in the Atlanta Fed's district and six other Federal Reserve districts. Readers will recall that the primary goal of the survey was to allow the Federal Reserve and industry stakeholders to better understand the status of financial institutions' strategies with regard to mobile banking and payments products and services.

As a follow-up to this work, the Federal Reserve districts of Atlanta, Boston, Cleveland, Kansas City, Minneapolis, and Richmond conducted a "quick-hit" survey in June 2018 of the FIs that did not respond to the detailed 2016 survey. The survey consisted of just five questions pertaining to mobile financial service offerings. It also gathered some demographic data. A total of 565 FIs responded, representing an 11.7 percent response rate. You can find a report that the Payment Strategies Group at the Federal Reserve Bank of Boston prepared on the Boston Fed website.

As a group, the FIs responding to the 2018 survey were smaller in asset size than were respondents to the 2016 survey.

Chart-one

Some of the key takeaways in the report include:

  • Of the 2018 respondents, 88 percent of banks and 81 percent of credit unions currently offer mobile banking services or plan to offer them by the end of 2018.
  • Fifty-five percent of the respondents reported that more than 20 percent of their customers were active mobile banking users.
  • Surprisingly, 14 percent of the respondents indicated they have no plans to offer mobile banking services. All but one of the FIs that have no plans to offer mobile banking had assets under $500 million. These FIs were almost evenly split between credit unions (33) and banks (36).
  • Not tracking or being unwilling to reveal customer usage levels of mobile banking services remains an issue; 29 percent of the respondents did not answer the question. My opinion is that it's the latter reason, given that a standard reporting option of mobile banking systems is to be able to track enrollment and unique sign-on activity.
  • Offerings of mobile payment services continue to lag significantly behind mobile banking. Of the 2018 responses, 57 percent currently offer or plan to offer them, while 43 percent have no plans to offer them or were undecided.

We will be conducting the detailed Mobile Banking and Payments survey in early 2019 and look forward to sharing the results with you.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

November 19, 2018 in mobile banking , mobile payments , payments study | Permalink | Comments ( 0)

November 13, 2018


In Payments, What I Say May Not Match What I Do

How do you like to pay your bills? Perhaps you schedule bills to pay automatically by bank account number so you don't miss a due date. Or maybe you would rather review a paper statement and then mail a check.

By number, U.S. consumers report paying 4 in 10 bills by electronic means—for example, by using their online banking bill pay function or providing a bank account number at a biller's website. By dollar value, the practice of using electronic transactions to pay bills is also prevalent: about half of bill payments by dollar value are made using online banking bill pay or bank account number payment. These are among findings from the Diary of Consumer Payment Choice, a survey of U.S. consumers released in September of this year.

Chart-one

Source: 2017 Diary of Consumer Payment Choice

The diary also asks respondents how they prefer to pay bills, so we can look at how consumers' stated preferences compare to what they actually do in specific situations. It turns out that 36 percent of consumers prefer online banking bill pay or bank account number payment, and about the same percentage prefer either a debit card or credit card.

Keep in mind that 38 percent of bill payments and 36 percent of consumers are not comparable. Actual behavior is measured in percentage shares of transactions. Preferences are measured in percentage shares of consumers (about 2,900 U.S. adults responded to this nationally representative survey).

We can see, however, the transactions for which consumers deviate from their stated preferences for bill payments. Of the bill payments recorded in the 2017 DCPC, about half were made using the consumers' preferred payment instrument.

Why do we consumers deviate from what we say we prefer? Think of your own payment choices. You might be constrained by what is feasible. For example, you might prefer to pay most bills with a paper check but for bills you pay online, it's impossible to use paper payment instruments. Your choice could be limited by what the payee prefers to accept. For example, your plumber might prefer payment by cash or check. Or you might deviate from your preferred method to save money. For example, your local municipality might put a surcharge on card payments, so paying with your bank account number is less costly. Or, for larger bills, you might use a credit card to earn points.

To see more about how consumers adjust our payment choices given the situation, take a look at the interactive charts detailing payment choice by dollar value, payment type, and remote or in-person payments, as reported in the 2017 Diary of Consumer Payment Choice.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

November 13, 2018 in cards , payments study | Permalink | Comments ( 0)

November 5, 2018


Organizational Muscle Memory and the Right of Boom

"Left of boom" is a military term that refers to crisis prevention and training. The idea is that resources are focused on preparing soldiers to prevent an explosion or crisis—the "boom!" The training they undergo in left of boom also helps the soldiers commit their response to a crisis, if it does happen, to muscle memory, so they will act quickly and efficiently in life-threatening situations.

Image-one

The concept of the boom timeline has been applied to many other circumstances, as I can personally attest. More years ago than I will admit to, I was a teller and had to participate in quarterly bank-robbery training that focused on each employee's role during and immediately after a robbery. The goal was to help us commit these procedures to muscle memory so that when we were faced with a high-stress situation, our actions would be second nature. My training was tested one day when I came face-to-face with a motorcycle-helmet-wearing bank robber who leaped over the counter into the teller area. Like most bank robbers, he was in and out fast, but thanks to muscle memory, we were springing into action as soon as he was leaping back over the counter and running out of the branch.

This type of muscle memory preparation has also been applied to cybersecurity. Organizations commit significant human and capital resources to the left of boom to help prevent and detect threats to their networks. Unfortunately, cybersecurity experts must get things right 100 percent of the time while bad actors have to be right only once. So how do organizations prepare for the right of boom?

Recently, I had the opportunity to observe a right-of-boom exercise that simulated a systemic cyberbreach of the payments system. This event, billed as the first of its kind, was sponsored by P20 and held in Cambridge, Massachusetts. Cybersecurity leaders from the payments industry convened to engage in a war games exercise that was ripped from the headlines. The scenario: a Thanksgiving Day cyberbreach, the day before the biggest shopping day of the year, of a multinational financial services company that included the theft and online posting of 75 million customer records, along with a ransomware attack that shut down the company's computer systems. The exercise began with a phone call from a reporter asking for the company's response to the posting of customer records online—BOOM! Immediately, the discussion turned to an incident response plan. What actions would be taken first? Who do you call? How do you communicate with employees if your system has been overtaken by a ransomware attack? How do you serve your customers? What point is the "in case of fire break glass" moment, meaning, has your organization defined what constitutes a crisis and agreed on when to initiate the crisis response plan?

An overarching theme was the importance of the "commander's intent," which reflects the priorities of the organization in the event of an incident. It empowers employees to exercise "disciplined initiative" and "accept prudent risk"—both principles associated with the military philosophy of "mission command"—so the company can return to its primary business as quickly as possible. In the context of a cyberbreach that has shut down communication channels within an organization, employees, in the absence of management guidance, can analyze the situation, make decisions, and then take action. The commander's intent forms the basis of an organization's comprehensive incident response plan and helps to create a shared understanding of organizational goals by identifying the key things your organization must execute to maintain operations.

Here is an example of a commander's intent statement:

Process all deposits and electronic transactions to ensure funds availability for all customers within established regulatory timeframes.

Having a plan in place where everyone from the top of the organization down understands their role and then practicing that plan until it becomes rote, much like my bank robbery experience, is critical today.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

 

November 5, 2018 in consumer protection , cybercrime , cybersecurity | Permalink | Comments ( 0)

October 29, 2018


Remote Card Fraud: A Growing Concern

Where's the money in card payments? Despite all we hear about e-commerce and other kinds of remote payments, in-person payments remain strong. The total dollar value of in-person card payments exceeded the total dollar value of remote payments in both 2015 and 2016. In-person payments were 56 percent of all card payments by value in 2016, and 58 percent in 2015. By number, the race is not even close: 78 percent of card payments were in person in 2016.

Graph-one

Looking at change from 2015 to 2016, however, another story could be emerging. When we consider the growth in the value of card payments, remote payments grew by 11 percent from 2015 to 2016, compared to about 3 percent growth by value for in-person card payments. By number, in-person card payments increased 5 percent and remote by 17 percent.

It wasn't only remote payments that grew from 2015 to 2016—so did remote fraud. In fact, it grew faster than remote payments did overall. Remote fraud by value grew more than three times faster than the value of remote payments—35 percent compared to 11 percent. By number, remote fraud grew about twice as fast—32 percent compared to 17 percent.

In contrast to the mix of remote and in-person card payments overall, where in-person payments still are the majority, fraudulent remote card payments were more than half of all fraudulent card payments by both value and number in 2016.

Graph-two

These data suggest that remote card payments fraud is likely to be of increasing concern for the U.S. payments system going forward. Additional data are included in the report at www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

To learn more about payments fraud, you can sign up for the Talk About Payments webinar on November 1 at 11 a.m. (ET). This webinar is open to the public but you must register in advance to participate.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

October 29, 2018 in cards , consumer fraud , debit cards , fraud , identity theft , mobile payments , online retail , payments study | Permalink | Comments ( 0)

October 22, 2018


Three Views of Noncash Payments Fraud

Despite what we might gather from the headlines, payments fraud is a small fraction of the value of all payments.In 2015, by value, it was only about 1/200 of 1 percent of noncash payment transactions. The pie chart shows what a tiny slice of the pie that payments fraud is.

Image-one-sm

This view of the value of payments fraud in 2015 is one of three views that today's post will offer, using data from a recently released payments fraud report.

The report, based on data from the Federal Reserve Payments Study, quantifies noncash payments fraud by value and number in 2012 and 2015 and provides information that can help inform efforts to prevent and detect payments fraud. Data include detail on different payment instruments and transaction types.

Fraud value is defined in the report to be the value of unauthorized third-party payments that were cleared and settled, before any chargebacks, returns, or recoveries. It does not include the costs of any prevention, detection, or remediation methods. The report covers noncash payments used for everyday consumer and business transactions, including automated clearinghouse (ACH), check, and card payments. (Wires are excluded.)

Here's the next view of payments fraud by value: most payments fraud is by card. Slightly more than three-quarters of noncash payments fraud by value are credit card, debit card (prepaid and non-prepaid), and ATM withdrawal fraud; almost half is credit card fraud. The second chart shows that by value, ACH fraud is 14 percent of noncash payments fraud and check fraud is 8.6 percent.

Image-two-sm

Finally, fraud rates by value for cards increased from 2012 to 2015 while fraud rates for check payments decreased and fraud rates for ACH stayed flat. That rate increase for cards means that the value of fraudulent card payments grew faster than the dollar-value growth overall, which is concerning. Indeed, card fraud by value grew more than three times faster than the growth in card payments and ATM withdrawals by value—64 percent compared to 21 percent. ACH fraud grew more in line with the growth rate in ACH payments, with fraud by value increasing 11 percent compared to a 13 percent increase in the value of total ACH payments.

Image-three-sm
You can find additional data in the report at https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

To learn more about the payments fraud report, join our next Talk About Payments webinar on November 1 at 11 a.m. (ET). The webinar is open to the public but you must register in advance to participate. (Registration is free.) Once registered, you will receive a confirmation email with login and call-in information. Also, be sure to check back next Monday for another Take On Payments post about the report.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 22, 2018 in cards , consumer fraud , cybercrime , cybersecurity , debit cards , payments study | Permalink | Comments ( 0)

October 15, 2018


An Ounce of Prevention

Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.

As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.

SMS—While one company proclaimed that SMS was designed for teenagers and never intended for use as a secure messaging means, another proposed a three-factor authentication method that combined the use of a PIN, Bluetooth communication, and facial recognition via SMS sent to account holders to identify a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.

Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.

Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.

As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum  at the Atlanta Fed

 

October 15, 2018 in biometrics , cards , cybersecurity , emerging payments , fintech , innovation | Permalink | Comments ( 0)

October 1, 2018


Safeguarding Things When They’re All Connected

In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.

Prepurchase

  • Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
  • Check with reliable product review sites to see what others have to say about the product’s security features.
  • If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.

Postpurchase

  • Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
  • Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
  • Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
  • Register your device with the manufacturer to be notified of security updates or recalls.
  • Add the device to your separate network if available.

If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.

We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.

Photo of Ian Perry-Okara  By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed

 

Photo of David Lott  By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 1, 2018 in account takeovers , cybercrime , cybersecurity , data security , identity theft , innovation | Permalink | Comments ( 0)

September 24, 2018


Racing Ahead in the Wireless Space

This past Sunday, Eliud Kipchoge smashed the marathon world record at the Berlin Marathon, with a time of 2:01:39, shaving 1 minute 22 seconds off the previous world record. Though some running experts claim a marathon under two hours will never happen, I think elite runners will continue to push the speed envelope and we will witness a sub-two-hour marathon one day.

The marathon isn’t the only area where the speed envelope is being pushed. Another area, and the focus of today’s blog, is in the wireless space.

It was in 2002 when the first commercial 3G network launched in the United States. 3G made it possible for our phones to run applications using a global positioning system (GPS) or using videoconferencing, among other things. The second half of 2010 marked the first commercial launch of 4G in the United States, with many of the mobile network operators launching this service. 4G expanded on the speed of 3G and made it possible for consumers to access the web with their mobile devices, stream high-definition video, and connect Internet of Things devices.

Now, as we approach the fourth quarter of 2018, we are on the cusp of 5G networks, which will be 10 times as fast as our 4G networks. According to a recent Wall Street Journal article on 5G that sparked my interest in the topic, the speed of 5G networks will allow the proliferation of applications such as self-driving cars, virtual reality, and remote surgery. And this got me thinking, what impact will 5G have on the future of commerce, payments, and security?

I haven’t spent any time researching that last question, but no doubt there will be significant benefits and risks that 5G networks will introduce into retail payments. I can draw inspiration from one of my favorite cartoons, the Jetsons, and think ahead to what a Jetson house might look like in 2025: one that is filled with connected devices that communicate with not only us but also each other. Close your eyes and imagine a house with a robotic vacuum that communicates with a virtual home assistant when it needs new bags—and zero human interaction is needed in the process. Or imagine a vehicle that drives itself to the nearest gas station when the low-fuel light appears. Undoubtedly, this new faster-speed wireless world will create security threats that we have yet to face.

So as we at the Risk Forum think about the possibilities and new risks of a 5G world and its impact on commerce, payments, and security, what should we be paying attention to?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 24, 2018 in data security , emerging payments , innovation | Permalink | Comments ( 0)

September 17, 2018


Insuring against Business Email Compromise Fraud

In July, an FBI public service announcement reported that global losses from business email compromise (BEC) fraud exceeded $12.5 billion in the four-and-a-half years from October 2013 to May 2018. Important to managing any fraud is a good risk management strategy, as my colleague recently discussed. The table lists some of the strategies you can use to protect yourself against BEC.

Risk Management Strategy Elements Description Example
Avoidance Implement policies and procedures to avoid risk. Accept no payment transaction instructions via email.
Mitigation Use controls and policies to reduce risk. Require dual authorization for large-value payments.
Transfer Transfer the losses associated with a fraudulent event. Purchase an insurance policy.
Acceptance Budget for fraud losses and litigation/fines related to security incident. Maintain funds in a reserve account.

This post will focus on risk transfer—specifically, it will discuss some appellate court legal developments on insurance policies and coverage related to BEC scams. This post is not intended to offer legal advice but rather, by highlighting rulings in three recent cases, to illustrate some of the challenges associated with BEC scams and transfer strategies using insurance policies. The question is whether or not the computer fraud coverage in a commercial crime policy covers losses from social engineering fraud such as BEC or payment instruction fraud. Judgments in three recent cases have been mixed, one in favor of the insurance company and two others in favor of the compromised businesses.

In April, the Ninth Circuit Court of Appeals ruled that Aqua Star's losses stemming from payment instruction fraud, a type of BEC scam, were not covered under its computer crime insurance policy. In this case, a criminal posing as a vendor of Aqua Star duped an employee through email to change the vendor's bank account information. More than $700,000 was wired from the company to the criminal's account. The court found that, even though the criminal used electronic means to dupe the employee, the Aqua Star insurance policy did not cover the loss because an authorized employee accessed the company's systems and changed the wiring instructions.

In contrast, in July, appellate courts ruled in favor of two businesses that sought coverage from loss of funds to a BEC scam. In the first, a BEC scheme victimized Mediadata to the tune of nearly $4.8 million. An accounts payable clerk was tricked into wiring money into a criminal's account with an email that appeared to be from the company's president and a spoofed phone call that seemed to be from a Mediadata attorney. The Second Circuit Court of Appeals concluded that, in this instance, Mediadata was covered by its computer fraud policy because the fraudster used a computer code to alter a series of email messages to make them appear legitimate—even though Mediadata computers weren't directly hacked.

Then one week later, the Sixth Circuit Court of Appeals ruled in favor of American Tooling Center (ATC). This company was also victimized by a BEC scheme and lost more than $800,000. In this case, the money was wired to a criminal's bank account after the perpetrator intercepted emails between ATC and a vendor and then began impersonating the vendor. The court rejected the insurance company's argument that the losses were excluded because an ATC employee caused the loss by changing the payment instructions. Instead, the court determined that computer fraud does not require unauthorized access to a company's computer systems and that a company can claim a direct loss as a result of an employee being duped.

These cases show the difficulty in understanding what types of fraud losses might be specifically covered under your insurance policy since the courts do not always agree. Some insurance companies now offer separate BEC riders, which could prove valuable in the event you are a victim of this fraud. Because the crimes can result in significant losses, it is also important to know how much coverage is available under commercial crime policies, and imperative to ensure that the coverage is sufficient for losses that can arise from this type of fraud. Are you insuring your company from BEC fraud?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 17, 2018 in risk management | Permalink | Comments ( 0)

Google Search



Recent Posts


Archives


Categories


Powered by TypePad