
2010 FIBA Conference

The Bank Fraud Reality: Experiences and Perspectives of U.S. Banks

Michael B. Benardo
Cyber Fraud and Financial Crimes Section Chief
Division of Supervision and Consumer Protection
Federal Deposit Insurance Corporation
Outline
• Phishing
• Corporate Account Takeover Risks
• Third Party Payment Processor Risks
• Mobile Banking Risks

Phishing
Phishing
• An e-mail that looks like it is from a legitimate source – PayPal, a financial institution, FDIC
• The recipient provides personal or financial information, such as bank account or credit card numbers, passwords, date of birth, Social Security number
• Financial loss and/or identity theft
Phishing
• Skyrocketed with significant increases since the mid-1990s – ignited by the Internet and PCs
• Criminals moved quickly to use newer technologies – provided easy access & anonymity
Typical Phishing e-mail
• Urgent!
• Use fear
• More sophisticated than in the past
Phishing and Related Threats
Corporate Account Takeover Risks
Corporate Account Takeovers
• Recent Headlines:
– “Cybercrooks Stalk Small Businesses that Bank Online”
– “European Cyber-Gangs Target Small U.S. Firms”
– “Broad New Hacking Attack Detected”
Corporate Account Takeovers
• Impacting Web-based payment origination services for business customers
• Resulting from compromised banking software login credentials
– Business customers
– Municipalities
– Churches and Religious Institutions
Corporate Account Takeovers
• Fraudulent EFT transactions
– Automated clearing house (ACH)
– Wire transfers
• Crimeware (malicious software)
– Trojan horse programs
– Key loggers
– Other spoofing techniques
Corporate Account Takeovers
• Awareness, education and collaboration
– Financial institutions
– Small businesses
– Technology providers
– Law enforcement agencies and banking regulators
Corporate Account Takeovers
• SA-147-2009: Fraudulent Electronic Funds Transfers
www.fdic.gov/news/news/specialalert/2009/sa09147.html
• SA-185-2009: Fraudulent Work-at-Home Funds Transfer Agent Schemes
www.fdic.gov/news/news/specialalert/2009/sa09185.html
Third Party Payment Processor Risks
Payment Processor Relationships
• High Risk Activities
– Telemarketing
– On-line merchants
• Payment Types
– Remotely Created Checks (RCCs)
– ACH
Third Party Payment Processors
• Risks
– Strategic Risk
– Credit Risk
– Compliance Risk
– Transaction Risk
– Legal Risk
– Reputation Risk
• Financial institutions may be viewed as facilitating a payment processor’s or a merchant client’s fraudulent or unlawful activity
Third Party Payment Processors
Processor Due Diligence & Underwriting
• Policies and procedures
• Background check of processor and merchant clients
• Processor approval program that extends beyond credit risk management
• Authenticate the processor’s business operations and assess the risk level
Third Party Payment Processors
Ongoing Monitoring
• Monitor higher rates of returns or charge backs
• FFIEC BSA/AML Examination Manual urges financial institutions to assess and manage risk with respect to third-party payment processors
• Risk management program should include procedures to monitor payment processor information (e.g., merchant data, transaction volume, charge back history)
Third Party Payment Processors
Red Flags
• Payment processors that use more than one financial institution to process merchant client payments
• One or more of the relationships may be terminated as a result of suspicious activity
• Payment processor’s merchant clients are inappropriately obtaining personal account information and using it to create unauthorized RCCs or ACH debits
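An added example, not part of the FDIC presentation: a minimal return-rate monitor a bank's risk program could run over the ACH debits and RCCs its processor clients originate, turning the "monitor higher rates of returns or charge backs" point and the unauthorized-RCC/ACH-debit red flag above into a concrete check. The merchant names, sample entries and rate thresholds are constructed assumptions; the NACHA return reason codes are standard.

```python
from collections import defaultdict

# NACHA codes for returns the account holder did not authorize (R05, R07, R10, R29); rate thresholds below are assumed.
UNAUTHORIZED_RETURNS = {"R05", "R07", "R10", "R29"}

# Constructed sample of ACH debits and RCCs from one third-party payment processor: (merchant, type, amount, return code).
SAMPLE_ENTRIES = [
    ("telemarket-01", "ACH", 49.95, None),
    ("telemarket-01", "ACH", 49.95, "R10"),
    ("telemarket-01", "RCC", 49.95, "R10"),
    ("telemarket-01", "ACH", 49.95, "R01"),   # R01 = insufficient funds, not an unauthorized return
    ("telemarket-01", "ACH", 49.95, "R29"),
    ("online-shop-07", "ACH", 120.00, None),
    ("online-shop-07", "ACH", 80.00, None),
    ("online-shop-07", "RCC", 60.00, "R01"),
    ("online-shop-07", "ACH", 75.00, None),
    ("online-shop-07", "ACH", 42.50, None),
    ("online-shop-07", "ACH", 99.00, None),
]

def merchant_return_stats(entries):
    """Per-merchant counts of entries, returned entries and unauthorized returns."""
    stats = defaultdict(lambda: {"total": 0, "returns": 0, "unauthorized": 0})
    for merchant, _ptype, _amount, rcode in entries:
        s = stats[merchant]
        s["total"] += 1
        if rcode is not None:
            s["returns"] += 1
            if rcode in UNAUTHORIZED_RETURNS:
                s["unauthorized"] += 1
    return dict(stats)

def flag_merchants(entries, max_return_rate=0.20, max_unauth_rate=0.05, min_entries=4):
    """Map merchant -> reasons for merchants whose overall or unauthorized return rate
    exceeds the thresholds; min_entries avoids flagging on a handful of transactions."""
    flags = {}
    for merchant, s in merchant_return_stats(entries).items():
        if s["total"] < min_entries:
            continue
        reasons = []
        return_rate = s["returns"] / s["total"]
        unauth_rate = s["unauthorized"] / s["total"]
        if return_rate > max_return_rate:
            reasons.append(f"return rate {return_rate:.0%} > {max_return_rate:.0%}")
        if unauth_rate > max_unauth_rate:
            reasons.append(f"unauthorized return rate {unauth_rate:.0%} > {max_unauth_rate:.0%}")
        if reasons:
            flags[merchant] = reasons
    return flags
```

On the sample data only telemarket-01 is flagged (80% returns, 60% of them unauthorized), which is the pattern the deck describes for a merchant creating debits with improperly obtained account information.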
Third Party Payment Processors
When Fraudulent Activity is Suspected
• File a Suspicious Activity Report
• Require payment processor to cease processing for that specific merchant
• Terminate financial institution’s relationship with the payment processor
Mobile Banking Risks
Mobile Banking
• Banking: alerts, funds transfers, balance checking
• Payments: payments at point of sale, domestic P2P, cross-border remittances
• Prepaid on the phone
Mobile Banking
• P2P initiatives introduced on mobile phones gaining traction in the United States:
– SMS texting – convenience may drive adoption
– iPhone, Droid, smartphone Apps
– “Bump” phones to exchange information
Mobile Payments
Haiti Earthquake Donations
• Bank agnostic payment – telecoms extending credit
• Error resolution issues:
– What happens if the $20 donation instruction you sent to Haiti appears as a $200 or even a $2,000 charge on your bill?
– What if there is a disagreement about the error between you and your wireless carrier?
Mobile Payments
Haiti Earthquake Donations
• Who regulates the transaction to protect the consumer from identity theft, payment fraud and other payment risks?
• Charity scams – FBI and other warnings
Mobile Banking/Payment Security Threats
• Mobile malware and viruses
• Secure access
• BSA and AML – prepaid on the phone
• Un-trusted applications
• Authentication
• Identity theft
• Regulatory framework
• Who owns the customer? Consumer protections?
Questions?
Thank you!