
Framework for Assessing Risk Managing ACH Risk Coming & Going

Presentation on theme: "Framework for Assessing Risk Managing ACH Risk Coming & Going"— Presentation transcript:

1 Framework for Assessing Risk Managing ACH Risk Coming & Going
Kim A. Bruck, AAP, Vice President, Business Development, ACH ALERT, LLC
Patrick D. Collins, Vice President, Product Management, Associated Bank
June 7, 2012

2 Oh, the Stuff You Will Learn!

3 What can you expect to accomplish here today:
- Understanding what banks consider as they review ACH processing risk
- Risk is more than just financial
- How does this affect you, the corporate customer
- Hear about a few solutions to address processing risk

4 Getting to know you
- Which type of ACH activity do you feel represents the most risk for your FI?
  - ACH Debit Origination
  - ACH Credit Origination
  - Incoming ACH Items
- What are specific concerns?
- Which type of ACH activity do you feel represents the most risk for your clients?

5 ACH Risk Coming & Going
RDFI:
- Unauthorized debits
- Credits due to account takeover
ODFI (Origination):
- Origination of unauthorized debits
- Account takeover
Account takeover is a type of business identity theft in which the criminal steals a company's valid online banking credentials. It is not a compromise of the payment system itself.
What happens once the cyber-thief has the online banking credentials? They initiate funds transfers out of the compromised business account, by ACH or wire, to an FI account of associates (money mules) in the US, or directly overseas.

6 How It Happens
A computer can become infected with malware, which can then spread across the business' entire network, through:
- An infected document attached to an e-mail
- A link within an e-mail that connects to an infected website
- Employees visiting legitimate websites that have themselves been compromised
- An employee using a flash drive that was infected by another computer
The infected systems are then exploited to obtain legitimate security credentials.

7 Corporate Account Takeover Scenario
1. An e-mail with a Trojan embedded is opened by the Originator.
2. The Originator enters credentials for Online Banking; the Trojan captures these credentials and sends them to the criminal.
3. The criminal logs into the Originator's Online Banking profile and modifies the outbound ACH credit file to incorrect routing & account numbers.
4. Mules withdraw the cash and forward it to criminals overseas.
5. The criminals go undiscovered; the Originator/FI is out the money.

8 I. What can you expect to accomplish here today:
Better understanding of what drives banks' risk considerations, philosophy and solutions.
Considerations:
- Strategy
- Policy
- Credit exposure
- Customer protection
- Regulations & laws
- Industries of interest, or not
- Revenue compared to risk
Solutions:
- KYC
- Periodic reviews
- Input controls
- Behavioral monitoring
- Automated tracking
- Education

9 Automated Clearing House Strategic Statements
- Associated Bank will be both a receiver and an originator of ACH transactions as defined by the NACHA rules that govern policy and operational procedures.
- ABC will stay current with all obligations as outlined by NACHA's periodic updates.
- ABC will be current to within 6 months of major software releases.
- Be appropriately competitive with similar offerings of our peer group. If there are opportunities that prevail for ABC to be more proactive, we will act swiftly to create a service or product that meets the financial, strategic, or tactical objectives of our organization.
- Maintain the highest level of accuracy, compliance and availability that ABC can reasonably provide.
- Customer contracts and agreements will define the services that will be provided to each customer and to each transaction account.
- ABC will position itself as an active member and leader in the ACH community through participation with the local ACH association. ABC's current primary local association is WACHA.
- ABC will participate with the NACHA organization for the annual conference and/or other meetings, plus seek participation with committee membership if beneficial to the bank.

11 Policy Should Include
- Risk mitigation techniques
- Deteriorating credits
- Fraud prevention
- Variances from policy
- Profitability of ACH, including ACH-related losses
- Trend information on volume, returns, transaction types
- ACH exposure compared to Tier 1 capital ratios
- Risk in ACH portfolio
- High-volume return rate clients
- Violations and fines
- Target businesses
- High-risk businesses
- Required underwriting
- Renewals
- Establishing exposure limits
- Regulation O
- International transactions
- Suspended files
- Required documentation
- Approval authority
- Roles and responsibilities

14 The Bee Watcher

15 The Bee-Watcher-Watcher watched the Bee-Watcher

16 What are some of the regulations and rules?
- ACH Operating Rules & Guidelines
- ACH Risk Management Handbook
- The Green Book: Guide to Federal ACH Payments and Collections
- Federal Regulation E
- OFAC (Office of Foreign Assets Control)
- FFIEC (Federal Financial Institutions Examination Council)
- Uniform Commercial Code Article 4A: commercial reasonableness of a security procedure is a question of law, to be determined by considering the wishes of the customer expressed to the bank

17 Uniform Commercial Code Article 4A, cont.
A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.

21 2. More than just financial
Non-financial losses experienced by FIs in 2010:
- 45% - Loss of productivity
- 37% - Customer confidence and reputation
- 18% - Customer accounts moved to another FI
- 16% - No losses
- 12% - Regulatory or other compliance issues
Source: Security Media Group 2010

22 3. How does this affect you?
- Policy of a bank says we will do all things for all companies...
- Credit exposure is established at setup: file limits, warehouse limits, transaction variances, etc.; pre-funding
- Customer protection, again at setup: service agreements; authorization
- Regulations and laws
- Industries of interest, or not: third-party processors, gaming, health care
- Revenue to risk

23 Corporate Customer Perspective
Which type of ACH activity do you feel represents the most risk for the financial institution?
- ACH Debit Origination
- ACH Credit Origination
- Incoming ACH Debits
- Incoming ACH Credits

24 The bank's perspective
- What about specific Standard Entry Class (SEC) codes such as IAT, POP, TEL, WEB?
- How about return items?
  - Commercial
  - Consumer
- Did you consider the settlement process?
  - What is the offset account?
  - What about items that have settlement dates outside of the normal 1-day debit and 2-day credit?
- What role does a third-party processor play for the bank and the corporate customer?

25 Business Process Controls
- Training, policies & procedures
- Reviews, exposure limits & dual controls
- Return reporting
- Check with ACH Operators for risk and origination reporting tools
- Positive Pay: incoming and outgoing ACH, check
- Alerts: outgoing wire
- FFIEC Guidance and other regulations
- Layered security
- Authentication techniques
- Tools & technology

26 Sound Business Practices: Corporate
Layered System Security
- Appropriate tools to prevent and deter unauthorized access to the network, periodically reviewed to ensure they are up to date
- Install robust anti-virus and security software
- Multi-layered system security technology
- Security suites so all security options work together to provide superior protection

27 Sound Business Practices: Corporate
Online Banking Safety
- Dedicate one computer exclusively to online banking and cash management activity
- Disallow a workstation used for online banking from being used for general Web browsing and social networking
- Verify use of a secure session (https) in the browser for all online banking
- Disallow the conduct of online banking from free Wi-Fi hot spots
- Cease all online banking activity if the online banking application "looks" different than usual

28 FFIEC Guidance Supplement - FIs
The Federal Financial Institutions Examination Council (FFIEC) issued a supplement (June 28, 2011) to the Authentication in an Internet Banking Environment guidance, issued in October 2005.
What is the purpose?
- Reinforce the risk management framework in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security and other controls in the increasingly hostile online environment
- More focus on business accounts
© 2012 ACH Alert LLC. All Rights Reserved.

29 Why does the FFIEC Guidance matter to you, the Corporate client?
- Online business transactions: generally ACH file origination & wire transfers
- FIs should implement:
  - Layered security
  - Multi-factor authentication

30 Layered Security Program
The Agencies expect that an institution's layered security program will contain the following two elements, at a minimum:
- Detect and respond to suspicious activity
- Control of administrative functions

31 Layered Security Programs
Detect and Respond to Suspicious Activity
Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to:
- Initial login and authentication of customers requesting access to the institution's electronic banking system; and
- Initiation of electronic transactions involving the transfer of funds to other parties.

32 Tools & Technology
- Transaction monitoring / anomaly detection software
  - Suspicious funds transfers
  - Out-of-the-ordinary patterns of behavior
  - Recipient not approved, based on routing number and account number (white list)

33 Tools & Technology
- Out-of-band authentication: a transaction initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., phone) in order for the transaction to be completed
- Validation of the routing number & account number (aka Positive Pay / white list)

34 Tools & Technology
Focus on the point of entry:
- Online banking log-in
- Transmission of the file
- Once the file is at the FI from online banking: validation of the routing number and account number after it has left online banking and before it goes to the processor or ACH Operator
  - Positive Pay
  - Out-of-band alerts
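Slides 32 to 34 describe transaction monitoring, a recipient white list, and validation of the routing and account number after the file has left online banking and before it reaches the processor or ACH Operator. The Python program below is an added example written for this page; it is not code from the presenters, ACH Alert or Associated Bank. It assumes a simplified entry record (payee, routing number, account number, amount) rather than a real NACHA-format file, a white list keyed by payee name, and a hold threshold of 1.5x the payee's past maximum amount; those are illustrative assumptions, and the accounts, payees and amounts are constructed.

```python
"""Pre-release screening of an outbound ACH credit file (added example).

Three checks from the slides, applied after the file leaves online banking
and before it goes to the processor or ACH Operator:
  1. ABA routing number check digit (weights 3-7-1, sum mod 10 == 0)
  2. Positive pay / white list: the payee must map to an approved
     (routing, account) pair; a known payee with a different account is the
     account-takeover signature (criminal edits the credit file)
  3. Out-of-pattern amount versus the originator's own payment history
All accounts, payees and amounts below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    payee: str
    routing: str        # 9-digit ABA routing/transit number
    account: str        # receiver's account number at the RDFI
    amount_cents: int   # amount in cents to avoid float rounding


# Assumed policy knob: hold any amount more than 1.5x the payee's past maximum.
OUT_OF_PATTERN_RATIO = 1.5


def aba_check_digit_ok(routing: str) -> bool:
    """ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def screen_entry(entry, approved, history, ratio=OUT_OF_PATTERN_RATIO):
    """Return reason codes for holding the entry; an empty list means release."""
    reasons = []
    if not aba_check_digit_ok(entry.routing):
        reasons.append("BAD_ROUTING_CHECK_DIGIT")
    expected = approved.get(entry.payee)
    if expected is None:
        reasons.append("PAYEE_NOT_ON_WHITELIST")
    elif expected != (entry.routing, entry.account):
        reasons.append("RECIPIENT_ACCOUNT_CHANGED")
    past = history.get(entry.payee, ())
    if past and entry.amount_cents > ratio * max(past):
        reasons.append("AMOUNT_OUT_OF_PATTERN")
    return reasons


def screen_file(entries, approved, history):
    """Map entry index -> reason codes for every entry in the file."""
    return {i: screen_entry(e, approved, history) for i, e in enumerate(entries)}


def entries_to_confirm(results):
    """Indices that must be confirmed out of band (e.g. phone) before release."""
    return sorted(i for i, reasons in results.items() if reasons)


# Constructed white list: payee -> approved (routing, account). The routing
# numbers were made up to satisfy the check digit; they are not real institutions.
APPROVED = {
    "Acme Supply Co": ("123456780", "000111222"),
    "Payroll Service": ("111000025", "555000111"),
}
# Constructed history of prior credit amounts (cents) per payee.
HISTORY = {
    "Acme Supply Co": [240000, 255000, 250000],
    "Payroll Service": [4000000, 4100000],
}
# Constructed outbound file: one clean entry and three takeover-style edits.
SAMPLE_FILE = [
    Entry("Acme Supply Co", "123456780", "000111222", 250000),    # clean
    Entry("Acme Supply Co", "987654321", "999888777", 250000),    # account swapped
    Entry("Payroll Service", "111000025", "555000111", 9000000),  # amount spike
    Entry("New Vendor LLC", "111000025", "424242424", 100000),    # unknown payee
]

if __name__ == "__main__":
    results = screen_file(SAMPLE_FILE, APPROVED, HISTORY)
    for i, reasons in results.items():
        print(i, SAMPLE_FILE[i].payee, reasons or "release")
    print("confirm out of band:", entries_to_confirm(results))
```

Run it directly to print the hold decision for each entry. In the constructed file the second entry reproduces the takeover scenario of slide 7 (a known payee whose routing and account number were edited) and is caught twice: the routing number fails the ABA check digit, and the (routing, account) pair no longer matches the white list. Entries with any reason code are the ones to push through out-of-band confirmation before release. The white list alone would not catch the payroll amount spike, which is why the slides pair it with behavioral monitoring.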

35 Tools & Technology
Wire transfers:
- Call back
- Fax confirmation
- Monitoring / out-of-pattern behavior
- Validation / white list
- Out-of-band alerts

36 The Stats
- Did you know that 860,000 attempts are made EACH day to hack into systems?
- There are about 75,000 new strings of malware EACH day.

37 Resources
- Sample of Education Video
- NACHA Corporate Account Takeover Resource Center

38 Contact Information Kim A. Bruck, AAP, Vice-President, Business Development, ACH ALERT, LLC x 115

39 Contact Information Patrick Collins, Vice-President Associated Bank 740 Marquette Avenue Minneapolis, MN (612)

