Framework for Assessing Risk Managing ACH Risk Coming & Going

Presentation transcript:

Framework for Assessing Risk: Managing ACH Risk Coming & Going
Kim A. Bruck, AAP, Vice President, Business Development, ACH ALERT, LLC
Patrick D. Collins, Vice President, Product Management, Associated Bank
June 7, 2012

Oh, the Stuff You Will Learn!

What can you expect to accomplish here today:
- Understanding what banks consider as they review ACH processing risk
- Risk is more than just financial
- How does this affect you, the corporate customer
- Hear about a few solutions to address processing risk

Getting to know you
Which type of ACH activity do you feel represents the most risk for your FI?
- ACH Debit Origination
- ACH Credit Origination
- Incoming ACH Items
What are specific concerns?
Which type of ACH activity do you feel represents the most risk for your clients?

ACH Risk Coming & Going
RDFI:
- Unauthorized debits
- Credits due to account takeover
ODFI:
- Origination
- Origination of unauthorized debits
- Account Takeover
Account Takeover is a type of business identity theft in which the criminal entity steals a company's valid online banking credentials. It is not about the compromise of the payments system itself.
What happens once the cyber-thief has the online banking credentials? They initiate funds transfers out of the compromised business account by ACH or wire to an FI account of associates (money mules) in the US or directly overseas.

How It Happens
A computer can become infected with malware, which can then spread across the business' entire network:
- An infected document attached to an e-mail
- A link within an e-mail that connects to an infected website
- Employees visiting legitimate websites
- An employee using a flash drive that was infected by another computer
Systems are then exploited to obtain legitimate security credentials.

Corporate Account Takeover Scenario
- Originator enters credentials for Online Banking; the Trojan captures these credentials and sends them to the criminal
- Criminals collect Online Banking credentials
- Email with Trojan embedded is opened by Originator
- Criminal logs into Originator's Online Banking profile and modifies the outbound ACH credit file to incorrect routing & account numbers
- Mules withdraw cash and forward it to criminals overseas
- Criminals go undiscovered
- Originator/FI is out of the money

I. What can you expect to accomplish here today:
Better understanding of what drives banks' risk considerations, philosophy and solutions
- Strategy
- Policy
- Credit exposure
- Customer protection
- Regulations & Laws
- Industries of interest, or not
- Revenue compared to risk
- Solutions: KYC, periodic reviews, input controls, behavioral monitoring, automated tracking, education

Automated Clearing House Strategic Statements
- Associated Bank will be both a receiver and an originator of ACH transactions as defined by the NACHA rules that govern policy and operational procedures.
- ABC will stay current with all obligations as outlined by NACHA's periodic updates.
- ABC will be current to within 6 months of major software releases.
- Be appropriately competitive with similar offerings of our peer group. If there are opportunities that prevail for ABC to be more proactive, we will act swiftly to create a service or product that meets the financial, strategic, or tactical objectives of our organization.
- Maintain the highest level of accuracy, compliance and availability that ABC can reasonably provide.
- Customer contracts and agreements will define the services that will be provided to each customer and to each transaction account.
- ABC will position itself as an active member and leader in the ACH community through participation with its local ACH association. ABC's current primary local association is WACHA.
- ABC will participate with the NACHA organization for the annual conference and/or other meetings, plus seek participation with committee membership if beneficial to the bank.

Policy Should Include
- Risk Mitigation Techniques: deteriorating credits, fraud prevention, variances from policy
- Profitability of ACH, including ACH-related losses
- Trend information on volume, returns, transaction types
- ACH Exposure compared to Tier 1 Capital Ratios
- Risk in ACH Portfolio: high-volume return rate clients, violations and fines
- Target Businesses
- High Risk Businesses
- Required Underwriting
- Renewals
- Establishing Exposure Limits
- Regulation O
- International Transactions
- Suspended Files
- Required Documentation
- Approval Authority
- Roles and Responsibilities

The Bee Watcher

The Bee-Watcher-Watcher watched the Bee-Watcher

What are some of the regulations and rules?
- ACH Operating Rules & Guidelines
- ACH Risk Management Handbook
- The Green Book: Guide to Federal ACH Payments and Collections
- Federal Regulation E
- OFAC (Office of Foreign Assets Control)
- FFIEC (Federal Financial Institutions Examination Council)
- Uniform Commercial Code Article 4A: commercial reasonableness of a security procedure is a question of law, to be determined by considering the wishes of the customer expressed to the bank

Uniform Commercial Code Article 4A, cont. A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.

2. More than just financial
Non-financial losses experienced by FIs in 2010:
- 45%: Loss of productivity
- 37%: Customer confidence and reputation
- 18%: Customer accounts moved to another FI
- 16%: No losses
- 12%: Regulatory or other compliance issues
Source: Security Media Group 2010

3. How does this affect you?
- Policy of a bank says we will do all things for all companies...
- Credit exposure is established at the setup: file limits, warehouse limits, transaction variances, etc.; pre-funding
- Customer protection, again at setup: service agreements, authorization
- Regulations and laws
- Industries of interest, or not: third party processors, gaming, health care
- Revenue to risk

Corporate Customer Perspective
Which type of ACH activity do you feel represents the most risk for the financial institution?
- ACH Debit Origination
- ACH Credit Origination
- Incoming ACH Debits
- Incoming ACH Credits

The bank's perspective
- What about specific Standard Entry Class (SEC) codes such as IAT, POP, TEL, WEB?
- How about return items: commercial vs. consumer?
- Did you consider the settlement process? What is the offset account?
- What about items that have settlement dates outside of the normal 1-day debit and 2-day credit?
- What role does a third party processor play for the bank and the corporate customer?

Business Process Controls
- Training, Policies & Procedures
- Reviews, Exposure Limits & Dual Controls
- Return reporting: check with ACH Operators for risk and origination reporting tools
- Positive Pay: incoming and outgoing ACH; check; alerts; outgoing wire
- FFIEC Guidance and other regulations
- Layered Security: authentication techniques
- Tools & Technology

Sound Business Practices: Corporate Layered System Security
- Appropriate tools to prevent and deter unauthorized access to its network, and periodic review of such tools to ensure they are up to date
- Install robust anti-virus and security software
- Multi-layered system security technology
- Security suites, so all security options work together to provide superior protection

Sound Business Practices: Corporate Online Banking Safety
- Dedicate one computer exclusively to online banking and cash management activity
- Disallow a workstation used for online banking from being used for general Web browsing and social networking
- Verify use of a secure session (https) in the browser for all online banking
- Disallow the conduct of online banking from free Wi-Fi hot spots
- Cease all online banking activity if the online banking application "looks" different than usual

FFIEC Guidance Supplement – FIs
The Federal Financial Institutions Examination Council (FFIEC) issued a supplement (June 28, 2011) to the Authentication in an Internet Banking Environment guidance, issued in October 2005.
What is the purpose?
- Reinforce the risk management framework in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security and other controls in the increasingly hostile online environment
- More focus on business accounts
© 2012 ACH Alert LLC. All Rights Reserved.

Why does the FFIEC Guidance matter to you, the Corporate client?
- Online business transactions: generally ACH file origination & wire transfers
- FIs should implement layered security and multi-factor authentication

Layered Security Program
The Agencies expect that an institution's layered security program will contain the following two elements, at a minimum:
- Detect and Respond to Suspicious Activity
- Control of Administrative Functions

Layered Security Programs: Detect and Respond to Suspicious Activity
Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to:
- Initial login and authentication of customers requesting access to the institution's electronic banking system; and
- Initiation of electronic transactions involving the transfer of funds to other parties.

Tools & Technology
Transaction monitoring/anomaly detection software:
- Suspicious funds transfers
- Out of the ordinary
- Patterns of behavior
- Recipient not approved, based on routing number and account number (white list)

Tools & Technology
- Out-of-band authentication: a transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., phone) in order for the transaction to be completed
- Validation of the routing number & account number (aka Positive Pay/white list)

Tools & Technology
Focus on the point of entry:
- Online banking log in
- Transmission of the file
- Once the file is at the FI from online banking: validation of the routing number and account number after it has left online banking and before it goes to the processor or ACH Operator (Positive Pay, out-of-band alerts)
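As an added example (not code from the presenters or from ACH Alert), here is a positive-pay style screen of the kind described above: each entry of an outbound credit file is checked, after it leaves online banking and before it goes to the processor or ACH Operator, against the customer's white list of routing and account numbers, so the altered-file step in the account takeover scenario is held rather than released. The Entry Detail layout is NACHA's public record format; the routing numbers, accounts, white list and the `make_entry`/`screen_batch` helpers are constructed for this example.

```python
"""Positive-pay style screen of an outbound ACH credit batch against the
customer's white list of approved recipients (routing + account number).
Constructed example: NACHA Entry Detail positions are real, data is not."""
from collections import namedtuple

Entry = namedtuple("Entry", "trace routing account amount name")


def routing_check_digit_ok(routing: str) -> bool:
    """ABA routing number check digit: 3,7,1-weighted digit sum mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def parse_entry(record: str) -> Entry:
    """Parse a 94-char Entry Detail record (1-based: 4-12 routing incl. check
    digit, 13-29 account, 30-39 amount in cents, 55-76 name, 80-94 trace)."""
    if len(record) != 94 or record[0] != "6":
        raise ValueError("not a 94-character Entry Detail record")
    return Entry(trace=record[79:94], routing=record[3:12],
                 account=record[12:29].strip(), amount=int(record[29:39]),
                 name=record[54:76].strip())


def screen_batch(records, white_list):
    """Split entries into (approved, held). An entry is held when its routing
    number fails the check digit or the (routing, account) pair is not on the
    approved-recipient list, which is where an altered credit file surfaces."""
    approved, held = [], []
    for rec in records:
        e = parse_entry(rec)
        if not routing_check_digit_ok(e.routing):
            held.append((e, "bad routing check digit"))
        elif (e.routing, e.account) not in white_list:
            held.append((e, "recipient not on white list"))
        else:
            approved.append(e)
    return approved, held


def make_entry(routing, account, cents, name, trace):
    """Build a constructed Entry Detail record (transaction code 22 = credit)."""
    rec = ("6" + "22" + routing + account.ljust(17) + f"{cents:010d}"
           + "PAYROLL".ljust(15) + name.ljust(22) + "  " + "0" + trace)
    assert len(rec) == 94
    return rec


# Constructed white list and batch; 123456780 and 987654320 pass the check
# digit, 123456789 does not; the second entry has an unapproved destination.
APPROVED_RECIPIENTS = {("123456780", "1001"), ("987654320", "2002")}
SAMPLE_BATCH = [
    make_entry("123456780", "1001", 150000, "ALICE EXAMPLE", "123456780000001"),
    make_entry("987654320", "9999", 150000, "BOB EXAMPLE", "123456780000002"),
    make_entry("123456789", "2002", 50000, "CAROL EXAMPLE", "123456780000003"),
]
```

Calling `screen_batch(SAMPLE_BATCH, APPROVED_RECIPIENTS)` releases only the first entry and holds the other two with their reasons, which is the decision an out-of-band alert to the customer would then confirm or reject.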

Tools & Technology
Wire transfers:
- Call back
- Fax confirmation
- Monitoring/out-of-pattern behavior
- Validation/white list
- Out-of-band alerts

The Stats
Did you know that 860,000 attempts are made EACH day to hack into systems? There are about 75,000 new strains of malware EACH day.

Resources
- Sample of Education Video: http://www.achalert.com/index.php?page=demo-bank-usa
- NACHA Corporate Account Takeover Resource Center: http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm

Contact Information
Kim A. Bruck, AAP, Vice-President, Business Development, ACH ALERT, LLC
kbruck@achalert.com
1-866-265-8961 x 115
www.achalert.com

Contact Information
Patrick Collins, Vice-President, Associated Bank
740 Marquette Avenue, Minneapolis, MN 55402
(612) 359-4445
Patrick.Collins@associatedbank.com