Payment fraud is one of the biggest risk management challenges facing corporate treasury managers, and it’s one that businesses must battle on two fronts. Although media attention tends to focus on the emergence of technically sophisticated online banking scams, criminals continue to target paper checks for fraud. Both crimes should be front and center on a treasurer’s radar.
According to the “2013 AFP Payments Fraud and Control Survey” conducted by the Association for Financial Professionals (AFP), 61 percent of organizations experienced attempted or actual payment fraud in 2012. Checks continued to be the dominant payment form targeted by fraudsters, with 87 percent of affected organizations reporting check fraud attempts. Check fraud has been around for a long time, but in recent years criminals have become more proficient at it. The advent of inexpensive desktop publishing equipment has enabled them to create incredibly authentic-looking counterfeit checks. In its most common form, counterfeiting involves creation of fraudulent checks using an organization’s MICR-line data. Criminals also commonly alter the amount or payee name on checks that have actually been issued, or they steal or counterfeit employee paychecks.
Meanwhile, a much smaller proportion of respondents to the AFP survey said they faced attempts at commercial purchasing card fraud (29 percent), Automated Clearing House (ACH) debit fraud (27 percent), or wire transfer fraud (11 percent), although the potential losses are greater via these electronic methods. The typical financial loss among companies that suffered payment fraud in 2012 was $20,300, according to the AFP.
Who’s Liable for Fraud Losses?
Some corporate managers believe their banks will necessarily bear liability for any fraud losses they incur—and when the treasury team doesn’t fear fraud losses, fraud prevention might not be their top priority. That’s why it’s crucial to understand that businesses can be held liable for payment fraud. These days, banks and their business clients share responsibility for taking appropriate steps to mitigate fraud risk. If a company fails to take these steps, it may bear liability for fraud losses.
In cases of check fraud losses, the Uniform Commercial Code (UCC) is the legal basis for determining liability. Revisions to the UCC in 1990 increased corporate responsibility in check fraud loss situations and softened the burden for banks. Today the UCC requires corporate account holders to follow “reasonable commercial standards” to guard against check fraud. It suggests that banks and corporate account holders should divide responsibility for a loss based on the extent to which each party contributed to the loss by failing to meet reasonable commercial standards.
The July 2010 outcome of Cincinnati Insurance Company v. Wachovia Bank confirmed the potential for corporate liability in check-fraud losses. In that lawsuit, Wachovia prevailed over a business customer’s insurance company. The bank had reportedly recommended that the customer use its positive-pay service, through which Wachovia would have compared all checks presented for payment against a list provided by the client of checks it had legitimately issued. Positive pay would have identified potentially fraudulent items, but the customer declined the service and suffered a $150,000 check fraud loss.
A court determined that the customer was liable for the loss. Its deposit agreement with Wachovia included a conditional release of Wachovia’s liability if the customer failed to use the bank’s products designed to detect or deter check fraud. (You can read a case summary and the court order at http://www.safechecks.com/articles/files/legal-reasons-to-implement-positive-pay.html.)
Bank Services That Combat Check Fraud
Positive pay is generally considered the most effective available deterrent of check fraud. When a check presented for payment does not match the issuance information provided by the bank’s customer, the bank alerts the customer, which can then investigate to determine whether the bank should pay the check as presented.
In addition to standard positive-pay services, many banks offer a “positive payee” service enhancement, which helps flag checks on which the payee name has been altered. Positive payee requires businesses to include payee names in the check issuance files they send to their banks. The bank can then identify any checks presented for payment in which the dollar amount, account number, and serial number match the positive-pay guidance but the payee name does not.
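The matching logic behind positive pay and positive payee, as an added example that is not code from the article, Capital One, or any bank: the issue file, serial numbers, payees and amounts are constructed, and the class and function names are this example's own. It shows the four kinds of exception the text describes (unknown serial, altered amount, altered payee, voided or duplicate item) and why plain positive pay cannot catch an altered payee when no payee was sent in the issue file.

```python
"""Positive pay with the positive-payee enhancement (added example, constructed data)."""
from dataclasses import dataclass, replace
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class IssuedCheck:
    serial: str
    amount: Decimal
    payee: Optional[str] = None   # None = customer sent no payee (plain positive pay)
    status: str = "issued"        # issued | void | stopped | paid


@dataclass(frozen=True)
class PresentedItem:
    account: str
    serial: str
    amount: Decimal
    payee_as_read: Optional[str] = None   # payee line as captured from the check image


def normalize_payee(name: str) -> str:
    """Compare payees ignoring case, punctuation and spacing: 'Acme Supply Co.' == 'ACME SUPPLY CO'."""
    cleaned = name.upper().replace(".", "").replace(",", "")
    return " ".join(cleaned.split())


class PositivePayMatcher:
    """Bank-side decision: pay only what matches the customer's issue file; anything else is an exception."""

    def __init__(self, account: str, issue_file):
        self.account = account
        self.issued = {c.serial: c for c in issue_file}

    def decide(self, item: PresentedItem):
        """Return ('PAY', reason) or ('EXCEPTION', reason) for one presented check."""
        if item.account != self.account:
            return "EXCEPTION", "account number mismatch"
        issued = self.issued.get(item.serial)
        if issued is None:
            return "EXCEPTION", "serial number not in issue file"   # counterfeit or unreported item
        if issued.status in ("void", "stopped"):
            return "EXCEPTION", f"check {issued.status} by customer"
        if issued.status == "paid":
            return "EXCEPTION", "duplicate presentment"               # this serial was paid already
        if item.amount != issued.amount:
            return "EXCEPTION", f"amount altered: issued {issued.amount}, presented {item.amount}"
        if issued.payee is not None:                                  # positive-payee comparison
            read = item.payee_as_read or ""
            if normalize_payee(read) != normalize_payee(issued.payee):
                return "EXCEPTION", f"payee altered: issued '{issued.payee}', presented '{read}'"
        # Record the payment so a second copy of this serial becomes an exception.
        self.issued[item.serial] = replace(issued, status="paid")
        return "PAY", "matches issue file"

    def run_batch(self, items):
        """Decide a day's presentments in order; returns (serial, decision, reason) triples."""
        return [(item.serial, *self.decide(item)) for item in items]


def demo():
    """Constructed issue file and presentment batch; returns the matcher's decisions."""
    issue_file = [
        IssuedCheck("1001", Decimal("1250.00"), "Acme Supply Co."),
        IssuedCheck("1002", Decimal("400.00"), "Northwind Traders"),
        IssuedCheck("1003", Decimal("75.00"), "Petty Cash", status="void"),
        IssuedCheck("1004", Decimal("980.50")),          # no payee sent: plain positive pay only
    ]
    presented = [
        PresentedItem("0001", "1001", Decimal("1250.00"), "ACME SUPPLY CO"),
        PresentedItem("0001", "1001", Decimal("1250.00"), "ACME SUPPLY CO"),    # copy of a paid check
        PresentedItem("0001", "1002", Decimal("4000.00"), "Northwind Traders"), # amount raised
        PresentedItem("0001", "1002", Decimal("400.00"), "J. Smith"),           # payee changed
        PresentedItem("0001", "1003", Decimal("75.00"), "Petty Cash"),          # voided check
        PresentedItem("0001", "1005", Decimal("999.00"), "Anyone"),             # never issued
        PresentedItem("0001", "1004", Decimal("980.50"), "Anyone"),             # payee unverifiable
    ]
    return PositivePayMatcher("0001", issue_file).run_batch(presented)


if __name__ == "__main__":
    for serial, decision, reason in demo():
        print(f"{serial}  {decision:9}  {reason}")
```

The last item pays even though the payee line reads "Anyone": without a payee in the issue file the bank can only compare serial and amount, which is exactly the gap positive payee closes.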
Many banks offer several additional services, which businesses can use to further reduce their exposure to check fraud and monitor for fraud attempts, including:
- Account reconciliation. It’s important to ensure that all checks written, stopped, voided, etc. are properly accounted for.
- Balance reporting. Simply checking balances and transaction details at least once a day can help a company catch discrepancies and potential fraud early.
- “Post no checks” restrictions on depository accounts. This simple setting enables companies to set up special-purpose accounts to handle only one activity, such as collections.
- Credit- or debit-only restrictions on accounts. Defining accounts as allowing only debit/payables or credit/collections enables quicker recognition of any attempts at unauthorized activities.
Addressing Low-Tech ACH Fraud
ACH fraud can take a couple of different forms. One, which has been around for years, occurs when a criminal steals a check. Rather than forging the physical check, the criminal uses its routing and bank account numbers to order goods by phone or online. In another form of ACH fraud, a dishonest employee might use the MICR-line information on a paycheck to initiate a fraudulent ACH debit.
The biggest issue in combating these types of low-tech ACH fraud is that rules of NACHA, the electronic payments association, stipulate that a company has only 24 hours to contact its bank to dispute a fraudulent ACH debit. Failure to initiate a dispute within the 24-hour window shifts all liability for fraud losses to the corporate account holder.
To support efforts to prevent ACH fraud, banks offer ACH debit blocks and debit filters. ACH debit blocks enable an organization to specify that its bank should reject any ACH debits against a particular account or accounts. ACH debit filters enable the organization to establish criteria defining which ACH debits the bank should accept for a particular account. Parameters can be general—for instance, dollar limits for a single transaction or a list of acceptable payees—or a company can establish detailed criteria for each authorized payment, providing the name of the approved payee, the exact dollar amount, and the payment initiation date. Such detailed filtering is sometimes referred to as “ACH positive pay.”
Many banks are recommending that commercial clients use separate accounts for check payments and electronic payments. Further, many businesses are segregating electronic payments, using some accounts only for ACH credits and others only for ACH debits. When a paper-only account receives an electronic debit or credit, or when an ACH debit is initiated on a credit-only account, the payment is automatically rejected.
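The ACH controls described in the three paragraphs above (debit blocks, general and detailed debit filters, segregated credit-only, debit-only and check-only accounts, and the 24-hour dispute window) as one added example. It is not code from the article or any bank: the account kinds, originator IDs, names, amounts and dates are constructed, and the function and field names are this example's own.

```python
"""ACH debit blocks, debit filters ("ACH positive pay") and account segregation (added example)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class AchEntry:
    account: str
    direction: str          # "credit" (money in) or "debit" (money out)
    originator_id: str      # the originating company's ID
    originator_name: str
    amount: Decimal
    effective_date: date


@dataclass(frozen=True)
class Authorization:
    """One pre-approved debit: approved payee, exact amount and initiation date."""
    originator_name: str
    amount: Decimal
    effective_date: date


@dataclass
class AccountProfile:
    kind: str                                   # paper_only | ach_credit_only | ach_debit_only | mixed
    debit_block: bool = False                   # reject every ACH debit
    max_debit: Optional[Decimal] = None         # general filter: single-transaction dollar limit
    allowed_originators: frozenset = frozenset()   # general filter: empty = any originator
    authorizations: Optional[list] = None       # detailed filter: None = off; list = only these debits pay


def _norm(name: str) -> str:
    return " ".join(name.upper().split())


def screen(profile: AccountProfile, entry: AchEntry):
    """Return ('ACCEPT'|'REJECT', reason) for one incoming ACH entry against the account's profile."""
    # Segregated-account rules come first: the wrong kind of entry is rejected outright.
    if profile.kind == "paper_only":
        return "REJECT", "check-only account: no ACH activity allowed"
    if entry.direction == "debit" and profile.kind == "ach_credit_only":
        return "REJECT", "debit on credit-only account"
    if entry.direction == "credit" and profile.kind == "ach_debit_only":
        return "REJECT", "credit on debit-only account"
    if entry.direction == "credit":
        return "ACCEPT", "incoming credit"
    # From here on the entry is a debit.
    if profile.debit_block:
        return "REJECT", "debit block on account"
    if profile.authorizations is not None:     # detailed criteria ("ACH positive pay")
        for i, auth in enumerate(profile.authorizations):
            if (_norm(auth.originator_name) == _norm(entry.originator_name)
                    and auth.amount == entry.amount
                    and auth.effective_date == entry.effective_date):
                del profile.authorizations[i]   # one authorization pays exactly one debit
                return "ACCEPT", "matches pre-authorized payment"
        return "REJECT", "no matching pre-authorized payment"
    if profile.allowed_originators and entry.originator_id not in profile.allowed_originators:
        return "REJECT", f"originator {entry.originator_id} not on approved list"
    if profile.max_debit is not None and entry.amount > profile.max_debit:
        return "REJECT", f"amount {entry.amount} exceeds single-transaction limit {profile.max_debit}"
    return "ACCEPT", "passes general debit filter"


DISPUTE_WINDOW = timedelta(hours=24)   # the 24-hour window the article attributes to NACHA rules


def dispute_still_open(posted_at: datetime, now: datetime) -> bool:
    """True while the company can still contact its bank to dispute a posted debit."""
    return now - posted_at <= DISPUTE_WINDOW


def dispute_demo():
    """A debit posted at 09:00; checked at 08:30 and 10:00 the next day (constructed times)."""
    posted = datetime(2013, 6, 14, 9, 0)
    return (dispute_still_open(posted, datetime(2013, 6, 15, 8, 30)),
            dispute_still_open(posted, datetime(2013, 6, 15, 10, 0)))


def demo():
    """Run constructed entries through four differently configured accounts; returns decisions."""
    d = date(2013, 6, 14)
    receipts = AccountProfile(kind="ach_credit_only")
    payroll = AccountProfile(kind="paper_only")
    payables = AccountProfile(kind="ach_debit_only", max_debit=Decimal("5000"),
                              allowed_originators=frozenset({"1234567890"}))
    vendor = AccountProfile(kind="ach_debit_only",
                            authorizations=[Authorization("Northwind Traders", Decimal("1250.00"), d)])
    cases = [
        ("credit to receipts", receipts, AchEntry("R1", "credit", "9999", "Customer Inc", Decimal("800"), d)),
        ("debit to receipts", receipts, AchEntry("R1", "debit", "9999", "Customer Inc", Decimal("800"), d)),
        ("credit to check-only payroll", payroll, AchEntry("P1", "credit", "9999", "Anyone", Decimal("10"), d)),
        ("approved originator, in limit", payables, AchEntry("A1", "debit", "1234567890", "Utility Co", Decimal("4200"), d)),
        ("approved originator, over limit", payables, AchEntry("A1", "debit", "1234567890", "Utility Co", Decimal("7500"), d)),
        ("unknown originator", payables, AchEntry("A1", "debit", "5555555555", "Mystery LLC", Decimal("50"), d)),
        ("authorized vendor debit", vendor, AchEntry("V1", "debit", "2222", "NORTHWIND TRADERS", Decimal("1250.00"), d)),
        ("same debit presented twice", vendor, AchEntry("V1", "debit", "2222", "NORTHWIND TRADERS", Decimal("1250.00"), d)),
        ("vendor debit, wrong amount", vendor, AchEntry("V1", "debit", "2222", "Northwind Traders", Decimal("1300.00"), d)),
    ]
    return [(label, *screen(profile, entry)) for label, profile, entry in cases]


if __name__ == "__main__":
    for label, decision, reason in demo():
        print(f"{label:32} {decision:7} {reason}")
    print("dispute window open at 08:30 / 10:00 next day:", dispute_demo())
```

The detailed filter consumes each authorization once, so a second presentment of the same debit is rejected rather than silently falling back to the general filter; that distinction is the difference between a filter and ACH positive pay.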
Online Banking: New Opportunities for Fraud
In recent years, a new type of ACH fraud has emerged as criminals have taken advantage of companies’ adoption of online banking. In fact, new online banking scams are introduced almost daily.
One of these scams’ earliest forms was “phishing.” In a phishing attack, someone receives an email from what appears to be a trusted business partner, such as a bank. The email may ask the reader to open an attachment or click a link. The website the reader lands on may appear to be legitimate, but in actuality it’s a counterfeit site. Once on a counterfeit site, a treasury professional may be asked to divulge bank account numbers and online banking credentials, such as usernames and passwords.
As corporate treasuries have become more savvy in avoiding phishing scams, criminals have developed more targeted forms of attack. One, called “reverse phishing,” begins when a corporate staff member receives an e-mail that appears to be from a known vendor. Rather than asking for online banking credentials, the message’s sender asks the recipient to take an action, such as redirecting an electronic trade payment to a different bank account. The victimized company may not even realize it has been scammed until weeks later, when the actual vendor calls to ask why its invoice is unpaid.
Even harder to detect are the scams in which fraudsters work through credential-stealing malware. In a typical scam, a finance manager receives an e-mail falsely purporting to be from a credible source, such as the Better Business Bureau. The e-mail asks the recipient to view a document, and when he opens the message’s attachment or clicks the provided link, malware installs on his computer. The next time the victim visits an online banking site, the malware alerts the criminal, who uses keystroke logging technology to capture the victim’s login and security credentials.
Treasury professionals are wrong to assume that banks will accept liability for any losses that occur when fraudsters access accounts by compromising an online banking platform. Most banks’ online services agreements outline liability—but in general, a company is liable for payment fraud losses that occur because the company failed to protect its systems.
One of the simplest and most effective controls in combating online payment fraud is the use of dual control in payment initiation; one person initiates each transaction, while a second individual reviews and approves it. This is a best practice based on the premise of separation of duties, and many banks now require it.
Cards Are Targets, Too
Twenty-nine percent of the respondents to the AFP’s 2013 survey who were affected by payment fraud reported that commercial cards were targeted. In fact, of those respondents reporting that they experienced attempted or actual fraud related to business-to-business card transactions, 48 percent said it resulted from the improper use of their own commercial cards.
Seventy-four percent reported experiencing commercial card fraud at the hands of an unknown external party. One common scam is “vishing,” through which a cardholder receives a call from someone who has the purchasing card number. Pretending to be reporting a fraudulent transaction, the caller asks for the cardholder’s CVV2 code over the phone. With the card number and code, the criminal can then successfully make unauthorized purchases.
Twenty-six percent of AFP survey respondents said they were subject to fraud perpetrated by their own employees, such as use of a commercial card to pay for an unauthorized purchase. Interestingly, respondents said their organizations were liable for card-fraud losses 26 percent of the time, which is about half the frequency with which the card-issuing bank was liable (49 percent) and around the same frequency with which the merchant was held liable (23 percent).
One of the best ways to curtail payment-card fraud is to impose spending restrictions on individual cardholders. Most banks allow corporate customers to establish a variety of limits. For instance, a commercial-card program administrator might tell the bank that a particular cardholder can spend no more than $500 per transaction. Or the administrator might set a daily or monthly spending limit for each cardholder; transactions that exceed the restriction will be declined.
A card-program administrator can also use merchant category codes to define the types of businesses at which the card can be used. For example, the administrator might dictate that a particular employee who never travels for business cannot use her card at hotels. Such restrictions can help prevent fraud by unknown external parties because if a card or card number is stolen, the thief will only be able to make purchases from merchants in approved categories.
Treasury managers and commercial-card program administrators can also use their card’s online reporting tools to monitor employee spending and look for fraud. Online card management tools typically allow administrators to generate reports on spending activities by cardholder.
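The card controls described in the three paragraphs above (per-transaction, daily and monthly limits, merchant-category restrictions, and per-cardholder spend reporting) as one added example. It is not code from the article or any card issuer: the cardholders, merchants, limits and transaction stream are constructed, and the class names are this example's own. The merchant category codes used (7011 lodging, 4511 airlines, 5943 office supplies, 5732 electronics stores) are the commonly published values but serve here only as labels.

```python
"""Commercial-card authorization controls and spend reporting (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass
class CardControls:
    per_transaction: Optional[Decimal] = None
    daily: Optional[Decimal] = None
    monthly: Optional[Decimal] = None
    blocked_mcc: frozenset = frozenset()    # merchant categories this cardholder may never use


@dataclass(frozen=True)
class Transaction:
    cardholder: str
    when: date
    merchant: str
    mcc: str
    amount: Decimal


class CardProgram:
    def __init__(self, controls):
        self.controls = controls     # cardholder -> CardControls set by the program administrator
        self.approved = []           # authorizations the issuer approved (feeds the reports)
        self.declined = []

    def _spent(self, holder, same_period):
        """Approved spend by this cardholder in the period selected by same_period(date)."""
        return sum((t.amount for t in self.approved
                    if t.cardholder == holder and same_period(t.when)), Decimal("0"))

    def authorize(self, t: Transaction):
        """Apply the administrator's controls in order; returns ('APPROVE'|'DECLINE', reason)."""
        c = self.controls.get(t.cardholder)
        if c is None:
            result = "DECLINE", "unknown cardholder"
        elif t.mcc in c.blocked_mcc:
            result = "DECLINE", f"merchant category {t.mcc} blocked for this cardholder"
        elif c.per_transaction is not None and t.amount > c.per_transaction:
            result = "DECLINE", f"exceeds per-transaction limit {c.per_transaction}"
        elif c.daily is not None and self._spent(t.cardholder, lambda d: d == t.when) + t.amount > c.daily:
            result = "DECLINE", f"exceeds daily limit {c.daily}"
        elif c.monthly is not None and self._spent(
                t.cardholder, lambda d: (d.year, d.month) == (t.when.year, t.when.month)) + t.amount > c.monthly:
            result = "DECLINE", f"exceeds monthly limit {c.monthly}"
        else:
            result = "APPROVE", "within controls"
        (self.approved if result[0] == "APPROVE" else self.declined).append(t)
        return result

    def spend_report(self):
        """Per-cardholder totals by category plus decline counts: what an administrator reviews online."""
        report = {}
        blank = lambda: {"approved": Decimal("0"), "by_mcc": {}, "declines": 0}
        for t in self.approved:
            row = report.setdefault(t.cardholder, blank())
            row["approved"] += t.amount
            row["by_mcc"][t.mcc] = row["by_mcc"].get(t.mcc, Decimal("0")) + t.amount
        for t in self.declined:
            report.setdefault(t.cardholder, blank())["declines"] += 1
        return report


def demo():
    """Constructed program and transaction stream; returns (decisions, report)."""
    program = CardProgram({
        # office administrator who never travels: hotels and airlines blocked, modest limits
        "office.admin": CardControls(per_transaction=Decimal("500"), monthly=Decimal("2000"),
                                     blocked_mcc=frozenset({"7011", "4511"})),
        # travelling sales rep: larger per-transaction limit, capped per day
        "sales.rep": CardControls(per_transaction=Decimal("1500"), daily=Decimal("2500")),
    })
    stream = [
        Transaction("office.admin", date(2013, 6, 3), "Downtown Office Supply", "5943", Decimal("320")),
        Transaction("office.admin", date(2013, 6, 3), "Airport Hotel", "7011", Decimal("189")),   # stolen number used out of category
        Transaction("office.admin", date(2013, 6, 10), "Downtown Office Supply", "5943", Decimal("640")),
        Transaction("office.admin", date(2013, 6, 12), "Print Shop", "5943", Decimal("450")),
        Transaction("office.admin", date(2013, 6, 20), "Print Shop", "5943", Decimal("480")),
        Transaction("office.admin", date(2013, 6, 25), "Electronics Outlet", "5732", Decimal("499")),
        Transaction("office.admin", date(2013, 6, 28), "Electronics Outlet", "5732", Decimal("300")),
        Transaction("sales.rep", date(2013, 6, 3), "Airport Hotel", "7011", Decimal("1200")),
        Transaction("sales.rep", date(2013, 6, 3), "Regional Airline", "4511", Decimal("1400")),
        Transaction("sales.rep", date(2013, 6, 4), "Regional Airline", "4511", Decimal("1400")),
    ]
    decisions = [program.authorize(t)[0] for t in stream]
    return decisions, program.spend_report()


if __name__ == "__main__":
    decisions, report = demo()
    print(decisions)
    for holder, row in report.items():
        print(holder, row)
```

The second transaction is the case the text describes: a card number used at a hotel by someone who is not the cardholder is declined purely on category, before any limit is consulted, and the decline still shows up in the administrator's report.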
Keys to Curbing Payment Fraud
Fraudsters are targeting both paper and electronic payment methods, but checks remain organizations’ most vulnerable means of payment. In fact, according to the AFP, replacing all checks with electronic funds transfers is the single best way to combat fraud.
Ultimately, businesses are responsible for using software and process best practices to protect against payment fraud. No single solution or practice can ensure that a company will avoid fraud losses, so companies need to take a multilayered approach that includes best practices in fraud prevention for checks, ACH payments, and commercial card usage, as well as employee education about general online security measures.
Linda Coven is SVP, treasury management product, online services, for Capital One; in this position, she has responsibility for Capital One’s Treasury Management Online Services, including Treasury Optimizer; File Delivery; Commercial Mobile Banking; and Intellix, the Treasury Management portal. She has held critical leadership positions in the management and development of online banking solutions and currently serves on the American Bankers Association Payment Systems Committee.