Payment fraud is one of the biggest risk management challenges facing corporate treasury managers, and it's one that businesses must battle on two fronts. Although media attention tends to focus on the emergence of technically sophisticated online banking scams, criminals continue to target paper checks for fraud. Both crimes should be front and center on a treasurer's radar.


According to the “2013 AFP Payments Fraud and Control Survey” conducted by the Association for Financial Professionals (AFP), 61 percent of organizations experienced attempted or actual payment fraud in 2012. Checks continued to be the dominant payment form targeted by fraudsters, with 87 percent of affected organizations reporting check fraud attempts. Check fraud has been around for a long time, but in recent years criminals have become more proficient at it. The advent of inexpensive desktop publishing equipment has enabled them to create incredibly authentic-looking counterfeit checks. In its most common form, counterfeiting involves creation of fraudulent checks using an organization's MICR-line data. Criminals also commonly alter the amount or payee name on checks that have actually been issued, or they steal or counterfeit employee paychecks.


Meanwhile, a much smaller proportion of respondents to the AFP survey said they faced attempts at commercial purchasing card fraud (29 percent), Automated Clearing House (ACH) debit fraud (27 percent), or wire transfer fraud (11 percent), although the potential losses are greater via these electronic methods. The typical financial loss among companies that suffered payment fraud in 2012 was $20,300, according to the AFP.


Who's Liable for Fraud Losses?

Some corporate managers believe their banks will necessarily bear liability for any fraud losses they incur—and when the treasury team doesn't fear fraud losses, fraud prevention might not be their top priority. That's why it's crucial to understand that businesses can be held liable for payment fraud. These days, banks and their business clients share responsibility for taking appropriate steps to mitigate fraud risk. If a company fails to take these steps, it may bear liability for fraud losses.


In cases of check fraud losses, the Uniform Commercial Code (UCC) is the legal basis for determining liability. Revisions to the UCC in 1990 increased corporate responsibility in check fraud loss situations and softened the burden for banks. Today the UCC requires corporate account holders to follow “reasonable commercial standards” to guard against check fraud. It suggests that banks and corporate account holders should divide responsibility for a loss based on the extent to which each party contributed to the loss by failing to meet reasonable commercial standards.


The July 2010 outcome of Cincinnati Insurance Company v. Wachovia Bank confirmed the potential for corporate liability in check-fraud losses. In that lawsuit, Wachovia prevailed over a business customer's insurance company. The bank had reportedly recommended that the customer use its positive-pay service, through which Wachovia would have compared all checks presented for payment against a list provided by the client of checks it had legitimately issued. Positive pay would have identified potentially fraudulent items, but the customer declined the service and suffered a $150,000 check fraud loss.


A court determined that the customer was liable for the loss. Its deposit agreement with Wachovia included a conditional release of Wachovia's liability if the customer failed to use the bank's products designed to detect or deter check fraud. (You can read a case summary and the court order at http://www.safechecks.com/articles/files/legal-reasons-to-implement-positive-pay.html.)


Bank Services That Combat Check Fraud

Positive pay is generally considered the most effective available deterrent of check fraud. When a check presented for payment does not match the issuance information provided by the bank's customer, the bank alerts the customer, which can then investigate to determine whether the bank should pay the check as presented.


In addition to standard positive-pay services, many banks offer a “positive payee” service enhancement, which helps flag checks on which the payee name has been altered. Positive payee requires businesses to include payee names in the check issuance files they send to their banks. The bank can then identify any checks presented for payment in which the dollar amount, account number, and serial number match the positive-pay guidance but the payee name does not.
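The matching that positive pay and positive payee perform can be sketched in a few lines of Python. This is an added example, not code from the article or from any bank's system; the record layout, the payee normalization, the duplicate-serial rule, and all sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    account: str
    serial: str
    amount: Decimal
    payee: str

def norm_payee(name):
    # Compare payee names ignoring case, punctuation and spacing.
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

def review_presented(issued, presented, positive_payee=True):
    # One decision per presented item; anything other than PAY is an
    # exception referred to the customer for a pay-or-return decision.
    issue_file = {(c.account, c.serial): c for c in issued}
    paid, decisions = set(), []
    for item in presented:
        key = (item.account, item.serial)
        rec = issue_file.get(key)
        if rec is None:
            decision = "EXCEPTION: not in issue file"
        elif key in paid:  # assumption: a serial number is honoured only once
            decision = "EXCEPTION: serial already paid"
        elif item.amount != rec.amount:
            decision = "EXCEPTION: amount mismatch"
        elif positive_payee and norm_payee(item.payee) != norm_payee(rec.payee):
            decision = "EXCEPTION: payee mismatch"
        else:
            decision = "PAY"
            paid.add(key)
        decisions.append(decision)
    return decisions

# Constructed sample data: the customer's issue file and one day's presentments.
ISSUED = [
    Check("1001", "5001", Decimal("1250.00"), "Acme Supply Co."),
    Check("1001", "5002", Decimal("310.45"), "Northside Freight LLC"),
    Check("1001", "5003", Decimal("88.00"), "City Water Dept"),
]
PRESENTED = [
    Check("1001", "5001", Decimal("1250.00"), "ACME SUPPLY CO"),   # genuine
    Check("1001", "5002", Decimal("310.45"), "J. Doe"),            # altered payee
    Check("1001", "5003", Decimal("8800.00"), "City Water Dept"),  # altered amount
    Check("1001", "5001", Decimal("1250.00"), "Acme Supply Co."),  # duplicate serial
    Check("1001", "7777", Decimal("9800.00"), "Acme Supply Co."),  # counterfeit
]
```

Calling `review_presented(ISSUED, PRESENTED, positive_payee=False)` shows the gap that standard positive pay leaves: the check with the altered payee is paid because its account, serial number, and amount all match.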


Many banks offer several additional services, which businesses can use to further reduce their exposure to check fraud and monitor for fraud attempts, including:

  • Account reconciliation. It's important to ensure that all checks written, stopped, voided, etc. are properly accounted for.
  • Balance reporting. Simply checking balances and transaction details at least once a day can help a company catch discrepancies and potential fraud early.
  • “Post no checks” restrictions on depository accounts. This simple setting enables companies to set up special-purpose accounts to handle only one activity, such as collections.
  • Credit- or debit-only restrictions on accounts. Defining accounts as allowing only debit/payables or credit/collections enables quicker recognition of any attempts at unauthorized activities.


Addressing Low-Tech ACH Fraud

ACH fraud can take a couple of different forms. One, which has been around for years, occurs when a criminal steals a check. Rather than forging the physical check, the criminal uses its routing and bank account numbers to order goods by phone or online. In another form of ACH fraud, a dishonest employee might use the MICR-line information on a paycheck to initiate a fraudulent ACH debit.


The biggest issue in combating these types of low-tech ACH fraud is that rules of NACHA, the electronic payments association, stipulate that a company has only 24 hours to contact its bank to dispute a fraudulent ACH debit. Failure to initiate a dispute within the 24-hour window shifts all liability for fraud losses to the corporate account holder.


To support efforts to prevent ACH fraud, banks offer ACH debit blocks and debit filters. ACH debit blocks enable an organization to specify that its bank should reject any ACH debits against a particular account or accounts. ACH debit filters enable the organization to establish criteria defining which ACH debits the bank should accept for a particular account. Parameters can be general—for instance, dollar limits for a single transaction or a list of acceptable payees—or a company can establish detailed criteria for each authorized payment, providing the name of the approved payee, the exact dollar amount, and the payment initiation date. Such detailed filtering is sometimes referred to as “ACH positive pay.”


Many banks are recommending that commercial clients use separate accounts for check payments and electronic payments. Further, many businesses are segregating electronic payments, using some accounts only for ACH credits and others only for ACH debits. When a paper-only account receives an electronic debit or credit, or when an ACH debit is initiated on a credit-only account, the payment is automatically rejected.
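The debit blocks, debit filters, “ACH positive pay” authorizations, and account segregation described above can be expressed as one screening decision per incoming ACH entry. The Python below is an added example, not the article's or any bank's implementation; the policy fields, account names, originator names, and amounts are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class AchEntry:
    account: str
    kind: str            # "debit" or "credit"
    originator: str
    amount: Decimal
    initiated: date

@dataclass(frozen=True)
class Policy:
    accepts: frozenset = frozenset({"debit", "credit"})  # account segregation
    debit_block: bool = False                 # reject every ACH debit
    max_debit: Optional[Decimal] = None       # general filter: dollar limit
    payees: Optional[frozenset] = None        # general filter: approved payees
    exact: Optional[frozenset] = None         # "ACH positive pay" authorizations

def screen(entry, policy):
    if entry.kind not in policy.accepts:
        return f"REJECT: account takes no ACH {entry.kind}s"
    if entry.kind == "credit":
        return "ACCEPT"
    if policy.debit_block:
        return "REJECT: debit block"
    if policy.exact is not None:  # payee, exact amount and date must all match
        key = (entry.originator, entry.amount, entry.initiated)
        return "ACCEPT" if key in policy.exact else "REJECT: not pre-authorized"
    if policy.payees is not None and entry.originator not in policy.payees:
        return "REJECT: payee not approved"
    if policy.max_debit is not None and entry.amount > policy.max_debit:
        return "REJECT: over dollar limit"
    return "ACCEPT"

# Constructed policies, one per account (account names are hypothetical).
POLICIES = {
    "CHECKS": Policy(accepts=frozenset()),                 # paper-only
    "COLLECTIONS": Policy(accepts=frozenset({"credit"})),  # ACH credits only
    "OPERATING": Policy(debit_block=True),
    "PAYABLES": Policy(payees=frozenset({"UTILITYCO"}), max_debit=Decimal("5000")),
    "TAX": Policy(exact=frozenset({("STATE TAX", Decimal("1830.00"), date(2013, 6, 17))})),
}

def screen_account(entry):
    # Look up the receiving account's policy and screen the entry against it.
    return screen(entry, POLICIES[entry.account])
```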


Online Banking: New Opportunities for Fraud


In recent years, a new type of ACH fraud has emerged as criminals have taken advantage of companies' adoption of online banking. In fact, new online banking scams are introduced almost daily.


One of these scams' earliest forms was “phishing.” In a phishing attack, someone receives an email from what appears to be a trusted business partner, such as a bank. The email may ask the reader to open an attachment or click a link. The website the reader lands on may appear to be legitimate, but in actuality it's a counterfeit site. Once on a counterfeit site, a treasury professional may be asked to divulge bank account numbers and online banking credentials, such as usernames and passwords.


As corporate treasuries have become more savvy in avoiding phishing scams, criminals have developed more targeted forms of attack. One, called “reverse phishing,” begins when a corporate staff member receives an e-mail that appears to be from a known vendor. Rather than asking for online banking credentials, the message's sender asks the recipient to take an action, such as redirecting an electronic trade payment to a different bank account. The victimized company may not even realize it has been scammed until weeks later, when the actual vendor calls to ask why its invoice is unpaid.


Even harder to detect, many fraudsters today work through credential-stealing malware. In a typical scam, a finance manager receives an e-mail falsely purporting to be from a credible source, such as the Better Business Bureau. The e-mail asks the recipient to view a document, and when he opens the message's attachment or clicks the provided link, malware installs on his computer. The next time the victim visits an online banking site, the malware alerts the criminal, who uses keystroke logging technology to capture the victim's login and security credentials.


Treasury professionals are wrong to assume that banks will accept liability for any losses that occur when fraudsters access accounts by compromising an online banking platform. Most banks' online services agreements outline liability—but in general, a company is liable for payment fraud losses that occur because the company failed to protect its systems.


One of the simplest and most effective controls in combating online payment fraud is the use of dual control in payment initiation; one person initiates each transaction, while a second individual reviews and approves it. This is a best practice based on the premise of separation of duties, and many banks now require it.


Cards Are Targets, Too


Twenty-nine percent of the respondents to the AFP's 2013 survey who were affected by payment fraud reported that commercial cards were targeted. In fact, of those respondents reporting that they experienced attempted or actual fraud related to business-to-business card transactions, 48 percent said it resulted from the improper use of their own commercial cards.


Seventy-four percent reported experiencing commercial card fraud at the hands of an unknown external party. One common scam is “vishing,” through which a cardholder receives a call from someone who has the purchasing card number. Pretending to be reporting a fraudulent transaction, the caller asks for the cardholder's CVV2 code over the phone. With the card number and code, the criminal can then successfully make unauthorized purchases.


Twenty-six percent of AFP survey respondents said they were subject to fraud perpetrated by their own employees, such as use of a commercial card to pay for an unauthorized purchase. Interestingly, respondents said their organizations were liable for card-fraud losses 26 percent of the time, which is about half the frequency with which the card-issuing bank was liable (49 percent) and around the same frequency with which the merchant was held liable (23 percent).


One of the best ways to curtail payment-card fraud is to impose spending restrictions on individual cardholders. Most banks allow corporate customers to establish a variety of limits. For instance, a commercial-card program administrator might tell the bank that a particular cardholder can spend no more than $500 per transaction. Or the administrator might set a daily or monthly spending limit for each cardholder; transactions that exceed the restriction will be declined.


A card-program administrator can also use merchant category codes to define the types of businesses at which the card can be used. For example, the administrator might dictate that a particular employee who never travels for business cannot use her card at hotels. Such restrictions can help prevent fraud by unknown external parties because if a card or card number is stolen, the thief will only be able to make purchases from merchants in approved categories.


Treasury managers and commercial-card program administrators can also use their card's online reporting tools to monitor employee spending and look for fraud. Online card management tools typically allow administrators to generate reports on spending activities by cardholder.


Keys to Curbing Payment Fraud


Fraudsters are targeting both paper and electronic payment methods, but checks remain organizations' most vulnerable means of payment. In fact, according to the AFP, replacing all checks with electronic funds transfers is the single best way to combat fraud.


Ultimately, businesses are responsible for using software and process best practices to protect against payment fraud. No single solution or practice can ensure that a company will avoid fraud losses, so companies need to take a multilayered approach that includes best practices in fraud prevention for checks, ACH payments, and commercial card usage, as well as employee education about general online security measures.


Linda Coven is SVP, treasury management product, online services, for Capital One; in this position, she has responsibility for Capital One's Treasury Management Online Services, including Treasury Optimizer; File Delivery; Commercial Mobile Banking; and Intellix, the Treasury Management portal. She has held critical leadership positions in the management and development of online banking solutions and currently serves on the American Bankers Association Payment Systems Committee.
