2012 Payments Fraud Survey Summary of Results
Federal Reserve Bank of Dallas
FIRM—Financial Institution Relationship Management
August 30, 2012

1. Introduction

In April 2012, the Federal Reserve Bank of Dallas’ FIRM—Financial Institution Relationship Management Department conducted research on payments-related fraud experienced by organizations in the Dallas Fed District.[1] We asked our financial institution constituents to respond to an online survey about their experiences with payments fraud and the methods they use to reduce fraud risk. In addition, the survey audience was expanded with the help of the following organizations, which sent invitations to complete the survey directly to their members: SWACHA—The Electronic Payments Resource; the Dallas Association for Financial Professionals (AFP), Fort Worth AFP, Austin AFP, Houston Treasury Management Association (TMA) and San Antonio TMA. We thank those organizations for their help in obtaining responses.

The survey covered transactions made using cash, check, debit and credit cards, automated clearinghouse (ACH), and wire transfers. This survey effort was part of a broader initiative conducted in conjunction with the Federal Reserve Banks of Minneapolis, Boston and Richmond, as well as the Independent Community Bankers of America. We plan to repeat this survey biannually in the years ahead, which will allow us to analyze trend data on payments fraud in the district over multiple years.

2. Respondent Information

There were a total of 139 respondents to the survey based in the Dallas Fed District, 120 (86%) in the financial services industry, almost all of which are financial institutions (FIs),[2] and 19 (14%) non-financial services organizations. The remaining non-financial institution respondents classified their organizations in one of 19 industry categories, as shown in Chart A. Respondents are also categorized by their organizations’ annual revenues, shown in Chart B.
Just over half of the organizations have annual revenues of less than $50 million. Chart C shows, for financial institution respondents only, the number of respondents in each of various asset-size groups. About 80% of respondents were from organizations with less than $1 billion in assets.

[1] Questions about the survey should be directed to Matt Davies, AAP, CTP, Director of Payments Outreach, Federal Reserve Bank of Dallas, at matt.davies@dal.frb.org or 214-922-5259.
[2] For the purposes of this survey, the term “financial institutions” includes both banks and credit unions.

©2012 Federal Reserve Bank of Dallas

[Chart A: Non-Financial Service Industry Respondent Classification]

[Chart B: Revenue for All Respondents. Series: FI, N=119; Non-FI, N=20; Total, N=139]

[Chart C: FI Respondents by Asset Size (N=117)]

3. Summary of Survey Results by Question

a. Payments Made and Payment Types Used by Respondent Organizations

Non-financial institution respondents were asked whether their organization’s payments typically have as their counterparties consumers, other businesses (including government entities) or both. As can be seen in Chart D, respondents were split evenly between payments primarily to/from other businesses and payments to/from both consumers and businesses.
[Chart D: Payment Volume Counterparties, Non-FI (N=20). Categories: payments to/from both consumers and businesses; payments to/from other businesses; payments to/from consumers]

Chart E shows payment types accepted by non-financial institution respondents, while Chart F shows payment types used for disbursements by the same subset of respondents.

[Chart E: Payment Types Accepted by Non-FIs (N=20). Categories: Check; ACH Credits; Wire; Credit Cards; ACH Debits; Cash; Debit - Signature; Debit - PIN; Prepaid Cards; Other]

[Chart F: Payment Types Used by Non-FIs for Disbursements (N=20)]

Financial institution respondents were asked to indicate whether their customer base is composed primarily of consumers, commercial clients or both. As can be seen in Chart G, nearly three-fourths of financial institution respondents offer services to both consumer and commercial customers.

[Chart G: Types of Customers to Which FIs Offer Payments Products/Services (FI, N=116). Categories: both consumers and business or commercial clients; primarily to consumers; primarily business or commercial clients]

Chart H illustrates the types of payments offered by financial institution respondents.

[Chart H: Payment Products Offered by FIs (FI, N=117). Categories: Wire; Debit - PIN; Check; ACH; Bill Payment; Debit - Signature; Remote Deposit Capture; Prepaid Cards; Credit Cards; Lockbox Services; International Payments; Mobile Payments; P2P Payments]

b. Payments Fraud Attempts and Financial Losses

Only two (1.7%) of the financial institution respondents reported no payments fraud attempts; that figure was four (20%) for all other organizations. Respondents were asked which payment types had the highest number of attempts, as reported in Chart I. Of FI respondents, 83.6% chose signature debit card attempts, followed by check (49.1%) and PIN debit (45.7%). Check fraud attempts were by far the highest among non-FI organizations at 65%, with credit card second highest at 35%.

[Chart I: Top Payment Types with Highest Number of Fraud Attempts (% of Respondents). Series: FI, N=116; Non-FI, N=20; Total, N=136]

For all payment types except signature debit, the majority of financial institution respondents indicated that their fraud prevention costs exceed their actual dollar losses to fraud (Chart J). Non-financial institution respondents tended to offer or use fewer types of payments, but for those payment types offered/used, they also indicated that fraud prevention tends to be more costly than actual fraud losses (Chart K).

[Chart J: Cost of Fraud Prevention vs. Actual Fraud Loss - FIs. Series: Prevention Costs; Actual Fraud Loss; Don't Offer/Use PYMT]

[Chart K: Cost of Fraud Prevention vs. Actual Fraud Loss - Non-FIs. Series: Prevention Costs; Actual Fraud Loss; Don't Offer/Use PYMT]

Only 2.8% of the FI respondents reported no dollar losses due to payments fraud; that number jumps to 77.8% for all other respondents. Respondents were asked which payment types have the highest dollar losses, as reported in Chart L. Eighty-six percent of the financial institution respondents identified signature debit cards as having the highest dollar losses, followed by PIN debit cards and checks. In contrast, non-financial institution respondents identified credit cards and signature debit cards as having the highest dollar losses at about 11% each, followed by checks, ACH and cash at about 6% each.

[Chart L: Payment Types with Highest Dollar Losses Due to Fraud. Series: FI, N=107; Non-FI, N=18]

Over 74% of respondents estimated losses as 0.5% or less of their annual revenue (Table 1). Nearly 63% of all respondents selected the lowest range of loss, or less than 0.3% of annual revenues. These data suggest that losses due to payments fraud are relatively well controlled.

Table 1: Payments Fraud Financial Losses by Percentage of Respondents that Incurred Losses

Loss Range as a Percent of Annual Revenue   0%    >0% - .3%   .3% - .5%   .6% - 1%   1.1% - 5%   Over 5%
# of FI respondents (N=102)                 2     72          14          9          4           1
% of FI respondents                         2%    71%         14%         9%         4%          1%
# of Non-FI respondents (N=18)              14    3           0           1          0           0
% of Non-FI respondents                     78%   17%         0%          6%         0%          0%
# of all respondents (N=120)                16    75          14          10         4           1
% of all respondents                        13%   63%         12%         8%         3%          1%

Nearly 45% of respondents experienced increased fraud loss in 2012 over 2011 (Chart M), while approximately 38% indicated their financial losses due to fraud had stayed the same, and nearly 17% reported that they had decreased.

[Chart M: Change in Payments Fraud Losses (2011 vs. 2010). Categories: Increased; Stayed the same; Decreased. Series: FI, N=107; Non-FI, N=18; Total, N=125]

As shown in Charts N and O below, respondents that reported an increase in loss estimated the size of the increase. Nearly 45% of these respondents cited an increase of 1% to 5%, and 13% estimated an increase of 10% or more. However, based on Table 1 above, note that, despite these increases, the total loss, estimated as a percentage of revenues, remains relatively small for the vast majority of respondents.

Chart N: Percent Increase in Financial Losses - FIs (FI, N=53)
1 - 5%: 45%
6 - 10%: 11%
More than 10%: 13%
Unsure: 30%

Chart O: Percent Increase in Financial Losses - Non-FIs (Non-FI, N=3)
1 - 5%: 33%
6 - 10%: 0%
More than 10%: 0%
Unsure: 67%

As shown in Chart P below, respondents that reported an increase in loss were also asked to identify the payment type associated with the increased loss.
Signature debit led the list for financial institutions, while credit cards were tops for non-financial institution respondents.

[Chart P: Payment Type Associated with Increased Loss (% of Respondents w/ Increased Losses). Series: FI, N=53; Non-FI, N=3; Total, N=56]

Charts Q and R below indicate the responses of those that reported a decrease in loss, who were then asked to estimate the size of the decrease.

Chart Q: Percent Decrease in Losses - FI (FI, N=16)
1-5%: 31%
6-10%: 0%
More than 10%: 44%
Unsure: 25%

Chart R: Percent Decrease in Losses - Non-FI (Non-FI, N=4)
1-5%: 0%
6-10%: 25%
More than 10%: 25%
Unsure: 50%

Chart S below shows the results for respondents that reported a decrease in loss who were then asked to identify the payment type associated with the decreased loss. In this area, signature debit topped the list for financial institutions, while checks were the biggest contributing factor for non-financial institution respondents.

[Chart S: Payment Type Associated with Decreased Loss (% of Respondents w/ Increased Losses). Series: FI, N=17; Non-FI, N=3]

In total, 14 respondents (12 financial institutions and two non-financial institution respondents) indicated that their organizations had made changes to their payments risk management practices that led to the decrease in 2011 payments fraud losses, while seven indicated that they had not.
Among those who had made changes to their practices, the most common change was to enhance the organization’s systems for monitoring fraud (Chart T). Other changes included increasing staff training/education and enhancing internal controls and procedures.

[Chart T: Changes Made Contributing to Decrease in Losses. Categories: Enhanced fraud monitoring system; Staff training & education; Enhanced internal procedures; Adopted or increased use of a financial service; Enhanced authentication methods. Series: FI, N=11; Non-FI, N=2]

Respondents who indicated that enhancements to their organization’s fraud monitoring systems had helped to reduce fraud losses were asked to further identify the payment types to which enhanced monitoring applies. Their responses are summarized in Chart U below.

[Chart U: Payments to which Enhanced Monitoring Applies. Categories: Card transactions; ACH transactions; Wire transactions; Check transactions; Other. Series: FI, N=9; Non-FI, N=0]

c. Most Common Fraud Schemes

For payments received by non-financial institution respondents, the top two current fraud schemes most often used were altered/forged checks and counterfeit checks (Chart V). Fifty percent of non-FI respondents reported altered or forged checks as the top scheme most often used, followed by counterfeit checks at 43%.

Chart V: Top 3 Current Fraud Schemes Involving Payments Accepted By % of Non-FI Respondents (Non-FI, N=14)
Altered or forged checks: 50%
Counterfeit checks: 43%
Counterfeit or stolen cards used online: 7%
Counterfeit or stolen cards used at POS: 14%
Counterfeit currency: 29%
Cash register frauds: 7%
Other internet payments: 7%
Use of fraudulent credentials/data: 7%
Fraudulent checks converted to ACH: 0%
Wireless-initiated payments: 0%
Telephone-initiated payments: 0%

Financial institution respondents indicated that, in payments by or on behalf of their customers, the top two current fraud schemes most often used by fraudsters were counterfeit or stolen cards used at the point of sale (84%) and used online (70%), with counterfeit checks (48%) rounding out the top three (Chart W). Surprisingly, while “corporate account takeover” is a theme often highlighted in the press as a major issue, it was not cited as a significant theme that affected respondents to this survey.

Chart W: Top 3 Current Fraud Schemes Involving Payments Accepted By % of FI Respondents (FI, N=101)
Counterfeit or stolen cards used at POS: 84%
Counterfeit or stolen cards used online: 70%
Counterfeit checks: 48%
Altered or forged checks: 31%
Other internet payments: 15%
Account takeover of customers' accounts: 6%
Telephone-initiated payments: 3%
Counterfeit currency: 6%
Use of fraudulent credentials/data: 4%
Fraudulent checks converted to ACH: 6%
Other: 0%
Power of Attorney documents for schemes: 0%
Wireless-initiated payments: 1%

Financial institution respondents that experienced fraud against their organization’s own account(s) identified counterfeit checks and unauthorized or fraudulent ACH debits as the top schemes most often used (Chart X).

Chart X: Fraud Schemes Involving Organization’s Own Accounts by % of FI Respondents (FI, N=83)
Counterfeit checks: 37%
Altered or forged checks: 21%
Fraudulent or unauthorized ACH debits: 31%
Fraudulent or unauthorized card transactions: 24%
Breach of organization's access or security controls: 8%
Internal fraud scheme: 6%

Charts Y and Z list the top three sources of information used in fraud schemes, as reported by financial and non-financial institution respondents, respectively. Approximately 70% of the financial institution respondents identified “sensitive” information obtained from a lost or stolen card, check or other physical document or device while in the consumer’s control. For non-financial institution respondents, however, the organization's information was most commonly obtained from a legitimate check issued by the organization.

[Chart Y: Top 3 Information Sources Used in Fraud Schemes - FIs]

[Chart Z: Top 3 Information Sources Used in Fraud Scheme - Non-FIs]

e. Payments Fraud Mitigation Methods Used

Respondents were asked about their use of—and the effectiveness of—various types of fraud mitigation methods and tools. Questions were asked in four areas: i) authentication methods, ii) transaction screening and risk management approach, iii) internal controls, and iv) risk mitigation services offered by financial institutions.

i. Authentication. Respondents were asked which authentication methods their organizations currently use or plan to use to mitigate payment risk. Responses are indicated in Charts AA and BB for financial and non-financial institution respondents, respectively. In a hopeful sign for the growth in adoption of the EMV standards[3] for card processing, some 17% of FI respondents indicated that they plan to use chip card authentication by 2014.

[3] EMV® is a global standard for credit and debit card transactions based on chip card technology. Though widely adopted in other developing countries, the United States is only beginning to move away from magnetic (“mag”) stripe technology to the EMV standards. The standard is commonly referred to as “chip-and-PIN,” although in the U.S. implementation—as led by the card associations Visa, MasterCard, Discover and American Express—both the option of “chip-and-PIN” and “chip-and-signature” will be allowed.

[Chart AA: Authentication Methods - FIs. Series: Use; Use by 2014; Don't use]

[Chart BB: Authentication Methods - Non-FIs. Series: Use; Use by 2014; Don't use]

Respondents who indicated that their institutions use the various types of authentication methods shown above were then asked to rate the effectiveness of those authentication methods. Overall, both categories of respondents indicate that the processes they have in place are effective (Charts CC and DD). For financial institutions using signature verification, it was the authentication method most often thought to be “somewhat ineffective” (11%), while non-financial institution respondents using magnetic stripe authentication more often chose that method as “somewhat ineffective” (50%), though the limited number of respondents to this question may make it hard to draw a broad conclusion.

[Chart CC: Effectiveness of Authentication - FIs. Series: Very effective; Somewhat effective; Somewhat ineffective]

[Chart DD: Effectiveness of Authentication - Non-FIs. Series: Very effective; Somewhat effective; Somewhat ineffective]

ii. Transaction Screening and Risk Management Approach. Use of different methods to screen transactions and apply centralized risk management varied significantly in overall adoption between FIs and other organizations (Charts EE and FF). While both financial and non-financial institution respondents rely on human review of payment transactions, a larger percent of FI respondents have adopted or plan to adopt centralized fraud information databases (for either one or multiple payment types) and participate in fraudster databases/receive alerts.

[Chart EE: Screening and Risk Management - FIs. Series: Use; Use by 2014; Don't use]

[Chart FF: Screening and Risk Management - Non-FIs. Series: Use; Use by 2014; Don't use]

Respondents who indicated that they use certain screening and risk management processes were also asked to report on their sense of the effectiveness of those processes. Their responses are indicated in Charts GG and HH. As with the effectiveness of their authentication processes in the section above, in the case of transaction screening and risk management processes, both categories of respondents indicate that the processes they have in place are effective.
For non-financial institution respondents, “participate in fraudster databases and receive alerts” was the only method deemed by any respondent(s) to be “somewhat ineffective,” though, again, the limited number of respondents to this question may make it hard to draw a broad conclusion there.

[Chart GG: Effectiveness of Transaction Screening and Risk Mgmt. - FIs. Series: Very effective; Somewhat effective; Somewhat ineffective]

[Chart HH: Effectiveness of Transaction Screening and Risk Mgmt. - Non-FIs. Series: Very effective; Somewhat effective; Somewhat ineffective]

iii. Internal Controls. Respondents were asked which internal controls and procedures their organizations currently use or plan to use (Charts II and JJ).
Ninety-seven percent of financial institution respondents reconcile bank accounts daily, but only 81% of non-financial institutions do so. Non-financial institution respondents seem to show a strong preference for use of separate accounts for different types of payments. Non-financial institution respondents seem to be more focused on card-related solutions, as by 2014 a number of respondents plan to set transaction limits for corporate card purchases and to review card-related reports daily.

[Chart II: Internal Controls - FIs. Series: Use; Use by 2014; Don't use]

[Chart JJ: Internal Controls - Non-FIs. Series: Use; Use by 2014; Don't use]

Respondents who indicated they used the types of internal controls as shown above were also asked to report on the effectiveness of those controls. Their responses are indicated in Charts KK and LL. As with the effectiveness of both their authentication processes and in the transaction screening and risk management processes (in the sections above), in the case of internal controls, both categories of respondents indicate that the processes they have in place are effective.

[Chart KK: Effectiveness of Internal Controls - FIs. Series: Very effective; Somewhat effective; Somewhat ineffective]

[Chart LL: Effectiveness for Internal Controls - Non-FIs. Series: Very effective; Somewhat effective; Somewhat ineffective]

iv. Risk Mitigation Services Offered by Financial Institutions. Of the various risk mitigation services offered by financial institutions, the top five used by non-financial institution respondents as reported in Chart MM are: online information services (e.g., statements), multifactor authentication to initiate payments, fraud loss prevention insurance, check positive pay/reverse positive pay, and ACH debit blocks. Based on the responses as to which services FIs plan to use by 2014, there appears to be significant planned growth in the ACH area, with the use of ACH payee positive pay (23%) and ACH debit blocks (7%) and debit filters (7%) on the horizon.
Chart MM: Percentage of Non-FIs Using Risk Mitigation Services Offered by FIs

| Service | Use | Use by 2014 | Don't use |
|---|---|---|---|
| Online information services, e.g., statements | 100% | 0% | 0% |
| Multi-factor authentication to initiate payments | 87% | 0% | 13% |
| Check positive pay/reverse positive pay | 80% | 0% | 20% |
| ACH debit blocks | 80% | 7% | 13% |
| Account alert services | 69% | 0% | 31% |
| ACH debit filters | 71% | 7% | 21% |
| Fraud loss prevention services, e.g., insurance | 86% | 0% | 14% |
| Card alert services for commercial/corporate cards | 62% | 8% | 31% |
| Check payee positive pay | 57% | 7% | 36% |
| ACH positive pay | 46% | 0% | 54% |
| Post no check services | 33% | 0% | 67% |
| ACH payee positive pay | 15% | 23% | 62% |
| Account masking services | 0% | 8% | 92% |

When it comes to the effectiveness of these services offered by financial institutions, nonfinancial institution respondents (users of the services) overall indicated positive responses (Chart NN). The one exception was fraud loss prevention services (e.g., insurance). It is possible that financial institution respondents see insurance as less effective as it does not prevent fraud; it is really only a solution for after fraud has already occurred.
Chart NN: Effectiveness of Risk Mitigation Services

[Chart NN categories: Account masking services; ACH payee positive pay; Check payee positive pay; ACH debit blocks; Check positive pay/reverse positive pay; ACH positive pay; Multi-factor authentication to initiate payments; ACH debit filters; Post no check services; Online information services, e.g., statements; Card alert services for commercial/corporate cards; Account alert services; Fraud loss prevention services, e.g., insurance. Legend: Very effective; Somewhat effective; Somewhat ineffective.]

Chart OO provides a view of the various risk mitigation services that are being offered by financial institution respondents. A large majority of respondents are offering services such as online statements to their corporate customers and have implemented multifactor authentication requirements for the initiation of payments. As one moves down the list of service offerings to more complex products, such as positive pay/reverse positive pay and payee positive pay (for both check and ACH), the percentage of financial institution respondents offering those services decreases significantly. It is possible that community bank respondents either cannot offer some of these more sophisticated services or they do not have a commercial customer base that has yet expressed a need for them. In addition, because the financial institution respondents include all types of FIs – both banks and credit unions – the number of respondents may reflect some credit unions that traditionally support individual members, as opposed to corporate customers, and may not need to offer such services to their retail customer base.
Chart OO: Percentage of FI/Svc. Provider Respondents Offering Risk Mitigation Services

[Chart OO categories: Online information services, e.g., statements; Multi-factor authentication to initiate payments; Account alert services; Account masking services; ACH debit blocks; Card alert services for commercial/corporate cards; ACH debit filters; Check positive pay/reverse positive pay; ACH positive pay; Post no check services; Check payee positive pay; ACH payee positive pay. Legend: Offer; Offer by 2014; Don't offer.]

f. Opportunities to Reduce Payments Fraud

Respondents reported on opportunities to reduce fraud in three areas: i) organizational actions, ii) barriers to reducing payments fraud, and iii) legal and regulatory changes.

i. Organizational Actions. Respondents were asked what new or improved methods are most needed to reduce payments fraud (Chart PP). Nearly two-thirds of the respondents said their organizations should apply controls over Internet payments, while more than half of all respondents are in favor of replacement of card/magnetic stripe technology. The latter bodes well for the coming adoption of the EMV standards for card transactions in the U.S. 4

4 See page 19.
Chart PP: New/Improved Methods Needed to Reduce Payments Fraud

[Chart PP categories: Controls over internet payments; Replacement of card/magnetic strip technology; Consumer education of fraud prevention; More aggressive law enforcement; Information sharing on emerging fraud tactics being conducted by criminal rings; Controls over mobile payments; Industry alert services; Image-survivable check security features for business checks; Industry-specific education on best prevention practices for fraud; Other. Series: FI, N=85; Non-FI, N=13; Total, N=98.]

When asked what authentication methods their organizations might prefer or consider adopting to help reduce payments fraud, the adoption of tokens led the way among nonfinancial institution respondents, while multifactor authentication was the top method among financial institution respondents. When viewed in total, approximately 58% of respondents were in favor of multifactor authentication (Chart QQ).

Chart QQ: Authentication Methods Preferred/Considered for Adoption to Reduce Payments Fraud

[Chart QQ categories: Chip and PIN requirement; Multi-factor authentication; Chip for dynamic authentication; Out-of-band/channel authentication…; PIN requirement; Token; Mobile device to authenticate person; Biometrics; Other. Series: FI, N=83; Non-FI, N=9; Total, N=92.]

ii. Barriers to Reducing Payments Fraud. Respondents reported on barriers to further reducing payments fraud. Most identified a version of “cost” as the main barrier, citing lack of staff resources, implementation costs and lack of compelling business case as the main barriers.
A complete summary is listed in Chart RR.

Chart RR: Main Barriers to Payments Fraud Mitigation

[Chart RR categories: Lack of staff resources; Consumer data privacy issues/concerns; Cost of implementing in-house fraud detection tool/service; Cost of implementing commercially available fraud detection tool/service; Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods; Corporate reluctance to share information due to competitive issues; Unable to combine payment information for review due to operating w/ multiple business areas,…; Other. Series: FI, N=80; Non-FI, N=10; Total, N=90.]

iii. Legal or Regulatory Changes. Respondents were also asked to offer views on legal and regulatory changes that would help reduce payments fraud. Many respondents would like to see increased penalties for fraud and more likely prosecution. Topping the list for FI respondents was placing more responsibility for fraud mitigation with—and shifting liability for fraudulent card payments to—the entity that initially accepts the card. This is interesting in light of the planned liability shifts that are part of the EMV “roadmaps” of all the major card associations (MasterCard, Visa, Discover and American Express). Table 2 lists these and other considerations.
Table 2: Legal and Regulatory Considerations by Percentage of Respondents

| Legal and Regulatory Changes | FI (N=86) | FI (%) | Non-FS (N=13) | Non-FS (%) | Total (N=99) | Total (%) |
|---|---|---|---|---|---|---|
| Place responsibility to mitigate fraud and shift liability for fraudulent card payments to the entity that initially accepts the card payment | 67 | 78% | 3 | 23% | 70 | 71% |
| Increase penalties for fraud and attempted fraud | 63 | 73% | 9 | 69% | 72 | 73% |
| Place more responsibility on consumers and customers to reconcile and protect their payment data | 63 | 73% | 5 | 39% | 68 | 69% |
| Assign liability for fraud losses to the party most responsible for not acting to reduce the risk of payment fraud | 60 | 70% | 5 | 39% | 65 | 66% |
| Strengthen disincentives to committing fraud through stiffer penalties and more likely prosecution | 49 | 57% | 10 | 77% | 59 | 60% |
| Improve law enforcement cooperation on domestic and international payments fraud and fraud rings | 48 | 56% | 8 | 62% | 56 | 57% |
| Focus future legal or regulatory changes on data breaches to where breaches occur | 44 | 51% | 3 | 23% | 47 | 47% |
| Align Regulation E and Regulation CC to reflect changes in check collection systems' use of check images and conversion of checks to ACH | 39 | 45% | 4 | 31% | 43 | 43% |
| Assign responsibility for mitigating fraud risk to the party best positioned to take action against fraud | 41 | 48% | 2 | 15% | 43 | 43% |
| Establish new laws/regs or change existing ones in order to strengthen the management of payments fraud risk | 27 | 31% | 5 | 39% | 32 | 32% |

h. Conclusions

Considered as a whole, the results of our 2012 payments fraud survey suggest the following:

• Both financial institutions and corporations of all sizes in the district continue to be concerned about payments-related fraud.

• Most problematic is fraud that affects checks and debit cards because these are the payment types that were most often attacked by fraud schemes and that sustained the highest losses as a result.
These findings are generally consistent with fraud surveys conducted by national industry associations such as the Association for Financial Professionals (AFP). 5

• Although fraud involving “corporate account take-over” has been highlighted in the press recently as a major problem, it was not cited as a significant scheme that affected respondents to this survey.

• Most financial institutions and other corporations report total fraud losses that represent less than .3% of their annual revenues. While any loss due to fraud is undesirable, by this measure these levels are relatively small.

• Organizations are using various internal controls and procedures to mitigate payments fraud risk. Transaction monitoring, authentication, and risk services offered by financial institutions are also used.

• Lack of staff resources is the primary barrier cited by a majority of organizations when considering additional options for mitigating payments fraud risk.

5 See http://www.afponline.org/fraud/