2012 Payments Fraud Survey
Summary of Results
Federal Reserve Bank of Dallas FIRM—Financial Institution Relationship Management
August 30, 2012
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 2
1. Introduction In April 2012, the Federal Reserve Bank of Dallas’ FIRM—Financial Institution Relationship Management Department conducted research on payments-related fraud experienced by organizations in the Dallas Fed District.1 We asked our financial institution constituents to respond to an online survey about their experiences with payments fraud and the methods they use to reduce fraud risk. In addition, the survey audience was expanded with the help of the following organizations, which sent invitations to complete the survey directly to their members: SWACHA—The Electronic Payments Resource; the Dallas Association for Financial Professionals (AFP), Fort Worth AFP, Austin AFP, Houston Treasury Management Association (TMA) and San Antonio TMA. We thank those organizations for their help in obtaining responses. The survey covered transactions made using cash, check, debit and credit cards, automated clearinghouse (ACH), and wire transfers. This survey effort was part of a broader initiative conducted in conjunction with the Federal Reserve Banks of Minneapolis, Boston and Richmond, as well as the Independent Community Bankers of America. We plan to repeat this survey biannually in the years ahead, which will allow us to analyze trend data on payments fraud in the district over multiple years. 2. Respondent Information There were a total of 139 respondents to the survey based in the Dallas Fed District, 120 (86%) in the financial services industry, almost all of which are financial institutions (FIs),2 and 19 (14%) non-financial services organizations. The remaining non-financial institution respondents classified their organizations in one of 19 industry categories, as shown in Chart A. Respondents are also categorized by their organizations’ annual revenues, shown in Chart B. Just over half of the organizations have annual revenues of less than $50 million. Chart C shows, for financial institution respondents only, the number of respondents in each of various asset-size groups. About 80% of respondents were from organizations with less than $1 billion in assets.
1 Questions about the survey should be directed to Matt Davies, AAP, CTP, Director of Payments Outreach, Federal Reserve Bank of Dallas, at [email protected] or 214-922-5259. 2 For the purposes of this survey, the term “financial institutions” includes both banks and credit unions.
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 3
0% 0% 0%
11%
0%
26%
11%
5% 5%
0% 0%
11%
5%
11%
0%
5%
0% 0%
11%
0%
5%
10%
15%
20%
25%
30%
Chart A: Non-Financial Service Industry Respondent Classification
57%
8%
11%
2%
6%
5%
0%
2%
10%
0% 15
%
10%
0% 15
%
5%
25%
15%
10%
5%
0%
51%
8%
9%
4%
6%
8%
2%
3%
9%
0%
0%
10%
20%
30%
40%
50%
60%
Chart B: Revenue for All Respondents
FI, N=119
Non-FI, N=20
Total, N=139
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 4
3. Summary of Survey Results by Question a. Payments Made and Payment Types Used by Respondent Organizations Non-financial institution respondents were asked whether their organization’s payments typically have as their counterparties consumers, other businesses (including government entities) or both. As can be seen in Chart D, respondents were split evenly between payments primarily to/from other businesses and payments to/from both consumers and businesses.
16%
10%
26%
16% 13% 14%
2% 3%
0%
5%
10%
15%
20%
25%
30%
Chart C: FI Respondents by Asset Size (N=117)
50% 50%
0% 0%
10%
20%
30%
40%
50%
60%
Payments to/from both consumers and
businesses
Payments to/ from other businesses
Payments to/ from consumers
Chart D: Payment Volume Counterparties Non-FI
Non-FI, N=20
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 5
Chart E shows payment types accepted by non-financial institution respondents, while Chart F shows payment types used for disbursements by the same subset of respondents.
Financial institution respondents were asked to indicate whether their customer base is composed primarily of consumers, commercial clients or both. As can be seen in Chart G, nearly three-fourths of financial institution respondents offer services to both consumer and commercial customers.
100% 95%
90%
60%
70%
45%
25% 20%
15% 0% 0%
20%
40%
60%
80%
100%
120%
Check ACH Credits
Wire Credit Cards
ACH Debits
Cash Debit - Signature
Debit - PIN
Prepaid Cards
Other
Chart E: Payment Types Accepted by Non-FIs
Non-FI, N=20
100%
75%
75%
65%
70%
10%
10%
10%
0%
0%
0%
20%
40%
60%
80%
100%
120%
Check Wire ACH Credits
ACH Debits
Credit Cards
Cash Prepaid Cards
Debit - Signature
Debit - PIN
Other
Chart F: Payment Types Used by Non-FIs for Disbursements
Non-FI, N=20
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 6
Chart H illustrates the types of payments offered by financial institution respondents.
b. Payments Fraud Attempts and Financial Losses Only two (1.7%) of the financial institution respondents reported no payments fraud attempts; that figure was four (20%) for all other organizations. Respondents were asked which payment types had the highest number of attempts, as reported in Chart I. Of FI respondents, 83.6%
74%
19%
7%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Both Consumers and Business or Commercial
Clients
Primarily to Consumers Primarily Business or Commercial
Clients
Chart G: Types of Customers to Which FIs Offer Payments Products/Services
FI, N=116
10%
28%
27%
44%
46%
56%
62%
86%
93%
95%
94%
99%
99%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
P2P Payments
Mobile Payments
International Payments
Lockbox Services
Credit Cards
Prepaid Cards
Remote Deposit Capture
Debit - Signature
Bill Payment
ACH
Check
Debit - PIN
Wire
Chart H: Payment Products Offered by FIs
FI, N=117
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 7
chose signature debit card attempts, followed by check (49.1%) and PIN debit (45.7%). Check fraud attempts were by far the highest among non-FI organizations at 65%, with credit card second highest at 35%.
For all payment types except signature debit, the majority of financial institution respondents indicated that their fraud prevention costs exceed their actual dollar losses to fraud (Chart J). Non-financial institution respondents tended to offer or use fewer types of payments, but for those payment types offered/used, they also indicated that fraud prevention tends to be more costly than actual fraud losses (Chart K).
84%
49%
46%
16%
22%
8%
2%
3%
1%
0%
5%
65%
0%
35%
10%
5% 20
%
0%
5%
0%
72%
51%
39%
18%
20%
7%
4%
3%
1%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Debit - Signature
Checks Debit - PIN Credit Cards ACH Debits Wire No Fraud ACH Credits Cash Prepaid Cards
Chart I: Top Payment Types with Highest Number of Fraud Attempts (% of Respondents)
FI, N=116
Non-FI, N=20
Total, N=136
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 8
Only 2.8% of the FI respondents reported no dollar losses due to payments fraud; that number jumps to 77.8% for all other respondents. Respondents were asked which payment types have the highest dollar losses, as reported in Chart L. Eighty-six percent of the financial institution
77%
73%
68%
56%
55%
39%
30%
28%
30%
21%
25%
21%
42%
41%
12%
65%
16%
5%
2%
2%
12%
2%
4%
49%
5%
56%
65%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Wire ACH Cash Debit - PIN
Checks Prepaid Cards
Debit - Signature
Credit Cards
Mobile
Chart J: Cost of Fraud Prevention vs. Actual Fraud Loss - FIs
Prevention Costs Actual Fraud Loss Don't Offer/Use PYMT
79%
74%
75%
63%
13%
8%
13%
0%
7%
21%
26%
17%
19%
13%
0%
13%
0%
0%
0%
0%
8%
19%
73%
92%
73%
100%
93%
0%
20%
40%
60%
80%
100%
120%
Chart K: Cost of Fraud Prevention vs. Actual Fraud Loss - Non-FIs
Prevention Costs Actual Fraud Loss Don't Offer/Use PYMT
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 9
respondents identified signature debit cards as having the highest dollar losses, followed by PIN debit cards and checks. In contrast, non-financial institution respondents identified credit cards and signature debit cards as having the highest dollar losses at about 11% each, followed by checks, ACH and cash at about 6% each.
Over 74% of respondents estimated losses as 0.5% or less of their annual revenue (Table 1). Nearly 63% of all respondents selected the lowest range of loss, or less than 0.3% of annual revenues. These data suggest that losses due to payments fraud are relatively well controlled.
86%
47%
38%
12% 9% 6% 3% 2% 3% 0% 11% 0% 6% 11% 6% 0%
78%
6% 0% 0% 0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Debit - Signature
Debit - PIN
Checks Credit Cards
ACH Debits
Wire No Loss Cash ACH Credits
Prepaid Cards
Chart L: Payment Types with Highest Dollar Losses Due to Fraud
FI, N=107
Non-FI, N=18
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 10
Table 1: Payments Fraud Financial Losses by Percentage of Respondents that Incurred Losses
Loss Range as a Percent of Annual Revenue
Column1 0% >0% - .3% .3% - .5% .6% - 1%
1.1% - 5% Over 5%
# of FI respondents (N=102)
2
72
14 9 4 1
% of FI respondents 2% 71% 14% 9% 4% 1%
# of Non-FI respondents (N=18)
14
3 0 1 0 0
% of Non-FI respondents 78% 17% 0% 6% 0% 0%
# of all respondents (N=120)
16
75
14 10 4 1
% of all respondents 13% 63% 12% 8% 3% 1% Nearly 45% of respondents experienced increased fraud loss in 2012 over 2011 (Chart M), while approximately 38% indicated their financial losses due to fraud had stayed the same, and nearly 17% reported that they had decreased.
As shown in Charts N and O below, respondents that reported an increase in loss estimated the size of the increase. Nearly 45% of these respondents cited an increase of 1% to 5%, and 13%
50%
35%
16%
17%
61%
22%
45%
38%
17%
0%
10%
20%
30%
40%
50%
60%
70%
Increased Stayed the same Decreased
Chart M: Change in Payments Fraud Losses
(2011 vs. 2010)
FI, N=107
Non-FI, N=18
Total, N=125
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 11
estimated an increase of 10% or more. However, based on Table 1 above, note that, despite these increases, the total loss, estimated as a percentage of revenues, remains relatively small for the vast majority of respondents.
As shown in Chart P below, respondents that reported an increase in loss were also asked to identify the payment type associated with the increased loss. Signature debit led the list for financial institutions, while credit cards were tops for non-financial institution respondents.
30%
13%
11%
45%
0% 10% 20% 30% 40% 50%
Unsure
More than 10%
6 - 10%
1 - 5%
Chart N: Percent Increase in Financial Losses - FIs
FI, N=53
67%
0%
0%
33%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Unsure
More than 10%
6 - 10%
1 - 5%
Chart O: Percent Increase in Financial Losses - Non-FIs
Non-FI, N=3
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 12
Charts Q and R below indicate the responses of those that reported a decrease in loss, who were then asked to estimate the size of the decrease.
85%
45%
19%
8%
6%
4%
0%
2%
0%
0%
0%
0%
67%
0%
33%
33%
0%
0%
80%
43%
18%
11%
5%
5%
2%
2%
0%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Debit - Signature
Debit - PIN Check Credit Cards
Wire ACH Debits
Cash ACH Credit Prepaid Cards
Chart P: Payment Type Associated with Increased Loss (% of Respondents w/ Increased Losses)
FI, N=53
Non-FI, N=3
Total, N=56
25%
44%
0%
31%
0% 10% 20% 30% 40% 50%
Unsure
More than 10%
6-10%
1-5%
Chart Q: Percent Decrease in Losses - FI
FI, N=16
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 13
Chart S below shows the results for respondents that reported a decrease in loss who were then asked to identify the payment type associated with the decreased loss. In this area, signature debit topped the list for financial institutions, while checks were the biggest contributing factor for non-financial institution respondents.
In total, 14 respondents (12 financial institutions and two non-financial institution respondents) indicated that their organizations had made changes to their payments risk management practices that led to the decrease in 2011 payments fraud losses, while seven indicated that they had not. Among those who had made changes to their practices, the most common change was to enhance the organization’s systems for monitoring fraud (Chart T). Other
50%
25%
25%
0%
0% 10% 20% 30% 40% 50% 60%
Unsure
More than 10%
6-10%
1-5%
Chart R: Percent Decrease in Losses - Non-FI
Non-FI, N=4
0%
0% 6%
12%
6% 12
% 24
%
53%
82%
0%
0%
0%
0%
0%
33%
100%
0%
0%
0%
0% 5%
10%
5% 15
%
35%
45%
70%
0%
20%
40%
60%
80%
100%
120%
Prepaid Cards
Cash Wire ACH Credit
Credit Cards
ACH Debit Checks Debit - PIN Debit - Signature
Chart S: Payment Type Associated with Decreased Loss (% of Respondents w/ Increased Losses)
FI, N=17
Non-FI, N=3
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 14
changes included increasing staff training/education and enhancing internal controls and procedures.
Respondents who indicated that enhancements to their organization’s fraud monitoring systems had helped to reduce fraud losses were asked to further identify the payment types to which enhanced monitoring applies. Their responses are summarized in Chart U below.
82%
73%
64%
46% 46%
0%
50% 50%
0% 0% 0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Enhanced fraud
monitoring system
Staff training & education
Enhanced internal
procedures
Adopted or increased use of a Financial
service
Enhanced authentication
methods
Chart T: Changes Made Contributing to Decrease in Losses
FI, N=11
Non-FI, N=2
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 15
c. Most Common Fraud Schemes For payments received by non-financial institution respondents, the top two current fraud schemes most often used were altered/forged checks and counterfeit checks (Chart V). Fifty percent of non-FI respondents reported altered or forged checks as the top scheme most often used, followed by counterfeit checks at 43%.
100%
33%
22%
22%
0%
0%
0%
0%
0%
0%
0%
20%
40%
60%
80%
100%
120%
Card transactions
ACH transactions
Wire transactions
Check transactions
Other
Chart U: Payments to which Enhanced Monitoring Applies
FI, N=9
Non-FI, N=0
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 16
Financial institution respondents indicated that, in payments by or on behalf of their customers, the top two current fraud schemes most often used by fraudsters were counterfeit or stolen cards used at the point of sale (84%) and used online (70%), with counterfeit checks (48%) rounding out the top three (Chart W). Surprisingly, while “corporate account takeover” is a theme often highlighted in the press as a major issue, it was not cited as a significant theme that affected respondents to this survey.
0%
0%
0%
7%
7%
7%
29%
14%
7%
43%
50%
0% 10% 20% 30% 40% 50% 60%
Telephone-initiated Payments
Wireless-initiated payments
Fraudulent checks converted to ACH
Use of fraudulent credentials/data
Other internet payments
Cash register frauds
Counterfeit currency
Counterfeit or stolen cards used at POS
Counterfeit or stolen cards used online
Counterfeit checks
Altered or forged checks
Chart V: Top 3 Current Fraud Schemes Involving Payments Accepted By % of Non-FI Respondents
Non-FI, N=14
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 17
Financial institution respondents that experienced fraud against their organization’s own account(s) identified counterfeit checks and unauthorized or fraudulent ACH debits as the top schemes most often used (Chart X).
1%
0%
0%
6%
4%
6%
3%
6%
15%
31%
48%
70%
84%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
Wireless-initiated payments
Power of Attorney documents for schemes
Other
Fraudulent checks converted to ACH
Use of fraudulent credentials/data
Counterfeit currency
Telephone-initiated payments
Account takeover of customers' accounts
Other internet payments
Altered or forged checks
Counterfeit checks
Counterfeit or stolen cards used online
Counterfeit or stolen cards used at POS
Chart W: Top 3 Current Fraud Schemes Involving Payments Accepted By % of FI Respondents
FI, N=101
6%
8%
24%
31%
21%
37%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Internal fraud scheme
Breach of organizations access or security controls
Fraudulent or unauthorized card transactions
Fraudulent or unauthorized ACH debits
Altered or forged checks
Counterfeit checks
Chart X: Fraud Schemes Involving Organization’s Own Accounts by % of FI Respondents
FI, N=83
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 18
Charts Y and Z list the top three sources of information used in fraud schemes, as reported by financial and non-financial institution respondents, respectively. Approximately 70% of the financial institution respondents identified “sensitive” information obtained from a lost or stolen card, check or other physical document or device while in the consumer’s control. For non-financial institution respondents, however, the organization's information was most commonly obtained from a legitimate check issued by the organization.
70%
38%
31%
27%
25%
24%
14%
4%
2%
0% 10% 20% 30% 40% 50% 60% 70% 80%
"Sensitive" info obtained from lost or stolen card, check, or other physical doc or device while in
consumer's control
Physical device tampering (e.g., use of skimmer on POS terminal or obtaining magnetic stripe
information)
Email and webpage cyber attacks e.g., phishing, spoofing and pharming to obtain "sensitive" customer
info
Data breach due to computer hacking or cyber attacks
Org's info obtained from legit check issued by org
Info about customer obtained by family or friend
Other
Lost or stolen physical doc or electronic devices while in control of the organization
Employee with legit access to organization or customer info (employee misuse)
Chart Y: Top 3 Information Sources Used in Fraud Schemes - FIs
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 19
e. Payments Fraud Mitigation Methods Used Respondents were asked about their use of—and the effectiveness of—various types of fraud mitigation methods and tools. Questions were asked in four areas: i) authentication methods, ii) transaction screening and risk management approach, iii) internal controls, and iv) risk mitigation services offered by financial institutions. i. Authentication. Respondents were asked which authentication methods their organizations currently use or plan to use to mitigate payment risk. Responses are indicated in Charts AA and BB for financial and non-financial institution respondents, respectively. In a hopeful sign for the growth in adoption of the EMV standards3 for card processing, some 17% of FI respondents indicated that they plan to use chip card authentication by 2014. 3 EMV® is a global standard for credit and debit card transactions based on chip card technology. Though widely adopted in other developing countries, the United States is only beginning to move away from magnetic (“mag’) stripe technology to the EMV standards. The standard is commonly referred to as “chip-and-PIN,” although in the U.S. implementation—as led by the card associations Visa, MasterCard, Discover and American Express—both the option of “chip-and-PIN” and “chip-and-signature” will be allowed.
39%
21%
18%
15%
15%
9%
3%
3%
0% 10% 20% 30% 40% 50%
"Sensitive" info obtained from lost/stolen card, check, or other physical document or
device while in consumer's control
E-mail and webpage cyber attacks (e.g., phishing, spoofing
and pharming) to obtain "sensitive" …
Employee with legitimate access to organization or customer info (employee
misuse)
Data breach due to computer hacking or cyber attacks
Other
Lost or stolen physical doc or electronic devices while in control of the organization
Physical device tampering (e.g., use of skimmer on POS terminal or obtaining
magnetic stripe info)
Info about customer obtained by family or friend
Chart Z: Top 3 Information Sources Used in Fraud Scheme - Non-FIs
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 20
Respondents who indicated that their institutions use the various types of authentication methods shown above were then asked to rate the effectiveness of those authentication methods. Overall, both categories of respondents indicate that the processes they have in place are effective (Charts CC and DD). For financial institutions using signature verification, it was the authentication method most often thought to be “somewhat ineffective” (11%), while non-
1%
14%
25%
66%
66%
68%
71%
88%
85%
90%
17%
4%
9%
1%
7%
2%
1%
4%
0%
0%
82%
82%
66%
33%
27%
30%
28%
8%
15%
10%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Card chip authentication
Biometrics authentication
Verify customer ID is authentic (magnetic stripe)
Positive ID of purchaser for in-store/person …
Real-time decision support during account …
Magnetic stripe authentication
Verify CID codes on payment card
Customer authentication for online transactions
Signature verification
PIN authentication
Chart AA: Authentication Methods - FIs
Use Use by 2014 Don't use
0%
8%
13%
14%
23%
33%
27%
36%
40%
47%
0%
0%
0%
0%
8%
0%
0%
0%
0%
7%
100%
92%
88%
86%
69%
67%
73%
64%
60%
47%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Biometrics authentication
Card chip authentication
Verify customer ID is authentic (magnetic stripe)
Magnetic stripe authentication
Real-time decision support during account …
PIN authentication
Positive ID of purchaser for in-store/person …
Signature verification
Verify CID codes on payment card
Customer authentication for online transactions
Chart BB: Authentication Methods - Non-FIs
Use Use by 2014 Don't use
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 21
financial institution respondents using magnetic stripe authentication more often chose that method as “somewhat ineffective” (50%), though the limited number of respondents to this question may make it hard to draw a broad conclusion.
0%
37%
40%
49%
42%
55%
60%
58%
65%
67%
0%
59%
60%
41%
58%
54%
40%
4%
33%
33%
0%
4%
0%
11%
0%
0%
0%
1%
2%
0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Card chip authentication
Magnetic stripe authentication
Verify CID codes on payment card
Signature verification
Verify customer ID is authentic (magnetic stripe)
Real-time decision support during account …
PIN authentication
Customer authentication for online transactions
Positive ID of purchaser for in-store/person …
Biometrics authentication
Chart CC: Effectiveness of Authentication - FIs
Very effective Somewhat effective Somewhat ineffective
0%
0%
40%
25%
50%
0%
71%
67%
100%
100%
0%
100%
60%
75%
50%
50%
29%
33%
0%
0%
0%
0%
0%
0%
0%
50%
0%
0%
0%
0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Biometrics authentication
Verify customer ID is authentic (magnetic stripe)
Signature verification
Positive ID of purchaser for in-store/person …
Verify CID codes on payment card
Magnetic stripe authentication
Customer authentication for online transactions
Real-time decision support during account …
Card chip authentication
PIN authentication
Chart DD: Effectiveness of Authentication - Non-FIs
Very effective Somewhat effective Somewhat ineffective
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 22
ii. Transaction Screening and Risk Management Approach. Use of different methods to screen transactions and apply centralized risk management varied significantly in overall adoption between FIs and other organizations (Charts EE and FF). While both financial and non-financial institution respondents rely on human review of payment transactions, a larger percent of FI respondents have adopted or plan to adopt centralized fraud information databases (for either one or multiple payment types) and participate in fraudster databases/receive alerts.
43%
52%
48%
76%
83%
87%
85%
86%
94%
11%
4%
11%
4%
7%
0%
1%
0%
3%
47%
44%
42%
20%
10%
13%
14%
14%
2%
0% 20% 40% 60% 80% 100%
Centralized fraud info database - multiple …
Centralized fraud info database - one payment type
Centralized risk management department
Fraud detection software w/ pattern matching
Provide customer education on payment fraud …
Participate in fraudster databases and receive alerts
Human review of payment transactions
Fraud detection pen for currency
Provide staff education on payment fraud risk …
Chart EE: Screening and Risk Management - FIs
Use Use by 2014 Don't use
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 23
Respondents who indicated that they use certain screening and risk management processes were also asked to report on their sense of the effectiveness of those processes. Their responses are indicated in Charts GG and HH. As with the effectiveness of their authentication processes in the section above, in the case of transaction screening and risk management processes, both categories of respondents indicate that the processes they have in place are effective. For non-financial institution respondents, “participate in fraudster databases and receive alerts” was the only method deemed by any respondent(s) to be “somewhat ineffective,” though, again, the limited number of respondents to this question may make it hard to draw a broad conclusion there.
6%
6%
12%
14%
19%
31%
50%
80%
88%
6%
6%
6%
0%
0%
0%
0%
0%
0%
88%
88%
82%
86%
81%
69%
50%
20%
13%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Centralized fraud info database - multiple payment types
Centralized fraud info database - one payment type
Participate in fraudster databases and receive alerts
Provide customer education on payment fraud risk mitigation
Fraud detection software w/ pattern matching
Fraud detection pen for currency
Centralized risk management department
Provide staff education on payment fraud risk mitigation
Human review of payment transactions
Chart FF: Screening and Risk Management - Non-FIs
Use Use by 2014 Don't use
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 24
iii. Internal Controls. Respondents were asked which internal controls and procedures their organizations currently use or plan to use (Charts II and JJ). Ninety-seven percent of financial
25%
42%
54%
53%
46%
50%
49%
57%
66%
68%
53%
46%
46%
49%
48%
49%
42%
32%
7%
5%
0%
1%
5%
2%
3%
2%
3%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Provide customer education on payment fraud …
Participate in fraudster databases and receive alerts
Provide staff education on payment fraud risk …
Human review of payment transactions
Fraud detection pen for currency
Centralized fraud info database - one payment type
Centralized fraud info database - multiple …
Fraud detection software w/ pattern matching
Centralized risk management department
Chart GG: Effectiveness of Transaction Screening and Risk Mgmt. - FIs
Very effective Somewhat effective Somewhat ineffective
0%
43%
50%
50%
50%
64%
100%
100%
100%
100%
57%
0%
50%
50%
36%
0%
0%
0%
0%
0%
50%
0%
0%
0%
0%
0%
0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Fraud detection pen for currency
Centralized risk management department
Participate in fraudster databases and receive alerts
Provide customer education on payment fraud …
Provide staff education on payment fraud risk …
Human review of payment transactions
Centralized fraud info database - one payment type
Fraud detection software w/ pattern matching
Centralized fraud info database - multiple …
Chart HH: Effectiveness of Transaction Screening and Risk Mgmt. - Non-FIs
Very effective Somewhat effective Somewhat ineffective
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 25
institution respondents reconcile bank accounts daily, but only 81% of non-financial institutions do so. Non-financial institution respondents seem to show a strong preference for use of separate accounts for different types of payments. Non-financial institution respondents seem to be more focused on card-related solutions, as by 2014 a number of respondents plan to set transaction limits for corporate card purchases and to review card-related reports daily.
45% 56%
73% 82% 84%
88% 95% 94%
91% 97% 97% 95% 95% 100% 100%
7% 2%
1% 1%
1% 0%
0% 1%
3% 0% 0% 1% 0%
0% 0%
48% 42%
26% 17% 15% 12%
5% 5%
6% 4%
4% 4% 5% 0% 0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Employee hotline to report potential fraud Dedicated computer for transactions w/ FI or for …
Separate banking accounts by purpose or … Transaction limits for corporate card purchases Restrict/limit employee internet use from org's … Physical access controls to payment processing …
Transaction limits for payment disbursements Review card related reports daily
Logical access controls to network/payment … Authentication/authorization controls to payment …
Reconcile bank accounts daily Verify controls applied via audit or management … Dual controls/separation of duties w/in payment …
Address exception items timely Periodic internal/external audits
Chart II: Internal Controls - FIs
Use Use by 2014 Don't use
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 26
Respondents who indicated they used the types of internal controls as shown above were also asked to report on the effectiveness of those controls. Their responses are indicated in Charts KK and LL. As with the effectiveness of both their authentication processes and in the transaction screening and risk management processes (in the sections above), in the case of internal controls, both categories of respondents indicate that the processes they have in place are effective.
53%
47%
50%
69%
87%
67%
81%
88%
87%
18%
100%
100%
93%
100%
94%
13%
0%
0%
6%
0%
0%
0%
0%
7%
6%
0%
0%
0%
0%
0%
33%
53%
50%
25%
13%
33%
19%
13%
7%
13%
0%
0%
7%
0%
6%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Review card related reports daily
Dedicated computer for transactions w/ FI or for …
Employee hotline to report potential fraud
Restrict/limit employee internet use from org's …
Separate banking accounts by purpose or …
Transaction limits for payment disbursements
Reconcile bank accounts daily
Address exception items timely
Verify controls applied via audit or management …
Transaction limits for corporate card purchases
Logical access controls to network/payment …
Authentication/authorization controls to payment …
Periodic internal/external audits
Dual controls/separation of duties w/in payment …
Physical access controls to payment processing …
Chart JJ: Internal Controls - Non-FIs
Use Use by 2014 Don’t use
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 27
iv. Risk Mitigation Services Offered by Financial Institutions. Of the various risk mitigation services offered by financial institutions, the top five used by non-financial institution
63% 66% 64%
71% 79%
75% 74% 75%
79% 79% 79% 78%
74% 86%
81%
37% 29% 33%
29% 21%
25% 26% 24%
21% 21% 21% 23%
24% 15%
19%
0% 5% 3% 0% 0% 0% 0% 1% 0% 0% 0% 0%
2% 0% 0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Restrict/limit employee internet use from … Employee hotline to report potential fraud
Separate banking accounts by purpose or … Transaction limits for corporate card purchases
Review card related reports daily Transaction limits for payment disbursements
Verify controls applied via audit or management … Periodic internal/external audits
Physical access controls to payment processing … Address exception items timely
Logical access controls to network/payment … Authentication/authorization controls to payment …
Dual controls/separation of duties w/in payment … Reconcile bank accounts daily
Chart KK: Effectiveness of Internal Controls - FIs
Very effective Somewhat effective Somewhat ineffective
71% 70%
78% 91%
100% 92% 92% 92%
85% 77%
85% 100%
93% 92%
100%
29% 30%
22% 9%
0% 8% 8% 8%
15% 23%
15% 0%
7% 8%
0%
0% 0% 0% 0% 0% 0% 0% 0% 0%
0% 0% 0%
0% 0% 0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Employee hotline to report potential fraud Restrict/limit employee internet use from …
Transaction limits for payment disbursements Separate banking accounts by purpose or …
Transaction limits for corporate card purchases Verify controls applied via audit or management …
Periodic internal/external audits Logical access controls to network/payment …
Physical access controls to payment processing … Address exception items timely
Dual controls/separation of duties w/in payment … Authentication/authorization controls to payment …
Reconcile bank accounts daily Review card related reports daily
Chart LL: Effectiveness for Internal Controls Non-FIs
Very effective Somewhat effective Somewhat ineffective
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 28
respondents as reported in Chart MM are: online information services (e.g. statements), multi-factor authentication to initiate payments, fraud loss prevention insurance, check positive pay/reverse positive pay, and ACH debit blocks. Based on the responses as to which services FIs plan to use by 2014, there appears to be significant planned growth in the ACH area, with the use of ACH payee positive Pay (23%) and ACH debit blocks (7%) and debit filters (7%) on the horizon.
When it comes to the effectiveness of these services offered by financial institutions, non-financial institution respondents (users of the services) overall indicated positive responses (Chart NN). The one exception was fraud loss prevention services (e.g., insurance). It is possible that financial institution respondents see insurance as less effective as it does not prevent fraud; it is really only a solution for after fraud has already occurred.
0% 15%
33% 46%
57% 62%
86% 71%
69% 80% 80%
87% 100%
8% 23%
0% 0%
7% 8%
0% 7%
0% 7%
0% 0%
0%
92% 62%
67% 54%
36% 31%
14% 21%
31% 13%
20% 13%
0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Account masking services ACH payee positive pay Post no check services
ACH positive pay Check payee positive pay
Card alert services for commercial/corporate cards Fraud loss prevention services, e.g., insurance
ACH debit filters Account alert services
ACH debit blocks Check positive pay/reverse positive pay
Multi-factor authentication to initiate payments Online information services, e.g., statements
Chart MM: Percentage of Non-FIs Using Risk MitigationServices Offered by FIs
Use Use by 2014 Don't use
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 29
Chart OO provides a view of the various risk mitigation services that are being offered by financial institution respondents. A large majority of respondents are offering services such as online statements to their corporate customers and have implemented multifactor authentication requirements for the initiation of payments. As one moves down the list of service offerings to more complex products, such as positive pay/reverse positive pay and payee positive pay (for both check and ACH), the percentage of financial institution respondents offering those services decreases significantly. It is possible that community bank respondents either cannot offer some of these more sophisticated services or they do not have a commercial customer base that has yet expressed a need for them. In addition, because the financial institution respondents include all types of FIs – both banks and credit unions – the number of respondents may reflect some credit unions that traditionally support individual members, as opposed to corporate customers, and may not need to offer such services to their retail customer base.
55%
57%
86%
86%
80%
80%
92%
80%
83%
100%
100%
100%
0%
27%
43%
14%
14%
20%
20%
8%
20%
17%
0%
0%
0%
0%
18%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Fraud loss prevention services, e.g., insurance
Account alert services
Card alert services for commercial/corporate cards
Online information services, e.g., statements
Post no check services
ACH debit filters
Multi-factor authentication to initiate payments
ACH positive pay
Check positive pay/reverse positive pay
ACH debit blocks
Check payee positive pay
ACH payee positive pay
Account masking services
Chart NN: Effectiveness of Risk Mitigation Services
Very effective Somewhat effective Somewhat ineffective
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 30
f. Opportunities to Reduce Payments Fraud Respondents reported on opportunities to reduce fraud in three areas: i) organizational actions, ii) barriers to reducing payments fraud, and iii) legal and regulatory changes. i. Organizational Actions. Respondents were asked what new or improved methods are most needed to reduce payments fraud (Chart PP). Nearly two-thirds of the respondents said their organizations should apply controls over Internet payments, while more than half of all respondents are in favor of replacement of card/magnetic stripe technology. The latter bodes well for the coming adoption of the EMV standards for card transactions in the U.S.4
4 See page 19.
20%
22%
30%
29%
51%
49%
43%
63%
51%
74%
91%
95%
8%
6%
1%
6%
4%
5%
10%
2%
5%
8%
1%
2%
72%
72%
69%
65%
45%
46%
47%
34%
43%
18%
8%
2%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
ACH payee positive pay
Check payee positive pay
Post no check services
ACH positive pay
Check positive pay/reverse positive pay
ACH debit filters
Card alert services for commercial/corporate cards
ACH debit blocks
Account masking services
Account alert services
Multi-factor authentication to initiate payments
Online information services, e.g., statements
Chart OO: Percentage of FI/Svc. Provider Respondents Offering Risk Mitigation Services
Offer Offer by 2014 Don't offer
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 31
When asked what authentication methods their organizations might prefer or consider adopting to help reduce payments fraud, the adoption of tokens led the way among non-financial institution respondents, while multifactor authentication was the top method among financial institution respondents. When viewed in total, approximately 58% of respondents were in favor of multifactor authentication (Chart QQ).
5%
22%
29%
30%
50%
53%
51%
55%
53%
64%
8%
23%
39%
39%
39%
46%
54%
39%
31%
31%
5%
22%
27%
28%
52%
54%
51%
58%
57%
69%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Other
Image-survivable check security features for business checks
Industry alert services
Industry-specific education on best prevention practices for fraud
Controls over mobile payments
Information sharing on emerging fraud tactics being conducted by criminal rings
More aggressive law enforcement
Consumer education of fraud prevention
Replacement of card/magnetic strip technology
Controls over internet payments
Chart PP: New/Improved Methods Needed to Reduce Payments Fraud
FI, N=85
Non-FI, N=13
Total, N=98
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 32
ii. Barriers to Reducing Payments Fraud. Respondents reported on barriers to further reducing payments fraud. Most identified a version of “cost” as the main barrier, citing lack of staff resources, implementation costs and lack of compelling business case as the main barriers. A complete summary is listed in Chart RR.
3%
18%
30%
42%
46%
38%
42%
58%
51%
11%
0%
33%
78%
11%
56%
22%
44%
44%
2%
21%
30%
39%
49%
36%
45%
59%
52%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
Other
Biometrics
Mobile device to authenticate person
Token
Out-of-band/channel authentication …
PIN requirement
Chip for dynamic authentication
Multi-factor authentication
Chip and PIN requirement
Chart QQ: Authentication Methods Preferred/Considered for Adoption to Reduce Payments Fraud
FI, N=83
Non-FI, N=9
Total, N=92
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 33
iii. Legal or Regulatory Changes. Respondents were also asked to offer views on legal and regulatory changes that would help reduce payments fraud. Many respondents would like to see increased penalties for fraud and more likely prosecution. Topping the list for FI respondents was placing more responsibility for fraud mitigation with—and shifting liability for fraudulent card payments to—the entity that initially accepts the card. This is interesting in light of the planned liability shifts that are part of the EMV “roadmaps” of all the major card associations (MasterCard, Visa, Discover and American Express). Table 2 lists these and other considerations.
11%
14%
23%
37%
29%
23%
47%
63%
20%
30%
30%
40%
0%
0%
30%
60%
10%
13%
23%
36%
33%
26%
49%
64%
0% 10% 20% 30% 40% 50% 60% 70%
Other
Unable to combine payment information for review due to operating w/ multiple business areas, …
Corporate reluctance to share information due to competitive issues
Lack of compelling business case (cost vs. benefit) to adopt new or change existing methods
Cost of implementing commercially available fraud detection tool/service
Cost of implementing in-house fraud detection tool/service
Consumer data privacy issues/concerns
Lack of staff resources
Chart RR: Main Barriers to Payments Fraud Mitigation
FI, N=80
Non-FI, N=10
Total, N=90
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 34
Table 2: Legal and Regulatory Considerations by Percentage of Respondents
h. Conclusions Considered as a whole, the results of our 2012 payments fraud survey suggest the following: • Both financial institutions and corporations of all sizes in the district continue to be
concerned about payments-related fraud.
• Most problematic is fraud that affects checks and debit cards because these are the payment types that were most often attacked by fraud schemes and that sustained the highest losses as a result. These findings are generally consistent with fraud surveys conducted by national industry associations such as the Association for Financial Professionals (AFP).5
• Although fraud involving “corporate account take-over” has been highlighted in the press
recently as a major problem, it was not cited as a significant scheme that affected respondents to this survey.
• Most financial institutions and other corporations report total fraud losses that represent less than .3% of their annual revenues. While any loss due to fraud is undesirable, by this measure these levels are relatively small.
5 See http://www.afponline.org/fraud/
Legal and Regulatory ChangesFI
(N=86)FI
(%)Non-FS(N=13)
Non-FS(%)
Total(N=99)
Total(%)
Place responsibility to mitigate fraud and shift liability for fraudulent card payments to the entity that initially accepts the card payment
67 78% 3 23% 70 71%
Increase penalties for fraud and attempted fraud 63 73% 9 69% 72 73%
Place more responsibility on consumers and customers to reconcile and protect their payment data
63 73% 5 39% 68 69%
Assign liability for fraud losses to the party most responsible for not acting to reduce the risk of payment fraud
60 70% 5 39% 65 66%
Strengthen disincentives to committing fraud through stiffer penalties and more likely prosecution
49 57% 10 77% 59 60%
Improve law enforcement cooperation on domestic and international payments fraud and fraud rings
48 56% 8 62% 56 57%
Focus future legal or regulatory changes on data breaches to where breaches occur
44 51% 3 23% 47 47%
Align Regulation E and Regulation CC to reflect changes in check collection systems' use of check images and conversion of checks to ACH
39 45% 4 31% 43 43%
Assign responsibility for mitigating fraud risk to the party best positioned to take action against fraud
41 48% 2 15% 43 43%
Establish new laws/regs or change existing ones in order to strengthen the management of payments fraud risk
27 31% 5 39% 32 32%
2012 Payments Fraud Survey Results
©2012 Federal Reserve Bank of Dallas Page 35
• Organizations are using various internal controls and procedures to mitigate payments fraud risk. Transaction monitoring, authentication, and risk services offered by financial institutions are also used.
• Lack of staff resources is the primary barrier cited by a majority of organizations when considering additional options for mitigating payments fraud risk.
Top Related