Corporate payments fraud is becoming a pressing issue for banks as the recession progresses and the sophistication of attacks increases. In light of all this, J.P. Morgan Chase (New York) has issued a new white paper designed to raise corporates' fraud awareness and suggest best practices.
"Payments Fraud: How it Happens and What You Can Do to Protect Your Organization" examines check, ACH and credit card fraud, sharing tips on protecting treasury operations from advanced phishing techniques. It explores key areas of fraud vulnerability and proliferation, and reviews available products and services.
According to Iqbal Khan, executive director, J.P. Morgan Treasury Services, the white paper was meant to be neutral and nonbiased in order to best convey the importance of this issue to corporates.
"We wanted to raise general awareness of corporate payments fraud and help people get a better understanding from a corporate perspective," Khan told BS&T. "We're also using [the white paper] internally as collateral for our bankers and sales team to help them educate clients on their responsibilities and how to prevent fraud."
Although corporate payments fraud had been on the rise, Khan doesn't doubt the recession has helped it along. "The economy is softening so people are looking for an easy way to make a buck," he says, adding, "Corporates and banks can't afford to cover these losses like they used to."
A study issued by the Association for Financial Professionals earlier this year showed more than 70 percent of organizations polled experienced attempted or actual payments fraud in 2008. Thirty percent of respondents also showed an increase in payments fraud over the previous year, and the majority of respondents expect these illegal activities to grow.
Khan says that as banks push more responsibility onto clients by offering self-service functions, they are also having to build more powerful security around these service platforms. However, he points out that in the end, the security comes down to the person using the platform—all the more reason to increase education at corporates.
J.P. Morgan clears a significant amount of the world's payments transactions, and Khan says the bank has definitely seen a pickup in phishing. It's also trickling down to smaller and smaller businesses. These clients lack much of the resources and sophistication in terms of the tools they have to fight payments fraud. One thing banks can do to help commercial clients of this size is to simplify their fraud offerings. Something like Positive Pay works fine for large corporates, but small businesses often don't have the capability to support this. As a result, Khan suggests banks simplify their anti-fraud offerings.
J.P. Morgan did just that when it introduced Reverse Positive Pay. "We worked with the Chase Commercial Online team and Chase Business Banking (which caters to very small businesses) and put self-service fraud solutions on those applications to leverage the Reverse Positive Pay used for our large clients," he explains. "We gave them the ability to onboard themselves and we changed the price point."
J.P. Morgan's Reverse Positive Pay solution is Web-based and presents images of the checks to the clients on a daily basis before they pay them. It was integrated with a check return capability so that if a client sees a check is fraudulent, they can tell the bank right away and return the check.
"Traditionally, when a client finds a fraudulent check, they'd call their bank service officer, but by then, the check is out of the return window and not as easy to recover," says Khan. "It was also an expensive service for banks to maintain."
Apparently the word is getting out about fraud protection, at least among J.P. Morgan's business customers. Khan says the bank had 75,000 new accounts signed up for Reverse Positive Pay in the last four to five months. The bank expects over 1 million accounts to be signed up for the service next year.
Another way businesses can protect themselves is by segregating their accounts. Khan says 80 percent of the bank's accounts are not used for checking. Rather, there is more activity around ACH, wire, lockbox and similar payment mechanisms.
"You're leaving those accounts exposed to fraud," he relates. "So we rolled out fraud protection to these accounts to prevent checks from being posted to them."
Khan believes automation will help to at least curtail fraud in the future. "Things like EBAM [electronic bank account management] are being developed as we move more toward automation—it will be harder to commit fraud."
Some of the best practices highlighted in J.P. Morgan's report are:
- Check Fraud. To prevent check fraud, take practical defensive measures such as securing check stock and implementing dual control around key treasury functions such as check issuance and account reconciliation. Using high-quality check stock with built-in security features will reduce the likelihood of check manipulation. Industry tools such as Positive Pay reduce the possibility of fraudulent check payment.
- ACH Fraud. To minimize ACH or electronic payments fraud, sensitive information needs to be protected. Masking account numbers and Tax ID numbers in your written correspondence, and utilizing encrypted email for confidential, nonpublic information are both critical steps to reducing fraud. ACH debit blocks or ACH debit filters guard against unauthorized ACH debit transactions.
- Corporate Credit Card Fraud. Misuse of corporate payment cards by employees is not typically considered fraud by card issuers. The company is usually responsible for any loss, so organizations must have prevention programs in place. Protective controls, such as setting transaction limits and monthly limits for all cardholders, as well as blocking unauthorized vendors will greatly reduce misappropriation. Companies should also use Web-based payments tools that provide enhanced reporting and real-time visibility into spending.
- Phishing Fraud. Phishing spammers establish fake emails and Web sites in an attempt to steal security information, such as login names, passwords and other personal data. Organizations should ensure that browser and security software information is continually updated, and that spam blocking filters and surfing block controls are maintained companywide. Privacy locks should be utilized to restrict access to sensitive data.