Staying Ahead of Fraudsters: Protecting Your Bank and Your Customers from Payments Fraud
by Amanda Dorphy, Senior Payments Information Consultant, Payments Information and Outreach Office, Federal Reserve Bank of Minneapolis
Fraud is a serious threat to payment system efficiency, consumer confidence, and a community bank's bottom line. Safeguarding assets from fraud attacks is an ongoing challenge not only because community banks and their customers are regular targets of fraud schemes but also because these schemes evolve in response to changes in payment instruments, technology, and security.
To mitigate fraud risk, community banks have a challenging job: They have to keep pace with new and existing schemes while monitoring the effectiveness of their fraud prevention tools. To that end, the Federal Reserve's 2012 Payments Fraud Survey — Consolidated Results [1] is beneficial in that it helps assess the fraud landscape by providing insights into fraud risks and surveying the effectiveness of fraud-fighting methods so that bankers can stay ahead of fraudsters. Another resource is the free on-demand webcast titled Keeping Up with Fraudsters: What You Need to Know, which is available on the Federal Reserve Bank Services website.[2] In addition to providing useful information, this webcast also summarizes the survey results.
The 2012 Payments Fraud Survey was sponsored by the Federal Reserve Banks of Boston, Dallas, Minneapolis, and Richmond, as well as the Independent Community Bankers of America.[3] Survey participants included financial institutions (FIs) from across the United States, with some concentration in the regions of the sponsoring Federal Reserve Districts. A total of 689 institutions — 86 percent banks, 10 percent credit unions, and 4 percent thrifts — responded. About six in 10 participating institutions had assets of less than $250 million (Figure 1).
Most respondents reported that they offered traditional payment services, such as wire transfers, debit cards, checks, automated clearinghouse (ACH), and bill payment services (Figure 2). Other payment products, such as remote deposit capture (RDC) or person-to-person (P2P) payments, are also offered, but to a lesser extent. This information is relevant because institutions implement fraud prevention measures only for the products they offer.
Payments Fraud Attacks and Losses
Payments fraud is widespread: Ninety-six percent of the survey respondents experienced both fraud attempts and losses in 2011.[4] From a list of nine payment types, institutions were asked to identify the top three payment types they encountered with the highest number of fraud attempts and losses (Figure 3). The survey found that institutions were especially vexed by signature-based debit card fraud, with more than 80 percent placing it among their top three payment types with the most attempts and losses. In addition, more than 40 percent of the respondents identified checks and personal identification number (PIN)-based debit card fraud as among their top three payment types with the highest levels of fraud attempts and losses.
Although credit card fraud was not among the top three payment types with the highest number of fraud attempts or losses for respondents to this survey — many of whom do not issue credit cards — credit cards are nevertheless vulnerable to payments fraud. In the 2013 Federal Reserve Payments Study, credit cards accounted for the highest number of fraudulent transactions (third-party fraud) and highest losses, without respect to the organization incurring the loss.[5]
Survey participants were also asked to identify the top three fraud schemes involving their customers' accounts (Figure 4). The survey found that 80 percent of the respondents reported counterfeit or stolen cards used at the point of sale (POS) or in person among the top three schemes, and 68 percent reported counterfeit or stolen cards used online (card-not-present transactions). Counterfeit checks were mentioned among the top three schemes by about four in 10 institutions.
Survey respondents also identified their top three data sources used in common payment fraud schemes. The most prevalent source, reported by 64 percent of institutions, was "sensitive" information obtained from lost or stolen cards, checks, or other physical documents or devices in the consumer's control. This finding underscores the importance of educating customers about ways to protect their personal and financial information. Therefore, community banks should consider offering tips to their customers about effective ways for them to avoid becoming fraud victims.
To avoid losses, community banks must effectively manage fraud risk for all payment products offered. Data from the 2012 Payments Fraud Survey can be used by community banks to identify payment methods, such as signature-based debit cards, that they should consider targeting for heightened fraud prevention measures. Effective fraud mitigation considers the potential of payments fraud attempts as well as the size of losses to which various payment methods are vulnerable. For example, survey respondents reported that the takeover of customer accounts that can involve wire transfers or ACH credits was not a very common scheme. However, this fraud scheme, if successful, can compromise security credentials used to access an account and result in comparatively high-dollar losses to banks and/or their customers.
Good News, Bad News
The good news is that most institutions experienced low losses from payments fraud. According to the survey, 76 percent reported a 2011 fraud loss rate of less than 0.3 percent of annual revenues, the lowest loss category in the survey (Table 1).
The bad news is that 51 percent reported an increase in their fraud loss rate in 2011 as compared with that in 2010.[6] Only 16 percent reported a reduction, and 34 percent reported that their fraud loss rate stayed the same in 2011 as compared with that in 2010.
For institutions that reported increased fraud losses, one-half reported fraud loss rates that were between 1 and 5 percent higher in 2011. Nineteen percent reported fraud loss rate increases of more than 10 percent. It is not surprising that increased losses were most common among debit card payments. Nearly nine in 10 institutions reported increased losses among signature-based debit card payments, and more than four in 10 cited losses among PIN-based debit card payments. The survey results show that institutions can act to fight fraud successfully: About three in 10 institutions reported they were able to cut fraud losses by more than 10 percent, including losses due to signature and PIN-based debit card fraud and check fraud.
Risk Mitigation Strategies
Once funds have been transferred, they are hard to retrieve, so it makes sense to invest in fraud prevention proactively before losses occur. Because no silver bullet exists, effective fraud mitigation requires a layered approach.
The survey explores the use and effectiveness of a number of fraud mitigation methods, including internal controls and procedures, customer authentication methods, transaction screening and risk management methods, and risk management services that institutions offer to their customers.
Internal controls and procedures are the most frequently used fraud mitigation methods and were rated highly by institutions (Figure 5). Indeed, of the 15 internal controls and procedures listed in the survey, more than 80 percent of the respondents used 12 or more.
Respondents were asked about 10 customer authentication methods (Figure 6). PIN authentication, signature verification, and customer authentication for online transactions were used by more than 80 percent of the institutions. However, the effectiveness of signature verification and magnetic stripe authentication was rated comparatively low, receiving a "somewhat ineffective" rating of 11 percent and 8 percent, respectively.[7]
Although the current use of card-chip authentication was low at 2 percent, 12 percent of institutions planned to use card-chip authentication by 2014. This may reflect the concerted efforts underway by the major card brands to migrate U.S. magnetic stripe cards to chip-enabled cards, which reduce counterfeit fraud by using dynamic data to authenticate the card versus static data on the magnetic stripe card. Chip cards do not protect against lost and stolen card fraud, unless PIN or biometric authentication is used. They also do not protect against "card-not-present" fraud, which requires additional risk mitigation measures. Multilayered approaches, such as multifactor authentication (sometimes referred to as "something you have, something you know, and something you are"), or layered security, are more effective in preventing fraud, according to recommendations by the Federal Financial Institutions Examination Council (FFIEC) in Authentication in an Internet Banking Environment [8] and Supplement to Authentication in an Internet Banking Environment.[9]
Transaction screening and risk management methods with the highest use included staff education and training on fraud mitigation, use of a fraud detection pen for currency, and human review of payment transactions (Figure 7). Eleven percent of the institutions planned to provide customer education about payments fraud prevention, and 10 percent planned to use software that detects fraud through pattern matching, predictive analytics, or other indicators.
These plans make sense based on the record of institutions with reduced fraud losses. Seventy-two percent of these institutions pointed to "enhanced fraud monitoring systems" that targeted debit and credit card transactions as the reason for their fraud reduction results. This includes fraud monitoring systems that employ anomaly detection to identify unusual payment behavior. Anomaly detection technology addresses the question: Based on past behavior of this cardholder, is this particular transaction a legitimate one? Community banks should explore what services their vendors, core banking providers, and other payment services providers offer to help protect them and their customers from fraud.
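The anomaly-detection question above ("based on past behavior of this cardholder, is this transaction legitimate?") can be sketched as a per-cardholder baseline check. This is an added example, not part of the survey or of any vendor's product; the field names, the 3.5 cutoff, and the approve/review/hold policy are assumptions chosen for illustration.

```python
from statistics import median

# Constructed transaction history for one hypothetical cardholder.
HISTORY = [
    {"amount": 42.10, "country": "US", "channel": "pos"},
    {"amount": 18.75, "country": "US", "channel": "pos"},
    {"amount": 63.00, "country": "US", "channel": "pos"},
    {"amount": 27.40, "country": "US", "channel": "pos"},
    {"amount": 55.20, "country": "US", "channel": "pos"},
    {"amount": 31.90, "country": "US", "channel": "pos"},
    {"amount": 48.60, "country": "US", "channel": "pos"},
]

def build_profile(history):
    """Summarize past behavior: typical amount, its spread, usual places."""
    amounts = [t["amount"] for t in history]
    med = median(amounts)
    # Median absolute deviation: a spread measure that one large past
    # purchase does not distort. Fall back to 1.0 if all amounts are equal.
    mad = median(abs(a - med) for a in amounts) or 1.0
    return {
        "median": med,
        "mad": mad,
        "countries": {t["country"] for t in history},
        "channels": {t["channel"] for t in history},
    }

def score(profile, txn, cutoff=3.5):
    """Return the list of ways txn departs from the cardholder's baseline."""
    reasons = []
    # Modified z-score; 0.6745 rescales MAD to be comparable to a std dev.
    z = 0.6745 * (txn["amount"] - profile["median"]) / profile["mad"]
    if z > cutoff:  # assumed cutoff, tune against real false-positive rates
        reasons.append("amount far above usual")
    if txn["country"] not in profile["countries"]:
        reasons.append("country not seen before")
    if txn["channel"] not in profile["channels"]:
        reasons.append("channel not seen before")
    return reasons

def decide(profile, txn):
    """Assumed policy: one signal goes to human review, two or more hold."""
    reasons = score(profile, txn)
    if len(reasons) >= 2:
        return "hold", reasons
    if reasons:
        return "review", reasons
    return "approve", reasons

if __name__ == "__main__":
    p = build_profile(HISTORY)
    print(decide(p, {"amount": 58.00, "country": "US", "channel": "pos"}))
    print(decide(p, {"amount": 900.00, "country": "RO", "channel": "ecom"}))
```

The tiered outcome reflects the trade-off between lax and overly tight controls: a single unusual signal is routed to human review instead of being declined outright.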
Six in 10 institutions also identified "staff training and education" as a key change that led to reduced fraud losses. Staff training can typically be accomplished at a reasonable cost; it can also reap added benefits, such as good customer service, because staff members are able to help prevent customers from becoming victims to fraud schemes.
Institutions also offer services to help their customers mitigate payments fraud. About nine in 10 offer online information services and multifactor authentication tools to their business customers. About two-thirds of the respondents offer account alert services and about one-half offer account masking services and ACH debit blocks.
Relatively few institutions offer check and/or ACH positive pay services to their business customers. Thus, community banks may want to review the current set of fraud prevention services they offer to business customers and consider the opportunity to supplement them. ACH fraud prevention tools were of particular interest to business respondents. Smaller business customers may be reluctant to buy fraud prevention services from their banks due to the cost and time involved. However, educating customers about the benefits of fraud prevention, including what service options are available and how to use them, may help address the reluctance of small businesses to buy these services.
Fraud Prevention Methods Needed
Institutions were asked what new or improved methods are most needed to fight future payments fraud. Most institutions identified controls over Internet payments, consumer education on fraud prevention, and replacing card magnetic stripe technology with stronger security.
Community banks are well positioned to provide payments fraud prevention education to customers. They can consider offering tips to consumers and businesses on their website about how to avoid becoming fraud victims. They might also discuss payments fraud and risk mitigation during regular meetings with clients. Law enforcement officers can also be a valuable resource in helping to educate consumers and businesses about the dangers of fraud and the importance of protecting financial data. On the Federal Reserve Bank of Minneapolis's website, the Payments Information and Outreach Office has a list of Industry & Government Information-Sharing Resources Related to Payments Fraud, which provides a wide variety of resources, including education resources.[10]
Institutions also expressed preference for a "chip-and-PIN" requirement for cards and multifactor authentication over other authentication methods, such as just chip, just PIN, or out-of-band authentication (Table 2). Under the chip-and-PIN approach, cardholders authenticate their card with the chip and authorize themselves as the card user with their PIN. Chip cards contain embedded microprocessors that can store information securely and perform cryptographic processing during a payment transaction. Cards carry security credentials, or keys, that are stored securely in the card's chip and are used to authenticate the card. These credentials help to prevent card skimming and card cloning, which are two of the common ways that magnetic stripe cards are compromised and used for fraudulent activity. Each payment transaction made with a chip card also includes dynamic data that are unique to a single transaction. By using dynamic data, transaction data cannot be reused, or replayed, to authorize a second payment. Chip-and-PIN authentication for cards requires significant investment in infrastructure changes on the part of issuers, merchants, and other stakeholders, but there are payoffs in terms of less counterfeit fraud and elimination of card skimming. Chip authentication combined with PIN verification helps to protect against lost and stolen card fraud.
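Why per-transaction dynamic data defeats replay while static magnetic stripe data does not can be seen in a small issuer-side model. This is an added example, not code from the article or from any card scheme: HMAC-SHA256, the message layout, and the class names are assumptions standing in for the card's real cryptogram computation.

```python
import hashlib
import hmac
import secrets

def _mac(key, amount, nonce, atc):
    # Assumed message layout; binds amount, terminal nonce and counter.
    msg = f"{amount}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Holds a secret key and a counter that never leave the chip."""
    def __init__(self, key):
        self._key = key
        self._atc = 0  # transaction counter, incremented on every use

    def authorize(self, amount_cents, terminal_nonce):
        self._atc += 1
        return {"amount": amount_cents, "nonce": terminal_nonce,
                "atc": self._atc,
                "cryptogram": _mac(self._key, amount_cents,
                                   terminal_nonce, self._atc)}

class Issuer:
    def __init__(self, key):
        self._key = key
        self._last_atc = 0

    def verify_chip(self, req):
        expected = _mac(self._key, req["amount"], req["nonce"], req["atc"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "decline: bad cryptogram"
        if req["atc"] <= self._last_atc:
            return "decline: counter already used"
        self._last_atc = req["atc"]
        return "approve"

    def verify_magstripe(self, presented, on_file):
        # Static data: the same bytes are valid on every swipe.
        same = hmac.compare_digest(presented, on_file)
        return "approve" if same else "decline"

def demo():
    key = secrets.token_bytes(16)  # constructed per-card key
    card, issuer = ChipCard(key), Issuer(key)
    first = card.authorize(2500, secrets.token_bytes(4))
    results = [issuer.verify_chip(first)]       # genuine transaction
    results.append(issuer.verify_chip(first))   # same message presented again
    second = card.authorize(2500, secrets.token_bytes(4))
    altered = dict(second, amount=250000)       # amount changed in transit
    results.append(issuer.verify_chip(altered))
    results.append(issuer.verify_chip(second))  # untouched message still valid
    track = b"CONSTRUCTED-STATIC-TRACK"         # constructed placeholder data
    results.append(issuer.verify_magstripe(track, track))
    results.append(issuer.verify_magstripe(bytes(track), track))  # a copy
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The chip path declines both the repeated and the altered message, while the copied stripe data is approved again, which is the counterfeit exposure the article attributes to magnetic stripe cards.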
As U.S. industries make plans to implement chip cards, community banks that issue debit and/or credit cards should meet with their card service providers to discuss options, as well as an appropriate timetable for issuing chip cards and their preferred security model, such as the chip-and-PIN or chip-and-signature approach.[11]
Payoffs for Investing in Fraud Prevention
What is holding institutions back from investing more in fraud prevention? Four of the top five barriers that were reported related to some aspect of cost. A lack of staff resources was a barrier at more than half of the institutions. Concerns about consumer data privacy were a barrier for about four in 10 institutions.
Community banks should fully analyze their dollar losses from fraud to help determine whether more investment in risk mitigation is warranted. That is, when considering the business case, it is important to assess both quantitative and qualitative factors. In general, banks should determine whether it makes sense for fraud losses to be higher than prevention costs (Figure 8).
Banks should also consider marginal costs and benefits. Sixty-one percent of the institutions reported that losses attributed to signature-based debit card fraud were greater than what they spent on preventing such fraud, and about 45 percent reported the same for losses due to debit PIN and check fraud. This suggests that institutions should at least understand the relationship between the fraud prevention investments and the losses that they are experiencing by payment type and consider increased spending to prevent fraud in areas in which losses outweigh risk mitigation spending.
It is also important to consider other consequences of fraud, such as damage to a bank's reputation and costs incurred for recovery, reporting, and other expenses for handling fraud incidents. On the flip side, bankers should evaluate the impact of fraud prevention measures on qualitative factors such as customer goodwill. What are the consequences if another party or a bank customer suffers financial losses? What is the impact on convenience? If controls are lax, unauthorized transactions may slip through; if controls are too tight, customers may be annoyed at having a payment denied. Community bankers should strive to implement fraud prevention tools that achieve an appropriate balance.
Payments-related fraud remains a significant concern for institutions. Nearly all respondents to the survey reported payment fraud attempts and losses. Most reported fraud losses that represented less than 0.3 percent of their annual revenues. While any fraud loss is undesirable, by this measure, institutions appear to be doing a good job of keeping loss levels low.
Institutions identified signature-based debit cards as the payment instrument with the highest number of fraud attempts and losses. More than 60 percent reported that losses from signature-based debit card fraud exceeded their costs of preventing such fraud. This suggests that institutions should weigh their specific situation in terms of losses from signature-based debit card fraud against the cost and benefits of investing in fraud prevention.
Institutions that reduced their fraud loss rates are targeting high-risk payment types. Seventy-two percent of respondents cited enhancement of fraud monitoring systems for debit and credit card transactions, including techniques such as anomaly detection, among the key changes they made that contributed to their reduction in payments fraud losses. Institutions are also focused more on the need to use stronger security alternatives to magnetic stripe authentication technology for card payments.
Community banks must manage fraud risk for all payments to avoid losses. Strategies for detecting and preventing fraud effectively use multiple risk mitigation methods and tools, or a layered strategy.
Given the tenacity and innovation of fraud perpetrators, it is important for banks to stay informed about fraud trends to protect themselves and their customers from payments fraud and to arm themselves with fraud-fighting methods that work effectively.
- 1 Survey participants included primarily financial institution members, as well as some nonfinancial institution members, of regional payment and treasury management associations, of the Independent Community Bankers of America, and of other associations. A summary of the survey results is available at www.minneapolisfed.org/about/whatwedo/payments/2012-payments-fraud-survey-consolidated-results.pdf. The Federal Reserve plans to repeat the survey this spring.
- 2 The webcast is available at events.frbservices.org/ep_web/DSP_eventlist.cfm.
- 3 The survey questions are available at www.minneapolisfed.org/about/whatwedo/payments/2012_Payments_Fraud_Survey_Questions.pdf.
- 4 This survey did not measure the amount of loss per fraud attempt. When assessing the impact of potential losses, community banks should consider both the absolute value of the losses by payment type and the realized losses per attempt.
- 5 The report is available at www.frbservices.org/files/communications/pdf/research/2013_payments_study_summary.pdf.
- 6 See the 2012 Payments Fraud Survey.
- 7 For more information on how methods were rated for effectiveness, see the 2012 Payments Fraud Survey.
- 8 See www.ffiec.gov/pdf/authentication_guidance.pdf.
- 9 See www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf.
- 10 See www.minneapolisfed.org/about/whatwedo/paymentsinformation.cfm.
- 11 See www.emv-connection.com for more information.