The Community Banker’s Guide to Payments Fraud Prevention

June 1, 2022

By Caitlin B. Houlton Kuntz

Let’s start with some chilling numbers: $6.9 billion–the FBI’s estimate of losses by Americans in 2021 due to wire fraud. Fifty-five billion dollars–one estimate of last year’s fraud losses involving ACH payments. A significant majority of this fraud relates to commercial payments. To a community banker, these numbers are the stuff of nightmares.

Payments fraud is nothing new, and while the scams are evolving, the core procedures for detecting and preventing them haven’t changed as much as one might think. As you gear up for summer, take a moment for a self-checkup on fraud prevention tactics.

1. Refresh Your Security Procedures

When was the last time your bank took a good look at the security procedures built into your cash management agreements and payment processing procedures? From a legal perspective, having “commercially reasonable” security procedures in place is critical in shifting liability away from the bank. From a practical perspective, this means more than a vague line in your ACH and wire transfer agreements stating that security procedures will be established and followed.

Multi-factor authentication has become the gold standard for online banking access and electronic payments, but it isn’t foolproof. Call-backs, transaction limits and dual control remain tried-and-true security procedures, and new techniques like requiring transactions to be originated from a dedicated IP address are proving useful. Instead of relying on just one method, be thoughtful about what makes sense for your organization and your customers.

And don’t limit your security procedures to online banking payments. If your bank accepts payment orders via phone or in-person, make sure sufficient procedures are in place to confirm the identity of the requestor. In-person payment fraud remains surprisingly common.

2. Document, Document, Document

After you’ve settled on security procedures, document them for every customer. The last thing you need when dealing with a fraud incident is to dig through customer files trying to determine what security procedures were actually in place, only to find that nothing was ever documented. This happens alarmingly often (including at bigger banks).

When a customer signs up for cash management products, make sure paperwork is filled out regarding the security procedures the customer has chosen. Did the customer reject options like dual control or IP address confirmation? Document it. Has the customer requested call-backs be made to certain contacts for certain transactions? Document it. Did you recently send an updated ACH agreement out to your existing customers? Document it. Banks find themselves in hot water when they cannot prove what security procedures were actually in place, and, in turn, whether they were followed.

3. Positive Pay

For business customers with any regular volume of checks or ACH files, a positive pay arrangement can be a tremendously effective way to combat fraud. While the terms of the arrangement might vary from bank to bank, the general idea remains the same: the bank compares all incoming checks and/or ACH files against separate lists of authorized payments from the customer, flagging any that do not match up and withholding payment unless the customer confirms the payment is authorized. It can be a tough sell for small business customers who are already counting every penny of monthly expenses, but there are plenty of real-life cautionary tales that can help convince a customer on the fence.
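The comparison described above can be sketched in a few lines of Python. This is an added illustration, not part of the original article or any bank's system. It covers checks only and assumes matching on check number, amount and payee; the names `Item`, `review` and `CONFIRMED` and all sample data are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Item:
    check_no: str
    amount: Decimal
    payee: str

def norm(name):
    # Ignore case and spacing differences when comparing payee names.
    return " ".join(name.upper().split())

def review(issue_file, presented, confirmed=frozenset()):
    """Compare presented checks with the customer's issue file.
    Returns (check_no, decision, reason); reason is None on a clean match.
    `confirmed` holds (check_no, amount, payee) keys the customer approved."""
    register = {i.check_no: i for i in issue_file}
    paid, results = set(), []
    for item in presented:
        auth = register.get(item.check_no)
        if auth is None:
            reason = "not in issue file"
        elif item.check_no in paid:
            reason = "duplicate presentment"
        elif item.amount != auth.amount:
            reason = "amount mismatch"
        elif norm(item.payee) != norm(auth.payee):
            reason = "payee mismatch"
        else:
            reason = None
        key = (item.check_no, item.amount, norm(item.payee))
        if reason is None or key in confirmed:
            decision = "PAY"
            paid.add(item.check_no)
        else:
            decision = "HOLD"  # withheld until the customer confirms
        results.append((item.check_no, decision, reason))
    return results

# Constructed sample data: the customer's issue file and one day's presentments.
ISSUE_FILE = [Item("1001", Decimal("1250.00"), "Acme Supply Co"),
              Item("1002", Decimal("480.50"), "River City Tools"),
              Item("1003", Decimal("9800.00"), "Delta Freight LLC")]
PRESENTED = [Item("1001", Decimal("1250.00"), "ACME SUPPLY CO"),
             Item("1002", Decimal("4805.00"), "River City Tools"),
             Item("1003", Decimal("9800.00"), "J. Smith"),
             Item("1001", Decimal("1250.00"), "Acme Supply Co"),
             Item("2077", Decimal("3000.00"), "Harbor Print Shop")]
# Constructed: the customer confirms the one check it forgot to list.
CONFIRMED = {("2077", Decimal("3000.00"), "HARBOR PRINT SHOP")}

if __name__ == "__main__":
    for row in review(ISSUE_FILE, PRESENTED, CONFIRMED):
        print(row)
```

A confirmation is tied to the exact check number, amount and payee, so approving one exception does not release a different item that reuses the same check number.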

4. Education

New technology has provided some excellent fraud detection tools, but nothing replaces good, old-fashioned human suspicion. Talk about fraud. Make sure bank employees stay up to date on the latest fraud trends and vulnerabilities. Help customers understand risks associated with popular fraud schemes like “business email compromise” and spoofed invoices that surreptitiously redirect otherwise legitimate payments. Encourage employees and customers to speak up and reach out whenever something smells fishy. And remind everyone involved that not even the best technology will necessarily detect or stop fraud from insiders at a customer’s business.

5. Really Know Your Customer

Megabanks are forced to rely heavily on technology for fraud detection because it is simply impossible for them to be personally familiar with the business practices of each customer. Community bankers are uniquely situated to combat fraud because your customers are more than just account numbers–they are real people you see every day in your community, both inside and outside the bank. Get to know them, their businesses and their banking routines.

Your deposit team is in a great position to spot something unusual in a customer’s account activity and intervene. “See something, say something” isn’t just a law enforcement tagline. Does the local machine shop usually send multiple high-dollar ACH files on a day that doesn’t line up with its payroll or supplier payment schedules? Is the hairdresser down the street likely to be initiating international wire transfers from an IP address across the country? Some customers might find a call about a suspicious transaction a nuisance or a nosey interruption, but they’ll probably buy your next round at the local watering hole if you keep them from losing their hard-earned money to a scammer.

There is no silver bullet for fraud prevention, and the threat will never go away. Even when the bank can avoid liability, fraud incidents present reputational risk and harm relationships with impacted customers. Be proactive, be agile and be vigilant.