5 Tips to Reduce Banking Fraud
Payments Assoc. Offers Advice to Fight Corporate Account Takeover
This is the advice from Alex Romeo, VP, Electronic Payments Network Product Manager, at the Clearing House, a payments association and processor that is owned by 20 of the largest banks in the U.S.
"Large or small businesses are targets," Romeo says. "What oftentimes it is called ACH fraud, or wire fraud, is actually corporate account takeover. Once the criminals have the corporate's banking credentials, they're off to the races."
Romeo sees several things that both institutions and the businesses can be doing to lower the potential for corporate account takeover:
1. Multi-Factor Authentication
The best approach is to start with a multi-factor authentication/multi-layered security structure. This is what Romeo is seeing from the institutions that are successfully thwarting fraud. "Remember, there is no one silver bullet that will solve this problem, so if you put all your hope in a single solution, you'll get compromised, and the intruder will have everything."
This multi-layered approach from a software perspective, combined with old-fashioned out-of-band phone calls to the customer to confirm a questionable transaction, can cut the institution's headaches and the business' fraud losses.
In the old days, Romeo says, calendars were put in place for all set transactions for all accounts, whether they were large corporates or small businesses. "If they had a weekly payroll, that only went out once a week, and then all of a sudden we saw something going out every day -- that would be a red flag; we would question it," he says.
2. Banks: Monitor Transactions
In his days in bank operations, Romeo says, the bank used to set up daily limits on each user. "We used to set these limits on our mainframe processor in the bank, along with file limits and batch limits, so if there were something added, or out of the ordinary, we would spot it." Another thing to watch for is a whole lot of activity right under $9,000. "Because the fraudsters know they won't draw suspicion of a bank if they fly under $10,000 mark."
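The calendar check and the limit monitoring Romeo describes can be sketched as three rules run over a batch of originations. This is an added example, not code from The Clearing House or any bank; the user names, calendar, daily limit, band width and count threshold are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict
from datetime import date

# Assumed policy values for illustration; the article gives only the $10,000 mark.
CALENDAR = {"payroll_clerk": {4}, "ap_clerk": {0, 1, 2, 3, 4}}  # allowed weekdays, Mon=0
DAILY_LIMIT = 50_000   # per-user daily limit, USD
MARK = 10_000          # the mark fraudsters try to stay under
BAND = 2_000           # "right under" means within this much below MARK
MIN_NEAR = 3           # near-mark payments per user before flagging

# Constructed sample originations: (date, user, amount in USD).
SAMPLE = [
    (date(2024, 3, 1), "payroll_clerk", 42_000),   # Friday payroll
    (date(2024, 3, 8), "payroll_clerk", 41_500),   # Friday payroll
    (date(2024, 3, 11), "payroll_clerk", 8_900),   # Monday, off calendar
    (date(2024, 3, 12), "payroll_clerk", 8_950),   # Tuesday, off calendar
    (date(2024, 3, 13), "payroll_clerk", 8_800),   # Wednesday, off calendar
    (date(2024, 3, 13), "ap_clerk", 30_000),
    (date(2024, 3, 13), "ap_clerk", 25_000),       # pushes the day past the limit
]

def review(transactions):
    """Return {rule: sorted findings} for the three checks."""
    daily = defaultdict(int)   # (day, user) -> total sent that day
    near = defaultdict(int)    # user -> count of payments just under MARK
    off_calendar = set()
    for day, user, amount in transactions:
        daily[(day, user)] += amount
        # A user with no calendar entry is treated as always off calendar.
        if day.weekday() not in CALENDAR.get(user, set()):
            off_calendar.add((day, user))
        if MARK - BAND <= amount < MARK:
            near[user] += 1
    return {
        "off_calendar": sorted(off_calendar),
        "daily_limit": sorted(k for k, total in daily.items() if total > DAILY_LIMIT),
        "near_mark": sorted(u for u, n in near.items() if n >= MIN_NEAR),
    }

if __name__ == "__main__":
    for rule, hits in review(SAMPLE).items():
        for hit in hits:
            print(rule, hit)
```

Each finding is a prompt for the out-of-band confirmation call described earlier, not an automatic block.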
3. Businesses: Reconcile Corporate Accounts Daily
For businesses, Romeo recommends reconcilement of banking accounts and transactions on a daily basis -- either at end of day or at least at the beginning. "This will help catch any transactions you didn't make, and the sooner you bring it to your bank's attention, the better chance to retrieve the money, with the bank doing a recall or reversal of the transaction. The longer you wait, the less likely it is that you'll see that money recovered."
4. Employ Dual, Triple Controls
Dual controls on the corporate side are, at the very least, table stakes. Romeo suggests even triple controls, where one person creates the transaction, a second person approves it, and then a third person actually sends the transaction.
"If you don't have the people, then set up the ACH transactions with the institution, an out of band confirmation, whether it is a phone call to confirm that you've sent it, and confirmation of the correct information was received," he notes. This can be done live or through an automated voice response system. Usually, only one person would have the password and ID to call the bank, which would be totally separate from the person's computer.
5. Raise Fraud Awareness
Finally, Romeo says, continuous education of business customers is important. At the national level, this problem of corporate account takeover has gotten real attention. But real solutions won't come until financial institutions and their corporate accounts alike realize the real risks they face - and the simple solutions they can implement to help mitigate those risks.