LeAnne Wilcox's blog archive


LeAnne is a Risk Analyst at InterceptEFT.

OFAC
by LeAnne Wilcox (Risk Analyst), Aug 18, 2011
Office of Foreign Assets Control. Sounds foreboding, doesn't it? Like some organization where Darth Vader might be in charge. List of Specially Designated Nationals and Blocked Persons. Something I don't want my name associated with. In reality, OFAC and the SDN list are designed to help U.S. businesses identify which people and organizations NOT to do business with. The list generally contains known or suspected individuals and groups tied to terrorist organizations, money-laundering groups, organized crime and the like.

All financial institutions and similar organizations, such as ACH third-party processors, are required to check their lists of customers against the OFAC SDN list regularly, including company names and owners' names. Unfortunately, this results in a large percentage of false-positive hits. Your customer may get a "hit" on this list as a possible match because their name is the same as or similar to someone on the SDN list. In that event, additional personal or company information is required to confirm that your legitimate customer is NOT the person on the list. A home address or date of birth may be needed to confirm that the hit is indeed a false positive.
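
As an added example (not code from the original post), here is a small Python screening routine of the kind this paragraph describes: it normalizes names, flags possible SDN matches, and uses date of birth as the secondary identifier to clear a hit as a false positive or hold it for review. The list entries, customer records, threshold and matching rules are constructed, fictional assumptions; a real screen would run against OFAC's published SDN data under your own compliance policy.

```python
import re
import unicodedata
from datetime import date

# Constructed, fictional SDN-style entries for illustration only (not the real OFAC list).
SDN_LIST = [
    {"name": "Juan Ejemplo Perez", "type": "individual", "dob": date(1965, 4, 2)},
    {"name": "Ejemplo Trading Company, S.A.", "type": "entity", "dob": None},
]

# Constructed customer records of the kind a processor screens before onboarding.
CUSTOMERS = [
    {"name": "Juan Perez", "dob": date(1980, 5, 6)},    # same first/last name, different person
    {"name": "J. Perez", "dob": None},                    # initial only, no DOB on file
    {"name": "Ejemplo Trading LLC", "dob": None},         # entity with a different suffix
    {"name": "Maria Flores", "dob": date(1975, 9, 9)},   # no resemblance to any entry
]

SUFFIXES = {"inc", "llc", "co", "company", "corp", "corporation", "sa", "ltd", "the"}

def normalize(name):
    """Lower-case, strip accents and punctuation, and drop corporate suffixes."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.replace(".", "").lower())
    return [t for t in tokens if t not in SUFFIXES] or tokens

def name_score(a, b):
    """Fraction of the shorter name's tokens found in the longer one; a single
    letter is treated as an initial and matches any token starting with it."""
    ta, tb = set(normalize(a)), set(normalize(b))
    short, long_ = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    if not short:
        return 0.0
    hits = sum(1 for t in short
               if t in long_ or (len(t) == 1 and any(u.startswith(t) for u in long_)))
    return hits / len(short)

def screen(customer, threshold=0.75):
    """Return the list entries that are possible matches for one customer."""
    return [e for e in SDN_LIST if name_score(customer["name"], e["name"]) >= threshold]

def resolve(customer, entry):
    """Apply a secondary identifier to a name hit: a differing date of birth clears
    it as a false positive; otherwise the transaction stays pended for manual
    review until more personal or company information is collected."""
    if customer.get("dob") and entry.get("dob") and customer["dob"] != entry["dob"]:
        return "false_positive"
    return "manual_review"

def screen_all():
    """Screen every customer; returns {customer name: [(entry name, outcome), ...]}."""
    return {c["name"]: [(e["name"], resolve(c, e)) for e in screen(c)] for c in CUSTOMERS}

if __name__ == "__main__":
    for name, outcomes in screen_all().items():
        print(f"{name}: {outcomes or 'clear'}")
```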

This process may seem like a big inconvenience, especially when a monetary transaction is pended while a false-positive hit is verified. In the long run, however, OFAC regulations help keep the bad guys out of the system and help assure that financial institutions aren't making it easy for the people and organizations on the list to access and transfer funds used for illegal or terrorist purposes. Helping keep everyone safer and thwarting criminals is the goal.
Know Your Customer - Protect Yourself from Payroll Fraud
by LeAnne Wilcox (Risk Analyst), Jul 28, 2011
Here's a real-life scenario that shows why it's important for any business to do its due diligence and protect itself by knowing its customer. A payroll processor recently received a call from a prospective client. Based on the client's needs, it appeared that a lot of fee income would be generated from the relationship. However, the processor became increasingly suspicious that the prospect was not a legitimate company. There were lots of red flags:
  • The prospect, Flag Real Estate, was located in KY and the payroll processor's office was in OR. When the prospect was asked how they found the processor, the prospect claimed that they did some internet searches and found them to be the most competitively priced.
    • Red Flag: The processor was a local/small regional firm and knew their website didn't disclose rates. I also pointed out that unless they were paying a large sum to an SEO company, they probably were not at the top of any internet search engine.
  • The prospect wanted to do a large payroll amount right away, and it needed to be set up quickly.
    • Red Flag: The prospect claimed to be in business just 3 months and only had 2 employees. That didn't make much sense given the type of business, where an R/E transaction can take months and commissions may be relatively low at first.
  • When the processor offered to write checks and overnight them for the first payroll, the prospect became agitated and insisted it must be by ACH direct deposit.
    • Red Flag: The fact that the prospect became upset seemed odd. Why would they insist on direct deposit when the funds were being sent by overnight mail? It's commonplace for payroll processors not to offer direct deposit until a relationship has been established, and to write checks from the client's account until then.
  • The routing numbers for the "employees" being paid matched an internet bank's pay card products.
    • Red Flag: While internet banking and pay cards are not in and of themselves risky, combined with the other red flags they can add to the picture of a scam. It can be very difficult to work with such companies to stop access to funds or to get information.
  • The processor was never able to get hold of the prospect directly by phone, and the voicemail only gave the phone number, no other identifier.
    • Red Flag: Why were they never available? Normally, a real estate professional makes it easy for clients and partners to reach them and would certainly identify themselves and their business on their phone.
  • Some other oddities also made the processor wary:
    • The distinct southern accent the prospect had on the phone seemed to slip whenever he became irritated or confused.
      • Red Flag: Do I need to say more?
    • The email address was a generic Yahoo account, bannerrealestate@yahoo.com, and when responses were received they came back from a completely different email address referencing an individual's name and not the name of the prospect, J. Flag.
      • Red Flag: A generic address is not itself a problem, but in combination with the other flags it's a contributor. Generic addresses are easy to get. Furthermore, why would the responses come back from a different address, especially one with a different personal name?
If this was indeed a shyster and they had agreed to process the payroll as an ACH transaction on a typical 3- or 4-day processing window, the processor would likely have been taken for a lot of money. Here's how the scam goes down:
  • Day One: The payroll file is sent to the ACH third-party processor
  • Day Two: A debit is made to the client's bank account for the full amount of the payroll (e.g. $50,000)
  • Day Three: The funds are held and the credits to the employees' accounts are created
  • Day Four: The funds are available to the employees in their accounts
However, the debit can take two full business days to clear the client's account. This means that the employees have the funds, and can withdraw all of them, before the client's bank returns the debit as NSF. If all the funds were withdrawn by the employees and the debit comes back as NSF, the payroll processor is now out the money.

You've heard the adage, "if it seems too good to be true it probably is" and then there's "If it walks like a duck and talks like a duck, it's probably a duck". The lure of potential income was blurring the vision of the processor in this case. Luckily, their vision was only blurred and they weren't completely blinded.

When the payroll processor called in and I spoke with them, I assured them that this seemed fishy and I advised not to process the payroll. If they decided to move forward with the prospect, I advised them to insist that the prospect wire the funds for the payroll amount, as a wire is guaranteed funds. Hearing from another party made them feel more confident that they were being taken for a ride, and they followed up with some internet searching. Their search yielded recent references to the company and the owner being involved with identity theft charges and a recent grand jury indictment on bank check fraud.

Luckily, this business did their due diligence and saved themselves from a potentially devastating blow of several thousand dollars in losses, which might have put them out of business. Remember, protect yourself and your business, and again, if it seems too good to be true, it probably is.

* Names of the prospect and locations have been changed to protect the identity of the parties.
True Service - Anticipating Customer Needs
by LeAnne Wilcox (Risk Analyst), Jul 22, 2011
Recently, one of the people I work with had a problem with a customer. They discovered that the customer had been skirting regulations and the terms of their approval. This customer had a history of being a bit combative and proved to be so when the employee contacted them about the issue. The customer's response was "where does it say THAT in the agreement?" The employee came to me to find out, hoping that I knew exactly where in the 8-page document this would be covered. I had disappointing news. I knew this subject was not included in the customer agreement (rather, it was part of the terms of approval).

I could have left it at that. But I knew that my co-worker was my customer. I explained to the employee that the issue was about approval terms versus the items covered in the agreement. I gave her information to explain that to the end customer. Further, I provided an example of why the terms were set as they are and the subsequent financial risk and liability to our customer associated with not adhering to the terms. I also offered that I would be glad to talk with that customer directly to discuss, or send a follow-up email if necessary.

I didn't have to do all that. I could have let it go as "it's not in the agreement". That really wouldn't have helped my fellow employee or our end customer either. Both might have left the situation more frustrated with such an easy, pat answer.

I can think of another example where I was the beneficiary of a truly great service provider. I worked at a customer service center for a large regional bank where we were assigned an IT person. If I came to him with a request, he always asked me what I was trying to accomplish. Then he was able to point out any issues that might result from making a change to our program, usually something I wouldn't have considered. Going a step further, he always offered me another solution. I didn't really appreciate him until he left the company for another job and was replaced. The new person simply did what I asked, never asking more questions, never trying to find out the true problem. Subsequently, I got exactly what I asked for but not necessarily what I really needed.

Whether the customer is external or internal, try to anticipate the real problem and the real needs of the customer and solve that problem.
Corporate Unauthorized Returns
by LeAnne Wilcox (Risk Analyst), Jul 1, 2011
Unauthorized returns in the ACH world can really throw a wrench in the system, at least for the originator of the transaction. The ACH payment from their business or corporate customer has been returned by the customer's bank as "unauthorized". The customer is claiming that the Originator didn't have the proper authorization to initiate the debit. The ACH return code for this type of return is R29.

The ACH rules for corporate debits require that unauthorized returns be made within two business days of the date of the transaction.

How can you best protect your business from unexpected R29 returns?
  • Make sure your customers are provided clear communication that their account will be automatically debited via ACH and for what amount
  • Have your business customer sign an ACH Authorization to Debit form
  • Verify that you are debiting a business checking account and not a personal account
  • Ensure your customer hasn't set up an automatic return of unrecognized transactions with their bank
  • Verify that your company name, the name your customers will recognize, will be the name showing up on their bank statement
Unauthorized returns can be a cost of doing business, but taking the time to educate your customers and being up front about charges and fees will help reduce the number of ACH returns, keeping the wrench out of the system.
Understanding ACH Credit Risk for Direct Deposit
by LeAnne Wilcox (Risk Analyst), May 13, 2011
I often get asked why company financials are reviewed when a business applies for ACH services for direct deposit. What's the risk? Many times, people believe that the ACH credit isn't released until the debited funds are collected. That's how it works with credit cards, where the authorization to debit the card is received before the sale transaction is approved. ACH is actually a little different. The funds are moved like an electronic check, with float time.

Most payroll companies prefer a short processing window, where the funds are debited from their client, the employer, on Day 1 and the employee is credited (money in their account) on Day 2. In the ACH world, however, the funds aren't considered collected, or settled, until Day 4. Why? Because it takes time for the debit to reach the employer's bank. There is a 2-business-day window in which an item can be returned by the employer's bank as NSF, account closed, etc. If the debit is returned on Day 4, for example, and the credits were already released to the employee on Day 2, those credits are difficult to get back once credited to the employee via ACH. The only way to remove the risk of a returned item is a longer window or debiting the employer via a wire transfer.

This is how it ties back to the company's financials. Does the company have the financial capacity, on a short window, to cover a possible NSF or other type of return that needs to be collected? Does the company have financial strength, or is it at risk of bankruptcy or other financial difficulties? Think of it this way: ACH on a short window is like a bank giving out an unsecured loan. Reviewing financials is one of the tools used to assess that credit risk.
PCI-DSS
by LeAnne Wilcox (Risk Analyst), April 14, 2011
Protecting Your Company & Your Customers
Did you know that if there is a credit card data security breach at your company, it may cost you as a merchant $5,000 to $50,000 or more in compliance fees? This will be on top of the cost of replacing your customers' consumer cards, reimbursing the losses your customers incurred as a result of the breach, and halting your business for several days, maybe even several weeks.

Data security is a real threat to all merchants, not just the larger retailers. In fact, Visa continues to identify Level 4 merchants (those with fewer than 1 million transactions) as the group most commonly victimized by hackers. Level 4 merchants outnumber all other merchants in the number of cardholder data compromises. A recent poll shows only 11% of Level 4 merchants are actually in compliance and only 29% of these merchants are truly aware of PCI-DSS compliance standards.*

To help protect themselves and their customers, merchants should take these basic steps:
  • Use PCI-DSS compliant technology
  • Secure cardholder transactions by encrypting all cardholder data during transmission
  • Conduct regular web application and vulnerability scans
  • Avoid electronic storage of credit card data unless there is a compelling business reason to do so
  • Restrict sensitive customer information to employees whose position warrants access
For more information about PCI-DSS compliance, visit the PCI Security Standards website at pcisecuritystandards.org.

*Source: Transaction Trends, March 2011

What's risky about ACH?
by LeAnne Wilcox (Risk Analyst), June 28, 2010
No doubt, Direct Deposit and Direct Payment transactions via ACH make life much easier than doing business via check. It's convenient and safe, and it saves both money and time for both the sender and the receiver.

What some companies don't realize, however, is that there is credit risk involved. Some people think ACH is similar to credit and debit card transactions, where the transaction doesn't take place unless an "authorization" is given by the debtor's bank. ACH transactions actually happen without such "authorization", thus creating risk. ACH credit risk is the risk that a party cannot provide the contracted funds necessary to settle the account. In other words, the originating bank is exposed to credit risk from the time it releases the ACH file to the Federal Reserve until the originator funds the account.

Because of this risk, most transactions are pre-funded, meaning that the funds from the debit are held for a set number of days before the credits are released. Another means of risk mitigation is to hold a reserve at the bank or processing company. Many times, the company requesting ACH services is asked to provide financial information to ensure it has the financial capacity to cover the credit risk.

To give this a real-life example, let's take a look at direct deposit for a payroll. The funds for the entire payroll are debited from the employer and credited to the employees. The debit to the employer will take two (2) full business days to clear the employer's bank, to ensure that the debit is not returned for NSF, account closed, or other issues. If the employer is debited on Thursday and the employees are paid on Friday, the Originating Depository Financial Institution risks that the debit will be returned after the credits have already been released.
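
The settlement timing described in this paragraph, in the direct deposit post above and in the payroll fraud timeline, as an added Python example that is not code from the original posts: it models the two-business-day return window, shows that a wire carries no return exposure, and computes the peak amount at risk across overlapping payrolls for a given processing window. The dates, amounts and weekend-only business calendar are constructed assumptions (bank holidays are ignored).

```python
from datetime import date, timedelta

RETURN_WINDOW = 2  # business days in which the employer's bank can return the debit (NSF, closed account, ...)

def add_business_days(start, n):
    """Advance a date by n business days (weekends skipped; bank holidays ignored here)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def exposure(debit_date, credit_date, amount, funding="ach"):
    """What the originator stands to lose if the debit is returned after the employee
    credits have already gone out. A wire is guaranteed funds, so it carries no
    return risk regardless of when the credits are released."""
    if funding == "wire":
        return {"exposed": 0, "return_deadline": None, "settles": debit_date}
    deadline = add_business_days(debit_date, RETURN_WINDOW)  # last day a return can arrive
    settles = add_business_days(deadline, 1)                 # funds count as collected the day after
    exposed = amount if credit_date <= deadline else 0
    return {"exposed": exposed, "return_deadline": deadline, "settles": settles}

def peak_exposure(payrolls, window, funding="ach"):
    """payrolls: [(debit_date, amount)]; window: business days from debit to credit.
    Returns the largest amount at risk on any single day across overlapping payrolls,
    which is the figure to weigh against the client's financial capacity or reserve."""
    intervals = []
    for debit_date, amount in payrolls:
        credit_date = add_business_days(debit_date, window)
        e = exposure(debit_date, credit_date, amount, funding)
        if e["exposed"]:
            intervals.append((credit_date, e["return_deadline"], amount))
    peak = 0
    for start, _, _ in intervals:  # maximum overlap always occurs at some interval's start
        peak = max(peak, sum(a for s, d, a in intervals if s <= start <= d))
    return peak

# Constructed sample: a Thursday payroll of $50,000 followed by a Friday payroll of $20,000.
SAMPLE_PAYROLLS = [(date(2011, 7, 28), 50_000), (date(2011, 7, 29), 20_000)]

if __name__ == "__main__":
    for window in (1, 2, 3):
        print(f"{window}-business-day window: peak exposure ${peak_exposure(SAMPLE_PAYROLLS, window):,}")
    print(f"wire-funded: peak exposure ${peak_exposure(SAMPLE_PAYROLLS, 1, 'wire'):,}")
```

With a 1-day window the Thursday credits are still at risk on Monday when the Friday payroll's credits go out, so both amounts are exposed at once; with a 3-day window every credit is released after its return deadline.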

While the ACH network does carry risks, the advantages of the system are plentiful. With appropriate mitigation, both the sender and receiver of ACH transactions can reap the benefits from the secure, efficient and cost-effective system of the ACH network.

Compliance is not a four-letter word.
by LeAnne Wilcox (Risk Analyst), Dec. 7, 2009
Compliance has a bad rap. You hear the word and everyone in the office shudders. Often it is seen as more work, more boxes to check, and more money out of our company pockets. Recently there has been a change in compliance requirements for all merchants that process, store or transmit cardholder data. The five payment brands (Visa, MasterCard, Discover, AMEX and JCB International) have now mandated that all merchants comply with the Data Security Standard, otherwise known as PCI-DSS. Of course, it does mean a little more work and a little more money, but the benefits are many, including customer confidence and protecting your business.

At minimum, PCI-DSS means that each merchant must complete a Self-Assessment Questionnaire, a series of questions about how the merchant stores, transmits and processes cardholder data. Depending on your merchant's systems, you may also be required to have a Quarterly Network Scan. Both are designed to help identify gaps or deficiencies that could lead to a possible cardholder data breach. The last thing any merchant wants is their customers' cardholder data stolen because they weren't doing all they could to protect their customers' information.

Did you know that the majority of card data theft cases occur at small retail locations, including land-line terminals? Improper storage of written credit card information, utilization of software that is not PCI compliant and use of unsecured voice over IP technology are just a few of the reasons that cardholder data is compromised.

Protecting cardholder data means not only protecting your customers but protecting your business. Cardholder data breaches result in heavy fines imposed on the merchant by all the payment brands involved. The merchant is also on the hook for paying for all the fraudulent transactions and losses suffered by their customers. For some businesses, these fines and increased charge-backs could mean going out of business. By taking the time to become PCI-DSS compliant, the merchant can breathe a little easier, knowing they have taken measures to protect their customers and themselves while helping the customer feel confident that their data is safe at the merchant.

Merchants can't run away from PCI-DSS compliance. No matter which processor the merchant chooses, PCI-DSS compliance is always there. Most processors, like InterceptEFT, provide a program to help their merchants become compliant and maintain that compliance. The goal is to help merchants safeguard data, help build customer trust and protect their business.

For more information about PCI-DSS compliance, visit these sites:
www.pcisecuritystandards.org
usa.visa.com/merchants/risk_management/cisp.html