Best Practices in Fraud Prevention
The fight against fraud in financial transactions is never-ending. But the good guys (by the way, that would include most of us) continue to get smarter, even as the bad guys plot more-sophisticated and harder-to-detect schemes. A new phase in the fraud battle opened with the effective date of Check 21 (28 October, 2004). It’s nevertheless very important for everyone in the financial and corporate sectors to remember that this Check 21 era is just a new phase, not a panacea that will end fraud for all time.
In a very real sense, fraud will always be a risk. We do not, however, have to make it any easier for the fraudsters. Indeed, if we use common sense and best practices to prevent fraud, financial institutions and the greater corporate world can make it much, much harder for perpetrators to succeed.
Just what are some of these best practices? Not all are new. In fact, some of them have been in vogue and widely used for a number of years. We still need to implement them properly, and it is a very good idea to initiate multiple layers of fraud prevention to effectively narrow the fraudsters’ overall window of opportunity.
In dealing with checks, for example, the generally accepted rule of thumb is that to the extent possible, financial institutions and other companies should migrate from paper to electronic transactions. Electronic transactions – while not immune to fraud – serve to significantly limit fraud vulnerability. On this basis, we can highlight the best practice of migrating employees as well as vendors to direct deposit salary and payables, respectively – either through Automated Clearing House (ACH) deposits, or using card solutions.
Payment through cards may serve to limit liability for unauthorized use in certain circumstances and to reduce the volume of checks that are out there and subject to paper fraud. But the reality is that a certain number of checks (quite likely a very high number) will be around for a long time. Significant numbers of employees and vendors simply won’t – or can’t – accept payment in any form but checks. So there’s a perpetual need to be more and more diligent in combating check fraud. And one particular weapon is now clearly established as the No. 1 defense against this common type of fraud: positive pay comparison and reporting procedures.
The fundamental positive pay theory is to match key items on each check presented for payment at a financial institution to the issuing company’s list of checks that the company has issued for payment. More specifically, positive pay characteristics such as check amount and serial number can be examined and compared at the teller line and in the back office. Any ‘exception’ is communicated to the client company for a payment decision; a ‘return’ or ‘no-pay’ decision, of course, results in no payment on the check and, when applicable, sends the item back to the bank-of-first-deposit. And there are key positive pay refinements in an image-enabled environment, such as the capability to transmit check images online for client examination.
Systems are being set in motion to verify the payee name against the issue file, to head off a variation of check fraud that frequently originates within the issuing company, where the fraudster in this case would have to know that the issued-check amount and serial number are legitimate. There are also a number of ways internal fraudsters are able to alter the payee name on a check. Obviously, from a best-practice perspective, this type of ‘internal’ fraud also screams out for more stringent internal controls.
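The comparison just described, as an added example that is not part of the original article: a small positive pay routine that matches presented checks to the issue file on serial number and amount, adds the payee-name check, and flags duplicate presentment. The data class, exception codes and sample checks are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    serial: int        # check serial number
    amount_cents: int  # amount in whole cents, avoiding float rounding
    payee: str         # payee name (issue file) or payee as read from the item

def normalize_payee(name: str) -> str:
    # Collapse case and whitespace so formatting differences alone do not raise exceptions
    return " ".join(name.upper().split())

def positive_pay(issue_file, presented, already_paid=frozenset()):
    """Return (pay, exceptions): serials that match the issue file on serial, amount and
    payee, and (serial, reason) pairs to send to the client for a pay/no-pay decision."""
    issued = {c.serial: c for c in issue_file}
    pay, exceptions, seen = [], [], set(already_paid)
    for p in presented:
        if p.serial in seen:
            # Same serial presented twice, or already paid: duplicate or counterfeit item
            exceptions.append((p.serial, "DUPLICATE_PRESENTMENT"))
            continue
        seen.add(p.serial)
        orig = issued.get(p.serial)
        if orig is None:
            exceptions.append((p.serial, "NOT_ON_ISSUE_FILE"))
        elif orig.amount_cents != p.amount_cents:
            exceptions.append((p.serial, "AMOUNT_MISMATCH"))
        elif normalize_payee(orig.payee) != normalize_payee(p.payee):
            # Serial and amount are legitimate: the signature of an altered-payee insider fraud
            exceptions.append((p.serial, "PAYEE_MISMATCH"))
        else:
            pay.append(p.serial)
    return pay, exceptions
# Constructed sample data (not real checks)
ISSUE_FILE = [
    Check(1001, 125000, "Acme Supply Co"),
    Check(1002, 4800, "Jane Doe"),
    Check(1003, 999900, "Metro Utilities"),
]
PRESENTED = [
    Check(1001, 125000, "ACME SUPPLY CO"),  # same payee after normalization: pay
    Check(1002, 48000, "Jane Doe"),         # amount raised from $48.00 to $480.00
    Check(1003, 999900, "John Smith"),      # payee altered; serial and amount legitimate
    Check(1004, 50000, "Cash"),             # never issued by the company
    Check(1001, 125000, "Acme Supply Co"),  # serial 1001 presented a second time
]
def run_sample():
    return positive_pay(ISSUE_FILE, PRESENTED)
```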
And at first blush, many recommended best practices in internal control may seem like ‘no-brainers’, until we ponder the fact that a considerable proportion of companies simply fail to implement them. Good internal safeguards include such best practices as making sure more than one person is responsible for approving financial transactions, as well as for approving the disbursements themselves.
This is all included under the general heading of ‘entitlements’, meaning that specific employees are entitled to issue checks, to authorize wire or ACH payments, to audit and review accounts. In an even larger sense, these internal controls represent ‘checks and balances’ that assure financial responsibilities are spread broadly throughout an organization. Such a system of shared responsibilities serves to severely curtail the possibility that any individual employee could cook the books to his or her own financial benefit (even to the point of issuing himself or herself an unauthorized check, or wiring a close friend or relative a tidy financial nest egg).
The checks and balances and overall entitlements principle are also paramount among best practices in a company’s internal check-printing operation. As a matter of course, check stock should be securely stored under lock and key. And for access, again, more than one person must be held responsible. During the actual printing process, each check should be printed in total. It isn’t worth the risk to have checks just sitting around 80 per cent or 90 per cent complete, waiting to be filled in by unscrupulous unknown individuals. And, just as check stock must be guarded carefully, access to the authorized-signature stamp must be closely controlled by more than one person.
All of these internal check-printing principles, of course, can be rendered moot if a company chooses to outsource its check-printing function to a financially certified and bank-recommended outside source. Outsourcing the check-printing function also allows efficiencies and economies of scale in check distribution. Apart from the purely financial arena, best practices in internal controls additionally involve topics that might be considered as mundane as password security. Assuring computer password secrecy and freedom from compromise is only a ‘mundane’ topic until hackers successfully get into a company’s IT system and wreak all manner of havoc. Don’t make it easy for the hackers, who are clever and capable enough of their own volition. A company must require its employees to change their passwords regularly.
And under no circumstances should passwords be shared, or printed out and stored in an easily accessible and obvious location like under the keyboard. It’s not a bad idea to require that passwords be memorized – but short of that, each individual password must at least be kept in a locked and secured place of the employee’s choosing.
The true prospect for success of internal controls and best practices in fraud prevention is almost totally dependent on the individual company’s own sense of responsibility. If a company is unable or unwilling to effectively shoulder its own responsibility, no consulting financial institution or any other outside source stands a realistic chance of improving the situation. And while methods stressing fraud-prevention are preferable, it’s always a best practice to beef up surveillance to try to detect fraud that may be occurring right under your nose.
Among things that financial institutions particularly watch for is ‘out-of-pattern’ activity – such as the presentation of wildly out-of-sequence checks, or a sudden and severe uptick in deposits into a particular account. A quick investigation might yield the discovery that the deposit-fraud technique of ‘account takeover’ is in progress. If not stopped in its tracks, activity of this nature could indicate – among many other things – a ramp-up to wire fraud (actually a misnomer, since there’s usually nothing illegal about the wire itself; the fraud is most commonly related to the manner in which the money got into the subject account in the first place).
A very good (and relatively easy) best practice to strongly consider with regard to any strictly depository account is to flag it with a ‘post-no-checks’ code. With such an advisory in place, any check that purports to withdraw funds from that account is automatically rejected and returned. Two other excellent best practices relate to incoming ACH debit or credit transactions – which can either be blocked (meaning no such transaction is allowed) or filtered (meaning certain types of transaction are disallowed, while allowing other designated transactions to proceed apace based upon specific defined criteria on this particular account). Again, the capability to specifically delineate ACH transactions provides another level of control, another level of safety and confidence when trying to succeed in conducting legitimate business in the midst of a world brimming with fraud.
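The account-level controls described above, as an added example that is not from the article: a ‘post-no-checks’ flag plus ACH block/filter settings applied to one depository account, shown with the weak open setting beside the hardened one. The rule fields, mode names, decision codes and company IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AchRule:
    company_id: str            # ACH originator (company ID) allowed on this account
    direction: str             # "DEBIT" or "CREDIT"
    max_amount_cents: int = 0  # per-item ceiling; 0 means no ceiling

@dataclass
class AccountControls:
    post_no_checks: bool = False  # reject any check drawn against the account
    ach_mode: str = "OPEN"        # "OPEN" (weak), "BLOCK" (no ACH at all) or "FILTER"
    ach_rules: list = field(default_factory=list)  # consulted only in FILTER mode

def decide(ctl: AccountControls, txn: dict):
    """Return ('POST', None) or ('RETURN', reason) for one presented item.
    txn keys: type ('CHECK' or 'ACH'), direction, amount_cents, company_id."""
    if txn["type"] == "CHECK":
        return ("RETURN", "POST_NO_CHECKS") if ctl.post_no_checks else ("POST", None)
    if ctl.ach_mode == "BLOCK":
        return ("RETURN", "ACH_BLOCKED")
    if ctl.ach_mode == "OPEN":
        return ("POST", None)
    # FILTER: the item must match an allowed originator, direction and amount ceiling
    for r in ctl.ach_rules:
        if (r.company_id == txn["company_id"] and r.direction == txn["direction"]
                and (r.max_amount_cents == 0 or txn["amount_cents"] <= r.max_amount_cents)):
            return ("POST", None)
    return ("RETURN", "ACH_NOT_AUTHORIZED")

# Constructed sample: the same depository account with weak and with hardened controls
WEAK = AccountControls()  # any check or ACH debit posts
HARDENED = AccountControls(
    post_no_checks=True,
    ach_mode="FILTER",
    ach_rules=[AchRule("1234567890", "CREDIT"),                           # customer payments in
               AchRule("9876543210", "DEBIT", max_amount_cents=250000)],  # one approved debtor
)
ITEMS = [  # constructed items; company IDs are placeholders
    {"type": "CHECK", "direction": "DEBIT", "amount_cents": 80000, "company_id": ""},
    {"type": "ACH", "direction": "DEBIT", "amount_cents": 500000, "company_id": "5555555555"},
    {"type": "ACH", "direction": "DEBIT", "amount_cents": 200000, "company_id": "9876543210"},
    {"type": "ACH", "direction": "CREDIT", "amount_cents": 15000, "company_id": "1234567890"},
]

def run(ctl: AccountControls):
    return [decide(ctl, t) for t in ITEMS]
```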
And in a Check 21 environment, very real effects could be realized – including a general speedup of the financial process, with perhaps up to two days being shaved off newly automated check clearing processes that used to require the physical transfer of checks, sometimes cross-country. This new reality is undoubtedly catching many unaware. And fraudsters are being deprived of at least a considerable portion of a vital time ally that has traditionally worked in their favor.
Still, there are those in the financial and corporate communities who lament the loss of many physical check safeguards (watermark, hologram, etc.) that may not survive in an image-enabled environment. That same image-enabled environment, however, supports newer and arguably more effective characteristics that will continue to be improved. Several companies have been working on and have succeeded in developing a new generation of what in the financial industry are known as Image Survivable Security features that serve to augment the physical check security marks. Testing has confirmed that certain security features survive on the image – and are effective in enabling detection of counterfeits up to 99 per cent of the time. Quite logically, then, financial institutions are beginning to adopt some of these new tools.
Some vital characteristics have been thoroughly evaluated and proven to represent lasting value in the burgeoning image-enabled Check 21 environment. In the same vein, techniques such as check profiling are continuing to be developed and improved upon, allowing financial institutions to closely examine and confidently authenticate checks based upon their transmitted images. Furthermore, as part of their routine due-diligence and self-monitoring, many companies today are clamoring for as much real-time information as financial institutions can provide, and insisting that the real-time information capability be further refined and developed sooner rather than later on all types of activity, both paper and electronic. Frankly, this desire on the parts of many very substantive corporations is a good sign. It indicates, among other things, just how serious these companies are about self-monitoring and daily (even hourly) transaction reconcilement. In fighting fraud, speed is and always will be of the essence.
Other best practices in fraud prevention revolve around corporate-card encouragement and usage. As mentioned earlier, prepaid cards are relatively safe vehicles compared to checks for paying certain employees – and for paying some vendors. Benefits for the card recipient generally include much easier replacement in case of a lost or stolen card as opposed to a check. And benefits for the company that pays using card solutions are basically twofold: limited liability for unauthorized use in certain circumstances, as well as a greater measure of control over precise funding and card usage.
An ‘incentive/reward’ card is another good application of card technology in the corporate world. A company can issue bonuses or employee rewards in the form of a card that is usable only at certain merchants or types of merchants. This provides the company an incremental safeguard against certain types of card fraud. The same principles – a high degree of control combined with limited liability in certain circumstances for unauthorized use – apply to corporate travel cards, or corporate entertainment cards.
Card fraud today is often linked to hackers who manage to crack the system of a major retailer, thereby obtaining perhaps hundreds of thousands of credit-card numbers from the records of largely affluent consumers. The much greater threat to corporate integrity, however, lies in the twisted genius of the hackers themselves. Just ask yourself: If they succeed in hacking into your system, what kind of harm might the irritatingly inventive hackers do?
Meditating on this question should serve to remind all of us that if there were one best practice that should be adopted by every business operating today, it would be effectively communicating to each and every employee the absolutely essential importance of information security. It cannot be overemphasized: guard your security information closely. Any compromise of that security must be taken very seriously, and remedies pursued immediately. Also, of course, it helps to hire the best and the most trustworthy employees.
But even those regarded as the most trustworthy could well become candidates for compromise. That’s why neither today’s corporate entity nor the 21st-century financial institution can ever let its guard down – not for a minute, not for anybody. While we are not by any means suggesting that implementing all of these as well as other identifiable financial best practices is easy or will stop every fraudster, it could prove extraordinarily worthwhile to give these measures an honest try. It could, in fact, literally be worth millions of dollars in foiled fraud attempts.