Despite some declines, payments fraud remains a major concern for credit unions. So what steps should be taken to prevent or mitigate the risks of payments fraud?
Experts who spoke to Credit Union Journal offered a variety of suggestions.
According to Ken Otsuka, CUNA Mutual Group senior consultant, risk and compliance solutions, CUs with card programs that aren’t yet fully EMV-compliant should consider expediting the conversion. In addition, credit unions should ensure they are using card-not-present tools, including CVV2/CVC2 and address verification service, and encourage members to enroll in Verified-by-Visa or MasterCard SecureCode.
Otsuka also offered the following recommendations:
- Credit unions should avoid accepting members’ large-dollar wire transfer requests remotely (e.g., by phone, fax, email or through online banking) in the absence of a signed wire transfer agreement with members that specifies a commercially reasonable security procedure for authenticating remote requests. Members requesting large-dollar wires should be required to make the request in person at a branch office.
- Credit unions should deploy layered security controls, such as out-of-band authentication, to help prevent account takeovers of member accounts via online banking rather than rely solely on multi-factor authentication. Out-of-band authentication involves using a separate communications channel to authenticate transactions, such as when a member attempts to log in to his/her account using a different computer, to verify large-dollar transfers and to verify changes to member contact information and passwords initiated through online banking.
- Credit unions should consider reviewing large-dollar member checks presented for payment to ensure members did in fact issue the checks.
- Credit unions should conduct a risk assessment prior to introducing ACH transactional services to understand the risks associated with ACH so that controls can be implemented to help manage the risk.
According to Lou Grilli, director of payments strategy at Trellance, credit unions need “strict” account opening procedures with multiple forms of verification.
“There are several third-party tools, or hosted services, that perform account opening verification,” he noted. “Accounts or subsequent deposits that exceed suspicion thresholds should be flagged and scrutinized. Limiting transactions both in volume and dollar amounts can limit the credit union’s exposure.”
In addition, every account update should be examined.
Grilli also suggested that members should be encouraged (that is, trained) to look at online statements, card transactions and activity on a daily basis. “Members should be highly encouraged to have current mobile numbers in their profile, and register for purchase and fraud alert,” he added. “Most important, train members to not click on links unless the source is completely trustworthy.”
Also, staff and credit unions should be better trained at detecting and preventing fraud. “Procedures need to be defined for every member request. Social media access and personal email should not be allowed from credit union networks,” he said. “Security awareness needs to become part of the credit union’s culture.”
Grilli concluded that if the credit union fraud staff is seeing good results from technology used to combat card fraud, and becomes complacent, perhaps thinking that the worst is behind them, “they will be in for a very rude surprise as these more sophisticated forms of fraud impact big and small credit unions alike.”