The FBI's recent report states that between March 2010 and April 2011 the FBI identified twenty incidents in which the online banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies. As of April 2011, the total attempted fraud amounts to approximately $20 million; the actual victim losses are $11 million.
The modus operandi is similar to the account takeover frauds prevalent in the SME segment: online accounts are hijacked using malware. Despite the technical lines of defense set up by banks, attackers still manage to slip through and transfer funds, all the more so when automation and STP (straight-through processing) handle such "pass through" payments without any manual touch. In this context, lines of defense at the business process layer of payment processing are critical.
Customer-centric financial institutions should offer Customer Payment Profiles that capture each customer's payment preferences. Besides differentiating customers, a profile adds risk management: risk control parameters are set up as defined or preferred by the customer. A profile supports account segregation. Account owners should segregate accounts by the purposes for which the relationship with the financial institution was established, marking accounts used for collections, payables, salary payments, reserve funds, returned funds and so on. This defines, or rather restricts, the payment services enabled on each account, which reduces the risk exposure of those accounts: a takeover of such an account fails in payment processing at subscription validation. If receivables are held in a separate account, there is no need to enable payments on it, so wire originations from that account can be blocked through such selective subscriptions.
Preferential subscriptions also provide for risk limits. Call-back limits, set according to the customer's risk appetite, trigger an additional confirmation call with the SME account owner and reduce fraudulent payment flow. Risk limits should be defined from data and actual need. Arbitrary limits such as $1,000,000 or $500,000 may simply leave unnecessary room for fraudulent payments; limits should instead be based on past data on the funds flow through the designated account. It is reported that in most cases the reported frauds tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000. Frequency-based limits on the volume and value of payments (during a business day, on holidays, or cumulatively over a predefined period such as daily, weekly, biweekly or monthly) can also regulate the flow of funds from accounts. These limits could be defined at levels more granular than the account. Origination modes with higher vulnerability should be protected with lower limits, and payment validations should handle payments differently depending on origination mode.
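The following is an added example, not code from the post or from any bank's system, showing how the business-layer checks above (selective wire subscription per account, a per-payment ceiling derived from past funds flow instead of a round figure, origination-mode tightening, frequency limits over a business day, and a call-back limit) can be run as one validation step after technical authentication has already passed. The profile fields, channel names, mode factors and all account histories are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Hypothetical customer payment profile, constructed for this example; the
# field names are assumptions, not a real bank's schema.
@dataclass
class AccountProfile:
    account_id: str
    purpose: str                 # "payables", "receivables", "salary", "reserve", ...
    wires_enabled: bool          # selective subscription: may this account originate wires?
    history: List[float]         # past outgoing wire amounts (constructed sample data)
    callback_limit: float        # a single payment above this waits for a confirmation call
    daily_count_limit: int       # frequency limit: wires per business day
    daily_value_limit: float     # cumulative value limit per business day

@dataclass
class Payment:
    account_id: str
    amount: float
    origination_mode: str        # "branch", "online", "mobile" (assumed channel names)

# Assumed: channels with higher exposure get a smaller share of the derived ceiling,
# so the same account tolerates less per payment from a mobile app than at a branch.
MODE_FACTOR: Dict[str, float] = {"branch": 1.5, "online": 1.0, "mobile": 0.5}

def data_based_limit(history: List[float], k: float = 3.0) -> float:
    """Per-payment ceiling derived from past flows (mean + k standard deviations)
    rather than an arbitrary round figure such as $1,000,000 or $500,000."""
    if len(history) < 2:
        return 0.0               # no usable history: nothing passes without manual review
    return mean(history) + k * pstdev(history)

def validate_payment(p: Payment, prof: AccountProfile,
                     todays: List[Payment]) -> Tuple[str, str]:
    """Business-layer checks applied after technical authentication has passed.
    Returns (decision, reason) with decision in {"REJECT", "CALLBACK", "ACCEPT"}."""
    # 1. Subscription validation: a receivables or reserve account that was never
    #    subscribed to wire origination fails here, whoever holds the credentials.
    if not prof.wires_enabled:
        return "REJECT", f"{prof.account_id} ({prof.purpose}) not subscribed to wire origination"
    # 2. Data-based per-payment ceiling, tightened by origination mode.
    factor = MODE_FACTOR.get(p.origination_mode, 0.5)   # unknown channel treated as high risk
    ceiling = data_based_limit(prof.history) * factor
    if p.amount > ceiling:
        return "REJECT", f"{p.amount:,.2f} exceeds {p.origination_mode} ceiling {ceiling:,.2f}"
    # 3. Frequency-based limits on count and cumulative value over the business day.
    same_day = [q for q in todays if q.account_id == p.account_id]
    if len(same_day) + 1 > prof.daily_count_limit:
        return "REJECT", f"daily count limit {prof.daily_count_limit} exceeded"
    cumulative = sum(q.amount for q in same_day) + p.amount
    if cumulative > prof.daily_value_limit:
        return "REJECT", f"daily value limit {prof.daily_value_limit:,.2f} exceeded ({cumulative:,.2f})"
    # 4. Call-back limit: above it the wire is held until the owner confirms by phone.
    if p.amount > prof.callback_limit:
        return "CALLBACK", f"above call-back limit {prof.callback_limit:,.2f}: confirm with account owner"
    return "ACCEPT", "within profile"

# Constructed sample profiles for one SME customer: a payables account subscribed to
# wires with six months of typical supplier payments, and a receivables account that
# was never subscribed to wire origination.
PAYABLES = AccountProfile("ACC-PAY", "payables", True,
                          [42000, 38000, 45000, 40000, 51000, 47000],
                          callback_limit=50000, daily_count_limit=5, daily_value_limit=150000)
RECEIVABLES = AccountProfile("ACC-RCV", "receivables", False, [],
                             callback_limit=0, daily_count_limit=0, daily_value_limit=0)

if __name__ == "__main__":
    attempts = [
        Payment("ACC-RCV", 250000, "online"),     # takeover of the collections account
        Payment("ACC-PAY", 40000, "online"),      # ordinary supplier payment
        Payment("ACC-PAY", 55000, "online"),      # unusual but plausible: call back
        Payment("ACC-PAY", 900000, "online"),     # the size seen in the reported frauds
        Payment("ACC-PAY", 40000, "mobile"),      # riskier channel, lower ceiling
    ]
    for a in attempts:
        prof = PAYABLES if a.account_id == "ACC-PAY" else RECEIVABLES
        print(a, validate_payment(a, prof, []))
```

The ceiling is deliberately recomputed from history on every call so that it tracks the account's real funds flow; in production the history window and the multiplier `k` would be part of the profile the customer agrees to, and a rejected or held payment would be logged with its reason for the fraud team.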
Watch-word monitoring will certainly help filter fraudulent payments in similar cases. Fraudulent payments normally follow a pattern in payment origination. In the case reported here, the beneficiary details of the payments named certain Chinese cities: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning. Once identified, such keywords should be incorporated into payment filtering as a preventive measure.
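As an added example (not code from the post), here is a watch-word filter for beneficiary details that uses the city names from the case above. It normalizes case, diacritics and punctuation before matching, and matches whole words so that a watch word does not fire inside an unrelated longer name. The screened field names and the sample wires are constructed assumptions.

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Watch words from the case described in the post; in practice the fraud team
# maintains this list and extends it as new patterns are identified.
WATCH_WORDS = ["Raohe", "Fuyuan", "Jixi City", "Xunke", "Tongjiang", "Dongning"]

# Wire fields that carry beneficiary details (assumed field names, not a real format).
SCREENED_FIELDS = ("beneficiary_name", "beneficiary_address", "beneficiary_bank", "remarks")

def normalize(text: str) -> str:
    """Case-fold, strip diacritics and collapse punctuation/whitespace so that
    'JIXI-CITY', 'Jixi  City' and 'Jixi City' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^\w\s]", " ", text.casefold())
    return re.sub(r"\s+", " ", text).strip()

def compile_watch_list(words: List[str]) -> List[Tuple[str, re.Pattern]]:
    """Whole-word patterns: 'Fuyuan' should not fire on an unrelated 'Fuyuanda'.
    Known spelling variants belong in the list explicitly rather than in looser matching."""
    return [(w, re.compile(r"\b" + re.escape(normalize(w)) + r"\b")) for w in words]

WATCH_PATTERNS = compile_watch_list(WATCH_WORDS)

def screen_payment(payment: Dict[str, str],
                   patterns=WATCH_PATTERNS) -> List[Tuple[str, str]]:
    """Return (field, watch_word) for every hit; an empty list means no match."""
    hits = []
    for field in SCREENED_FIELDS:
        value = normalize(payment.get(field, ""))
        for word, pat in patterns:
            if pat.search(value):
                hits.append((field, word))
    return hits

def filter_decision(payment: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """HOLD the wire for manual review on any hit, otherwise PASS it on."""
    hits = screen_payment(payment)
    return ("HOLD" if hits else "PASS"), hits

# Constructed sample wires (not real payments or real beneficiaries).
SAMPLE_WIRES = [
    {"id": "W-1", "beneficiary_name": "Raohe Trading Co., Ltd.",
     "beneficiary_address": "Jixi City, Heilongjiang", "remarks": "invoice 4411"},
    {"id": "W-2", "beneficiary_name": "Acme Supplies Ltd",
     "beneficiary_address": "12 Main St, Springfield", "remarks": "PO 2291"},
    {"id": "W-3", "beneficiary_name": "Fuyuanda Plastics",
     "beneficiary_address": "Shenzhen", "remarks": "moulds"},
    {"id": "W-4", "beneficiary_name": "Northern Timber",
     "beneficiary_address": "DONGNING, Heilongjiang", "beneficiary_bank": "Xunke branch"},
]

if __name__ == "__main__":
    for wire in SAMPLE_WIRES:
        print(wire["id"], filter_decision(wire))
```

Whole-word matching keeps the false-positive rate down for common syllables, at the cost of missing run-together variants; those are added to the list as the fraud team sees them, which is the same maintenance loop the post describes for any newly identified keyword.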
As is always said, financial and reputational losses are substantial in these cases, and it is prudent to protect financial resources from external siphoning or takeover through the business checkpoints above, as a business layer in addition to the technical authentication layers that fraudsters so often drill through.