Entries categorized as ‘fraud’
Proper business practices are a necessity in any business, and when dealing with other people's money they are paramount. The FTC has again fined a business for not doing proper due diligence on new accounts within its operations. ChoicePoint, now owned wholly by Lexis-Nexis, was previously found guilty of such practices in its infamous "breach", where fraudulent accounts were set up and used to pilfer hundreds of thousands of consumer records.
The latest fine is against a payment provider that did not properly follow its own guidelines for onboarding new merchants. The result was more than $2.38 million in fraudulent charges against consumers. The business has been ordered by a federal court to pay $1,779,000 in consumer redress and to end the illegal practices.
…the payment processor did not follow its own guidelines for new merchants and did not check addresses, phone numbers, or references the bogus merchant provided. The FTC alleged that the defendants anticipated that the scam would generate high return rates, that they did not request or obtain proof that consumers had authorized debits to their accounts, and that they continued to process charges even after receiving complaints from consumers and banks and unacceptable explanations about unauthorized debits from the merchant. The complaint alleged that more than 70 percent of the merchant's transactions were returned or refused by the consumers' banks.
What is interesting is what type of risk management practices existed in the business to let this occur for so long, and what audit efforts were conducted that did not catch these deficiencies in the existing controls.
Guidelines and proper business practices are NOT check boxes for the sole purpose of checking them; they are to be adhered to in a manner that ensures the operational integrity of the business and the fidelity of its operations.
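As an added illustration (not part of the original post, and not the processor's or the FTC's code), here are two audit checks that would have surfaced the gaps the complaint describes: a new-merchant application with details that were never verified, and a merchant whose transactions were still being processed while most of them were being returned by consumers' banks. The field names, the 70% threshold taken from the complaint, and the sample application and transaction records are all constructed assumptions for the example.

```python
"""Two audit checks a payment processor could run over its own records.
Everything below is constructed for illustration; the field names and the
70% threshold (the return rate cited in the FTC complaint) are assumptions,
not any processor's real schema or policy."""
from collections import defaultdict

# Items a new-merchant application must carry AND that an analyst must mark
# as independently verified before the account is switched on.
REQUIRED_VERIFICATIONS = ("address", "phone", "references")


def onboarding_gaps(application):
    """Return the required items that are missing or unverified.
    An empty list means the application passed the due-diligence check."""
    gaps = []
    verified = application.get("verified", {})
    for field in REQUIRED_VERIFICATIONS:
        if not application.get(field):
            gaps.append(f"{field}: not provided")
        elif not verified.get(field, False):
            gaps.append(f"{field}: provided but not verified")
    return gaps


def return_rates(transactions):
    """Per-merchant fraction of transactions returned or refused by the
    consumer's bank. Each transaction is a dict with 'merchant_id' and a
    boolean 'returned'."""
    totals = defaultdict(int)
    returned = defaultdict(int)
    for txn in transactions:
        totals[txn["merchant_id"]] += 1
        if txn["returned"]:
            returned[txn["merchant_id"]] += 1
    return {m: returned[m] / totals[m] for m in totals}


def flag_merchants(transactions, threshold=0.70, min_txns=20):
    """Merchants whose return rate meets the threshold, skipping merchants
    with too few transactions for the rate to be meaningful. Sorted with
    the worst offender first."""
    counts = defaultdict(int)
    for txn in transactions:
        counts[txn["merchant_id"]] += 1
    rates = return_rates(transactions)
    flagged = [(m, rates[m]) for m in rates
               if counts[m] >= min_txns and rates[m] >= threshold]
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: an application with an unverified address and
# references and no phone number at all.
SAMPLE_APPLICATION = {
    "merchant_id": "M-1002",
    "address": "1 Example Street",
    "phone": "",
    "references": ["ref-a", "ref-b"],
    "verified": {"address": False, "references": False},
}


def make_transactions():
    """Constructed transaction log: one normal merchant, one whose
    transactions are mostly returned, and one with too few to judge."""
    txns = []
    for i in range(50):   # M-1001: 2 of 50 returned (4%)
        txns.append({"merchant_id": "M-1001", "amount": 25.00, "returned": i < 2})
    for i in range(40):   # M-1002: 36 of 40 returned (90%)
        txns.append({"merchant_id": "M-1002", "amount": 39.95, "returned": i < 36})
    for i in range(5):    # M-1003: 5 of 5 returned, but only 5 transactions
        txns.append({"merchant_id": "M-1003", "amount": 10.00, "returned": True})
    return txns


SAMPLE_TRANSACTIONS = make_transactions()

if __name__ == "__main__":
    print("Onboarding gaps:", onboarding_gaps(SAMPLE_APPLICATION))
    print("Flagged merchants:", flag_merchants(SAMPLE_TRANSACTIONS))
```

The `min_txns` floor matters in practice: a brand-new merchant with a handful of disputed charges is a reason to look, not yet a reason to cut off processing, whereas a merchant with dozens of transactions and a 90% return rate is exactly the pattern the complaint says was allowed to continue.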
A great article on the power of “check lists” is available here at the New Yorker.
Best regards,
James DeLuccia IV
Categories: Compliance · IT Controls · Institute of Internal Auditors · audit · fraud · information security
Tagged: best practices, fines, fraud, ftc, merchant, payment processor, PCI DSS, sas 70
The cost of fraud to an organization is approximately 6% of its revenue each year. This is an astounding figure, calculated by the Association of Certified Fraud Examiners using a global survey and supported by several other international and independent authorities. A great means of reducing losses from both known and unknown fraud is the establishment of a preventive health-check system.
Clear accountability, responsibility, upper management support, and awareness of the areas of highest risk are fundamental to every organization. In IT Compliance and Controls this is discussed in detail under Principle 1 – Tone at the Top and Principle 3 – Human Resources. As a supplement to the book's In Practice guidance, the ACFE makes available an excellent Prevention Check List for business leaders.
The document is very simple and has immediate benefits. There are careful guidelines recommended for conducting such efforts, and they should be embraced. The need for such checklists exists independently of PCI and similar regulations, as fraud is present around the world – consider SocGen (Reports 1-3 detail the fraud!) and WorldCom.
Check out the checklist here today, bring your general counsel on board, and determine how you can increase your revenues by 6% today.
Best,
James DeLuccia
A special thanks to the ACFE for making this freely available without registration.
Categories: IT Controls · fraud
A client of mine recently updated their rich corporate governance program, and beyond the obvious extensions to include recent State laws (introduced in the last 6 months) governing data usage and some international legislation, there was particular attention paid to the Federal government's use of the FSG (Federal Sentencing Guidelines). A recent increase in DOJ attention has raised this mandate's requirements above the normal baseline within the organization, and it now carries equal weight with such initiatives as SOX, PCI DSS, and NASD listing requirements.
Two nice sources for the FSG are the full guidelines themselves – of particular interest may be section 8B2.1, "Effective Compliance and Ethics Program" – and a text published by Theodore L. Banks and Frederick Z. Banks entitled "Corporate Legal Compliance Handbook". Here is a link to Google Book Search with some interesting content already highlighted.
As a best practice, always review your responsibilities to stakeholders (whether they be investors, employees, industry watch groups, government agencies, or international treaty conditions) on a regular basis. The review period varies with the growth and rate of change of your particular industry, but should not exceed a year. Reviews should focus on the business impacts these mandates impose and the controls established to satisfy each. An executive session should be included in this process to ensure that strategic direction is captured and that any shifts are embraced by management and all divisions of the company.
Best,
James DeLuccia
Update: Book Release is now March 19th 2008!! Pre-Order Today
Categories: Boards · Governance · Payment Card Industry Data Security Standard · State Laws · audit · fraud · regulations
Visa announced today that the majority of its merchants are PCI DSS v1.1 compliant. Specifically, 99% of Level 1 Merchants and 92% of Level 2 Merchants have met compliance or have submitted an approved remediation program. This is a huge increase in compliant organizations year over year, and congratulations are due to the merchants and to Visa, who worked to get this done. A fortunate by-product of this is, hopefully, that we will see similar successes and releases from the other four card associations that make up the majors. It is important to realize that Visa is only one of the four, and the others are just as important to ensuring consumer confidence and eliminating credit card / identity theft through the payment transaction system.
In addition, I found a study showing that organizations that are PCI compliant have a lower incidence of fraud as a result. This is in line with my earlier articles here and here at IT Compliance and Controls.
Well done to Visa and the associated merchants on this release, and here is to making 2008 a far better year than 2007 for online security and consumer credit card confidence.
An article on the press release and its impact on consumers and merchants is available here from SC Magazine, and here.
Best,
James DeLuccia
Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · audit · fraud · information security
January 17, 2008 · 1 Comment
A great piece was written by Kevin Funnell recapping an article in the American Banker on the impact of banks meeting the FFIEC multi-factor authentication deadline of January 1, 2007. Thankfully many organizations adopted these requirements prior to the hard deadline, and overall fraud rates have plunged. Key points in his write-up that jump out at me are:
Great Success:
“fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication”
This supports the view that multi-factor authentication is beneficial and should provide immediate returns to the organization, both financially and in public goodwill.
Escalation continues:
“increased incidents of branch and contact center fraud and criminals working the channels to get pieces of information”
An important reminder that threats can come from different angles, but the target is STILL the data, and we must do a great job of securing and monitoring those data stores.
What truly resonates with me is the amount of fraud reduced through the simple introduction of a single control. The economics and technical feasibility of this control are very understandable and not complex. I feel there is a huge opportunity for online merchants, which unlike banks are not subject to the FFIEC guidance, to fully embrace this control and the necessary technology. PCI DSS mandates under Section 8.3 that administrators, employees, and third parties use two-factor authentication when accessing data remotely – this does not apply (today) to consumers.
A good set of studies on multi-factor authentication usefulness and applicability can be found here, here, here, and here.
Updated: Great breakdown of multi-factor approaches and analysis by Karim Zerhouni, Senior Manager at BearingPoint.
Fraud is an issue that impacts business profit margins and disrupts consumers' lives. Reducing cost and improving the consumer experience is a best practice in any economy, nation, and industry.
Best,
James DeLuccia
Categories: CoBIT · Compliance · IT Controls · Multifactor · PCI DSS · Payment Card Industry Data Security Standard · ROI · Risk Management · fraud · information security