Transcription
COMMERCIAL CARDFRAUD MANAGEMENT IN COMMERCIAL CARDS:Proactive Vigilance andCollaboration Required
INTRODUCTIONWith their numerous benefits, commercial cards, which include corporate traveland entertainment (T&E) cards, purchasing cards, fleet cards and more, arewell-established vehicles for business-to-business (B2B) payments, particularly inNorth America. Yet, news about data breaches and card fraud can unnerve evenstalwart card supporters. There is no denying that fraud can and does happen,originating from various sources, both internal and external.At the broadest level, card fraud is theunauthorized use, or attempted use, of a paymentcard. The incidence of commercial card fraud isfar lower than the incidence of fraud on consumercards, and it is lower than the incidence ofcorporate check fraud. The 2015 AFP PaymentsFraud and Control Survey reveals that paper checksare the payment type most susceptible to fraudattacks even as their overall use continues todecline. Check fraud also accounts for the largestdollar amount of organizations’ financial loss dueto fraud. Credit/debit cards are the second mostpopular vehicle for payments fraud; 34% reportedfraud attempts via credit/debit cards in 2014, downfrom 43% in 2013.1Fraud management in the financial servicesindustry has always been a matter of trying to stayone step ahead of the fraudsters. This is a greatchallenge due to the relentless and global pursuitof ill-gotten gains by an amalgam of criminals.As a regulated financial institution, JPMorganChase is required to develop, maintain andconstantly update the processes, procedures andsystems used to manage risk across our banking1entities and products, including commercialcards. Regulatory compliance is of course nonnegotiable. A substantial part of the equation isto maintain our reputation as a safe and soundplace to help manage the financial resources ofthe many millions of individuals and companieswho place their trust in the institution. JPMorganChase also understands that we must accomplishthis while creating an optimal experience for ourclients, including seamless, uninterrupted service,the protection of information and prevention ofpotential financial losses through card fraud.JPMorgan Chase takes the threat of fraud veryseriously and devotes numerous resources toprevention. Our commercial card fraud lossstatistics, measured as a percentage of cardspending, are below the industry average anda far lower rate than the fraud associated withconsumer cards. This low fraud rate speaks to thestrength of our fraud prevention practices as wellas relationships with clients in establishing effectivecard controls. In this paper we will discuss cardfraud in more detail and some of the ways thatJPMorgan Chase works to reduce the risk.Business Wire, 54/en/Global-Card-Fraud-Losses-Reach-16.31-Billion fraud/.
1 FRAUD MANAGEMENT IN COMMERCIAL CARDS: Proactive Vigilance and Collaboration RequiredCard Fraud Scopeand DefinitionC ard-related fraud is a major challenge around the globe. Oneindustry estimate puts 2014 losses at roughly 16 billion, withthe potential to reach 35 billion by the end of this decade. Thesedirect losses are shared by financial institutions, merchants andbusinesses, so it is a distributed pain that requires collaborationto manage across the industry spectrum. There are also otherexpenses in addition to the direct fraud loss, including costs ofadministering the post-loss process, ongoing prevention, andinvestigating the fraudsters for potential prosecution. In the UnitedStates the challenge has been somewhat greater because thefraud-resistant EMV/chip card technology is only in process of beingdeployed by banks and merchants, likely requiring about two moreyears to be fully implemented across the market. nlike consumer fraud, commercial card fraud can originateUinternally when an employee cardholder uses the card for personalgain or shares with others for that purpose. The same AFP survey(with 741 responses from organizations of all types and annualrevenue ranging from under 50 million to more than 20 billion),indicates that among organizations whose commercial cardprograms were subject to fraud, 25% reported fraud perpetratedby their own employees.2 A separate source of internal fraudarises from policy violations whereby an employee makes businesspurchases that do not follow the company’s rules. Examplesinclude purchasing from a supplier that has not been approved,buying unnecessary or unauthorized goods, and purchasing highervolumes than allowed. ore common, though, is external fraud involving a lost, stolen,Mor counterfeit card and/or stolen account information (see Exhibit1). External fraud categories also include situations where thecard(s) is not received, somehow intercepted prior to the corporateemployee or administrator. An unknown external party was the2This report is issued by the Department of Commerce’s U.S. Census Bureau and the Bureau of Economic Analysis.most common source of fraud found by the AFP Survey, at 77% ofincidences. Counterfeit card fraud results from cards manufacturedby fraudsters using detailed account information stolen byvarious means. ata breaches and the subsequently compromised card accountsDhave made headlines in recent years, bringing the problem of fraudto the forefront and revealing vulnerabilities that allow it to occur.These are sometimes a result of merchant network vulnerabilities,skimming card information at the point of sale, or even stolenequipment. Breaches also occur through phishing and even moresophisticated credit master processes, where computer-generatedaccount number algorithmic combinations are tested for validity.Indeed, data breaches may help explain the sharp increase infraud and awareness of it. Fraudsters are certainly mindful of thetransition to EMV/chip cards, and have increased their counterfeitcard attacks before the opportunity dwindles. Overall, partiesinvolved in external fraud can range from a lone perpetrator toexperienced criminal rings.E XH IBIT 1 : U NK NOWN E XTE R NAL PART Y IS THE L EA D INGS OU RCE O F C AR D F R AU DPercentage of Organizations That Suffered at Least One Attempt atCorporate or Commercial Card Fraud, by Party Responsible, 2014100%80%77%60%40%25%20%0%16%Unknown External PartySource: 2015 AFP Payments Fraud and Control SurveyEmployeeThird Party or Outsourcer
2 FRAUD MANAGEMENT IN COMMERCIAL CARDS: Proactive Vigilance and Collaboration RequiredThe JPMorgan Chase Fraud Team ApproachThe myriad benefits of commercial card programs of course faroutweigh the financial losses incurred through fraud. One wayis through overall order processing costs. According to the 2014Purchasing Card Benchmark Survey Results by RPMG ResearchCorporation, a purchasing card process is estimated to be 20.38per transaction, roughly three to four times less expensive thantraditional procure-to-pay processes (depending upon the relativeefficiency of corporate processes).3 JPMorgan Chase recognizes,however, that fraud remains a financial risk to our clients, andcan also be an invasive experience to an individual cardholder,as well as extremely inconvenient, especially during importantbusiness travel circumstances. Therefore we invest a great dealin a comprehensive approach to the prevention and overallmanagement of fraud.Our approach to managing fraud involves four major sets ofongoing and interrelated activity. (see Exhibit 2). Each operationalactivity is designed to provide an optimal end-to-end set ofstandards to prevent fraud, minimize its’ effect, reduce negativeclient impact and establish constant learning inputs for greatereffectiveness. The fraud team provides inter-operational feedback,based on established cases, new trends, external agency andindustry intelligence, and systems monitoring. In summary theseactivities are as follows: S trategy – This group establishes commercial card reductionstrategies and tactical approaches, along with optimal fraudmonitoring technology used in conjunction with the cardsprocessing systems. They are monitoring internal and externaltrends, while participating in industry fraud intelligence activities. P revention – This group makes operational decisions impactingaccounts through a combination of account activity monitoringand cardholder communication. They both prevent fraud andthrough immediate action, minimize its’ financial and clientimpact if already in process. If JPMorgan Chase suspects fraud,we have a multi-channel communication process to attemptcontact with the cardholder. If the cardholder or admin suspectsfraud, one of our fraud experts must actually speak with thembefore taking action to close the account. This minimizesinconvenience before setting corrective action into motion.EX HIBIT 2: CO MM ERCIA L C A R D F R AUD T E A M OVE RVIE WFraud Trend Analysis OptimizeTools and Strategies IndustryCollaboration OngoingAdjustments andEnhancementsBest Practices ClientConsultation Client AdvocacyPartner With Law EnforcementIndustry Monitoring3Association of Financial Professionals, Account Analysis CardholderCommunication ProactiveBlocking New Post-Event Analysis NetworkReporting ChargebackInitiation Determine SARRequirement
3 FRAUD MANAGEMENT IN COMMERCIAL CARDS: Proactive Vigilance and Collaboration Required R ecovery – This group manages post-fraud activity, includingmerchant chargebacks, cardholder and company reporting,network updates and potential threat filings with the FFIEC. C onsultation – This group works directly with programadministrators to establish up best practices for external andinternal fraud prevention and monitoring. They also work withexternal law enforcement agencies on case investigations andprosecutorial referrals.Client CollaborationI n the multiple lines of defense against card fraud, one of themost important elements is the actual set of card program policydecisions enacted by the corporate client. JPMorgan Chase placesa high priority on providing our corporate clients with programset-up advice based on industry-leading knowledge and experienceto establish appropriate policies. In addition to the proactive fraudmonitoring that is provided as part of program, we also placefraud controls directly in the hands of the program administratorthrough PaymentNet, our online management front end system.The client can easily generate reports to monitor declines, cashadvances, and unusual card activity as well as all other accountand transaction details. In addition, program administrators canapply credit, velocity, and MCC controls to precisely define allowabletransactions and align card usage with chosen internal policies. OurImplementation Associates and Program Coordinators will workwith administrators on training and set up so that intended policiesare accurately established. However, the client is in control and cansubsequently change settings themselves based on internal policydecisions, providing overall contractual limitations are not impacted(for example, corporate credit line).JPMorgan Chase places a highpriority on providing our corporateclients with program set-up advicebased on industry-leading knowledgeand experience to establishappropriate policies.We remain available consultants throughout the program tenureand will also connect with corporate clients to provide new fraudintelligence as it arises, allowing them to update their programsettings if applicable. An example is that our fraud team will providea detailed fraud consultation walkthrough to client executivesand program administrators explaining fraud performance indepth. This consultation includes collaboration with your programadministrators to identify and implement ongoing improvements.This ongoing training, communication and two-way collaboration isa hallmark of our approach and an important reason for our strongfraud loss results.Best PracticesT here are numerous best practices for companies to minimize cardfraud, both internally and externally. (see Exhibit 3) These can beplaced into three general categories: A nti-Fraud Technology Control – JPMorgan Chase utilizesindustry leading fraud detection, scoring, and prevention toolsto minimize internal and external fraud. Other solutions, oftenoffered by third-party technology providers, are specific toauditing/transaction monitoring and might accommodate othertypes of payments, not just cards. The key is to find the correctbalance in setting the controls. If controls are too tight, theprogram may not reach its true potential.
4 FRAUD MANAGEMENT IN COMMERCIAL CARDS: Proactive Vigilance and Collaboration RequiredCompanies should not overlook the value of conducting a riskanalysis and repeating it annually to ensure it evolves along withthe card program. Such analysis serves to document the controlsand identify potential control gaps. The results should lead toimprovements in controls and more effective internal auditing. P revention – being effective practitioners involves more thanjust technology, most often incorporating proper communication.Examples of these may seem rudimentary but should be reviewed. Well-defined roles and responsibilities, such as employeecardholder, manager/approver, program manager/administrator Separation of duties, especially pertaining to the programmanager and provider invoice payments Clear and complete policies and procedures Internal agreements around program policies andconsequences of non-complianceC ompanies should not overlook thevalue of conducting a risk analysisand repeating it annually to ensure itevolves along with the card program. D etection – one of the largest contributors to internal cardfraud and policy violations is poor oversight. Organizationsshould mandate transaction review by cardholders and theirmanagers at a minimum of once per month. Cardholders arethe gatekeepers and should be the first ones to spot potentialexternal fraud, taking the prescribed steps for limiting the impact.Program administrators should also review provided reports(declined transactions, new accounts, closed accounts, systemaccess, etc.) It is also recommended to enact adequate programauditing to evaluate adherence to policies and procedures andthe effectiveness of controls. Mandatory annual training for cardholders and managersEX HIBIT 3 : CO M PA N Y B E ST P R AC T I C E SSU MMARY FO R CO M BAT I N G C A R D F R AUDControls Targeting:External FraudInternal Fraud/Policy IssuesTraining on phishing, card security, etc.Training on card policies and proceduresCardholder transaction reviewUsage of internal agreementTransaction disputes, as neededManager review of cardholder transactionsVerification of supplier PCI complianceAppropriate separation of dutiesCard controls (e.g. limits, MCC blocks)Card controls (e.g. limits, MCC blocks)Auditing and program reportingAuditing and program reportingSource: Mercator Advisory Group
5 FRAUD MANAGEMENT IN COMMERCIAL CARDS: Proactive Vigilance and Collaboration RequiredConclusionJ PMorgan Chase is at the forefront of battling fraud in thecommercial card industry. Our, four-pronged approach tomanaging fraud has produced strong results. Working aroundthe-clock to prevent fraud and improve processes is an investmentin commercial card program excellence, providing our valuedcustomers with a level of confidence that their programs willprovide the full range of expected benefits. We believe that acollaborative relationship with our trusted clients, involvingongoing consultancy and sharing of best practices, help create anunparalleled level of confidence in JPMorgan Chase commercialcard products.JPMorgan Chase is at the forefrontof battling fraud in the commercialcard industry.
2016 JPMorgan Chase & Co. All Rights Reserved. JPMorgan Chase Bank, N.A. Member FDIC. All services are subject to applicable laws and regulations and serviceterms. 250784
With their numerous benefits, commercial cards, which include corporate travel and entertainment (T&E) cards, purchasing cards, fleet cards and more, are . well-established vehicles for business-to-business (B2B) payments, particularly in North America. Yet, news about data breaches and card fraud ca
