Hidden Traps of Payment Processing

By Sean Carter


Financial institutions are expected to be responsible and accountable for the operation of their payment processing systems, regardless of whether that function is handled by a third-party vendor. Most third-party vendors limit their accountability to failures within their own systems. Errors that originate within a bank or retailer’s system – not their job.

Even verifiable third-party vendor errors can result in a big headache. Bank customers don’t know the difference. They’ll leave a bank over a botched bill pay, no matter the origin.

Within community banks, staff experience and training don’t always keep up with the technological advances in payment processing. It’s a prescription for a perfect storm – and a perfect customer-relations headache.

The efficiency of Automatic Clearing House processes has escalated the probability of fraudulent transactions, if no one experienced is watching. And the consequences are expensive: With the advent of the CFPB, financial institutions are being more closely scrutinized in regards to the handling of consumer disputes and account monitoring activity such as stop payments and over draft program. Over the last couple of years FIs have been punished monetarily; fines levied have reached 10 million.

Third party vendors always push system upgrades. Regulators (and customers, too, if they knew) don’t want to hear that your bank didn’t want to pay for an upgrade. You need to understand all parts of the game.

Here are a few tips on the points of vulnerability in every financial institution, and simple steps to reduce human error, to help you avoid the roughest seas.


Eyes On the Street, and On the Sheet

In our company’s experience, a signal example of street vigilance is this: Four and half years ago, a loan officer working for a bank that had locations in Baltimore drove out to the address of a property that was the subject of a loan request. The property just next door was a burned-out building. The loan officer recognized the wrecked property as the given address of the bank’s then-biggest ACH debit originator transaction customer, which did $60,000 in debit transactions per month.

Those ACH debits were actually a pay-for-work scam perpetrated by local gangs. The gangs – no strangers to payment fraud — would contact neighborhood folks looking for them to pay a fee in the hopes of landing them a job. The method in some cases for payment was ACH. Gangs throughout the country have gotten into check fraud by buying payroll checks and direct deposit stubs from local folks. They then steal the account numbers on the bottom of the checks or stubs and commit fraud by writing checks drawn on the companies’ account numbers.

If not for the lending officer’s institutional knowledge, the bank might have been out millions. That’s a couple of magnitudes bigger than a botched bill pay.



Watch Out for Customers

We’ve all heard about mortgage customers who didn’t understand the conditions of their agreements when they took them out, before the mortgage crisis hit. That problem isn’t limited to mortgage products – it’s also a problem with wire transfers, ACH origination, exception processing for card and ACH disputes which can leave the FI exposed in the areas of Regulation E error resolution, security procedures that weren’t followed or stressed enough in cross training, lack of implementation of ACH Risk Management program components; inexperienced staff failing to catch the signs of increasing returns or issues surrounding a particular customer – and compromise of cross channel risk principles.

IT specialists within banks can track how long a customer opening an online account took to read the agreement. If it took the prospect only a few seconds to read a 52-page agreement, that’s a problem the IT team should monitor – though many legitimate customers might be exhibiting the same behavior.

Customers also need to be warned: Do not discuss your account online! Most bank websites have posted this type of warning for years. But there are new customers all the time, and we all remember what P.T. Barnum said about who gets born every minute. Fraudsters target the most vulnerable amongst us and this in some cases is the elderly. There has been a big push at the CFPB to help strengthen protections for the elderly. FIs need to understand the signs of fraud and put in procedures to help prevent losses.

FFIEC requires customers to be educated about the risks of online banking and how to protect themselves. Does your staff know? And of your staff, who needs to be let into the system to monitor activity?


Vendor Safeguards

When opening a peer-to-peer online payment account, get a voided check from the customer, and put a limit on the amount and frequency of payments. Identify the tools the vendor is offering including limits are fraudulent transaction detection and implement them. If your third-party vendor does not offer risk management tools, you should implement in house controls.

Have the customer check a box for a one-time stop, two times, or indefinitely.

When online customers call the bank to say the site is down, they may be the target of a ‘man in the middle’ attack. It’s of critical importance to validate the phone numbers of those customers calling in.

Auditors cite financial institutions for returning items as stop payment (R-08 that should have been returned as authorization revoked. Stop payments are prepost events; returns for revocations are adjustments, or correction of posted items. To get into compliance with the new rules, one must establish: The intent of the account holder Have the customer check a box for a one-time stop, two times, or indefinitely. Training of frontline staff; and operations staff having controls in place to check forms with return codes.

Corporate accounts: Corporate accounts are not afforded the same protections as consumer accounts within the payment system or by federal regulation. Staff must be aware of this and the FIs disclosure should be very clear on this matter. FIs that provide the same disclosure to both consumer and corporate accounts maybe increasing their own risk and causing more confusion to both staff and the account holder.


Sean Carter, AAP, is senior vice president at NEACH.