Anncr.:
As a bank that focuses on business, we work with business leaders all day, every day. We have a front-row seat to what's working, and what has potential. The First Business Bank Podcast is dedicated to sharing insights to help you work better, smarter, and faster to achieve your goals. Let's get into the show.

Mark Meloy:
Hello, I'm Mark Meloy, CEO of First Business Bank. Welcome to the First Business Bank Podcast.

Mark Meloy:
Today, we're talking about managing payment fraud risk. That title might sound scary, and I hope it grabs your attention. Many of you have listened to other podcasts from First Business Bank about fraud and email compromise. We are not going to repeat those messages today. But you can, at your leisure, if you wish, if you haven't listened to them, go right ahead and do so.

Mark Meloy:
But you should understand that email compromise is a means by which fraudsters can gain access to your confidential bank information about your operating accounts, as well as your hard-earned cash.

Mark Meloy:
Today, the focus of this podcast is protecting your confidential information, as well as your money. Our experts will share simple tips, such as slowing down the urgency of a request; implementing good controls; and subscribing to First Business Bank's Fraud Prevention Services.

Mark Meloy:
Rest assured: Using the banking payment system; with the consistent application of best practices and some really good fraud prevention services; is actually a very safe and sound way to conduct commerce.

Mark Meloy:
I'm joined by a couple of my colleagues who spend much of every day at First Business Bank managing payment options for our clients. They're each going to introduce themselves before we get into our conversations. Melissa, I'll start with you.

Melissa Fellows:
Good afternoon. I'm Melissa Fellows; I'm the market leader for the Treasury Management Team here in our Madison market. And spend a lot of time working with businesses on their operating accounts as it relates to liquidity management, payments, information reporting, and of course, fraud.

Mark Meloy:
Theresa?

Theresa Wiese:
Thanks, Mark. My name is Theresa Wiese. I'm the managing director of Compliance and Risk Management for First Business Bank. My team and I spend a lot of time with clients, um, kind of helping to resolve fraud situations. Um, and so hopefully this afternoon will be, uh, informative for you all.

Mark Meloy:
Great. So Melissa, I'll start with you. When you talk about payment types and fraud related to them, what exactly are we referring to?

Melissa Fellows:
Sure. So today what we're referring to is fraud payments as it impacts a business checking account. Um, such as ACH, ch- checks, and wires.

Melissa Fellows:
While all fraud is scary, um, I think what is most important about today's conversation is that it pertains to a business checking account, which is really where businesses are most vulnerable. Uh, operating cash is critical for a business.

Mark Meloy:
Great. Theresa, what would you say are the most common fraud attacks reported by businesses?

Theresa Wiese:
Well, today, uh, and ... well, really, the last, um, probably 20 years, uh, check fraud. Uh, it's still alive and well. Uh, last year, we had, the bank had prevented losses of almost a million dollars. So that was fraud that we were able to prevent. Um, using some of our services.

Theresa Wiese:
Um, there was potential loss of about a million-eight. Uh, recovered losses were about 800,000. And then we had, um, sm- small-client losses. Um, but check, check fraud is still the number one fraud that we're seeing out there.

Melissa Fellows:
Um, and I'd just like to add on, I think it's, you know, remarkable. You know, we're talking about the, the large volume that we see, and the large dollar amounts.

Melissa Fellows:
But I think what is remarkable that Theresa and her team are able to do behind the scenes that, um, you know, maybe your business clients don't even realize is the additional monitoring that really, I think, speaks to, um, why that loss for the end user is, is so low.

Theresa Wiese:
Right. And, a- really, to add to the ... what we're seeing, as far as fraud goes, uh, ACH and wires are really a close second.

Theresa Wiese:
The, uh, the challenge with ACH and wires is that, um, because the payments are immediately available when they hit the receiving bank, and they're a lot faster; uh, the fraud, the, the dollars, uh, are gone much faster as well.

Theresa Wiese:
Which means we can't recover, um, electronic transactions very successfully. Um, checks, we have a little bit more success with. But wires and ACH are a little bit more of a challenge.

Melissa Fellows:
And you know, one of the things, you know, too, Theresa, in talking about your team is just the limits that we institute, um, and that you may experience, you know, with your relationship as far as daily limits.

Melissa Fellows:
So for example, um, you know, another way to mitigate, um, overall exposure is to make sure that you're actively reviewing your limits that you have set.

Melissa Fellows:
So for example, normal course of business for you is, um, you know, X dollar amount. And, you know, oftentimes towards the end of the year, um, there's bonus payrolls or, or distributions. And so, it's better in that situation to, to look at a temporary increase and to reach out to your banker to maybe make a slight adjustment.

Melissa Fellows:
But to have a limit in place that really truly reflects normal course of business. I think is another thing to think about as you're, um, managing payments and, and controls for users.

Theresa Wiese:
Yeah, and that's a good point, Melissa. Um, because I think sometimes the limits, uh, can be a bit of an annoyance (laughs) to clients. But they are really important, uh, when it comes to mitigating fraud.

Theresa Wiese:
Um, because if there are limits in there, and a fraudster tries to, you know, insert, uh, a transaction within an ACH file or something like that that goes over the limit, we're able to catch that. So, that's a great point.

Theresa Wiese:
The other thing that I'd like to add, uh, as it relates to wire transfers. For wires that originate at the very first time, where our Operations Team has not seen it before; um, they will reach out to our client on an established phone number that we have on file. And confirm, you know, all the attributes of the wire.

Theresa Wiese:
For example, the instructions, make sure the instructions are correct. Um, that the dollar amount is correct, and get confirmation from the client.

Theresa Wiese:
And there are times where if the wire seems a bit unusual; for example, um, it's kind of an unusual dollar amount, or it's to a beneficiary that has never been used before. They will probe a little bit more with the authorized signer that they're calling, just to make sure that the wire, uh, is indeed legitimate.

Mark Meloy:
Yeah, those are really good points. Kind of a common theme is if it seems unusual or out of character, you know, take the time, slow down, and try to understand the facts.

Mark Meloy:
Melissa, what are some of the, your top suggestions for businesses to avoid fraud?

Melissa Fellows:
Yeah, really, um, a number of things. And, and while they might sound elementary, um, all very important. And I think are, um, constant things that I know that, that we're talking with clients about. Especially when we're out on treasury review.

Melissa Fellows:
So, um, you know, the first thing that I would recommend is just review the account signers. Um, making sure that, um, the signatories on business accounts are reflective of the current team. And that, that those individuals should have access to sign, um, on the business checking, or business accounts.

Melissa Fellows:
Uh, kind of going along with that would be who has access to your online banking platform? And with that access, what control are you giving them? Um, do you have the work controls in place where one person initiates and another is logging in to approve?

Melissa Fellows:
The other thing that we recommend is that you have somebody outside of someone who's initiating payments complete the reconciliation. So, again, just breaking up the controls and, and who's responsible for what.

Melissa Fellows:
You know, we touched a little bit on limits. And so, you know, going back to that ACH daily limit; making sure that it's reflective of normal course of business. And you also have the ability within online banking to set limits per user.

Melissa Fellows:
So, depending on what that user's responsibility is; and maybe what their role or level is within the organization; um, you might have a daily limit of X. But you can, you know, bring that back to, uh, a specific user level. And you can do that for both ACH and wire.

Melissa Fellows:
Something that I think, uh, is, is fairly elementary but so important is to migrate your bank statements to online. Um, if you haven't done that already.

Melissa Fellows:
It's an additional piece of paper with your bank account information on it. And all of your account activity and your balance. So, to receive that information in secure portal really just kind of further limits the exposure and, and paperwork, account information, um, in the mail.

Theresa Wiese:
I was just going to add that to, to Melissa's point on the electronic statements; uh, we've had situations, unfortunately, where, uh, fraudsters have gone into a business park. Um, and some business parks have mailboxes sitting out on the curb. And have just stolen, uh, paper statements right out of the mailboxes, and then created counterfeit checks.

Theresa Wiese:
So, um, getting those paper statements, uh, to electronic is just a really great idea.

Melissa Fellows:
That's a really good point. And any of the, the last thing that I'll add is just, um, adding bank fraud prevention tools such as Positive Pay Service for check fraud. And, and really working with your bank to help you automate that process.

Mark Meloy:
Good. Um, Melissa, staying with that theme a little bit, what is, um, out-of-band authentication? And what are the best practices regarding sources of content information?

Melissa Fellows:
Yeah. So, um, out-of-band authentication, the way that I like to look at it, is really anything outside of the computer network.

Melissa Fellows:
So, you enter in your user ID and your password, um, to get in your online banking. But when you're entering into a higher-risk transaction; so that would be anytime that you're moving money outside of your bank account; that's where there's maybe that additional key fob or a mobile token. Um, where you get a, a PIN that refreshes every so often.

Melissa Fellows:
So if a fraudster does, if they're key-logging or they're trying to log in simultaneously with you, that outside authentication, or that PIN number really verifies and ensures that when there is money moving outside of your bank account, that it truly is the person that's initiating that transaction.

Mark Meloy:
Thanks. Theresa, what's the best way for companies to train their employees? And how often should they do it?

Theresa Wiese:
Well, I'm a big believer in, uh, little snippets often. You know, if you do one, one training a year, uh, it gets lost. And, and sometimes people think of, you know, "Oh, I have to take this 30-minute, you know, webinar on, uh, fraud, or check fraud or payment fraud or whatever it is." And, and they do it because they have to. And then it, it, it's kind of lost. Um, in, in everyday work that they have.

Theresa Wiese:
So, I- I would suggest a quick email frequently. Or if you have a, a company newsletter, you know, send out reminders. Uh, Melissa had some really good points as it relates to checking account activity. You know, being wary of a transaction that you're, uh, not used to seeing. Dollar amounts being different. Um, anything that seems a little out of the ordinary. So, just, any way that you can get little snippets out there, reminding people throughout the year.

Theresa Wiese:
Um, another good one; and we use it internally as well; (laughs) um, is, is the top-down approach. So it's the, the CEO of the company, um, Mark or CEO for First Business Financial Services, sending out a reminder email, just reminding people to take it slow. To be thoughtful in what they're doing. That tends to carry a, a fair amount of weight as it relates to kind of fraud and training as well.

Theresa Wiese:
Um, communication is really just important. And it doesn't have to be a real formal way of doing that.

Melissa Fellows:
I think communication is key. I think, um, if a company is a target of fraud, um, the natural, natural reaction might be to, to keep it in and, and to not broadcast it. And no, it doesn't need to go public by any means. I think communicating it and having, um, especially people that are closest to, um, to payments and, and to banking. Um, just to put them on alert.

Melissa Fellows:
And even going back to out-of-band authentication, um, another form of out-of-band authentication is calling or walking down the hall to verify that the request that's coming through is truly legitimate as well.

Mark Meloy:
Those are great points. And Theresa, your, your comments reminded me of just some kind of communication that we do w- with regularity around the bank.

Mark Meloy:
And that is, reminding people about the need to keep confidential information off the top of their desks. Out of the common areas of, of their office so that, um, not anybody, uh, can casually pick it up or see it or what-have-you. Because you know that happens at businesses. And, and it's easily preventable if people just take care of their workstations.

Theresa Wiese:
Absolutely.

Mark Meloy:
Theresa, what's the timeline for businesses to report fraud on their accounts after they notice it?

Theresa Wiese:
So, th- the challenge is, is a very short timeline. Uh, essentially, the bank, um, because of bank regulations, (laughs) has 24 hours from when the, uh, check or the electronic transaction, like an ACH, was posted to the account.

Theresa Wiese:
And typically, checks and ACH transactions are posted at night. Um, by our core processor. So that means from, you know, two a.m. to two a.m., you have a, a very short window. So, really, from a client perspective, we need to know in that business day. So eight to four p.m. is, is kind of the cutoff. Uh, whether or not there's an item that needs to be returned.

Theresa Wiese:
And, you know, Melissa has talked about online banking. And the importance of, you know, making sure that you've got authorized people that are accessing your account via online banking. You know, look at your account every day. Um, and we've got some bank tools as well that can help with this.

Theresa Wiese:
Look at your account. If something is unusual, contact us. And, um, we can return, um, if necessary. But if we miss a day; um, so you notice it two days later; um, unfortunately, our hands are tied because of the bank regulations for returning, um, items. And, uh, we may not be able to recover any funds that were lost due to fraud.

Melissa Fellows:
That's such an important point. And I think that most businesses don't realize how important, um, timing is. In that quick timeframe that we really have to turn it around to prevent a loss.

Melissa Fellows:
It is different for businesses than it is for consumers. Um, and therefore, I think that's why there's, there's better tools and ways to automate that for businesses to help them catch and identify fraud when it happens right away.

Mark Meloy:
Real good. So Melissa, ca- can we just go old school, and avoid all these high-tech fraud tools that they just write checks and originate ACHs or send wires?

Melissa Fellows:
Uh, short answer to that is "No."

Mark Meloy:
(laughs)

Melissa Fellows:
A lot of businesses are, are working globally now. And so you have to be comfortable to accept and send wires.

Melissa Fellows:
Um, you know, one way to, to prevent fraud is to send payments electronically. Um, every time you write a check, you have your bank routing number, bank account number, and a signatory on the bottom of that check. So that's a piece of paper, again, with very sensitive information floating around. So, by migrating payments to electronic, uh, you are protecting your account information.

Melissa Fellows:
Ways to further automate that, though, um, you know, checks are still very relevant. And, um, a way to automate that; there's really great tools that, that your bank can help you with to automate that for your business.

Melissa Fellows:
So, um, one of the tools that, that we put in place; probably most commonly on a money market account; would be an ACH Block. And that's really telling your bank that there are not going to be any ACH debits that would post from this account.

Melissa Fellows:
So if someone does get ahe- ahold, again, of the bank routing number; which is public information; and a bank account number, which can be found on the statement or on the bottom of a check, um, ACH Block is telling us that this account should never receive any debits. And we will return that item. No loss, no notice to the company. The item gets returned.

Melissa Fellows:
A lot of checking accounts, for example, have ACH debits post into them. Um, a common, um, ACH debit could be an insurance payment pulled. Tax payments are pulled through ACH. And so, we need to filter those types of payments coming through.

Melissa Fellows:
And so what, uh, we recommend is an ACH Positive Pay Service. Where a company, through their online banking platform, manages, uh, who their authorized list of companies that they're allowing to pull from their accounts.

Melissa Fellows:
So this also allows the businesses to be more comfortable with ACH. And we're also seeing, uh, a vendors and business partners; if you're going to do business with us, you have to be able to accept ACH. Or we have to pull an ACH from you.

Melissa Fellows:
So this gives your business some control, and that you're telling us Company ABC can pull from our account. And then one step further, you're able to identify a maximum dollar amount.

Melissa Fellows:
So, um, for example, if a payment should be $10,000, and, uh, the initiator makes a mistake and adds a zero, you're gonna get a notification. And $10,000 payment to a $100,000 payment, that's, that's a big typo.

Melissa Fellows:
Um, and so you can get a notification; uh, either go out, decision that item to approve it. Um, if it truly should be coming through. Or, you can return it.

Melissa Fellows:
And again, it's within that timeframe where you're notifying us to return it. And then you send it back where then there's no loss to your company.

Melissa Fellows:
And then, uh, last but not least: uh, Payee Positive Pay, which is fraud prevention for checks. And so, um, banks have really come a long way, um, with this technology to make it easy for companies to use.

Melissa Fellows:
Whether you're writing a couple of checks a month or thousands of checks a month, you can go out, um, you know, and manually enter a couple of checks a month.

Melissa Fellows:
And, and what you're entering and what you're providing the bank is the check number, the payee name, the dollar amount. That tells us the items that we should be clearing and processing.

Melissa Fellows:
And again, as they're clearing your account, if something doesn't match up; if somebody intercepts a check; you know, let's say they keep the, the check number and the dollar amount. But they, they change the payee name; that will get caught, and you will get an exception notice to them, you know, log in to your online banking. You can view the image of the item, and then you can decision at that time to either pay or return.

Melissa Fellows:
Again, the importance of any of those tools is the timing. It allows you to identify the fraud when it's happening. And it's really important to have it before fraud happens. There have been a number of instances where we've worked with businesses and they have fraud on their accounts, and they don't have these tools in place.

Melissa Fellows:
And, and what happens in those cases is that we work with them; we place a freeze on their account. And we're, um, monitoring each transaction as they clear. Um, you know, meanwhile we're working with the company to fill out, uh, affidavits and working with the police to create a police report ... while implementing fraud prevention. Because it, it's going to happen again.

Melissa Fellows:
And so, um, just from a timing standpoint, from a cost standpoint, um, you know, these are, are, real inexpensive fraud, um, insurance tools that, that prevent any loss.

Melissa Fellows:
And one of my favorite questions is the, when a company reaches out and says, "You know, we have an item that, that's posting in our Positive Pay. And, and we returned it. What do we do?"

Melissa Fellows:
You don't have to do anything additional, other than to, you know, be vigilant; monitor account activity. Um, because you have the right measures in place. And you're gonna catch it before there would be a loss.

Theresa Wiese:
Yeah, those are a lot of really good points. I, I think (laughs) about a conversation I had with a friend of mine who's a business owner. And she, she didn't really want to pay the, the monthly fees for ACH Block. And Positive Pay, which are fairly reasonable.

Theresa Wiese:
Um, and when I, you know, because she said, "Well, I check my account every day, and I, um, you know, I'm making sure that I've got limits in place."

Theresa Wiese:
And I said to her, "Yeah, well, what happens, though, when you go on vacation? What happens if you're just really busy? You're super-busy, you just don't have time."

Theresa Wiese:
And y- you know, and I, I explained all of the issues with, um, our returns and how quickly we have to return checks with ACH transactions. And, you know, and I said to her exactly what Melissa said of, you know, "Can you really afford to close your account, re-open a new account, contact all the vendors that are debiting your account because you gave them authority to do that through electronic payments? Contact law enforcement, and that kind of thing?"

Theresa Wiese:
That is less tangible than, you know, paying, paying a service fee for ACH Block or Positive Pay. But that's a real number, and it's a big number.

Melissa Fellows:
To add on to that, the national average for a loss; regardless if there's an actual fraud loss to the account or not; um, you know, ranges between 15 and, and 20,000 on average. And that's due to the time involved. And the cost for, um, you know, maybe opening a new bank account.

Melissa Fellows:
Whereas, you know, if you compare that to having fraud tools; um, you know, in many cases, that could be, that could be 15 years of, of, of fraud tools in place.

Theresa Wiese:
Right. And, and just the very last point to this discussion, because it's a great discussion; uh, just to keep in mind that the account agreements that our businesses sign, um, make them liable for all losses if they don't implement our fraud prevention tools. So that's just (laughs) another really important, um, point, uh, that y- you are bound by your account agreement, from a liability perspective, um, to incur those costs.

Theresa Wiese:
So, j- just more reasons to be vigilant and, and be on the lookout for fraud.

Mark Meloy:
Good. Good. What about internal fraud? Is there a good way to spot that before it gets out of control?

Theresa Wiese:
Well, um, Melissa talked about this kind of at the beginning of this podcast. And, and it's the dual controls and the segregation of duties.

Theresa Wiese:
Uh, you know, Melissa pointed out that in, uh, online banking, you can set up so that no one person has complete control of a transaction. One person would, for example, on an ACH file, input the file; the other person would approve and transmit it.

Theresa Wiese:
Um, those things are really important. Um, that, you know, in the payment process, um, there's lots of different points. Um, from the, you know, receiving the invoice to generating the check or the ACH payment; to reconciling the account.

Theresa Wiese:
And it's really important to have different people involved in that process. So that no one person is controlling a complete transaction.

Theresa Wiese:
And it can be a little bit challenging in smaller businesses, where there isn't a big, you know, department that, that's doing the payment processing and things like that.

Theresa Wiese:
But, I would encourage businesses to really even look outside of the department. If you have a very small department that's doing, um, accounts payable, for example; um, you know, maybe somebody in a different department can at least, you know, review the invoice, um, to the payment and make sure that it's properly payable. And that the dollars, dollar amounts match.

Theresa Wiese:
So it's really thinking about segregation of duties, and dual controls.

Melissa Fellows:
The other thing that that reminded me of is that companies have the ability to ... So when you're setting up a template for a wire, when you're setting up a template for ACH; you can lock that to prevent other users from changing account information.

Melissa Fellows:
And I would strongly recommend that, you know, after implementation, that, that you do put those measures in place to prevent, um, account numbers from changing. Dollar limits could remain the same, but, uh, to, to lock down the account information as well is I think is another, uh, good practice.

Mark Meloy:
Good. Great, uh, great insight from both of you.

Mark Meloy:
Well Melissa and Theresa, thanks for taking time to share your thoughts and experiences with our audience today. And to you, our audience, thanks for listening to the conversation.

Mark Meloy:
I hope you found the topic helpful and applicable to managing fraud risk.

Mark Meloy:
A thought for the day is: Don't fall victim to the perceived need for speed by trying to shortcut your processes. Trust me: Consistent practices will lead to success, as well as your own restful, sleep-filled nights.

Mark Meloy:
Let us know if there are other topics or information you'd like to learn about. And join us next time on The First Business Bank Podcast.

Anncr.:
If you want more content like what you just heard, delivered straight to your inbox, go to firstbusinessbankpodcast dot com. And if you haven't already, make sure to subscribe to the First Business Bank Podcast wherever you listen to podcasts.

Anncr.:
If you're listening on Apple Podcasts, please leave a quick rating of the show. Thanks so much for listening.

Anncr.:
First Business Bank. Member of FDIC.