Risk and compliance are mission-critical for financial institutions. With the continued acceleration of digitization, the expanding role of faster and instant payments, and the news of bank failures in the first half of the year, financial institutions are taking note and identifying priorities for the remainder of this year and into the next. For example, what is one area of fraud garnering more attention? How is the role of the Consumer Financial Protection Bureau (CFPB) evolving? How can financial institutions prepare for increased regulatory scrutiny in the weeks and months ahead?
Let's start by looking at a few emerging fraud scenarios.
Credit-push fraud continues to grow as fraudsters increasingly entice consumers, businesses, and other organizations into sending money out from their accounts. These scams often use social engineering to persuade account owners to initiate a payment from their account to a fraudster's account.
On the consumer side, puppy and romance scams are two of the most popular. Puppy scammers post fake litters online or pose as an existing breeder to take advantage of rising puppy sales. People send payment for the puppy and never receive the animal or follow-up communication in return. Historically, these transactions, authorized by the account holder, have been considered authorized payments.
In the business space, credit-push fraud includes business email compromise (BEC), which, according to the Federal Bureau of Investigation (FBI), is when "criminals send an email message that appears to come from a known source making a legitimate request." For example, the account of a business executive may be compromised or impersonated and used to request or order the transfer of funds. Another popular scam is vendor impersonation fraud, where a fraudster posing as a vendor your company regularly deals with sends an invoice with a fraudulent, updated mail address.
This increase in credit-push fraud has driven action from national bodies like Nacha, which addresses this topic in its guidance, A New Risk Management Framework for the Era of Credit-Push Fraud. This framework calls for a new focus on defining the role of the receiving account-holding institution:
The receiving institution is often considered a passive participant in the payment flow, responsible only for the timely, accurate posting of transactions. In credit-push fraud scenarios, the receiving institution may be best positioned to identify questionable or suspicious credit payments. Receiving institutions can and should take an active role in identifying fraud [emphasis ours].
New risk management guidance for receiving institutions can address inbound transaction monitoring standards and sound business practices for controls on funds availability for potentially fraudulent transactions and accounts, including early access to funds. The industry then can consider whether this guidance should be adopted as new rules.
The Framework concludes, "Enhanced industry guidelines and potential changes to the Nacha Operating Rules will ask receiving banks and credit unions to take a more active role in fraud prevention."
To that point, Nacha recently requested comments on nine proposals that could result in updates to the Nacha Operating Rules. Seven of the nine address authorized push credit fraud, with one calling for more monitoring responsibilities for the Receiving Depository Financial Institution (RDFI). Industry response on the proposals was due June 16, 2023, and next steps remain to be determined, but on the whole, expect some of these topics to advance to rulemaking.
Consumer Financial Protection Bureau (CFPB)
In addition, all signs point to the CFPB becoming more proactive in its regulatory and compliance role. The CFPB has a role in several key regulations, and when it comes to consumer protection, it has recently been taking action. Fortunately, the CFPB is quite transparent, and FIs can sign up for email updates to help them stay on top of what's happening.
As regulations receive additional scrutiny, FIs may want to monitor consumer complaints; chances are, they are the same issues raised to the CFPB and provide a glimpse into what's to come. In addition, CFPB regularly releases interpretations of regulations that will impact financial institutions, so be sure to check its compliance resources page often for updates.
If you still need to set up a complaint-monitoring process at your financial institution, now would be an excellent time to do so. In most instances, regulators will follow up in person on complaints filed against a financial institution.
Steps Financial Institutions Can Take
As financial institutions look to the future, they should view mitigating risk in an evolving digital world as an ongoing challenge and an opportunity to educate themselves and their staff on current and emerging risk and compliance issues. Front-line staff especially require education around credit-push fraud: how to spot and stop it before it occurs.
Technology also plays an essential role in fraud monitoring. Do your homework and implement solutions that work for you, keeping in mind that most out-of-the-box solutions will require software modifications to meet your organization's unique needs. Don't forget to ensure that you're enacting "commercially reasonable fraud detection" on both the sending and receiving sides of transactions to remain in alignment with Nacha's guidance in A New Risk Management Framework for the Era of Credit-Push Fraud.
To stay on top of increasing regulatory scrutiny, visit regulators' websites frequently and sign up for email updates and communications. Also, talk with other operations people at financial institutions to identify emerging trends and challenges. Today's trends can become tomorrow's regulations. Put processes and systems in place before challenges and problems intensify.
Finally, NEACH and NEACH Payments Group (NPG) are well-positioned to help you navigate the new world of risk and compliance. We welcome the opportunity to help provide insights into the evolving regulatory landscape and support you in your risk mitigation and compliance efforts. Contact us via email at email@example.com or by phone at 781-321-1011 for more on the education, training, and knowledge opportunities at NEACH and the consulting, audit, and risk assessment support NPG can provide.
Though we can't predict what new regulatory developments may evolve, we can prepare and respond to today's emerging threats by shoring up our compliance and risk management programs. Taking steps in that direction will not only help to safeguard your institution but will support your members and customers as well.
AUTHOR: Mary Mumper-Morrison, AAP, APRP, CAMS
Mary Mumper-Morrison serves as the Director of Education for NEACH and Lead Advisor of its subsidiary, NEACH Payments Group (NPG). She is based in New Haven, Connecticut and is focused primarily on addressing compliance and risk issues. Connect with Mary to read more of her blogs, articles, and posts.