One of the best weapons in the fight against fraudsters is sharing information. It can also be one of the trickiest issues to navigate, given the many privacy concerns.
Nacha’s Risk Management Advisory Group (RMAG) is working to address this with open discussion around new ideas and tools to address sharing information about fraud while protecting individuals’ privacy as required by law.
Jordan Bennett, Nacha Senior Director, ACH Network Risk Management, said RMAG would like to create an environment in which Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs) feel comfortable sharing information, and an RDFI can respond to the ODFI before a victim may notice the funds missing from their account.
“RDFIs can assist in fraud detection by spotting unusual and unauthorized activity like multiple large transfers to a new account, contacting the ODFI about the potential fraud, and working together to return the funds to the ODFI,” said Bennett.
Brian W. Jones, General Counsel at Merrick Bank, a Nacha Direct Member headquartered in South Jordan, Utah, noted that in the current climate, “The tension is between disclosing information to third parties in order to conduct a fraud investigation versus the obligation to your customers to keep that non-public personal information private.”
Banks, he said, face new challenges today. “We used to have to worry just about the Gramm-Leach-Bliley Act (GLB), which governs how banks use and secure their customers’ non-public personal information,” said Jones, who noted that GLB expressly allows sharing non-public personal information to prevent fraud and resolve customer disputes and inquiries (12 CFR § 1016.15).
“But in the last couple of years, states have gotten into the action,” said Jones, an RMAG member. “California passed its own privacy law. It’s really a reaction to the Googles and Facebooks of the world, but financial institutions have become subject to some of those state laws.”
The legal contours of the newer state laws around data sharing under circumstances like these are not as clear or well-settled as they are under GLB, Jones explained. This means banks and other financial institutions often have to weigh the perceived risks associated with sharing their customer information with third parties.
Jones noted that the California law echoes the sentiment of many Americans that their data belongs to them and can be pulled back from any company, including a bank, at any time. In some respects, state laws such as California’s can differ from—and potentially be at odds with—GLB.
“It’s a complex mishmash of new privacy laws, old privacy laws, new data uses, new property rights, and the value of data going up as well,” said Jones. And that creates a dilemma for financial institutions when someone notifies them that they’re a victim of fraud.
“How do I investigate that claim while remaining sensitive to our customers’ privacy expectations under the various laws, and complying with the promises we’ve made to them regarding use of the non-public personal information they’ve trusted us with?” Jones asked.
He offered the common scenario of phishing attacks against an elderly person. The victim is contacted by a fraudster claiming to be from their FI, who convinces them to share their banking credentials. The fraudster accesses the consumer’s account, uses bill pay to initiate ACH credits for purchases, or transfers money to their own account at another institution. The victim sees the items on their monthly statement and contacts the bank to let them know the outgoing bill payments and transfers were unauthorized.
Investigating and verifying that the these claims of fraud are legitimate, and not merely an attempt by the account owner to avoid paying for large purchases, can be difficult without sharing customer account data and other non-public personal information with other FIs, as well as third parties such as outside data analytics firms, payment networks, and merchants.
In terms of enforcement, Jones also noted that only the banking regulators can enforce GLB against a bank; individuals—such as the victim in his scenario—cannot. “So, while the FDIC likely applies a higher level of scrutiny of a bank’s compliance with GLB than a typical consumer might, it gives me some comfort that regulators are also more familiar with GLB’s requirements and exceptions than a typical consumer might be,” said Jones.
Still, Jones continues to run into issues where other banks get tightlipped when asked to disclose customer information in order to facilitate the investigation of unauthorized ACH transactions. “We can’t tell you. They’re our customer, and I’d be disclosing non-public information to a third party,” is a reply he’s heard often. Jones’ response is that if they they’re a fraudster, that bank has no obligation to protect them, and if they’re not a fraudster, the bank has an exemption in GLB that allows both parties to investigate and prevent fraud.
Another key issue that often emerges is when an RDFI sees a potential problem (or is notified of a problem) and then asks for a Letter of Indemnity (LOI) from the ODFI. For example, Bank A sends a transfer to Bank Z, which upon receipt either suspects fraud or knows it outright. Bank Z calls Bank A to tell them—and to ask for a LOI.
Jones has been Bank A in that example. Each time he thanks Bank Z for its diligence, and then happily signs the LOI it wants—for good reason.
“Our main goal is to get our money back from the receiving financial institution as quickly as possible,” said Jones.
But sometimes LOIs are a speed bump.
To help make the LOI process even easier, authorized users at ODFIs can now use Nacha’s secure Risk Management Portal to safely provide a standardized LOI to RDFIs. (Learn more in our blog)
Nacha’s standardized LOI states that the “ODFI agrees to indemnify the RDFI from and against any and all claims, demands, losses, liabilities and expenses, including attorneys’ fees and costs, resulting directly or indirectly from compliance by RDFI with ODFI’s request.”
Jones recognizes that can be daunting.
“A lot of times when businesspeople see an indemnification demand, they see that as almost like a lawsuit, like it’s a bad thing,” said Jones. “But it’s not, really. It’s a request to stay friends and stay cooperative. It’s a request that says, ‘If a lawsuit comes in, we’re going to stay on the same side and won’t be blaming each other.’”
Or, looked at another way, “Take care of your fellow Nacha member who just did a good deed and let you know of the fraud, and accommodate them in a way that protects your interest in promptly retrieving funds involved in the fraudulent transaction, while encouraging the RDFI to notify you of any similar circumstances in the future,” said Jones. He noted that when Merrick Bank is the RDFI in such a situation, he asks the ODFI to sign an LOI.
Jones suggests that financial institutions that are concerned about signing LOIs “get with your attorney now, review the Nacha form LOI and get comfortable with it beforehand,” and put policies in place. “Because when you get a fraudulent claim, time is of the essence, and you won’t want to be wasting time getting comfortable with the idea of indemnification while the fraudster’s trail goes cold.”
Down the road, Jones said he would like to see Nacha develop an API that makes it easy for banks and credit unions to enter data when fraud is suspected, and have it automatically sent where it needs to go. The current system, he said, can often be cumbersome.
“They have to look up who the ODFI was, then they’ve got to find a phone number. It’s all these little steps that just add friction,” said Jones.
Nacha’s Bennett said RMAG is working to improve fraud information sharing for the good of the payments industry. “It’s helpful for all parties to contribute to the conversation and hear different points of view, because ultimately, everyone’s goal should be to both identify fraud and prevent it,” said Bennett.