AuditLink Advisor – September 2009

When What You Think Is Not What You Get

President Ronald Reagan liked to use the term “trust, but verify”.  He used the phrase to describe how he dealt with the Soviet Union in reducing the nuclear arms threat.  

Recently our Credit Union found out the hard way that what we thought to be true was not true.  It began on a Saturday morning with a member calling the office and saying that they had received a suspicious call on their cell phone.  The call was a “robo” call in which the member was advised that their debit card had been deactivated and that to reactivate the card they simply needed to press “1”.  Upon doing so they were instructed to enter their entire debit card number, their PIN number, their CVV number and the expiration date on the card.  Within 45 minutes of the member receiving the phone call, a duplicate card had been created by the criminals and used at an ATM machine in Barcelona, Spain to withdraw almost $8,000 from the member’s account.  Exact quotes of my instant reaction are not printable here.  But I can tell you that I immediately said that this couldn’t be, since we had specified with our card processor, FIS, that the daily limit at an ATM was $200.00.

The next thing I did was to walk to one of our own ATM machines and withdraw $200.00 and then turn around and withdraw another $200.00.  Guess what!!  I got the second $200.00.  What I thought to be true, wasn’t.  

Robo calls continued to flood our members.  Most of them saw through the scam and hung up.  Some started to enter the requested information and then got cold feet and hung up.  Some even entered incorrect information.  The scam was sophisticated enough that the robo system knew whether the debit card number was the right length and even rejected some simple PINs like “1111” or “9999”.  The robo calls could not be traced as they were being “spoofed”.  Also, there was no “800” number to be shut down, since the member didn’t have to call back any number; they just entered their information after pressing “1”.

Numerous calls were made to law enforcement agencies.  The response was not very comforting.  The ambassador from Spain was even contacted.  He simply replied that they were aware of the fraud and were attempting to stop it.  

So we were powerless to stop the robo calls, we had a huge exposure that we weren’t aware of, and we started to make calls to FIS.  We asked them repeatedly how this could happen.  We said that we could see computer screens where it said that the daily limit was $200.00.  They said that those screens were only for our use and that there were “other” places where this information had to be entered.  We immediately asked that the $200.00 per day withdrawal limit at an ATM be put into effect.  It took OVER 24 hours for the limit to actually be put into effect.  And yes, once they told us that the withdrawal limit was in effect, we verified that fact by going to an ATM and trying to withdraw more than $200.00 in a 24 hour period.  And yes, finally the limit that we thought was in place was actually in place.  We also took another step of blocking debit card transactions from the country of Spain.  Again, this took more than 24 hours to put into effect, but this time, short of an expensive trip to Spain, we were now able to verify that it was indeed in effect.  About a month later, we did have a member travel in Europe and their debit card transactions in Spain were rejected.

Trust, but verify.  Every day credit unions rely on things to work the way that we think they should work.  But be judicious when dealing with huge companies.  Be cautious and verify.  You must constantly be on guard.  You must never take for granted that someone else knows what you want.  You are responsible. You must take ownership.  You must verify to the extent possible.  The consequences of not doing so can be very expensive. 

David J. Wright
Services Center Federal Credit Union

New International ACH Transactions (IAT) OFAC Scans 

International ACH transactions (IAT) data will process with the ACH file beginning September 18th.  At that time CU*BASE will run OFAC scans on required financial institutions or individuals involved in the transfer.  Many addenda records will exist for international transfers, unlike just one when the transaction is of domestic origin.  Changes to existing screens may not be noticeable immediately, although there are some which are more obvious.  The ACH Exception listing (MNACHP #4) will have a new option to assist with the scan and two additional columns.  The screen ‘Work With Daily ACH Exceptions’ will show a column labeled ‘I’ to indicate if the transaction is an IAT, next to a column labeled ‘O’ to show if an OFAC scan has been successfully completed.  Further, notice the new ‘OFAC’ selection which allows you to run a scan on demand of these IAT transactions.  CU*BASE creates an Audit Tracker Record at the time of the scan for those transactions only.  Domestic transactions (those currently processed) will work the same way as they do today.

Expect to start receiving IAT data from September 18th forward.  At that time the new functionality will be formatted and the Fed will begin the new process.

What can you do right now?

Sign up for training:

September 15 special training web conference.

Take a look at a presentation that profiles these CU*BASE changes.

View an Overview Presentation Showing Screenshots.

Remember:  Check out the Kitchen page to follow our progress on this and other major initiatives.

The Advisor Recommends

During the first twenty-five audit link reviews, one major area of discussion has been Regulation E.  The focus of these discussions generally revolves around dispute resolution regarding charge-backs and fraudulent activity.  What becomes painfully evident during this process is the fact that many clients have never really dug deep enough to understand their processes, nor the global settings configured at their card processor.  Dave alludes to this in his front page article.  It is not as much about trust as it is about simply doing the proper due diligence concerning global settings configurations.  Many cases have revealed configurations set long ago that have not been adjusted, and no one in the organization recalls the decisions or why they were made.

The Heartland Payment Systems fiasco shed new light on this area of auditing and compliance.  While examining and refreshing your current configurations, consider these questions.  What countries have you blocked?  What merchant codes have you blocked?  Do you know which businesses are causing excessive losses?  How is data updated at the card processor, and which elements are simply set as global settings for all members?  What are your offline limits?  Spend some time performing a due diligence review and determine the modifications you can make now to benefit your bottom line in the future.  I guarantee you will learn, like Dave did, that your assumptions about how configurations were set were not the case.  While completing your review, also update yourself on the methods with which you handle disputed items, the affidavits your members are signing, and your practices for providing provisional credit.
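The gap Dave hit, and the settings review this article asks for (daily limit, blocked countries, blocked merchant codes), can be made concrete in code. The following is an added illustration written for this newsletter, not CU*BASE or FIS code; the setting names, the constructed timestamps and the use of "ES" for Spain are assumptions (MCC 6011 is the standard category for ATM cash disbursement). It contrasts a limit enforced per transaction with the cumulative 24-hour limit the credit union believed it had, using the same two-withdrawal test Dave ran.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the processor-side settings the article asks you to review.
@dataclass
class CardControls:
    daily_atm_limit: float                                # meant as a cap per card per 24 hours
    blocked_countries: set = field(default_factory=set)   # ISO country codes, e.g. "ES"
    blocked_mccs: set = field(default_factory=set)        # merchant category codes

@dataclass
class Withdrawal:
    amount: float
    when: datetime
    country: str
    mcc: str

def authorize_per_transaction(controls, history, txn):
    """What the screen setting amounts to if it is only a single-transaction cap:
    every $200 request is approved, however many are made, from any country."""
    if txn.amount > controls.daily_atm_limit:
        return False, "exceeds single-transaction cap"
    history.append(txn)
    return True, "approved"

def authorize_cumulative(controls, history, txn):
    """The control the credit union intended: block country and merchant code first,
    then cap the total withdrawn in the 24 hours before this request."""
    if txn.country in controls.blocked_countries:
        return False, "country blocked"
    if txn.mcc in controls.blocked_mccs:
        return False, "merchant code blocked"
    window_start = txn.when - timedelta(hours=24)
    spent = sum(t.amount for t in history if t.when > window_start)
    if spent + txn.amount > controls.daily_atm_limit:
        return False, f"daily limit: ${spent:.2f} of ${controls.daily_atm_limit:.2f} already used"
    history.append(txn)
    return True, "approved"

def replay_verification(authorize):
    """Dave's test: two back-to-back $200 ATM withdrawals, then a $200 attempt from Spain.
    Returns the three approve/decline decisions: per-transaction gives (True, True, True),
    cumulative gives (True, False, False)."""
    controls = CardControls(200.00, blocked_countries={"ES"})
    history = []
    t0 = datetime(2009, 8, 1, 10, 0)   # constructed timestamp
    first = authorize(controls, history, Withdrawal(200.00, t0, "US", "6011"))
    second = authorize(controls, history, Withdrawal(200.00, t0 + timedelta(minutes=2), "US", "6011"))
    spain = authorize(controls, history, Withdrawal(200.00, t0 + timedelta(hours=1), "ES", "6011"))
    return first[0], second[0], spain[0]
```

Running `replay_verification` against whatever rule your processor actually enforces, rather than reading the configuration screen, is the verification step the article recommends.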

How do you measure up?

The Annual Report published by the Federal Reserve listed the most common regulation infractions reported during 2008.  The link to the full report is posted at the end of this article, if you care to read it in its entirety. 

Read along as we list the three most vulnerable regulations identified along with their most prevalent violations.  True, this report is not specific to credit unions, but the information is valuable to your overall preparedness.  Take a look.    How does your credit union measure up?

Regulation B—Equal Credit Opportunity

  • Collect personal demographics information of applicants seeking credit for purchase or refinance of principal residence.
  • Prevent improper collection of demographic information when not permitted by the regulation.
  • Don’t require signature of spouse or other person who is not a joint applicant when the credit applicant is qualified for the amount and terms of the loan.
  • Provide credit applicant with written notice of denial or other adverse action stating the specific reason for it.

Regulation E—Electronic Fund Transfers

  • If notified of a transactional error by the member, determine if it is true within 10 business days.
  • If the alleged error cannot be investigated within 10 days, give the member provisional credit for the amount of the error.
  • When EFT is offered, provide complete disclosures that include error-resolution and limitations on transfers.

Regulation Z—Truth in Lending

  • Accurately disclose the finance charges in closed-end credit transactions.
  • Accurately disclose the amount financed by subtracting prepaid finance charges from the amount financed.
  • Accurately disclose the payment schedule required to repay the credit obligation.  Include amounts, number of payments, and timing of payments.
  • Disclose the annual percentage rate in closed-end credit transactions.

These next regulations don’t apply to credit unions, although they mirror similar regulations established by the NCUA.

Regulation P—Privacy of Consumer Financial Information

  • Provide clear and conspicuous Privacy Notices annually.
  • Disclose your institution’s information-sharing practices in privacy notices.
  • At point of relationship with consumer, provide clear and conspicuous privacy notice that accurately reflects privacy policies.

Regulation DD— Truth in Savings

  • Provide required language in advertisements containing the term “annual percentage yield”.
  • Use the term “annual percentage yield” when advertisement states a rate of return.
  • Provide initial account disclosures containing all required information.
  • Provide account disclosures in writing and in a form the consumer may keep.

The 95th Annual Report of the Federal Reserve Board is posted at this link:
