Corporate payments still suffer from a relative lack of automation, and in Iqbal Khan's view, that increases the probability of fraud. The executive director for JPMorgan Treasury services says e-payments are safer than paper, because infiltration requires more skill than Abagnale-style check fraud.
BTN: How are current economic issues impacting corporate payments?
Khan: With the downturn there will be an increase in fraud that's perpetrated against corporations, so they have to be vigilant. If you look at [the JPM sponsored 2009 AFP Payments Fraud and Control Survey], some of the more sophisticated type of fraud like phishing will also be active.
How does corporate phishing compare to its consumer cousin?
The [tactical] approach is the same. But to a large extent, both regulators and banks protect consumers. While on the corporate site, companies are much more responsible for their security. Banks are less legally required to make up for losses for corporate phishing attacks than retail phishing attacks.
How do you encourage vigilance among corporate clients?
The most important thing is to assume responsibility for your own accounts, and to make sure you have the fraud protection that you should have on your accounts. The corporate treasurer should do a survey of accounts and provide stats around which accounts have positive pay, which have reverse positive pay, which accounts post no checks and figure out the gaps in coverage.
What are the benefits of positive pay?
Positive pay is more expensive [than reverse positive pay], but the money is available at the teller window. Positive pay can also correct mistakes. The bank of first deposit is required to capture an image of the deposited check and encode it for downstream processing. Less image capture is done by the bank of first deposit and more of the work is being pushed out to clients through check scanners, flat bed scanners and even phone cameras. OCR technology used to read the MICR information from images is not as accurate as the magnetic MICR ink readers of days past. When one of our clients issues a check, if the capture and encoding is not done accurately, they could end up paying too much or too little on the check if the dollar amount is not correct. If the account number is encoded incorrectly, they could end up paying on a check that they did not draft. These issues are resolved when the client reconciles their account. The benefit of positive pay is that these problems are addressed before they hit the client. The paid items won't match the issues on file so an exception will be generated. Bank operations reviews all exceptions. Their first course of action is to scrutinize the check to ensure information was captured correctly. If they spot an error, they resolve the issue and then post an adjustment.
When do you recommend reverse positive pay?
It's cheaper, but we can't make the money available at the teller window. We have noting to compare the check to because we don't have the initial check on file. We send the raw data to the client and have them make a decision on whether a check is good or bad. We see reverse positive pay as good for downmarket clients, with lower check volumes, generally firms with $100 million or less in revenues. We can offer reverse positive pay at a very low price point, so the clients can get fraud protection without the complexity of setting up a positive pay function.
Will the threat of ACH, phishing or other fraud adversely impact the adoption of automated corporate payments?
We actually see it going the other way. Despite the fact that the volume of paper checks is starting to decline, the growth in paper check fraud continues; the general view is crooks view electronic payments are being far more resistant than paper products. We recommend our clients utilize electronic payment vehicles whenever possible because electronic fraud is more complex to perpetrate.
How does the institution locate potential gaps in fraud prevention?
The philosophy at J.P. Morgan a few years ago was that fraud would happen most frequently on high volume check disbursement accounts. Therefore, when we measured our fraud prevention penetration [primarily positive pay back then] we measured the percentage of large corporate high volume (>500 per month) check disbursement accounts that were protected by Positive Pay. As Positive Pay penetration grew [and more recently positive pay with payee name protection] on high volume disbursement accounts, fraudsters expanded their activities to go after lower volume accounts owned by smaller, less visible clients. In some cases, we saw checks passed on accounts that had no check volume. Overall fraud incidents started to increase slightly. As a result, we were forced to take action down three concurrent paths: Review how we internally track, monitor and report on client fraud protection. Rather than solely reporting on positive pay penetration on high volume accounts, we are reporting on the percentage of commercial accounts with check and ACH fraud protection across our DDA platform for all lines of business.