No business can afford to ignore the risk posed by corporate identity theft. By assuming the identity of a corporation, perpetrators can establish new corporate credit card accounts, set up false subsidiaries using the names of legitimate companies to perpetrate fraud, or even pose as reputable businesses to lure customers into providing personal information (phishing).
The Federal Trade Commission estimates that identity theft costs American consumers and businesses more than $50 billion each year. To address this criminal activity, the Federal Financial Institutions Examination Council (FFIEC) recently updated its guidelines for authentication in an Internet banking environment.
Smart Business talked with Lynn Nettleton of PNC to learn more about the new guidelines.
What effect will the new guidelines have on financial institutions?
The financial services industry is the top sector affected by identity theft, so banks are strongly committed to enhancing security to protect our clients’ financial information.
In October 2005, the Federal Financial Institutions Examination Council noted that for high-risk online transactions involving access to customer information or the movement of funds, single-factor authentication (such as user name and password) is no longer adequate. By the end of 2006, most financial institutions will have taken measures to enhance online authentication for their consumer and corporate customers, such as requiring their customers to answer a secret question or type a unique code.
How secure are electronic payments?
Paper transactions actually carry more risk than any other payment type. Advances in technology are helping businesses make online payments in a secure environment. The added benefit is that some of these transactions are also cheaper to process.
Automated clearinghouse payments (ACH) are a cost-effective way for suppliers and customers to make electronic payments, reducing labor costs for printing and stuffing envelopes, mailing and manually entering data. However, anyone leveraging the ACH system must enter bank account information before an electronic payment can be initiated.
To reduce the risk of account information being compromised, companies can apply for a Universal Payment Identification Code (UPIC), a unique account identifier issued through a financial institution that becomes an organization’s permanent electronic payment address. By obtaining a UPIC number, companies can mask their real account numbers. UPIC technology also limits account activity to credits and blocks all debits. If a company should move its accounts, the UPIC number remains the same.
Credit cards can help to streamline operational efficiencies. Both VISA and MasterCard have implemented universal precautions for businesses that accept card payments. These standards require companies to follow certain procedures when handling cardholder data and include a number of criteria, such as quarterly network scans and audits by qualified independent security assessors, to ensure that merchants and service providers protect cardholder data.
Purchasing cards can actually help companies better manage their spending and improve bottom-line results. New technology is available to enhance controls on purchases made by employees with purchasing cards, such as monthly and per-transaction limits, as well as merchant spend categories that only permit use of the card with certain merchants.
What additional steps can you take to protect your company from fraud-related online banking?
- Work with information technology (IT) experts to ensure security measures are in place, such as anti-virus and anti-spyware software and up-to-date software patches.
- Take advantage of bank security tools to protect your business. For example, Positive Pay allows businesses to send a list to their bank of all checks issued, so the bank can match the check numbers, dollar amount and account numbers of all in-bound checks against the list. Any checks that do not match are flagged for review. Positive Payee adds a layer of security by including the payee name on the list provided to the bank.
- Avoid writing down passwords or storing them in computer files. Enforce standards that require employees to periodically change passwords and use a combination of numbers and letters.
- Don’t conduct business from a public or shared computer.
- Don’t click on links in e-mails or enter credentials on the linked site.
- Educate employees on the risks posed by corporate identity theft and the steps they can take to protect financial and personal information.
This was prepared for general information purposes only and is not intended as specific advice or recommendations. Any reliance upon this information is solely and exclusively at your own risk.
LYNN NETTLETON is senior vice president and group manager of online banking for PNC. Reach her at (412) 762-6018.