How Banks and Corporates Can Prevent Payments Fraud Together

Presented February 11, 2016
© 2016 Treasury Strategies, Inc. All rights reserved.
Source: treasurystrategies.com/wp-content/uploads/TSIBottomlinePayments...


Agenda

Panelist Introductions

Industry Overview and Survey Results

Perspectives on Payment Fraud
• The Banker’s View
• The Corporate View
• The Technologist View

The Power of Collaboration to Prevent Payment Fraud

Open Q&A

Panelists

Mike Vigue, Bottomline Technologies, Corporate Vice President

Margaret MacLeod, BBVA Compass Bank, Executive Director – eBanking Manager

Shelley Travis, BB&T Bank, SVP – Treasury Services Product and Risk Manager

Craig Mondschein, Tishman Speyer, Senior Treasury Director

Dave Robertson, Treasury Strategies, Partner & Director

Industry Overview

• Security spending has doubled in the last four years

• Many companies that were breached were “compliant” on their various security assessments

• There is a major shortage of security talent, and it is expected to get worse

• According to Mandiant, the median attacker dwell time* is 205 days

*Dwell time: the number of days a threat actor remained undetected within an environment without remediation

Recent History of Detected Incidents

Number of detected incidents (millions), by year1:

Year        2009  2010  2011  2012  2013  2014   2015
Incidents    3.4   8.4  22.7  24.9  28.9  42.8  101.5

Breaches annotated on the timeline, in order: Heartland Payment Systems, Google, Epsilon, Zappos, Target, Sony, eBay, Anthem BCBS, US Office of Personnel Mgt.

Sources: 1 PwC Report – The Global State of Information Security Survey

Data breaches are increasing and there are over one million threats a day!

Survey Results

Rising Concern: Banks & Corporates

Banks are more concerned about payment fraud and cyber risk than their corporate counterparts. They are also more apt to require their employees to undergo training.

How big of a concern is payment fraud/cyber risk for your organization? (% of respondents)

                         Banks  Corp
A Top Priority             54%   29%
Quite A Lot                23%   37%
Moderately                 21%   24%
Very Little/Not at all      1%   10%

Do you require fraud/cyber risk training of employees? (% of respondents)

                                    Banks  Corp
Yes – for all employees               55%   25%
Yes – for employees in key roles      25%   35%
No – but we are exploring              8%   23%
No/Not Sure                           11%   17%

Preventative Measures: Banks & Corporates

Roughly half of corporates have instituted dual approvals on both payment requests and initiation in their payments system/bank portal.

The nature and frequency by which banks perform fraud analytics varies.

Banks perform fraud analytics (% of respondents):

In real time and across all payment applications      17%
In real time for each individual application          14%
In a batch mode and across all payment applications    8%
In a batch mode for each individual application        7%
It varies by application                              31%
I'm not sure                                          20%
Other                                                  2%

Do you have dual controls on payment requests and/or payment initiation? (% of corporate respondents)

We have dual controls on both             55%
Requests but not initiation                4%
Initiation but not requests                9%
We don't have dual controls on either     12%
I'm not sure                              20%

Payment Fraud Occurrences: Corporates

Many corporates don’t know about threats until there is a loss.

The average time to detect fraud incidents was just over one month.

Has your organization been a victim of a cyber security attack?1 (% of respondents)

Yes – within the last year               21%
Yes – but it has been more than a year   18%
No                                       52%
I'm not sure                             10%

Has your organization identified and thwarted prior cyber security attacks? (% of respondents)

Yes – within the last year               35%
Yes – but it has been more than a year   12%
No                                       21%
I'm not sure                             32%

1 The majority of attacks originated from an external source, with the remainder split between current/former employees and unknown sources.

Corporate Impact on Banking Relationships

Roughly half of corporates consider a bank’s fraud performance when selecting a bank. Most corporations believe that the liability for a fraud loss depends upon the situation.

Should a fraudulent transaction occur, who should assume the liability for the loss? (% of respondents)

It depends                       74%
Your bank                        11%
Your company                      8%
I'm not sure                      6%
Split between company & bank      1%

Does a bank’s fraud performance factor into your organization’s bank relationship decisions? (% of respondents)

Yes            48%
No             32%
I'm not sure   20%

Poll Question #1

Are you more optimistic about:

A. The US presidential election

B. Your ability to prevent fraud


Banker’s Perspective (BB&T)

Current Fraud Scenarios
• Social engineering – masquerading as someone in authority (CEO/CFO/etc.)
• Request for a refund on an invoice that was “overpaid”
• Bank’s safeguards triggered, but the client directs the payment to be released anyway

Current Protection Environment
• Hard token usage at login and payment initiation
• Anti-malware requirement
• Transaction scoring – outbound calls for confirmation
• Continued client education
  - Consistent communication regarding recommended security protocols
  - RMs/treasury consultants proactively advising clients

Top Forward-looking Priorities
• Continuing education – find new approaches to prevent desensitization
• Evaluating enhanced authentication processes
• Deepen integration across systems – internal/external/front end/back end

Bank Perspective (BBVA)

Current Fraud Scenarios
• Social engineering – masquerading as someone in authority (CEO/CFO/etc.) or as a trading partner
• Log-in credential issues – click a link and “update” credentials (phishing)

Current Protection Environment
• Mandatory usage of Trusteer Rapport through the online banking platform
• eBanking platform – multiple layers and multiple types of controls
• “Challenge” the user at every login
• Continued client education
  - What can happen, how BBVA can help
  - Internal client-facing employees advise clients on safeguards
  - Publishing periodic whitepapers on the subject

Top Forward-looking Priorities
• Risk-based authentication software that learns users’ behaviors and transaction patterns
• Real-time tools – especially around ACH/Wire – proactive monitoring at the point of payment initiation vs. post-processing
• Launching a soft-token application

Corporate Perspective

What can Corporates do to help reduce loss due to fraud?

Education
• Corporate treasury has to learn about the latest threats and schemes from their banking partners
• Internal mass education for all employees globally who handle bank accounts or sensitive information

Enhance Controls
• Controls must be reviewed to ensure that proper segregation of duties exists, vendor creation is properly controlled, and payments are properly authorized
• Correct inadequate controls immediately, before they contribute to a loss

IT Involvement
• The IT department has to have up-to-date firewalls and fraudulent e-mail detection
• Latest VPN technology
• Password reset requirements
• Policies concerning mobile banking applications and security

Partner Involvement
• Educate and cooperate with vendors and suppliers to identify fraudulent payment requests, to minimize criminals receiving your outgoing payments
• Educate and cooperate with customers to identify fraudulent invoices, to minimize criminals receiving your incoming payments
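The dual-control survey earlier (dual approvals on both payment requests and initiation), the segregation-of-duties and vendor-creation controls under Enhance Controls above, and BB&T's transaction scoring with outbound confirmation calls all describe the same gate on an outbound payment. The Python below is an added example written for this page; it is not code from the presentation or from any of the panelists' organizations. The PaymentGate class, its rules, the risk weights (40/30/20), the 50,000 call-back threshold, and the sample users, vendors and bank account are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Vendor:
    """Beneficiary (vendor master) record. A change to it needs a second approver."""
    vendor_id: str
    bank_account: str
    created_by: str
    approved_by: Optional[str] = None


@dataclass
class Payment:
    """One outbound payment, with the four roles the survey's dual controls refer to."""
    payment_id: str
    vendor_id: str
    amount: float
    requested_by: str                          # raised the request (e.g. AP clerk)
    request_approved_by: Optional[str] = None  # approved the request (dual control #1)
    initiated_by: Optional[str] = None         # keyed it into the bank portal
    released_by: Optional[str] = None          # released it in the portal (dual control #2)


class PaymentGate:
    """Hypothetical gate: dual-control checks first, then a risk score that decides
    whether the payment is released or held for an outbound confirmation call.
    Weights and thresholds are assumptions for illustration, not a vendor's model."""

    def __init__(self, callback_amount: float = 50_000.0, callback_score: int = 50):
        self.vendors: Dict[str, Vendor] = {}
        self.released: List[Payment] = []       # history used for pattern checks
        self.callback_amount = callback_amount
        self.callback_score = callback_score

    def add_vendor(self, vendor_id: str, bank_account: str, created_by: str) -> None:
        self.vendors[vendor_id] = Vendor(vendor_id, bank_account, created_by)

    def approve_vendor(self, vendor_id: str, approver: str) -> None:
        vendor = self.vendors[vendor_id]
        if approver == vendor.created_by:
            raise ValueError("vendor approver must differ from the creator")
        vendor.approved_by = approver

    def dual_control_violations(self, p: Payment) -> List[str]:
        """Segregation-of-duties rules; any hit rejects the payment outright."""
        problems = []
        vendor = self.vendors.get(p.vendor_id)
        if vendor is None or vendor.approved_by is None:
            problems.append("beneficiary not approved by a second person")
        if p.request_approved_by in (None, p.requested_by):
            problems.append("request not approved by someone other than the requester")
        if p.initiated_by is None or p.released_by is None:
            problems.append("initiation needs both an initiator and a releaser")
        elif p.initiated_by == p.released_by:
            problems.append("initiator and releaser are the same user")
        if vendor is not None and p.released_by == vendor.created_by:
            problems.append("releaser also created the beneficiary record")
        return problems

    def risk_score(self, p: Payment) -> Tuple[int, List[str]]:
        """Transaction scoring against this beneficiary's released-payment history."""
        score, reasons = 0, []
        prior = [q.amount for q in self.released if q.vendor_id == p.vendor_id]
        if not prior:
            score += 40
            reasons.append("first payment to this beneficiary")
        elif p.amount > 2 * max(prior):
            score += 20
            reasons.append("more than double the largest prior payment")
        if p.amount >= self.callback_amount:
            score += 30
            reasons.append("amount at or above the call-back threshold")
        return score, reasons

    def decide(self, p: Payment) -> Tuple[str, List[str]]:
        """Returns ('reject' | 'callback' | 'release', reasons)."""
        problems = self.dual_control_violations(p)
        if problems:
            return "reject", problems
        score, reasons = self.risk_score(p)
        if score >= self.callback_score:
            return "callback", reasons        # hold; confirm by phone on a number on file
        self.released.append(p)
        return "release", reasons

    def confirm_callback(self, p: Payment, confirmed: bool) -> str:
        """Outcome of the outbound call. The number must come from the vendor record,
        never from the request itself, or the fraudster confirms their own payment."""
        if not confirmed:
            return "reject"
        self.released.append(p)
        return "release"


if __name__ == "__main__":
    gate = PaymentGate()
    gate.add_vendor("V1", "DE89 3704 0044 0532 0130 00", created_by="alice")  # constructed data
    gate.approve_vendor("V1", "bob")
    print(gate.decide(Payment("P1", "V1", 10_000, "carol", "dave", "erin", "bob")))   # release
    print(gate.decide(Payment("P2", "V1", 60_000, "carol", "dave", "erin", "bob")))   # callback
    print(gate.decide(Payment("P3", "V1", 500, "carol", "dave", "erin", "erin")))     # reject
```

The order matters: segregation-of-duties failures reject before any scoring runs, so a fraudster who has captured one set of portal credentials cannot push a payment through by making it look routine. The call-back branch is kept as a separate, explicit step for the scenario BB&T describes, where the bank's safeguard fires and the client overrides it; a confirmation that reaches a phone number supplied in the payment request confirms nothing.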

Poll Question #2

Compared to last year, have fraud attempts at your organization:

A. Decreased significantly

B. Decreased slightly

C. Stayed flat

D. Increased slightly

E. Increased significantly

Note: Select one response only.


Timothy Geithner, former Secretary of the Treasury (2/19/15)

“There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”

– John Chambers, CEO of Cisco

But Everyone Already Knows That

A Multi-Layered Approach is Needed
Supported by FFIEC recommendations

1. Firewall/Intrusion Prevention
2. Log Analyzers (SIEM)
3. Network/Endpoint Monitoring
4. User Monitoring and Analysis
5. Access Controls
6. Database Security

However, Banks and Corporates Still Face Challenges

Challenge                                          Implication
How Can You Stop Fraud in Real-Time?               Fraud is often identified after the money is gone
How Do You Identify Insider Fraud?                 Insider fraud activity goes undetected
How Can You Stay One Step Ahead of New Tactics?    New tricks – social engineering, cross-channel
How Do You Prioritize and Identify Real Threats?   Information overload – too many alerts

Keys to Success

Best Practices
1. Capture & analyze network traffic to complement other layers of defense
2. Prioritize alerts with risk scoring
3. Leverage robust investigation tools such as link analysis and visual replay
4. Create a non-invasive and scalable infrastructure
5. Collect irrefutable forensic evidence

Stop Fraud Before Financial Loss

If you’re not blocking fraudulent transactions, it’s like having a surveillance camera without locking the front door.

Protect Against External and Internal Risks

Authorized users
• Trusted with access to sensitive information
• Aware of the different roles/database structure
• Can fall victim to social engineering schemes

Teller Fraud Case Study: Global Bank

A large global bank had the ability to detect large-scale fraud – but the cost and time required to review log-based activity reports rendered their current infrastructure inadequate to identify more elaborate schemes. This bank leveraged real-time network monitoring of teller activity to strengthen fraud controls.

Key Concerns
• Infrastructure relied heavily on costly monitoring and storage of log files
• Unable to detect employee access to sensitive data (e.g. read-only activity)
• Unable to detect more elaborate schemes – for example, skimming small dollar amounts or data leakage

Results
• Prevented a collusion scheme targeting dormant accounts in excess of $400,000
• Fraud investigation time has been reduced by 90% – from days to hours
• Bank can add new types of alerts without IT development, and search and replay user activities

User Behavior Monitoring Case Study: Finance Company

“Ensuring we have robust systems …that manage and eliminate risks posed to our business is of paramount importance,” says an executive at a leading affinity card, point of sale loan, and personal finance company. The company leveraged user behavior monitoring to track employee activity and identify suspicious behavior.

Key Concerns
• Financial downturn would increase the risk that employees may be tempted to commit fraud
• Looking to minimize resources and time required for a new system
• Staying one step ahead of emerging fraud trends, such as insider collusion

Results
• Proof of concept was live within days
• Migration to production completed within one month following the pilot
• Return on investment was realized within a number of months
• Analytics are being leveraged to meet other business objectives

Web Payment Fraud Case Study: A Large Bank

This bank leveraged Web Payment Fraud as an overlay to existing infrastructure, providing an additional layer of security for their HTTP traffic.

Results
• 4 terabytes of data are indexed each day
• HTTP monitoring detected a malware signature that was not yet updated into the endpoint system
• The solution also monitors payment activity from authorized users within the application
• The bank is now considering using the platform for case management

[Diagram elements: Bank.com, E-banking Application, Customers Download Endpoint Monitoring, Web Payment Fraud]

Bottomline’s Cyber Fraud and Risk Management Platform

In 2015, Bottomline acquired Intellinx, a cybersecurity company.

The Bottomline platform is used by >200 organizations, and 10 of the top 50 banks worldwide.

Flexible architecture for many use cases:
• Enterprise-wide platform
• Centralized case management overlay
• Single application monitoring
• Pre-integrated with Bottomline SaaS solutions

One Thought to Leave On: Banks and Corporates Should Work Together

• What Banks Can Do More Of:
  – Continue to communicate with and educate corporate customers
  – Strengthen operating models between bank and customers when fraud occurs
  – Continue to expand authentication options and fraud prevention services

• What Corporates Can Do More Of:
  – Leverage fraud prevention services
  – Educate employees
  – Support additional authentication methods
  – Communicate with banks about what’s working or not

• What Technology Providers Can Do:
  – Maintain tight integration across security layers and payment systems
  – Establish anti-fraud networks across their clients

Poll Question #3

What is your top forward-looking priority to improve fraud prevention in your organization?

A. Education

B. Policies and controls

C. Fraud detection systems and integration

Note: pick one response – your top priority

Thank you!

Mike Vigue, Corporate Vice President, Cyber Fraud and Risk Management

Address
Bottomline Technologies
325 Corporate Drive
Portsmouth, NH 03801

Phone & Email
Direct Line: [email protected]

www.bottomline.com