At Glenbrook, risk management is a fundamental aspect of our work across diverse clients, spanning merchants, networks, banks, and regulators. While the Visa and Mastercard merchant settlement dominated the headlines recently, we want to draw your attention to several recent fraud incidents that underscore the criticality of effective risk management to your business and the safety and soundness of the payments industry.
In a highly disruptive incident, healthcare payments provider and data exchange Change Healthcare was rendered offline for weeks. As The Wall Street Journal reports, “Change is the largest U.S. clearinghouse for medical claims, processing around 15 billion transactions a year.” This attack’s aftermath, including a reported $22 million ransom payment, brings home Associate Partner Cici Northup’s observation that healthcare is an industry of intricate complexity, with sensitive data and payments exchanged between multiple parties for a single billing. The financial and reputational impact resulting from just one incident can be immense, underscoring the need for robust fraud management.
While the exact details of the Change ecosystem attack remain unclear, there were likely numerous potential entry points. Change’s extensive reach, touching 1 in 3 patients in the US, and its integration with legacy systems across a diverse range of medical providers and third-party service providers create a staggering level of complexity in the financial environment. Partner Yvette Bohanan asserts:
“It’s crucial to identify the key risks for your specific organization and the third parties you rely on, and then create a clear, measured assessment of how well you are controlling those risks.”
We are acutely aware that frauds and scams are targeting individuals at an alarming scale, with the Atlanta Fed highlighting that $2.7 billion in annual consumer losses result from fraudsters impersonating legitimate actors. A report from Visa last month described “increasingly organized, sophisticated threat actors targeting the most vulnerable point in the payments’ ecosystem: humans.” The prevalence of America’s “scamdemic” was underscored by a widely discussed February piece in The Cut, in which scammers convinced a personal financial advice columnist to hand over $50,000 in cash through an elaborate scheme. Cash, the ultimate real-time irrevocable payment system, is a prime target for this nefarious activity.
But in an increasingly digital world, scammers also take advantage of digital real-time payment rails, leading their operators and regulators to fret over how best to protect consumers. In the UK, for example, regulators announced in March that they would allow banks to take up to 72 hours to review and investigate payments to root out authorized push payment (APP) fraud; historically, they have had until the end of the day. That complements a regulatory requirement to reimburse all APP fraud victims (with limited exceptions) that will come into force in October of this year. More traditional payment rails are also feeling the heat: Nacha announced last month that network participants would require a “base level” of fraud monitoring to curtail credit push fraud. We expect to see more emphasis from regulators and networks on risk management and control requirements for the foreseeable future.
Are you a payments professional trying to wrap your head around risk management for your organization? Have you had particular success in solving a problematic risk puzzle? We want to hear from you. Until next time – stay alert!