JPMorgan Chase Commercial Card Solutions Risk Management May, 2007

JPMorgan Chase Commercial Card Solutions Risk Management May, 2007

Agenda Definitions Fraud Dispute Case Study – Employee Fraud State of Oklahoma Audit Findings 2

Definitions 3

Definitions Fraud – Unauthorized use of a payment card resulting from lost, stolen or compromised account. The user has malicious intent and is seeking personal gain from use of account. Dispute – Authorized cardholder questions the validity of a transaction. More along the lines of a transaction that was “mistakenly” applied to an account. MasterCard defines valid dispute reasons. Employee Abuse – Authorized cardholder uses card in a manner which the State receives no benefit. MasterCard defines the type of employee abuse for which customers can be indemnified. 4

Fraud 5

Common Fraud Types Lost/Stolen Counterfeit Card Mail Theft/Non-Receipt Unauthorized Use Skimming Phishing 6

Lost/Stolen Major source of fraud, along with counterfeit cards Perpetrator not sophisticated May know cardholder address, date of birth and social security number Generally does not have false identification Various types of spending 7

Counterfeit Card Credit card has been manufactured Security features will not be present or authentic Sophisticated perpetrator False identification used Often found within organized fraud rings 8

Mail Theft/Non-Receipt New account or replacement card recently mailed Perpetrator slightly more sophisticated Will know cardholder address, usually does not know date of birth and social security number Generally does not have false identification In-store purchases or mail/telephone order 9

Unauthorized Use Transactions are made without an actual plastic via mail or telephone orders Perpetrator is more sophisticated Adult or Internet-type transactions 10

Skimming Magnetic stripe is compromised Card has been manufactured Identification matches with a false name embossed on credit card Sophisticated perpetrator - organized fraud rings Enhanced security features deter perpetrators 11

Phishing Phishing is an attempt to gain private information about you and your accounts. Most often via email that looks like it is from your financial institution You should never reply to or enter any information if you receive a suspicious e-mail If you are unsure if the e-mail is legitimate call the 800 number on the back of your card 12

Phishing It is not JPMorganChase’s practice to: Send e-mail that requires you to enter personal information directly into the e-mail Send e-mail threatening to close your account if you do not take immediate action of providing personal information Send e-mail asking you to reply by sending personal information Send e-mail asking you to enter your user ID, password, or account number into an e-mail or nonsecure web page 13

Protection Against Fraud Loss is a Partnership Fraud statistics vary from customer to customer, depending upon the controls they have in place. Statistically, customers with higher loss are not taking advantage of the controls and reporting provided by the Bank. JPMChase is there to assist in reducing fraud losses through preventative measures, reporting, and recovery efforts. There are a number of things customers can do to guard against fraud. 14

Card Design Security Features Hologram Stylized Logo Tamper-evident signature panel (CVC2) Unique magnetic stripe coding (CVC1) 15

Top Fraud MCCs 5411 – Grocery Stores 5732 - Electronics 5311 – Department Stores 5310 – Discount Stores 4812 – Telecommunication Equipment including telephone sales 16

Fraud Detection System Criteria for queues based on current fraud trends Reacts to request for authorization Queues are populated with authorization “hits” on criteria Queues can be defined for specific MCCs, dollar amounts, states/countries, etc. 17

Fraud Detection System Detection cases are reviewed by a fraud analyst Cardholder or Program Administrator is contacted to validate activity Accounts may be temporarily suspended until activity is validated Account analyzed by history, previous spending patterns, type of transaction, recently issued card 18

Disputes 19

Dispute Handling Guidelines Merchants have 45 days to respond to your dispute claim Provisional credit provided during the research process File disputes timely Maintain sufficient documentation on transactions to support your dispute Avoid card sharing, it forfeits your dispute rights Avoid use of department cards 20

Chargeback Tip - Disputes Cardholder should contact merchant to resolve dispute Cardholder must tender return of merchandise Quality of service requires supporting documentation Issuers may assist with cancellation of recurring payments on behalf of the cardholder 21

Case Study Employee Fraud 22

Case Study Recovering From Employee Fraud Classic Fraud Profile Trusted long term employee Employee rarely took vacations/time off Employee had no real backup Had multiple levels of responsibility Employee enforced policy for everyone else Had access to forms to cover fraud Start small and built up over time New supervision – limited training 23

Case Study Recovering From Employee Fraud Internal Weaknesses Poorly trained supervision Was a program administrator and a cardholder Limited transparency Limited audit/review by department No internal audit Limited review by accounts payable Weak purchase oversight, small dollar purchases Start small and built up over time New supervision – limited training 24

Case Study Recovering From Employee Fraud Best Practices/Learning Points Act quick and decisively Advise senior management immediately Get HR involved Think before you act or say anything Consider the consequences Work the data There is a reason for the program There are corrective actions There have been successful accomplishments 25

Case Study Recovering From Employee Fraud Best Practices/Learning Points Clearly define the underlying issues Have the facts straight Describe why the program exist Describe the effectiveness Describe what you are doing to resolve the issue Consider the former employee Consider the current co-workers 26

Case Study Recovering From Employee Fraud Corrective Action Steps New reporting requirements Transaction monitoring Minimum use requirements Card Authorizations Review of authorized levels Internal audit corrective action plans New supervisor manual 27

MasterCoverage Liability Protection Program Coverage afforded by MasterCard to indemnify entities for instances of employee abuse Maximum coverage of 100K per cardholder Program administrator action required Adhere to claim criteria Limited to certain activity up to 75 days before and 14 days after JPMC is notified of employee termination Claims available through customer service or program coordinator Key Requirements Employee must be terminated Cards must be cancelled within two business days of employee termination date 28

MasterCoverage Liability Protection Program Key Exclusion Department Cards Charges made by someone who is not an employee 29

State of Oklahoma Audit Findings 30

State of Oklahoma Purchase Card Audits 2006 Audit Cycle Purchase Card Expenditures 17.9MM For the agencies audited, there was 7MM or 39% of purchase card expenditures 25 Agencies audited On average of 42% of the expenditures for each Agency were tested Estimated administrative cost savings for the State of Oklahoma for calendar year 2006 of 6.4 MM* *2005 RPMG Research, P-Card Benchmark Survey Results 31

Most Common Purchase Card Audit Findings Receipts filed were not properly signed, dated, and annotated as “Received” Internal Procedures were not properly submitted or updated to the Department of Central Services Memo Statements were not properly signed, dated, or included in the Agency’s purchase documentation Employee Agreements that were not signed by participating employees of the Purchase Card program 32

Highest Occurrences of Quantifiable Audit Findings Applicable items that exceeded 500 were not included on the inventory list of the Agency Receipts reviewed were not properly signed, dated, and annotated as “Received” Employee Agreements that were not signed by participating employees of the Purchase Card program 33

Findings Associated with Highest Dollar Amount Total purchase card expenditures exceeding the amount encumbered by the agency Purchase card transactions not having appropriate documentation Purchase card transactions not having a detailed or itemized receipt 34

Highest Error Rate Associated with Purchase Card Findings Agencies who reported lost cards did not have Missing Lost Card Reports on file at the time of the audit Items for Inventory were not included on the inventory list of the Agency 35

Outcome of Continuous Monitoring Performed 13 agency directors voluntarily deactivated cards due to lack of or inappropriate Approving Officials 4 more agency directors deactivated their cards during or regular audits 5 purchase cards were cancelled and 4 were placed on hold due to cardholders not recorded on the DCS training log 36

Questions? 37

Contacts David W Cox Lisa Martin Vice President Department of Central Services JPMorganChase (312) 954-3533 State of Oklahoma (504) 522-1654 38