111 Bank Fraud Prevention

In recent years, incidents of fraudulent bank transactions have increased significantly. In 2021, 71% of businesses reported being victims of some form of payment fraud, with check fraud alone rising over 300% post-pandemic. Non-profits are particularly targeted as they often lack the sophistication to prevent or detect fraud. Multiple forms of payment fraud were experienced by the Archdiocese of Baltimore parishes and schools at the end of 2022 and the beginning of 2023. To minimize the potential for loss from fraudulent banking transactions, the Board of Financial Administration and the College of Consultors have approved the following policy:

111 Positive Pay:

All parishes and schools within the Archdiocese of Baltimore must implement the highest level of Positive Pay offered by their bank for checks and ACH/Wires for all bank accounts. Positive Pay must verify payee, check number and amount. In addition, they must ensure additional preventive and detective controls are put in place over all bank accounts to minimize the opportunity for loss. Failure to use Positive Pay will increase the Risk Deductible from $2,500 or 25% of the loss (depending on the usage of internal controls) to 50% of the loss.

Procedures:

Bank/Payment fraud can occur through various methods, including but not limited to:

Checks stolen from the mail
Phishing scams
Vendor impersonation
Executive impersonation
Unauthorized online access
Payroll account change
Account takeover & mule accounts
Double deposit (remote and in person)

To prevent and/or detect the various forms of payment fraud listed above, parishes and schools should implement the following procedures:

No cost office internal controls:

Deliver mail that includes checks directly to the post office or mail carrier; do not use the blue post office boxes or home mailboxes.
Limit your bank accounts. Every account adds additional risk.
Utilize the Archdiocese of Baltimore Payer Express system for insurance premium payments
Pay through ACH/Wire (push method preferred over pull method) – with dual approval requirements
Verify payment instructions or changes using Callbacks to known & trusted numbers
Ensure proper safekeeping of both check stock and checks received, as well as the timely destruction of received checks
Implement the use of Multi-Factor Authentication for online access to all accounts at financial institutions and/or for systems which hold account information
Frequently Update Passwords and use strong passwords i.e. passwords that include a number or special character. Additional password best practices include: Never use personal information, use a longer password, don’t use the same password on multiple accounts and include Capital letters, numbers and symbols.
Review bank transactions through the online banking portal several times during the week
Complete monthly bank reconciliations for each bank account immediately after receiving the statement

Security Software purchased by the Parish Office:

Antivirus/Malware Prevention Software
Multi factor authentication software
VPN software for those who access the Parish system remotely

Restrictions/Controls set up through an FDIC insured bank with fees

Positive Pay(Recommended/Preferred) & Reverse Positive Pay

If you make payments by check add either Positive Pay or Reverse Positive pay features offered by your bank. The Positive pay system should be the highest option available by the bank, which should include the check number, check amount and payee. If payee is not available by your bank, please request the bank upgrade and inform your Regional Controller and Risk Insurance.
If you make payments by ACH – add ACH Positive Pay or equivalent features offered by your bank. If you allow certain business’s access to automatically pull payments (not recommended) then you need to add bank features that limit this ability to only approved vendors and always have maximum amounts set that would require manual review and approval if not met.