Commercial Cards Learning Series - Fraud Management Presented by: Alan Sambridge, Head of Fraud Management, Citi Commercial and Prepaid Cards, EMEA

October 22nd 2009

Disclaimer

“These materials are provided for educational and illustrative purposes only and not as a solicitation by Citi for any particular product or service.”

Overview of Fraud Session y The goal of this session is to provide you with on overview of various types of fraud and card misuse/abuse. y Provide best practices to protect your organisation's card program from fraud loss, including a review of product design, and understanding the risk factors. y Identify and define strategies to prevent external fraud and internal card misuse and abuse y Increase your awareness of the services and support Citi has built to assist our clients in safeguarding their card programs against fraudulent transactions.

1

Misconceptions – Your Average Fraudster

The Traditional View !

2

The Real View !

Today’s Agenda y External Fraud y Internal Fraud y Programme Structure y Fraud Management y Fraud Scams y Card Fraud Top 10 y 2010 Hot Spots y USA - 2010 y Fraud Partnership and Prevention y Future Enhancements - SecureCode + VBV y Skimming y Fraud Prevention Practical Tips y Questions ?

3

External Fraud Forces of Nature y We have systems, controls and alert mechanisms. y We manage loss. y We exchange intelligence globally. y We exercise balance wherever possible.

We will always have exposure to fraud risk, due to powerful external influences. The key is to manage well, but without impacting client.

4

Internal Fraud Within the current economic climate, have your process controls been checked ?

Do you know the danger that lies beneath the waves ?

5

Internal Fraud Controlled Risk There will always be an exposure to internal fraud, you will have internal controls Why a bigger issue now ? y Income and bonuses down. Employment Loyalty Reduced. Susceptibility to approach. y Internal controls and procedures weak, due to cutbacks and staff reductions. No HR background checks or segregated control responsibilities, mobile phones in secure areas, no two-key systems. So far in 2009….. y x1 arrest and prosecution of a client employee for serious fraud. y x1 arrest for serious drugs trafficking using business travel as cover. y x3 under misconduct investigation, for personal spend.

6

Programme Structure Controlled Risk Controlling Corporate spend, is just as important as preventing fraud. Think carefully about what our products are used for. y Do you have the right card for the right purpose? – Corporate Card (T+E) for Travel and “walking” cards. – Purchasing Card for Business to Business – Dept or CTA (Central Travel Account) type card spending. – “One Card” - a mix of both Corporate Card and Purchasing Card.

y Why Use Different Cards for Travel Spend ? – A business traveler uses their Corporate Card to get them from location A to B. – A travel agent purchases multiple flights, hotels and organise conferences. You may expect the travel agent to have a CTA Card/Diversion Accounts and obtain discounts on volume spend or ensure your corporate preferred airline is booked. A frequent traveller would benefit from a diversion account, allowing his credit limit to be managed more effectively.

7

Programme Structure Controlled Risk Fraud management can be less intrusive, if a client has a clear policy and structure. We wish we could control fraud like a TV remote ! But it can be made easier………. y Make some very clear and simple rules. y No Personal Spend is allowed and explain why. (limited consumer protection on goods, secondary taxation, etc.,) y Place a formal document on your intranet site to increase policy awareness. y Back up the policy with adequate disciplinary action as a consequence of misuse. y Use Citi data resources to support you and review merchant (MCC code) spend. y Be suspicious of late expenses, which can later become a “dispute”. y

8

Cards used in non-Corporate areas, risk compromise at a greater level.

Fraud Management You need a “Fraud Manager” to act effectively. y From your plan, we now know: – Your destination from your product selection, which will help us to help you operate effectively. – The selected course is a safe route for both of us. – We can train your cardholders about managing unexpected situations. – They have confidence in our Product and Support Services – Our constant investment / innovation in technology to support client needs and service levels is delivered seamlessly.

9

Known Scams y The “Known” Phishing Scams – The bank security check email / call – Update your details email The New “Spear-Phishing” – The email from a “friend” – The Local Authority / Govt., email – The Employment Agency email Upcoming Hacking – Home P.C. Take Over (Trojans) – Telephone taping (Homes) – Man in the middle – Facade PC screens (Token Hijack and false screens). – Malware on mobile phones.

10

Card Fraud Top 10 Current Types of Plastic Fraud

Fraudulent Application Never Received Issuance (NRI) Account Take Over (ATO) Merchant Fraud Lost / Stolen Mail / Telephone Order (MOTO) Counterfeit Plastic / Cloned Cards Internet / E-Commerce ATM + Point of Sale Compromise Internal Fraud.

Citi doesn’t like me

Fraudsters are creative, take advantage of weakness and have no regulatory constraints.

11

2010 Global Hot Spots The following areas and events will be monitored closely during 2010 to avoid fraud loss. y

South Africa – Already a high counterfeit skimming country – World Cup in July.

y

Australia / Thailand / Europe Popular backpackers destination for students from both Europe and Asia. More students and post-grads will be travelling due to the recession – no job, so travel ! Temptation to supplement spending money with cards will be high.

y

Commonwealth Games, India Increasingly a counterfeit destination for purchasing Telecoms goods. Their domestic web protection system is easy to manage, but it means more merchants are managing liability shift to protect themselves.

y

12

Winter Olympics, Vancouver - Not a big fraud event, but it draws our attention to North America !

USA 2010 y

During 2010, Mexico and Canada will adopt Chip and PIN. This will improve services to our cardholders, but fraud risk in the USA will increase.

y

13

The US has no plans to implement Chip and PIN and therefore we will be vigilant in 2010, monitoring non-business spending that may actually be counterfeit fraud.

y

Cardholders will find it difficult to believe, that the USA is such a high-risk zone, that maintaining Customer Service versus Risk, will become a challenge for us in 2010.

y

Education and training will be our central area of focus in 2010 and contact with cardholders is paramount.

Fraud Partnership and Prevention

y Partner with Citi to leverage Citi’s Fraud prevention expertise. y Citi can assist you in training and in your product design. y Work with you to ensure your card program transactions do not appear on the “fraud radar”. y Do you have a Specialist Department, Product Buyers or senior executives who travel frequently? – Citi can organise additional training – regular conference calls – discuss new methods for supporting your cardholders whether they travel around the block, or around the world.

14

Fraud Partnership and Prevention With so many telephone and email scams, how can we warn our cardholders, or contact them ? y Education – We always ask cardholders to contact their local Service Centre. (number on the reverse of the card) y We call and email, so please do not be alarmed – We will identify ourselves. y Citi needs to be able to reach cardholders, their assistants, or PA’s, as soon as possible to protect the cardholder y It is difficult for both Client and Citi in these situations, but if we can request a call to us, they know they are in touch with the correct people. y Together with you, Citi Fraud Specialists: – Help you to mitigate risk – Reduce declines – Support your cardholders during a fraud episode – Can work with you to prevent fraud from occurring again

15

Future Events - Verified by Visa/SecureCode y Like Chip and Pin, this online password security system is being installed around the world. y You just need a password at checkout when you shop online y Not currently applicable to US cards y India is currently “live” and we have plans to roll out this capability to other Asia Pacific countries. y Look for these logos on merchant websites

16

ATM Skimming—What is a Suspicious Device? y What is “skimming”? – Any terminal that reads and copies your magnetic stripe – A false cover over an ATM card insert slot, or a waiter with a small machine in his hand y Why steal your card when an extra swipe with a small hand-held device will create a copy and you will not report any loss? y A skimmer pulls the data from your card, giving the thief all the information needed to make a counterfeit card. A skimmer can hold card data from hundreds of cards. This information can be downloaded into a computer and e-mailed anywhere in the world y Remember this applies to business cards not just to personal cards y Do you ever check unmanned machines, before you use them ?

17

ATM Skimming—What does a Skimmer Look Like ?

18

Now Technology Allows the Camera to be Even Smaller … Could You Spot the Camera?

19

Now What was Your PIN Number Again?

20

Fraud Prevention Practical Tips y Never let your credit card or debit card out of your sight y Rigorously check your monthly card billing statements y Contact Citi immediately if there are unrecognized transactions on your statement y Do not throw away card receipts (check against your statement) y Never leave your cards in an unlocked desk or drawer y Be careful when providing card information (such as PIN number or passwords) to another person y

Avoid letting merchants take your card put of sight

y Use your card only for authorised use as defined by your organisation y Keep your account contact information up to date y Do not keep your PIN in your wallet or purse y Do not use common personal information, such as date of birth, for a password/PIN

21

Any Questions ?

OUR AIM ?

Low Fraud and Happy Clients !

22

IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor. Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate a financing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the existence of and proposed terms for any Transaction. Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well as the legal, tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you are not relying on us for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accounting advice and (d) you should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. By acceptance of these materials, you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirm that no participant in any Transaction shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction. We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided. Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at any time without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative model which represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of the date hereof and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any such instrument at any time. Although this material may contain publicly available information about Citi corporate bond research, fixed income strategy or economic and market analysis, Citi policy (i) prohibits employees from offering, directly or indirectly, a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated for specific recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies and procedures designed to limit communications between its investment banking and research personnel to specifically prescribed circumstances.

© 2009 Citi®group Global Markets Inc. Member SIPC. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world. © 2009 Citi®group Global Markets Limited. Authorized and regulated by the Financial Services Authority. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world. © 2009 Citi®, N.A. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world. © 2009 Citi®group Inc. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world. © 2009 All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world.

efficiency, renewable energy & mitigation 25