Thread: Controls--Online Portals and Prepaid Debit Cards

  1. #1
    P2F2 Member
    Join Date
    Jan 2011
    Location
    Minnesota
    Posts
    193

    Controls--Online Portals and Prepaid Debit Cards

    The School Employees Retirement System of Ohio has two information requests.
    1. For those systems that have a member self-service portal, what controls are in place to prevent the creation of a fraudulent member account?
    2. Do any systems allow members to direct deposit benefit payments to a prepaid debit card, such as Green Dot or any other financial institution?
    a. If not, what controls are in place to prevent it?
    b. If so, how does the system deal with situations such as overpayments or other errors that would require recovery of the funds?
    Any information would be very much appreciated.

    Thank you.

    Tracy Valentino, CPA
    Chief Financial Officer
    School Employees Retirement System of Ohio
    300 E. Broad Street, Suite 100
    Columbus, OH 43215
    614-222-5890
    tvalentino@ohsers.org

  2. #2
    The School Employees Retirement System of Ohio has two information requests.
    1. For those systems that have a member self-service portal, what controls are in place to prevent the creation of a fraudulent member account?
    Members must supply their name, date of birth, social security number and zip code to create an account on our self-service portal. Once an account is created, a confirmation letter is mailed to the address on file. Members are requested to call if they did not take this action. We are in the process of implementing two-factor authentication on the self-service portal to further enhance security when members create accounts and during later login attempts.
    2. Do any systems allow members to direct deposit benefit payments to a prepaid debit card, such as Green Dot or any other financial institution?
    There are no restrictions on the financial institutions members may use.
    a. If not, what controls are in place to prevent it?
    b. If so, how does the system deal with situations such as overpayments or other errors that would require recovery of the funds?

    We are currently doing research to learn more about prepaid debit cards. We are following our current processes of requesting the money be returned and our legal team will determine if legal actions should be taken if we can identify who committed the fraudulent act.

    When implementing the online bank changes option, we did a risk analysis and realized occasionally we could have accounts redirected to accounts that were not our benefit recipients and the funds may not be recoverable. It was determined the risk is offset by the reduction in costs for one staff person (salary and benefits) that occurred after the implementation of online banking changes. That does not mean we are not always looking to make our online processes more secure. For example, we are getting ready to change our practice of not asking an account be deleted from the pension file after it is sent to our custodial bank. We have an additional two to three days where we could request the custodial bank to delete an account from the pension file before it is released to all our recipients’ banks. For various reasons, we have avoided this practice the last eight years.

    We capture the data for the pension file about five business days before the end of the month. When a bank is changed online, the benefit recipient receives a letter confirming the bank change. If a member did not make the change, he or she calls STRS. If we have a bank change that is not authorized, we can avoid the overpayment by having the custodial bank delete the account from the file. These couple of additional days should give the time needed for last-minute unauthorized changes to be deleted and not paid, assuming the benefit recipient calls right away. (It should be noted that benefit recipients cannot change their bank account online if they recently changed their mailing address.)

    We monitor if monthly benefits are going to the same bank account and if they are, does it make sense. This is done for all accounts and not just those with an online account.

    Marcy Hill
    Director, Member Services
    STRS Ohio

  3. #3
    Tracy – This is what Ohio PERS does.
    1. For those systems that have a member self-service portal, what controls are in place to prevent the creation of a fraudulent member account?
    For the member they are required to provide personal data to register for an online account, upon registration we require them to answer security related questions that are account specific – they must provide accurate responses to gain access (3 out of 5 questions must be answered correctly). If they don’t pass the security requirements the on-line account is disabled and they must call in to verify identity and gain access. In addition to registration controls, we have additional controls and securities that are in place for the various processes that can be conducted online (i.e. when updating a bank we require they validate their current bank account number before the update can be made, for survivor beneficiaries we provide them a confirmation code that must be entered, or we may require their challenge question be answered, etc.).
    2. Do any systems allow members to direct deposit benefit payments to a prepaid debit card, such as Green Dot or any other financial institution?
    We currently allow direct deposit updates via our online system to prepaid cards and financial institutions. We are working on an additional control to prevent prepaid debit cards from being entered and require those updates to be submitted on paper in the future.
    a. If not, what controls are in place to prevent it?
    We plan to block any bank update that is not a financial institute/bank routing number. In this situation, we will provide a message informing the member/beneficiary that we don’t allow electronic changes for prepaid cards and provide them the paper form to print and complete (which requires a signature).
    b. If so, how does the system deal with situations such as overpayments or other errors that would require recovery of the funds?
    We have a reversal process to reclaim funds from the bank. If the funds are still available the funds are returned directly from the bank. If they are not, we will execute our overpayment process and correspond with the member/beneficiary for collection.

    Any information would be very much appreciated. If you need additional information, please contact: Tonya Brown, OPERS, Interim Director of Operations @ tbrown@opers.org or 614-224-6204.

  4. #4
    The School Employees Retirement System of Ohio has two information requests.
    1. For those systems that have a member self-service portal, what controls are in place to prevent the creation of a fraudulent member account?
    We are currently assessing adding more controls including more local domain knowledge, using a subscription service to validate user identity anonymously through a digital fingerprint process, mailing confirmation of registration, mailing one-time PIN to address on file to complete registration.
    2. Do any systems allow members to direct deposit benefit payments to a prepaid debit card, such as Green Dot or any other financial institution?
    a. If not, what controls are in place to prevent it?
    b. If so, how does the system deal with situations such as overpayments or other errors that would require recovery of the funds?
    We are currently assessing this too. Challenge is identifying all known prepaid debit card ACH numbers. Some well-known banks offer these services too. We currently follow the same procedures as we do with a typical checking/savings account. Attempt reclaim through our bank, and if fraud is known, bank has fraud affidavit and research process.

    Rhonda H. Covarrubias
    TMRS – Director of Finance
    P.O. Box 149153
    Austin, TX 78714-9153
    (512) 225-3706
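
An added example, not code from any poster or retirement system in this thread: one way the online bank-change controls described in posts #2 through #4 could be combined into a single decision (routing-number check, proof of the current account number, address-change hold, prepaid routing list sent to a paper form). The routing numbers, the 30-day hold and all names are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed values. As post #4 notes, no complete list of prepaid-card
# routing numbers exists, so this set is a partial control, not a guarantee.
PREPAID_ROUTING = {"987654320"}
ADDRESS_COOLDOWN = timedelta(days=30)  # assumption; the thread only says "recently"

@dataclass
class BankChange:
    new_routing: str
    stated_current_account: str  # typed by the requester as proof of knowledge
    account_on_file: str
    submitted: date
    last_address_change: Optional[date] = None

def aba_checksum_ok(routing: str) -> bool:
    """Standard ABA check: the 3-7-1 weighted digit sum is a multiple of 10."""
    if len(routing) != 9 or not (routing.isascii() and routing.isdigit()):
        return False
    weights = (3, 7, 1) * 3
    return sum(w * int(d) for w, d in zip(weights, routing)) % 10 == 0

def evaluate(req: BankChange) -> str:
    """Return 'reject', 'paper_form' or 'accept_and_mail_letter'."""
    if not aba_checksum_ok(req.new_routing):
        return "reject"
    # Requester must know the account currently on file (constant-time compare).
    if not hmac.compare_digest(req.stated_current_account.encode(),
                               req.account_on_file.encode()):
        return "reject"
    # The confirmation letter goes to the address on file, so it is a weak
    # control right after an address change: hold online changes for a while.
    if (req.last_address_change is not None
            and req.submitted - req.last_address_change < ADDRESS_COOLDOWN):
        return "paper_form"
    if req.new_routing in PREPAID_ROUTING:
        return "paper_form"  # signed paper form instead of an online change
    return "accept_and_mail_letter"
```

The checksum only catches malformed routing numbers; it says nothing about whether the institution behind a valid number issues prepaid cards.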

  5. #5
    Hi Tracy – I am an accountant with MOSERS. I can address how we handle payments to debit cards. We have a “pay card” agreement set up with our local bank who issues the cards to members if they request it. If we ever have to recover funds from these cards, we do have to handle it differently – we can’t reverse funds the way we do a typical EFT payment. Bank staff is more involved, however we know immediately if we are able to recover all the funds. If we cannot fully recover, the member gets a letter requesting the payment be returned. This particular scenario is fairly rare because we have the most trouble with members losing/never receiving their cards – therefore all the funds are still in place. Members forget they requested the card, and then when it comes, they think it’s a credit card and toss it. We (Benefits and Finance dept) all wish we had never gone down this slippery slope. It’s been more headache than benefit. I believe we are down to less than 50 (of our almost 50,000 benefit recipients) members on pay card because we no longer promote it.

    On the flipside, if a member has their own debit card and can provide us with the proper routing and account number, we never know (and don’t care) if it’s a debit card or a traditional bank account. If/when we need to recover and funds are not sufficient, the member gets a letter requesting payment be returned just as if it were a traditional bank account.

    Hope this helps!

    Tena Sapp
    Accountant
    Missouri State Employees Retirement System
    573-632-6123

  6. #6
    For our portal, we use a person authentication process via LexisNexis for account set up. I was on a panel at the last P2F2 conference on this topic – the handouts might be helpful?
    As to Green Dot bank and others, yes we do allow electronic transfers to these institutions. We collect overpayments via our ongoing benefit payments and other direct contact methods. When we receive an online account change request (as well as address and email) we notify the member via snail mail and email of the change and ask them to contact us if they are not the party making the request.

    Hope this helps.

    Robin Madsen, Chief Financial Officer
    Financial Services
    California State Teachers' Retirement System
    Rmadsen@CalSTRS.com | www.CalSTRS.com
    916-414-4385
