Citi Commercial Cards Fraud Controls - Citibank

A History of Achievement. A Future of Innovation.

Treasury and Trade Solutions | Citi Commercial Cards

Citi Commercial Cards Fraud Controls

Presented by: Maureen Bilbrey, Director, Public Sector

October 2014



Fraud Overview

• Credit Card Fraud is an industry-wide issue, regardless of brand

• Issuers, Acquirers, Merchants and Consumers all work toward fraud prevention

• Historically, fraud was easier to detect and mitigate…

– Fraud used to follow patterns that included:

• High-value transactions that did not fit into T&E or P-card portfolios such as Jewelry and Electronics

• Test transactions intended to validate stolen card data ($1 gas or vending machine auth)

– Now fraud is happening:

• At lower dollar amounts and at common merchant types like grocery stores and gas stations

• In the home area of the cardholder

Credit Card Fraud occurs when one individual illegally obtains the account number of another with the intent to utilize the information to make purchases.


Detection Challenges

• Cardholder account data is obtained through multiple compromise events and commingled, making detection of CPP difficult. Additionally, merchant information is sold alongside the stolen card numbers so that fraud transactions can be centralized to the home area of the cardholder

• Fraud transactions are intended to “blend” with normal card use, such as low-dollar use at common merchant locations

• An uptick in fraud centered around T&E merchants, including airlines, railways, hotels and restaurants, means that activity completely normal for a traveler now has to be scrutinized for potential fraud

Top 10 Merchants with Fraud:

1. Gas Pumps
2. Airlines
3. Grocery Stores
4. Hotels
5. Restaurants
6. Home Supply Stores
7. Miscellaneous Stores
8. Convenience Stores
9. Travel Agencies
10. Electronics Stores

Detecting and mitigating fraud is a balance. At Citi, our goal is to keep card-usage high but fraud low. Industry trends and client needs dictate how this is done.


Account Data Compromise (ADC) - Background

ADC trends continue to be a significant concern for the industry because:

– Increased program costs and cardholder impact

– Lack of consumer confidence

– Adverse media publicity

– Brand damage/regulator interest

– Increased legal action

– Financial gains within large, organized fraud rings

To combat this, swift action is required by the associations, banks and regulators

Recent Large Market Compromises:

Account Data Compromise (ADC) is a confirmed merchant compromise event wherein Fraudsters have been able to illegally obtain credit card


ADCs today:

– Data breaches occur daily

– Concentrated in the U.S. due to the fact that we are the only G20 country that is not yet a Chip market

– Advanced malware masks the source of the breach

– Attacks ranging from small merchants (“Mom & Pop”) to large retailers (e.g. Target)

– Common targets are restaurants, hotel/motels and, recently, large chains

– Merchant POS machines, software systems and other third party system access points are all targets for this type of fraud

– From 2011-2013 Food, Retail & Hospitality merchants made up over 85% of all account data compromise cases

Account Data Compromise (ADC) – Current Trends

% of Events by Region 2013:

U.S. 70.03%

EUR 17.17%

CAN 5.18%

ASPAC 4.90%

LATAM 1.63%

EMEA 1.09%

Presentation Notes: What’s Data “ex-filtration?”

Introduction of Chip & PIN

In 2015, merchants and issuers in the US will be converting systems to allow for Chip-enabled transactions. As such, a shift is expected in fraud tactics.

How does it work?

• Credit cards have microchips embedded into the plastic which maintain a counter that is then compared to the bank’s system of record. In order for Chip technology to be utilized, banks must issue chip cards and merchants must implement Chip payment systems

What’s the benefit?

• Fraudsters today are able to obtain magnetic stripe data and produce duplicate cards encoded with this same information. The microchip counter is unable to be duplicated, so a counterfeit card would not contain the appropriate authentication required for a transaction to be approved

Does this eliminate fraud?

• Not exactly, but it does shift fraud into different paths. We can expect a drastic drop in counterfeit (card-present) fraud but an uptick in e-commerce (online) fraud once Chip technology is utilized

What’s next?

• In anticipation of an increase in online fraud, Citi is deploying 3D Secure – an authentication tool intended to determine fraud risk at online merchants and authenticate users when necessary


The Citi Fraud Teams in Action

Citi Fraud Management aims to mitigate all fraud types by leveraging clearly defined teams, working in tandem, in order to provide a holistic and safe solution for clients.

Fraud Analytics: Prevention and Detection

Analytics

• Fraud analysis throughout the course of the day, identifying unusual spending patterns

• Resulting fraud patterns triangulate back to potential data compromise location

• Engages Citi’s partners and external working groups to identify common points of compromise

Strategy Development

• Review fraud dollar losses by fraud type

• Establish fraud risk and thresholds by fraud type

Fraud Early Warning: Detection

Transaction Verification

• Account review by tenured fraud rep to determine validity of transactions in question

Notification

• Verify cardholder activity using best-practice procedures

• Monitor High Risk accounts for a set period after fraud attempts

Security Operations: Recovery and Deterrence

Recovery

• Investigate fraud disputes and execute chargeback/recovery processes


Fraud Analytics

Commercial Card has a team solely dedicated to fraud detection and prevention utilizing the following methods:

– Defect Analysis: Each time a card is closed for fraud, the Analytics team reviews all fraudulent and valid card activity. The purpose is to identify locations where card information may have been compromised so as to proactively search for other accounts that could also be impacted and more keenly monitor transactions.

– Association/Industry alerts: Issuers are able to obtain lists of accounts that are believed to be compromised in some way. These accounts are reviewed to determine if action is needed and, if so, marked for stricter fraud monitoring.

– Fraud Forums: Citibank Commercial Card works closely with other Citi lines of business as well as industry partners to share information regarding trends and activity. By sharing information on a wider scale, the industry is able to more effectively combat the negative impacts of fraud.

– Strategy Modeling: All transactions flow through a system that monitors their level of risk. This is determined based on industry trends and client-specific parameters. When there is a need to intercept fraud, the Analytics team must balance this with cardholder experience to ensure that the strategies in place do not cause negative impact.

The Fraud Analytics team works to proactively identify accounts that may have been compromised. The goal of the Analytics team is to maximize card protection while minimizing cardholder impact.
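
The defect analysis described above, as an added Python example (not Citi's code or process): it ranks merchants by how many fraud-closed cards had valid activity there before their fraud began, then lists the other cards that used the same merchant so they can be marked for stricter monitoring. The card IDs, merchant names, dates and the thresholds `lookback_days`, `min_cards` and `min_share` are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real accounts): (card_id, merchant, date).
TRANSACTIONS = (
    [(c, "Bistro X", date(2014, 3, 5)) for c in ("C1", "C2", "C3", "C4")]
    + [(f"C{i}", "Gas Stop", date(2014, 3, 20)) for i in range(1, 9)]
    + [(c, "Grocer A", date(2014, 3, 25)) for c in ("C1", "C5", "C6")]
    + [("C1", "Electronics Z", date(2014, 4, 10))]  # the fraud charge itself
)
# Constructed: card closed for fraud -> date of its first fraudulent charge.
FRAUD_CLOSED = {"C1": date(2014, 4, 10), "C2": date(2014, 4, 12),
                "C3": date(2014, 4, 15)}


def common_points(transactions, fraud_closed, lookback_days=90,
                  min_cards=3, min_share=0.5):
    """Rank merchants where fraud-closed cards were used before fraud began.

    min_share filters out merchants that nearly every card visits (a busy
    gas station), which would otherwise look like a compromise point.
    """
    hit = defaultdict(set)   # merchant -> fraud-closed cards seen pre-fraud
    seen = defaultdict(set)  # merchant -> every card seen at the merchant
    for card, merchant, when in transactions:
        seen[merchant].add(card)
        first_fraud = fraud_closed.get(card)
        if first_fraud is None:
            continue
        window_start = first_fraud - timedelta(days=lookback_days)
        if window_start <= when < first_fraud:  # valid activity only
            hit[merchant].add(card)
    ranked = []
    for merchant, cards in hit.items():
        share = len(cards) / len(seen[merchant])
        if len(cards) >= min_cards and share >= min_share:
            ranked.append((merchant, len(cards), round(share, 2)))
    return sorted(ranked, key=lambda r: (-r[1], -r[2]))


def exposed_cards(transactions, fraud_closed, merchant):
    """Open cards that used the suspected merchant: monitoring candidates."""
    return sorted({c for c, m, _ in transactions
                   if m == merchant and c not in fraud_closed})


if __name__ == "__main__":
    for merchant, cards, share in common_points(TRANSACTIONS, FRAUD_CLOSED):
        print(merchant, cards, share,
              exposed_cards(TRANSACTIONS, FRAUD_CLOSED, merchant))
```
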


Fraud Early Warning (FEW) Alert Methods Overview

Key Features

• Citi Commercial Card continues innovating our overall communication strategy by implementing advanced technology to create a single source solution to contact cardholders via text message, e-mail and voice

• Cardholders are contacted when fraud is suspected on the cardholder’s account. Immediate communication with the cardholder will limit losses related to fraud and minimize cardholder impacts

SMS Alerts

• Receive and send free text message alerts regarding potentially fraudulent activity on your account(s). If the charge is yours, reply back as directed - no further action is required. If the charge is not familiar, respond back as directed and Citi will send you a follow-up text with a toll-free number to call for further resolution

E-mail Notice

• Our e-mail notifications are another way for you to stay in touch - whether you’re at your desk, out of the office or even traveling abroad. To verify your card activity, just call the toll-free number included in the e-mail message and connect to one of our fraud specialists.

Voice

• When suspect transactions occur, an automated system allows you to listen to the recent activity on your account and verify this using the prompts on your phone. Did you miss our call? No problem! The 24x7 automated system allows you to call and resolve whenever it’s most convenient for you.

Sample Benefits to Clients

• Security: Verify charges by replying to Citi’s text message—free of charge

• Timeliness: Receive immediate notification of suspect transactions for immediate action

• Convenience: Confirm or refute suspicious activity immediately, even when traveling

Citi Fraud Early Warning Determines that the Cardholder Should be Contacted

E-mail

• Sends e-mail to the cardholder

• Cardholder confirms or denies charge by calling Citi

SMS

• Citi sends Text Message (SMS) to the cardholder

• Cardholder confirms or denies charge thru SMS or by calling Citi

Voice

• Recorded system places call to the cardholder

• Cardholder confirms or denies charge during call with Citi

Coming Soon… Interactive Email will allow cardholders to validate transactions electronically!


Security Operations

The Security Operations team works to ensure that all fraudulent charges are credited back to the account. This is dependent upon the cardholder returning the Declaration of Unauthorized Use form.

Receiving Credit For Fraud Transactions

• At the time of account closure, cardholders are advised about the Declaration of Unauthorized Use form, which is sent via email and accessed using the Passphrase provided to them at the time of call

• In accordance with association guidelines regarding the fraud recoveries process, cardholders who identify any posted fraud transactions on their account have 60 days from transaction date to return the form, which can be sent back electronically, by mail or fax

• Once the form has been received within this timeframe and pending any additional investigation, credits are issued (within 1-2 billing cycles)

• Cardholders should review their statements to ensure all credits have been received


Minimize Fraud and Misuse

Tips for Program Administrators

• Ensure all employees understand company policies for card use including that the card is for authorized use only

• Utilize merchant category code (MCC) restrictions

• Establish transaction limits

• Eliminate or restrict cash limits

• Use reporting tools to monitor card usage

• Report cancelled cards for terminated employees immediately


Fraud Prevention

Tips for cardholders

• Never leave your card in an unlocked desk or cabinet

• Do not leave receipts lying around

• Be careful when providing card information to another person

• Review your statements/account activity regularly

• Contact Customer Service immediately if you do not recognize activity on your account

• Use your card only for authorized uses

• Keep your account information current (i.e. relocations, agency transfers)

• Do not keep your PIN with the card

• Password protection

• Use employee’s correct verification information when submitting applications


IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the “promotion or marketing” of any transaction contemplated hereby (“Transaction”). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor. Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction. We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided. © 2014 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.