Lesson 8: Risk Mitigation
How can Agency/Organization Program Coordinators (A/OPCs) and contractor banks help to minimize the risk of misuse/abuse and fraud?
As an A/OPC, you should work to minimize the risk of misuse/abuse and fraud in your GSA SmartPay® Fleet program. The most important thing you can do is to be aware of what activity is occurring on the accounts under your purview. Do not be afraid to ask card/account holders questions if you identify unusual or suspicious transactions or behavior.
Risk mitigation controls, policies and practices are critical tools for ensuring the efficiency and integrity of payment solution programs by eliminating payment delinquencies, payment solution fraud, misuse, waste and abuse.
Public Law 112-194 (Government Charge Card Abuse Prevention Act of 2012) [PDF, 7 pages] and OMB Circular A-123, Appendix B [PDF, 71 pages] place a great deal of emphasis on risk management.
Contractor banks shall support goals to manage risk by:
- Developing an efficient approach to risk identification, analysis and mitigation.
- Suggesting and sharing industry leading practices.
- Developing and suggesting internal controls.
- Assisting in the development of risk mitigation policies.
- Providing agencies/organizations with exception reports that flag high risk transactions.
- Assisting agencies/organizations and GSA in the communication of policies to card/account holders.
What control mechanisms do A/OPCs have to assist in managing the GSA SmartPay program?
A/OPCs may proactively implement controls to ensure proper use of the card/account and reduce risk to all parties (the card/account holder, the agency/organization and the contractor bank). These controls are often referred to as authorization controls and include:
- Standard commercial default limits suggested by the contractor bank during card/account setup that may be changed by an agency/organization.
- Dollars Per Transaction Limit: Restricting the dollars per single transaction that can be spent on each card/account as set by the A/OPC.
- Dollars Per Month Limit: Restricting the dollars per month that can be spent on each card/account as set by the A/OPC.
- Transactions Per Day Limit: Restricting the number of transactions per day on each card/account as set by the A/OPC.
- Transactions Per Month Limit: Restricting the number of transactions per month on each card/account as set by the A/OPC.
- Merchant Category Code (MCC): Restricting the types of purchases made by each card/account as set by the A/OPC. Purchases are restricted depending on the type of merchant (identified by the MCC). For fleet, instead of MCC, include Product Number/Code.
- Preferred Supplier Listing: Each card/account may be restricted from making purchases at certain merchants; straight-through processing (STP) or virtual accounts may have established relationships with a specific supplier.
- Preferred Supplier Listing Threshold: Each card/account may be restricted to certain dollar thresholds and preferred suppliers.
- Controls that flag and deny invalid cards/accounts (such as lost, stolen, suspended and canceled cards/accounts).
- The ability for the A/OPC to make changes on a large number of cards/accounts (to meet contingency operations such as natural disasters).
- The ability for the A/OPC to adjust card/account information based upon hierarchy levels.
- The ability for the A/OPC to activate/deactivate multiple cards/accounts upon demand or activate/deactivate automatically based upon established business rules provided by the agency/organization at the task order level. No transactions shall be authorized on a deactivated card/account.
- User Account Recognition: The ability to uniquely identify and authenticate an account user before processing card-not-present transactions. The transaction processing shall support two-factor authentication where one of the factors is provided by a device separate from the computer gaining access. The concept is to tie the financial authorization process to an online authentication.
- The ability to notify the agency/organization on card-not-present transactions.
When appropriate authorization controls are combined with effective oversight and consistent enforcement of agency policies/procedures, the result is a well-managed program. While there can be a cost to implement certain controls, the costs should be balanced against the benefits received by reducing delinquency and misuse.
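The following added example (not part of the original lesson and not any contractor bank's system) shows how the authorization controls listed above can be evaluated together at authorization time, returning a reason code for every control a transaction fails so that denials can feed an exception report. The limit values, product codes, reason-code names and sample transactions are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

@dataclass
class Controls:
    """Hypothetical per-account settings an A/OPC would choose (values are constructed)."""
    active: bool = True
    per_txn: Decimal = Decimal("150.00")
    per_month: Decimal = Decimal("600.00")
    txns_per_day: int = 2
    txns_per_month: int = 20
    product_codes: frozenset = frozenset({"UNLEADED", "DIESEL"})

@dataclass
class Account:
    controls: Controls = field(default_factory=Controls)
    approved: list = field(default_factory=list)  # (date, amount) of approved transactions

def authorize(acct, day, amount, product_code):
    """Return (approved, reasons). All failed controls are reported, not only the first."""
    c = acct.controls
    if not c.active:  # no transaction is authorized on a deactivated card/account
        return False, ["ACCOUNT_DEACTIVATED"]
    month = [(d, a) for d, a in acct.approved if (d.year, d.month) == (day.year, day.month)]
    today = [a for d, a in month if d == day]
    checks = [
        ("INVALID_AMOUNT", amount <= 0),
        ("DOLLARS_PER_TRANSACTION", amount > c.per_txn),
        ("DOLLARS_PER_MONTH", sum(a for _, a in month) + amount > c.per_month),
        ("TRANSACTIONS_PER_DAY", len(today) + 1 > c.txns_per_day),
        ("TRANSACTIONS_PER_MONTH", len(month) + 1 > c.txns_per_month),
        ("PRODUCT_CODE", product_code not in c.product_codes),
    ]
    reasons = [name for name, failed in checks if failed]
    if not reasons:
        acct.approved.append((day, amount))  # only approved spend counts toward limits
    return not reasons, reasons

def run_demo():
    """Replay constructed sample transactions against one account; return the decisions."""
    acct, d = Account(), date(2024, 3, 4)
    sample = [(d, "60.00", "UNLEADED"), (d, "200.00", "UNLEADED"), (d, "12.50", "SNACKS"),
              (d, "40.00", "DIESEL"), (d, "30.00", "UNLEADED")]
    out = [authorize(acct, day, Decimal(amt), code) for day, amt, code in sample]
    acct.controls.active = False  # A/OPC deactivates the account
    out.append(authorize(acct, date(2024, 3, 5), Decimal("20.00"), "UNLEADED"))
    return out
```

Because denied transactions are not recorded against the account, a run of declines does not consume the daily or monthly allowance; the reason codes are what a reviewer would look at instead.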
What program management tools are available to assist agencies in minimizing instances of misuse/abuse and fraud?
- Credit limits restrict single, daily, weekly or monthly expenditures by the card/account holder.
- In accordance with agency/organization policy, an A/OPC may set the limits which best meet the agency’s needs.
- Setting limits that are realistic, but not excessive, will deter card/account holder misuse.
- By reviewing card/account holder spending patterns, you may be able to lower limits without disrupting the agency’s mission.
- A/OPCs also have the authority to raise limits at any time in response to emergency or unforeseen situations.
- MCCs are established by the associations or contractor banks to identify different types of businesses.
- Merchants select the codes best describing their business.
- You may limit the types of businesses where the account will be accepted by limiting the MCCs available to the card/account holder.
- The contractor bank has established sample templates that may assist you in determining which MCCs should be restricted.
- In the event that a card/account holder needs to make a purchase outside of his/her restricted MCCs, A/OPCs are authorized to override the restriction for a transaction by contacting the contractor bank’s Customer Service Representative.
- Agency/organization policy should specify who is authorized to perform overrides.
- For fleet, instead of MCC, include Product Number/Code.
- A/OPCs have access to many standard and ad hoc reports online through the contractor bank’s Electronic Access System (EAS). See Lesson 5 of this training.
- In those instances when the fleet card/account is not needed on a continuous basis, deactivation of the account may serve as a deterrent to fraud and/or misuse.
- You may deactivate the account when a card/account holder is not using or is not planning to use the fleet card/account.
- By understanding the card/account holder’s need and use of the account, you can work with the card/account holder to establish deactivation guidelines.
- Deactivation and reactivation can be completed through the bank’s EAS or by calling the bank’s customer service phone number.
- The banks have developed written guides for A/OPCs and card/account holders.
- A/OPC Guide: This guide addresses issues of concern to the A/OPC, including responsibilities of program participants, account setup and maintenance, account suspension/cancellation, disputes, reports and invoicing procedures. The guide is available from the banks in hard copy and/or electronically.
- Card/Account Holder Guide: This guide addresses authorized uses of the fleet card/account, disputes and billing.
GSA Provided Resources
- GSA developed and hosts an online training course for fleet A/OPCs that discusses their responsibilities.
- The annual GSA SmartPay Training Forum for A/OPCs provides training on the bank’s EAS, best practices and program management.
- Free online resources from the GSA SmartPay website to assist purchase A/OPCs in detecting and preventing misuse and fraud.
- Printable resources such as Helpful Hints for Fleet Account Use [PDF, 10 pages], a card-sized brochure that provides information on the fleet card/account. This brochure can be ordered online and passed out to card/account holders when they receive their fleet cards/accounts.
How do program management tools make it easier to audit and manage the use of fleet cards/accounts?
Program management tools such as online reports make it easier to distinguish questionable transactions from proper transactions. Online reports provide auditors and A/OPCs with immediate access to information such as the merchant name, the type of merchant, the dollar amount of the transaction and the date of the transaction. In some instances, merchants also provide line item detail for transactions, including quantities, prices and product descriptions. GSA continues to work with the associations to increase the availability of line item detail.
What can drivers do to minimize instances of misuse/abuse and fraud?
- Double check that they are using the correct card before making a purchase.
- Keep their Driver ID/PIN confidential and do not write it on or near the physical card.
- Ensure pumps are not compromised.
- Use pumps that face the attendant since they are less likely to have skimming devices installed.
- Secure the fleet card/account when stored and don’t leave it in the vehicle or in a place accessible to all.