Fighting Fraud: Safeguarding Your Business. November 5th, 2015

Transcription

1 Fighting Fraud: Safeguarding Your Business November 5th, 2015

2 Duane Bunn, SVP, Dealer Financial Services Treasury Management Sales Manager

3 Duane Bunn Bank of America Merrill Lynch Duane Bunn Dealer Financial Services, Treasury Management Sales Manager Provides advise and strategies with Treasury Management services to automotive, marine and recreational vehicle dealerships throughout Bank of America. Establishes fraud prevention strategies for clients within Dealer Financial Services Directs ecommerce solutions, i.e., data transmissions, file transfer, data enrichment through EDI processes Debugged first Positive Pay Issue File in conjunction with ADP, Reynolds and Reynolds, UCS, EDS and others More than 26 years of extensive banking experience Bachelor s of Business Administration in Institutional Finance from the University of North Florida Master s of Business Administration (concentration in Finance) from the University of North Florida Member of the Association of Certified Fraud Examiners 3 duane.bunn@baml.com

4 Agenda Fraud Landscape Payments data compromise (Merchant) ACH Fraud

5 Fraud Landscape

6 In the News White House Cybersecurity Event to Draw Top Tech, 1 Sony Pictures Wall Street Execs terabytes of data Obama convenes top executives, including Bank of America, to help improve information sharing as breaches get more sophisticated. Impostors bilk Omaha company out of $17.2 million 2 An employee owned commodities trader founded 120 years ago, has been taken for $17.2 million in an international swindle, according to federal court documents. Home Depot 5 56 MM customer records ebay MM userrecords records 80 million social security records stolen from insurance giant Anthem, Inc. 3 FBI: North Korea to Blame for Sony Hack 4 Target 5 56 MM credit card records White House Cybersecurity Event to Draw Top Tech, Wall Street Execs Impostors bilk Omaha company out of $17.2 million Insurance giant Anthem hit by massive data breach (Feb. 6, 2015) Despite evidence, FBI insists North Korea to blame for Sony hacking biggest data breaches hacks/

7 Contributors to Online Fraud 2015 AFP Payments Fraud & Control Survey 62% of organizations were I i i t targets of payments fraud in of malware and viruses % of companies that were subject to payments fraud in 2014 did not suffer a financial loss from the attack $20,000 was typical financial loss, reduced from $23,100 the prior year prior year 76% of organizations that experienced attempted or actual payments fraud in 2014 did so as a result of actions by an outside individual 34% of organizations experienced credit/debit card fraud din % of companies experienced wire transfer fraud in 2014, up from 14% in 2013 Fraud prevention services not being used or leveraged correctly Segregation of duties not being implemented Increasing variants Key contributors to online fraud Opt out of administrative and application controls More sophisticated and targeted threats Not utilizing all the available company, user, account controls AFP is a registered trademark of the Association for Financial Professionals

8 When was the Last Time You Reviewed and Tested Your Fraud Plan? 1 Fraud Plan 10% 13% 13% 43% No plan Within last 3 months 7 12 months Over 1 year 3 6 months 21% 1. Bank of America Merrill Lynch April 8 fraud webinar registration stats

9 Make A Cyber Attack Plan Prevention ESTABLISH sound internal COMMUNICATE and ESCALATE any transaction payment processes using enforce processes across that does not follow the best practices organization established process Response CONTACT your treasury DISABLE impacted YOU determine based on representative and follow electronic equipment your internal controls their instructions ti and user access 1. AFP is a registered trademark of the Association for Financial Professionals. 60% of companies do not have a response plan for a cyber breach companies surveyed in 2015 AFP 1 Risk Survey

10 Global Fraud Landscape Fraud has many faces phone fraud social engineering ponzi schemes pyramid schemes emp ployment scams Keyloggers ATM real est tate fra aud Fraud / mming ATM Card skim Phone fraud social engineering orde ers mo oney posit counte erfeit and remote de Internet ticket fraud dating fraud PayP Pal sc cams mail fraud money orders counterfeit and remote deposit fra aud rity Internet investment scams wire and ACH fraud reverse mortgage gg scams counterfeit cashier checks mobile funeral and cemetery fraud cash checking fraud phishing uses jans line viru troj onl haridentity theft telemarketing fraud health care and real estate fraud cmail fraud health insurance fraud mail fraud Internet auction fraud 10

11 Client Attack Malware Threats User Targeted & Malware Installed Phishing & SMishing: Infected files/malicious links sent through or SMS message Driveby Downloads: Clicking on a document, ad, or video, posted on legitimate website initiates malware download Using infected flash drive Attack is Launched and Fraud Committed: Credential theft and/or HTML injection Transaction manipulation

12 Keylogging Covert action of tracking (or logging) the keys struck on a keyboard, so that the person using the keyboard is unaware that their actions are being monitored Keylogger products have been available to purchase for years Originally developed for legitimate uses but are also used for illicit purposes Can be a piece of hardware or a thumb-drive that attaches to a computer and records keystrokes Can be software that can capture and relay similar information All of these devices and software applications are readily available for purchase. Hardware keyloggers can be bought online for around $40

13 Phishing Looks like a legitimate correspondence from the company Wording does not have the level of refinement expected from an authentic company message Has an attention getter High dollar amount of a cell bill in this example Embedded links activate Malware download on your device Often works whether or not you have a relationship with the company CallMe.org Support mycallme Account Your wireless bill is ready to view Dear Customer, Your monthly wireless bill for you account is now available online. Total Balance Due: $ Log in to mycallme to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment it s free. Smartphone users: download d the free app to manage your account anywhere, anytime. Thank you CallMe Online Services callme.org Contact Us CallMe Support quick & easy support is available 24/7. Get Piece of Mind Set up secure AutoPay from your checking account. Learn more Go Paperless Save time, money and the environment. Learn more Online Deals! Shop the Best Deals in your area for Phone, TV, Internet and Wireless. Learn more Device Tutorials Information specific about your phone Smart Controls Block calls, set mobile purchase limits, manage usage, and more Payment Arrangements Explore your options for arranging a payment plan PLEASE DO NOT REPLY TO THIS MESSAGE 2012 CallMe Intellectual Property, All rights reserved. CallMe, The CallMe logo and marks contained herein are trademarks of CallMe Intellectual Property. CallMe Inc. provides products and services under the CallMe brand. Privacy Policy 13

14 Employee Phishing Be alert for phishing campaigns against employees that appear to be internal Employees are sent s in the form of Phishing attempts Company employee s internal address has been compromised Has an attention getter High dollar amount of a cell bill in this example s attempt to drive action such as payment or profile change Be able to recognize requests that are not consistent with their usual behavior Follow your Authentication procedures From: qualityfurniture@aol.com Sent: Thursday, March 28, :35am To: Pfeiffer, Margaret Subject: Good morning Account #: From: qualityfurniture@aol.com Sent: Thursday, March 28, :16am To: Pfeiffer, Margaret Subject: Good morning I am in my nephew s funeral service at the moment but I have an urgent outstanding transaction which I ll need you to complete today. Firstly, I will need you to update me with the available balance in my account. Secondly, am in the middle of a meeting now and will not be able to make or receive calls kindly me information you will require to initiate an ongoing domestic wire transfer. I will be very busy but will frequently check my for your response. We can schedule your furniture delivery for Monday next week if I hear from you. Please acknowledge the receipt of this . From: qualityfurniture@aol.com Sent: Thursday, March 28, :59am To: Pfeiffer, Margaret Subject: Good morning Hi are you going to be at the office today? I have an urgent outstanding tt transaction ti that I would like you to complete for me today. Thanks. 14

15 Spoofing Once fraudsters have Malware or Spyware on your computer system they can: Harvest your access credentials; internal systems, financial systems, , etc. Read your business contacts and collect their information Initiate to accounts payable pretending to be you Ask the recipient to process a payment to pay an invoice Await receipt of payment or as in this example, they follow up to check on payment If you receive an such as this: Contact the sender by an alternate method to validate the instruction Follow your authentication procedures Employ dual controls prior to making payment changes or processing payments Validate that presented invoices are legitimate 15 From: Treasurer@mycompany.com Sent: Tuesday, July 8, :17am To: chris.smith@mycompany.com Subject: FW: Wire Transfer This is the third one. We are pulling the confirmation now and will send to you. From: Treasurer@mycompany.com Sent: Wednesday, June 11, :30am To: chris.smith@mycompany.com Subject: FW: Wire Transfer FYI, this needs to get processed today. I checked with (insert name here) to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send an directly to (insert name here) or let you drive from here. Let me know. From: Treasurer@mycompany.com Sent: Wednesday, June 11, :59am To: chris.smith@mycompany.com Subject: FW: Wire Transfer Process a wire of $73, to the attached account information. Code it to admin expense. Let me know when this has been completed. Thanks Forwarded message From: CEO@rnycompany.com y Sent: Wednesday, June 11, :45am To: Treasurer@mycompany.com Subject: Wire Transfer Insert name (Treasurer), Per our conversation, I have attached the wiring instructions for the wire. Let me know when done. Thanks. Insert name, (CEO) Look at the spelling of the words and names carefully CEO@mycompany.com CEO@rnycompany.com

16 Recognizing Fake URLs and Websites Understanding a few simple rules can help you spot a fraudster Good General Rule Type the Web site address in your address bar directly, rather than use a link in an message, especially if you are going to a financial site Check the URL or Fake sign in middle of address By simply hovering over the link with your mouse. The URL will appear in your browser or status bar (the bar that is usually at the bottom of your screen) and you can see what tthe name of the site is before you actually click on it For examples, if you go to a website that is you are not going to the Bank of America site at all Legitimate site and companies use a domain name as part of their name rather than sign Fake URLS spelling mistakes Some URLs look very much like the name of a well known company but there may be letters transposed or left out An example might be mircosoft.com instead of microsoft.com These slight difference can be easy to miss and what phishers are counting on

17 Payments data compromise and technologies to help secure your business

18 Data Compromises Are Constantly in the News 18

19 Typical data breach/fraud cycle Merchant/Agent fails to comply pywith payment py industry security standards. 1 Hackers search for merchants or agents with weak controls or known security vulnerabilities. 2 3 Network fraud mitigation activities Compromise investigation/forensics Distributionof of compromised accounts Development of fraud fighting technologies Dispute resolution and loss recovery processes Execution of fraud and data security compliance programs Hackers identify target and steal sensitive information by: Breaching the system/network Compromising point of sale (POS) software Tampering with POS devices and ATMs (PIN theft) Skimming 2 Criminals manufacture counterfeit cards for use at 4 retail stores or at ATMs. Fraudsters may also use subsequent phishing attacks to steal additional information to conduct identity theft or card notpresent (CNP) fraud Fraudulent transactions are conducted at merchant locations (retail, CNP or Issuer fraud mitigation activities begin. Issuer contacts cardholder to investigate suspicious transactions. Or, cardholder contacts issuer to report a lost or stolen card or a suspicious transaction. Issuer conducts a fraud investigation. If fraud is confirmed, the issuer blocks the card and lists it on the network exception fl file. Issuer sends the cardholder a new card. Fraudulent transactions are identified by issuer risk detection systems or by cardholders monitoring their account activity. ATMs). Criminals often target products that can be quickly converted to cash. 16 Source: Visa Franchise Data Compromise Trends and Cardholder, Security Best Practices (October 26, 2010, Visa, Inc.). 19

20 Common Causes of a Breach or Compromise Not Changing the Vendor Supplied Password Upon Installation Trivial and Common Passwords for POS Systems Outdated Antivirus Software Definitions Improper Firewall Configuration Remote Access to Systems by Third Party Providers Use of Vulnerable or Non Compliant Software Having Remote Access Turned On at All Times

21 Enhancing Payment Data Security with a Multi Layered Approach There is no magic bullet that protects your business from all security threats all the time and across the entire enterprise. However, businesses can significantly improve their security posture with a layered solution that includes three elements like: Point to Point Encryption (P2PE) Encryption is designed to protect cardholder data from the point of data entry Uses a key management feature making cardholder data unreadable to anyone who does not have the encryption key Protects cardholder data in transit If properly implemented, P2PE can reduce your scope of PCI DSS validation 21

22 Multi Layered Approach Tokenization Technology Tokenization Technology Replaces cardholder data (PAN) with surrogate values (token) Designed to work in concert with encryption to eliminate storage of cardholder data Allows merchant to limit the storage of cardholder data with the tokenization system If properly implemented, tokenization can reduce your scope of PCI DSS validation 22

23 Tokenization Overview What is a Token? Tokenization is the process of substituting a sensitive data element with a proxy. The proxy will have limited to no value outside of its intended duse. Tokenization of Card Number: A proxy value is used as the payment token during the transaction so that true card number is never exposed to merchant. Why is it Important? Enhanced Security By securing token provisioning through strong detection capabilities, and continuing to push for stronger authentication practices, we can count on tokenized transactions being more secure potential to reduce card alerts. Reduce Physical Card Issuance (expense impact) Opportunity to Impact Non Approval Rate Risks? Card Not Present (request token) becoming Card Present (Contactless) Fraud Token Issuance (from increase in Account Takeover, PHISHing, and plastic card number compromises). 23

24 Multi Layered Approach EMV ChipTechnology EMV Chip Technology Protects against counterfeit cards by replacing static data with dynamic Works with card present transaction only Requires a dual processing terminal (mag strip and chip) 24

25 ACH Fraud

26 Fraud in the ACH Example Scenarios Fraud risk occurs when a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds by any party to the transaction(s) with fraudulent intent. (1) Fraudcan occuronon ACH credits An employee receives an that leads him to an infected site, which installs malware to access authentication ti ti information and initiate iti t credit transfers. Since 2011, cybercriminals have been using NACHA s name, logo, contact information and product names, such as Direct Deposit via ACH, through phishing communications and social engineering tactics to gain access to consumer and business computer devices. (NACHA Website) Example of a Fraudulent e Mail Subject: ACH Transfer Review ACH Transfer (ID: ) is going to be reviewed because of the incorrectly input data when sending the payment. Important: Please fill in the application form attached attentively and send it to us. After that your transfer will be processed. If you have any questions or comments contact us at info@nacha.org. Thank you for using Employee Name Risk Management Services 26 (1) ACH Risk Management Handbook (NACHA).

27 Fraud in the ACH (Cont.) Example Scenarios Fraud can occur on ACH credits A bookkeeper creates ghost employee records to originate fictitious payroll payments June 19, 2013 (Reuters) Three women pleaded guilty on Wednesday to criminal charges arising out of what prosecutors say was a corrupt payroll project that cost more than $600 million. The average instance of payroll fraud lasts about 36 months. That s three years of paying ghost employees or overpaying existing ones. (Forbes 9/10/13) Under ACH Rules, the time limit for attempting to reverse an erroneous credit is 5 days (1) ACH Risk Management Handbook (NACHA).

28 Fraud in the ACH Example Scenarios Or, on ACH debits A fraudster uses the account information taken from the MICR line of a company s check kto initiate iti t an unauthorized debit to the company s account A business prints its account information on invoices to encourage electronic payments, but the information is intercepted by fraudsters who use it to debit the account Despite the continued decline in their use, paper checks remain dominant payment method The typical organization makes 50% of its B2B payments by check. (AFP 2013 Electronic payments Survey) A consumer provides stolen or erroneous bank account information to pay bills or make purchases via ACH debit Nationwide Utility Payment Scam Hurts Thousands USA Today 7/12/12 Victims are told that all they have to do is provide their personal information. In exchange, they are given a bank routing number and checking account number to provide their utility company when making a payment Under ACH rules, the timeframe for returning unauthorized corporate transactions is one day after the settlement of the entry. The time frame for returning consumer entries is 60 days after settlement.

29 Utility Industry Focused Phishing Phishing Scam: Federal Government to pay your utility bills Utility Bill Payment Scam Scam: Fraudsters claim a government grant will pay your utility bill in full for one month. Example: [Collected via e mail, May 2012] My friend just informed me that President Obama is paying her electric bill this month. That supposedly you call and use your SS# as the bank account, then give them the routing number of and that's it, it pays for your electric bill but only once a year. My daughter called me a couple of days ago asking me if I had already paid my Florida Power & Light (FPL) bill, I told her that I hadn t and she proceeded to tell me that the accounts were being funded by some entity for this month only for Florida residents. I have her my account information, including SS#. I received a confirmation # from FPL. Today she calls me to tell me that she had found out this was a scam. She has no idea of how this was distributed, of friend of hers is the one who provided all of the information. 29

30 ACH Fraud Prevention Steps Businesses Can Take to Minimize Fraud Risk 1 2 Monitor and reconcile your accounts daily Consolidate your ACH debit activity to one account (or a limited number) to facilitate this monitoring 3 UseACH fraud prevention services Debit Blocks Debit Authorizations ACH Positive Pay Remove account numbers from websites and correspondence Consider UPIC to mask the account where you receive ACH credits Convert more payments from check to electronic Notify your bank promptly about any discrepancy in your account Return unauthorized transactions within the NACHA time frames

31 ACH Fraud Prevention Steps Businesses Can Take to Minimize Fraud Risk If you originate ACH payments 1 Segregate duties and set dollar limits appropriate for users and payment types Leverage your bank s reporting tools to validate files and totals Deactivate entitlements of employees who have left the company immediately If you are a biller using ACH debit Consider establishing limits on ACH debits (e.g. dollar amount, customer type, etc.) Always obtain proper authorization from the Receiver Use prenotes when possible Address returns promptly and monitor return rates If you use WEB, you must employ commercially reasonable systems to detect fraud (1) Please refer to for complete information about the obligations of ACH Origination

32 How the Industry Addresses Fraud and Risk Examples of NACHA Rules (1) Network Enforcement Rule (11/8/07) Allows NACHA to request data from ODFIs about any Originator that appears to exceed a threshold of 1% for debits returned as unauthorized Company Name Identification (6/20/08) Expands the description of the Company Name Field to require that it contain a name of the Originator that is known and readily recognized by the Receiver Corporate Account Takeover (1/1/12) Provides an RDFI that reasonably suspects that a credit is unauthorized with an exemption to the funds availability requirement under Reg CC ACH Security Framework (9/20/13) Establishes minimum data security obligations for ACH Network participants to protect data within their purview Stop Payments (9/20/13) / Expands rule language governing effective period for stop payment orders on debit Entries to non consumer accounts ODFI Return Rate Reporting (3/15/13) Reduces the ODFI Return Rate Reporting period from 60 to 30 days for reducing return rates below the return rate threshold Data Passing (3/15/13) Prohibits sharing of certain customer information for the purpose of initiating debits not covered by the original authorization Proof of Authorization o for Non Consumer Entries es(9/ (9/19/14) Permits an RDFI to request proof of a non consumer Receiver s authorization for a debit (1) For the complete NACHA Rules, please refer to

33 How the Industry Addresses Fraud and Risk Unauthorized ACH Debits A Key Indicator The rate of unauthorized debit returns has declined to 0.03%, but the volume of unauthorized entries is How increasing the as the Industry use of the ACH Addresses for debit transactions Fraud grows. and Risk Unauthorized ACH Debits and Return Rates (1) thorized ACH Debit Returns (Million ns) Unau % 0.12% 0.10% 0.08% 08% 0.06% 0.04% 0.02% 02% 0.00% Unauthorized Return Rate Unauthorized Debit Returns Unauthorized Return Rate Returns for authorization issues are due to a problem with authorization, including unauthorized, revoked authorization, stopped payments or customer disputes. The authorization related return rate for ACH entries is lower than reported fraud rates for credit cards (0.07 %) and signature debit cards (0.06%) (NACHA) 33 (1) NACHA.

34 How the Industry Addresses Fraud and Risk NACHA Requests for Comment on Additional Rules to Address Risk and Quality the ACH (1) Risk and Network Enforcement Improve ability bl to identify and enforce Rules against those responsible for highest, h and most disproportionate, levels of exceptions Reduce number of exceptions caused by these outliers ACH Quality Fees Establish economic incentives for ODFIs to improve origination quality Reduce number of exceptions across the entire ACH Network Provide partial cost recovery to RDFIs for exception handling (1) Request for Comment period closed on January 13, 2014

35 Q&A

36 Best Practices for Protecting Against Fraud Online checklist Be attentive during online session: are login prompts occurring where they should? Do your online screens look correct? Make use of fraud prevention tools like Positive Pay for checks and ACH transactions. Educate all users to recognize phishing scams and know to not open file attachments or click links in suspicious s. Always be on lookout for: Any requests for personal information Urgent appeals claiming your account will be closed if you fail to respond Messages about system/security updates Use caution when visiting iii Internet sites, avoiding social ilnetworking & unknown sites that are not trusted and used for business purposes Consider the use of dedicated, hardened computer Keep your anti virus software/system patches up to date. Consider antimalware software that specifically protects your Internet Browser Implement duty segregation/dual administration Prohibit shared user names/passwords and avoid using automatic login features that save usernames/passwords Never access online banking via Internet cafes, public libraries or open Wi Fi hotspots Report suspicious transaction activity to bank/authorities immediately 36

37 Resources Duane Bunn SVP, DFS Treasury Sales Manager office cell 37

38 Disclaimer Bank of America Merrill Lynch is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives, and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation ( Investment Banking Affiliates ), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered broker dealers and members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA. This document is intended for information purposes only and does not constitute a binding commitment to enter into any type of transaction or business relationship as a consequence of any information contained herein. These materials have been prepared by one or more subsidiaries of Bank of America Corporation solely for the client or potential client to whom such materials are directly addressed d and delivered dli d(th (the Company ) in connection with an actual or potential ti lbusiness relationship lti and may not be used or relied upon for any purpose other than as specifically contemplated by a written agreement with us. We assume no obligation to update or otherwise revise these materials, which speak as of the date of this presentation (or another date, if so noted) and are subject to change without notice. Under no circumstances may a copy of this presentation be shown, copied, transmitted or otherwise given to any person other than your authorized representatives. Products and services that may be referenced in the accompanying materials may be provided through one or more affiliates of Bank of America, N.A. We are required to obtain, verify and record certain information that identifies our clients, which information includes the name and address of the client and other information that will allow us to identify the client in accordance with the USA Patriot Act (Title III of Pub. L , as amended dd( (signed into law October 26, 2001)) and such other laws, rules and regulations. We do not provide legal, compliance, tax or accounting advice. Accordingly, any statements contained herein as to tax matters were neither written nor intended by us to be used and cannot be used by any taxpayer for the purpose of avoiding tax penalties that may be imposed on such taxpayer. For more information, including terms and conditions that apply to the service(s), please contact your Bank of America Merrill Lynch representative. Investment Banking Affiliates are not banks. The securities and financial instruments sold, offered or recommended by Investment Banking Affiliates, including without limitation money market mutual funds, are not bank deposits, are not guaranteed by, and are not otherwise obligations of, any bank, thrift or other subsidiary of Bank of America Corporation (unless explicitly stated otherwise), and are not insured by the Federal Deposit Insurance Corporation ( FDIC ) or any other governmental agency (unless explicitly stated otherwise). This document is intended for information purposes only and does not constitute investment advice or a recommendation or an offer or solicitation, and is not the basis for any contract to purchase or sell any security or other instrument, or for Investment Banking Affiliates or banking affiliates to enter into or arrange any type of transaction as a consequent of any information contained herein. With respect to investments in money market mutual funds, you should carefully consider a fund s investment objectives, risks, charges, and expenses before investing. Although money market mutual funds seek to preserve the value of your investment at $1.00 per share, it is possible to lose money by investing in money market mutual funds. The value of investments and the income derived from them may go down as well as up and you may not get back your original investment. The level of yield may be subject to fluctuation and is not guaranteed. Changes in rates of exchange between currencies may cause the value of investments to decrease or increase. We have adopted dpolicies i and guidelines designed d to preserve the independence d of our research analysts. These policies i prohibit employees from offering research coverage, a favorable research rating or a specific price target or offering to change a research rating or price target as consideration for or an inducement to obtain business or other compensation. Copyright 2014 Bank of America Corporation. Bank of America N.A., Member FDIC, Equal Housing Lender.. 38