Safeguard Your Assets ABCs to Mitigate Fraud in an Evolving Payments Environment. April 10, 2014


1 Safeguard Your Assets ABCs to Mitigate Fraud in an Evolving Payments Environment April 10, 2014

2 Speakers
- Milton Santiago, Portal and Treasury echannel Executive, Bank of America Merrill Lynch (Moderator)
- Larry Brennan, Vice President, PCI Compliance and Data Compromise, Bank of America Merchant Services
- Mary O'Toole, Director, Senior ACH Product Manager, Bank of America Merrill Lynch

3 Milton Santiago, Bank of America Merrill Lynch
Portal and Treasury echannel Executive
- Establishes global strategy for client-facing channels, including primary Treasury Management portal and mobile banking, for business banking, commercial, large corporate and financial institution clients
- Directs ecommerce solutions, i.e., data transmissions, file transfer, data enrichment through EDI processes
- Developed CashPro Online, a web-based Treasury solution
- More than 20 years of extensive banking experience
- Bachelor's degree in Computer Information Systems from DeVry University

4 Larry Brennan, Bank of America Merchant Services
Vice President, PCI Compliance and Data Compromise
- Manages Merchant Data Security Program
- Aids merchants in meeting their PCI requirements to card organizations and is responsible for overseeing management of merchant data compromise incidents
- Previously was Site Leader for Bank of America Merchant Services Inside Sales Team, responsible for more than 100 merchant services telesales representatives supporting two lines of business. Also directed staffing/development in products and services sold to small business customers via the telephone
- Has 15 years of financial services industry experience with an emphasis in merchant services
- Prior to Bank of America Merchant Services, retired from U.S. Navy after 22 years of service

5 Mary O'Toole, Bank of America Merrill Lynch
Director, Senior ACH Product Manager
- Team lead of ACH Product Management Team, Global Treasury Solutions, where responsible for executing business strategy to grow electronic payments through product development, promotion, market expansion
- Manages financial performance of product, and drives end-to-end delivery of ACH services to clients in Large Corporate and Commercial markets
- Joined company in 2002, through its predecessor, FleetBoston Financial
- Previously, was ACH Product Manager at JPMorgan Chase. Began her career at MetLife Insurance Company in Treasury and Bank Operations, leading Treasurer's Planning Board tasked with developing/implementing paper-to-electronic payments strategy
- Worked in payments field for over twenty years, and is active in many industry groups and initiatives
- Attended Fordham University, holds a Bachelor of Arts degree in Political Science and Master of Business Administration degree in Financial Management

6 Agenda
- Fraud Landscape
- Payments data compromise (Merchant)
- ACH Fraud

7 Fraud Landscape Milton Santiago

8 Global Fraud Landscape: Fraud has many faces
[Word cloud of fraud types and channels: ATM, ATM/card skimming, employment scams, real estate fraud, money orders counterfeit and remote deposit, PayPal scams, charity fraud, viruses, trojans, online, phone fraud (social engineering), Ponzi schemes, pyramid schemes, keyloggers, Internet ticket fraud, dating fraud, reverse mortgage scams, counterfeit cashier checks, mobile, funeral and cemetery fraud, cash checking fraud, phishing, identity theft, telemarketing fraud, mail fraud, health care and estate fraud, health insurance fraud, Internet investment scams, wire and ACH fraud, Internet auction fraud]

9 Client Attack: Malware Threats
User Targeted & Malware Installed
- Phishing & SMishing: Infected files/malicious links sent through email or SMS message
- Drive-by Downloads: Clicking on a document, ad, or video posted on a legitimate website initiates malware download
- Using an infected flash drive
Attack is Launched and Fraud Committed
- Credential theft and/or HTML injection
- Transaction manipulation

10 Phishing
- Looks like a legitimate correspondence from the company
- Wording does not have the level of refinement expected from an authentic company message
- Has an attention getter: high dollar amount of a cell bill in this example
- Embedded links activate malware download on your device
- Often works whether or not you have a relationship with the company
Example message:
CallMe.org | Support | mycallme Account
Your wireless bill is ready to view
Dear Customer, Your monthly wireless bill for you account is now available online. Total Balance Due: $
Log in to mycallme to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment, it's free. Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you, CallMe Online Services, callme.org
Contact Us: CallMe Support, quick & easy support is available 24/7.
Get Piece of Mind: Set up secure AutoPay from your checking account. Learn more
Go Paperless: Save time, money and the environment. Learn more
Online Deals! Shop the Best Deals in your area for Phone, TV, Internet and Wireless. Learn more
Device Tutorials: Information specific about your phone
Smart Controls: Block calls, set mobile purchase limits, manage usage, and more
Payment Arrangements: Explore your options for arranging a payment plan
PLEASE DO NOT REPLY TO THIS MESSAGE
2012 CallMe Intellectual Property, All rights reserved. CallMe, The CallMe logo and marks contained herein are trademarks of CallMe Intellectual Property. CallMe Inc. provides products and services under the CallMe brand. Privacy Policy

11 Employee Phishing
Be alert for phishing campaigns against employees that appear to be internal
- Employees are sent emails in the form of phishing attempts
- Company employee's internal email address has been compromised
- Has an attention getter: high dollar amount of a cell bill in this example
- Emails attempt to drive action such as payment or profile change
- Be able to recognize requests that are not consistent with their usual behavior
- Follow your authentication procedures
Example messages:
From: qualityfurniture@aol.com
Sent: Thursday, March 28, :35am
To: Pfeiffer, Margaret
Subject: Good morning
Account #:

From: qualityfurniture@aol.com
Sent: Thursday, March 28, :16am
To: Pfeiffer, Margaret
Subject: Good morning
I am in my nephew's funeral service at the moment but I have an urgent outstanding transaction which I'll need you to complete today. Firstly, I will need you to update me with the available balance in my account. Secondly, am in the middle of a meeting now and will not be able to make or receive calls kindly email me information you will require to initiate an ongoing domestic wire transfer. I will be very busy but will frequently check my email for your response. We can schedule your furniture delivery for Monday next week if I hear from you. Please acknowledge the receipt of this email.

From: qualityfurniture@aol.com
Sent: Thursday, March 28, :59am
To: Pfeiffer, Margaret
Subject: Good morning
Hi are you going to be at the office today? I have an urgent outstanding transaction that I would like you to complete for me today. Thanks.

12 Spoofing
Once fraudsters have malware or spyware on your computer system they can:
- Harvest your access credentials: internal systems, financial systems, email, etc.
- Read your business contacts and collect their information
- Initiate email to accounts payable pretending to be you
- Ask the recipient to process a payment to pay an invoice
- Await receipt of payment or, as in this example, follow up to check on payment
If you receive an email such as this:
- Contact the sender by an alternate method to validate the instruction
- Follow your authentication procedures
- Employ dual controls prior to making payment changes or processing payments
- Validate that presented invoices are legitimate
Example messages:
From: Treasurer@mycompany.com
Sent: Monday, July 8, :17am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer
This is the third one. We are pulling the confirmation now and will send to you.

From: Treasurer@mycompany.com
Sent: Thursday, June 11, :30am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer
FYI, this needs to get processed today. I checked with?? to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send am directly to??? or let you drive from here. Let me know.

From: Treasurer@mycompany.com
Sent: Tuesday, June 11, :59am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer
Process a wire of $73, to the attached account information. Code it to admin expense. Let me know when this has been completed. Thanks

Forwarded message
From: CEO@mycompany.com
Sent: Tuesday, June 11, :45am
To: Treasurer@mycompany.com
Subject: Wire Transfer
Nick, Per our conversation, I have attached the wiring instructions for the wire. Let me know when done. Thanks. Charlie

13 Recognizing Fake URLs and Websites
Understanding a few simple rules can help you spot a fraudster
Good General Rule
- Type the website address in your address bar directly, rather than use a link in an email message, especially if you are going to a financial site
Check the URL for a fake @ sign in the middle of the address
- Hover over the link with your mouse. The URL will appear in your browser or status bar (the bar that is usually at the bottom of your screen) and you can see what the name of the site is before you actually click on it
- For example, if you go to a website that is you are not going to the Bank of America site at all
- Legitimate sites and companies use a domain name as part of their name rather than the @ sign
Fake URLs: spelling mistakes
- Some URLs look very much like the name of a well-known company but there may be letters transposed or left out
- An example might be mircosoft.com instead of microsoft.com
- These slight differences can be easy to miss and are what phishers are counting on
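The two checks this slide describes (an "@" sign in the middle of the address, and a lookalike name with letters transposed or left out) can be automated for links pulled from mail or proxy logs. The sketch below is an added example, not part of the original presentation; the trusted-domain list, the two-edit threshold and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a list of domains the organization expects staff to visit.
# These two names are the ones the slide uses as examples.
TRUSTED_DOMAINS = ("bankofamerica.com", "microsoft.com")
MAX_EDITS = 2  # assumption: names within two edits of a trusted one are flagged


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent letters each cost 1 (optimal string alignment)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # letter left out
                          d[i][j - 1] + 1,          # letter added
                          d[i - 1][j - 1] + cost)   # letter replaced
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # letters transposed
    return d[rows - 1][cols - 1]


def registered_domain(host):
    """Last two labels of the host name. Simplification: a production check
    would consult the Public Suffix List for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url):
    """Return a list of (code, explanation) findings for one link."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = parts.hostname or ""
    findings = []
    # Everything before an '@' in the address is a user-name field, not the
    # site: the browser connects to the host that follows the '@'.
    if "@" in parts.netloc:
        decoy = parts.netloc.rsplit("@", 1)[0]
        findings.append(("at-sign-in-address",
                         f"browser goes to {host!r}; {decoy!r} is only a label"))
    domain = registered_domain(host)
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            edits = osa_distance(domain, trusted)
            if edits <= MAX_EDITS:
                findings.append(("lookalike-domain",
                                 f"{domain!r} is {edits} edit(s) from {trusted!r}"))
    return findings


def finding_codes(url):
    return [code for code, _ in check_link(url)]


if __name__ == "__main__":
    # Constructed sample links; example.net is a reserved documentation domain.
    for link in ("https://www.microsoft.com/en-us",
                 "http://www.bankofamerica.com@login.example.net/signin",
                 "https://www.mircosoft.com/update"):
        print(link, "->", check_link(link) or "no findings")
```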

14 Payments data compromise and technologies to help secure your business Larry Brennan

15 Data Compromises Are Constantly in the News

16 Typical data breach/fraud cycle
- Merchant/Agent fails to comply with payment industry security standards.
- Hackers search for merchants or agents with weak controls or known security vulnerabilities.
- Hackers identify target and steal sensitive information by: breaching the system/network; compromising point-of-sale (POS) software; tampering with POS devices and ATMs (PIN theft); skimming.
- Criminals manufacture counterfeit cards for use at retail stores or at ATMs. Fraudsters may also use subsequent phishing attacks to steal additional information to conduct identity theft or card-not-present (CNP) fraud.
- Fraudulent transactions are conducted at merchant locations (retail, CNP or ATMs). Criminals often target products that can be quickly converted to cash.
- Fraudulent transactions are identified by issuer risk detection systems or by cardholders monitoring their account activity.
- Issuer fraud mitigation activities begin. Issuer contacts cardholder to investigate suspicious transactions. Or, cardholder contacts issuer to report a lost or stolen card or a suspicious transaction. Issuer conducts a fraud investigation. If fraud is confirmed, the issuer blocks the card and lists it on the network exception file. Issuer sends the cardholder a new card.
- Network fraud mitigation activities: compromise investigation/forensics; distribution of compromised accounts; development of fraud fighting technologies; dispute resolution and loss recovery processes; execution of fraud and data security compliance programs.
Source: Visa Franchise Data Compromise Trends and Cardholder, Security Best Practices (October 26, 2010, Visa, Inc.).

17 Common Causes of a Breach or Compromise
- Not Changing the Vendor-Supplied Password Upon Installation
- Trivial and Common Passwords for POS Systems
- Outdated Antivirus Software Definitions
- Improper Firewall Configuration
- Remote Access to Systems by Third-Party Providers
- Use of Vulnerable or Non-Compliant Software
- Having Remote Access Turned On at All Times

18 Looking For the Path of Least Resistance
- 2,164 data compromise incidents reported in 2013, exposing 822 million records globally (1)
- 73% of the cyber-attacks on large merchants in 2012 weren't specifically targeted at a single merchant. The business simply exhibited a weakness that the attacker knew how to exploit, as cybercriminals look for the path of least resistance (2)
2012 Data breaches by industry (3)
- Retail: 45%
- Food & Beverage: 24%
- Hospitality: 9%
- Financial services: 7%
- Nonprofit: 3%
- All others: 12%
(1) Data Breach Quick View - Risk Based Security & Open Security Foundation, February (2) Verizon, 2013 Data Breach Investigations Report, April (3) Trustwave 2013 Global Security Report.

19 The Costs of a Data Compromise Are Significant
The average cost of a data breach to a U.S. based company in 2013 was $188 per stolen record. Globally, the average cost was $277 per stolen record (1)
Financial impacts: (2)
- Card organization fines and assessments passed through to merchant
- PCI Compliance fines for not properly protecting card account information
- Fraudulent transactions conducted with compromised cards
- Reimbursements for forensics and card replacement costs by issuer
- Insurance claims
- Government fines and penalties
- Lawsuits
Potentially more damaging than any hard dollar financial impacts is the loss of public trust and confidence in a corporate brand caused by news of a data security breach
Companies who are struggling financially jeopardize the very existence of the company if they are breached due to lost revenue from reduced customer confidence
(1) Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis, May (2) PCI Security Standards Council: Why comply with PCI Security Standards?

20 Enhancing Payment Data Security with a Multi-Layered Approach
There is no magic bullet that protects your business from all security threats all the time and across the entire enterprise. However, businesses can significantly improve their security posture with a layered solution that includes three elements like:
Point-to-Point Encryption (P2PE)
- Encryption is designed to protect cardholder data from the point of data entry
- Uses a key management feature making cardholder data unreadable to anyone who does not have the encryption key
- Protects cardholder data in transit
- If properly implemented, P2PE can reduce your scope of PCI DSS validation

21 Multi-Layered Approach: Tokenization Technology
- Replaces cardholder data (PAN) with surrogate values (token)
- Designed to work in concert with encryption to eliminate storage of cardholder data
- Allows merchant to limit the storage of cardholder data with the tokenization system
- If properly implemented, tokenization can reduce your scope of PCI DSS validation

22 Tokenization Overview
What is a Token?
- Tokenization is the process of substituting a sensitive data element with a proxy. The proxy will have limited to no value outside of its intended use.
- Tokenization of Card Number: A proxy value is used as the payment token during the transaction so that true card number is never exposed to merchant.
Why is it Important?
- Enhanced Security: By securing token provisioning through strong detection capabilities, and continuing to push for stronger authentication practices, we can count on tokenized transactions being more secure; potential to reduce card alerts.
- Reduce Physical Card Issuance (expense impact)
- Opportunity to Impact Non-Approval Rate
Risks?
- Card Not Present (request token) becoming Card Present (Contactless) Fraud
- Token Issuance (from increase in Account Takeover, phishing, and plastic card number compromises).
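A small model of the substitution described on the two tokenization slides, added here as an illustration and not taken from the presentation: a vault swaps the card number (PAN) for a random surrogate that is bound to one merchant, so the value the merchant stores has no use outside that context. The class and function names, the keep-last-four and fail-Luhn choices, and the in-memory storage are assumptions of this example; the sample PAN is a widely used test number, not a real card.

```python
import secrets


def luhn_valid(number):
    """Checksum that real card numbers satisfy (Luhn algorithm)."""
    total = 0
    for idx, ch in enumerate(reversed(number)):
        digit = int(ch)
        if idx % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Toy in-memory vault (hypothetical). A real one is a hardened service
    outside the merchant environment with encrypted storage."""

    def __init__(self):
        self._by_token = {}   # token -> (pan, merchant_id)
        self._by_card = {}    # (pan, merchant_id) -> token

    def tokenize(self, pan, merchant_id):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        key = (pan, merchant_id)
        if key in self._by_card:          # same card, same merchant: same token
            return self._by_card[key]
        while True:
            # Random digits: the token has no mathematical relation to the PAN.
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - 4))
            token = body + pan[-4:]       # last four kept for receipts
            # Design choice of this example: tokens must fail the Luhn check
            # so they can never be mistaken for, or collide with, a real PAN.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = key
        self._by_card[key] = token
        return token

    def detokenize(self, token, merchant_id):
        entry = self._by_token.get(token)
        # A token presented by any other merchant is worthless.
        if entry is None or entry[1] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return entry[0]


def merchant_order_record(vault, pan, merchant_id, amount_cents):
    """What the merchant keeps on file: the token, never the PAN."""
    return {"merchant": merchant_id,
            "card_token": vault.tokenize(pan, merchant_id),
            "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"   # widely used test number, not a real card
    record = merchant_order_record(vault, test_pan, "merchant-A", 2599)
    print("stored by merchant:", record)
    try:
        vault.detokenize(record["card_token"], "merchant-B")
    except PermissionError as err:
        print("token replayed at another merchant:", err)
```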

23 Multi-Layered Approach: EMV Chip Technology
- Protects against counterfeit cards by replacing static data with dynamic
- Works with card-present transaction only
- Requires a dual processing terminal (mag strip and chip)

24 ACH Fraud Mary O Toole

25 Quick Facts About ACH Payments
- After a decade of growth, check conversion applications are in decline. Volume growth is now driven by native electronic payments
- Consumer bill payment applications dominate, and the majority of ACH transactions are debits
[Chart: ACH Payments by Number and Type (1), in billions; series: Native Electronic, Converted Checks]
[Chart: How ACH is Used (2); categories: B2B, Direct Deposit, Other, Consumer Bill Pay, International; values shown: 1%, 1%, 14%, 31%, 53%]
[Chart: ACH Transaction Split (2); Credits 42%, Debits 58%]
(1) The 2013 Federal Reserve Payments Study (2) NACHA.

26 Quick Facts About ACH Payments (Cont.)
Rate of Third-Party Fraud in 2012 (1)
[Charts: By Frequency in Basis Points (3.60 shown); By Value in Basis Points; categories: Cards, ACH, Check]
- An unauthorized transaction (third-party fraud) is a transaction made or attempted by an individual who is not authorized by the accountholder or cardholder to use a payment instrument.
- Although third-party fraud attempts were higher for ACH than check, check fraud is greater in terms of dollar value.
(1) The 2013 Federal Reserve Payments Study

27 Fraud in the ACH: Example Scenarios
Fraud risk occurs when a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds by any party to the transaction(s) with fraudulent intent. (1)
Fraud can occur on ACH credits
- An employee receives an email that leads him to an infected site, which installs malware to access authentication information and initiate credit transfers.
- Since 2011, cybercriminals have been using NACHA's name, logo, contact information and product names, such as Direct Deposit via ACH, through phishing communications and social engineering tactics to gain access to consumer and business computer devices. (NACHA Website)
Example of a Fraudulent Email
Subject: ACH Transfer Review
ACH Transfer (ID: ) is going to be reviewed because of the incorrectly input data when sending the payment. Important: Please fill in the application form attached attentively and send it to us. After that your transfer will be processed. If you have any questions or comments contact us at info@nacha.org. Thank you for using Employee Name Risk Management Services
(1) ACH Risk Management Handbook (NACHA).

28 Fraud in the ACH (Cont.): Example Scenarios
Fraud can occur on ACH credits
- A bookkeeper creates ghost employee records to originate fictitious payroll payments
- June 19, 2013 (Reuters): Three women pleaded guilty on Wednesday to criminal charges arising out of what prosecutors say was a corrupt payroll project that cost more than $600 million.
- The average instance of payroll fraud lasts about 36 months. That's three years of paying ghost employees or overpaying existing ones. (Forbes 9/10/13)
Under ACH Rules, the time limit for attempting to reverse an erroneous credit is 5 days
(1) ACH Risk Management Handbook (NACHA).

29 Fraud in the ACH: Example Scenarios
Or, on ACH debits
- A fraudster uses the account information taken from the MICR line of a company's check to initiate an unauthorized debit to the company's account
- A business prints its account information on invoices to encourage electronic payments, but the information is intercepted by fraudsters who use it to debit the account
- Despite the continued decline in their use, paper checks remain dominant payment method. The typical organization makes 50% of its B2B payments by check. (AFP 2013 Electronic Payments Survey)
- A consumer provides stolen or erroneous bank account information to pay bills or make purchases via ACH debit
- Nationwide Utility Payment Scam Hurts Thousands (USA Today 7/12/12): Victims are told that all they have to do is provide their personal information. In exchange, they are given a bank routing number and checking account number to provide their utility company when making a payment
Under ACH rules, the timeframe for returning unauthorized corporate transactions is one day after the settlement of the entry. The timeframe for returning consumer entries is 60 days after settlement.

30 Utility Industry Focused Phishing
Phishing Scam: Federal Government to pay your utility bills
Utility Bill Payment Scam
Scam: Fraudsters claim a government grant will pay your utility bill in full for one month.
Example: [Collected via email, May 2012]
My friend just informed me that President Obama is paying her electric bill this month. That supposedly you call and use your SS# as the bank account, then give them the routing number of and that's it, it pays for your electric bill but only once a year.
My daughter called me a couple of days ago asking me if I had already paid my Florida Power & Light (FPL) bill, I told her that I hadn't and she proceeded to tell me that the accounts were being funded by some entity for this month only for Florida residents. I gave her my account information, including SS#. I received a confirmation # from FPL. Today she calls me to tell me that she had found out this was a scam. She has no idea of how this was distributed, a friend of hers is the one who provided all of the information.

31 ACH Fraud Prevention: Steps Businesses Can Take to Minimize Fraud Risk
- Monitor and reconcile your accounts daily
- Consolidate your ACH debit activity to one account (or a limited number) to facilitate this monitoring
- Use ACH fraud prevention services: Debit Blocks, Debit Authorizations, ACH Positive Pay
- Remove account numbers from websites and correspondence
- Consider UPIC to mask the account where you receive ACH credits
- Convert more payments from check to electronic
- Notify your bank promptly about any discrepancy in your account
- Return unauthorized transactions within the NACHA timeframes

32 ACH Fraud Prevention: Steps Businesses Can Take to Minimize Fraud Risk
If you originate ACH payments (1)
- Segregate duties and set dollar limits appropriate for users and payment types
- Leverage your bank's reporting tools to validate files and totals
- Deactivate entitlements of employees who have left the company immediately
If you are a biller using ACH debit
- Consider establishing limits on ACH debits (e.g. dollar amount, customer type, etc.)
- Always obtain proper authorization from the Receiver
- Use prenotes when possible
- Address returns promptly and monitor return rates
- If you use WEB, you must employ commercially reasonable systems to detect fraud
(1) Please refer to for complete information about the obligations of ACH Origination

33 How the Industry Addresses Fraud and Risk: Examples of NACHA Rules (1)
- Network Enforcement Rule (11/8/07): Allows NACHA to request data from ODFIs about any Originator that appears to exceed a threshold of 1% for debits returned as unauthorized
- Company Name Identification (6/20/08): Expands the description of the Company Name Field to require that it contain a name of the Originator that is known and readily recognized by the Receiver
- Corporate Account Takeover (1/1/12): Provides an RDFI that reasonably suspects that a credit is unauthorized with an exemption to the funds availability requirement under Reg CC
- ACH Security Framework (9/20/13): Establishes minimum data security obligations for ACH Network participants to protect data within their purview
- Stop Payments (9/20/13): Expands rule language governing effective period for stop payment orders on debit Entries to non-consumer accounts
- ODFI Return Rate Reporting (3/15/13): Reduces the ODFI Return Rate Reporting period from 60 to 30 days for reducing return rates below the return rate threshold
- Data Passing (3/15/13): Prohibits sharing of certain customer information for the purpose of initiating debits not covered by the original authorization
- Proof of Authorization for Non-Consumer Entries (9/19/14): Permits an RDFI to request proof of a non-consumer Receiver's authorization for a debit
(1) For the complete NACHA Rules, please refer to

34 How the Industry Addresses Fraud and Risk: Unauthorized ACH Debits, A Key Indicator
The rate of unauthorized debit returns has declined to 0.03%, but the volume of unauthorized entries is increasing as the use of the ACH for debit transactions grows.
[Chart: Unauthorized ACH Debits and Return Rates (1); series: Unauthorized Debit Returns (Millions), Unauthorized Return Rate]
Returns for authorization issues are due to a problem with authorization, including unauthorized, revoked authorization, stopped payments or customer disputes.
The authorization-related return rate for ACH entries is lower than reported fraud rates for credit cards (0.07%) and signature debit cards (0.06%) (NACHA)
(1) NACHA.

35 How the Industry Addresses Fraud and Risk: NACHA Requests for Comment on Additional Rules to Address Risk and Quality in the ACH (1)
Risk and Network Enforcement
- Improve ability to identify and enforce Rules against those responsible for highest, and most disproportionate, levels of exceptions
- Reduce number of exceptions caused by these outliers
ACH Quality Fees
- Establish economic incentives for ODFIs to improve origination quality
- Reduce number of exceptions across the entire ACH Network
- Provide partial cost-recovery to RDFIs for exception handling
(1) Request for Comment period closed on January 13, 2014

36 Q&A Have a question? Please click on the question box, type your question, and send.

37 Best Practices for Protecting Against Fraud: Online checklist
- Be attentive during online session: are login prompts occurring where they should? Do your online screens look correct?
- Educate all users to recognize phishing scams and know to not open file attachments or click links in suspicious emails. Always be on lookout for:
  - Any requests for personal information
  - Urgent appeals claiming your account will be closed if you fail to respond
  - Messages about system/security updates
- Use caution when visiting Internet sites, avoiding social networking & unknown sites that are not trusted and used for business purposes
- Consider the use of dedicated, hardened computer
- Keep your anti-virus software/system patches up to date. Consider anti-malware software that specifically protects your Internet browser
- Implement duty segregation/dual administration
- Prohibit shared user names/passwords and avoid using automatic login features that save usernames/passwords
- Never access online banking via Internet cafes, public libraries or open Wi-Fi hotspots
- Report suspicious transaction activity to bank/authorities immediately

38 Resources Milton Santiago Larry Brennan O: F: Mary O Toole mary.s.o toole@baml.com 38

39 Safeguard Your Assets ABCs to Mitigate Fraud in an Evolving Payments Environment

40 Disclaimer Bank of America Merrill Lynch is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives, and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation ( Investment Banking Affiliates ), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA. This document is intended for information purposes only and does not constitute a binding commitment to enter into any type of transaction or business relationship as a consequence of any information contained herein. These materials have been prepared by one or more subsidiaries of Bank of America Corporation solely for the client or potential client to whom such materials are directly addressed and delivered (the Company ) in connection with an actual or potential business relationship and may not be used or relied upon for any purpose other than as specifically contemplated by a written agreement with us. We assume no obligation to update or otherwise revise these materials, which speak as of the date of this presentation (or another date, if so noted) and are subject to change without notice. Under no circumstances may a copy of this presentation be shown, copied, transmitted or otherwise given to any person other than your authorized representatives. 
Products and services that may be referenced in the accompanying materials may be provided through one or more affiliates of Bank of America, N.A. We are required to obtain, verify and record certain information that identifies our clients, which information includes the name and address of the client and other information that will allow us to identify the client in accordance with the USA Patriot Act (Title III of Pub. L , as amended (signed into law October 26, 2001)) and such other laws, rules and regulations. We do not provide legal, compliance, tax or accounting advice. Accordingly, any statements contained herein as to tax matters were neither written nor intended by us to be used and cannot be used by any taxpayer for the purpose of avoiding tax penalties that may be imposed on such taxpayer. For more information, including terms and conditions that apply to the service(s), please contact your Bank of America Merrill Lynch representative. Investment Banking Affiliates are not banks. The securities and financial instruments sold, offered or recommended by Investment Banking Affiliates, including without limitation money market mutual funds, are not bank deposits, are not guaranteed by, and are not otherwise obligations of, any bank, thrift or other subsidiary of Bank of America Corporation (unless explicitly stated otherwise), and are not insured by the Federal Deposit Insurance Corporation ( FDIC ) or any other governmental agency (unless explicitly stated otherwise). This document is intended for information purposes only and does not constitute investment advice or a recommendation or an offer or solicitation, and is not the basis for any contract to purchase or sell any security or other instrument, or for Investment Banking Affiliates or banking affiliates to enter into or arrange any type of transaction as a consequent of any information contained herein. 
With respect to investments in money market mutual funds, you should carefully consider a fund's investment objectives, risks, charges, and expenses before investing. Although money market mutual funds seek to preserve the value of your investment at $1.00 per share, it is possible to lose money by investing in money market mutual funds. The value of investments and the income derived from them may go down as well as up and you may not get back your original investment. The level of yield may be subject to fluctuation and is not guaranteed. Changes in rates of exchange between currencies may cause the value of investments to decrease or increase. We have adopted policies and guidelines designed to preserve the independence of our research analysts. These policies prohibit employees from offering research coverage, a favorable research rating or a specific price target or offering to change a research rating or price target as consideration for or an inducement to obtain business or other compensation. Copyright 2014 Bank of America Corporation. Bank of America N.A., Member FDIC, Equal Housing Lender.


More information

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name. Security for Your Business Mitigating risk is a daily reality for business owners, but you don t have

More information

You are signing up to use the Middlesex Savings Bank Person to Person Service powered by Acculynk that allows you to send funds to another person.

You are signing up to use the Middlesex Savings Bank Person to Person Service powered by Acculynk that allows you to send funds to another person. Middlesex Bank Person to Person Service You are signing up to use the Middlesex Savings Bank Person to Person Service powered by Acculynk that allows you to send funds to another person. This Agreement

More information

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN? WHAT IS CORPORATE ACCOUNT TAKEOVER? Corporate Account Takeover (also referred to as CATO) is a type of fraud where criminals gain access to a business financial accounts to make unauthorized transactions.

More information

Business Online Banking & Bill Pay Guide to Getting Started

Business Online Banking & Bill Pay Guide to Getting Started Business Online Banking & Bill Pay Guide to Getting Started What s Inside Contents Security at Vectra Bank... 4 Getting Started Online... 5 Welcome to Vectra Bank Business Online Banking. Whether you re

More information

CYBER SECURITY RESOURCE GUIDE. Cyber Fraud Overview. Best Practices and Resources. Quick Reference Guide for Employees. Cyber Security Checklist

CYBER SECURITY RESOURCE GUIDE. Cyber Fraud Overview. Best Practices and Resources. Quick Reference Guide for Employees. Cyber Security Checklist CORPORATE & INSTITUTIONAL BANKING CYBER SECURITY RESOURCE GUIDE Cyber Fraud Overview Best Practices and Resources Quick Reference Guide for Employees Cyber Security Checklist 2 5 7 9 AWARENESS OF CYBER

More information

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies Fraud Overview and Mitigation Strategies SUNTRUST TEAM: DOUG HICKMAN SENIOR VICE PRESIDENT FOUNDATIONS AND ENDOWMENTS SPECIALTY PRACTICE JAMES BERNAL ASSISTANT VICE PRESIDENT FOUNDATIONS AND ENDOWMENTS

More information

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016 Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

QNB Bank-ONLINE AGREEMENT

QNB Bank-ONLINE AGREEMENT This is an Agreement between you and QNB Bank ("QNB"). It explains the rules of your electronic access to your accounts through QNB Online. By using QNB-Online, you accept all the terms and conditions

More information

Web Cash Fraud Prevention Best Practices

Web Cash Fraud Prevention Best Practices Web Cash Fraud Prevention Best Practices Tips on what you can do to prevent Online fraud. This document provides best practices to avoid or reduce exposure to fraud. You can use it to educate your Web

More information

1 of 11 10/1/ :26 AM

1 of 11 10/1/ :26 AM 1 of 11 10/1/2010 12:26 AM About Us Careers Calculators Contact Us Search Home Your Money HQ ID Theft & Fraud FRAUD ALERT E-mail Scams ID Theft and Fraud Avoid Becoming a Victim What To Do If You Are a

More information

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS? FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit

More information

Guide to Getting Started. Personal Online Banking & Bill Pay

Guide to Getting Started. Personal Online Banking & Bill Pay Guide to Getting Started Personal Online Banking & Bill Pay What s Inside Welcome to National Bank of Arizona s Online Banking. Whether you re at home, at work, or on the road, our online services are

More information

Cyber Insurance: What is your bank doing to manage risk? presented by

Cyber Insurance: What is your bank doing to manage risk? presented by Cyber Insurance: What is your bank doing to manage risk? David Kitchen presented by Lisa Micciche Today s Agenda Claims Statistics Common Types of Cyber Attacks Typical Costs Incurred to Respond to an

More information

Target Breach Overview

Target Breach Overview Target Breach Overview Q: Media reports are stating that Target experienced a data breach. Can you provide more specifics? A: Yes, Target has confirmed that it experienced unauthorized access to its systems

More information

Mobile Cash Management

Mobile Cash Management Mobile Cash Management Best Practices Presented by: Ed Hiddleson Date: April 19/20, 2018 Agenda I. Current Mobile Banking Landscape II. Benefits of Mobile Banking III. Mobile Security IV. The Future of

More information

huntington Business security suite user guide

huntington Business security suite user guide huntington Business security suite user guide Contents Welcome 3 Section 1: Getting Started Logging In 5 Section 2: ACH Positive Pay Overview 7 Filters 8 managing exceptions 11 warehouse 14 approvals 15

More information

COMPLETING THE PAYMENT SECURITY PUZZLE

COMPLETING THE PAYMENT SECURITY PUZZLE COMPLETING THE PAYMENT SECURITY PUZZLE An NCR white paper INTRODUCTION With the threat of credit card breaches and the overwhelming options of new payment technology, finding the right payment gateway

More information

PCI COMPLIANCE IS NO LONGER OPTIONAL

PCI COMPLIANCE IS NO LONGER OPTIONAL PCI COMPLIANCE IS NO LONGER OPTIONAL YOUR PARTICIPATION IS MANDATORY To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry

More information

Personal Online Banking & Bill Pay. Guide to Getting Started

Personal Online Banking & Bill Pay. Guide to Getting Started Personal Online Banking & Bill Pay Guide to Getting Started What s Inside Contents Security at Vectra Bank... 4 Getting Started Online... 5 Welcome to Vectra Bank Online Banking. Whether you re at home,

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

University of North Texas System Administration Identity Theft Prevention Program

University of North Texas System Administration Identity Theft Prevention Program University of North Texas System Administration Identity Theft Prevention Program I. Purpose of the Identity Theft Prevention Program The Federal Trade Commission ( FTC ) requires certain entities, including

More information

NOT-FOR- PROFIT SERVICES GROUP Client Information Bulletin

NOT-FOR- PROFIT SERVICES GROUP Client Information Bulletin NOT-FOR- PROFIT SERVICES GROUP GUARDING AGAINST CYBERTHEFT The Problem: There has been an increase in electronic funds transfer (EFT) fraud being perpetrated on small to medium-size businesses in the past

More information

Site Data Protection (SDP) Program Update

Site Data Protection (SDP) Program Update Advanced Payments October 9, 2006 Site Data Protection (SDP) Program Update Agenda Security Landscape PCI Security Standards Council SDP Program October 9, 2006 SDP Program Update 2 Security Landscape

More information

CONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014

CONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014 CONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014 1. Welcome 1.1 Welcome to the Connect Transit Card Program. The Connect Card Program makes using public transit easier

More information

Identity Theft, Fraud & You. PrePare. Protect. Prevent.

Identity Theft, Fraud & You. PrePare. Protect. Prevent. PrePare. Protect. Prevent. Identity Theft, Fraud & You Fraud and identity theft incidents claimed fewer victims in 2010 than in previous years. But don t get too comfortable. Average out-of-pocket consumer

More information

Agreements & Contracts: Electronic Documents User Agreement CUSTOMER SERVICE SKOWHEGAN SAVINGS

Agreements & Contracts: Electronic Documents User Agreement CUSTOMER SERVICE SKOWHEGAN SAVINGS Agreements & Contracts: Electronic Documents User Agreement CUSTOMER SERVICE SKOWHEGAN SAVINGS 800.303.9511 CUSTSERV@SKOWSAVINGS.COM TABLE OF CONTENTS ELECTRONIC DELIVERY OF DOCUMENTS...3 SYSTEM REQUIREMENTS...3

More information

Mobile Cash Management

Mobile Cash Management Mobile Cash Management Best Practices Presented by: Dawn Papadatos Date: April 24, 2017 Agenda I. Current Mobile Banking Landscape II. Benefits of Corporate Mobile Banking III. Mobile Security IV. The

More information

Donor Credit Card Security Policy

Donor Credit Card Security Policy Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry

More information

Lusitania Savings Bank Retail Internet Banking Terms and Conditions

Lusitania Savings Bank Retail Internet Banking Terms and Conditions Retail Internet Banking Terms and Conditions Internet Banking Terms and Conditions Agreement This Agreement describes your rights and obligations as a user of the On-line Banking Service ("Service" or

More information

Keep the Door Open for Users and Closed to Hackers

Keep the Door Open for Users and Closed to Hackers Keep the Door Open for Users and Closed to Hackers A Shift in Criminal Your Web site serves as the front door to your enterprise for many customers, but it has also become a back door for fraudsters. According

More information

Regulation P & GLBA Training

Regulation P & GLBA Training Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed

More information

IDENTITY THEFT PREVENTION Policy Statement

IDENTITY THEFT PREVENTION Policy Statement Responsible University Officials: Vice President for Financial Operations and Treasurer Responsible Office: Office of Financial Operations Origination Date: October 13, 2009 IDENTITY THEFT PREVENTION Policy

More information

Small Business FRAUD PREVENTION Manual

Small Business FRAUD PREVENTION Manual Small Business FRAUD PREVENTION Manual TABLE OF CONTENTS PREFACE... ix PART 1: INTERNAL FRAUD THREATS I. INTRODUCTION TO EMPLOYEE FRAUD The Shocking Cost of Employee Theft and Fraud... 1 The Cost of Fraud

More information

Agreement Between the Per Diem Prepaid Cardholder and U.S. Bank National Association ( U.S. Bank ) (Dated January, 2014)

Agreement Between the Per Diem Prepaid Cardholder and U.S. Bank National Association ( U.S. Bank ) (Dated January, 2014) Non-Consumer Per Diem Cardholder Agreement Agreement Between the Per Diem Prepaid Cardholder and U.S. Bank National Association ( U.S. Bank ) (Dated January, 2014) IMPORTANT: The enclosed U.S. Bank Per

More information

PCI Compliance: It's Required, and It's Good for Your Business

PCI Compliance: It's Required, and It's Good for Your Business PCI Compliance: It's Required, and It's Good for Your Business INTRODUCTION As a merchant who accepts payment cards, you know better than anyone that the war against data fraud is ongoing and escalating.

More information

CERTIFIED FINANCIAL PLANNER BOARD OF STANDARDS, INC. ANONYMOUS CASE HISTORIES NUMBER 30648

CERTIFIED FINANCIAL PLANNER BOARD OF STANDARDS, INC. ANONYMOUS CASE HISTORIES NUMBER 30648 CERTIFIED FINANCIAL PLANNER BOARD OF STANDARDS, INC. ANONYMOUS CASE HISTORIES NUMBER 30648 This is a summary of a decision issued following the October 2017 hearings of the Disciplinary and Ethics Commission

More information

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) Table of Contents Introduction 03 Who is affected by PCI DSS? 05 Why should my organization comply 06 with PCI DSS? Email security requirements 08

More information

Mobile ACH Payments Request for Comment

Mobile ACH Payments Request for Comment Mobile ACH Payments Request for Comment Executive Summary and Rules Description September 1, 2009 REQUEST FOR COMMENT RESPONSES DUE BY FRIDAY, OCTOBER 16, 2009 NACHA requests comment on a proposal to amend

More information

Canada s Anti-Spam Law ( CASL ): It s the Law on July 1, 2014 questions for directors to ask

Canada s Anti-Spam Law ( CASL ): It s the Law on July 1, 2014 questions for directors to ask Canada s Anti-Spam Law ( CASL ): It s the Law on July 1, 2014 questions for directors to ask Author: Jennifer Babe, LL.M, ICD.D Why Should I Read This Alert? a) despite its name, this Act covers much more

More information

First Federal Savings Bank of Mascoutah, IL Agreement and Disclosures

First Federal Savings Bank of Mascoutah, IL Agreement and Disclosures Agreement and Disclosures INTERNET BANKING TERMS AND CONDITIONS AGREEMENT This Agreement describes your rights and obligations as a user of the Online Banking Service and all other services made available

More information

PCI Compliance. What is it? Who uses it? Why is it important?

PCI Compliance. What is it? Who uses it? Why is it important? PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3 rd party processors companies

More information

Simple and Powerful Security for PCI DSS

Simple and Powerful Security for PCI DSS Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them

More information

FAQ. Usually appear to be sent from official address

FAQ. Usually appear to be sent from official  address FAQ 1. What is Phishing Email? A form of fraud by which an attacker masquerades as a reputable entity in order to obtain your personal information. Usually appear to be sent from official email address

More information

Common Scams and Fraud. Charlottesville/Albemarle County TRIAD Group

Common Scams and Fraud. Charlottesville/Albemarle County TRIAD Group Common Scams and Fraud Charlottesville/Albemarle County TRIAD Group What We ll Cover 3 parts of a scam or fraud Common scams What can you do? Common Scams Three Parts of Any Scam or Fraud 1. Victim has

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014 Fraud Update: Why Fraudsters Love Wires and How to Stop Them Luis Rojas, Director, Product Management WesPay 2014 Competitive Pressures Drive Fraud and Operational Risk Availability Of Information Creates

More information

ASSESSMENT LAYERED SECURITY

ASSESSMENT LAYERED SECURITY FFIEC BUSINESS ACCOUNT GUIDANCE RISK & ASSESSMENT LAYERED SECURITY FOR ONLINE BUSINESS TRANSACTIONS New financial standards will assist banks and business account holders to make online banking safer and

More information

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager IT Audit and Risk Trends for Credit Union Internal Auditors Blair Bautista, Director Bob Grill, Manager David Dyk, Manager 1 AGENDA Internet Banking Authentication ATM Security and PIN Compliance Social

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

MERCHANTS AND FARMERS BANK ONLINE BANKING AGREEMENT AND DISCLOSURE

MERCHANTS AND FARMERS BANK ONLINE BANKING AGREEMENT AND DISCLOSURE MERCHANTS AND FARMERS BANK ONLINE BANKING AGREEMENT AND DISCLOSURE Merchants and Farmers Bank has expanded its banking services to utilize the convenience and efficiency of Internet technology and parties

More information

Business ebanking User Guide May 2015

Business ebanking User Guide May 2015 Business ebanking User Guide May 2015 Contents INTRODUCTION... 5 Signing In... 6 Signing Off... 9 First Time Access... 10 Dashboard Setup Tool... 10 WELCOME... 11 Welcome Page... 12 Managing panels...

More information

OBTAINING YOUR PIN# FOR UNIVERSITY PROCUREMENT CARD

OBTAINING YOUR PIN# FOR UNIVERSITY PROCUREMENT CARD OBTAINING YOUR PIN# FOR UNIVERSITY PROCUREMENT CARD 1) www.baml.com/pincheck 2) CLICK ON Register New User 3) Card Number (whole cc number) 4) Select: I am a Cardholder. This is my corporate cc number

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

Baptist Financial Services

Baptist Financial Services Baptist Financial Services BFS Visa Prepaid PayCard FREQUENTLY ASKED QUESTIONS (FAQ S) Questions for Employers 1 What is a BFS Visa Prepaid PayCard? 2 How do I get a BFS Visa Prepaid PayCard? 3 How does

More information

e-transfer means the transfer of funds to Recipients using their address or mobile number;

e-transfer means the transfer of funds to Recipients using their  address or mobile number; Royal Bank of Canada MASTER CLIENT AGREEMENT FOR BUSINESS CLIENTS INTERAC e-transfer Service Materials These are Service Materials for Royal Bank s INTERAC e-transfer Service, and form part of the Master

More information

Why you MUST protect your customer data

Why you MUST protect your customer data Why you MUST protect your customer data If you think you re exempt from compliance with customer data security and privacy laws because you re a small business, think again. Businesses of all sizes are

More information

CSBANK ONLINE ENROLLMENT FORM CITIZENS STATE BANK

CSBANK ONLINE ENROLLMENT FORM CITIZENS STATE BANK CSBANK ONLINE ENROLLMENT FORM CITIZENS STATE BANK To sign up for Citizens State Bank s Internet Banking Services, complete all information on this form. Please read the CSBank Online Internet Banking Agreement

More information

Maintaining Trust: Visa Inc. Payment Security Strategy

Maintaining Trust: Visa Inc. Payment Security Strategy Maintaining Trust: Visa Inc Payment Security Strategy Ellen Richey 2010 Payments Conference Chicago Federal Reserve Global Electronic Payments Protecting the payment system is a shared responsibility among

More information

How PayPal can help colleges and universities reduce PCI DSS compliance scope. Prepared by PayPal and Sikich LLP.

How PayPal can help colleges and universities reduce PCI DSS compliance scope. Prepared by PayPal and Sikich LLP. How PayPal can help colleges and universities reduce PCI DSS compliance scope. Prepared by PayPal and Sikich LLP. Reduce time and resources needed for PCI DSS compliance. Campus merchants want to offer

More information

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier Welcome! PCI DSS Addressing Cyber-Security Threats ETCAA June 2017 - Gabriel Leperlier Short Bio Current Position Head of Continental Europe Advisory Services at Verizon. Managing 30+ GRC/PCI/Pentest Consultants

More information

Cybersecurity The Evolving Landscape

Cybersecurity The Evolving Landscape Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG

More information

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

Quick recap on  ing  Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page Workshop #7 Email Security Previous workshops 1. Introduction 2. Smart phones & Tablets 3. All about WatsApp 4. More on WatsApp 5. Surfing the Internet 6. Emailing Quick recap on Emailing Email Security

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

Online Fraud and Identity Theft Guide. A Guide to Protecting Your Identity and Accounts

Online Fraud and Identity Theft Guide. A Guide to Protecting Your Identity and Accounts A Guide to Protecting Your Identity and Accounts As part of SunTrust s commitment to protecting your accounts and identity, we ve created the Online Fraud & Identity Theft Guide, which provides information

More information

Regulatory Notice 10-21

Regulatory Notice 10-21 Regulatory Notice 10-21 SEC Approves New Consolidated FINRA Rules SEC Approval and Effective Dates for New Consolidated FINRA Rules and the Repeal of Certain NASD and Incorporated NYSE Rules Effective

More information

THE SMALL BUSINESS FRAUD PREVENTION MANUAL

THE SMALL BUSINESS FRAUD PREVENTION MANUAL THE SMALL BUSINESS FRAUD PREVENTION MANUAL TABLE OF CONTENTS PART 1: INTERNAL FRAUD THREATS I. INTRODUCTION TO EMPLOYEE FRAUD The Shocking Cost of Employee Theft and Fraud... 1 The Cost of Fraud to Small

More information

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person) Cyber Security Presenters: - Brian Everest, Chief Technology Officer, Starport Managed Services - Susan Pawelek, Accountant, Compliance and Registrant Regulation February 13, 2018 (webinar) February 15,

More information

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches Chris Bucolo, PCIP, MBA Today s Speaker Chris Bucolo Sr. Manager, Sikich

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

Fraud Risks Facing Credit Unions. ALLIED SOLUTIONS LLC SERVICE CENTER 210 East Main Street, Suite 200, Niles, MI Fax:

Fraud Risks Facing Credit Unions. ALLIED SOLUTIONS LLC SERVICE CENTER 210 East Main Street, Suite 200, Niles, MI Fax: Fraud Risks Facing Credit Unions Today s Session Global risks Share how the bad guys are getting in Focus on Cyber and Card Risk Discuss what the credit union can do to prevent the risk Open discussion

More information

Navigate our app like a pro. How-to s, guides and more. Certified by J.D. Power* for providing An Outstanding Mobile Banking Experience.

Navigate our app like a pro. How-to s, guides and more. Certified by J.D. Power* for providing An Outstanding Mobile Banking Experience. Navigate our app like a pro How-to s, guides and more Certified by J.D. Power* for providing An Outstanding Mobile Banking Experience. Smart phone. Safe banking. Secure access We make keeping your money

More information

Canadian Anti-Spam Legislation (CASL)

Canadian Anti-Spam Legislation (CASL) Canadian Anti-Spam Legislation (CASL) FREQUENTLY ASKED QUESTIONS The purpose of this document is to assist and guide U of R employees regarding their obligations under the Canadian Anti-Spam Legislation

More information

CitiManager. Registering for CitiManager, Enrolling in Paper-Free Statements, and Viewing Your Electronic Statement

CitiManager. Registering for CitiManager, Enrolling in Paper-Free Statements, and Viewing Your Electronic Statement CitiManager Registering for CitiManager, Enrolling in Paper-Free Statements, and Viewing Your Electronic Statement August 6, 2013 Table of Contents 1. Self-Registration in CitiManager (Cardholders) 3 2.

More information

Mobile Security / Mobile Payments

Mobile Security / Mobile Payments Mobile Security / Mobile Payments Leslie K. Lambert CISSP, CISM, CISA, CRISC, CIPP/US, CIPP/G VP, Chief Information Security Officer Juniper Networks Professional Techniques - Session T23 MOBILE SECURITY

More information

Will you be PCI DSS Compliant by September 2010?

Will you be PCI DSS Compliant by September 2010? Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise

More information

SANTANDER TREASURY LINK TRANSITION FREQUENTLY ASKED QUESTIONS (FAQ)

SANTANDER TREASURY LINK TRANSITION FREQUENTLY ASKED QUESTIONS (FAQ) TRANSITION FREQUENTLY ASKED QUESTIONS (FAQ) INTRODUCING FOR ONLINE BANKING A NEW EXPERIENCE AHEAD We are pleased to introduce you to Santander Treasury Link and look forward to providing you with an Online

More information

Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015
