Presented by: Alan Sambridge, Head of Fraud Management, Citi Commercial and Prepaid Cards, EMEA

October 22nd 2009

Commercial Cards Learning Series - Fraud Management

Disclaimer

“These materials are provided for educational and illustrative purposes only

and not as a solicitation by Citi for any particular product or

service.”

Overview of Fraud Session

The goal of this session is to provide you with on overview of various types of fraud and card misuse/abuse.

Provide best practices to protect your organisation's card program from fraud loss, including a review of product design, and understanding the risk factors.

Identify and define strategies to prevent external fraud and internal card misuse and abuse

Increase your awareness of the services and support Citi has built to assist our clients in safeguarding their card programs against fraudulent transactions.

1

Misconceptions – Your Average Fraudster

2

The Traditional View ! The Real View !

Today’s Agenda

3

External Fraud

Internal Fraud

Programme Structure

Fraud Management

Fraud Scams

Card Fraud Top 10

2010 Hot Spots

USA - 2010

Fraud Partnership and Prevention

Future Enhancements - SecureCode + VBV

Skimming

Fraud Prevention Practical Tips

Questions ?

4

We have systems, controls and alert mechanisms.

We manage loss.

We exchange intelligence globally.

We exercise balance wherever possible.

External Fraud

Forces of Nature

We will always have exposure to fraud risk, due to powerful external influences.

The key is to manage well, but without impacting client.

Internal Fraud

Within the current economic climate, have your process controls been checked ?

5

Do you know the danger that lies beneath the waves ?

Why a bigger issue now ?

Income and bonuses down. Employment Loyalty Reduced. Susceptibility to approach.

Internal controls and procedures weak, due to cutbacks and staff reductions.

No HR background checks or segregated control responsibilities,

mobile phones in secure areas, no two-key systems.

So far in 2009…..

x1 arrest and prosecution of a client employee for serious fraud.

x1 arrest for serious drugs trafficking using business travel as cover.

x3 under misconduct investigation, for personal spend.

Internal FraudControlled Risk

There will always be an exposure to internal fraud, you will have internal controls

6

Think carefully about what our products are used for.

Do you have the right card for the right purpose?– Corporate Card (T+E) for Travel and “walking” cards.– Purchasing Card for Business to Business– Dept or CTA (Central Travel Account) type card spending.– “One Card” - a mix of both Corporate Card and Purchasing Card.

Why Use Different Cards for Travel Spend ?– A business traveler uses their Corporate Card to get them from location A to B.– A travel agent purchases multiple flights, hotels and organise conferences.

You may expect the travel agent to have a CTA Card/Diversion Accounts and obtain discounts on volume spend or ensure your corporate preferred airline is booked.

A frequent traveller would benefit from a diversion account, allowing his credit limit to be managed more effectively.

7

Programme Structure

Controlling Corporate spend, is just as important as preventing fraud.

Controlled Risk

Fraud management can be less intrusive, if a client has a clear policy and structure.

We wish we could control fraud like a TV remote !

But it can be made easier……….

Make some very clear and simple rules.

No Personal Spend is allowed and explain why.(limited consumer protection on goods, secondary taxation, etc.,)

Place a formal document on your intranet site to increase policy awareness.

Back up the policy with adequate disciplinary action as a consequence of misuse.

Use Citi data resources to support you and review merchant (MCC code) spend.

Be suspicious of late expenses, which can later become a “dispute”.

Cards used in non-Corporate areas, risk compromise at a greater level.

8

Programme StructureControlled Risk

From your plan, we now know:– Your destination from your product selection, which will help us to help you operate effectively.– The selected course is a safe route for both of us.– We can train your cardholders about managing unexpected situations. – They have confidence in our Product and Support Services– Our constant investment / innovation in technology to support client needs and service levels

is delivered seamlessly.

Fraud Management

You need a “Fraud Manager” to act effectively.

9

Known Scams

The “Known” Phishing Scams– The bank security check email / call– Update your details email

The New “Spear-Phishing”– The email from a “friend”– The Local Authority / Govt., email– The Employment Agency email

Upcoming Hacking– Home P.C. Take Over (Trojans)– Telephone taping (Homes)– Man in the middle – Facade PC screens

(Token Hijack and false screens).– Malware on mobile phones.

10

Card Fraud Top 10

Fraudulent Application Never Received Issuance (NRI) Account Take Over (ATO) Merchant Fraud Lost / Stolen Mail / Telephone Order (MOTO) Counterfeit Plastic / Cloned Cards Internet / E-Commerce ATM + Point of Sale Compromise Internal Fraud.

11

Fraudsters are creative, take advantage of weakness and have no regulatory constraints.

Current Types of Plastic Fraud

Citi doesn’t like me

2010 Global Hot Spots

The following areas and events will be monitored closely during 2010 to avoid fraud loss.

South Africa – Already a high counterfeit skimming country – World Cup in July.

Australia / Thailand / Europe

Popular backpackers destination for students

from both Europe and Asia.

More students and post-grads will be travelling

due to the recession – no job, so travel !

Temptation to supplement spending money

with cards will be high.

Commonwealth Games, India

Increasingly a counterfeit destination for purchasing Telecoms goods.

Their domestic web protection system is easy to manage, but it means more merchants are managing liability shift to protect themselves.

Winter Olympics, Vancouver - Not a big fraud event, but it draws our attention to North America !

12

USA 2010

13

During 2010, Mexico and Canada will adopt Chip and PIN.This will improve services to our cardholders, but fraud risk in the USA will increase.

The US has no plans to implement Chip and PIN and therefore we will be vigilant in 2010, monitoring non-business spending that may actually be counterfeit fraud.

Cardholders will find it difficult to believe, that the USA is such a high-risk zone, that maintaining Customer Service versus Risk, will become a challenge for us in 2010.

Education and training will be our central area of focus in 2010 and contact with cardholders is paramount.

Fraud Partnership and Prevention

Partner with Citi to leverage Citi’s Fraud prevention expertise.

Citi can assist you in training and in your product design.

Work with you to ensure your card program transactions do not appear on the “fraud radar”.

Do you have a Specialist Department, Product Buyers or senior executives who travel frequently?– Citi can organise additional training– regular conference calls– discuss new methods for supporting your cardholders

whether they travel around the block, or around the world.

14

With so many telephone and email scams, how can we warn our cardholders, or contact them ?

Education – We always ask cardholders to contact their local Service Centre.(number on the reverse of the card)

We call and email, so please do not be alarmed – We will identify ourselves.

Citi needs to be able to reach cardholders, their assistants, or PA’s, as soon as possible to protectthe cardholder

It is difficult for both Client and Citi in these situations, but if we can request a call to us, they know they are in touch with the correct people.

Together with you, Citi Fraud Specialists:– Help you to mitigate risk– Reduce declines – Support your cardholders during a fraud episode– Can work with you to prevent fraud from occurring again

15

Fraud Partnership and Prevention

Future Events - Verified by Visa/SecureCode

Like Chip and Pin, this online password security system is being installed around the world.

You just need a password at checkout when you shop online

Not currently applicable to US cards

India is currently “live” and we have plans to roll out this capability to other Asia Pacific countries.

Look for these logos on merchant websites

16

ATM Skimming—What is a Suspicious Device?

What is “skimming”? – Any terminal that reads and copies your magnetic stripe– A false cover over an ATM card insert slot, or a waiter with a small machine in his hand

Why steal your card when an extra swipe with a small hand-held device will create a copy and you will not report any loss?

A skimmer pulls the data from your card, giving the thief all the information needed to make a counterfeit card. A skimmer can hold card data from hundreds of cards. This information can be downloaded into a computer and e-mailed anywhere in the world

Remember this applies to business cards not just to personal cards

Do you ever check unmanned machines, before you use them ?

17

ATM Skimming—What does a Skimmer Look Like ?

18

Now Technology Allows the Camera to be Even Smaller …

Could You Spot the Camera?

19

Now What was Your PIN Number Again?

20

Fraud Prevention Practical Tips

Never let your credit card or debit card out of your sight

Rigorously check your monthly card billing statements

Contact Citi immediately if there are unrecognized transactions on your statement

Do not throw away card receipts (check against your statement)

Never leave your cards in an unlocked desk or drawer

Be careful when providing card information (such as PIN number or passwords) to another person

Avoid letting merchants take your card put of sight

Use your card only for authorised use as defined by your organisation

Keep your account contact information up to date

Do not keep your PIN in your wallet or purse

Do not use common personal information, such as date of birth, for a password/PIN

21

Any Questions ?

OUR AIM ?

Low Fraud

and

Happy Clients !

22

IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot beused or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment to lend, syndicate afinancing, underwrite or purchase securities, or commit capital nor does it obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable lawor regulation, you agree to keep confidential the existence of and proposed terms for any Transaction.Prior to entering into any Transaction, you should determine, without reliance upon us or our affiliates, the economic risks and merits (and independently determine that you are able to assume these risks) as well asthe legal, tax and accounting characterizations and consequences of any such Transaction. In this regard, by accepting this presentation, you acknowledge that (a) we are not in the business of providing (and you arenot relying on us for) legal, tax or accounting advice, (b) there may be legal, tax or accounting risks associated with any Transaction, (c) you should receive (and rely on) separate and qualified legal, tax and accountingadvice and (d) you should apprise senior management in your organization as to such legal, tax and accounting advice (and any risks associated with any Transaction) and our disclaimer as to these matters. Byacceptance of these materials, you and we hereby agree that from the commencement of discussions with respect to any Transaction, and notwithstanding any other provision in this presentation, we hereby confirmthat no participant in any Transaction shall be limited from disclosing the U.S. tax treatment or U.S. tax structure of such Transaction.We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer IDnumber. We may also request corporate formation documents, or other forms of identification, to verify information provided.Any prices or levels contained herein are preliminary and indicative only and do not represent bids or offers. These indications are provided solely for your information and consideration, are subject to change at anytime without notice and are not intended as a solicitation with respect to the purchase or sale of any instrument. The information contained in this presentation may include results of analyses from a quantitative modelwhich represent potential future events that may or may not be realized, and is not a complete analysis of every material fact representing any product. Any estimates included herein constitute our judgment as of thedate hereof and are subject to change without any notice. We and/or our affiliates may make a market in these instruments for our customers and for our own account. Accordingly, we may have a position in any suchinstrument at any time.Although this material may contain publicly available information about Citi corporate bond research, fixed income strategy or economic and market analysis, Citi policy (i) prohibits employees from offering, directly orindirectly, a favorable or negative research opinion or offering to change an opinion as consideration or inducement for the receipt of business or for compensation; and (ii) prohibits analysts from being compensated forspecific recommendations or views contained in research reports. So as to reduce the potential for conflicts of interest, as well as to reduce any appearance of conflicts of interest, Citi has enacted policies andprocedures designed to limit communications between its investment banking and research personnel to specifically prescribed circumstances.

© 2009 Citi®group Global Markets Inc. Member SIPC. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world.

© 2009 Citi®group Global Markets Limited. Authorized and regulated by the Financial Services Authority. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world.

© 2009 Citi®, N.A. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world.

© 2009 Citi®group Inc. All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world.

© 2009 All rights reserved. Citi® and Citi® and Arc Design are trademarks and service marks of Citi®group Inc. or its affiliates and are used and registered throughout the world.

efficiency, renewable energy & mitigation25