What Happens When TSA Mangles Your Bag?


By Robert McGarvey


It’s a traveler’s nightmare. Something is stolen from your checked bag – it’s almost always the good stuff too such as jewelry or a slick camera – or maybe the bag and its content simply are demolished and what you retrieve at baggage claim is scrap.  Then what?

Surely you’ll be made whole, particularly when your gripe is with TSA, a federal agency, not an airline.


An NJ.com story’s headline tells you what to expect: Good luck getting money from the TSA for your lost, damaged luggage.  

New data via Dorian Banutoiu – which looks at 16 years of claims, 2002-2017, is just as grim.  It shows that of 218,000 claims, 101,000 were denied, 9000 are pending, and 83,000 are marked paid.

The NJ.com research crunched data from only the 15 busiest airports – Newark included – and it found that: “Of the 34,127 claims filed at these airports from 2010 to 2017, almost 41 percent — or four out of every 10 requests — were denied. In contrast, about 26 percent were approved for payment or settled for a lesser amount. About 13 percent were under review, and the rest had been canceled.”

In the LA Times, reporter Hugo Martin – drawing on TSA data mainly from 2016 – concluded this: “Of the TSA claims that are resolved, 54% are denied, 24% are approved in full, 12% are settled for an amount less than what was requested and 10% are canceled or closed out for other reasons.”

Martin continued: “The most common items lost or damaged are bags, cases, purses, clothing, computers and accessories and jewelry.”

That’s right, the good stuff.  Nobody wants to take my 20 year-old LL Bean toiletry bag, please.

Martin added: “Jewelry, cash and camera equipment are the items rejected by the TSA at the highest rate, at least 70% of the time.”

The data also show that claims made at checkpoints are far more likely to be approved than are claims involving checked baggage.  That’s bad news because NJ.com data show that 75% of claims involve checked baggage. Just 24% are at checkpoints.

The average settlement amount over the past 16 years is $199.

Curiously, according to Travel Pulse, “If you are filing a claim, you are more likely to get repaid if you file it in the first half of the year, according to the data, which found that there was a lower average of payments approved in the second part of the year.”

NJ.com added: “Critics say the TSA takes an overly harsh approach, often claiming it can’t find evidence that it was responsible for the loss or damage. And the agency continues to deny the problem of theft at airports, they say, though there’s few other explanations for the losses.”

Theft, according to NJ.com, is the biggest issue: “About 60 percent of all the claims at these airports related to property loss.”

Some airports have so much theft that occasionally local police issue warnings, as happened not long ago at Orlando.  

Some grumbles about TSA are genuinely macabre, such as an NFL player’s complaint – with photos to prove his point – that TSA spilled his late mother’s ashes in his bag.  

Particularly interesting in the NJ.com data dump is its tally of which airports are most likely to see claims denied and the big winner – by far – is Las Vegas/McCarran where 56% of claims are denied.

The best airport for these matters is San Francisco where essentially all claims are approved.

Newark Airport, for what it’s worth, came in just behind San Francisco, approving roughly 65% of claims.

How not to become a victim? That’s easy. Never pack anything of value in checked baggage. Clothing, maybe. But jewelry, electronics, etc., nope, do not think about it. Carry it on. Or leave it at home.

Also, report any losses as soon as detected, ideally within 24 hours.  Procrastination will work against you.

Some passengers are also buying GPS trackers for their luggage – although there’s no clear connection between tracking a bag’s whereabouts and stopping theft of particular content.

The bad news of course is that, in coach, the battle for the overhead bin is as fierce as ever, as a USA Today headline shouted.  That forces many passengers to check bags and that triggers many possible miseries.

There is a cure. My advice regarding valuables is if you don’t need it, don’t bring it.  Personally I travel with an old Chromebook – not worth $100 – and if it went missing I’d shed no tears.  I bring no jewelry.  Nothing of any real value. Haven’t in some years.

Spartan? I suppose. But very, very practical in today’s travel marketplace.  




Sustainability, Business Travel and You


By Robert McGarvey

87% of us want to travel sustainably, said a recent poll via Booking.com. But more of us fail than succeed.  39% said they always or usually travel sustainably. But 48% of us admit we fail.

Business travel is a substantial offender. Said pwc: “Business travel remains our single largest source of carbon emissions, and – as we’ve continued to reduce our emissions from energy – has grown to around 80% of our total carbon footprint in 2017.”

Most big businesses would have to say ditto. Where their pollution is biggest is in travel.

The prime offender of course is air travel:  it amounts to 70% of our total emissions, per pwc.

The more I dig into sustainability and business travel, the more questions and concerns I have.  Suddenly sustainability seems a life or death issue.

One look at starving polar bears ought to persuade you that this stuff is serious, it is way beyond a crunchy granola fear.

Here’s the idea that frightens many business travelers: “The simplest way to cut emissions caused by travel is to avoid it,” said pwc.  


I am a product of a time and a work culture where a possible trip produced quick assent: sure, I’ll go.  It could be a convention in Chicago, an angry client in Washington DC, a prospective new client in Los Angeles, or a speech in Boston. It didn’t matter. Sign me up.

Now I am beginning to question every trip: is it necessary? Can I do it via telephone?  

When the impact of business travel was mainly on my time, I shrugged off the time burdens and said sure.  Now – increasingly – the impact seems to be on the planet itself and that is a much bigger issue.

A bonus: traveling less is also good for our personal health.  The evidence is strong that a heavy travel load is bad for our bodies.

That’s another reason to really question our trips.

Do you remember when it was common for a big company to send a few hundred junior execs off to a conference center to spend three or four days learning, say, Lotus 123 or WordPerfect? That was the norm and, for many Boomers, it seemed fun.

Millennials, who today are carrying the bulking of the business travel load, aren’t buying the rationale of that trip, mainly because they know that they could learn new software perfectly well at their desks – with no new carbon hits such as are associated with those those trips of yesteryear to learn new software.

Oh, I also vividly recall a story told me by the VP of HR at a Fortune 100 company where, in the mid 1980s, as a junior exec, he was sent off to one of those trainings where he in fact learned Lotus 123. Just one problem.  When he returned to his office, he still did not have a computer and by the time he got a computer a few years later, he didn’t remember a thing about Lotus 123.

But he did tell me that under his leadership the company was minutely scrutinizing all planned educational meetings – and he hoped to eliminate most.

That’s a harsh reality. As I look back I see a lot of trips that I now see as unnecessary.  

I am a fan, incidentally, of big, glitzy, high energy sales conferences – they pump up attendees in ways that won’t happen when you sit at a desk and watch a video of even a high impact speaker like Tony Robbins.  In person just is more powerful.

Small meetings where intimate exchanges happen also can only be in person.

But a lot of business travel remains a product of habit, of how we have always done business.  And maybe it’s time to rethink.

Right now, hotels are tripping over themselves to announce they will no longer use plastic straws.  Some also are replacing individual toiletries with bulk dispensers. Many others encourage us to use towels and sheets multiple days.

So what?

All those steps are good as far as they go but they don’t go far and if you never use a plastic straw again in your life it will have zero impact on polar bears.

We probably shouldn’t be in that hotel room at all.

What really matters is flying only as necessary.  Using public ground transportation. Walking is better still.

Always ask, is this trip necessary? Really?

What’s the lowest carbon impact to get this business handled?

The encouraging reality is that more of us are genuinely asking those kinds of questions and acting accordingly.  The old days of “sure, boss, I’ll be in Houston tonight, no prob” are over. Maybe we’ll go to Houston, maybe we won’t, and what’s new now is that we’ll carefully assess the alternatives. When flying is the better choice, off we go. When it isn’t, home we stay. And that’s a better reality. For us and for the planet.

The Good News About AML: Technology to the Rescue


By Robert McGarvey


For CU2.0


Talk with credit union AML/BSA staffers as well as senior executives and you will hear a torrent of woe is me complaining about rising workloads, intransigent regulators, too tight budgets, and inadequate resources.

And then there is a new report from Aite Group’s Julie Conroy – based on extensive interviews with over 40 BSA/AML experts – and the title tells you the theme: The AML of Tomorrow: Here Today.

In the second paragraph Conroy puts out the good news: “Advanced technologies such as machine learning, robotic process automation (RPA), and natural language processing and generation are helping to even the playing field by enhancing both detection and operational efficiency. The even better news: Regulators are gradually growing comfortable with the use of these advanced technologies for AML.”

Read that again.  What she is insisting is that financial institutions now have access to technologies that will let them keep pace with – maybe get a step ahead of – criminals who want to launder money.

The stakes are high.  Two credit unions in the past decade have effectively been put out of business because of AML deficiencies – Bethex and North Dade.  

No credit union wants to be linked with money laundering. But, frankly, trying to keep up with this with a small staff who are doing everything by hand is a loser’s tactic.

How much money is laundered annually? Nobody knows. The United Nations has estimated it’s somewhere between $800 billion and $2 trillion.  The high end is about the GDP of Brazil and more than Italy’s.  That’s a lot of money in motion and, accordingly, you have to assume that the people who have put it in motion are savvy, wily, and of course know exactly the defenses used by banks and credit unions.

Accordingly, FIs are spending a lot to defend themselves – much of it on payroll. Conroy cited a report from the Clearing House that estimated that major US FIs spent $8 billion on compliance in 2017. She also noted that one large US FI interviewed for her report employed more than 5000 in compliance and “can’t hire fast enough.”

All those workers push out an avalanche of SARs. In 2013 they filed 1.22 million. By 2017 that rose to 2.03 million.

Conroy also pointed to a numerical disconnect that frustrates AML workers and their bosses.  “the fact remains that there are on average only 1,200 moneylaundering- related convictions per year in the U.S., compared with over 1 million SARs filed per year.”

In other words: is all the work really worth the effort and expense?

It gets worse. In many institutions, said Conroy, business line execs grumble that AML teams are “hassling” their customers, making it harder to do the business that brings in money to the FI.   AML, in many institutions, is seen as a nuisance that wastes money while making it harder to make money.


Wrote Conroy: “All of this points to the need for the AML function to find technology that enables precise detection while minimizing false positive noise.”

She continued: “The trifecta of increasing criminal sophistication, a steady increase in regulatory expectations, and under-resourced AML departments are bringing AML efforts to a breaking point. As a result, financial services firms are beginning to embrace technologies such as machine learning, RPA [robotic process automation], and natural language processing and generation.”

“Today’s AML function can no longer rely on legions of AML analysts, investigators, and rules-based automation. The use of advanced technologies is needed to aid AML departments in the gathering, filtering, and meaningful assessment of data from multiple sources in multiple formats.”

That prescription puts fear in the hearts of many credit union leaders – they worry about the costs and also the complexities of advanced technologies.

But Conroy has this absolutely right. The only way to stay ahead the AML wars is with technology that can automate much detection and even reporting.  There just aren’t enough AML staffers to be hired and so they get paid ever more.

But – and this is crucial – many of them are burning out, even quitting.  

The machines won’t quit on you.

What should your next step be?

In her report Conroy reviews the many technology options out there. Get the report, read her reviews.

And then what?  Her advice is simple: accept that you can’t wait, delay is not an option.

She added: “Try starting small. Cloud-based solutions can be implemented in modules that wrap around or interact with legacy systems to improve performance without a ‘rip and replace’ scenario. In this way, FIs can address the most pressing system deficiencies relatively quickly with less impact to budget and IT resources.”

It’s good advice.

Just don’t wait.


Fiserv Core Flaw Exposed Customer Data at Hundreds of Banks: Security Researcher


By Robert McGarvey


Highly regarded security researcher Brian Krebs has published a bombshell report that maintains a flaw in some Fiserv banking technology leaves customer data potentially exposed to criminals.

Krebs does not finger credit unions that may have fallen victim to this but there is no reason to think some aren’t.  

Krebs credited the flaw discovery to independent security researcher Kristian Erik Hermansen who noticed that when he setup an alert on his bank account, the alert was assigned an event number.  So Hermansen, on a hunch, tried to log into an event number a digit different and what he found was that he indeed could log in.  This matters because, said Krebs, “In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.”

That means a criminal could add his email address to the account and get alerts on, for instance, all transactions.

Krebs also noted that a criminal could hunt for customers who had set up high minimum balance alerts – $5000, say. Which would tell the crook he could siphon out $4999 and he might be undetected for some time.

Krebs said he personally signed up for accounts at two small banks that use Fiserv.  Here’s what he found: “In both cases I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request.”

He said he found “hundreds” more banks with similar vulnerabilities.

Krebs told Fiserv what he had discovered. The company responded this way: “Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave said. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”

Cave elaborated to Credit Union Times: “This is related to a one-way messaging feature on a limited number of bank websites. Upon notification, we promptly developed a patch to update the feature, deployed the patch to clients using the feature and completed testing to confirm the issue has been fully resolved. Our ongoing research and continued monitoring have not identified, and we have not received reports of, any adverse consumer impact.”

There is no count of the number of websites impacted by this flaw.

Any credit union running a Fiserv core and/or online banking ought to quickly contact Fiserv and inquire into the availability of that patch.  They ought also to see if they can replicate Krebs’ hack of the alerts system. And – above all else – check your own systems to see if you can replicate the Hermansen hack.

If you can, take action.

Krebs said that, in his inspection, the Fiserv patch in fact works.  “This author confirmed that Fiserv no longer shows a sequential event number in their banking sites and has replaced them with a pseudo-random string.”

But Fiserv is not blowing trumpets to announce the patch or the flaw.

A scan of Fiserv’s Twitter feed found no mention of the flaw or Krebs’ reporting or the purported patch.   

There’s silence over at Facebook too.

Julie Conroy of Aite told Krebs this about Fiserv’s customers: “These financial institutions use a core banking provider like Fiserv because they don’t have the wherewithal to do it on their own, so they’re really trusting Fiserv to do this on their behalf,” Conroy said. “This will not only reflect on Fiserv’s brand, but also it will impact customer’s perception about their small local bank, which is already struggling to compete with the larger, nationwide institutions.”

What she is saying is that big banks – that ordinarily don’t buy off the shelf technology from a Fiserv – may have a competitive advantage because they build their own.

I’m not sure that is true – I doubt most consumers have a clue as to whether their bank or credit union technology is off the shelf or bespoke.

But Conroy is right: in some ways the big banks keep expanding their technology lead over small institutions. That does not have to be the case. A smart credit union can use fintech alliances to create an institution that is the rival of even the most polished money center banks.

But the credit union has to want to get there.

And a necessary first step is cleaning up that Fiserv mess if your institution is a victim.  Do it now.


The 20% Travel Ripoff


By Robert McGarvey


Can you do basic arithmetic? Do percentages? Of course you can and, in fact, we learn in fifth and sixth grades how to compute simple percentages in our heads. Quick now, what’s 20% of $100 – or 20% of $250?

Sure, you can do the math. But now some MGM resorts in Las Vegas – notably Aria, Bellagio, and my once personal favorite, Vdara – will tack on a 20% upcharge when you get a massage, facial, haircut, and similar.

Bellagio, on its website, explains the upcharge: “For your convenience a 20% service charge will be added to each spa and salon service received. A portion of the service charge is dispersed to the spa and salon staff members who served you and the remainder is an administrative fee. Additional gratuities are at your discretion.”

The LATimes, in reporting on this, quoted an email from company spokesperson Brian Ahern: “Our employees go above and beyond to provide the best possible service, and it’s important that they receive recognition for a job well done.”


A coerced tip somehow counts as “recognition for a job well done?’

When a masked man puts a gun in your gut and takes your wallet, is this recognition for a job well done?

It’s Vegas, baby.

But it is nonsensical.

It’s picking my pocket to let the employer underpay its employees and why, by the way, is the customer hit with an “administrative fee” when paying a tip?

Don’t ask, there is no answer.

The trouble is that what starts in Las Vegas often spreads, like a bad disease, across hospitality.  Consider resort fees.  Sure, a few Las Vegas hotels shun the practice but most slap a fee – $39 per night at Vdara and Bellagio, by the way – and you got me what you get in return.

Across America, many, many more hotels – some in cities – have climbed on and now impose “resort fees” or “urban amenity” fees mainly as a way to hike room rates without actually hiking room rates.  But that $99 hotel room has become $129 and the culprit is the resort fee.

Now, Las Vegas has decided we are too dumb – or cheap – to tip their salon and spa employees and, oh wait, isn’t it the employer’s job to compensate employees?  Not the customer’s?

It’s Vegas, baby.

A few years ago I ran across a spa in Arizona that hit customers with an automatic 20% tip and when I asked the company president what possibly justified this, he took offense. Didn’t I see that he was providing his spa customers with a convenience? Doing the math for them because, presumably, they are too blissed out by the spa treatment, or maybe just too stupid, to do a simple calculation that most 12 year-olds can do in an instant.

Johnny, what’s 20% of $120?

Jane, how about 20% of $160?

(Hint: just multiply 2 times the first two digits and, bingo, you have the sum.)

I am and have been opposed to mandatory gratuities – anywhere from cruise ships to spas.

I also, some years ago, drove a taxi and gratuities made or broke my night.  If I got stiffed by too many fares, I cursed them and I went home with a lot less dough than I had hoped for.

I understand the importance of gratuities.

But I resent it when they are shoved down my throat.

I am okay, by the way, with Danny Meyer’s campaign to end restaurant tipping and instead build tips into the prices for food shown on the menu. Of course I’ve eaten at enough Meyer places to believe his staff will deliver good service without the promise of a possible tip, or the withholding of one – and the difference between what Meyer believes is right and what MGM is forcing on customers is that Meyer shows one price, tip already built in, whereas in the hotel business there’s a service price and then, by magic, a service charge is tacked on so that $100 haircut now is $120.

With Meyer there is no chicanery. That’s the difference.

Automatic “gratuities” by the way seem rampant in the spa world and you have to ask: why is management so cheap that it won’t pay its employees adequately and why are customers so passive that they go along with this extortion?

Maybe what starts in Vegas really should stay in Vegas.

BSA, AML, and Your Credit Union: The New Perils


By Robert McGarvey


For CU2.0

Ask a senior credit union executive what’s new at his/her institution in regard to anti money laundering (AML), Patriot Act, and Bank Secrecy Act initiatives and the reality is that you will have a longer and friendlier conversation if you asked about his/her last colonoscopy.

Yes, it’s that bad.

And that’s despite the reality that a credit union can be shut down if it grievously botches its BSA and AML analysis.

Buckle up because in December 2016 FinCEN issued a press release where it announced a $500,000 fine against a credit union named Bethex in the Bronx.

Bethex has assets of under $13 million.  

They were folded into USALLIANCE, a Rye NY credit union. Bethex was no more.

FinCEN outlined Bethex’s sins: “In 2011, Bethex began providing banking services to many wholesale, commercial money services businesses (MSBs). Many of these MSBs were located in high-risk jurisdictions outside New York and engaged in high-risk activity, including wiring millions of dollars per month to countries at risk for money laundering. When Bethex began to service these MSBs, it did not take steps to update its AML programs.” 

“Among other violations, Bethex failed to timely detect and report suspicious activity to FinCEN and did not file any Suspicious Activity Reports (SARs) from 2008 through 2011. In 2013, as a result of a mandated review of previous transactions, it late-filed 28 SARs. The majority of the suspicious activity involved high-volume, large amount transfers outside of Bethex’s expected customer base by MSBs capable of exploiting Bethex’s AML weaknesses. Most of those SARs were inadequate and contained short, vague narratives encompassing a broad summary of multiple and unrelated instances of suspicious activity. For example, one SAR covered over $906 million in total aggregate of suspicious transactions, but provided little information useful to law enforcement investigators.”

In 2015, North Dade – a small Florida credit union – was effectively put out of business because of AML and BSA violations.  In 2013, tiny North Dade moved over $1 billion in wires, often overseas. According to FinCEN: “When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage,” said FinCEN Director Jennifer Shasky Calvery. “This case raises pretty obvious questions that no one seems to have asked. Why would MSBs located all over the world choose a small Florida credit union to conduct close to $2 billion in transactions? Credit unions pride themselves on close and low- risk relationships with known neighborhood customers. However, North Dade welcomed customers far beyond its field of membership, without adequate policies and procedures to ensure AML compliance.”

Face this reality: the big banks have big teams in place to handle BSA, AML, etc. They also have invested – heavily in many cases – in automation that takes a lot of the heavy lifting out of compliance. Machines do the work.

Credit unions – especially the vast majority with assets under $1 billion – generally have not invested in automation for compliance. “There are case management systems that are good. They can be expensive for a small FI.  A lot of bigger banks are using robotics to get screenshots of bank statements and so on – an analyst doesn’t have to spend an hour collecting it. Only the biggest banks are doing this,” said Alma Angotti, managing director in the Global Investigations & Compliance practice of management consulting firm Navigant Consulting, Inc.

Another issue that many small financial institutions now face: “Many employees in compliance are burning out,” said John Podvin, a Dallas lawyer well known in BSA circles.  He added: “There are people in BSA who are asking themselves, do I want to be second guessed all the time. Some are leaving the field.”

A reality in BSA/AML is that the easier course is to file a SAR (suspicious activity report – this documents flags an action for possible investigation by law enforcement). Do that and a financial institution probably has satisfied its regulators. “There is no downside to filing,” said Angotti.

Where the credit union may find itself in a pothole is when it does not file a SAR. In that case the credit union needs to justify why it did not file – and an examiner may well challenge the credit union.

And that means many more hours get invested in explaining and justifying decisions.  Said Podvin: “There are increasing expectations from examiners – that’s the biggest problem now.”

“It’s one thing for a big bank with a staff of several hundred working in compliance. It’s different for a community bank.”

Or credit union.

A result is that slender compliance staffs may be worn down in many small credit unions.

Another barrier at credit unions: there may be “competition for scarce IT resources,” said Angotti. Doing BSA/AML research is computer intensive and, at least at smaller institutions, there may be a battle for resources and ask yourself this: who will win if the fight is between marketing, which needs IT resources to power a new campaign that may bring in lots of new members, and compliance which wants to research possibly suspicious activity by members?

It’s a fight that compliance usually does does not win.

Don’t expect BSA/AML workloads to magically lighten.  

Possible light at this tunnel’s end, said Podvin, is a federal effort to streamline some BSA/AML compliance.  He pointed to pending legislation, HR 6068, as offering hope to financial institutions. The aim of the bill, in its own words, is to “reduce regulatory burdens, and ensure that the information provided is of a ‘high degree of usefulness’ to law enforcement.”

Don’t count on relief until a bill is signed into law.

Meantime, good advice for top credit union management is keep your ear to the ground and ask – and ask again- your BSA and AML teams what issues are they facing and what resources they need to do their jobs better and smarter.  

No credit union CEO wants to increase the budget for compliance work.

But no credit union CEO wants his/her institution to go the way of Bethex.

That makes the choice easier.