Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
April 25, 2016
Be Careful, Be Very Careful
Less than halfway through the spring season of banking and payments conferences, the dominant theme of cybercrime is ringing loud and clear. In the 2015 conferences, it was virtual currency, but this year, it is the threat of cyberattacks against individuals and business in both widespread and singular manners. At a payments conference last week, a representative of the Internet Crime Complaint Center (IC3) told the session audience about her center's work. The IC3 has served since 2000 as a conduit for the public to provide information to the FBI regarding suspected Internet-facilitated criminal activity. IC3 tracks and investigates hacking, money laundering, identity theft, advanced fee, and ransomware schemes. It also tracks and investigates efforts to steal intellectual property and trade secrets.
In its latest annual report, IC3 provides detailed statistics on Internet-related complaints and trends. In 2014, the center received almost 270,000 complaints, accounting for more than $800 million in losses. Average monthly complaints received were 22,452. Complaint volume peaked in July at 24,521; the month with the fewest was February, with 20,888.
I asked the IC3 representative about the top complaints the unit was currently seeing. She indicated that email compromise of targeted businesses was the primary complaint and the one that generally resulted in the highest financial loss per complaint. It is common for employees in accounting areas to be targeted. They receive spoofed emails instructing them to initiate wire transfers or to change invoice remittance payments to fraudulent parties and locations, often accounts at financial institutions located in eastern Europe or the Asian-Pacific region. Although representing less than 1 percent of the total complaints filed in 2014, the losses from business email compromise accounted for 28 percent of the total losses reported, and from January 2015 to January 2016 the loss rate increased 270 percent.
Advanced fee schemes involving home rentals or sales, automobile sales, dating services, and lottery/prize winnings are also common. As the name implies, the criminals gain the confidence of victims and demand upfront payment as a sign of good faith. Once they receive the first payment, they will often try for additional payments before disappearing.
Finally, intimidation or extortion schemes are becoming more prevalent. The criminal generally contacts the victims by phone, accuses them of being past due on tax payments or utility bills, and says if immediate payment is not made, their property will be confiscated or they will be arrested. Often the criminal has used social engineering or public records to obtain legitimate data to make their representation of the agency seem more legitimate.
The size and frequency of data breaches of financial institutions, retailers, health care and insurance companies, and government agencies have led some people to conclude that just about everyone's personal identification information has been compromised to some level. I believe it is sensible to be a bit distrustful and apprehensive about the legitimacy of offers or information you might receive through emails or websites, especially those with which you are unfamiliar. Many of the attempts are easy to spot but many others involve highly sophisticated techniques, so one should be extremely careful when on the Internet.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 18, 2016
"I want to be alone; I just want to be alone"
This was spoken forlornly by the Russian ballerina Grusinskaya in the 1932 film Grand Hotel by the famously reclusive screen star Greta Garbo. This movie line causes me to occasionally wonder why we all can't just be left alone. Narrowed to payments, why does paying anonymously have to indicate you are hiding something nefarious?
Some of you may be asking why it would be necessary to hide anything. I offer the following examples of cases when someone would want to pay anonymously, either electronically or with cash.
- Make an anonymous contribution to a charitable or political organization to avoid being hounded later for further contributions.
- Make a large anonymous charitable contribution to avoid attention or the appearance of self-aggrandizement.
- Recompense someone in need who may or may not be known personally with no expectation or wish to be repaid.
- Pay anonymously at a merchant to avoid being tracked for unwelcome solicitations and offers.
- Make a purchase for a legal but socially-frowned-upon good or service.
- Shield payments from scrutiny for medical procedures or pharmacy purchases that are stigmatized.
- Personally, use an anonymous form of payment to avoid letting my wife find out what she will be getting as a gift. (Don't worry; my spouse never reads my blogs so she doesn't know she needs to dig deeper to figure out what she is getting.)
Some of these cases can be handled easily with the anonymity of cash. As cash becomes less frequently used or accepted or perhaps even unsafe or impractical, what do we have as an alternative form of payment? Money orders such as those offered by the U.S. Postal Service are an option. The postal service places a cap of $1,000 on what can be paid for in cash. Nonreloadable prepaid cards such as gift cards offer some opportunity as long as the amount is below a certain threshold. Distributed networks like bitcoin offer some promise but may come with greater oversight and regulations in the future. Some emerging payment providers claim to offer services tailored for anonymous payments. Still, though, the future for a truly anonymous, ubiquitous payment alternative like cash doesn't look promising, given the current regulatory climate.
I acknowledge that one needs to find a proper balance between vigorously tackling financial fraud, money laundering, and terrorist financing and the need that I think most of us share for regulators and others to keep out of our personal business unless a compelling reason justifies such an intrusion. Consequently, we should be scrupulous about privacy but offer the investigatory tools when payments are used for nefarious purposes to identify the activities and the people involved. In many ways, this balancing act dovetails with the highly charged debate going on between the value of encryption and the needs of law enforcement and intelligence agencies to have the investigatory tools to read encrypted data. As Greta Garbo famously said and perhaps inadvertently foretold, some of us just want to be left alone.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 11, 2016
Combat Gear for Tax Season
Recently, a local newspaper reported on two ex-bankers who were sentenced for their roles in a two-year-long fraud scheme. These ex-bankers created fraudulent bank accounts, then generated more than 2,000 false tax returns totaling more than $2.8 million in fraudulent refunds. The IRS has plenty more stories of tax fraud to tell.
Currently, "file taxes" is number one on my to-do list, and maybe yours. Do you shiver considering the possibility a tax return in your name has already been filed by someone else? Criminals, organized or not, know they can earn a living by filing fake returns. Even a legitimate taxpayer who owes taxes can be a victim of identity theft tax (IDT) refund fraud, as defined by the Internal Revenue Service's (IRS) Security Summit. (Note: The Electronic Tax Administration Advisory Committee, which reports to Congress, calls IDT refund fraud stolen identity refund fraud, or SIRF).
Formed on March 19, 2015, the Security Summit joins the IRS, state departments of revenue, and members of the tax refund ecosystem to discuss ways to combat IDT refund fraud. The Summit currently has seven working groups, including one focused on refund authentication and fraud detection. We have blogged before on the importance of data analytics in detecting fraudulent filings; this working group is attempting to strengthen these data tools. The working group also laid out best practices for software providers in enhancing identity requirements and strengthening validation procedures. At the end of last year, Congress provided a big assist in these efforts by passing the Protecting Americans from Tax Hikes, or PATH, Act of 2015, which closes one of the biggest loopholes in the tax refund process by requiring employers to electronically file W-2 forms and 1099 forms with the IRS by January 31 of each year instead of March 31. This new requirement, which becomes effective in 2017, will allow federal and state taxing authorities to match returns with actual W-2s for the first time.
The Security Summit also has a Financial Services Working Group, which explores ways to prevent criminals from using stolen identification credentials to establish financial services products such as checking accounts and prepaid cards that would allow the criminal to access the proceeds of fraudulent returns. After all, fraud may not be realized until after processing the tax return. Refunds are distributed either by check or direct deposit via ACH, which can be sent to a prepaid account (card) or traditional bank account. The IRS can't determine which account type an ACH refund is destined for since routing number and account number aren't standardized by account type, nor is there a database of routing numbers to identify prepaid accounts. Some have suggested that knowing when it is a prepaid account could be helpful in risk rating the return before sending the refund. The Financial Services Working Group has developed a standard state ACH file-naming convention so that state tax refunds can be identified by the industry in order to apply enhanced fraud filtering. Suspicious state tax refund deposits can be detected based on amounts, name matching, account type, length of relationship, and volume of deposits or withdrawals. The new format standard will strengthen fraud control systems in that all tax refund deposits will be able to be further scrutinized.
The Security Summit has a total of seven working groups, and they have their work cut out for them. While I shiver to think I could be a victim to identity theft, I support the progressive efforts to stop this crime, especially in the pre-filing and pre-refund stages so the criminals can't see a reward for their efforts.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 4, 2016
Same-Day ACH: A Call to Action
As my colleague recently blogged, there were standing-room only crowds during four sessions related to same-day ACH at an annual conference sponsored by EastPay and the Atlanta Fed. I moderated two of the sessions, which focused on operational and product opportunities available to financial institutions (FIs) in supporting faster payments.
My suspicion is that attendance was so heavy because many FIs still have a lot to do to get ready for faster payments. I was already aware of the lack of readiness among some of the processors that these FIs rely on so heavily. During one session, only a few hands were raised among 60 attendees when they were asked if they had been contacted by their processor about preparing for the September 2016 rollout. Of course, engagement is best when it's a two-way street. On the other side of things I have heard that processor training sessions devoted to supporting same-day ACH have been poorly attended. Additionally, FI session attendees indicated that no efforts were under way to educate corporate account holders about the looming service changes to ACH.
If my suspicions are right, the current state of things is troubling; the window of time left to prepare for Phase 1 is shrinking. September is less than six short months away.
Not being ready has some potentially serious, but avoidable, consequences for FIs and their account holders. Here are a few of the risks:
- The two same-day submittal windows, which narrows the time between payment submittal and settlement, added to Phase 1 offer potentially greater risk of funds being sent out fraudulently as a result of corporate account takeovers unless FIs put proper controls in place to mitigate this risk. The potential for harm may be somewhat diminished given the individual transaction cap of $25,000.
- Since the identification method for same-day payments relies on the requested settlement date using the Effective Entry Date field, some FIs could end up being surprised to learn their credits have settled sooner than they intended. Originators that have not been careful in selecting the settlement date will experience this "surprise."
- If corporate originators inadvertently send same-day payments, such a mistake could prove costly. This is because the 5.2 cent same-day interbank fee, paid by the originating bank to the receiving bank, will likely be passed along to the originator. A corporate originator mistakenly sending same-day credit payments to 10,000 employees could incur an additional $520 fee plus any other upcharge associated with sending same-day payments.
- Taxpayers may expect that just-in-time payments or late payments to avoid additional penalties can be made using same-day ACH to the IRS. As my colleague noted in the post I mentioned above, such payments will not be supported in Phase 1. Therefore, it is critical that FIs educate their account holders about this limitation.
- Unless controls are put in place by their processors, FIs may have difficulty stopping same-day service to corporate account holders they judge to be too risky for sending same-day payments, or when agreements have not been put in place allowing corporate participation.
- Since next-day ACH is the earliest settlement generally available today, some processors preclude using today's date as a settlement date. Unless this restriction is removed, originators would not be able to send same-day payments when Phase 1 service becomes available.
The risks outlined above are just some of the reasons FIs and their processors will want to be sure they are prepared for the September 23 deadline. Failure to do so could damage account holder relationships. NACHA, the regional payments associations, and the ACH operators offer a wealth of information on same-day ACH that all parties need to avail themselves of.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Be Careful, Be Very Careful
- "I want to be alone; I just want to be alone"
- Combat Gear for Tax Season
- Same-Day ACH: A Call to Action
- Continuing Education in Mobile Payments Security
- The Insider on the Outside
- Same-Day ACH: An NFAQ
- Card Chargebacks: Sorting Out the Facts
- Warning! This Vehicle Has Been Immobilized
- 2016 Payment Predictions
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud