Retail Payments Risk Forum
Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
Take On Payments
February 21, 2017
The Social Benefits of Biometrics
Based on my experience, most discussions about the authentication of individuals using a biometric modality (such as fingerprints, or voice or facial recognition) often just focus on key issues such as reliability, security, ease of use, cost, and privacy concerns. Certainly these are important issues, but one that is often omitted in the conversation is the use of a biometrics system for health and safety purposes.
My wife and I were recently blessed with the birth of our fifth grandchild, a beautiful baby girl. During the hospital visit, the risk management side of me evaluated the security aspects of the facility. What methods prevent the accidental swapping of babies or the theft of a newborn? While the frequency of such incidents in developed countries is very low, it is a more challenging issue in developing countries where medical recordkeeping is often minimal and limited to paper documents.
Talking to the hospital staff, I found out they have a number of safeguards in place to ensure the right baby is with the right mother:
- Wristbands with barcodes that have to be scanned each time the nurse visits their room
- An embedded RFID transmitter in a cut-resistant bracelet on the baby's leg that allows staff to see on a locational display where the baby is at any time and to sound an alarm if the infant is taken outside the protective area
These systems link the baby to the mother, but what actually documents the identity of the baby? The paper card with the baby's left and right footprints and the mother's right thumbprint has been used for decades, but is that sufficient for the future?
This issue of infant authentication reminded me of a presentation I recently attended given by noted educator and biometrics researcher Professor Anil Jain at Michigan State University. Jain and his team worked under a grant from the Bill and Melinda Gates Foundation to develop a reliable, low-cost authentication process for young children. The primary purpose was to enable the tracking of children's vaccination schedules to ensure that the right child receives the full regimen of immunizations. One of the critical issues Jain and his team faced is the difficulty in obtaining usable fingerprints from newborns—the skin on their fingertips is pliable, which results in poor contrast between the pattern of their ridges and valleys.
The goal of the research program was to determine the earliest possible age at which reliable fingerprints could be obtained using current technology. Using a high-resolution optical reader providing a fast capture rate (infants don't like to be still for very long), the research team found that fingerprint enrollment for children older than six months provides acceptance rates of 99 percent. This method can potentially serve as a reliable authentication method for the remainder of their life. Coupled with the creation of an electronic health registry, the health care worker needs only to scan a child's finger to bring up immunization records and determine any future vaccinations required. You can find a short presentation of Jain's work here.
While the public is likely to continue to question the overall benefits of biometrics, Jain's work shows an additional use for biometrics technology. Where else might biometric programs be applied?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 13, 2017
The Five-Star That Flops
For the most rabid college football fans, a major day just occurred—National Signing Day, the day when high school seniors sign scholarship papers to attend their colleges of choice. Not only have these seniors been evaluated by coaches, but also entire websites are devoted to their evaluation and ranking using a star-based system, with a five-star player being a top-rated, can't-miss player. Traditionally, much fanfare accompanies these players, and media and fans shower them with attention. Many times, these five-star players go on to accomplish great things at their respective schools, but sometimes they are "busts," failing to live up to lofty expectations and making minimal or no impact for their team. Unfortunately, my college team has had its fair share of five-star busts. Because of being let down, I no longer get caught up in recruiting rankings and I don't fret about the big recruit that got away. And in 2017, this is my new attitude when it comes to mobile payments at the point of sale, or POS.
I've been in the payments industry for a decade, and for over half of that time, I've been hearing and reading how mobile payments are going to change the POS experience. I've heard major announcements about new mobile payment wallets, from Apple Pay to Samsung Pay, and platforms, such as LevelUp, time and time again. I have overheard conversations with contemporaries and colleagues about the latest and greatest mobile solution that will forever change my experience at the POS.
But in 2017, I am not hearing any of this anymore because I am tuning it out. Oh, I am sure that I could attend a conference this year and within the first hour, someone would state that 2017 is the year of mobile payments. But after hearing about the next great mobile wallet or that this wallet will finally bring mobile payments to scale repeatedly, year after year (you get my tone by now), I am no longer getting caught up in the hype around using my phone instead of a card at the POS.
However, I will continue to get excited about mobile commerce opportunities. With more and more people shopping on their mobile phones and tablets, apps and in-browser platforms are making that experience so much better. When picking up a coffee on my way to the office or grabbing a chicken sandwich for lunch after ordering ahead on my mobile phone, I always wonder to myself, why are all those people standing in line? (I am a bit worried, and apparently rightfully so, that as more people use order-ahead features, that pick-up line might grow to be worse than the traditional ordering line.) During the Christmas season, I purchased many gifts on my mobile phone, and that experience was almost always simple and seamless—unlike in years past, when it was a bit cumbersome.
Using my phone to order ahead or shop online has truly simplified my life, unlike using my phone as a replacement to a card at the POS. With so much hype around mobile at the POS, I believe that many people only relate mobile payments to this use case, but it is so much broader. And I believe the mobile commerce piece is akin to the unheralded two-star recruit who goes on to lead his team to the national championship. What do you think 2017 entails for mobile and its place in payments and commerce?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 6, 2017
ACH: No Trace Left Behind
In my payments research role, I believe that one problem with ACH is the lack of any definitive method for identifying a payment and any associated return, dishonored return, or contested-dishonored return using only the existing 15-digit trace number. Ideally, the trace number alone should facilitate the correct retrieval of payment or return details even if other payments contain duplicate payment details, such as for recurring payments.
This PDF file contains an image that outlines the complex web of relationships that can be used to trace back returns to the original payment. Without the benefit of a unique trace number, the identification of the original payment could involve using common data elements to minimize misidentifying the payment.
A unique trace number would offer the following advantages:
- Unambiguously identify a specific payment
- Facilitate tracking features similar to what is available from package delivery services such as transmittal, settlement and receipt date/time, and similar tracking of any associated return(s)
- Enhance risk-monitoring capability
- Simplify reconciliation and auditing
- Flag or prevent a return from settling before its associated forward payment
- Identify "orphan" returns sent across the public network when the original payment was sent privately between financial institutions (FI)
- Link together forward and return payments for certain international payment applications that are not possible today
Under NACHA rules, the FI originating the payment assigns a unique 15-digit trace number; the trace number's uniqueness is necessary to differentiate each payment in the batch. Uniqueness is not mandated across payments in other batches in the same payments file. Consequently, a trace number could be repeated in multiple payment files on the same day or across many days—and, even more troublesome, within the same payments file. NACHA strives for uniqueness by mating the trace number with an associated batch number, transmission (file creation) date, and a file ID modifier. Unfortunately, any return of a payment only passes along the original trace number without the benefit of the mated data.
A possible solution that could overcome the current limitations of the trace number would be a one-time-use, ACH-operator-assigned, 15-character alphanumeric trace number. When the originating network operator receives a file, the operator would replace the FI trace number with a unique trace number that he or she would forward to the receiving FI. Any return sent back to the originating FI would have the unique operator trace number converted back to the original FI trace number. For convenience, a cross-reference file associating operator trace numbers with FI trace numbers could help facilitate non-network communication between originating and receiving banks.
Operators could guarantee uniqueness by allowing an operator trace number to contain digits and upper and lowercase letters. Expanding to a 62-character set results in over 3.5 trillion distinct values using the last seven characters of the trace number (the first eight characters are the originating FI's routing and transit number). Further requiring at least one non-numeric character allows differentiation with FI numeric-only trace numbers.
What are your views on the benefits and disadvantages of non-repeatable trace numbers?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 30, 2017
Pssst…Have You Heard about PSD2?
No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.
The directive and subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape, including:
- Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customer's behalf as well as data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.
- Requires financial institutions, upon the request of their customers, to allow these approved nonbank, third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application program interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to the retention of their customer's business as well as concerns with data security.
- Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that the criminals will have fixed transaction amounts and authentication methodology information to modify their attacks.
- Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.
While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
* Final rules are expected to be published in January 2017.
- The Social Benefits of Biometrics
- The Five-Star That Flops
- ACH: No Trace Left Behind
- Pssst…Have You Heard about PSD2?
- Mobile Banking and Payments Survey Results
- Expanding Cybersecurity
- The Year in Review
- Why U.S. Card Fraud Is Now Present and Accounted For
- Making Sense of Dollars, Part II
- Making Sense of Dollars, Part I
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud