Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 24, 2017
FIDO Tightens Authentication's Leash
Our blog often covers user authentication challenges confronting financial institutions and merchants. We feel this topic is essential given that consumers are increasingly going online to make payments and their passwords tend to be weak. Financial institutions and merchants face a difficult balancing act. They must be confident that their authentication tools effectively confirm the legitimacy of the individual attempting a transaction, but they also have to make sure these tools don't create a bad experience for the customer.
A meeting in 2009 between a fingerprint-sensor manufacturer and a global, third-party payment provider to fingerprint-enable online payments quickly turned into a conversation on how to develop an industry standard for the general use of biometrics to identify online users. Ultimately, this meeting led to the formation of the FIDO (Fast IDentity Online) Alliance in 2012. FIDO currently has a global membership of more than 250 companies and agencies spanning the payments, mobile, PC, and transaction security industries.
FIDO's principal effort has been to develop a set of specifications and certifications covering consumer devices, mobile and web applications, and biometric authentication methods for e-commerce applications. Products certified to these specifications reduce dependence on passwords, lower transaction friction, and resist stolen-credential attacks such as phishing, man-in-the-middle attacks, and transaction replays.
FIDO initially focused on mobile devices, which allow authentication with the fingerprint sensor, microphone, and camera, and developed the Universal Authentication Framework (UAF). This framework provides enhanced security using public-key cryptography, with the keys and biometric templates remaining on the mobile device. The user goes through a device registration process that creates the biometric template and a cryptographic key pair on the device and registers only the public key with the online service. To perform a transaction, the customer uses one of the phone's biometric sensors to unlock the private key on the device, which signs a one-time challenge from the service; the service verifies the signature with the stored public key. The biometric itself is matched on the device and is never sent to the service, so a breach of the service's database exposes only public keys.
To extend these strong cryptographic authentication capabilities to second-factor use cases on the web, FIDO established a second set of specifications known as FIDO U2F, or Universal Second Factor protocol. With this protocol, the user inserts a certified U2F device, also known as a security key, into the computer's USB port or connects it over Bluetooth or near-field communication. The web application, running in a FIDO-compliant browser, first asks the user for a password and then authenticates the user with a challenge signed by the private key held on the U2F device. Because the signed response is bound to the web origin the browser is actually talking to, a look-alike phishing site cannot reuse it against the genuine one.
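As an added illustration of the challenge-response flow described in the two paragraphs above (this is example code written for this page, not code from the post or from the FIDO Alliance), the following Go program models a UAF/U2F-style authenticator and relying party. It uses the U2F signature layout (hash of the origin, a user-presence byte, a counter, and the hash of the challenge) over ECDSA P-256; the origins "https://bank.example" and "https://bank-example.login", the 32-byte challenge, and the three scenarios are constructed for the example. It shows why the service needs to store only the public key, why a response produced for a look-alike origin is rejected, and why a replayed response fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the key holder (the phone's secure storage under UAF, a
// security key under U2F). The private key is generated here and never leaves this struct.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // advanced on every signature
}

// RelyingParty stands in for the online service; it stores the public key only.
type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	lastCtr uint32
	pending []byte // the single outstanding challenge, nil when none
}

// signedMessage follows the U2F layout: H(origin) || user-presence byte || counter || H(challenge).
// Because the origin is part of the signed bytes, a response produced on a look-alike site
// cannot be verified by the genuine one.
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	o, c := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	msg := append(o[:], 0x01) // 0x01: user presence / biometric unlock confirmed on the device
	msg = append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, c[:]...)
}

// Sign runs once the biometric or touch unlock succeeds: the device signs the challenge for
// the origin the browser reports and advances its counter.
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	d := sha256.Sum256(signedMessage(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, d[:])
	return a.counter, sig, err
}

// Verify rebuilds the message with the service's own origin, consumes the challenge and
// requires the counter to advance, so relayed, replayed and cloned-key responses all fail.
func (rp *RelyingParty) Verify(counter uint32, sig []byte) error {
	if rp.pending == nil {
		return errors.New("no outstanding challenge")
	}
	d := sha256.Sum256(signedMessage(rp.origin, counter, rp.pending))
	rp.pending = nil // single use, whether or not the checks below pass
	if !ecdsa.VerifyASN1(rp.pub, d[:], sig) {
		return errors.New("signature does not verify for this origin")
	}
	if counter <= rp.lastCtr {
		return errors.New("signature counter did not advance")
	}
	rp.lastCtr = counter
	return nil
}

// Scenario returns nil for a genuine login and the rejection reason for a phished or
// replayed one. Both origins and the 32-byte challenge are constructed for this example.
func Scenario(kind string) error {
	// Registration: the key pair is created on the device; the service keeps only the public key.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	auth := &Authenticator{priv: priv}
	rp := &RelyingParty{origin: "https://bank.example", pub: &priv.PublicKey, pending: make([]byte, 32)}
	if _, err := rand.Read(rp.pending); err != nil { // fresh random challenge, answerable once
		return err
	}
	origin := rp.origin
	if kind == "phished" { // a look-alike page relays the genuine challenge, but the browser
		origin = "https://bank-example.login" // reports the page's own origin, which is what gets signed
	}
	ctr, sig, err := auth.Sign(origin, rp.pending)
	if err != nil {
		return err
	}
	if err := rp.Verify(ctr, sig); err != nil || kind != "replayed" {
		return err
	}
	return rp.Verify(ctr, sig) // the same response presented a second time
}

func main() {
	for _, k := range []string{"genuine", "phished", "replayed"} {
		fmt.Printf("%-8s -> %v\n", k, Scenario(k))
	}
}
```

Running the program prints one line per scenario: the genuine login verifies, the phished response fails because the relying party hashes its own origin into the message and the signature was made over a different one, and the replayed response fails because the challenge was consumed the first time. In the real U2F protocol the browser additionally refuses to hand a challenge to a key whose application identifier does not match the page origin, and real deployments add attestation and one key pair per service; the model above isolates the cryptographic reason the phishing and replay attempts fail.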
Authentication of customers, especially on a remote basis, will always be a challenge as criminals find more and more ways to spoof identities. The industry's efforts to increase the security of remote payments remain ongoing and the cooperative work demonstrated by groups such as the FIDO Alliance plays an important part in that effort.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 17, 2017
Staging the ATM
The installation of the first automated teller machine (ATM) recently reached its 50th anniversary (48 years since the first U.S. installation), yet the core functionality of present-day ATMs has changed very little. They remain primarily designed to provide customers with cash at their convenience, though most full-function ATMs now also accept deposits, with image capture and currency-counting capability. Sure, the machines of today are much more technologically sophisticated and reliable than the initial ones, which were more mechanical in operation. The industry, however, has undergone some major changes.
Accessed with a magnetic stripe or chip card and authenticated with a PIN, the ATM has served consumers and financial institutions well. The 2016 Federal Reserve Payments Study showed that ATM withdrawal volume remained flat from 2012 through 2015 at approximately 5.8 billion transactions valued at $700 billion, or an average transaction value of $122.
Banks in a number of South American and Asian-Pacific countries have installed biometric sensors in their ATMs either to eliminate the need for payment cards and PINs or to serve as an additional authentication factor. However, a couple of major U.S. banks have taken a different path in a quest to eliminate the payment card and PIN; they have developed a staged transaction process using the customer's mobile phone. While there are some variations from bank to bank, the process generally works as follows:
- The customer opens the mobile banking application using the normal authentication process.
- The customer selects the ATM withdrawal option then identifies the ATM location and amount of withdrawal.
- When at the designated ATM, the customer selects the function button on the ATM for a cardless transaction.
- The next step depends on the particular bank.
- Some banks display a 2D barcode on the ATM screen, which the mobile phone's camera reads to validate the transaction and dispense the requested amount of cash.
- Other banks, to complete the transaction, may require the customer to enter both the normal payment card PIN and a numeric token value that the application sent to their phone when they made the transaction selection.
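To make the trust relationships in the procedure above concrete, here is an added Go model of the barcode variant (illustrative code written for this page, not any bank's implementation). The bank issues both the staged withdrawal and the barcode nonce, so it can check that the phone scanned a barcode generated for the very ATM the customer chose, that neither value has been presented before, and that both are still inside their validity windows. The 30-minute and 90-second windows, the customer and ATM identifiers, and the token format are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Staged is one withdrawal pre-authorized from the mobile app (steps 1 and 2 above).
type Staged struct {
	Customer string
	ATM      string // the machine the customer picked; cash comes out of this one only
	Amount   int    // whole dollars
	Expires  time.Time
	Used     bool
}

// screenNonce is the opaque value an ATM is currently showing in its 2D barcode.
type screenNonce struct {
	ATM     string
	Expires time.Time
	Used    bool
}

// Bank holds staged withdrawals and the barcode nonces issued to its own ATMs; both sides
// talk only to the issuing bank, which is why only that bank's ATMs can take part.
type Bank struct {
	Now     func() time.Time        // injectable clock so expiry can be exercised offline
	staged  map[string]*Staged      // staged ID -> record
	screens map[string]*screenNonce // barcode nonce -> record
}

func NewBank() *Bank {
	return &Bank{Now: time.Now, staged: map[string]*Staged{}, screens: map[string]*screenNonce{}}
}

// randomToken draws 16 hex characters from the system CSPRNG; both IDs must be unguessable.
func randomToken() (string, error) {
	buf := make([]byte, 8)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// Stage records the ATM and amount chosen in the app after its normal login (steps 1-2).
// The 30-minute validity window is an assumption made for this example.
func (b *Bank) Stage(customer, atm string, amount int) (string, error) {
	id, err := randomToken()
	if err != nil {
		return "", err
	}
	b.staged[id] = &Staged{Customer: customer, ATM: atm, Amount: amount, Expires: b.Now().Add(30 * time.Minute)}
	return id, nil
}

// CardlessSession is what the ATM asks for when the customer presses the cardless button
// (step 3); the nonce goes into the on-screen barcode and is tied to that ATM for 90 seconds.
func (b *Bank) CardlessSession(atm string) (string, error) {
	nonce, err := randomToken()
	if err != nil {
		return "", err
	}
	b.screens[nonce] = &screenNonce{ATM: atm, Expires: b.Now().Add(90 * time.Second)}
	return nonce, nil
}

// Redeem is the call the app makes over its authenticated session after scanning the barcode
// (step 4). Every check is server-side; it returns the dispense instruction or the refusal.
func (b *Bank) Redeem(customer, stagedID, barcode string) (atm string, amount int, err error) {
	now := b.Now()
	sn, ok := b.screens[barcode]
	if !ok || sn.Used || now.After(sn.Expires) {
		return "", 0, errors.New("barcode not issued by this bank, already used or expired")
	}
	st, ok := b.staged[stagedID]
	if !ok || st.Customer != customer {
		return "", 0, errors.New("no such staged withdrawal for this customer")
	}
	if st.Used || now.After(st.Expires) {
		return "", 0, errors.New("staged withdrawal already dispensed or expired")
	}
	if st.ATM != sn.ATM { // a barcode photographed at, or relayed from, another machine stops here
		return "", 0, errors.New("barcode came from a different ATM than the one staged")
	}
	sn.Used, st.Used = true, true // burn both so neither can be presented again
	return sn.ATM, st.Amount, nil
}

func main() {
	b := NewBank()
	id, _ := b.Stage("alice", "ATM-0042", 60) // placeholder customer and ATM identifiers
	code, _ := b.CardlessSession("ATM-0042")
	atm, amt, err := b.Redeem("alice", id, code)
	fmt.Println("dispense:", atm, amt, err)
}
```

The design point is that the ATM never learns the staged withdrawal ID and the phone never proves anything to the ATM directly; the only link between them is a nonce the bank minted for that screen, so the phone's authenticated app session carries the customer's identity and the nonce carries the machine's. Presenting the same pair a second time, scanning a barcode from a different machine, or redeeming another customer's staged ID all fail in Redeem. The PIN-plus-numeric-token variant described in the last step would be modeled the same way, with the token delivered to the phone and typed at the ATM instead of scanned from its screen.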
This approach offers banks a number of financial benefits over biometric readers. The barcode or token process requires only software development within the mobile banking application and the ATM, so banks don't have to purchase, install, and maintain biometric hardware sensors. A drawback is that only the ATMs of the customer's own financial institution support the staged transaction. In addition, card readers will have to remain a key component of ATMs to serve customers of other banks as well as the bank's own customers who wish to continue using their cards. Because criminals continue to insert card-skimming devices and cameras to capture card data and customer PINs, an industry-wide and global problem, the new functionality will only reduce, not prevent, such fraud.
Many financial institutions seem to be making a concerted effort to migrate customers from payment card-based transactions to options such as mobile pay wallets and now staged ATM transactions. Mobile wallet adoption rates by consumers have been low to date, so it will be interesting to see if the adoption rate of cardless ATM transactions will be any different. What do you think?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 10, 2017
Can Migrants Teach Us Anything about Millennials?
While attending a recent conference, I became involved in a discussion regarding millennials and their alleged rejection of banks. The other people in this conversation thought that this millennial mindset is negatively affecting banks and other financial institutions (FIs). One person cited a Goldman Sachs report that said 53 percent of millennials surveyed indicated they have no need for a bank in the near future. Another mentioned the Millennial Disruption Index, which found that 71 percent of millennials would rather go to the dentist than listen to what banks are saying.
It would come as no surprise to those who know me or have read some of my previous blogs on similar topics that I was the outlier in the conversation. And after reading Inter-American Dialogue's May 2017 report, On the Cusp of Change: Migrants’ Use of the Internet for Remittance Transfers, I feel as strongly as ever that this generation will, in fact, need banking relationships.
While the survey behind the report focused on migrants' use of remittance transfers, Inter-American Dialogue also surveyed migrants on bank account ownership. The survey found that over 70 percent of Mexican migrants in the United States own a bank account, up from only 29 percent in 2005. The report concludes, with support from additional survey data, that bank account ownership is predominantly a function of years being in the United States; those migrants here for 10 years or longer are much likelier to own a bank account.
While millennials may not need traditional FI products today as they wait longer to purchase homes and start families than did previous generations, I believe the day will come when they find they need FIs. Only then will we know whether that wait is shorter or longer than the 10 years it takes for most Mexican migrants to establish banking relationships. Millennials have a host of alternative financial products to choose from—and to ignore—but so do migrant workers. Yet we know that, eventually, most migrant workers recognize they need banks.
I am not suggesting that financial institutions simply wait for millennials to realize their need for a banking relationship. FIs should be actively pursuing new products or developing strategies to attract millennials to traditional products. As millennials establish themselves and grow more prosperous, I believe they will realize banking relationships are extremely important to that process. The notion that millennials never need banks is one that I am not buying (not even with my bitcoins). Are you?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 26, 2017
Responsible Innovation, Part 2: Do Community Financial Institutions Need Faster Payments?
In my last post, I introduced themes from a summit that the Retail Payments Risk Forum cohosted with the United Kingdom's Department for International Trade. The summit gathered payments industry participants to discuss faster payments and their effects on community financial institutions (FIs). This post, the second of three in a series, tackles the question of whether community FIs and their customers actually have an appetite for increasing the speed of payments.
A summit attendee from WesPay, a membership-based payments association in the United States, presented the findings of a survey of 430 U.S. FIs about current payments initiatives. An important discovery was that awareness and adoption of faster payments solutions remains low, as the responses to two survey questions indicate:
- For same-day ACH, a majority (57 percent) indicated that the first phase—faster credits—"has had no measurable impact on our customers'/members' transactions."
- When asked about the Federal Reserve Faster Payment Task Force, 34 percent of respondents indicated they were unaware of the initiative, and 46 percent indicated they had only high-level knowledge.
Responses to another of WesPay's survey questions suggest that, although there may be low awareness of many current initiatives, many financial institutions are recognizing that faster payments are inevitable. A majority (60 percent) agreed that faster payments initiatives are "an important development in the industry. However, our institution will be watching to see which platform becomes the standard."
NACHA's representative presented statistics from phase one of same-day ACH, with reminders about the phases to come.
- Same-day ACH reached a total of 13 million transactions in the first three months (launched September 23, 2016).
- Phase 2 will allow for direct debits to clear on the same day (to launch September 15, 2017).
- Phase 3 will mandate funds availability for same-day items by 5 p.m. local time (to launch March 16, 2018).
- The current transaction limit is $25,000, and international ACH is not eligible.
Results of a study by ACI Worldwide, a global payments processor, look a little different from WesPay's survey results. The study looked at small to medium-size enterprises to gauge real-time payments demand. For the U.S. respondents, the research revealed that:
- Fifty-one percent are frustrated by delays in receiving payments.
- Forty-two percent are frustrated by outgoing payments-delivery timeframes.
- Sixty-five percent would consider switching banks for real-time payments.
We don't know yet what U.S. adoption rates will be, but Faster Payments Scheme Ltd. (FPS) in the United Kingdom already has a story to tell. U.K. panelists attending the summit at the Atlanta Fed said that FPS has seen steady adoption growth, driven by cultural change and customer expectations.
- FPS reached a total of 19 million transactions in the first three months (launched May 27, 2008).
- The FPS transaction limit increased in 2010 from £10k to £100k, and then to £250k in 2015.
- In April 2014, Paym, a mobile payments service, launched on top of FPS. Paym handles person-to-person and small-business payments, similar to Zelle in the United States, which started up in June 2017 using ACH.
- FPS had a total volume of 1.4 billion items in 2016.
For payment networks offering new solutions, community FIs are the critical mass that ensures adoption. Their participation will require practical benefits and a lot of support before they are willing to commit, and some community FIs might adopt new systems only because everyone else has. Will new networks in the United States compete with same-day ACH, which already has the advantage of ubiquity? As options develop, customer culture and expectations will likely develop with them.
In the final installment of this "Responsible Innovation" series, I will look at future impacts of faster payments.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed