Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
January 17, 2017
Payments people start biting their nails when they hear "share more with more." They have been conditioned to keep payments information from ever being shared. But that is in the context of protecting legitimate payments system users from losing money while a fraudulent party benefits. At 7,000 members, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is currently the largest financial services trade association in the world. I attended their Fall Summit last October, a month fittingly designated National Cybersecurity Awareness Month, and heard plenty about sharing. The mission of FS-ISAC is always strength in sharing; this year's summit focused on expanding the trust.
Payments people are used to looking for fraud by way of chargebacks and returns, one payment-channel silo at a time. Shhh. Don't let ACH people share information with wire people, and vice versa—the risk department will let us know if there is an issue. Of course, payments fraud is an ever-increasing battle, and we must remain vigilant. However, who is prepared to recognize payment events that from a bird's-eye view may look legitimate but, when analyzed, point to a threat of mass destruction?
Recent distributed denial-of-service (DDoS) attacks highlight the scale of network bandwidth that can be unleashed on connected systems. Payments are just that, a network of systems that connect every aspect of our economy. There are countless examples of services or goods not being rendered when payments aren't received. Liquidity failures do tend to cause a state of panic. Even attacking one specific sector such as payroll processing on the first of the month could lead to disaster. As my colleague pointed out in a July 2016 blog, cash is alive and well, but payments systems today rely totally on telecommunications, which rely on our power grid.
Admiral James Stavridis, the keynote speaker at the FS-ISAC Summit, echoed the importance of expanding trust, along with the need to increase the resiliency of the nation in the event of a cyber-incident. Stavridis provided many encouraging solutions, one being that it is time for a cyber-force branch of the military. The United States Air Force was formed as a separate branch of the military in September 1947 under the National Security Act of 1947 as aerial warfare advanced. Stavridis proposed that now is the time for us to consider that cyber-incidents could be used as weapons of mass destruction. He applauded the current combat against cybercrime, yet encouraged new thought on what could be in store and how quickly it could arrive.
How do payments people continue down the path of protecting individual players while simultaneously protecting the nation from a crippling cyber-incident? It could be just a matter of whom you invite to the table. As I saw with attendance at the FS-ISAC Summit, the cybersecurity conversation needs to include diverse skill sets. There has been a trend in moving information security departments away from their information technology partners and under the risk and compliance umbrella so they can remain unbiased when scrutinizing payment transaction red flags and other systems. Additionally, legal barriers are being reevaluated to ensure that law enforcement can access information, most notably by FinCEN expanding Suspicious Activity Report requirements to include cyber events.
And, more deeply about whom we are trusting at the table, are we actually expanding the information shared? Could we make correlations by looking at payment volumes together with cyber activity and reports of fraud?
There is a growing sense that payment security equates to cybersecurity and national security. With Stavridis and others promoting the movement for "expanding the trust," new ideas continue to emerge. Hopefully, the technologies and strategies that are made to wow us (for example, the internet-of-things, machine learning, and the distributed ledger) can also serve to unite and protect us.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 9, 2017
The Year in Review
As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.
Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Officer position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.
Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.
Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.
Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMs, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.
Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.
EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.
Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.
Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.
All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.
December 22, 2016
Why U.S. Card Fraud Is Now Present and Accounted For
Last year, I wrote a post called "Why Is the U.S. Card-Present Fraud Breakout Not Present?" in which I discussed the lack of publicly available information on the distribution of U.S. card fraud by type. I'm happy to report that more detailed data on card fraud in the United States is now present and accounted for in the Initial Data Release (IDR) of the 2016 Federal Reserve Payments Study.
As is common in other countries, card fraud can be categorized as follows across person-present and remote payment channels:
- Counterfeit card: Fraud is perpetrated using an altered or cloned card.
- Lost or stolen card: Fraud is undertaken using a lost or stolen card.
- Card issued but not received: A newly issued card in transit to a card holder is intercepted and used to commit fraud.
- Fraudulent application: A new card is issued based on a fake identity or on someone else's identity.
- Other: "Other" fraud includes account takeover and other types of fraud not covered above.
- Fraudulent use of account number: Fraud is perpetrated without using a physical card.
An extract from the fraud section of the IDR shows breakouts for card fraud by type across five countries.
As reflected in the numbers, the United States remains, by roughly an order of magnitude, a more persistent target for card counterfeiters using stolen card data than other countries that adopted counterfeiting controls using EMV (chip) cards much earlier. Use of chips makes in-person card fraud more difficult, because of built-in technology to thwart the creation of counterfeit chip cards. As adoption of chips for cards and terminals improves in the United States, fraud using stolen card data is likely to shift from person-present to remote channels, as has already occurred in other developed countries. My colleague, Doug King, discusses these issues in detail in an interview conducted last year.
Look for other Take On Payments posts that highlight additional key findings from the 2016 payments study.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 12, 2016
Making Sense of Dollars, Part II
The first of this two-part post took us back to the '60s and a BBC clip that assumed we'd be a cashless society by now, given it was the dawn of the digital age. A half-century later, we're hardly closer to being cashless, and those who predicted an end to cash have been replaced by those who argue that going cashless or to less cash is "for the best." This post recaps oft-cited reasons for abandoning cash, amending them with counterpoints. I trust market determinations more than I do the wisdom of the well-intended, and the free market seems to be in complete disagreement with those who assert we'd all be better off without cash.
- Cash is expensive as a cost of acceptance for merchants.
I've talked to many retailers—large and small—who prefer cash because they say it saves them money, especially when compared to credit cards. But what do they know? Many studies show that cash is neither universally nor unanimously the most expensive payment method. Indeed, there seems to be more evidence than not that cash is among the least expensive payment alternatives.
- Cash makes tax evasion pervasive.
First, tax evaders have options; cash is not their only tool. Second, tax evasion seems correlated to high taxes (see the National Bureau of Economic Research working papers 6903 and 8551; there are others). Reading further, I find tax evasion is less about opportunity (afforded by cash, for instance) and more about bad tax policy. A revolt was ignited and a great country was born amidst the perception that taxes were too high and unjust. Eliminating cash would not likely have stopped that rebellion, and it's unlikely to fix today's problem.
- Cash complicates monetary policy.
Cash can only complicate monetary policy when those making the policy want to use negative interest rates to achieve desired ends. To date, there is little to no evidence that this policy path is effective; certainly it's no panacea. That makes it premature if not fully misguided to decry cash. Even if the policy proves useful, eliminating bills may or may not make it more difficult for savers to hoard. I assert they'll find a way.
- Cash encourages crime because it's too effective (too liquid, too widely used, "too anonymous").
By that thinking, once cash is eliminated, we'll need to determine what to do about oxygen and water as there is overwhelming evidence that malefactors use these things to good effect as well. The point is, cash works well for the unjust but also for the just. It accounts for 40 percent of all transactions, as measured by the Boston Fed's survey of consumer payment choice. Here the anti-cash crowd backs off the cry of "cashless," running out a "less cash" compromise. Large notes, some say, are used far more often for illegal activities than not, and the proof seems to be TV shows, movies, and pop culture. Seriously. Don't we have to do better than that before dispensing with a primary bloodline for commerce? There is no denying that the untraceable nature of cash frustrates crime fighting; it also frustrates surveillance against the just. Those who value liberty are likely to continue to value the option to spend anonymously.
There is at least one official push to rid society of cash, and its sponsors include card networks, who would stand to benefit were cash to disappear. Anyway, legislating safety that overpromises and hides the harm it can do holds considerable risk.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed