Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
October 16, 2017
No Magic Bullet for Preventing Data Breaches
Much has been written about the Equifax data breach, including a Take On Payments piece several weeks ago. Since the announcement of the breach in early September, my LinkedIn timeline has been filled with articles and messages from sales and development professionals claiming that their technologies and solutions could have prevented the Equifax breach. Unfortunately, the weakest link isn't a technology problem or issue. It is, and will continue to be, the human element.
Before I hear from the sales and development professionals I just referred to, let me say that I believe that technology does play an important role in mitigating data breaches. For example, statistics show that homes equipped with a security system—"hard targets"—are significantly less likely to be burglarized than homes without them—"soft targets." I suspect the same is true for companies and data breaches in that those who do a better job of securing their data with technology are harder targets than those who do not. However, technology is only one aspect of preventing data breaches—which brings us back to the human element.
We are the weakest link. We architect and program security systems with flaws. We fail to properly update software or install patches on a timely basis. We open suspicious attachments on emails. We sometimes visit dubious websites and click on suspicious ads or links. We divulge too much information over social media. We share sensitive information with people we think we know and who we think are friendly. And we are mistake- and accident-prone. Education does and will continue to help, but humans will continue to make mistakes and be accident-prone, thus data breaches will remain an ongoing problem.
The late, great musician Tom Petty said, "Music is probably the only real magic I have encountered in my life. There's not some trick involved with it. It's pure and it's real." While Petty's remark that music is probably the only real magic is debatable, there is no debating that data breach prevention has no magic bullet. Educating people remains critical, but, as is all too often the case, education also ends up falling short. As a risk expert, I really wish that I had the answer to preventing data breaches. Unfortunately, human actions trump any answers that I might have. Given the grim outlook for data breaches, it is imperative for companies and individuals to have a plan in place to minimize the damage when a data breach occurs.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 2, 2017
A Record-Breaking Season of Hurricanes and Data Breaches
I lived in the panhandle of Florida in 2005, during a record-breaking hurricane season. Four hurricanes that started in the Atlantic—including Katrina—reached Category 5 status that season. That disastrous hurricane season seemed unsurpassable. Yet Hurricanes Harvey and Irma set new records (both made first landfall in the United States as Category 4 hurricanes).
As Hurricane Irma made its destructive way across the Caribbean, a different kind of disaster was also setting records. On September 7, Equifax announced a data breach potentially affecting most U.S. adults. Could this year also prove to be a record-breaking year for data breaches? According to the Identity Theft Resource Center (ITRC), there are already 976 on the books. Breaches reached a record high of 1,093 in 2016—a substantial hike of 40 percent over the near-record high of 780 reported in 2015.
Truth be told, we can't be sure these data breach "records" are even accurate. Data breach notification laws vary by state in terms of definitions and standard reporting elements. Even the ITRC questions whether there actually are more breaches or the numbers have risen because more states are requiring public release of information on them.
The ITRC Breach Report is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. This list is updated daily and published each Tuesday. The ITRC has been tracking breaches since 2005, but only since 2010 has that tracking included the information that has been exposed. Even so, many notifications made available do not include what damages, or types of records, were at stake.
To that point, we don't understand the extent to which victims will suffer when, for example, card information is stolen along with Social Security numbers. We have yet to see standard data on how fraud trends morph when a certain type of data breach occurs. Lack of correlation could be a risk to consumers.
With data breaches, as with hurricanes, we can respond better if we know what is at stake. Is it time for states to adopt a uniform set of statutes regarding data breach notifications? What do you think?
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 25, 2017
Fed Payments Webinar Series Launching
One of the comments we consistently received when we conducted the Mobile Banking/Payments Survey last fall was the desire for the Atlanta Federal Reserve to provide more educational opportunities on current payment technologies and issues. Not only have small and mid-sized financial institutions expressed this need, but so have consumer advocacy groups and law enforcement agencies. Educational efforts, along with research, on payment risk issues are at the core of the Retail Payments Risk Forum's overall mission.
In response to these requests, the Risk Forum is launching a webinar series called Talk About Payments (TAP). The TAP webinars will supplement this blog, forums and conferences we convene, and other works we publish on the Forum's web pages. The current plan is for the webinars to be presented once a quarter. Financial institutions, retailers, payment processors, law enforcement, academia, and other payment system stakeholders are all welcome to participate in the webinars. Participants can submit questions during the event.
We will have our first webinar—titled "How Safe Are Mobile Payments?"—on Thursday, October 5, from 1 to 2 p.m. (ET). The webinar will cover such topics as mcommerce growth, mobile wallets, tokenization, fraud attack points, and risk mitigation tools and tactics.
Participation in the webinar is complimentary, but you must register in advance. To register, go to the TAP webinar web page. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information.
We hope you will join us for our first webinar on October 5, and for our future webinars. If there are any particular topics you would like for us to cover in future webinars, please let us know.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 18, 2017
The Rising Cost of Remittances to Mexico Bucks a Trend
From time to time, I like to look back at previous Risk Forum activities and see what payment topics we've covered and consider whether we should revisit any. In September 2012, the Risk Forum hosted the Symposium on 1073: Exploring the Final Remittance Transfer Rule and Path Forward. Seeing that almost five years have passed since that event, I decided I'd take another, deeper look to better understand some of the effects that Section 1073 of the Dodd-Frank Act has had on remittances since then. I wrote about some of my findings in a paper.
As a result of my deeper look, I found an industry that has been rife with change since the implementation of Section 1073 rules, from both a regulatory and technology perspective. Emerging companies have entered the landscape, new digital products have appeared, and several traditional financial institutions have exited the remittance industry. In the midst of this change, consumers' average cost to send remittances has declined.
Conversely, the cost to send remittances within the largest corridor, United States–Mexico, is rising. The rising cost is not attributable to the direct remittance fee paid to an agent or digital provider but rather to the exchange rate margin, which is the exchange rate markup applied to the consumer's remittance over the interbank exchange rate. As remittances become more digitalized and the role of in-person agents diminishes, I expect the exchange rate margin portion of the total cost of remittance to continue to grow.
Even though the average cost of sending remittances to Mexico is on the rise, I found that consumers have access to a number of low-cost options. The spread between the highest-cost remittance options and the lowest-cost options is significant.
With greater transparency than ever before in the remittance industry, consumers now have the ability to find and use low-cost remittance options across a wide variety of provider types and product options. To read more about the cost and availability of remittances from the United States to Mexico and beyond in a post-1073-rule world, you can find the paper here.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed