Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
August 13, 2018
Protecting Our Senior Citizens from Financial Abuse
By all accounts, elder financial abuse appears to be a multi-billion-dollar problem. A 2011 New York State study found that, for every documented case of elder financial exploitation, more than 43 other cases went unreported. A 2015 report from True Link Financial estimates that nearly $17 billion is lost to financial exploitation, defined as the use of misleading or confusing language, often in conjunction with social pressure and tactics, to obtain a senior’s consent to take his or her money. According to the same report, another $6.7 billion is lost to caregiver abuse, which is deceit or theft by someone who has a trusting relationship with the victim, such as a family member, paid caregiver, attorney, or financial manager.
Over the last several months, Risk Forum members have had several conversations with boards and members of different regional payment associations. The topic of elder financial abuse and exploitation came up often. It has been over seven years since Take On Payments last explored the topic, so we are overdue for a post on the subject given both the interest from some of our constituents and new legislation around elder financial abuse recently signed into law.
With an aging baby boomer population representing the fasting growing segment of the population, awareness of the magnitude of elder financial abuse and an understanding of ways to identify and prevent it are critical to the well-being of our senior citizens. And that is exactly the intent of the Senior SAFE Act that on May 24 was passed by Congress and signed into law under Section 303 of the Economic Growth, Regulatory Relief, and Consumer Protection Act. Briefly, the act extends immunity from liability to certain individuals employed at financial institutions (and other covered entities) who, in good faith and with reasonable care, disclose the suspected exploitation of a senior citizen to a regulatory or law enforcement agency. The employing financial institutions are also immune from liability with respect to disclosures that these employees make. Before they were afforded immunity, banks and other financial-related institutions had privacy-violation concerns over disclosing financial information to other authorities. The new immunities are contingent on the financial institution developing and conducting employee training related to suspected financial exploitation of a senior citizen. The act also includes guidance regarding the content, timing, and record-keeping requirements of the training.
Massive underreporting of elder financial abuse and exploitation makes it difficult to estimate the amount of money lost. While the law does not require financial institutions to report suspected financial abuse and exploitation, it definitely encourages them to create employee educational programs by offering immunity. And those who know the Risk Forum well know that we are strong advocates of education. Elder financial abuse is a growing problem that must be tackled. How is this law changing your approach to reporting suspected cases of elder financial abuse and related employee education?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 6, 2018
The FBI Is on the Case
I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).
All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.
Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.
It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.
One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.
The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:
- Personal data breach
The top three crime types with the highest reported losses were:
- Business email compromise
- Confidence/Romance fraud
The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 30, 2018
Are You at Risk from Zombie Credit Cards?
Do you have any infrequently used credit cards hiding in the back of a drawer? Maybe a card you applied for to get a discount on a new washing machine? Or a card you used frequently a few years ago that has been superseded by a newer card with better rewards or a lower interest rate? You know, the kind of card you might think is dead but isn't quite.
I had a card like that in the back of a drawer, until my bank canceled it a few weeks ago. The bank pointed out that I hadn't used the card in years but offered me the opportunity to reactivate.
No, thanks. I don't need the extra exposure of a forgotten card that has long outlived its usefulness. It's enough trouble keeping track of the cards I do use.
When it comes to inactive credit cards, it turns out I'm not alone. The 2016 Federal Reserve Payments Study finds that, of general-purpose credit cards issued to consumers, 42 percent were not used to make at least one purchase a month during 2015. As a percentage share, this is about the same as 2012, when 44 percent of credit cards were not used at least once a month. ("General-purpose" cards use one of the four major credit card networks, while "private-label" cards can be used only at a particular merchant or limited set of merchants.)
In 2015, there were 192 million consumer general-purpose credit cards outstanding and inactive. That's about four inactive credit cards for every five adults in the United States. (The adult U.S. population in 2015 was 247 million.)
Of course, inactive cards are not necessarily abandoned cards, as mine was. Perhaps their owners reserve them for a special purpose, or keep them around for times when particular retailers offer discounts. Perhaps they are backups in case primary cards are compromised. Or perhaps they serve as an emergency credit cushion—a "just-in-case" line of credit.
Nevertheless, these account numbers are out there. Mine could be sitting in the database of a magazine that is automatically renewed every year or maybe attached to an expired membership at a website I don't use anymore. It's good to have that card canceled, to avoid the risk that the card will rack up charges, zombie-like.
So what about those infrequently used cards at your house? Are you holding on to an older card because a longer lifespan card could possibly improve your credit score? If not, today might be a good day to cancel and then cut them up.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 23, 2018
Learning about Card-Not-Present Fraud Mitigation
Over the last year, I have had the pleasure of working with Fed colleagues and other payments industry experts on one of the Accredited Standards Committee's X9A Financial Industry Standards workgroups in writing a technical report on U.S. card-not-present (CNP) fraud mitigation. You can download the final report (at no cost) from the ANSI (American National Standards Institute) web store.
As this blog and other industry publications have been forecasting for years, the migration to payment cards containing EMV chips may already be resulting in a reduction of counterfeit card fraud and an increase in CNP fraud and other fraudulent activity. This has been the trend in other countries that have gone through the chip card migration, and there was no reason to believe that it would be any different in the United States. The purpose of the technical report was to identify the major types of CNP fraud and present guidelines for mitigating these fraud attacks to the various payments industry stakeholders.
After an initial section identifying the primary stakeholders that CNP fraud affects, the technical report reviews five major CNP transaction scenarios, complete with transaction flow diagrams. The report continues with a detailed section of terms, definitions, and initialisms and acronyms.
The best defense against CNP fraud from an industry standpoint is the protection of data from being breached in the first place. Section 5 of the report reviews the role that data security takes in CNP fraud mitigation. It contains references to other documents providing detailed data protection recommendations.
Criminals will gather personal and payment data in various attacks against those who don't use strong data protection practices, so the next sections deal with the heart of CNP fraud mitigation.
- Section 6 identifies the major types of CNP fraud attacks, both attacks that steal data and those that use that data to conduct fraudulent activities.
- Section 7 reviews mitigation tools and approaches to take against such attacks. The section is subdivided into perspectives of various stakeholders, including merchants, merchant acquirers and gateways, issuers and issuer processors, and, finally, payment card networks.
- Section 8 discusses how a stakeholder should identify key fraud performance metrics and then analyze, report, and track those metrics. While stakeholders will have different elements of metrics, they must each go to a sufficient level so the results will provide key insights and predictive indicators.
The report concludes with several annex sections (appendices) covering a variety of subjects related to CNP fraud. Suggestions for the improvement or revision of the technical report are welcome. Please send them to the X9 Committee Secretariat, Accredited Standards Committee X9 Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401. I hope you will distribute this document among those in your institution involved with CNP fraud prevention, detection, and response to use as an educational or reference document. I think it will be quite useful.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Protecting Our Senior Citizens from Financial Abuse
- The FBI Is on the Case
- Are You at Risk from Zombie Credit Cards?
- Learning about Card-Not-Present Fraud Mitigation
- Behind the Growth in Debit Card Payments
- Attack of the Smart Refrigerator
- Down but Not Out
- Thinking about My Grandmother and Future-Proofing Payments
- Consumer Habits and Cash Use
- The GDPR's Impact on U.S. Consumers
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud