Retail Payments Risk Forum
Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Take On Payments
March 26, 2012
Is the Internet the world's largest crime scene?
"If the Internet is a place, it's probably the world's largest crime scene," said Peter Liske, vice president of product management at Threatmetrix. Listening to Peter talk recently at the 1st annual CARTES in North America conference, I immediately visualized my computer screen filled with chalked outlines of bodies representing victims of online crimes. While crime on the Internet can take on many forms, I am focusing today's blog on online shopping fraud. According to CyberSource's 2012 Online Fraud Report, merchants lost an estimated $3.4 billion in 2011 due to fraud taking place in "the world's largest crime scene."
Although $3.4 billion in losses is nothing to smile about, the report offers some good news in the merchants' ongoing battle against cybercriminals. Most notably, merchants are proving that when technology and other fraud detection tools are implemented effectively, fraud can be reduced. In 2011, merchants reported that 0.6 percent of orders were lost to fraud, a 33 percent decrease from 2010. A key reason for this decline of orders lost to fraud appears to be increased investment or usage of tools by the merchants to identify, track, and prevent fraud. In 2011, merchants used more technology and other tools to automatically detect fraud. They also engaged in more manual reviews of orders. In fact, during 2011, the largest merchants (annual online revenue of over $25 million) used more automated fraud detection tools than did smaller merchants, resulting in substantially lower fraud rates for the largest merchants.
Unfortunately, these fraud detection tools come with a cost, and the manual review of transactions is both an expensive and laborious task. According to the CyberSource report, 75 percent of the merchants surveyed do not plan to increase staffing levels related to fraud management in 2012. Further, 78 percent of the merchants expect to make no increase to their fraud management budgets in 2012.
As sales volume on the Internet continues to grow, merchants will have the difficult task of fighting fraud with their limited resources. To keep battling in "the world's largest crime scene," it will be imperative for them to optimize their automated fraud detection tools in today's constrained environment. As merchants engage in this high-wire act between fraud losses and prevention costs, will they continue to be able to lower the incidence of fraud?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 19, 2012
Balancing payments risk management and regulation with innovation
Government must be careful not to overreact to, or stifle, new innovations that can greatly benefit the consumer and the American economy. Government should take advantage of marketplace solutions to issues where appropriate. To do this, and at the same time to be in a position to act appropriately, it is important for government to maintain expertise in electronic money and payments development, and to consider carefully major questions presented by these developments. (Excerpt from 1996 paper prepared by the Department of Treasury on emerging electronic money and banking innovations.)
This quote appeared in a presentation given last week by John Carlson, executive vice president at BITS, a nonprofit group that fosters communication around technology issues that affect the financial services industry. John used this quote to demonstrate that, even in 1996, the Treasury Department recognized the need to not over-regulate at a time when financial institutions were beginning to experiment with Internet banking.
In the presentation "Hardening Payments for the Next Generation," which he gave at the BAI Payments Connect conference, John stressed that we still have to exercise care as financial institutions continue to innovate. The industry must still consider how it will balance the benefits of innovation in payments with the need to manage changing risks and ensure that regulators keep up with the changes. John warned that, despite the myriad of new threats, the temptation to overreact to these with regulation and legislation may stifle payment innovations. He emphasized that, instead, payment stakeholders must collaborate and share information.
Following are a few other noteworthy points from the presentation.
Rise in fraud and security issues in payments
John noted that as more nonbanks enter the marketplace and new innovative alternative products are introduced, payments fraud is evolving alongside. We need to keep looking at emerging payment issues involved with EMV-enabled payments, for example, as well as mobile payments, cloud computing, and payments conducted via social media. At the same time that these products are entering the marketplace, fraud is evolving in new and unexpected ways. And as global crime rings increasingly engage in cross-border activities, for example, a rise in cyber-security threats will likely continue.
We are also seeing some conflicting trends in consumer trust of security issues, according to John. While many consumers respond conservatively in surveys on payments security, for example, consumers generally are becoming increasingly willing to share personal information with "friends" in social media sites like Facebook and LinkedIn. And while consumers are gradually warming up to alternative payments in the mobile channel, most fail to employ general protections such as mobile device password locks.
A challenging regulatory environment
John mentioned that U.S. financial institutions are subject to independent regulatory oversight by a host of federal and state agencies, but the regulatory environment for nonbanks is not well understood. This lack of clarity around the nonbanks results in unclear liability for financial institutions and their customers alike. Consumers are likely to go to financial institutions for error resolution because of trust and familiarity, even when the risk and liability belong to the nonbank partner.
Third-party risk will continue to be a significant concern going forward, said John, as banks recognize the economic benefits they can get from outsourcing. As a result, regulators will focus on banks' vendor management programs to ensure that banks exercise comprehensive due diligence when they engage with vendors, and that they continue to provide oversight of the vendor throughout the duration of the relationship.
John noted that while there is a great deal of discussion on regulation of the emerging mobile channel, it is likely that such regulatory guidance will be embedded in vendor oversight guidance, of which there have been many iterations over the years.
Trust is a necessary element of a successful payment system
John concluded his presentation by saying that "trust is central to everything we do." Financial institutions and other stakeholders with access to payment data and personally identifiable information have a growing responsibility to protect that data as the risk grows for network and device compromise. With more personal information exposed via social media, we will need to consider incentives for stakeholders to safeguard information by banks and other competitors in the payments space. Furthermore, those nonbank competitors and outsourcing partners need to be held to similar business practice standards for security and safety and soundness.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
March 14, 2012
How do new faces affect risks in money transfer business?
According to a February 21 American Banker article, Facebook has officially entered into the money transfer business. Facebook reported in its S-1 filing last month that it generated about $555 million in 2010 (or 15 percent of its revenue that year) from payments, and that it holds money transmitter licenses in 15 states. Facebook credits are a digital currency that companies use on the site's online applications and games such as Farmville.
Facebook is not the only nonbank business entering the money transmittal business, though it certainly may be one of the more prominent. But as money transmitters are playing an increasingly larger role in our nation's payments system, now may be the time to take stock of the risk environment and continue our discussion on an appropriate strategy for risk governance.
FinCEN SAR filings on the rise for money transfer services
According to FinCEN's May 2011 report The SAR Activity Review: By the Numbers, depository institutions have a greater potential of exposure to money laundering crimes than do nondepository institutions. Nondepository institutions include money service businesses (MSBs), securities and insurance firms, and even casinos. You can see from the following table that over the last five years, the number of depository institution SARs decreased as of December 2010, while nondepository institution SARs have increased.
The report's findings for MSBs in particular are startling. It says, for example, that “in 2010, suspicious activity filings by the MSB industry hit an all time high with 596,494 SARs filed in 2010, up 12% from the prior year and over 18,000 more forms submitted than the previous high in 2007.” In fact, money transfer SAR filings in 2010 comprised 70 percent of all financial services filings by MSBs. SARs by MSBs listing money transfers increased 23 percent from 2009, while money order SARs fell 3 percent for the same period.
Under the radar: When MSBs fail to file
When MSBs were subject to enforcement actions in 2011, their primary infraction often involved failure to register with FinCEN. In addition, according to FinCEN's 2011 Annual Report, filing failures were often accompanied by other legal violations, such as failing to file currency transaction reports and currency structuring.
To help industry partners, regulators, and law enforcement monitor MSBs, FinCEN recently announced the launch of a new MSB registration website. FinCEN updates the database weekly.
As nonbank companies, including social media firms like Facebook, enter the payments business, it will be critical to keep an eye on small innovative and possibly unlicensed start-up money transmitters.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
March 5, 2012
Generations of payment innovations
Bob Kennedy is a director and payments expert in the Atlanta Fed's supervision and regulation department. As Bob prepares for retirement next month, we sat down to talk about his thoughts on the retail payments environment in the United States.
P&R: Bob, you've gained a reputation in industry circles as an expert in the payments field and a frequent speaker at industry events with a long and distinguished career in bank supervision. Can you tell us a little about your background and your retail payments experience?
Bob: I actually come from a banking family. My grandfather actually set up a bank in the 1890s in a small town in rural Alabama to provide simple financial services to businesses and over time it grew and expanded to more consumer-based financial services. My father took over the business and employed me as early as age 12 on the teller line one day a month after school, authenticating customers who came in to cash their social security checks.
Payment services were pretty simple back then. At our little bank, customers had traditional demand deposit accounts but we did not issue checkbooks. So when they wanted to make a purchase at a merchant they would use counter checks and fill in their account information. The merchant would call my father at the bank to verify the customer's identity and funds availability.
By the 1960s, things were getting more complicated. Our customers were starting to shop more in nearby cities, so they asked us for preprinted checkbooks. My father lost an important control when we started to issue these, but we recognized the need to change with our customers so we could keep their business. Then in the 1970s, our customers demanded credit cards. The point of this history summation is that the family bank had to change to adapt to consumer demand. The same holds true today as we continue to see disruptive forces that are changing the payments business.
P&R: How would you characterize the general landscape today for bank adoption of emerging retail payments?
Bob: I would characterize the landscape as exciting because nothing is static—there is a lot going on, and we're seeing community banks beginning to adopt new types of payments. Banks are adapting to consumer demand, as before, but at the same time they need to be able to find a reward for providing the product or service, and that's in the form of revenue or customer retention. They have to have a use case for offering new services.
One of the biggest drivers of change in retail payments these days is the demand for payments data, which has become a virtual treasure trove in the sense that it provides tangible evidence about consumer decisions about products and services. A consumer who buys something has made a clear decision about the product, the retailer, and the date and time when he or she makes the purchase. This is why data mining is becoming so important to merchants in developing marketing strategies.
For example, a large retailer with a decoupled debit card may obtain information about individual consumer spending habits that it uses to help understand future potential consumer choices about products and services. According to a recent article by Charles Duhigg in the New York Times, this retailer has collected tons of data on every regular customer they have. With a "Guest ID" that the store assigns to these regulars, they track everything they buy. I believe this is why a lot of big nonbank firms like Google and PayPal are trying to establish a foothold in retail payments through the introduction of new payment channels. They recognize the monetary value of payments data at the point of sale.
P&R: What are the primary risk concerns for banks in retail payments today?
Bob: There are multiple risks for banks to consider, including operational and liquidity risks. Clearly, for U.S. banks, strategic risk is critical today with nonbank firms introducing disruptive innovations and evolving as a competitive force for banks that must remain relevant and profitable at the same time. They are forced to continually assess their business models as a result. On the positive side, we are seeing new partnerships. I read about the new alliance with Regions Bank and Western Union, leveraging each firm's agent or branch networks to provide remittance and banking services on a complementary, cross-selling versus competitive basis.
That brings us to vendor management. With banks outsourcing and partnering with nonbank, third-party firms, increased oversight for those relationships is required, along with more expertise at the bank level. For many community banks, hiring that level of expertise is challenging, and they need to rely on the risk management services from their core processors.
In addition, liquidity risk for banks in this new payments landscape has been heightened by the more rapid clearing and settlement of payment files.
Finally, security and privacy are big issues for U.S. financial institutions today, not only from a regulatory perspective but also—more importantly—from the need to protect the bank's reputation among its customers as a trusted payments partner.
P&R: What trends should industry stakeholders watch going forward?
Bob: Technological advancements are making our retail payment systems more effective, efficient, and easy. U.S. banks are doing a good job and approaching these new services and partnerships with sound due diligence. Retail payments will continue to change going forward, with disruptive services and nonbank firms appearing in ways we cannot predict. I think it will continue to be an exciting area to watch for a long time.