Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
October 29, 2012
Crossing the Border: More Reason to Check Your Pockets
It's no secret that cross-border travel has involved a lot more restrictions since 9-11. Declaration of assets and physical inspection of luggage and other items are expected, as well as tedious and unpleasant, aspects of a vacation or business trip. That could change soon and not for the better, under a new rule proposed October 2011 by the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). The new rule would require travelers to add the balances of prepaid cards to declaration reports.
While issuing such a rule sounds reasonable in theory, enforcement is likely to be another matter. Unlike checking the content of physical items, digital value stored in or accessed by a plastic card or a mobile phone is difficult to measure. How can you tell how much money is loaded on the prepaid card to validate the declared value? In fact, how will enforcement officials even distinguish prepaid cards from credit and debit?
FinCEN's proposed rulemaking expected to be final soon
FinCEN's Notice of Proposed Rule Making (NPRM), expanding the scope of its cross-border reporting requirements to include "tangible prepaid access devices," is poised to assume its final form, some expect as soon as the end of the year. Currently, travelers have to report aggregated cash and other monetary instruments exceeding $10,000. The premise behind this requirement is that it prevents money laundering and criminal-terrorist financing by enabling the traceability of currency and its equivalents, and hopefully eliminating anonymous flows of money into and out of the United States.
Previously, FinCEN issued a rule recognizing the advanced innovations in prepaid payment methods and the subsequent need to expand the definition to include all form factors backed by prepaid value, in addition to cards. That rule also changed the payment method definition from "stored value"—implying value stored digitally within the form factor—to "prepaid access," a term that more accurately describes the process for electronic retrieval of prepaid funds maintained by the payment provider.
Handheld readers at borders and airports?
According to comments published in response to the NPRM, the Department of Homeland Security is working on a "handheld reader with features that will, among other things, allow law enforcement to quickly and accurately differentiate between a traveler's debit, credit, and prepaid products…in a manner which imposes minimal to no inconvenience to individuals and complies with U.S. laws, regulations, and procedures." Furthermore, according to the comments, the enforcement challenge is not new, nor is the concept of a device or document that can be used to access value. The current challenges are similar to those presented in the past with other monetary instruments such as checks, money orders, and traveler checks.
Still keeping an eye on bulk cash
A recent study conducted by U.S. and Mexican officials reported that stored-value and prepaid cards are "potentially powerful means for both transporting and laundering money," but still found that the majority of illicit funds movement across the U.S. and Mexican border takes place in the form of bulk cash. In fact, most of the criminal movement of funds does not involve laundering, which is typically accomplished by first depositing illicit funds into a bank or business before moving it. This is particularly important in addressing criminal terrorist financing that may only involve transport. It will be important for regulators to strike a balance between proactive enforcement in addressing crime in electronic channels and effective management of more basic schemes involving the transport of cash across borders.
Many questions still remain
Many commenters to the NPRM have expressed opposition to the premise that prepaid access devices should be classified as monetary instruments since they merely access funds held at a bank or financial institution. When law enforcement takes possession of a cash or monetary instrument at the border, they are effectively holding the funds, but not so with a prepaid card or other device. Holding the card does not provide access to the underlying funds. Furthermore, the legislation is easy to evade. According to a comment from the Network Branded Prepaid Card Association, "a card can truthfully be reported as having just $1,000 on it; and then two hours later, the card can be loaded with funds from another location and have $15,000 on it."
Commenters also suggested alternatives that would focus the final-rule decision making on more effective measures, such as carrying a large number of cards, particularly if the cards are not embossed with the cardholder's name. For example, a person carrying more than 20 nonpersonalized cards would have to declare the aggregated value and be prepared to address questions by border patrol agents. Such a measure could avoid the need for high-cost readers and the potential privacy issues that may ensue if the final rule is issued as proposed.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Crossing the Border: More Reason to Check Your Pockets:
October 22, 2012
Ignorance Is No Excuse--Or Is It?
Last time I got a speeding ticket (just for the record, it's been a very long time), the officer didn't care that I didn't realize the speed limit was only 35 mph. As he told me, ignorance of the law is no excuse for breaking the law. Contrast that with consumer payments protections. Consumers can practice unsafe computing and expose their account information, yet regulations still protect them if an unauthorized payment is made using the information the consumer revealed. Although an unauthorized payment is transacted by someone else, the consumer, through his or her own behavior, may be aiding and abetting the lawbreaker.
As we study different payment types and channels here at the Retail Payments Risk Forum, a consistent theme has emerged: consumer behavior plays a significant role in payments issues, and consumer education is the antidote. Although the consumer may be protected from financial consequences even when they engage in unsafe online behavior, it is in everyone's best interest, including the consumer's, if the consumer is armed with enough information to behave safely and responsibly.
Take card payments and the conversion under way to EMV standards. As the cards are converted to a chip and reissued to consumers, the consumer will need to understand where and how the card can be used. Education will be critical if the chip implementation also includes the use of PINs. A recent analysis by DataGenetics shows that nearly 27 percent of PINs can easily be guessed by attempting 20 simple combinations such as "1234" or "0000." PINs can be an effective authentication method, if only the consumer is thoughtful in choosing a hard-to-guess PIN.
Consider ACH payments and the dreaded account takeover. The information used to perpetrate an account takeover is sometimes gained through malware that enables key logging. The malware is installed on the consumer's computer most likely because of the consumer's unsafe computing practices, such as clicking on unfamiliar links and opening attachments sent by suspicious or unknown sources.
The same is true for the emerging mobile channel, essentially a handheld computer with security considerations similar to the online channel. The September 2012 GAO report on Mobile Device Security concludes, "Mobile devices face an array of threats that take advantage of numerous vulnerabilities commonly found in such devices. These vulnerabilities can be the result of inadequate technical controls, but they can also result from the poor security practices of consumers." The report recognizes that many education and awareness efforts, both public and private, have occurred or are underway, but it remains unclear whether those efforts have raised consumer security awareness or had any beneficial effect on the security of the mobile device.
Diagnosing is the easy part...
While it's easy to recognize that consumer behavior is a problem in electronic payments, the solution of providing consumer education is elusive. As it turns out, financial institutions are in a good position to provide education. For one thing, consumers tend to trust their financial institutions, with their financial information and with their privacy. From a practical standpoint, financial institutions are commonly the connection point between the consumer and these payment types. However, the traditional connection point of the branch is evolving to the online and mobile channels.
So what can financial institutions do to better educate consumers in the new digital and mobile environment? They already devote significant resources to providing education, but the effectiveness of these efforts can be questioned as the incidences of fraud appear to be rising. Are there best practices for consumer education in the non-face-to-face environment that financial institutions should employ to positively impact fraud?
By Mary Kepler, vice president and director of the Retail Payments Risk Form at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Ignorance Is No Excuse--Or Is It?:
October 15, 2012
When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore
This post features a discussion with Terri Sands, senior vice president of electronic banking and fraud management at State Bank & Trust Company in Atlanta, on the landscape for risk management for community banks.
P&R: Terri, we talk a lot about how payments are migrating from paper to electronic methods. How does this affect community banks in payment services today?
Terri Sands: It wasn't long ago that community banks viewed fraud as an issue reserved for their larger brethren. Smaller institutions were able to deal with one-off issues such as the occasional stolen checkbook or bank card or other fraudulent transactions on a case-by-case basis. And while those events may have added some expense for the community bank's bottom line, it was rarely viewed as a material event affecting the institution and its brand.
But over the past several years, fraud's impact on community banking significantly changed. Fraud has become a constant threat to financial institutions and other industries regardless of the size and complexity of the organization. In the midst of increased attacks on financial institutions and their customers' accounts, the industry has become increasingly concerned over how to effectively protect against fraud. Basically, you can't read the newspaper or read e-mails without some form of fraudulent attack that has hit the financial sector—some are minor, others are major. However, when fraud hits close to home, it is always significant, regardless of the dollar amount.
P&R: We've been hearing a lot about corporate account takeovers in recent years. Is this affecting community banks, and what can they do about it?
Sands: For community banks, corporate account takeover attacks initiated by computer viruses have become a particularly sinister problem. In those circumstances, a corporate customer has inadvertently installed a virus on a computer by clicking on a link embedded in an e-mail that then provides a fraudster with critical online banking credentials. The fraudster uses the online banking credentials—that is, the user ID and password—to reroute credit transactions to an account and then immediately withdraws funds or pays a "money mule" to withdraw the funds and wire the money to a designated account.
Corporate customers may not even realize their money has been stolen until they check or the bank checks the account. Regardless of how this virus occurred, the customer may feel uncertainty about security and about the bank's ability to protect their money in the future. So for many community banks, this type of fraud has truly been the turning point as it is hitting their customers and therefore hits closer to home—it has become reality.
Community banks have the same fraud risk management responsibilities as the larger banks. They should network with the industry and law enforcement to share information on attacks in an effort to collaborate on mitigation strategies and share intelligence about other types of attacks affecting their customers. This is a great way to further enhance any bank's risk and fraud management program. Community banks should also include customer education as part of an effective fraud management strategy, to help them to be more proactive in their own defensive practices to ward against fraud. Of course, as the industry is well aware, the interagency regulatory guidance published in June 2011 on authentication in an online banking environment also provides community banks with a roadmap for assessing a bank's risk profile and ensuring adequate protection against risk vulnerabilities.
P&R: Is fraud mainly an online problem today?
Sands: Fraud can happen online or offline. The risk may result from a simple form of social engineering such as a phone call or e-mail attempting to gain customer information or from an internal gap in the payment process that can be exploited. Either way, fraud management is not a one-time fix but an ongoing process. Community banks must remain ever-vigilant in efforts to protect consumers from risk of fraud and possible financial loss.
TrackBack URL for this entry:
Listed below are links to blogs that reference When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore:
October 1, 2012
Summer Is Gone, but ACH Fraud Remains
As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.
In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.
Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:
- ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
- ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
- RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
- RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
- RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.
In addition to Deborah's suggestion, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.
The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Summer Is Gone, but ACH Fraud Remains:
- What Would Happen If the Lights Went Out for a Long, Long Time?
- Improving Customer Authentication: Is the PIN Past Its Prime?
- Follow the Money!
- Mobile Financial Services Are Still Growing
- Be Careful, Be Very Careful
- "I want to be alone; I just want to be alone"
- Combat Gear for Tax Season
- Same-Day ACH: A Call to Action
- Continuing Education in Mobile Payments Security
- The Insider on the Outside
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud