Retail Payments Risk Forum
Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
Take On Payments
October 31, 2016
Of Piggy Banks and Bank Branches
Fall is my favorite time of the year. Football season cranks into high gear, pumpkins replace chocolate in my desserts, and excellent payment-related events take place with great published content. On the content front, this fall has not disappointed. I have recently read several excellent reports, including the FDIC's 2015 National Survey of Unbanked and Underbanked Households. Although the focus of the survey is on the unbanked and underbanked population, there are some interesting findings concerning banked households, including their methods used for accessing their accounts. After seeing these findings, I began pondering the question, why do I still visit a bank branch for my deposit account needs?
According to the FDIC survey, 75 percent of banked households use a bank teller to access their accounts. However, a teller is the primary or main access method for only 28 percent of banked households, suggesting that over 70 percent of households prefer to interact through a non-face-to-face channel. The other physical channel, the ATM, is the primary access method for only 21 percent of banked households. The FDIC found that online and mobile banking usage is lower than the physical channels; however, nearly 50 percent of banked households' primary method of access to their account is digital (online or mobile). So while a majority of banked households still visit a physical location to access their accounts, almost half of them prefer to access their account digitally.
As I think about my own banking practices, I visit physical banking locations less and less. I will drop in to make a check deposit, but only if I am running errands and a physical location just happens to fall on my route. Or sometimes my kids want a sucker and I know my local branch will come through. They have even provided my children with piggy banks during visits! I use mobile check deposit more often than not. I still visit ATMs, but those interactions are substantially fewer today thanks in large part to being able to obtain cash back via my debit card at a number of retailers.
So I will visit a branch for my deposit account needs if it is convenient for me while running errands or if my kids want candy or some other treat. And these two reasons aren't necessarily sustainable. I am running fewer errands as more of my shopping takes place in the digital world (and my phone is becoming more convenient for check depositing). And unfortunately, I am not getting any younger, which means my children are growing up, and as they do, suckers and piggy banks will more than likely not stir up as much excitement as they currently do.
As a traditionalist, my past thinking led me to believe that the demise of bank branches was overblown. However, my thinking has changed. The bank branch will not disappear overnight or completely in the long term, though indications are that the number of branches will decline. As I contemplate the results of the FDIC study coupled with observations from my own behavior, it becomes obvious to me that the physical importance from a deposit account perspective is being diminished in this digital age. I am not sure what the branch of the future will look like, but I feel confident in saying that tellers, and even ATMs, focusing on deposit accounts will not be primary reasons for consumers to visit. Why will you visit your local branch in the future?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 17, 2016
EMV Comments That Make Me Cringe
Some aspects of the chip card implementation in the United States certainly make us frustrated. For one, the customer experience could be seen as slightly more negative because of the longer transaction time and confusion about the debit card selection menu. However, at several payments conferences I have attended recently, I have heard comments made by speakers and panelists about EMV chip cards and their technology that caused me to cringe a bit. I understand that a number of stakeholders are not proponents of EMV technology for a variety of reasons and, while some parts of their comments are factually accurate, they certainly are not "the truth, the whole truth and nothing but the truth."
Cringe #1: The United States is implementing 20-year-old-technology with EMV chip cards. Yes, the first EMV specifications were publicly released in 1995. But isn't that like saying that the gasoline-powered automobile is technology that is 130 years old? Microsoft's first release of Windows was in 1985. Do we hear complaints about it being 30-plus years old? The reality is that the EMV specifications, like practically all software development, are continually updated over the years with enhancements continuing as long as the software is still being supported. The EMV specifications are now at version 4.3, released in November 2011, with 20 supplemental bulletins issued since then and more on the way.
Cringe #2: EMV (chip) cards haven't solved the card-not-present (CNP) fraud problem. Again, this is an accurate statement. CNP card fraud is the second largest category of fraud losses in the U.S. (see the chart). But, the statement is misleading inasmuch as the EMV specifications and chip cards were never intended to address the CNP ecommerce environment. Counterfeit card fraud, whereby the criminal produces a card using data obtained from a skimmer or data breach, has been the number-one source of card-present fraud in the United States. It was this type of card fraud that the chip card was designed to target, and, from all accounts to date, it has been highly successful in doing so.
Source: Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, Aite Group, July 2016
Cringe #3 – Using a PIN improves the security of the chip card. While a cardholder using a PIN in lieu of a signature does clearly result in a lower level of fraud losses, the claim is somewhat of an apples and oranges comparison. The chip on the card authenticates the card itself, while the use of a PIN is intended to authenticate the cardholder performing the transaction. These are two separate types of authentication which, when combined, make the transaction more secure—a good thing. The use of a PIN should result in lower lost/stolen card fraud as it invokes two-factor authentication—something you have (card) and something you know (PIN).
Are the current EMV specifications perfect? Of course not, and that is why there are constant efforts to identify ways to improve them. But one must recall that the EMV specifications provide global interoperability and must be developed keeping that requirement in mind. What are your thoughts on the EMV specifications and how they can be improved?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 11, 2016
Taking a Quantum Leap into Payment Security
It was 1969, and the only thing hotter than muscle cars was space exploration. Several of my elementary school books found ways to talk about space, astronauts, NASA, or all of them, and more than one almost guardedly indicated that someday man may even reach the moon. Those of you who recall black-and-white TV might remember watching the moon landing live in the summer of '69.
Despite all that was speculated and wondered about at the time—from extraterrestrials to moon colonies—the space race had been "won." There followed a decline in related interests and, ultimately, a moderating of investment in basic scientific research. One of those sciences, quantum research, is of particular note in regards to potential commercialization for computing and communications. And we're behind like we were in the space race in the early 1960s.
NASA research and development (R&D) appropriations in 1959 were about $200 million. By 1966, R&D totaled almost $5 billion, according to the NASA Historical Data Book for 1958–1968. U.S. federal funding for quantum research each year is just barely what space R&D totaled in 1959. Those numbers offer their own stark contrast, but I'll add one other point of comparison—between what we're spending in this area versus China—one of only three countries to ever soft land on the moon, and now the first to launch a quantum communications satellite. Their annual funding has been conservatively estimated at over $10 billion, according to the Wall Street Journal.
To explain why a payment blogger cares about all this, I'll ask a couple of questions. What would it be worth to have a payment scheme based on "unhackable" communication? Impossible? Maybe not.
Quantum communication is secure against computing because its encryption relies on physics, not math. Josh Chin's August 16 article in the Wall Street Journal explained it this way:
Quantum encryption is secure…because information encoded in a quantum particle is destroyed as soon as it is measured. Gregoir Ribordy…likened it to sending a message written on a soap bubble. "If someone tries to intercept it when it's being transmitted, by touching it, they make it burst," he said.
There are critics. U.S. security experts have questioned whether intricacies of quantum communication can be simplified enough for practical, broad use. Others have stipulated that it's possible for hackers to trick incautious recipients. Indeed, this blogger has espoused the idea that nothing is infallible against a determined criminal. But it's hard to argue the advance wouldn't change the game. One might speculate that quantum communication could yield results similar to those described in the etiological tale of the Tower of Babel where languages were confused. Mischief wasn't halted for all time, but altering communication put some pacing on misbehavior. Changing the game, wholesale, is worth considering as the evidence is overwhelming that we're losing in payment security by making changes at the margin to current schemes, methods, and processes.
I'll close with this. Substantial sums of federal money were spent on infrastructure, R&D, policing, and defense owing to the space race. I think most will agree we got our money's worth, especially considering that aside from stated objectives, investing in the space race gave us everything from microchips to satellite navigation—and let us not forget CorningWare. Investing in quantum research holds similar promise, and payment security might benefit from some catch-up.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
October 3, 2016
Looming Questions with the Rollout of NACHA's Mandated Same-Day ACH Rules Change
On September 23, phase 1 of NACHA's three-phase rules change took effect, mandating two same-day ACH clearing/settlement windows for credits only. The subsequent two phases add debit payments in 2017 followed in 2018 by receiving banks being obligated to make credit payments available to receivers by 5 p.m. on the settlement day.
Prior to this change, using legacy ACH, one had to wait one business day for payments to clear and settle. A payment cap of $25,000 along with a mandatory interbank fee of 5.2 cents are other noteworthy differences for same-day ACH items as compared to legacy ACH. For some, these are unwelcome limits and fees, and time will tell the extent to which they stifle (or not) the service's growth. As the Federal Reserve's Financial Services website notes, a further limitation is that the federal government will neither originate nor accept same-day payments at this time, although plans are under way for their eventual participation.
I and others in the forum have commented on various aspects of this long-awaited enhancement here, here, and here. Now is probably a good time to proffer some questions for future consideration in helping to measure the success of this new venture.
- Will projections in the first 12 months of service match NACHA's expectations of same-day garnering one percent of total ACH payment volume? Furthermore, will volume trending point to NACHA achieving its projection of 1.4 billion same-day payments by 2027? Early numbers may be somewhat misleading if payment originators inadvertently send payments for same-day settlement that were intended to be settled the following business day.
- Whatever volume is achieved, will the primary payment use cases identified by NACHA be the actual drivers of same-day volume?
- Payroll for hourly workers, late and emergency payrolls
- Business to-business invoice payments with remittance information between trading partners that are under the $25,000 cap
- Expedited consumer bill payments using both ACH credits and debits for just-in-time and late payments
- Account-to-account transfers among accounts owned by the same consumer
- Given the 18-month full implementation, how will same-day ACH hold up against existing faster payment schemes that leverage such things as debit card networks that offer much faster payments or even new faster payment schemes that are not reliant on existing payment rails?
- How much, if any, will payment fraud increase with the availability of faster ACH?
- How will service usage be impeded, if at all, by originating banks passing along the cost of the interbank fee to their payment originators?
- Will the somewhat complicated eligibility requirements of no support for federal government payments, deferred debit, service and delayed funds availability slow adoption?
Despite these questions, there is reason to be optimistic. This is a major step forward for same-day ACH. What are your views on how these questions will eventually resolve themselves?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Don't Forget the Check
- Fraud Reduction at the IRS: Some Happy Returns
- Phone Scams and Phishing
- Asset Size Matters in Survey Responses
- Wouldn't It Be Nice to Tap and Pay?
- The Social Benefits of Biometrics
- The Five-Star That Flops
- ACH: No Trace Left Behind
- Pssst…Have You Heard about PSD2?
- Mobile Banking and Payments Survey Results
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud