Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
November 21, 2016
Are Mobile Phone Payments Secure?
A consistent and leading reason consumers give as to why they don't use their mobile phone to make payments is their concern about the phone's level of security. While many consumers don't believe that mobile payments are as safe as other payment methods, is that actually the case? For more than six years, the Federal Reserve Banks of Atlanta and Boston have been supporting the Mobile Payments Industry Workgroup (MPIW). The MPIW was created to facilitate the development of a vision for a mobile payments environment that will be effective, secure, and ubiquitous. This group has met frequently to address the issues of technology, standards, security, privacy, functionality, regulation, and adoption barriers. The various deliverables from past MPIW meetings focus on security and risk and can be found on the Federal Reserve Bank of Boston's website.
As this blog has noted numerous times over the last two years, the migration to chip cards for in-person POS payments will shift more fraud over to the card-not-present (CNP) market. With the introduction of numerous mobile wallets since 2014 that can be enabled on smartphones, the MPIW believed that an assessment should be made of the risk issues associated with commerce generated through the mobile phone—or m-commerce—whether through a browser or a specific wallet application. Over the last eight months, Fed representatives and mobile payment experts have been working on the development of a white paper, which was released on November 8. You can access the full report here.
The MPIW's report provides an assessment and the future position of mobile payments as a part of the overall e-commerce growth expected in the United States. It groups the various types of remote mobile payments into four use cases and dissects the transaction flow for each use case with a description of the potential risk attacks in each key function of the transaction. We believe the report provides the payments industry with a sound primer of mobile wallet transaction security issues. While there are attack points in the mobile phone channel just as there are in other payment channels, the mobile phone offers features that can make a mobile payment transaction much more secure than many people currently believe. The MPIW will continue to assess the mobile CNP payments environment and produce presentations and other materials intended to educate the industry and consumers.
You can find additional MPIW white papers and other publications on the MPIW web page.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 14, 2016
"Good, Better, Best" in Understanding Merchant Payments
The marketing mantra "Good, Better, Best" from Sears in selling different grades of merchandise at different price points might serve as a guide for segmenting quality levels of information needed in understanding merchant payments. While attending several merchant-focused conferences and trade shows this year, I began thinking about this mantra in relation to the dearth of even "good," rigorous information on the payments experience of the important retail trade sector of our economy. Payment information such as person-present and remote payments, successful and unsuccessful fraud attempts, use of technology, cost of acceptance, and other information by type of payment instrument is simply not widely available. In cases where some information exists, it isn't representative of the entire retail industry.
Currently, there is a wealth of information available on payments for the overall economy through the previous and pending release of the latest Federal Reserve's Triennial Payments Study, the first of which was compiled in 2000. But the focus of this study is the broader landscape, with individual sectors of the economy not examined in detail. Today, the Fed continues to collect and publish aggregate survey information from payments providers (including some private-label card issuance information from retail merchants) via the payments study and from consumers via surveys conducted by the Consumer Payment Research Center at the Federal Reserve Bank of Boston. However, there is no major representative survey of quantitative payments information about businesses, of which merchants are a critical part since so many payments are made by consumers for purchase of goods/services.
How important is the retail trade sector to the economy? Using figures from the U.S. Census Bureau, these charts show the 1.2 million businesses engaged in retail, accommodation, and food services. Collectively, the businesses employ 27 million people and produce annual sales of $5.4 trillion. More to the point, the lion's share of retail payment transactions are thought to be accepted via this sector of the economy, making it the sector to be impacted the most by payment economics and policy.
Many government entities, including the Reserve Bank of Australia, have surveyed merchants in their own countries. The Bank of Canada has a report due next year; the European Commission surveyed 10 European Union (EU) states; and the European Central Bank surveyed 13 EU states. Colleagues of mine at the Federal Reserve Bank of Kansas City offer a comprehensive review and compelling case for "Measuring the Costs of Retail Payment Methods" here in the United States.
Below are some of the benefits of conducting a merchant study in the United States. Doing so could
- Narrow the gap in tracking merchant payments and payment fraud information compared with other developed countries.
- Offer detailed breakouts of point-of-sale and remote payments that provide information on fraud and other losses prevented and actual losses incurred.
- Help identify efficiency-improving changes in retail payments and strengthen the understanding of payments end to end for a sector with high impact in payments.
- Contribute to social welfare analyses by providing more facts about merchant benefits, costs, and fraud risks associated with different payment methods.
Perhaps we should apply the mantra of retail and move from good or better to best. Perhaps we should aspire to doing the best reporting we can muster for this important sector of our economy. What are your views on the value of such an undertaking?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 7, 2016
The Downside of a Wide Paintbrush
Fall is the time of the year that I normally do my exterior home painting and touchup. During the summer, I noticed that my deck and stair metal support poles were a bit dull and had some rust spots, so that was to be my project. The poles have a 4-inch diameter, so I was in a bit of a quandary over the best width paintbrush to use—a 2-inch or a 4-inch. The 4-inch brush would provide faster coverage so my football-game-watching time wouldn't be compromised, but the 2-inch brush would give me greater control and reduce drips and splatters. I went with the expedient choice, and it turned out to be a mistake, as my coverage was uneven with plenty of drips and splatters.
I mention this story because I recently appeared at the National ATM Council's (NAC) annual conference. NAC is an industry trade organization representing nonfinancial-institution ATM owners/operators in the United States. I was asked to speak primarily about the Fed's research into the use of cash as well as the current chip card and terminal deployment status. After my presentation and in the subsequent days of the conference, I was approached by a number of owners/operators telling me that their banks had recently terminated their longstanding relationships; they were deemed to be "high risk" since they were in the currency business. Many were scrambling to establish new banking relationships and wondering why this was happening.
Being an old ATM guy, I was a bit surprised hearing about this action due to the built-in controls on ATM currency settlement and reconciliation that severely limit the ability for an ATM owner/operator to launder money through an ATM. It would be very easy for the bank to spot an imbalance if the money being replenished far exceeded the currency paid out by the ATM. There is still the concern, of course, regarding the initial load (deposit) to establish the account to ensure that those are legitimate funds, but that concern exists with the establishment of all banking relationships by any type of business.
Financial institutions certainly have the obligation to develop a risk management strategy and determine which types of business activities they deem acceptable versus those considered high risk. Supporting ATM operators with their currency needs could be considered a niche business with some unique requirements and may not be the best allocation of resources for all financial institutions. At the same time, bankers may not want to paint a business with the wide brush of "high risk" just because they deal with currency as a major part of their business operation. To do so may force many of these operators to shutter their units, which often are located in areas where there is not a wide choice of ATM locations.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed