Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
March 27, 2017
Don't Forget the Check
As the data in the recently released Federal Reserve Payments Study show, the decline of check usage continues—albeit at a slower rate than what past studies found. Despite the rapid decline in volume on the consumer side over the last 15 years, the check remains a key payment instrument for business customers. According to the study, in 2015, consumers and businesses wrote more than 19 billion checks representing $27.3 trillion.
While the share of the number of checks (12 percent) is dwarfed by the number of other noncash payments (debit/credit/prepaid card and ACH), which continue to grow, the check remains a key target of criminals. For that reason, we need to maintain, if not enhance, risk monitoring. Criminals use the check both to conduct fraudulent transactions and to launder money. The Financial Crimes Enforcement Network reports that the number of Suspicious Activity Reports (SAR) involving checks continues to increase. That number has grown more than 141 percent since 2013, as the chart shows. Also, checks are 71 percent of the total—by far the most common payment type of all the SAR categories.
In addition, the Association for Financial Professionals notes in its 2016 Payments Fraud and Control Survey that checks remain the most targeted payment method. Seventy-one percent of the 627 responding companies reported successful or attempted check fraud on their business accounts in 2015. The survey also found that checks accounted for the largest dollar amount of loss of all the payment methods, including wire transfers. On a positive note, the percentage of companies actually suffering a financial loss from check fraud declined from 57 percent in 2013 to 43 percent in 2015.
Checks remain a target since they are so easy to counterfeit or alter compared to electronic items. While much of the risk management effort focuses on electronic payments, be sure not to forget about the paper check. It is obvious the crooks haven't.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 20, 2017
Fraud Reduction at the IRS: Some Happy Returns
On a regular basis, Retail Payments Risk Forum members get asked, "What is the most significant risk facing the industry today?" While we often have lively, wide-ranging discussions on payment matters, we quickly reach consensus when asked the aforementioned question. Generally speaking, we would all answer "cybersecurity" (as would many other experts).
To fully understand the significance of cybersecurity, we have to explore other root risks. For payments, one of the largest issues is cybersecurity attacks that aim to steal identities. Identity theft is a not a new issue, but, more than ever, it's attached to cybersecurity. In the spirit of tax season and identity theft, I‘d like to provide an update on the recent efforts of the IRS Security Summit as it works to protect the industry from identity theft related to tax fraud.
Last year was the first full year for the IRS Security Summit and its seven work groups. Thanks to this industry collaboration, the IRS received 237,750 new identity theft affidavits between January and September 2016—50 percent fewer than what the IRS received during the same period in 2015. In addition, in 2016, the IRS stopped 50 percent more fraudulent returns from processing compared to 2015, preventing $7.2 billion in fraud losses. Even more promising is that fewer fraudulent returns actually made it to the IRS in the first place.
These results show improvements at each point of the tax refund cycle by the combined efforts of tax professionals, state tax agencies, financial services partners, and designated IRS personnel. Several tactical approaches the work groups are developing include:
- Identification of data elements transmitted on both business and individual tax returns that can be used to identify fraud
- A program to allow financial institutions to flag suspicious refunds before they are deposited
- The requirement for tax software products to improve password practices and customer validation procedures
- A new W-2 verification code for taxpayer authentication
- The External Leads Program for suspicious refund returns
- National education and awareness campaigns
- National Institute of Standards and Technology Cybersecurity Framework for the tax industry
- The creation of a cyber-threat assessment tool
This year, the IRS Security Summit is continuing its work with efforts cyber in nature. In January, the summit launched the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (IDTTRF-ISAC). This association will issue early warnings, identify fraud schemes, assess threats, address cybersecurity issues, and provide better data for law enforcement. While the design work for the IDTTRF-ISAC is still in progress, the work group has already reviewed the sharing practices followed by the Department of Health and Human Services and the Federal Aviation Administration. To provide the tax ecosystem a highly secure, web-based information exchange will require dedicated, well-qualified analytic and cybersecurity professionals to join an already effective, mostly volunteer task force.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 13, 2017
Phone Scams and Phishing
According to a recent report from the Anti-Phishing Working Group (APWG), more phishing attacks were recorded in 2016 than in any prior year since the group began monitoring in 2004. The APWG defines phishing as a criminal mechanism employing both social engineering, often through the use of email, and technical subterfuge to steal consumers' personal identity data and financial account credentials.
While phishing attempts through electronic channels are undoubtedly up, the telephone call remains a valuable tool for fraudsters. The Federal Trade Commission (FTC) just released its 2016 Consumer Sentinel Network Data Book and revealed that of the fraud-related complaints it received in 2016 with the method of initial contact reported, 77 percent of the respondents claimed that initial contact was made via telephone. Only 8 percent reported email as the method of initial contact. Thinking broadly about these reported trends by the APWG and the FTC, I have two observations:
- No doubt phishing emails are a growing concern based on the data from the APWG. The FTC data just might reveal what I have been hearing for the last few years: the sophistication of phishing schemes is increasing each day. About 45 percent of the fraud complaints filed with the FTC did not report the method of initial contact. Maybe these individuals did not want to report that information. Or with the increasing sophistication of phishing emails, perhaps many of these individuals still do not realize that email was in fact the entrée for fraudsters to obtain payment, personal, or financial information. Educating the public and our employees to recognize phishing emails is vitally important.
- Phone scams are likely to increase as chip-enabled EMV cards and their acceptance become more widely adopted, making it more difficult for fraudsters to conduct counterfeit card fraud. Look no further than the United Kingdom, where the Financial Fraud ActionUK's Fraud The Facts 2016 report notes that overall financial fraud increased by 26 percent from 2014 to 2015, due in large part to the growth of impersonation and deception scams. It further notes that these scams typically involve a phone call, text message, or email. With the FTC reporting a 40 percent increase in the number of fraud complaints from 2014 to 2016, with the telephone being the initial method of contact, it is imperative for individuals to carefully handle calls before providing sensitive information.
The Retail Payments Risk Forum often stresses the importance of consumer education, as fraudsters often see the consumer as a weak link. Education is critical to preventing individuals from falling for phishing emails or phone scams. We strongly encourage individuals to exercise caution before opening attachments within emails or sharing personal or financial information over the phone. And before making good on an unexpected payment request from an email or phone call, it's a great practice to directly reach out to the payee through a known legitimate email address or phone number. For more information about recognizing and handling telephone scams, visit this FTC web page.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 6, 2017
Asset Size Matters in Survey Responses
A January post highlighted some of the key findings of the 2016 Mobile Banking and Payments Survey conducted in the Sixth District. The post and the related survey report segmented the findings between banks and credit unions to help financial institutions setting strategy for mobile banking and payment services.
As promised, we analyzed the results to each of the questions based on the reported overall asset size of the responding financial institutions broken down into five asset range segments. The table shows these segments and the percentage breakdown of the 117 respondents by each segment.
You can find the supplemental data for all the survey questions here. One of the most striking differences among the segments is the institutions’ plans to offer mobile payment services. As the chart shows, the smaller the financial institution, the more likely it is to have no plans to offer mobile payment services within the next two years.
We hope this information will help financial institutions as they evaluate and plan their mobile banking and mobile payment services. Next quarter, we will publish a report consolidating all the data received across the seven Federal Reserve districts that participated in the survey. If you have any questions concerning the Sixth District results, please let us know.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- The Year(s) of Ransomware
- What Canada Knows That We Don't
- Calculating Fraud: Part 1
- Additional Authentication: Is the Protection Worth the Hassle?
- Would Consumers Ever Give Up Their Passwords?
- Will the Password Ever Die? Part 1
- Catch Me If You Can
- Governance Down Under
- Don't Forget the Check
- Fraud Reduction at the IRS: Some Happy Returns
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud