Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 23, 2016
What Would Happen If the Lights Went Out for a Long, Long Time?
In 1859, a massive geomagnetic solar storm known as the Carrington Event caused extensive damage to telegraph systems and other nascent electrical devices worldwide. Telegraph lines sparked and telegraph operators could send and receive messages without the use of electric batteries. The Northern Lights lit up the sky in all of North America. Though not widely reported, on July 23, 2012 a massive cloud of solar material similar in magnitude to the Carrington storm erupted off the sun's surface, radiating out at 7.5 million miles per hour. Fortunately the impact of the solar storm missed Earth by nine days because of the Earth's orbit position.
One report estimates that a Carrington-level storm today could result in power outages affecting as many as 20–40 million Americans for a duration ranging from 16 days to two years at an economic cost of up to 2.5 trillion dollars. A research paper in Space Weather estimated the odds of a Carrington-level storm at about 12 percent over the next 10 years. Early warning of such a storm is possible since satellites can detect impending storms and have the potential to provide a minimum one-day warning before it hits Earth.
So what would happen if the lights went out in much of the United States because of such a cataclysmic event? One could anticipate serious disruption of electronic payments such as ACH, cards, and wire transfers in the affected areas and beyond. What would one do to facilitate commerce in such an emergency? Well, cash and, to a lesser degree, checks could come to the fore. Use of checks would be problematic given the electronification of checks, high risk of fraud, and overdrawn accounts if banking systems are not up and running. Cash would have fewer problems if it were on hand to distribute to the affected population. Perhaps cash accompanied by ration books could be used to mitigate hoarding.
For a low-probability extreme-impact event that results in cash becoming the only way, among existing payment instruments, for commerce to take place, what contingency plans are in place to ensure that consumers and businesses can obtain cash? Since the contingency systems we have in place to handle a future Hurricane Katrina or Hurricane Sandy are likely not sufficient for an extreme event of nationwide scale, some of the issues that need to be resolved include:
- How does one ensure that sufficient cash is on hand during an emergency?
- How is cash going to be distributed and accounted for along the supply chain with ATMs and bank offices and their core systems inoperable due to no electricity?
Addressing these questions and others involves a monumental effort, and I don't have a ready answer. Fortunately, cash solves the problem for small-scale, low-value payments during a long-term power outage. That is, during the immediate, in-person exchange, it is an instrument that doesn't require electricity, communication networks, or computers.
This and other major calamities have always made me concerned about the push in some quarters for a full transition to electronic payments at the expense of payments less reliant on electricity and our communication networks. As an engineer by training, it is in my nature to wonder what can go awry if failsafe systems aren't in place when the unexpected happens.
With the possibility of a catastrophic event in our lifetime, would you rather have cash in hand or a card/mobile app? As for me, I'm going to the bank to cash out my accounts and then on to the hardware store to buy a gas-powered electric generator. Just kidding, though I think serious consideration and appreciation is needed for the contingency aspects of cash when things invariably go awry.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 16, 2016
Improving Customer Authentication: Is the PIN Past Its Prime?
The Financial Fraud Action UK recently released its Year-End 2015 Fraud Update. This report, filled with fraud-related figures from a fully EMV(chip)-migrated country, provides insight into what the future of fraud in the United States might look like as we are approximately eight months into our EMV journey. And if indeed the United Kingdom’s experience is a harbinger of things to come in the United States, then I think there will be disappointment for anyone who thought EMV by itself would be a magic bullet. After I spent time studying this report, it became evident that customer authentication is the latest low-hanging fruit and fraudsters are having a feast.
Fraud losses on payment cards in the United Kingdom (£567.5m) are approaching pre-EMV migration levels, and fraud loss rates have increased above 8 basis points (0.08%), hitting a level last seen in 2009. Diving deeper, we find that:
- As expected, card-not-present (CNP) fraud losses represent a majority of card fraud losses (70 percent). Interestingly though, ecommerce spend volume grew faster than ecommerce fraud losses in 2015, suggesting that the industry made headway in its efforts to mitigate ecommerce fraud.
- Lost and stolen card fraud (remember, the United Kingdom is a PIN environment) increased more than 24 percent in 2015, reaching levels last seen in 2006. The report highlights distraction thefts through cameras or simply shoulder surfing as methods of fraudulently obtaining PINs.
- Card ID theft fraud losses, defined as losses from spend on fraudulently opened or obtained cards through stolen personal information, increased by 28 percent and are now approaching counterfeit card levels.
- A bit of good news is that counterfeit card fraud losses remain well below pre-EMV levels and fell even further in 2015—perhaps, as the report suggests, driven partly by the increased acceptance of EMV cards in the United States.
- Beyond cards, remote banking fraud losses (losses from Internet, telephone, and mobile banking) increased by more than 134 percent during the last two years, totaling nearly £169 million.
EMV is performing exactly as expected and doing a phenomenal job of authenticating payment cards in the card-present environment. Why are fraud losses increasing in a mature EMV environment? Because customer authentication remains a challenge, as is evident by rising fraud losses from lost and stolen cards, card applications with stolen identities, and remote banking.
Whether on the front end of authenticating the user during the account opening process or the back end of authenticating the user at the time of payment, authentication measures are coming up short, and these measures include PINs and passwords. Replacing passwords has been an ongoing conversation and likely may continue to be a conversation piece rather than a prolific action item. Yet there is a growing push for the use of PINs coupled with EMV cards here in the United States. While PIN authentication is an improvement over signature authentication, it, too, has its flaws. With improvements and advancements in new technologies such as biometrics, perhaps it's time for the industry to advance beyond PINs. Because of the current signature-laden EMV environment in the U.S., the timing is perfect.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 9, 2016
Follow the Money!
This catchphrase originated in the movie All the President’s Men. It is usually used in politics and means to follow the trail of corruption to the source. This catchphrase came to mind when I attended a panel discussion, “Cash Visibility & the Supply Chain: Tracking Your Cash,” at the NACHA Payments Conference last month in Phoenix. Besides the moderator from the Federal Reserve, the panel comprised a representative from GS1 US (the United States affiliate for the international standards body for supply chain management), a banker, and two big-box merchants.
Throughout the industry, cash handling is well-controlled and secure, but it can be inefficient and prone to error and duplicative work in the quest to minimize the ever-present potential for loss or theft. It is ironic that something as valuable and fungible as cash is tracked in some cases with less sophistication and efficiency than a package delivered to a consumer. State-of-the-art supply chain logistics that have long been in use for retail giants like Walmart and Target are just now being pursued among cash industry partners through the Cash Visibility initiative.
The idea behind this initiative is to apply the latest supply chain logistics to the collection, transport, reconciliation of deposits and orders, and distribution of cash among banks, cash processing facilities, merchants, and the Federal Reserve Banks. The Federal Reserve Banks are in the mix as the wholesale suppliers of cash to banks.
Depending on the type of big-box merchant, cash purchases at the point-of-sale can range from 10 to 25 percent or more of total payments. That's hundreds of billions of dollars in annual sales that need to be withdrawn and deposited at banks for retailers that deal in cash. The following is a representation of the proposed process for improving the wholesale and retail delivery of cash:
Source: GS1 US. Used with permission.
The panelists identified the following benefits once the system is widely adopted:
- Faster resolution of discrepancies between origin and destination
- Improved data accuracy with reductions of staff time, errors, and exceptions due to reduced manual data entry and paper records
- Value-added information on status and value of cash in transit
- Automated custody instead of manual paper-based systems that exist today
It was further noted that as the initiative gains traction, other improvements can be realized such as the depositor and receiver having real-time access to where cash is in transit and when it will arrive at its destination.
Various proof-of-concepts are being planned for later this year from the partners participating in this initiative. Partners include the Federal Reserve, financial institutions, armored carriers, retailers, and solution providers. One early finding at a cash processing facility where the concept was tested was an average reduction in staff time involved in cash handling from six hours to two hours. This web page offers more information on the initiative and how to get involved. Similar programs are under way in France and Germany.
Prior to the session, I would not have guessed there was any opportunity to advance the evolution of cash to a faster and more secure payment system.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 2, 2016
Mobile Financial Services Are Still Growing
The Federal Reserve Board's Division of Consumer and Community Affairs (DCCA) recently released its Consumers and Mobile Financial Services 2016 report. This annual research effort began in 2011 to measure the adoption and usage of mobile banking and payment activities by consumers and the use of mobile technology in making financial decisions. The latest survey was fielded in November 2015 with a respondent base of 2,510 adults age 18 and over, of which 1,064 had participated in both the 2013 and 2014 surveys.
Key adoption and usage findings from the survey include:
- The major barriers to mobile payment adoption remain the same as in previous studies—satisfaction with current methods of payment and concerns about security.
- Convenience is the most common reason given by the respondents for adopting mobile banking.
- Perhaps reflecting a positive effect of mobile phone security education, 70 percent of smartphone users indicated they password-protect their phone and 78 percent indicated they download applications only from their primary application store.
- Mobile phone penetration has remained consistent over the last three years at 87 percent of the U.S. population, although smartphones now account for 77 percent of mobile phones versus 61 percent in 2013.
- Ownership of smartphones is higher for Hispanics than for non-Hispanic whites in this survey.
- Usage of mobile banking services by those with mobile phones increased to 43 percent from 33 percent in 2013. Smartphone owners showed a higher usage rate of mobile banking, at 53 percent, but this rate was essentially flat from 2014.
- While usage of mobile banking has generally increased every year for each age group, younger consumers have consistently been the most likely users while the older segment has been the least likely, as the table shows:
- The most common mobile banking activity is checking an account balance or making a specific transaction, followed by transferring money between accounts and receiving an account alert.
- Despite the strong usage of mobile banking, more than 80 percent of smartphone owners with a bank account visited a branch or used an ATM over the last 12 months, while only 29 percent called their banks.
- Mobile payment activity still lags mobile banking activity. Only 24 percent of mobile phone owners had made a mobile payment over the last 12 months, compared to 43 percent of mobile phone owners with a bank account who used mobile banking. The study found that there is no clear relationship between mobile payment usage and income or education level. As in previous surveys, minorities make mobile payments at a higher rate than white, non-Hispanic consumers.
Additional findings from the survey as to security and privacy and the use of the phone in making financial decisions will be highlighted in future blogs. This survey provides valuable data in the ongoing evolution and adoption of mobile banking services and I hope you will read it in detail.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- What Would Happen If the Lights Went Out for a Long, Long Time?
- Improving Customer Authentication: Is the PIN Past Its Prime?
- Follow the Money!
- Mobile Financial Services Are Still Growing
- Be Careful, Be Very Careful
- "I want to be alone; I just want to be alone"
- Combat Gear for Tax Season
- Same-Day ACH: A Call to Action
- Continuing Education in Mobile Payments Security
- The Insider on the Outside
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud