Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
February 1, 2016
Putting All Our Payment Eggs in a Single Basket
More than 60 percent of risk managers at financial services firms believe the probability of a global, "high-impact event" has increased of late, according to a new survey from the Depository Trust & Clearing Corporation. Worry over actual or potential cyberattacks underpins this belief. In a discussion about the survey, a colleague lamented the invention of computers and wished that our financial transactions hadn't become so dependent on technology. At first I thought to agree until it dawned on me that this thinking is tantamount to tossing the baby with the bathwater.
The problem revolves around thieves, not their tools. We have never been free from worry over theft, and this was true when our best computer was an abacus. When the Aztecs used chocolate for money, counterfeiters of the day took the cacao bean, separated the original contents from the husk, and repacked it with mud. And still, in any place where commerce is overly cash-based, thieves tend to concentrate their efforts, targeting the most vulnerable with everything from counterfeit notes to outright theft. The digital age did not usher in larceny; thieves have always stolen, and hiding from computers won't insulate us from bad guys.
But hold up, you say. A block chain—the part of bitcoin technology that ensures anonymity—just might insulate you. Not to take away hope, but what have we ever invented that hasn't been hacked, cracked, or abused? I can think of nothing, no matter how cleverly conceived or well defended, that isn't eventually defeated.
I don't despair over it all and will say why in a moment, but first I need to note that even with a long list of advances, both in how and what we exchange, the new has not eradicated the old. Coins survived the advent of paper. And despite decades-old, recurring predictions of their looming demise, both coins and paper have survived the magic of computing. As a result, despair gives way to cheer. There are options, and plenty of them.
Options—different forms of payments based on diverse platforms and premises—make for textbook risk mitigation. First of all, what survives gets better. It must so that it can survive. Consider what bills look like today, with their numerous anticounterfeiting elements, compared to what they looked like 20 years ago. Or consider when checks dominated fraud conversations and contrast that to their relative (un)importance in fraud conversations today. Moreover, multiple payment channels and options mean less concentration of risk. To the extent that cash, checks, and more remain—"cyberstuff" too, but with the cyber-world diversified, not overly consolidated—risk can be spread and hence reduced.
An advanced society that wants to endure, stay resilient and strong cannot rely on only one means of exchange based on only one platform. For those wishing for one or just fewer, more modern payment solutions (with apologies to all paper haters), my advice is be careful what you wish for. For the average consumer, my advice is pay attention to the "payments intelligentsia" and be wary of pushes for an advanced, universal, singular way to do payments. Be particularly wary of changes that aren't being called for by the market itself. We can never eliminate risk but we can mitigate it and minimize the extent that bad people can create widespread trouble.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
January 25, 2016
Waiting for the Other EMV Shoe to Drop
The EMV, or chip card, liability shift for point-of-service (POS) transactions began on October 1, 2015. The sun continued to rise and set each day thereafter, despite the predictions of a few that EMV conversions would bring retailer POS checkout processes to a grinding halt and create major consumer dissatisfaction. Sure, there have been some issues around longer card transaction processing time and, some retailers chose to defer their EMV implementation until after the holiday buying season. But, all in all, the terminal and card conversions have moved steadily forward.
In the United States, there are an estimated 410,000 to 425.000 ATMs operating with 55–60 percent of them owned by independent (non-financial-institution) deployers. The impact of the next EMV liability shift on October 1, 2016, might be more significant, especially for these independent ATM operators. On that date, an ATM that accepts any MasterCard-branded card must be EMV operational or the ATM owner will face liability for any fraudulent transaction performed with a counterfeit MasterCard. Under current network rules, the card issuer currently assumes 100 percent of fraud losses from ATM withdrawals made with a counterfeit card. While Visa's timetable for ATMs to be EMV operational is not until a year later, since virtually all ATMs in the United States accept both Visa- and MasterCard-branded cards, the earlier timeline for MasterCard essentially forces all ATM deployers to be ready. While the liability shift is not a mandate, it is expected that most ATM deployers will make their ATMs EMV operational to avoid being saddled with the additional liability.
For the independent ATM owner, their decision to upgrade, maintain, or remove a particular terminal is a challenging one. Their terminals are generally the more simplified table-top cash dispensers rather than the fully function ATMs installed by financial institutions. They are often installed in convenience stores, restaurants, bars, and other specialty retail locations. While their purchase cost is substantially less than full-service, heavily armored ATMs, their average transaction volume is also substantially less due to their location and the foreign transaction fees imposed by most cardholders' financial institutions. Their revenue comes primarily from an ATM surcharge fee and a dwindling network interchange, out of which they have to pay all their operating expenses, including rent to the retailer where the ATM is located. An ATM generating $100 a month in net profit is considered a successful ATM. The cost to upgrade such a terminal is highly variable depending on its current hardware and processing capability, but just the cost of an EMV card reader, its installation, and testing is generally in the $500 to $800 range. The older cash dispensers may not be suitable for upgrades.
This industry has seen its cyclical periods of prosperity and austerity over the last 15 years, with its financial challenges generally centered on the hardware and software upgrades related to regulatory compliance—first with Y2K compliance, then with the American with Disabilities Act (ADA), Triple DES, PCI, Windows XP nonsupport, and now EMV. As occurred with these earlier technology upgrades, the industry is seeing further consolidation of ATM terminal portfolios. A number of industry observers share my prediction of a contraction in the ATM installed base by as much as 15 percent by the end of 2016 due to further bank consolidations and the cost impact of the EMV upgrade. Since cash operations is a major function of the Federal Reserve System, we will be watching this impact with considerable interest.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 19, 2016
Mobile Wallets: Is This the Year?
In our 2015 year-end retrospective post, we commented on the slow pace of adoption of mobile payments despite the introduction of several major mobile wallets. While some consumer research continues to point to widespread consumer usage of mobile wallets in the coming years, we have seen similar projections from past research fail to materialize.
So what have been the major barriers to adopting mobile wallets? And for those who have adopted them, what functions are the most important? As I have noted before, I am a firm believer in former Intel CEO Andrew Grove's 10X rule: a new technology experience must be at least 10 times better than the previous method to achieve widespread consumer adoption and usage. A number of different elements—speed, cost, convenience, personalized experience, ease of use, and so on—can all contribute to achieve that 10X factor. Another critical element is the consumer's trust in the security of the wallet to ensure that payment credentials and transaction information will not be compromised in some way. The market research and strategy firm Chadwick Martin Bailey (CMB) conducted mobile wallet research in March–April 2015 on a nationally representative sample of smartphone owners and specifically asked mobile wallet nonusers what were their particular security concerns. As the chart shows, identity theft and the interception of personal information during the transaction were the top two reasons given.
The tokenization of payment credentials goes a long way to providing a higher level of security, but a major educational effort is required to relay this knowledge to consumers to increase their level of confidence. The CMB study found that 58 percent of nonusers would be somewhat or extremely likely to use a wallet if tokenization of their payment account information were performed.
But is it enough to convince consumers that mobile payments are more secure to significantly speed up adoption and usage? Mobile wallet proponents have been saying for years that the mobile wallet must deliver more than just a payment function, that it should include incorporate loyalty, couponing, identification, or other functions.
So if the desired end state is known, why is it taking so long for the mobile wallet providers to achieve that winning solution? The retailer consortium MCX is going into its fourth year of development and has just recently begun a pilot program of its CurrentC wallet in the Columbus, Ohio, market. Two of MCX's owners and major U.S. retailers, Walmart and Target, have announced in the last couple of months their plans to develop and operate their own mobile wallet. While these companies still profess their support of the MCX program, have they concluded that a common mobile wallet solution among competing retailers doesn't meet all their specific needs? Or is it a desire to offer their customers a wider choice of shopping experience options and differentiate their experience? Or is it another reason altogether? Only time will tell.
So do you believe that 2016 will be the year of the mobile wallet? Let us know what you think.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 11, 2016
Prisoner Release Cards: How to Protect the Interests of Recently Released Inmates?
I recently watched a late-night comedian criticize prison reentry programs in the United States. The segment focused on the resources—or lack thereof—that are provided to released inmates. One of these resources, I have recently learned, is increasingly a prepaid card.
Upon imprisonment, inmates are given a trust account to hold money that they receive for prison work and from family and friends. When they are released, they may also receive start-up funds to help with the reentry process. According to the Federal Bureau of Prison's Inmate and Custody Management Policy, "an inmate being released to the community will have suitable clothing, transportation to inmate's release destination, and some funds to use until he or she begins to receive income. Based on the inmate's need and financial resources, a discretionary gratuity up to the amount permitted by statute may be granted." While the policy expands the details of what constitutes suitable clothing and the method of transportation, there is no mention of how to disburse funds to the released individuals.
Enter prison-release prepaid cards. Many state and federal prison systems enter into contracts with prepaid card providers pursuant to a public bidding process to provide prison release funds through a prepaid card as an alternative to cash or checks. This shift in disbursement methods may be attributable to concerns about cash controls in the prison setting and the high check-cashing fees some inmates who lack traditional bank accounts incur, to name a couple of possibilities. Regardless of the disbursement method that the correctional agency chooses, this vulnerable population depends on every last penny.
Some people maintain that account fees are too high on these prepaid cards and that agreements with cardholders contain forced arbitration clauses. Could the correctional agency negotiate better terms on behalf of the released prisoner? Or could the inmate possibly be given options for the trust fund distribution—cash, check, prepaid card, or even a Paypal account?
A late-night comedian may have the ability to isolate one slice of the problem with prison release programs, but our regulations shouldn't piece together a solution to an overarching issue. Likewise, there are challenges with creating blanket regulations for a product category like prepaid cards that contains many different products meeting a wide variety of distinct needs, each with unique characteristics and different users. Isn't the goal is to provide released prisoners the freedom to use money that belongs to them, as for any other citizen?
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Putting All Our Payment Eggs in a Single Basket
- Waiting for the Other EMV Shoe to Drop
- Mobile Wallets: Is This the Year?
- Prisoner Release Cards: How to Protect the Interests of Recently Released Inmates?
- The Year In Review
- Help Determine the Payment and Fraud Data You See Reported
- Down and Out in Myanmar
- Inquiring Minds Want to Know More about Card Fraud
- Half Full or Half Empty?
- Bitcoin's Bright Side
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud