Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
September 19, 2016
Mobile Banking and Payments—What's Changed?
This week, the Federal Reserve Banks of Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond are launching an online mobile banking and payments survey to financial institutions based in their respective districts. The purpose of the survey is to achieve better understanding of the status of mobile banking and payments initiatives, products, and services that financial institutions offer in the various regions of the country. The results of the survey at the individual district level should be available to participants by mid-December; a consolidated report for all the districts will be published in early 2017.
The last survey, which had 625 participants, was conducted in the fall of 2014. That was before the launch of the various major mobile wallets operating today, so it will be interesting to see what level of impact these wallets have had on the mobile payments activity of financial institutions. You can find the results of the 2014 Sixth District survey on our website. This survey effort complements the 2016 Consumer and Mobile Financial Services survey conducted by the Federal Reserve Board's Division of Consumer and Community Affairs.
First designed by the Federal Reserve Bank of Boston in 2008, the survey has been updated over the years to reflect the many changes that have taken place in the mobile landscape in the United States. Similar to past surveys, the 2016 survey looks to capture:
- Number of banks and credit unions offering mobile banking and payment services
- Types of mobile services offered or planned
- Mobile technology platforms supported
- Features of mobile services offered or planned
- Benefits and business drivers associated with mobile services
- Consumer and business adoption/usage of mobile services
- Barriers to providing mobile services
- Future plans related to mobile payment services
If your financial institution is based in one of the participating districts and has not received an invitation to participate in this year's survey, please contact your district's Federal Reserve Bank. For the Sixth District, you can contact me via email or at 404-498-7529. You can also contact me if you need assistance in locating your district's lead survey coordinator.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 12, 2016
Risk Mitigation Isn't Just for Banks
My summer in Atlanta wouldn't be complete without "shooting the Hooch." Friends and family gather upriver on the Chattahoochee River, bringing rafts, tubes, or kayaks for a chance to beat the pervasive southern heat. This year, towards the end of our two-hour float, we came upon Diving Rock, a crowded swimming hole where people stop to watch cliff jumpers. A jumper can choose either a 20- or a 30-foot freefall into the river below. As the family's "chief risk officer," when my eight-year-old son asked me if he could jump, I quickly assessed the inherent and residual risks of such an activity at this location. I concluded that our family was risk-averse in this situation and there would be no jumping.
Conversely, when my son asked if he could play tackle football, I decided we had an appetite for this type of risk. I don't want to detail all of the risk factors compared to the mitigation controls that went into my assessments and ultimate decisions. But looking at these two personal examples made me wonder: in a business context, who else is faced with important risk decisions? And who, besides banks, should be conducting constant risk assessments for their organization?
A tax preparer faces fines and, in extreme cases, jail time for filing returns with errors. Those who receive return-related penalties can also face suspension or expulsion of themselves or their entire firm, or other enforcement action by the IRS. Can a tax preparer be held liable for filing returns with errors even if unaware that the taxpayer was acting illegally? The tax preparer is held to the reasonable person standard, so if it is something he or she should have known, yes. But if the client omitted pertinent details, the tax preparer might have no way of knowing. Since the consequences are severe, should the tax preparer dig deeper and try to catch fraudulent client activity prior to submitting a return or keep blinders on?
I pay for monthly parking at a city garage. This week I found out that they monitor my activity closely with the access card I use. They know whether or not my car is in or out of the garage. They have triple-factor authentication to prevent parking space fraud. To get in or out, you need the weight of a vehicle at the gate, an authorized access card, and the correct in-and-out record on the card before you are allowed to pass through.
Doesn't it stand to reason that all organizations—whether they're responsible for tax preparation, parking space provision, or payment network access—in pursuit of success, whatever that is for them, should conduct assessments and implement mitigation controls in order to understand how customers engage in their services, especially if they can be held liable for those activities? Should payment services be any different and, if so, to what extent?
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 29, 2016
The Simple Consider Three but Four is the Key
In July of 1991 the late sports columnist and humorist Lewis Grizzard gave his top 30 reasons for loving America. The second item on his list read as follows:
I can still see reruns of the Andy Griffith Show. My favorite scene remains the time a reporter came to Mayberry to do a story on the city with the lowest crime rate in the state. The reporter found Barney alone at the sheriff's department and asked him, "How many are on the Mayberry force?"
Barney replied, "Well, there's Andy [the Sheriff] and me…," then patted his holster and added, "And baby makes three."
Payments has three officers, if you will, that are charged with securing the landscape, just like in Mayberry. In either case, the work of the officers on the beat is about "prevention, response, and remediation."
With payments, "prevention" is about thwarting attacks—both physical and cyber-related, fraud, and outright theft. The work consists largely of insulating and securing processes, systems, and valuables with the most up-to-date security tactics and applications. It also involves educating and training staff. Awareness of and good judgment about the landscape, discerning the right policies and approaches, are vital.
"Response" entails reacting to incidents or problems. Here, the work is about having the wherewithal to detect a problem. It also entails reporting—before, during, and after events, both internally and externally. Additionally, response is about investigating and understanding precisely what happened and how. Determining how to seal the hole or holes that gave rise to the problem in the first place also falls under "response."
"Remediation" is the after-event work. This is about repairing the damage resulting from an event and includes everything from recovering losses and further shoring up security to assisting those harmed by an event. Repairing reputational damage falls under remediation.
Back to Mayberry. In the show, Andy got credit for the town's sterling record, and rightly so—he had good judgment and instincts. However, in my opinion, some of the best episodes highlighted Andy's secret weapon, a fourth entity on the police force—the average citizen. Individual responsibility that rolled up into collective ownership for the town underpinned Mayberry's enviable crime record. Sometimes it was Floyd the Barber (and town gossip) who gave Andy the advance warning he needed. Other times it was Gomer at the gas station or Andy's son, Opie, who provided folksy wisdom or insight that ended up being the difference between triumph and tragedy.
For payments to attain Mayberry's covetable crime rate, the citizens—that is, the consumers—have to be fully empowered, thoroughly educated, and roundly encouraged to vigorously participate in their own security. In my opinion, payments are at least partially plagued by moral hazard that owes to blanket consumer liability protections in some instances with a seeming bias for more of that, not less. At the very least, we should question our experience, revisiting and debating the matter of balance between reasonable consumer protection versus the notion of applying blanket coverage, irrespective of consumer choice and action. I see no scenario where dread over what will descend on the payment landscape next abates, not until safety consciousness among users has become more deeply rooted and the culture stabilized in a place where ownership for our well-being is a duty embraced by all, all the time.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
August 22, 2016
As with Nuclear Disarmament, So with ACH: Trust, but Verify
During his remarks at the signing of a nuclear disarmament treaty with the U.S.S.R. in 1987, President Ronald Reagan drew upon the old Russian maxim, "Doveryai, no proveryai," or "Trust, but verify." As with disarmament, businesses and others that originate automated clearing house (ACH) payments should be offered some way to verify an account, something more than hope and a prayer that the payment recipient's routing/transit number and account number are correct and that the recipient is an owner of the account.
The lack of efficient account validation options is a common complaint against the ACH. Surveys that NACHA conducted in 2012 and 2015 attest that account validation, as judged by a majority of respondents, is ACH's chief improvement need. Failing to perform account validation creates different levels of risk, depending on the payment application, whether a credit is pushed or a debit is pulled, and whether it is a recurring or one-time payment.
On July 19, NACHA's Payments Innovation Alliance and Board Advisory Group released two papers reviewing and critiquing existing methods for verifying bank accounts by financial institutions and businesses. The papers also suggest that a remedy to the account validation problem may be in the offing.
In both papers, NACHA defined account validation as follows:
A service wherein a business or financial institution can validate the accuracy of the account information received from a consumer or business, and the ability of that account to receive electronic payments.
Following are the various methods that NACHA identifies—and that I've complemented with my own research—that are used today to validate accounts:
- Manual validation—A consumer's check verifies the account and identification verifies the consumer's identity. Alternatively, the originator can call the recipient's bank to confirm account details, assuming the bank is willing to provide the information, though it is risky for the bank to share such information over the phone.
- ACH validation, via a zero-dollar prenote verification payment—If the account number is incorrect, the recipient's bank responds within three business days, though this timeframe can be shortened by using same-day ACH. As the papers state, this is a "no news is good news" form of verification. NACHA is exploring opportunities to improve the prenote process beginning in late 2016.
- Challenge deposit validation—Typically, two micro-deposits of random amounts are made to the recipient's account and subsequently verified by the accountholder to the payment originator. Even if the account is successfully verified, the originator may subsequently be unable to debit the account because that account blocks debit payments. To identify debit-blocked accounts, some originators debit the bank account for an amount equal to the micro-deposits. This method suffers from a high abandonment rate among consumers because of the hassle of verifying the deposits. One large online originator says that about 30 percent of consumers selecting the deposit validation method fail to verify the payment amounts. This method can take from five to seven business days—though, as with prenoting, the process can be expedited by using same-day ACH.
- Instant validation—The customer logs into his or her bank from the company's website to establish ownership of the account. The same online originator said that 25 percent of its customers selected this validation method over deposit validation. Many consumers hesitate to use this method because the use of a third party increases the chance their banking credentials will be compromised.
- Validation services—Service providers with access to a large number of accounts offer scoring services that simulate or predict the likelihood that an account number is "good." Though improving, these service offerings are limited for non-financial institution originators.
A solution to the problem may be in store through the World Wide Web Consortium and others working to develop a standardized application programming interface, or API, for account validation. This would allow payment originators or their service providers restricted access to bank data to verify accounts using a universal, standardized process while protecting banking credentials. Let's hope that key stakeholders rally around this important initiative and push for a speedy implementation so that we carry through with a new maxim of "Trust, but truly verify."
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed