August 22, 2016
As with Nuclear Disarmament, So with ACH: Trust, but Verify
During his remarks at the signing of a nuclear disarmament treaty with the U.S.S.R. in 1987, President Ronald Reagan drew upon the old Russian maxim, "Doveryai, no proveryai," or "Trust, but verify." As with disarmament, businesses and others that originate automated clearing house (ACH) payments should be offered some way to verify an account, something more than hope and a prayer that the payment recipient's routing/transit number and account number are correct and that the recipient is an owner of the account.
The lack of efficient account validation options is a common complaint against the ACH. Surveys that NACHA conducted in 2012 and 2015 attest that account validation, as judged by a majority of respondents, is ACH's chief improvement need. Failing to perform account validation creates different levels of risk, depending on the payment application, whether a credit is pushed or debit is pulled and whether it is a recurring or one-time payment.
On July 19, NACHA's Payments Innovation Alliance and Board Advisory Group released two papers reviewing and critiquing existing methods for verifying bank accounts by financial institutions and businesses. The papers also suggest that a remedy to the account validation problem may be in the offing.
In both papers, NACHA defined account validation as follows:
A service wherein a business or financial institution can validate the accuracy of the account information received from a consumer or business, and the ability of that account to receive electronic payments.
Following are the various methods that NACHA identifies—and that I've complemented with my own research—that are used today to validate accounts:
- Manual validation—A consumer's check verifies the account and identification verifies the consumer's identity. Alternatively, the originator can call the recipient's bank to confirm account details, assuming the bank is willing to provide the information, though it is risky for the bank to share such information over the phone.
- ACH validation, via a zero-dollar prenote verification payment—If the account number is incorrect, the recipient's bank responds within three business days, though this timeframe can be shortened by using same-day ACH. As the papers state, this is a "no news is good news" form of verification. NACHA is exploring opportunities to improve the prenote process beginning in late 2016.
- Challenge deposit validation—Typically, two micro-deposits of random amounts are made to the recipient's account and subsequently verified by the accountholder to the payment originator. Even if the account is successfully verified, the originator may subsequently be unable to debit the account because that account blocks debit payments. To identify debit blocked accounts, some originators debit the bank account equal to the micro-deposits. This method is fraught with a high abandonment rate by the consumer due to the hassle of verifying the deposits. One large online originator says that about 30 percent of consumers selecting the deposit validation method fail to verify the payment amounts. This method can take from five to seven business days—though, as with prenoting, the process can be expedited by using same-day ACH.
- Instant validation—The customer logs into his or her bank from the company's website to establish ownership of the account. The same online originator said that 25 percent of its customers selected this validation method over deposit validation. Many consumers hesitate to use this method because the use of a third party increases the chance their banking credentials will be compromised.
- Validation services—Service providers with access to a large number of accounts, offer scoring services that simulate or predict the likelihood an account number is "good." Though improving, these service offerings are limited for non-financial institution originators.
A solution to the problem may be in store through the World Wide Web Consortium and others working to develop a standardized application programming interface, or API, for account validation. This would allow payment originators or their service providers restricted access to bank data to verify accounts using a universal, standardized process while protecting banking credentials. Let's hope that key stakeholders rally around this important initiative and push for a speedy implementation so that we carry through with a new maxim of "Trust, but truly verify."
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 15, 2016
The Personal Cost of Fraud
Last week's post by my colleague Doug King described the check fraud that took place after someone burglarized his wife's car and stole her wallet, including her driver's license and credit and debit cards. The frequency and magnitude of data breaches and constantly reading and researching payments fraud as part of my job have probably numbed me to the personal impact of fraud. When discussing the likelihood of becoming victims of some sort of identity theft fraud, we jokingly paraphrase the slogan in the South about termite infestations: "It's not a matter of if, it's a matter of when." Given the data breaches and information available through public records, we operate under the assumption that the criminal element has all the information they need to perpetrate fraud against us and, for those of us who haven't already been victimized, it is likely to happen in the near future. A pessimistic outlook for sure, but one I fear is realistic.
I still get frustrated when I see the many studies that show that, despite consumers' concern about the security and privacy of their transaction and personal information, the vast majority do not adopt strong security practices. They use easy-to-guess passwords or PINs and often use the same user ID and password for their various online accounts, from social media to online banking access. I believe that many financial institutions (FI) and ecommerce providers have passively supported this environment in that they often do not require customers to use stronger practices because they don't want to incur the customer service cost associated with password resets or customer abandonment. The lack of consistent password formatting structures adds to the confusion (some require special characters and others don't allow them).
I certainly don't hold myself out as the poster child for strong security, but our family has adopted a number of the recommended stronger security practices. These include using a simple compound password structure that creates a separate password for each application, creating a more complex password structure for financial applications, establishing filter rules designed to spot spam and phishing emails, and conducting a frequent review of financial accounts to spot unauthorized transactions.
While liability protection laws and regulations generally hold a consumer financially harmless, there clearly is a social and individual cost associated with fraud from the time spent dealing with law enforcement and FI representatives to the issue of not being able to access the funds fraudulently taken until reimbursement is made. Perhaps Doug's wife's requirement for her FI to provide a stronger level of authentication reflects a changing sense of the need by the general public for stronger security practices. I certainly hope so.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 8, 2016
When Fraud Hits Home: Questioning Today’s Authentication Methods
My wife was the recent victim of a vehicle burglary. Unfortunately, the bad guys got away with a wallet that included a driver's license along with several debit and credit cards. Since my wife is a cash-averse individual, I thought little harm, if any, would ensue since she reported the cards stolen within minutes of the crime taking place. What I thought could have been a simple stolen card scenario quickly escalated to a major assault on a demand deposit account (DDA) thanks, in large part, to authentication failures by the financial institutions involved.
Two days after the theft and with only a driver's license and a canceled debit card to identify the bank, the burglar, or an associate, was able to withdraw money from my wife's DDA by using a generic withdrawal slip found at most bank and credit union branches. They also cashed a counterfeit check drawn on another financial institution (FI) that, along with the bad check fee, was charged against my wife's account when the payor bank returned the check. While I am not sure whether the employees at the bank followed proper authentication protocols, there clearly was a breakdown as the thief was able to use the stolen driver's license to first obtain my wife's DDA number and then fraudulently withdraw funds.
While the breakdown in authentication is concerning, the FI's solution for improving authentication with my wife's new account is archaic—a password. The FI suggested that she open a new account and password-protect the account. When making an in-person transaction, she will be required to state the password before a transaction can be completed or account information revealed in addition to other authentication measures that were already in place.
My wife, not comfortable with the new proposed account set-up or with the failure in authentication on the old account, decided to seek a new FI relationship. Clearly she believed that a more technology-driven solution would have been substantially better from both a security and user standpoint than the proposed password solution. And this got me wondering. With all the efforts and investments in authentication technologies, why are passwords still being used for banking and payment transactions in 2016? What will it actually take to "kill the password," which we have been talking about for years? We are in the midst of a technology revolution, yet authentication methods from 2,000 years ago are still being suggested for use today as the primary means to protect money and assets.
In Singapore, the government has mandated two-factor authentication while allowing consumers to retain some choice in the authentication factor. In the United States, the Federal Financial Institutions Examination Council, or FFIEC, issued guidance in 2011 regarding the use of multi-factor authentication for Internet transactions. Is guidance concerning authentication enough? Without favoring any particular solution or technology, is it time to adopt better authentication methods in the United States? I am not advocating mandate like in Singapore, but my wife can give you more than 2,500 good reasons why it should be considered.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 1, 2016
FFIEC Weighs In On Mobile Channel Risks
In late April, the Federal Financial Institutions Examination Council (FFIEC) released new guidance regarding mobile banking and mobile payments risk management strategies. Titled "Appendix E: Mobile Financial Services," the document becomes part of the FFIEC's Information Technology Examination Handbook. While the handbook is for examiners to use to "determine the inherent risk and adequacy of controls at an institution or third party providing MFS" (for mobile financial services), it can also be a useful tool for financial institutions to better understand the expectations that examiners will have when conducting an exam of an institution's MFS offering.
Consistent with examiners' focus on third-party relationships for the last several years, the document points out that MFS often involves engagement with third parties and that the responsibilities of the parties in those relationships must be clearly documented and their compliance closely managed. Other key areas the document reviews include:
- Mobile application development, maintenance, security, and attack threats
- Enrollment controls to authenticate the customer's identity and the payment credentials they are adding to a mobile wallet
- Authentication and authorization, emphasizing that financial institutions should not use mobile payment applications that rely on single-factor methods of authentication.
- Customer education efforts to support the adoption of strong security practices in the usage of their mobile devices
The document also identifies and reviews strategic, operational, compliance, and reputation risk issues for the various elements of a financial institution's MFS offering. The final section of the document outlines an examiner's work plan for reviewing an MFS program with seven key objectives. I believe that it would be time well spent for the institution's MFS team to assume the role of examiner and use the work plan as a checklist to help effectively identify and manage the risks associated with an MFS program.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- As with Nuclear Disarmament, So with ACH: Trust, but Verify
- The Personal Cost of Fraud
- When Fraud Hits Home: Questioning Today’s Authentication Methods
- FFIEC Weighs In On Mobile Channel Risks
- Cash: Reports of Its Pending Death Are Greatly Exaggerated
- The 411 on Banning the RCC
- Surviving the Emerging Payments Providers
- Between a Rock and a Hard Place?
- There's an App for That!
- What Is GPR Feeding On? Part 2 of 2
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud