Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

September 19, 2016


Mobile Banking and Payments—What's Changed?

This week, the Federal Reserve Banks of Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond are launching an online mobile banking and payments survey for financial institutions based in their respective districts. The purpose of the survey is to achieve a better understanding of the status of mobile banking and payments initiatives, products, and services that financial institutions offer in the various regions of the country. The results of the survey at the individual district level should be available to participants by mid-December; a consolidated report for all the districts will be published in early 2017.

The last survey, which had 625 participants, was conducted in the fall of 2014. That was before the launch of the various major mobile wallets operating today, so it will be interesting to see what level of impact these wallets have had on the mobile payments activity of financial institutions. You can find the results of the 2014 Sixth District survey on our website. This survey effort complements the 2016 Consumer and Mobile Financial Services survey conducted by the Federal Reserve Board's Division of Consumer and Community Affairs.

First designed by the Federal Reserve Bank of Boston in 2008, the survey has been updated over the years to reflect the many changes that have taken place in the mobile landscape in the United States. Similar to past surveys, the 2016 survey looks to capture:

  • Number of banks and credit unions offering mobile banking and payment services
  • Types of mobile services offered or planned
  • Mobile technology platforms supported
  • Features of mobile services offered or planned
  • Benefits and business drivers associated with mobile services
  • Consumer and business adoption/usage of mobile services
  • Barriers to providing mobile services
  • Future plans related to mobile payment services

If your financial institution is based in one of the participating districts and has not received an invitation to participate in this year's survey, please contact your district's Federal Reserve Bank. For the Sixth District, you can contact me via email or at 404-498-7529. You can also contact me if you need assistance in locating your district's lead survey coordinator.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 19, 2016 in banks and banking, financial services, mobile banking, payments

September 12, 2016


Risk Mitigation Isn't Just for Banks

My summer in Atlanta wouldn't be complete without "shooting the Hooch." Friends and family gather upriver on the Chattahoochee River, bringing rafts, tubes, or kayaks for a chance to beat the pervasive southern heat. This year, towards the end of our two-hour float, we came upon Diving Rock, a crowded swimming hole where people stop to watch cliff jumpers. A jumper can choose either a 20- or a 30-foot freefall into the river below. As the family's "chief risk officer," when my eight-year-old son asked me if he could jump, I quickly assessed the inherent and residual risks of such an activity at this location. I concluded that our family was risk-averse in this situation and there would be no jumping.

Conversely, when my son asked if he could play tackle football, I decided we had an appetite for this type of risk. I don't want to detail all of the risk factors compared to the mitigation controls that went into my assessments and ultimate decisions. But looking at these two personal examples made me wonder: in a business context, who else is faced with important risk decisions? And who, besides banks, should be conducting constant risk assessments for their organization?

A tax preparer faces fines and, in extreme cases, jail time for filing returns with errors. Those who receive return-related penalties can also face suspension or expulsion of themselves or their entire firm, or other enforcement action by the IRS. Can a tax preparer be held liable for filing returns with errors even if unaware that the taxpayer was acting illegally? The tax preparer is held to the reasonable person standard, so if it is something he or she should have known, yes. But if the client omitted pertinent details, the tax preparer might have no way of knowing. Since the consequences are severe, should the tax preparer dig deeper and try to catch fraudulent client activity prior to submitting a return or keep blinders on?

I pay for monthly parking at a city garage. This week I found out that they monitor my activity closely with the access card I use. They know whether my car is in or out of the garage. They have triple-factor authentication to prevent parking space fraud. To get in or out, you need the weight of a vehicle at the gate, an authorized access card, and the correct in-and-out record on the card.

Doesn't it stand to reason that all organizations—whether they're responsible for tax preparation, parking space provision, or payment network access—in pursuit of success, whatever that is for them, should conduct assessments and implement mitigation controls in order to understand how customers engage in their services, especially if they can be held liable for those activities? Should payment services be any different and if so to what extent?

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 12, 2016 in banks and banking, risk management

August 1, 2016


FFIEC Weighs In On Mobile Channel Risks

In late April, the Federal Financial Institutions Examination Council (FFIEC) released new guidance regarding mobile banking and mobile payments risk management strategies. Titled "Appendix E: Mobile Financial Services," the document becomes part of the FFIEC's Information Technology Examination Handbook. While the handbook is for examiners to use to "determine the inherent risk and adequacy of controls at an institution or third party providing MFS" (for mobile financial services), it can also be a useful tool for financial institutions to better understand the expectations that examiners will have when conducting an exam of an institution's MFS offering.

Consistent with examiners' focus on third-party relationships for the last several years, the document points out that MFS often involves engagement with third parties and that the responsibilities of the parties in those relationships must be clearly documented and their compliance closely managed. Other key areas the document reviews include:

  • Mobile application development, maintenance, security, and attack threats
  • Enrollment controls to authenticate the customer's identity and the payment credentials they are adding to a mobile wallet
  • Authentication and authorization, emphasizing that financial institutions should not use mobile payment applications that rely on single-factor methods of authentication
  • Customer education efforts to support the adoption of strong security practices in the usage of their mobile devices

The document also identifies and reviews strategic, operational, compliance, and reputation risk issues for the various elements of a financial institution's MFS offering. The final section of the document outlines an examiner's work plan for reviewing an MFS program with seven key objectives. I believe that it would be time well spent for the institution's MFS team to assume the role of examiner and use the work plan as a checklist to help effectively identify and manage the risks associated with an MFS program.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 1, 2016 in bank supervision, banks and banking, financial services, mobile banking, mobile payments, regulations, regulators, third-party service provider

Comments

Looking forward to welcoming David Lott to our upcoming Next Money Tampa Bay meetup.

David will be our keynote on Wednesday, Sept 21, 2016 6:00 ~ 8:00 PM

Tampa Bay Wave Venture Center
500 East Kennedy Boulevard 3rd FL
Tampa Florida 33602

All are welcome to attend. RSVP at https://www.meetup.com/NextMoneyTPA/events/233171815/

Posted by: Bruce Burke | August 6, 2016 at 05:22 PM


July 11, 2016


Surviving the Emerging Payments Providers

Predictions abound that emerging companies will dominate the remittance and person-to-person (P2P) payments space and financial institutions will be relegated to being bystanders. While I am not sold on their eventual dominance, I do think that emerging companies are creating positive changes. These changes have included new business models for financial institutions and traditional remittance providers who are able to offer their existing and prospective customers new, efficient payment choices. And as recently released financial and transaction figures show, some traditional players embracing change are poised to remain in their leadership positions.

I recently saw a speaker who said that one particular emerging digital remittance provider is the largest digital remittance business in the United States. However, I think the honor of the largest digital remittance transfer provider goes to a long-term remittance incumbent, Western Union. Though payments volume data are not available, revenue data do provide us with some insight into the size of these providers. According to Western Union's 2015 annual report, its digital money transfer services generated $274 million in revenues in 2015. As a point of comparison, three emerging companies (Xoom, Worldremit, and TransferWise) had combined revenues of $230 million. Though Western Union's online service represents only 6.3 percent of its consumer-to-consumer revenues, the segment grew by 26 percent in 2015.

In June, Chase announced changes to its digital P2P solution that will allow Chase customers to send and receive money in real time through ClearXchange with customers of Bank of America, U.S. Bank, and several other financial institutions. Chase's digital P2P solution has been a feature on the Chase mobile application and online banking website for several years now and was used in 2015 to send $20 billion in P2P payments. As a point of reference, the wildly popular emerging mobile and online P2P provider, Venmo, reported $1 billion in transfers during the month of January, up 250 percent from the prior January. With the additional reach of ClearXchange participants, Chase customers will now be able to digitally send payments to and receive payments from 65 percent of the digital banking population in the United States, placing Chase in a position to experience significant growth in its digital solution.

With both remittances and P2P payments, online and mobile channels are seizing share from traditional channels. Even though the in-person agent model in remittances and P2P payments via cash and checks will remain a viable solution for many consumers, today's growth is being driven by digital models.

No doubt emerging players are threatening traditional companies for remittance and P2P dollars. However, financial institutions and established money transmitters are evolving, and based on the numbers, remain valuable payments providers. Given this environment, financial institutions and traditional remittance providers that don't evolve to embrace the digital remittance and P2P economy are at serious risk of losing share. And the threat isn't just coming from emerging companies. In fact, you can call me a traditionalist, but I think evolving traditional financial institutions and remittance providers are positioning themselves to remain the dominant providers of P2P and remittance payments.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 11, 2016 in banks and banking, emerging payments, financial services

June 27, 2016


Between a Rock and a Hard Place?

Customer education encouraging safe payments practices has always been viewed by staff at the Retail Payments Risk Forum as a vital element in mitigating payments-related fraud. We have stressed this need time and time again in our posts as well as our numerous speaking engagements at payments-related conferences and events.

Financial institutions (FIs) have generally been identified as the group that should bear this responsibility as they own the account relationship, but with more intermediaries in the payments process, I think that others should also be involved. The advent of mobile banking and payments has introduced even more challenges since the financial institution doesn't get involved in the acquisition of the mobile device as that is normally handled by the mobile network sales representatives. My personal experience with these sales representatives is that once the device sale is done, they are more interested in selling me accessories or upgrading my data plan than they are teaching me about selecting and setting strong passwords or preventing malware and viruses from finding their way into my phone.

When I raise this issue with others, all too often I hear a pessimistic chorus that getting consumers to adopt strong security practices will always be a losing battle for FIs. They say that consumers will always choose convenience over security—that is, until they fall victim to fraud. And forget about any other player in the ecosystem taking on the education responsibility because if they have no liability for fraud losses, why direct funds to education when they could be deployed elsewhere?

The impact of fraud on a consumer's relationship with his or her financial institution has never been greater. We read every day about the increasing economic importance of the Gen Y or millennial segment. With an estimated 80 million people, they represent the largest segment of our country's bankable population. A late 2015 study by FICO on millennial banking habits revealed that 29 percent of respondents indicated that they would close all their accounts with a financial institution if one of those accounts experienced fraud. To make matters worse, one quarter of the survey participants indicated they would write a negative post on social media about their financial institution if they experienced a fraud incident.

So are financial institutions in a no-win situation? A ray of hope emerges from the same FICO study, which states that 41 percent of the millennials surveyed indicated that they recommended their FI to friends, colleagues, or family members after a positively handled fraud incident. Studies have consistently shown that payment security is a key concern of all customers, not just millennials. So although it may not seem fair that financial institutions have to shoulder most of the security education effort, the impact of not doing so could be significant. Perhaps it is time for a coordinated payments industry campaign to encourage consumers to adopt safer and more secure banking practices.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 27, 2016 in banks and banking, financial services, payments, risk

June 20, 2016


There's an App for That!

Few would question that mobile phones have had a considerable influence in our everyday activities. They provide a level of convenience and connectivity that also generates benefits to our personal safety and the security of our banking accounts and other assets. The Pew Research Center estimates that almost two-thirds of adults in the United States own a smartphone and 15 percent use them as their primary online access device either because they do not have broadband access at their home or have few other online options.

In recent blogs, I highlighted some key findings from the Federal Reserve Board of Governors' recently released Consumers and Mobile Financial Services 2016 report. The report includes a section of questions that probe how consumers use their mobile phones in financial decision making. Within the past year, 62 percent of mobile banking users with smartphones responded that they checked their balance before they made a large purchase. The power of that information is clear: of those who checked their balance or available credit, half didn't make a purchase as a result of having that information.

Forty-five percent of smartphone owners use their phone for comparison shopping at retail stores. Forty-one percent reported they use their phones to obtain product information while shopping at retail stores, and 28 percent use a barcode scanning application for price comparisons.

Though smartphone owners value the convenience phones bring to financial decision making, security and safety are primary concerns. A little more than half of the mobile banking users take advantage of the feature of receiving some type of alert from their financial institution. The most common alert cited was for a low balance, but 36 percent reported they also receive fraud alerts.

Later this year, a number of the Federal Reserve districts, including the Sixth District, will be conducting a survey of the financial institutions in their districts about the mobile banking and mobile payments services they offer. The Sixth District participated in this effort in 2014; you can find the results here. It will be interesting to see the changes that have taken place over the last two years, especially in light of the launch of the various mobile wallets, so stay tuned.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 20, 2016 in banks and banking, mobile banking, mobile payments

November 30, 2015


Half Full or Half Empty?

My colleagues and I in the Retail Payments Risk Forum participate as speakers or attendees in what sometimes seems to be a nonstop stream of banking and payments conferences that run from mid-September to mid-November. This effort is part of our mission to support the education of the stakeholders in the payments ecosystem with a focus on payments risk. We also use the opportunity to network with other attendees and vendors to stay on top of the latest developments and market solutions that are being deployed to combat payments fraud. These events also give us a chance to provide our perspective on trends and key issues involving payment risk.

At a recent fraud conference, I was on a panel discussing fraud trends and key threat vectors. The moderator of the panel revealed some results from Information Security Media Group's 2014 Faces of Fraud survey of financial institutions (FIs). There was a specific question about whether FIs had seen a change in the level of losses from account takeover fraud since the Federal Financial Institutions Examination Council issued its supplemental guidance on Internet banking authentication in 2011. That guidance directed financial institutions to evaluate "new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks." The survey results are shown in the chart below.

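[Chart: survey responses on the change in account takeover fraud losses since the 2011 FFIEC supplemental guidance]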

Source: 2014 Faces of Fraud Survey, Information Security Media Group

While the moderator and some of the other panelists seemed to focus on the 20 percent who said they had seen an increase in fraud, I took the glass-half-full perspective because of the 55 percent who indicated that the fraud had stayed about the same or decreased. Given the certainty that the number and magnitude of data breaches have increased and that the number of attempts by criminals to commit some sort of payment fraud through account takeovers was significantly up, I opined that the fact that fraud levels for the majority of the FIs had stayed at the same level or declined should be considered a victory.

Certainly, I am not saying the tide has turned and the criminals are on their way to retirement, but I think the payments industry stakeholders should take some pride that their efforts to combat payment fraud are making some progress through the continuing development and deployment of anti-fraud tools. Am I being too Pollyannaish?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 30, 2015 in banks and banking, crime, cybercrime, fraud, payments

November 16, 2015


Is It Bigger Than a Bread Box?

The answer is yes and no. A payment card in physical form clearly is not bigger than a bread box, but it certainly is a symbol of something bigger. The card is an access device to an account. It could be a birthday gift to my favorite Italian restaurant, a debit card issued by my bank, a general purpose reloadable prepaid card purchased at my local pharmacy, or a card accessing a credit line, and the list goes on. You can't just say, “I used a plastic card to pay for my Italian dinner” and have someone know exactly which card type was used.

Let's play the classic 20-questions game, Take On Payments-style. I'll be thinking of a type of financial account, and you guess the type of account based on the 20 features below. Good luck!

  1. Allows you to earn interest on your account balance.
  2. Offers a loyalty program at selected merchants.
  3. Has no annual or monthly fee.
  4. Can be used at any domestic ATM.
  5. Can be used to pay bills.
  6. Allows person-to-person money transfers.
  7. Offers customer service 24/7.
  8. Offers cash-back rewards.
  9. Is usable for purchases in-person (POS) or online.
  10. Protects against unauthorized purchases and fraud.
  11. Allows access to account information via online or mobile application.
  12. Has budgeting features.
  13. Connects you to more than one account and allows you to manage multiple accounts under one main account.
  14. Issues mobile alerts.
  15. Has optional plastic card; can be all-virtual management.
  16. Offers mobile check deposit.
  17. Allows stop payments on previously scheduled transactions.
  18. Offers the ability to cover some purchase transactions over the account balance.
  19. Accepts direct deposit via ACH for payroll or other deposits.
  20. Allows you to order checks on the account and pay bills with a check.

Which account type did you guess? If I were to tell you that what I had thought of was a prepaid account, would you be surprised? I was thinking of prepaid as bigger than a bread box. It's not a card, or payment channel; it is an account type. Payment transactions are sent to and from a prepaid account just like a checking account. The financial institution and program manager determine the account name and features, and where accounts can be opened.

However, the payments industry needs to be careful that marketing differences don't lead to the misperception that these accounts are fundamentally different from checking accounts. If we let perceptions cloud the true purpose these accounts serve—each is essentially a transaction account, just sold differently—then regulations and risk controls may not address the actual risks. It is inconsistent to regulate transaction accounts offering the same services based on how the account was opened and the type of organization servicing the account, unless the regulation is addressing the actual risk injected at those points. In order for consumer protections and compliance to be achieved consistently, risk controls and regulations should address the operational aspects of these transaction accounts, rather than the marketing names assigned to them.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 16, 2015 in banks and banking, prepaid

November 9, 2015


Is the Payment Franchise Up for Grabs?

I have lost count of the number of discussions at payment conferences over the last few years on this topic of financial institutions (FIs) losing the payment franchise to various new payment start-ups and business models. This very topic was the focus of a session at the Code/Mobile conference in October that featured executives from Chase and PayPal debating "Will Banks Eat Payments, or Will Payments Eat The Banks?" This idea was stuck in my mind while I was recently reading Fidelity National Information Service's 2015 Consumer Banking Index Report. This report reveals the findings from a survey of a thousand household decision makers who ranked 18 attributes according to their importance and according to the respondents' perception of how well banks perform. I readily admit that one shouldn't read too much into the results of a single survey, but the results in the payments and product-related category really grabbed my attention.

[Figure: survey results for the payments and product-related category, 2015 Consumer Banking Index Report]

Consumer expectations for their financial institution to provide digital payment options through more innovative products than other financial institutions scored extremely low in the importance category. Digital payments ranked as the 14th out of 18 attributes in importance, and delivering leading-edge products was the least important attribute surveyed. Though the importance of these two attributes was significantly lower than security and reliability attributes, consumers rated the performance of their financial institution on these two attributes favorably.

My interpretation of the survey is that consumers aren't expecting much from their FI when it comes to delivering digital payments and innovative products yet the FIs are exceeding these light expectations. The survey does not cover whether consumers place importance on others—say, non-bank payment providers—offering innovative products and payment options and how they are delivering on consumers' expectations.

If consumers expect non-FIs to provide digital payment options, then perhaps FIs are in danger of losing the payments franchise. Maybe consumers don't place a lot of importance on digital payment options because they are satisfied with the options their FIs provide and so the risk to FIs losing the payment franchise to non-FIs is low.

It's possible that the consumer falls somewhere in the middle of the two scenarios above. They may be pleased with the offerings of their FIs, which offer ubiquity and are not highly differentiated, so their expectations for options are low. The non-FI payments space is fragmented with new payment options being developed and deployed at a rapid pace that will take time for consumers to digest. Should consumers realize that any of these offerings present a significant improvement in the payments experience, they may raise their expectations for their FIs. This would suggest that the non-FI providers haven't fully delivered on a compelling, ubiquitous, and widely adopted offering yet.

I believe FIs remain firmly entrenched in the payment space today. However, the level of investment and innovation taking place in the industry should capture the FIs' attention. Consumers, me included, are a finicky bunch when it comes to expectations, and these expectations can change almost instantly with the amount of innovation occurring today. I see no reason why the digital payments arena would be any different, and FIs that fail to realize this as they consider future payment options risk a declining share of the payment franchise.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 9, 2015 in banks and banking, innovation, payments

August 4, 2014


Fishing for Your Private Data

Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.

Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity with which anyone can send e-mails have created a wide window of opportunity for fraudsters.

In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the e-mail, and without opening any attachments.

In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.

Photo of Deborah Shaw

August 4, 2014 in banks and banking, consumer fraud, consumer protection, data security, fraud, identity theft