Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 7, 2016
Card Chargebacks: Sorting Out the Facts
For years, I have heard conflicting statements by card issuers and acquiring merchants about the impact of chargebacks on their businesses. A chargeback is a demand by a card issuer for a merchant to make the issuer whole for the loss of a disputed transaction by a cardholder. Because of consumer liability protections afforded under various regulations and the card brand's liability rules, the issuer or the merchant typically incurs the final loss. The issuer initiates a chargeback when a cardholder disputes a transaction on the statement—for one of a variety of reasons—if the issuer believes the merchant is financially liable under the particular card network's operating rules. Merchants may accept the chargeback and assume the loss, or they may dispute it if they believe they were in compliance with the network rules.
The debate over the amount of chargeback losses to merchants has continued over the years because of a lack of independent research, but all that has changed with a study published in January by my colleagues at the Federal Reserve Bank of Kansas City. Senior economists Fumiko Hayashi and Rick Sullivan along with risk specialist Zach Markiewicz examined chargeback and sales data from October 2013 through September 2014 from selected merchant acquirers who process more than 20 percent of network-branded card transactions in the United States. While the study examines the full chargeback landscape of four-party networks (Visa and MasterCard) and three-party networks (American Express and Discover), the focus of this post is on their findings related to card fraud—both card present (CP) and card not present (CNP)—for the four-party networks. PIN debit transaction chargebacks were not included in this study.
Some of the study's key findings are:
- Overall, merchants incur 70–80 percent of all chargeback losses.
- Fraud is the most common chargeback reason and accounts for approximately 50 percent of total chargebacks in value.
- The average value of a fraud chargeback was $200, compared to $56 for the average sales transaction. Clearly, the criminals are going after higher-dollar value goods.
- The merchant loss rate in the CNP channel of 14.17 basis points (bps) is significantly higher than the 1.02 bps loss rate for the CP channel.
- As the chart shows, the merchant categories incurring the highest fraud rates were the travel and department store categories. Grocery stores had the lowest.
As previous posts have noted, the Federal Reserve is making a concerted effort to collect fraud data for non-cash payment channels to develop a holistic view and understanding of fraud trends. The Kansas City Fed is looking to repeat its study in the near future, when it will also include PIN debit transaction chargebacks. As our payments system evolves and user payment preferences change, it is vital for payments system stakeholders to be able to determine how these changes are affecting fraud losses being sustained by the various stakeholders.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 11, 2013
Is Growing Fraud Really a Catalyst for EMV?
My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.
In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?
I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuer's income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuer's bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.
Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.
It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remain tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 23, 2012
The debate on credit card surcharges
Late Friday the 13th, Visa and MasterCard announced that they, along with several major issuers, reached a $7.25 billion class-action settlement with U.S. merchants. In addition to being party to the largest monetary antitrust settlement in U.S. history, the networks agreed to permit retailers to impose a surcharge on credit transactions subject to a cap and a level playing field with other general purpose card competitors. Previously, the no-surcharge rule (NSR) had been a staple for both MasterCard and Visa, ultimately prohibiting merchants from charging consumers more to pay with credit cards. Merchants claim that because of the NSR, all consumers, regardless of their payment method, incurred higher costs. Now, in theory, merchants should be able to lower their prices and pass along the costs of a credit card transaction only to those consumers paying with a credit card.
Theory versus practice
However, in the payment card market, theory and practice can differ. Look no further than the Durbin Amendment. In theory, Congress intended for this legislation to benefit consumers, assuming that merchants would pass along their savings through lower prices. However, the debate continues whether merchants who received interchange relief—some actually experienced increased rates and are in fact passing along these costs to consumers—are really passing on the savings.
Should the settlement be finalized, I believe we will see another debate about whether the consumer actually benefits, as with the Durbin Amendment. Will many merchants actually choose to impose a surcharge on credit-card-paying consumers? Will the surcharging merchants actually drop prices from their current levels or simply add a surcharge on top of existing prices? Will networks lower the effective interchange rates thus making it less costly for consumers to use credit cards should merchants choose to actually surcharge?
Will credit card surcharging take place in the United States?
Again, we have to look at theory versus practice. In theory, the surcharging provision seems like a win for merchants, but in practice, will the surcharge provision have any impact at the point of sale? And what will prevent surcharging from being put into widespread practice in the United States?
For starters, 10 states with 40 percent of the U.S. population—including California, Florida, New York, and Texas—currently prohibit retailers from charging customers a fee for using a credit card. Keeping the consumer in mind, remember the backlash that one bank experienced when it proposed a new debit card fee? Will any merchant that attempts to implement a surcharge—actual implementation of a surcharge with various types of cards and payment environments is worthy of an entire discussion itself—face similar scrutiny?
I also wonder: if a merchant chooses to charge consumers a fee for using a credit card, would the fee and the merchant then fall under the authority of the Consumer Financial Protection Bureau? The surcharging debate around this potential settlement and ultimate outcome will no doubt be interesting moving forward.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 2, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the technologies that enable electronic payment innovations are the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
September 28, 2009
Coordinating roles in mobile payments--who will we trust?
The concept of mobile payments is beginning to gain some traction as the industry grapples with environmental complexities—namely the myriad participants in the mobile payments arena, the multiple channels for a mobile payment to follow, and the ever-present questions about security. Who can be trusted to intercede among the various entities with an interest in the payments process? While a number of roles in the mobile payments arena are taking shape, the least known and possibly the most confusing is the concept of the trusted service manager (TSM). However, this role is also possibly the most critical to establishing a secure and trusted environment for mobile payments. So what exactly is a TSM and what are its responsibilities?
Complex environment for mobile payments
While anecdotes sometimes dismiss the anticipated speed to market of mobile payments as industry hype, the fact is that the ubiquity of the mobile phone is driving the convergence of telecom and payments. This convergence creates a far more complex environment for payments than ever before. Telecom participants and financial institutions have different regulatory and legal frameworks and distinctly different risk exposure, for example. Furthermore, the U.S. mobile payments environment will leverage existing payment channels, such as the automated clearinghouse (ACH) and the card networks. No one knows if the industry and market will ultimately prefer a particular channel. The result is an array of business models with a vast number of unrelated players with competing interests for customer revenue.
Stakeholders in the mobile payments business model
In addition to the traditional payments model that includes the customer, financial institutions, and perhaps payment processors, the developing mobile payments ecosystem also includes large groups of mobile network operators and handset makers who have no previous payments life cycle experience. For payment system interoperability, all participants must agree to operate under uniform technical operating and security standards. In this context, the role of a TSM is to manage collaboration among the various stakeholders.
Role of the TSM
The concept of the TSM was introduced by the Global System for Mobile Communications Association (GSM) in 2007 in an effort to improve interoperability among various and unrelated proprietary mobile networks. The core function of the TSM is to serve as a neutral and independent middleman between financial institutions, payment network operators, customers, and the mobile network operators.
Responsibilities envisioned for the TSM include managing contractual relationships with the large number of mobile network operators (MNOs) as well as acting as a single point of contact for banks and other payment service providers to communicate with customers they share with the MNOs and handset makers. The key to the TSM’s success clearly is the financial wherewithal to inspire trust on behalf of the other payment participants and to support agreements with a large number of partners. Finally, the TSM should also provide the oversight for various systems among participants to ensure secure transmission of payments and personal data in the transaction.
Who should fill the role?
While the need for a TSM is recognized, there is no consensus on who should fill that role. MNOs, payment network operators, and financial institutions lack the economic incentives to form alliances with other participants in the payment ecosystem because of their competing interests for customer revenue. Whether the role is filled by a consortium of existing players or by a new entity yet to be formed will depend on an ability to fulfill these critical responsibilities from a position of neutrality and independence.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed