Retail Payments Risk Forum
Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Take On Payments
June 24, 2013
The Forgotten Check
The paper check—remember those things that came 25 to a packet along with a vinyl cover? You could get them in basic solid colors, with floral designs, monogrammed, or even with your favorite sports team or your pet's picture. You would have to actually sit and write out all that information and even had to record the amount you needed twice, once in figures and once spelled out. (Does "fifty" have an "e" or not?) If you had the style that contained a duplicate to help you remember checks you’ve written to record in the register, you had to press down hard and put the divider in so the duplicate on the next check wouldn’t pick up the writing. It's no wonder that, when electronic bill payment and other alternative payment methods came along, they were so widely and quickly accepted.
Over the last three decades, there has been an ever-decreasing use of checks, especially by consumers. Aided by the advent of Check 21, image capture, and ACH conversion, volumes have decreased to the point that by 2010, the Federal Reserve System had consolidated its 45 check processing centers to a single operation at the Atlanta Fed. Still, despite the rapid decline in volume on the consumer side, the check remains a key payment instrument for commercial customers.
Despite physical security enhancements such as watermarks and holographs and services such as positive pay to detect unauthorized checks, the low-technology aspects of the paper check make it an appealing target to the less-sophisticated criminal. With knowledge of the routing-transit number and account number, criminals can quickly create a counterfeit check displaying high-quality graphics. Because of the bulk filing process, the drawee bank generally checks signatures only on a random basis and on extremely large dollar items, so passing "bad paper" at a number of locations in a short period of time can result in sizeable losses. Based on the Financial Crimes Enforcement Network's 2012 SAR [Suspicious Activity Report] Activity Review—By the Numbers, the number of check-fraud SARs increased 6 percent over 2011 and represented the largest category of fraud-related SARs in 2012.
While much of the risk management effort these days is focused on electronic payments, be sure not to forget about the paper check. It is obvious the crooks haven't.
By Dave Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 17, 2011
As payments system evolves, "funny" money is still no laughing matter
Counterfeit money in the United States has been in circulation since colonial America. During the Revolutionary War, counterfeiting of Continental American money became so rampant that the currency became worthless. Hence, the phrase "not worth a Continental" was born. Counterfeiting continued after the country's independence from the British, so the government established the U.S. Secret Service in 1865 to suppress it. It was only later that the agency was also tasked with the highly visible and publicized mission of protecting national leaders, most notably the president, and visiting foreign leaders.
Since the establishment of the Secret Service, payment types have advanced from paper bills to checks and card-based payments. Alongside the advancement of our nation's payment methods, the security features of each payment type are evolving to combat attempts at counterfeiting. Yet today, 111 years after the Secret Service was established, counterfeiting remains a threat to the U.S. payments system. This blog examines the technological security advances currently deployed and those in development to fight counterfeiting schemes in consumer payments.
In 1865, approximately one-third of all currency in circulation was counterfeit. Today, counterfeit currency is estimated to represent only 3/100ths of 1 percent of total currency—yet the crime of counterfeiting currency remains popular. According to its Fiscal Year 2010 Annual Report, the Secret Service made more than 3,000 domestic and international arrests for counterfeiting offenses in 2010, resulting in the removal of more than $261 million in counterfeit currency from circulation. This amount is an increase of more than 150 percent from the 2008 level of $103 million. Continued advancements in computer and printing technologies aid counterfeiters in producing hard-to-detect counterfeit bills. It is also important to note that counterfeit bills do not have to be perfect. These bills just need to be good enough for the counterfeiters to exchange once to another party to be deemed successful.
To mitigate the production of counterfeit currency and to help detect it, the U.S. Department of the Treasury constantly enhances paper currency's security features. Newer features such as color-shifting ink, watermarks, and security threads have made paper currency more difficult for criminals to counterfeit accurately.
Much like paper currency, checks became an important payment instrument in the United States following the Revolutionary War. And as is the case with paper currency, checks are also a common target for counterfeiters. Even as check usage continues to decline, check fraud continues to increase and remains one of the largest threats to businesses today, according to the 2011 AFP Payments Fraud and Control Survey: Report of Survey Results. Also according to this report, the counterfeiting of nonpayroll checks using an organization's MICR line data remains the most widely used technique to commit check fraud.
Since the first credit card was introduced in the United States in 1958, card-enabled debit and credit payments have become many consumers' preferred payment methods. But just as payments migrated from paper to electronic methods such as debit and credit cards, counterfeiting fraud schemes have shifted from paper as well. Today's payments fraud-related headlines are flooded with stories of card-skimming schemes to produce counterfeit cards. Fraudsters are using skimming devices on point-of-sale (POS) terminals and at ATMs to capture card numbers. As my colleague Cynthia Merritt previously discussed in an earlier post, these skimming devices are becoming more sophisticated. According to Verizon's 2011 Data Breach Investigations Report, tampering of ATMs and POS terminals accounted for 98 percent of physical data breaches in 2010. The report notes that these tampering attacks, which have been occurring for years, are on the rise.
Despite the continued evolution of payment types and their corresponding security features, counterfeiters persist in finding ways to harm the payments system, regardless of payment type. Although the industry can and should strive to eliminate the success of counterfeiters, history shows us that the task is all but impossible. It will be very interesting to see the effect that new security enhancements as they develop will have on counterfeiting trends in the United States. For me, I am eagerly anticipating the effect that dynamic data chip-enabled transactions will have on the skimming and counterfeiting of payment cards should the industry adopt the technology.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 2, 2011
The check's in the mail, but it might be fraudulent
Amid the constant hubbub of emerging fraud schemes, research shows us that criminals are rational consumers of the nth degree. They instinctively move to the path of least resistance. While the exciting and glamorous fraud topics today involve wire fraud, account takeovers, ID theft, and skimming, the results of the Association for Financial Professionals' (AFP) annual corporate fraud survey remind us that the most fraud vulnerable instrument available today is the paper check. Why? Because check fraud is a decidedly low-tech practice whose ingredients include a bit of thievery, a good copying machine, and possibly, but not necessarily, some magnetic ink.
Corporate experiences with check fraud
The AFP's study tabulated survey results from around 400 public, private, nonprofit, and government organizations across a wide range of sizes. Over 70 percent of the respondents reported that they had been the victim of fraud in 2010. Of those, 93 percent reported fraud involving checks, compared to 25 percent with ACH debit fraud and 23 percent with consumer card fraud. Moreover, of the fraudulent methods used, checks also experienced the highest rate of increase, with 30 percent of organizations reporting an increase in check fraud. And check fraud accounted for 53 percent of the reporting organizations’ financial losses. Interestingly, while actual fraud losses were deemed to be modest in total dollar terms, 84 percent of the respondents had made efforts to protect themselves against check fraud by implementing positive pay controls on their corporate accounts; 53 percent had implemented payee positive pay.
Bank experiences with check fraud
The corporate responses synchronized well with the results of the American Bankers Association's (ABA) last deposit account fraud survey in 2009. At that time, 80 percent of respondent banks reported check fraud losses totaling over $1 billion, which is 23 percent higher than losses experienced with debit/ATM cards. Interestingly, there seems to be little evidence in the ABA report or elsewhere to indicate that check fraud stems from abuse of new technology. At the outset of the implementation of the Check 21 legislation, many industry pundits forecasted that losses would climb as a result of widespread implementation of remote deposit capture (RDC) technology, but it appears such has not been the case. In fact, several large banks, emboldened by the experiences of pioneers such as USAA, have even extended remote capture into the homes of their depositors who are armed with the latest in RDC technology—the smart phone.
Yet, there are growing concerns within the industry that the "gild may be off the lily," as the bad guys learn more about the opportunities. A friend and Sunday school classmate of mine who works for a large national bank reported to me that they had been beset over the past few weeks with an interesting scheme involving new account fraud and checks. Individuals have been opening new accounts and obtaining a debit/ATM card at the outset. After making a modest deposit of good funds to open the account, the new customer then used their ATM card to deposit several counterfeit checks at ATM locations. Per the bank’s policy, some or all funds were made available to the customer immediately (depending on the dollar amount of the check). The customer took advantage of that fact, withdrew the maximum amount possible the next day, before the return deadlines, and then walked away (well, one actually complained because not all funds were made available, but that’s another story, involving criminal indignation).
The unit cost of fraud and fee revenue deliberations
The upshot of all this is that there is a lesson to be learned. Just because we see checks as a diminishing-use instrument doesn't mean we should let our guard down whether we are a consumer, a corporation, or a bank. In tough economic times, a billion-dollar loss to the banking industry is still an expensive ticket. Having just wrapped up the Federal Reserve's 2010 Retail Payments Study, I was interested in exploring fraud from a slightly different angle by looking at the average fraud per check written in the United States. While not all industry surveys align perfectly with respect to samples, time frames, response levels, and so forth, they are close enough to produce some interesting observations. Further, such a calculation might help us understand what the actual "fraud tax" is on checks as banks consider future check service fee issues.
The 2009 ABA study estimated that 760,955 cases of check fraud took place in the 2008 reporting year, with actual losses estimated at $1.024 billion. Compare these numbers to 561,306 cases and $969 million in the 2006 study and 616,469 cases and $677 million in the 2003 study. The concurrent Fed payments studies in 2004, 2007, and 2010 estimated the number of checks written in the United States at 37.6, 33.1, and 27.8 billion, respectively. Doing the math reveals that the per-item cost of fraud losses has gone from $.018 to $.029 to $.036 (unadjusted for inflation). Said differently, the unit cost of fraud for every check written has doubled in six years to 3.6 cents per item even as aggregate check volume has fallen by 26 percent. By the way, this figure represents the costs of fraud losses, not the total cost of fraud management for the check world.
In summary, while the industry debates the issue of the cost of fraud management in the Durbin debit card interchange regulation, perhaps similar scrutiny should be applied to the cost of fraud management in the check world as check volume diminishes. Somewhere out there is an opportunity to adopt an overall fraud management fee strategy as yet another arrow in the quiver of strategically leading customers to payments choices that make sense for the bottom line of a bank.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
August 2, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the technologies that enable electronic payment innovations are the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
February 22, 2010
Check fraud: Old problem, new approach?
Despite signs of declining check volume and ongoing predictions of checks' imminent demise, check fraud is a growing problem. Industry experts estimate that check fraud will cost billions in 2010. The question now is whether this fraud can be thwarted with traditional mitigation efforts or if something new is needed.
One explanation for the continued proliferation of check fraud is technology. Fraudsters today have increased access to check paper stock, high-quality color printers, and scanners that facilitate the creation of a near-perfect document that can pass for a real check. Industry experts state that compromised online banking accounts also contribute to check fraud because fraudsters are able to view cleared check images which are then used to extract sequence numbers and other pertinent data for subsequent replication.
Recent studies reveal check fraud's persistence
Last month, the Financial Crimes Enforcement Network (FinCEN) released its Suspicious Activity Report (SAR) filings for mid-year. The report revealed that during the first six months of 2009, SAR filings for suspected check fraud increased for all industries required to file SARs under the Bank Secrecy Act (BSA). A breakdown for each industry revealed that SAR filings by depository institutions increased by 19 percent for check fraud and by 36 percent for suspected counterfeit checks. SAR filings by money services businesses for traveler's check fraud increased by 76 percent.
Similarly, the 2009 AFP Payments Fraud and Control Survey found check fraud dominated the overall payments fraud landscape for those surveyed in 2008. The results underscored the importance of specific fraud control measures to mitigate risk and reduce exposure to losses. Of those who responded to the AFP survey, 91 percent indicated they had experienced actual or attempted check fraud.
Types of Fraud Resulting from Using Checks
(Percent of organizations that suffered check fraud in 2008)
| In percentages: | All respondents | Revenue greater than $1 billion | Revenue less than $1 billion |
|---|---|---|---|
| Counterfeit checks (other than payroll) with the organization's MICR line data | 72 | 75 | 68 |
| Payee name alteration on checks issued | 59 | 63 | 50 |
| Other | 7 | 5 | 12 |

Source: 2009 AFP Payments Fraud and Control Survey, p. 13, available at: http://www.afponline.org/pub/pdf/2009_Payments_Fraud_Survey.pdf.
Are yesterday's best practices today's best approach?
Check fraud is a decades-old problem that shows persistent signs of survival. Preventive efforts to mitigate check fraud risk range from ceasing all use of checks to using advanced software systems that offer automatic check stock and signature verification and can detect even the most sophisticated counterfeit checks. But can new approaches to check fraud enable a bank's loss prevention team to catch and prevent more check fraud? Or is the fight against check fraud best won through traditional and well-established risk-management practices?
One well-known method for business customers to combat check fraud is through the use of a tool known as positive pay. This bank service allows a company to send to its paying bank an electronic file of check payment information, which the bank then matches against the information provided by its business customer. The paying bank pays checks that match the information provided and dishonors those that do not. Other bank services available to combat check fraud include ACH debit blocks and filters. An ACH debit block works like a stop payment order by automatically returning all ACH debits and credits that, for example, exceed preset dollar limits established by the bank customer. The bank customer can also set filters to permit fund transfers to only preapproved payees.
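The positive pay matching described above can be sketched as follows. This is an added example, not code from the Atlanta Fed or any bank: the record fields, decision labels, account number, and sample items are all constructed assumptions, and it also covers the payee check ("payee positive pay") and a repeat presentment of an already paid item.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    account: str       # drawer's account number from the MICR line
    serial: str        # check serial number from the MICR line
    amount_cents: int  # integer cents, so comparisons are exact
    payee: str         # payee name ("" if not captured at presentment)

def normalize_payee(name):
    """Uppercase, drop punctuation, collapse spaces before comparing names."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split())

def normalize_serial(serial):
    """MICR serials are often zero-padded; compare without leading zeros."""
    return serial.lstrip("0") or "0"

class PositivePay:
    """Matches presented checks against the customer's issue file."""

    def __init__(self, issue_file):
        self._issued = {(c.account, normalize_serial(c.serial)): c
                        for c in issue_file}
        self._paid = set()  # keys already paid, to catch repeat presentment

    def decide(self, item, check_payee=True):
        key = (item.account, normalize_serial(item.serial))
        issued = self._issued.get(key)
        if issued is None:
            # Valid account number but a serial the customer never issued:
            # the pattern left by a counterfeit built from MICR line data.
            return "DISHONOR:NOT_ISSUED"
        if key in self._paid:
            return "DISHONOR:DUPLICATE"
        if item.amount_cents != issued.amount_cents:
            return "DISHONOR:AMOUNT_MISMATCH"
        if check_payee and (normalize_payee(item.payee)
                            != normalize_payee(issued.payee)):
            # Payee positive pay: catches payee name alteration.
            return "DISHONOR:PAYEE_MISMATCH"
        self._paid.add(key)
        return "PAY"

# Constructed sample data (not real accounts or payees).
ISSUE_FILE = [
    Check("000123456", "1001", 125000, "Acme Supply Co."),
    Check("000123456", "1002", 4550, "J. Rivera"),
]
PRESENTED = [
    Check("000123456", "1001", 125000, "ACME SUPPLY CO"),      # genuine
    Check("000123456", "1001", 125000, "ACME SUPPLY CO"),      # same item again
    Check("000123456", "1002", 4550, "J. Rivers Holdings"),    # altered payee
    Check("000123456", "0001003", 980000, "Cash"),             # never issued
    Check("000123456", "1002", 45500, "J. Rivera"),            # altered amount
    Check("000123456", "01002", 4550, "j rivera"),             # genuine
]

def run_sample():
    """Return the decision for each constructed presented item, in order."""
    engine = PositivePay(ISSUE_FILE)
    return [engine.decide(item) for item in PRESENTED]

if __name__ == "__main__":
    for item, decision in zip(PRESENTED, run_sample()):
        print(item.serial, item.amount_cents, decision)
```

An item that fails a check is not marked as paid, so the genuine check 1002 still pays after the altered copies are dishonored.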
While there is no "one-size-fits-all" solution, well-established risk-management practices have proven time and again to be successful mitigators of fraud risk. The back-to-basic tools such as segregation of duties, dual controls, and timely reconciliations are just some of the risk-management tools best known for their effectiveness at combating check fraud.
Where do we go from here?
While acknowledging that nothing is impervious, the combination of both new and old techniques can contribute significantly to solving some of the challenges that check fraud presents. Armed with an arsenal of tools, financial institutions can be well-equipped to monitor and maintain a high level of account security effectively.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.