Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

August 17, 2015


Pigskin and Payments

For those who know me well, they know that I find August to be the slowest-moving month of the year. It's not because of the oppressive southern heat and humidity, but rather it's my anticipation for football season. To help speed along the "dog days of summer," I generally read my fair share of prognostication publications. Alongside the predictions, improving player safety has become a key discussion topic as the season approaches.

Armed with data showing an increase in injuries as well as long-term negative effects from playing the sport, football's governing bodies on both the collegiate and professional levels are instituting rule changes to make the game safer. Equipment manufacturers are introducing new gear to improve safety and individual teams are adding new experts to their medical staffs all in the name of player safety.

Ironically, while there is a focus on improving player safety, football players continue to get stronger and faster aided by advancements in nutrition and workout regimes. As player strength and speed improves, this contact sport becomes more vicious and dangerous. And as a fan, I'll admit that I find watching a game featuring stronger and faster players more exciting. I do not want to see players injured, but at the same time I enjoy the excitement that comes with hard tackles and big hits.

Does this state of football sound at all like the current state of the U.S. payments industry? To make payments safer, public and private entities are leading literally hundreds of initiatives across various payments rails. Network rule changes are taking place and new technologies are being harnessed all in an effort to better secure payments. At the same time, start-ups, established payment companies, payment associations, and the Federal Reserve are collaborating to improve the speed of payments.

It's hard not to get excited about the possibilities of faster payments, from important just-in-time supplier payments to simple repayments for borrowing money from a friend or family member. However, can securing payments better derail the speed of payments? By way of example and personal experience, my more secure EMV (chip) credit card has clearly reduced the speed at the point-of-sale for my card payment transactions.

But just as player strength and speed has evolved alongside safety through rule-making and technology (think about leather football helmets here), I think we have seen the same progression within the payments industry. I think football remains as exciting as ever, and the payments expert in me is clearly excited about the future of payments.

Speed and safety are not to be viewed as mutually exclusive, and I am confident that the payments industry supports this view. In both football and payments, elements of risk will exist, regardless of safety measures in place. Finding the right balance between speed and safety should be the goal in order to maintain an exciting football game or efficient payments system. I can't wait to see what lies ahead on the gridiron and within the payments industry.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 17, 2015 in emerging payments, EMV, fraud, innovation, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 03, 2015


Friendly Fraud: Nothing to Smile About (Part 2)

Last week's post discussed the increasing frequency of friendly fraud and the problems it presents for e-commerce merchants. A transaction that could be classified as friendly fraud might actually be one the customer just forget about, or one involving a family member using the customer's card without permission, or one with the customer actually not receiving the goods. So the merchant really can't just assume the customer is out to commit fraud and take an aggressive approach in dealing with the customer. The merchant would probably then have lost the customer's business altogether. But with the burden of proof on the merchant, the merchant must adopt a number of best practices to help minimize losses.

A company that works with merchants to both prevent chargeback disputes and respond to them has published a detailed guide (the site requires e-mail registration for access to the guide) to help merchants deal with friendly fraud. The following list includes some of the guide's best practices:

  • Promote a clear and fair refund policy that encourages customers to contact the merchant directly instead of the card issuer.
  • Make sure that the name of the business is on all billing statements—clearly, to avoid confusion.
  • Ensure that the customer communication channels—such as a call center or e-mail—are accessible.
  • Be responsive to customer inquiries.
  • Clearly communicate shipping charges and delivery timeframes to avoid misunderstandings about the total cost or delivery date of orders.
  • Always obtain the card security code and use address validation services. For larger-value purchases, consider the use of delivery confirmation and other validation services.
  • With digital goods or services, consider using a secondary verification tool—an activation code or purchase confirmation page—to ascertain that the customer received the goods.
  • When there is a chargeback, make every effort to contact the customer directly to attempt to resolve the matter. While the contact may not resolve this particular situation, it may offer a lesson that might help prevent future chargebacks from other customers.
  • Keep a database of customers who initiate chargebacks that appear fraudulent. Research shows that customers who deliberately defraud merchants and succeed at it are very likely to do it again.

As with all efforts to fight payments fraud, merchants must study their own customer base. They should identify their particular risks and then employ the practices that will help them best mitigate their fraud losses.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 3, 2015 in cards, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 27, 2015


Friendly Fraud: Nothing to Smile About (Part 1)

Friendly fraud (also referred to as chargeback fraud or first-party fraud) occurs when someone makes an online purchase then later requests a chargeback from the bank. The person has received the goods or services, but claims they were defective or the transaction never authorized. Sometimes this happens because of buyer's remorse—the customer just doesn't want to have to explain his or her regret to the merchant, preferring to initiate a chargeback and let the bank resolve it with the merchant. Sometimes the buyer's remorse comes from a child making purchases, particularly digital goods, using the parent's card, or when a merchant's refund time limit has passed but the cardholder still wants to be reimbursed.

While there certainly can be legitimate disputes, friendly fraud is becoming a growing problem for e-commerce merchants. Not only are the merchants out the cost of the goods or services, but they also incur administrative costs and fees from the card-issuing bank. Companies selling digital goods, office supplies, or electronics—as well as auction sites—seem to be the most frequent targets of friendly fraud, but other types of businesses can also be affected.

One of the main difficulties merchants experience in combating this fraud is predicting or recognizing when it first occurs, since it often occurs on the account of a "good" customer. And with these remote purchases, the merchant is at a disadvantage in determining if a legitimate cardholder made the purchase or the goods were actually received by the cardholder.

Because the burden of proof is on the merchant, the merchant community has started to implement a number of tactics to help reduce this increasing problem. In our next installment on this topic, we will discuss some of those tactics.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 27, 2015 in cards, fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 29, 2015


The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 26, 2015


Tackling Fraud with Data

As the dust settles on the 2014 retail holiday season, it isn't surprising to learn that e-commerce was once again the winner. ComScore reported that online holiday spending through December 21 was $48.3 billion, a 15 percent increase over 2013. And there is nothing to suggest that this growth trajectory will flatten. While these trends are encouraging for online retailers' sales departments, they must be challenging for their fraud and loss prevention teams. According to the 2013 Federal Reserve Payments Study, card-not-present fraud rates were approximately three times higher than card-present fraud rates in 2012.

Just before the holiday shopping season, CyberSource released its 15th Annual Online Fraud Management Benchmark Study This 2014 study reveals that merchants improved order conversion through lower rejection rates while keeping their fraud losses stable. Naturally, I was curious about the tools that yielded these results and wondered to what extent they might have changed. Using CyberSource's 2012 study to compare, I found some surprises.

In 2012, validation tools were used the most—79 percent of merchants used a card verification number and 77 percent used address verification. Of the merchants who did not use these tools, 81 percent indicated they planned to implement a card verification number and 61 percent planned to use address verification. While merchants can implement these tools with little cost, their effectiveness, according to the surveyed merchants, is limited.

Given the 2014 report's positive findings, coupled with the expected very high use of card verification numbers and address verification reported in 2012, I was expecting merchants to rate the effectiveness of these tools higher. Interestingly, even though these validation tools remained the most prominent, their usage did not increase as expected, despite the number ofmerchants who planned to implement them following the 2012 study. And there was not a significant increase in their reported effectiveness.

Here's what did change: the use of proprietary data tools such as customer order history, in-house positive and negative lists, and company-specific fraud scoring models. Purchase device tracking tools, such as fingerprinting, also saw an increase in usage, though not as large of an increase as the proprietary data tools. And it is these tools that, generally speaking, are rated as the most effective fraud management tools by the merchants surveyed.

The 2014 study highlighted improved fraud management. I have several of my own highlights. Merchants appear to be more apt and capable of leveraging their own data today than the preceding several years. And they are finding that using this data is more effective in combating fraud than traditional validation services. I think it's important to note that only two tools (device fingerprinting and a fraud scoring model) were selected by more than 50 percent of merchants as most effective. Even though traditional validation services are still highly used and useful, no single tool is a panacea for fraud management. A layered approach using multiple tools and data elements is critical for success. I suspect this trend of merchants using their own customer data to manage CNP fraud will continue. I also expect that data-centric tools will become more effective as merchants become more sophisticated with data analysis.

What is your view on the future role of proprietary data in CNP fraud management?

Photo of Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


January 26, 2015 in cards, fraud, online banking fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c73f1e40970b

Listed below are links to blogs that reference Tackling Fraud with Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 29, 2014


Let's Talk Token, Part II: Distinguishing Attributes

Several weeks ago, Portals and Rails embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. Since writing the first post, payment tokens has jumped front and center in the payments community when Apple introduced Apple Pay, which uses tokenization. Also, the Mobile Payments Industry Workgroup just released a detailed white paper recounting their recent meeting on the current tokenization landscape in the United States.

In today's installment, we look at some distinguishing attributes of the end-to-end token initiatives currently under way and consider their impact on mitigating risk in payments transactions.

  • Token format: Common ground exists in the payments industry in terms of the token format. The end-to-end token solution relies on the creation of a token, known as a device account number (DAN), to initiate a payment in place of the original primary account number (PAN). To mitigate operational risks and make use of existing messaging rules and applications associated with the payment transaction, it is imperative that the format of the DAN preserves the format structure of the PAN. This means that DAN generation should be as random as possible, even while preserving the original PAN format structures to maintain basic card or account validation rules associated with the PAN.

  • Token type: Payment tokens can be dynamic or static. Dynamic tokens are valid either for a single transaction or for a limited number of transactions occurring in a very short time. By the time a fraudster intercepts a dynamic token, it has likely already expired, so the fraudster can’t use it. However, there is a slight down side to dynamic tokens—they can work against loyalty programs as well as some back-end fraud detection systems. Because each transaction has a different DAN, merchants and processors cannot consolidate multiple transaction information for an individual cardholder.

    On the other hand, static tokens are multi-use, so they allow merchants to connect the token user with past transactions. But given their multi-use nature, they are not as secure as dynamic tokens. For additional security, each transaction with a static token can include an additional element: a uniquely generated cryptogram.

  • Device coverage: Tokens can be created and stored either on a secure element on a mobile phone or in a cloud. Much industry discussion focuses on which approach is more secure, but the approach also has an impact on device access to the token. Storing a token only on secure elements limits tokens to mobile phones, a situation that does not address the significant volume of card-not-present payments that consumers conduct on computers and other devices. Alternatively, storing a token in a cloud would allow any connected device (mobile, tablet, laptop, or computer) to access the token, so all e-commerce transactions would be covered.

  • Token service provider: A number of parties can play the critical provider role. The provider is ultimately responsible for generating and issuing the DAN, maintaining the DAN vault, and mapping the DAN to the PAN for presentment to the issuer that ultimately authorizes the transaction. A network, issuer, processor, or another third-party provider can perform this role. We can make a case for any of these parties to play the role, but the critical risk mitigation factor to note is that the merchant should never see the PAN, thereby preventing a breach of payment card data within their systems.

To date, a standards body controlled by the largest global card networks and a company representing the largest global banks has driven most of the payment tokenization standardization efforts. Although these organizations have advocated for public discussions and input in an open environment, some critics argue that the management of standards development should be left to an open-standards body such as X9 or ISO. Tokenization efforts and standards will continue to evolve as tokenization may play a critical role in mitigating payment risk in the future. Still, security challenges will remain even with its adoption. In the next installment of this tokenization series, we will examine risks that that a tokenized payments environment won't resolve, and risks that will be all new.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


September 29, 2014 in authentication, fraud, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c6e9606d970b

Listed below are links to blogs that reference Let's Talk Token, Part II: Distinguishing Attributes:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 04, 2014


Fishing for Your Private Data

fishing Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.

Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity by which anyone can send e-mails has created a wide window of opportunity for fraudsters.

In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the email, and without opening any attachments.

In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.

Photo of Deborah Shaw

August 4, 2014 in banks and banking, consumer fraud, consumer protection, data security, fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dfaf641970d

Listed below are links to blogs that reference Fishing for Your Private Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 14, 2014


Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FI). Dubbed "unlimited operation" by the U. S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude to a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a5119e4e38970c

Listed below are links to blogs that reference Danger Ahead! ATM Cash-Outs:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 07, 2014


Learning from Experience to Handle Suspicious Payment Transactions

In a post earlier this year, we addressed the difficulty of identifying and tracking remotely created checks (RCCs) in the payments stream. Electronic payment orders (EPOs), which are electronic images of "checks" that never exist in paper form, are another payment vehicle difficult to identify and track. EPOs can be created by the payee as an image of an RCC, or created and electronically signed by the payer.

Financial institutions have to address all suspicious payment transactions, whether they occur with traditional payments, like checks and ACH or these new variants, the RCCs and EPOs. Institutions rely on a variety of ways to become aware of suspicious payment transactions:

  • The institution's anomaly detection processes highlight transaction patterns that are atypical for a customer.
  • A bank customer contacts the bank after identifying an unauthorized transaction on the bank statement.
  • Consumer complaints about a business suddenly increase.
  • Another institution contacts the bank with concerns about a particular business.
  • The bank becomes aware of legal actions taken against a business.
  • Returns for a business's payment transactions increase.

Regardless of payment type, institutions can apply the simple approach in this diagram to handling suspicious payment transactions.

diagram on handling suspicious payment transactions

When an institution becomes aware of suspicious transactions, its first step is to take care of the customer. This may include returning transactions, placing stop payments, monitoring account activity, addressing security protocols, or changing authentication tools.

The next step would be to reach out to other institutions, law enforcement, and regulators. Other institutions may not be aware of the issue and can assist with resolving the customer’s concern and addressing the underlying cause of the problem. Support for information sharing between financial institutions includes the safe harbor provisions within Section 314(b) of the U.S. Patriot Act. Submitting suspicious activity reports, or SARs, and contacting appropriate law enforcement such as the local police or FBI enables law enforcement to address fraudulent behavior, monitor the extent of the fraud, and address areas of concern that are affecting multiple institutions. Information-sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, are other important avenues.

Critical to the approach is the importance of the affected institution consistently adjusting its identification processes based on its experiences with suspicious transactions. For example, if the anomaly detection system has default settings for origination volume or return rates, and the institution learns that those settings were ineffective in identifying a problem, then the institution should adjust the settings.

As the payments industry continues to evolve, with newer payment types such as RCCs and EPOs, criminals will find new ways to use them to their benefit. And as perpetrators of fraudulent payments adjust their approaches, a financial institution must also be a "learning" institution and adjust its approach to identifying the suspicious payments.

How often does your institution adjust its processes for handling suspicious transactions based on current fraud experiences?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 7, 2014 in fraud, payments, remotely created checks | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73da3dd6d970d

Listed below are links to blogs that reference Learning from Experience to Handle Suspicious Payment Transactions:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 06, 2014


When It Comes to RCCs, Can We Make the Invisible Visible?

In May 2013, the Federal Trade Commission (FTC) issued a proposal for public comment to amend the telemarketing sales rule to prohibit telemarketers from using certain payment types, including remotely created checks (RCCs). The proposal addressed attributes of RCCs that make their use susceptible to abuse. RCCs, sometimes referred to as demand drafts, are checks that payees issue rather than the consumer or the consumer’s bank, and are not signed by the consumer. The attributes the proposal addresses include the difficulty of distinguishing RCCs from check images, the absence of reliable data on the volume of RCCs and returns, and the lack of centralized fraud monitoring. Together, these attributes make RCCs relatively invisible.

RCCs usually garner attention only when a law enforcement case uncovers their use in fraud, typically when consumers are victimized by unfair and deceptive practices. Still, RCCs are not just a tool for committing fraud—they are used for legitimate purposes and are frequently authorized by consumers as payments for credit cards, charitable donations, and insurance premiums. At times, banks originate the RCCs themselves or on behalf of the payee, so in these instances, the bank monitors returns, identifies issues, and manages them.

In other payment methods, including ACH transactions and cards, the ability to recognize the payment, track volume and returns, and monitor fraud centrally have proven to be beneficial in addressing fraud. For example, ACH operators have data on forward entries and returns for ACH transactions that enable ACH participants to identify and address issues proactively. Adding these layers of data to enable identification and monitoring of RCCs would prove equally beneficial to the depository and paying banks, as well as regulators and law enforcement to potentially identify and address RCC fraud more directly.

How can the industry improve the identification and tracking of RCCs? One option could be to develop some kind of technology that would distinguish between RCCs and check images with a high degree of accuracy. Another option could be to approve a standard for an identifier in the MICR (short for magnetic ink character recognition) line to indicate that this document is an RCC.

Some industry participants have pursued the MICR line identifier in the past, but these efforts did not gain traction within the industry. However, it may be an idea whose time has come given the concerns that regulators and law enforcement officials are raising about the "invisibility" of RCCs. A MICR line identifier would also allow for centralized fraud monitoring. For instance, depository banks could report periodically to their primary regulator on RCC returns. This reporting would provide information to regulators and law enforcement on possible fraud and support banks in their efforts to mitigate improper RCC usage.

Does your institution see value in making RCCs visible in the processing stream and quantifying their use?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 6, 2014 in fraud, regulations, remotely created checks | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b0450ee36970d

Listed below are links to blogs that reference When It Comes to RCCs, Can We Make the Invisible Visible?:

Comments

Another consideration for financial institutions is the liability difference for electronic RCC vs. 'traditional' RCC. eRCC are never printed therefore not allowing the Federal Reserve to provide Check 21 warranties. This method puts all of the liability on the Bank of First Deposit. Normal liability is incurred for the traditional RCC.

Posted by: Brad Smith | January 06, 2014 at 03:40 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


August 2015


Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Archives


Categories


Powered by TypePad