Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 18, 2016
The 411 on Banning the RCC
Are you proficient in recognizing phone scams? One that I've frequently experienced is when the caller tells me I've won a cruise and all I have to do is pay the taxes. To help combat phone fraud, the Federal Trade Commission (FTC) amended the Telemarketing Sales Rule. Part of the amendment prohibits payment types commonly used in deceptive and abusive telemarketing practices. Effective June 13, 2016, telemarketers can't ask for payment by cash-to-cash money transfers, PINs from cash reload cards, or bank account information, which would allow them to create a remotely created check (RCC). Fraudsters prefer RCCs because reversals are more difficult, notes the FTC. In particular, RCCs sail quickly through the clearing and settlement process making for easy collection by fraudsters and clunky adjustment processes for financial institutions.
Financial institutions (FIs) are the gatekeepers to payment systems and, with the amendment to the rule, have a new risk for what their customers do. FIs have always had the compliance risk of understanding their customer's business. As an FI, how would you know if you had a telemarketing customer already on board or one attempting to apply today? Further, how would you know if a current customer is accepting payment via RCC, since RCCs look like traditional checks? If you have third-party processors as customers, these questions become more difficult. Then, the risk is to identify if your customer's customer is a telemarketer processing banned payments through your bank.
Most agreements between FIs and business customers typically include a clause binding their customers to process payments in compliance with applicable laws of the United States. What additional steps should FIs take to manage the risks that apply to different industries and different payment types?
There are limited ways to identify RCCs because such items are cleared like traditional checks. Effective November 2015, the standards for the MICR (magnetic ink character recognition) line were changed to include a "6" in a certain position in the line to indicate an RCC. This is a standard and not a requirement. But if the 6 is used, that is one way to identify an RCC. If the standard is not used, nothing uniquely identifies an item as an RCC unless one examines the signature block on the check, since RCCs have no signature. An FI or a processor may not have the ability to look at every item included in every deposit, but could have random testing in place to attempt to identify the illegal use of RCCs.
Another indicator of deceptive practices by a business customer is anomalies in return rates. A large number of adjustments may signal that abuses are taking place. An RCC is often confused with an ACH entry and some telemarketers may convert their RCCs to ACH to spread out alarming return rates.
It will be all hands on deck to stop abusive RCC practices, but the FTC has charted the course with its new rulemaking.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 6, 2015
What Can Parenting Teach Us about Data Security?
My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.
As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.
However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.
In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference What Can Parenting Teach Us about Data Security?:
March 16, 2015
Squeezing the Fraud Balloon
A number of our posts over the last year have discussed the U.S. migration to EMV (chip) cards. As we've mentioned, one of the primary motivations for the migration has been the ease with which fraudsters in our magnetic-stripe environment can create counterfeit payment cards. Other posts have mentioned that ubiquitous tenant of the criminal world—the person always on the lookout for the weakest link or the easiest target. And that criminal does not close up shop and go away in the chip-card world. There is clear evidence from other countries that criminals, after an EMV migration, look for, and find, other targets of opportunity—just as when you squeeze a balloon, you're constricting the middle, but both ends simultaneously expand.
One major area that criminals target post-EMV is online commerce, an activity referred to as card-not-present (CNP) fraud. However, criminals also target two other areas, according to speakers at the recent 2015 BAI Payments Connect conference: checks and account applications. Well before the EMV card liability shift occurs in the United States (October 1, 2015), a number of financial institutions have reported a marked increase in counterfeit checks and duplicate-item fraud, usually by way of the mobile deposit capture service. In many cases, the fraud takes place on accounts that have been open for more than six months, long enough to allow the criminal to have established an apparent pattern of "normalcy," although there are reports of newly opened accounts being used as well.
Canadian financial institutions report that fraudulent applications for credit and checking accounts have increased as much as 300 percent since that country's EMV liability shift. Criminals are opening checking accounts to perpetrate overall identity theft fraud as well as to create conduits for future counterfeit check or kiting fraud. And they're submitting fraudulent credit applications to purchase automobiles or other merchandise that they can then sell easily.
The time to examine and improve your fraud detection capabilities across all the channels customers use is now. Financial institutions should already be evaluating their check acceptance processes and account activity parameters to spot problem accounts early. Likewise, financial institutions should make sure their KYC, or know-your-customer, processes and tools are adequate to handle the additional threat that the credit and account application channel may experience. Be proactive to prevent the fraud in the first place while ensuring you have the proper detection capabilities to react quickly to potential fraudulent attempts. If we want to constrict the balloon of fraud, we're going to have to constrict the whole thing with consistent, equal pressure.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Squeezing the Fraud Balloon:
December 2, 2013
Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?
An excessive number of consumer complaints or returns and chargebacks—these are among several red flags that could indicate that a third-party payment processor is engaged in fraud. And who better to take notice of these red flags than financial institutions? That's the thinking of many regulators, including the Financial Crimes Enforcement Network (FinCEN) when it released its October 2012 advisory on risk associated with third-party payment processors. In that advisory, FinCEN stressed the importance of financial institutions performing due diligence and monitoring their third-party payment processors.
The role of financial institution as gatekeeper was a major topic at the Atlanta Fed's October 30 Executive Fraud Forum, where a panel of industry leaders discussed the evolving role of third -party payment processors in the retail payments space. Representatives from the U.S. Department of Justice's Consumer Protection Branch and U.S. Secret Service, while they recognized the benefits of payment processors, highlighted case studies demonstrating the need for institutions to adjust their due diligence and monitoring to recognize attendant risks. They also stressed the importance of collaboration between institutions and law enforcement agencies in protecting consumers and keeping fraudsters away from payment processing.
Judy Long, who is the executive vice president and chief operating officer at First Citizens National Bank, also noted the gatekeeping role that institutions have with regard to the payments networks. Because banks are highly regulated entities whose primary objective is safety and soundness, she noted, they are in the best position to be the underwriters of payment processors.
As part of her discussion, Long mentioned some important practices for financial institutions in managing payment processor relationships.
- Because the board of directors plays a critical role in determining the institution's risk tolerance by approving its policies and procedures, it must make itself knowledgeable about the risk factors involved with third-party payment processors.
- The institution should have as an integral part of its policies underwriting guidelines that set limits for customers.
- The institution must monitor customers by examining return rates and consumer complaints, providing ongoing customer calling programs, and not just knowing its customer but also its customers' customers.
- Agreements should clearly explain the terms and conditions for how the institution will conduct business with a customer. These agreements protect both the institution and its customers.
For more details on this topic, watch this interview with Judy Long. You can also view the presentations from the Executive Fraud Forum on the event webpage.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?:
September 7, 2010
Is KYC DOA? The tribulations of trying to know your customer
Based on recent nightly news coverage, it appears that armed robbery has entered a new era of "brazenness," as robbers seem to commit their crimes without the cover of a disguise, despite the growing omnipresence of security cameras. I seem to recall that in the good old days of TV westerns, the robbers always wore disguises—at least they covered their faces with bandanas. Unfortunately, in the world of cybercrime, the disguises are still a basic part of the uniform as bad actors go about the business of laundering money, financing terrorists, and committing general computer crimes.
Increasingly in the wake of the Sept. 11 attacks, the responsibility for wrestling with detecting criminal financial activity lies with banks, subject to the provisions of Section 326 of the Patriot Act. In essence, the Patriot Act extended the earlier requirements of the Bank Secrecy Act to place financial institutions in the center of a process to know more and more about their account holders. Generally described as the "Know Your Customer" (or KYC) provisions of the act, Section 326 requires financial institutions (now broadly defined to include everything from traditional banks to gambling casinos) to gather, record, and report a great deal of specific information about their business and consumer customers.
Customers have reacted to this heightened information-gathering process with some frustration, yet it is simply the consequence of the global village in which we now live. The standards for such information gathering are cataloged in the Customer Identification Program (CIP) requirements of the Patriot Act, but many institutions, in an effort to protect their bank's financial welfare and avoid criticism from regulators about adhering to the letter of the law only, have extended their programs into the area of customer due diligence (CDD). CDD embraces broader information gathering that may frequently seem intrusive to the customer. For example, CDD may ask customers to describe the nature of transactions flowing through their accounts so that the bank can establish a risk rating for the accounts. However, in today's reality of global cybercrime, have we come to the point where even extended CDD may not be sufficient?
The emergence of third parties in the payments arena
This question is accentuated by the increasing roles of third parties in the payments system. Many third parties are legitimately engaged in providing services and technology support to businesses and banks alike in order to facilitate a more efficient use of the payments system. For example, some companies offer ACH or electronic check origination services to smaller businesses that cannot easily afford the acquisition of in-house systems to accomplish certain payment functions. While it is reasonable to assume that a bank can perform due diligence reviews on such third parties, history has been a harsh teacher in revealing that the third party (the bank's customer) can be well intentioned, but some of the companies they provide services to (the customer's customer) may be less honorable. Consequently, we talk in the trade of the fact that banks must now know their customer's customer (KYCC).
It turns out that this is not an easy thing to do. Nor is it easy to tell their customer's customer how to do it. For instance, many of the customer's customers may be startup companies, entrepreneurs pursuing the dream, or relatively small niche businesses. Some such firms start legitimately and intentionally act innocently until such time that they are positioned to commit significant fraud. In other words, the robbery suspects in cyber space do wear bandanas and they do disguise themselves so that no one can make an easy determination in advance as to their trustworthiness. In fact, they do it so well that we must ask, "Is KYC dead on arrival?" in this modern world of payments.
It is increasingly apparent that the answer is, "No, KYC isn't dead, but neither is it enough." A good KYC plan is better than no plan and is needed to comply with the Patriot Act, but we cannot possibly expect such a plan to be foolproof. Instead, we need to anticipate the possibility of a rogue player and complement KYC with other controls. Ultimately, this means that noncard transaction processing systems need to begin to adopt many of the practices used in card systems, including data forensics to detect and address potentially fraudulent behavior before it happens or as soon after it happens as possible.
In addition, it may be time for the industry, working with regulators, to examine the growing importance and risk profiles of nonbank entities engaged in the payments space. Most of today's fraudsters fall outside of the regulatory purview of bank supervisors and examiners, leaving the field to agencies such as the Federal Trade Commission. In 1850, the Pinkerton Agency was formed to assist the government in finding and arresting bank robbers. Perhaps we need a modern-day cyber version of the Pinkertons, armed with powerful networked computers to reach out and oversee the operations of a bank's customer's customer on behalf of regulators and law enforcement bodies everywhere. At any rate, a fresh look at this topic couldn't hurt.
By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Is KYC DOA? The tribulations of trying to know your customer:
- Calculating Fraud: Part 2
- Watching Your Behavior
- Responsible Innovation Part 1: Can Community Banks Remain Competitive?
- The Year(s) of Ransomware
- What Canada Knows That We Don't
- Calculating Fraud: Part 1
- Additional Authentication: Is the Protection Worth the Hassle?
- Would Consumers Ever Give Up Their Passwords?
- Will the Password Ever Die? Part 1
- Catch Me If You Can
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud