Take On Payments

August 1, 2016


FFIEC Weighs In On Mobile Channel Risks

In late April, the Federal Financial Institutions Examination Council (FFIEC) released new guidance regarding mobile banking and mobile payments risk management strategies. Titled "Appendix E: Mobile Financial Services," the document becomes part of the FFIEC's Information Technology Examination Handbook. While the handbook is for examiners to use to "determine the inherent risk and adequacy of controls at an institution or third party providing MFS" (for mobile financial services), it can also be a useful tool for financial institutions to better understand the expectations that examiners will have when conducting an exam of an institution's MFS offering.

Consistent with examiners' focus on third-party relationships for the last several years, the document points out that MFS often involves engagement with third parties and that the responsibilities of the parties in those relationships must be clearly documented and their compliance closely managed. Other key areas the document reviews include:

  • Mobile application development, maintenance, security, and attack threats
  • Enrollment controls to authenticate the customer's identity and the payment credentials they are adding to a mobile wallet
  • Authentication and authorization, emphasizing that financial institutions should not use mobile payment applications that rely on single-factor methods of authentication
  • Customer education efforts to support the adoption of strong security practices in the usage of their mobile devices

The document also identifies and reviews strategic, operational, compliance, and reputation risk issues for the various elements of a financial institution's MFS offering. The final section of the document outlines an examiner's work plan for reviewing an MFS program with seven key objectives. I believe that it would be time well spent for the institution's MFS team to assume the role of examiner and use the work plan as a checklist to help effectively identify and manage the risks associated with an MFS program.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 1, 2016 in bank supervision, banks and banking, financial services, mobile banking, mobile payments, regulations, regulators, third-party service provider

Comments

Looking forward to welcoming David Lott to our upcoming Next Money Tampa Bay meetup.

David will be our keynote on Wednesday, Sept 21, 2016 6:00 ~ 8:00 PM

Tampa Bay Wave Venture Center
500 East Kennedy Boulevard 3rd FL
Tampa Florida 33602

All are welcome to attend. RSVP at

https://www.meetup.com/NextMoneyTPA/events/233171815/

Posted by: Bruce Burke | August 6, 2016 at 05:22 PM


June 20, 2016


There's an App for That!

Few would question that mobile phones have had a considerable influence in our everyday activities. They provide a level of convenience and connectivity that also generates benefits to our personal safety and the security of our banking accounts and other assets. The Pew Research Center estimates that almost two-thirds of adults in the United States own a smartphone and 15 percent use them as their primary online access device either because they do not have broadband access at their home or have few other online options.

In recent blogs, I highlighted some key findings from the Federal Reserve Board of Governors' recently released Consumers and Mobile Financial Services 2016 report. The report includes a section of questions that probe how consumers use their mobile phones in financial decision making. Within the past year, 62 percent of mobile banking users with smartphones responded that they checked their balance before they made a large purchase. The power of that information is demonstrated in that for those who checked their balance or available credit, half didn't make a purchase as a result of having that information.

Forty-five percent of smartphone owners use their phone for comparison shopping at retail stores. Forty-one percent reported they use their phones to obtain product information while shopping at retail stores, and 28 percent use a barcode scanning application for price comparisons.

Though smartphone owners value the convenience phones bring to financial decision making, security and safety are primary concerns. A little more than half of the mobile banking users take advantage of the feature of receiving some type of alert from their financial institution. The most common alert cited was for a low balance, but 36 percent reported they also receive fraud alerts.

Later this year, a number of the Federal Reserve districts, including the Sixth District, will be conducting a survey of the financial institutions in their districts about the mobile banking and mobile payments services they offer. The Sixth District participated in this effort in 2014; you can find the results here. It will be interesting to see the changes that have taken place over the last two years, especially in light of the launch of the various mobile wallets, so stay tuned.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 20, 2016 in banks and banking, mobile banking, mobile payments

June 6, 2016


Mobile Security and Privacy

In an earlier post, I provided some of the top-line findings from the Federal Reserve Board of Governors' recently released Consumers and Mobile Financial Services 2016 report. Safety and risk continue to be cited by consumers as significant barriers to their adoption of mobile banking and other new payment technology. Many consumers either don't believe that the mobile banking channel is safe or they don't understand the security features that are part of the mobile technology. The research effort probed these issues in greater detail to better understand consumer perspectives.

One of the first questions in this area asked how safe a person's personal information is when using mobile banking. As the table shows, while there has been steady positive movement over the last three years in getting many consumers to feel their personal information is safe, there remains a great challenge. A decrease of only two percentage points (42 percent in 2015 compared to a high of 44 percent in 2014) in those who believe their personal information is "somewhat unsafe" or "very unsafe" doesn't signify much advancement in the safety education efforts for these folks.

Q. How safe do you believe people's personal information is when they use mobile banking?

[Table: responses to the question above; image not available]

In a separate survey question, a slightly higher percentage of respondents (46 percent) believed that their personal information was "very unsafe" or "somewhat unsafe" when conducting a mobile point-of-service transaction at a store.

With 15 percent of the respondents indicating they "don't know," the survey illustrates the need for additional education about the security aspects of mobile banking and payment technology. The research showed that among those with mobile phones and bank accounts, mobile banking users had more confidence in the security of mobile banking transactions than non-users. Only 3 percent of mobile banking users thought that their personal information was "very unsafe" when they use mobile banking, compared to 28 percent for non-users.

When mobile phone users were probed about their specific security concerns about using their mobile phone for banking or payments, their most common response was that they were concerned about all of the listed security risks. For those who chose one specific reason, they most frequently cited fears about the phone being hacked or the data being intercepted, followed by concerns about their phone being lost or stolen.

On a positive note, consumers appear to be adopting more secure mobile phone practices. The percentage of smartphone users who password-protect their phone increased to 70 percent in 2015 from 61 percent in 2013. One-third of the smartphone owners were using antimalware software or applications to protect their phone, and a similar share used an app or service to help them locate, remotely access, erase, or disable their phone in the event it is lost or stolen.

Additionally, consumers are recognizing the need for improved authentication with their banking service provider. Seventy-four percent of smartphone owners indicated they either "strongly agree" or "agree" that they would be willing to undergo additional authentication steps when they were logging in to their mobile banking service.

Other important findings are contained in the research report, so be sure to give it a good read.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 6, 2016 in malware, mobile banking, mobile payments

May 2, 2016


Mobile Financial Services Are Still Growing

The Federal Reserve Board's Division of Consumer and Community Affairs (DCCA) recently released its Consumers and Mobile Financial Services 2016 report. This annual research effort began in 2011 to measure the adoption and usage of mobile banking and payment activities by consumers and the use of mobile technology in making financial decisions. The latest survey was fielded in November 2015 with a respondent base of 2,510 adults age 18 and over, of which 1,064 had participated in both the 2013 and 2014 surveys.

Key adoption and usage findings from the survey include:

  • The major barriers to mobile payment adoption remain the same as in previous studies—satisfaction with current methods of payment and concerns about security.
  • Convenience is the most common reason given by the respondents for adopting mobile banking.
  • Perhaps reflecting a positive effect of mobile phone security education, 70 percent of smartphone users indicated they password-protect their phone and 78 percent indicated they download applications only from their primary application store.
  • Mobile phone penetration has remained consistent over the last three years at 87 percent of the U.S. population, although smartphones now account for 77 percent of mobile phones versus 61 percent in 2013.
  • Ownership of smartphones is higher for Hispanics than for non-Hispanic whites in this survey.
  • Usage of mobile banking services by those with mobile phones increased to 43 percent from 33 percent in 2013. Smartphone owners showed a higher usage rate of mobile banking, at 53 percent, but this rate was essentially flat from 2014.
  • While usage of mobile banking has generally increased every year for each age group, younger consumers have consistently been the most likely users while the older segment has been the least likely, as the table shows:

[Table: mobile banking usage by age group; image not available]

  • The most common mobile banking activity is checking an account balance or making a specific transaction, followed by transferring money between accounts and receiving an account alert.
  • Despite the strong usage of mobile banking, more than 80 percent of smartphone owners with a bank account visited a branch or used an ATM over the last 12 months, while only 29 percent called their banks.
  • Mobile payment activity still lags mobile banking activity. Only 24 percent of mobile phone owners had made a mobile payment over the last 12 months, compared to 43 percent of mobile phone owners with a bank account who used mobile banking. The study found that there is no clear relationship between mobile payment usage and income or education level. As in previous surveys, minorities make mobile payments at a higher rate than white, non-Hispanic consumers.

Additional findings from the survey as to security and privacy and the use of the phone in making financial decisions will be highlighted in future blogs. This survey provides valuable data in the ongoing evolution and adoption of mobile banking services and I hope you will read it in detail.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 2, 2016 in mobile banking, mobile payments

March 28, 2016


Continuing Education in Mobile Payments Security

Just over a year ago, I wrote a post raising the question of which stakeholder or stakeholders in the payments ecosystem had the responsibility for educating consumers regarding payments security. As new payment technologies such as mobile devices, wearables, and the Internet of things gain acceptance and increased usage, who is stepping up not only to teach consumers how to use the devices but also how to do so in a safe and secure manner?

Since it is generally financial institutions that have the greatest financial risk for payment transactions because of the protective liability legislation that exists in the United States, this responsibility has fallen largely to them. However, this educational effort has become increasingly difficult since consumers generally acquire these new products at retail outlets or mobile carrier stores, where the financial institution has no direct contact with the consumer.

The Consumer Federation of America (CFA) recently continued its ongoing efforts to provide educational information to consumers with the release of a guide to mobile payments. The guide is comprehensive, covering issues such as privacy, security of the mobile device, the dangers of malware, error resolution, and dispute procedures for mobile payments, and concludes with a humorous animated video that recaps some of the risks with mobile phones if they are not secured and used properly.

As an example, in its section on privacy, the guide offers the following tips:

  • Read the privacy policies of the companies whose services you are using to make mobile payments and the companies that you are paying.
  • If you don't like a company's privacy policy, take your business elsewhere.
  • Don't voluntarily provide information that is not necessary to use a product or service or make a payment.
  • Take advantage of the controls that you may be given over the collection and use of your personal information.
  • Since mobile payments, like all electronic payments, leave a trail, if there are transactions that you would prefer to make anonymously, pay with cash.

Kudos to the CFA for its work on this effort. I hope you will read the guide and spread the word about the availability of this valuable resource. It is through the combined efforts of the payments stakeholders that we can work to improve the knowledge level of all parties involved and promote secure usage.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 28, 2016 in consumer protection, innovation, mobile banking, mobile payments

February 16, 2016


Changing How We Pay Online in 2016

Over the past few years, I've done the majority of my Christmas shopping online through my laptop or mobile device. This year, I did 100 percent of my shopping online due to an accident that left me mostly immobile. Though shopping online was certainly easier for me than trying to get out in the hustle and bustle of the December shopping madness, the payment experience for some of my transactions was as painful as my leg injury.

I have been hearing for years how the mobile phone is going to replace my wallet, and one reason is that our phones are increasingly with us while our wallets are not. Yet I never leave my house or office without my wallet unless I forget it. In fact, I forget my mobile phone more often than my wallet, but apparently I'm an exception. However, I realized that when I'm home, I am rarely with my wallet. Out of habit, I leave my wallet sitting on a shelf in the closet. This habit never created issues for me until recently.

Except for websites that have my card on file, I am almost always required to enter my card information (account number, expiration date, and maybe the card security code). The expiration or CVV2 are still required even for some of my card-on-file transactions. While it's always been something of a hassle to go get my card information from my closet, I never gave much thought to the friction of the experience—that is, until my left leg was temporarily rendered useless and making it to my wallet in the closet became difficult. When my wife wasn't around to get my wallet, my cart abandonment rate pushed 100 percent.

Then I discovered how easy it is to use online digital wallets. And I tried a lot of them—PayPal, American Express Checkout (actually more of a platform than a wallet), Visa Checkout, and MasterCard's MasterPass, to name a few. While each wallet has its pros and cons and merchant acceptance varies by wallet, I gained a greater appreciation for these transactions because of how easy it was not needing to physically have my card to enter the requested information for each transaction beyond the initial wallet setup. And I liked not having my card on file with a merchant. By the end of the shopping season, I had become a big fan of digital wallets.

Removing friction from the consumer experience is just one reason why many believe that mobile proximity payments will flourish. I never agreed with that reason (this was in a pre-EMV world though!) but it is a big reason why I believe online commerce will experience a significant transformation in 2016 with both merchant and consumer adoption of digital wallets taking off this year.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 16, 2016 in mobile banking, mobile payments

July 6, 2015


Growing, Growing, Gone!

As we've blogged before, check writing has been steadily declining as electronic payments have grown. For example, the number of checks written in 2012 was 21 billion, down from 27.8 billion in 2009, according to the 2013 Federal Reserve Payments Study. We may be writing fewer checks than ever, but more than anything, we want the convenience of depositing our checks with mobile devices. A 2013 survey by ath Power Consulting found that mobile remote deposit capture (mRDC) is the "most sought-after mobile banking feature" among consumers. And financial institutions are answering this demand. According to 2014 surveys from Federal Reserve Banks (the Dallas Fed's, for example), about 48 percent of responding institutions are currently offering mobile capture and another 41 percent are planning to offer it within the next two years.

With mRDC in such demand, solutions providers and financial institutions should be investing in risk management strategies. But if check writing is a declining business, will mRDC risk management investments end up on the disabled list? Financial institutions must look at the potential losses and how they occur, evaluate the means to minimize these, and carefully weigh these factors against the dwindling check industry.

The mRDC channel faces two primary loss challenges: fraudulent items and duplicate check presentment. A fraudulent item might be an altered, forged, or counterfeit check; it can also be an intentional duplicate presentment. The other challenge occurs when a customer unintentionally presents a deposited item a second time. Research and anecdotal evidence suggest many duplicate presentments result from customer errors. These represent a growing customer education need. Financial institutions must find room in the allocated lineup and spending cap for fraud and duplicate detection enhancements.

Handling duplicate check presentments landed an all-star position on the agenda at most payments operation conferences this past year. Duplicate check presentments mean returns and adjustments, which in turn mean time and money for the financial institutions. When duplicate presentment involves more than one bank of first deposit, losses are often sustained from misunderstanding holder-in-due-course rights and return-versus-adjustment processes. Financial institutions often need to reconstruct what happened, analyze the facts, and possibly consult legal counsel.

But rather than handling these risks with expensive roster moves, considering the declining use of checks, financial institutions can meet the threat at the origin, through customer education and enforcement policies. Financial institutions that offer mRDC can make disclosed stipulations. For example, they can require that the original check be destroyed after confirmation, or that checks have a specific restrictive endorsement that includes "for mobile deposit only." Ultimately, if a consumer deposits a check twice, financial institutions can charge a fee or suspend service. In general, customers want to avoid fines, so they tend to play within the rules when fines are looming. If training customers is a home run in mitigation, then the grand slam is having detection systems that support the stipulations and rules put into place.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 6, 2015 in checks, consumer protection, mobile banking, mobile payments

May 4, 2015


Keeping Up with the Criminals: Improving Customer Authentication

The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.

Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.

The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.

Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.

The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.

[Table: six key characteristics for evaluating a biometric system; image not available]

The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 4, 2015 in authentication, biometrics, emerging payments, innovation, mobile banking, mobile payments, risk management

November 10, 2014


Virtual Currency Environment Still Fluid after Latest Rulings

The end of October was filled with multiple news-grabbing headlines reflecting the growing fears of Ebola, the exciting seven-game World Series, and the release of the first-ever college football playoff rankings. The launch of Apple Pay also saw its fair share of headlines, but one piece of payments-related news might have flown a bit under the radar. On October 27, the United States Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) issued two virtual currency administrative rulings stemming from its March 2013 guidance on regulations to persons administering, exchanging, or using virtual currencies.

The first administrative ruling involves a virtual currency trading platform that matches its customers' buy-and-sell orders for currencies. The company requesting this ruling stated that they operated the trading platform only and were not involved with money transmissions between it and any counterparty. FinCEN determined that money transmission does, in fact, occur between the platform operator and both the buyer and seller. Consequently, FinCEN said that this company and other virtual currency trading platform operators should be considered "exchangers" or "operators" and required to register as money transmitters subject to Bank Secrecy Act (BSA) requirements.

The second administrative ruling involves a company that enables virtual currency payments to merchants. This company receives payment in fiat currency from the buyer (or consumer) but transfers an equivalent amount of virtual currency to the seller (or merchant) using its own inventory of virtual currency to pay the merchant. This particular company asserted that it wasn't an "exchanger" since it wasn't converting fiat currency to virtual currency because it was using its own reserve of virtual currency to pay merchants. However, FinCEN determined that this company, and similar companies, is a money transmitter because it accepts fiat currency from one party and transmits virtual currency to another party.

These two rulings confirm that if a virtual currency-related company's services allow for the movement of funds between two parties, that company will be viewed as a money transmitter and will be subject to BSA requirements as a registered money transmitter. As financial institutions consider business relationships with these types of companies, they should make sure that these companies are registered as money transmitters and have BSA programs in place.

The virtual currency regulatory environment continues to be fluid. For example, in his recent comments at the Money 2020 Conference, Benjamin Lawsky, superintendent of the New York Department of Financial Services, suggested that his office will soon be releasing its second draft of a proposed framework for virtual currency businesses operating in New York. Portals and Rails will continue to monitor this regulatory environment at the state and federal level.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 10, 2014 in currency, mobile banking, mobile payments, transmitters

October 14, 2014


Mobile Biometrics: Ready or Not, Here They Come

Apple's recent announcement about the release of its mobile wallet app—called Apple Pay—energized the mobile payments community. One reason for the spike of interest is Apple Pay's use of fingerprint biometrics as an additional layer of security in validating customers and their transactions. What may have gotten a little lost in the chatter that followed this announcement was another, related announcement. As reported in a September 19 FinExtra story, MasterCard (MC) announced it had completed a pilot project that used a combination of facial and voice recognition on a smartphone. MC said that the trial program—which involved MC employees around the globe conducting 14,000 transactions—had a successful validation rate of 98 percent.

The Apple and MC announcements together certainly show that the future of the additional security options on smartphones looks promising. As a recent post noted, consumer research has consistently found that consumers' largest concern about using mobile phones for financial transactions is security. But are biometric technologies ready for prime time? Will their application in the payments ecosystem really give payment providers more confidence that the person they are dealing with is not an imposter?

The latest generations of Apple and Android smartphones are equipped with fingerprint scanners, cameras, and microphones, which allow for the use of fingerprint, voice, and facial recognition. But limitations exist for each of the techniques. The Apple and Android fingerprint readers, for example, were compromised within days of their initial release. And facial and voice recognition applications work best in controlled conditions of lighting and with limited background noise—an unlikely environment for a smartphone user on the go.

But security experts agree that additional customer authentication methodologies—beyond the common user ID and password entry fields—increase the overall authenticity of transactions. Numerous companies are continuing to focus their research and development efforts on improving the reliability and use of their authentication products. So while there is no "one size fits all" authentication solution over the weak and easily compromised ID-and-password method, these biometric methods represent a step forward, and are likely to improve over time.

The Retail Payments Risk Forum is taking a close look at biometrics technology and its impact on the payments system. We are working on a paper assessing biometrics and authentication methodologies that will probably be released by the end of the year. We're planning a forum to be held this upcoming spring on mobile authentication technologies. And we're continuing to write posts on the topic in Portals and Rails.

Please feel free to contact us with your suggestions on biometric issues you would like to see us address in our continuing efforts.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 14, 2014 in authentication, biometrics, innovation, mobile banking