About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

January 16, 2018


Not Just a Card-Not-Present Problem

In 2012, I published a paper that looked at trends in card fraud in several countries that had adopted or were in the later stages of adopting EMV chip cards. The United States is now in the process of adopting EMV, so I am refreshing that paper with an eye towards fraud trends in what are now mature EMV markets. Payments experts know that card-not-present (CNP) fraud will continue to pose challenges that EMV chip cards do not solve, but are there other challenges lurking in these markets that the U.S. payments industry should note?

Although I'm still gathering data, one particular data point from the United Kingdom—lost and stolen fraud—already has me intrigued. In 2016, losses from this type of fraud stood at more than £96 million (about $130 million), up from more than £44 million (about $60 million) in 2010, a 117 percent increase. In 2010, lost and stolen fraud accounted for 12 percent of overall card fraud in that country. By the end of 2016, it had become 16 percent of card fraud. It is now the second leading type of fraud in the United Kingdom, though it still falls far behind CNP fraud, which accounts for 70 percent.

Remember that in the United Kingdom, PIN usage was adopted to mitigate lost and stolen card fraud at the same time that EMV chip cards were implemented. Yet lost and stolen card fraud is up significantly. According to Financial Fraud Action UK, fraudsters are getting their hands on the PINs—a static data element—through distraction tactics and scams. Other factors, such as the proliferation of contactless transactions and those that have no cardholder verification method, could also be drivers of this fraud, as could an increase of reports of lost or stolen fraud that is actually first-party, or "friendly," fraud. EMV has proven to be an effective tool to authenticate cards, but authenticating an individual using a card, even in a card-present environment, remains a challenge.

The lost and stolen fraud figures out of the United Kingdom lead me to believe that cardholder authentication isn't just a CNP problem. Furthermore, the decades-old PIN solution for the card-present environment is now showing signs of weakness. At the same time, to reduce customer friction, many card networks are eliminating signature verification and relying on data analytics to authenticate transactions. Is this a perfect storm for lost and stolen card fraud? Is it the foreshadowing of the emergence of biometrics, or some lesser known technology? Or will I find that this problem is isolated and should not worry us in the United States?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

January 16, 2018 in authentication , cards , chip-and-pin , debit cards , EMV , fraud , payments | Permalink | Comments ( 0)

January 8, 2018


Consolidated Mobile Banking and Payments Survey Results Published

In earlier posts, we published highlights of the 2016 Mobile Banking and Payments Survey of Financial Institutions in the Sixth District results as well as a supplement showing the results by financial institution (FI) asset size. The survey was designed to determine the level and type of mobile financial services that FIs offered and to find out what plans FIs had to offer new services.

Six other Federal Reserve Banks also conducted the survey in their districts, and we've combined all the data into a single report. Marianne Crowe and Elisa Tavilla of the Boston Fed's Payment Strategies group led the team that consolidated the data. The report—now available on the Boston Fed's website—addresses mobile banking and payment services from the perspective of the FI. The report offers additional value with its inclusion of a large number of small banks and credit unions (under $500 million in assets), a group from which data are often difficult to obtain.

Consolidated-survey-respondents-by-asset-size

The seven districts participating were Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond. A total of 706 FIs responded.

Here are some of the key learnings from survey responses regarding mobile banking:

  • Retail mobile banking offerings are approaching ubiquity across financial institutions in the United States. Eighty-nine percent of respondents currently offer mobile banking services to consumers, and 97 percent plan to offer these services by 2018.
  • By the end of 2018, 77 percent of bank and 47 percent of credit union respondents will be providing mobile banking services to nonconsumers including commercial and small businesses, government agencies, educational entities, and nonprofits. Commercial and small businesses will be the most prevalent.
  • Among FIs offering and tracking business mobile banking adoption, more than half still have adoption rates of less than 5 percent.
  • The most important mobile banking security concern that respondents cited is the consumer's lack of protective behavior. In response, FIs have implemented a range of mitigating controls. To enhance security and help change consumer behavior, more than 80 percent of respondents support inactivity timeouts and multi-factor authentication (MFA) as well as mobile alerts.

And here are some important findings regarding mobile payments:

  • Implementation of mobile payment services is growing as FIs respond to competitive pressure and industry momentum. In addition to the 24 percent already offering mobile payments, 40 percent plan to do so within two years. However, the current offering level fell substantially short of the expected 57 percent predicted by the responses to the 2014 survey.
  • Mobile wallet implementations are increasing steadily, with Apple Pay as the current leader.
  • Enrollment and usage remain low. Eighty-one percent of the respondents had fewer than 5 percent of their customers enrolled and actively using their mobile payment services.
  • Asset size makes a difference in many areas: larger FIs have greater resources to expend on new services, implementations, and security technologies and controls.
  • Banks and credit unions often differ in approaches and strategies for mobile payments.

We will conduct the survey again this year and are eager to see how the mobile banking and payments landscape has changed. If you have any questions about the survey results, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

January 8, 2018 in banks and banking , mobile banking , mobile payments , payments study | Permalink | Comments ( 0)

January 2, 2018


2017 Year-End Review

In December 2013, the Retail Payments Risk Forum began an annual tradition of authoring an end-of-year post highlighting what we consider to be the most significant payment topics or events of the year. We continued that tradition this year, but we changed our platform, instead covering our top events in our Talk About Payments webinar series. Watch a recording of the webinar's presentation.

We encourage you to listen to the webinar, during which we discussed in more detail the following key payment stories of 2017:

  • Fraud schemes
  • Data breaches
  • Chip migration
  • Payments security
  • Same-day ACH–phase II
  • Person-to-person payments
  • Fintech
  • Mobile payments
  • Virtual currency/Distributed ledger

As we begin 2018, we in the Risk Forum look forward to continuing our efforts to mitigate payments risks through industry collaboration and convening. We will also continue to offer our insights using multiple platforms, including this weekly blog and our quarterly webinar series, Talk About Payments. As always, we value your feedback and comments, so do not hesitate to reach out to any of the Risk Forum team members.

Best wishes for a happy, and fraud-free, new year from all of us at the Retail Payments Risk Forum!

Photo of Mary Kepler
Mary Kepler
Photo of Julius Weyman
Julius Weyman
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Washington
Photo of Steven Cordray
Steven Cordray

 

January 2, 2018 in chip-and-pin , mobile banking , mobile payments | Permalink | Comments ( 0)

December 18, 2017


Training Workers for Payments Jobs

Do you boast, or at least talk, about your work in payments at social events? When I tell someone in a social setting that I work in payments, they either move on, after a polite pause, to meet the next person, or they take a deep breath and ask, “What does that entail?” What is most humbling is when I overhear my husband trying to explain my job. And what has been the most entertaining was when a four-year old asked me to perform an interpretive dance representing my occupation—a payments Nutcracker, if you will. Whatever the circumstance, you have to be ready to engage and convey excitement about all things payments to keep our workforce thriving. The industry is growing so rapidly that many employers are struggling to fill positions.

Many people I meet assume I am a mathematician when I talk about my work in payments. While I do own a calculator, I tell them, people in the payments workforce have diverse skill sets that go above and beyond using calculators. This diversity becomes more important every day, as technology keeps growing and changing. Ultimately, the majority of the population may not care how payments work, and they may not care to see an interpretive dance about payments. But there are dedicated, skilled professionals who, thankfully, perform their payments-related jobs safely and efficiently. And we need more of them.

The payments industry is growing. Fintechs alone account for a good portion of this growth. According to an industry research firm, venture capital-backed fintech companies globally raised a total of $5.2 billion in the second quarter of this year—–a 19 percent increase from last year. U.S. fintech funding saw a 58 percent rise, to $1.9 billion in the second quarter this year compared to $1.2 billion in the first quarter.

We need a more robust pipeline of available workers to support the growth in the industry. We need to both cultivate new talent and attract available skilled talent. This task can be daunting given the range of jobs available in the industry that transcend traditional educational curriculums.

Here are just a very few of many inspiring workforce training initiatives supporting industry growth today:

  • FinTech Atlanta, along with the University System of Georgia and other colleges and universities in Georgia, launched a FinTech Degree and Certificate Programs to create needed talent to fuel the fintech workforce.
  • NACHA, with the regional payments associations, has launched a Payments Risk Professional accreditation program. The program brings together skills for managing risk combined with knowledge in payment services, whether for financial institutions, solution providers, processors, businesses, or other end users.
  • Workforce Innovation Hub, sponsored by Accenture and affiliated with Atlanta's City of Refuge, provides nonprofit technical education options to lift the underemployed and underprivileged. The IT training program teaches software and application development, IT support, web development, graphic design, and more—all skills that can be put to use in payments and fintechs.
  • Some professional development programs work with military veterans, offering career opportunities and education resources that can help prepare them for careers in the payments industry. One example is First Data Salutes; another is Syracuse University's Institute for Veterans and Military Families (IVMF) and its affiliated program Entrepreneurs Bootcamp for Veterans with Disabilities.

Be a payments ambassador at your next social event and talk about your favorite payments initiative. It is up to you to decide if you want to perform an interpretive dance of your payments job—but it's up to all of us to keep our workforce growing at pace with the industry.

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

December 18, 2017 in financial services , payments | Permalink | Comments ( 0)

December 11, 2017


Fintechs and the Psychology of Trust

In the 14th century, Chaucer used the word trust to mean "virtual certainty and well-grounded hope." Since then, psychologists have described trust as an essential ingredient for social functioning, which, in turn, affects many economic variables. So how do we define trust in the 21st century, in the age of the internet? In particular, how do fintechs, relative newcomers in the financial services industry and not yet coalesced into an industry, gain the trust of the public? Would they more effectively gain that trust by relying on banks to hold them to certain standards, or by coming together to create their own?

In 2004, social psychologists Hans-Werver Bierhoff and Bernd Vornefeld, in "The Social Psychology of Trust with Applications in the Internet," wrote about trust in relation to technology and systems. They observed that "trust and risk are complementary terms. Risk is generally based on mistrust, whereas trust is associated with less doubts about security." They further explained that trust in technology and systems is based on whether an individual believes the system's security is guaranteed. Psychologically speaking, when companies show customers they care about the security of their information, customers have increased confidence in the company and the overall system. Understanding this provides insight into the development of certification authorities, third-party verification processes, and standardized levels of security.

To understand how fintechs might gain the trust of consumers and the financial industry, it's worth taking a step back, to look at how traditional financial services, before the internet and fintechs, used principles similar to those outlined by Bierhoff and Vornefeld. Take, for example, the following list of efforts the industry has taken to garner trust (this list is by no means comprehensive):

  • FDIC-insured depository institutions must advertise FDIC membership.
  • All financial institutions (FI) must undergo regulator supervision and examination.
  • FIs must get U.S. Patriot Act Certifications from any foreign banks that they maintain a correspondent account with.
  • Organizations with payment card data must comply with the PCI Standards Council's security standards and audit requirements.
  • Organizations processing ACH can have NACHA membership but must follow NACHA Operating Rules and undergo annual audits and risk assessments.
  • The Accredited Standards Committee X9 Financial Industry Standards Inc. has developed international as well as domestic standards for FIs.
  • The International Organization for Standardization has also developed international standards for financial services.
  • The American National Standards Institute provides membership options and develops standards and accreditation for financial services.

FIs have often been an integral part of the standards creation process. To the extent that these standards and requirements also affect fintechs, shouldn't fintechs also have a seat at the table? In addition, regulatory agencies have given us an additional overarching "virtual certainty' that FIs are adhering to the agreed-upon standards. Who will provide that oversight—and virtual certainty—for the fintechs?

The issue of privacy further adds to the confusion surrounding fintechs. The Gramm-Leach-Bliley Act (GLBA) of 1999 requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of customer information. Further, the Federal Trade Commission's (FTC) Safeguards Rule requires FIs to have measures in place to keep customer information secure, and to comply with certain limitations on disclosure of nonpublic personal information. It's not clear that the GLBA's and FTC's definition of "financial institution" includes fintechs.

So, how will new entrants to financial services build trust? Will fintechs adopt the same standards, certifications, and verifications so they can influence assessments of risk versus security? What oversight will provide overarching virtual certainty that new systems are secure? And in the case of privacy, will fintechs identify themselves as FIs under the law? Or will it be up to a fintech's partnering financial institution to supervise compliance? As fintechs continue to blaze new trails, we will need clear directives as to which existing trust guarantees (certifications, verifications, and standards) apply to them and who will enforce those expectations.

As Bierhoff and Vornefeld conclude, "it is an empirical question how the balance between trust and distrust relates to successful use of the Internet." Although Chaucer was born a little too soon for internet access, he might agree.

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

December 11, 2017 in banks and banking , financial services , innovation , mobile banking | Permalink | Comments ( 0)

December 4, 2017


What Will the Fintech Regulatory Environment Look Like in 2018?

As we prepare to put a bow on 2017 and begin to look forward to 2018, I can’t help but observe that fintech was one of the bigger topics in the banking and payments communities this year. (Be sure to sign up for our December 14 Talk About Payments webinar to see if fintech made our top 10 newsworthy list for 2017.) Many industry observers would likely agree that it will continue to garner a lot of attention in the upcoming year, as financial institutions (FI) will continue to partner with fintech companies to deliver client-friendly solutions.

No doubt, fintech solutions are making our daily lives easier, whether they are helping us deposit a check with our mobile phones or activating fund transfers with a voice command in a mobile banking application. But at what cost to consumers? To date, the direct costs, such as fees, have been minimal. However, are there hidden costs such as the loss of data privacy that could potentially have negative consequences for not only consumers but also FIs? And what, from a regulatory perspective, is being done to mitigate these potential negative consequences?

Early in the year, there was a splash in the regulatory environment for fintechs. The Office of the Comptroller of the Currency (OCC) began offering limited-purpose bank charters to fintech companies. This charter became the subject of heated debates and discussions—and even lawsuits, by the Conference of State Bank Supervisors and the New York Department of Financial Services. To date, the OCC has not formally begun accepting applications for this charter.

So where will the fintech regulatory environment take us in 2018?

Will it continue to be up to the FIs to perform due diligence on fintech companies, much as they do for third-party service providers? Will regulatory agencies offer FIs additional guidance or due diligence frameworks for fintechs, over and above what they do for traditional third-party service providers? Will one of the regulatory agencies decide that the role of fintech companies in financial services is becoming so important that the companies should be subject to examinations like financial institutions get? Finally, will U.S. regulatory agencies create sandboxes to allow fintechs and FIs to launch products on a limited scale, such as has taken place in the United Kingdom and Australia?

The Risk Forum will continue to closely monitor the fintech industry in 2018. We would enjoy hearing from our readers about how they see the regulatory environment for fintechs evolving.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

December 4, 2017 in banks and banking , financial services , innovation , mobile banking , regulations , regulators , third-party service provider | Permalink | Comments ( 0)

November 27, 2017


How Intelligent Is Artificial Intelligence?

At the recent Money20/20 conference, sessions on artificial intelligence (AI) joined those on friction in regulatory and technological innovation in dominating the agenda. A number of panels highlighted the competitive advantages AI tools offer companies. It didn't matter if the topic was consumer marketing, fraud prevention, or product development—AI was the buzzword. One speaker noted the social good that could come from such technology, pointing to the work of a Stanford research team trying to identify individuals with a strong likelihood of developing diabetes by running an automated review of photographic images of their eyes. Another panel discussed the privacy and ethical issues around the use of artificial intelligence.

But do any of these applications marketed as AI pass Alan Turing's 1950s now-famous Turing test defining true artificial intelligence? Turing was regarded as the father of computer science. It was his efforts during World War II that led a cryptographic team to break the Enigma code used by the Germans, as featured in the 2014 movie The Imitation Game. Turing once said, "A computer would deserve to be called intelligent if it could deceive a human into believing that it was human." An annual competition held since 1991, aims to award a solid 18-karat gold medal and a monetary prize of $100,000 for the first computer whose responses are indistinguishable from a real human's. To date, no one has received the gold medal, but every year, a bronze medal and smaller cash prize are given to the "most humanlike."

Incidentally, many vendors seem to use artificial intelligence as a synonym for the terms deep learning and machine learning. Is this usage of AI mostly marketing hype for the neural network technology developed in the mid-1960s, now greatly improved thanks to the substantial increase in computing power? A 2016 Forbes article by Bernard Marr provides a good overview of the different terms and their applications.

My opinion is that none of the tools in the market today meet the threshold of true artificial intelligence based on Turing's criteria. That isn't to say the lack of this achievement should diminish the benefits that have already emerged and will continue to be generated in the future. Computing technology certainly has advanced to be able to handle complex mathematical and programmed instructions at a much faster rate than a human.

What are your thoughts?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

November 27, 2017 in emerging payments , innovation , payments | Permalink | Comments ( 0)

November 20, 2017


Webinar: Key Payment Events in 2017

This year has been an exciting one for the payments industry. Topics such as block chain and distributed ledger, card-not-present fraud, and chip-card migration continued to be in the news, and new subjects such as behavioral biometrics and machine learning/artificial intelligence made their way into the spotlight.

In the past, the Retail Payments Risk Forum team has coauthored a year-end post identifying what they believed to have been the major payment events of the year. This year, we are doing something a little bit different and hope you will like the change. Taking advantage of our new webinar series, Talk About Payments, the RPRF team will be sharing our perspectives through a round table discussion in a live webinar. We encourage financial institutions, retailers, payments processors, law enforcement, academia, and other payments system stakeholders to participate in this webinar. Participants will be able to submit questions during the webinar.

The webinar will be held on Thursday, December 14, from 1 to 2 p.m. (ET). Participation in the webinar is complimentary, but you must register in advance. To register, click on the TAP webinar link. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks.

We look forward to you joining us on December 14 and sharing your perspectives on the major payment events that took place in 2017.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 20, 2017 in banks and banking , biometrics , emerging payments , EMV , innovation | Permalink | Comments ( 0)

November 13, 2017


The Future of Wearables

My wife and I took our children to a Florida theme park for their recent fall break. While I would love to spend the next few paragraphs opining on why I think our school calendar is crazy or giving a review of the most phenomenal ride that I have ever experienced, it doesn't really fit the mission or purpose of Take On Payments. Fortunately, the trip did provide some fodder and thought for a blog post, thanks to a much-discussed and written-about wearable NFC—or near-field-communication—device that the theme park offers.

These bands were introduced in 2013 to create an awesome customer experience. This experience is much bigger than a payment platform and has absolutely nothing to do with a rewards program around which so many mobile wallet and payment applications are being developed. The band's functionality certainly includes payments, but the device also replaces room keys, park entry cards, and ride-specific tickets known as fast passes. As an additional feature, it is waterproof, which proves handy for a trip to the water park. I was able to spend the week without ever having anything in my pockets (yes, I even left my phone in the room). My wife commented how fantastic it would be to take the NFC band experience outside of the park because it was just so easy and convenient.

Ease and convenience–isn't that what a lot of us are after? If you have to give me something to get me to open an application and tap my phone in place of a payment card, is that really providing ease and convenience? I am now 100 percent convinced that rewards programs aren't going to drive mobile commerce to any significant degree. Experiences that provide ease and convenience will drive mobile commerce. Hello, mobile order-ahead. Hello, grocery delivery. And hello, wearable of the future.

It isn't hard to imagine a wearable device, like an open-loop band, transforming our lives. After my theme park experience, I long for the day when a wearable will be the key to my vehicle—which I won't have to drive, either—and to my house, my communication device, and my payment device (or wallet). Of course, we'll have to consider the security issues. Even the bands incorporate PINs and fingerprint biometrics in some cases to ensure that the legitimate customer is the one wearing the band.

Is this day really so far-fetched? I can already order a pizza through a connected speaker, initiate a call from the driver's seat of my car without touching my phone, or tap my phone to pay for a hamburger. The more I think about these possibilities, I have to ask myself, is it crazy to question whether or not using mobile phones for payments just might become obsolete before long? Or maybe mobile phones will provide that band functionality?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

November 13, 2017 in banks and banking , innovation | Permalink | Comments ( 0)

November 6, 2017


My Fingertips, My Data

I am not a user of old-style financial services. While I remember learning how to balance a checkbook, I never had to do it, since I never had checks. Recently, my financial adviser suggested several mobile applications that could help me manage my finances in a way that made sense to me. I researched them, evaluated a few, and decided which one I thought would be the best. I'm always excited to try new apps, hopeful that this one will be the one that will simplify my life.

As I clicked through the process of opening an account with my new financial management app, I entered the name of my financial institution (FI), where I have several accounts: checking, savings, money market, and line of credit. The app identified my credit union (which has over $5 billion in assets and ranks among the top 25) and entered my online banking credentials—and then I was brought up short. The app was asking for my routing and account number. As I said, I don't own any checks and I don't know how to find this information on my credit union's mobile app. (I do know where to find it using an internet browser.) I stopped creating my account at this point and have yet to finish it up.

I later discovered that if I banked with one of the larger banks, for which custom APIs have been negotiated, I would not have been asked for a routing and account number. I would have simply entered my online login details, and I'd be managing my finances with my fingertips already. I started digging into why my credit union doesn't have full interoperability.

In the United States, banking is a closed system. APIs are built as custom integrations, with each financial institution having to consent for third parties to access customer data. However, many FIs haven't been approached, or integration is bottlenecked at the core processor level. It is bottlenecked because if they deny access to customer data (which some do), the FI has no choice in the matter.

New Consumer Financial Protection Bureau (CFPB) guidance on data sharing and aggregation addresses the accessibility and ownership issue. The upshot of the CFPB's guidance is that consumers own their financial data and FIs should allow sharing of the data with third-party companies. But should doesn't equal will or can.

The CFPB guidance, though not a rule, is in the same vein as the European Union's PSD2 (or Directive on Payments Services II) regulation, whereby FIs must provide access to account information with the consumer's permission. This platform, which represents an open banking approach, standardizes APIs that banks can proactively make available to third parties for plug-and-play development.

While open banking is a regulatory requirement in Europe, market competition is driving North American banks to be very interested in implementing open banking here. An Accenture survey recently found that 60 percent of North American banks already have an open banking strategy, compared to 74 percent of European banks.

It is no surprise that bankers are becoming more comfortable with the shift-in-ownership concept. FIs have been increasingly sharing their customers' data with third parties. Consumer data are what fuel organizations like credit agencies, payment fraud databases, identity and authentication solutions, and anomaly detection services, to name a few. As these ownership theories change, we will also need to see new approaches to security. What are your thoughts about open banking?

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

November 6, 2017 in banks and banking , data security , emerging payments , innovation , mobile banking | Permalink | Comments ( 0)

Google Search



Recent Posts


Archives


Categories


Powered by TypePad