About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

July 24, 2017


FIDO Tightens Authentication's Leash

Our blog often covers user authentication challenges confronting financial institutions and merchants. We feel this topic is essential given that consumers are increasingly going online to make payments and their passwords tend to be weak. Financial institutions and merchants face a difficult balancing act. They must be confident that their authentication tools effectively confirm the legitimacy of the individual attempting a transaction, but they also have to make sure these tools don't create a bad experience for the customer.

A meeting in 2009 between a fingerprint-sensor manufacturer and a global, third-party payment provider to fingerprint-enable online payments quickly turned into a conversation on how to develop an industry standard for the general use of biometrics to identify online users. Ultimately, this meeting led to the formation of the FIDO (Fast IDentity Online) Alliance in 2012. FIDO currently has a global membership of more than 250 companies and agencies spanning the payments, mobile, PC, and transaction security industries.

FIDO's principal effort has been to develop a set of specifications and certifications covering consumer devices, mobile and web applications, and biometric authentication methods for e-commerce applications. Products certified to these authentication specs reduce password dependence, transaction friction, and stolen password attacks such as phishing, man-in-the-middle attacks, and transaction replays.

FIDO initially focused on mobile devices—which allow authentication with the fingerprint sensor, microphone, and camera—and developed the Universal Authentication Framework. This framework provides enhanced security using public-key cryptography, with the keys and biometric templates remaining on the mobile device. The user goes through a device registration process that creates the biometric template and a cryptographic key pair on the device and registers only the public key with the online service. To perform a transaction, the customer uses one of the phone's biometric sensors to unlock the private key on the device.

To expand these strong cryptographic authentication capabilities to second-factor use cases on the web, FIDO established a second set of specifications known as FIDO U2F, or Universal Second Factor protocol. With this protocol, the user inserts a certified U2F device, also known as a security key, into a device's USB port or uses the device's Bluetooth or near-field communication features. The application running in a FIDO-compliant web browser first challenges the user for a password and then authenticates the user with the cryptographic private key on the U2F device.

Authentication of customers, especially on a remote basis, will always be a challenge as criminals find more and more ways to spoof identities. The industry's efforts to increase the security of remote payments remain ongoing and the cooperative work demonstrated by groups such as the FIDO Alliance plays an important part in that effort.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 24, 2017 in banks and banking, biometrics, consumer fraud, consumer protection, identity theft, innovation, mobile payments
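
The registration and challenge-response flow described in the FIDO post above, as an added example that is not part of the original post and is not FIDO Alliance code. It is a simplified model rather than the UAF or U2F message format, it assumes the password step has already passed, and the class names, result strings, origins, and username are all constructed for illustration.

```javascript
// Added illustration: simplified FIDO-style registration and login.
// This models the idea only; it is not the UAF or U2F message format.
const nodeCrypto = require("node:crypto");

// Stands in for the phone or security key. Private keys never leave it.
class Authenticator {
  constructor() {
    this.keys = new Map(); // origin -> private key, one key pair per service
  }

  // Registration: create a key pair and return only the public half.
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", {
      namedCurve: "prime256v1", // NIST P-256
    });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }

  // Login: sign the challenge together with the origin the browser reports.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // nothing registered for this origin
    const clientData = JSON.stringify({ origin, challenge });
    const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey);
    return { clientData, signature: signature.toString("base64") };
  }
}

// The online service: stores public keys and issues single-use challenges.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // username -> PEM public key
    this.pending = new Map(); // username -> outstanding challenge
  }

  enroll(username, publicKeyPem) {
    this.publicKeys.set(username, publicKeyPem);
  }

  newChallenge(username) {
    const challenge = nodeCrypto.randomBytes(32).toString("base64");
    this.pending.set(username, challenge);
    return challenge;
  }

  verify(username, assertion) {
    const expected = this.pending.get(username);
    this.pending.delete(username); // a challenge is spent on first use
    const publicKey = this.publicKeys.get(username);
    if (!publicKey) return "unknown-user";
    if (!expected) return "no-pending-challenge";
    if (!assertion) return "no-assertion";
    let data;
    try {
      data = JSON.parse(assertion.clientData);
    } catch {
      return "malformed";
    }
    if (!data || data.challenge !== expected) return "wrong-challenge";
    if (data.origin !== this.origin) return "wrong-origin";
    const signature = Buffer.from(assertion.signature, "base64");
    const valid = nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, signature);
    return valid ? "ok" : "bad-signature";
  }
}

// Constructed scenario: the origins and the username are made-up sample values.
function runDemo() {
  const ORIGIN = "https://bank.example";
  const LOOKALIKE = "https://bank-login.example";
  const key = new Authenticator();
  const rp = new RelyingParty(ORIGIN);
  rp.enroll("alice", key.register(ORIGIN));

  const results = {};
  const first = key.sign(ORIGIN, rp.newChallenge("alice"));
  results.genuine = rp.verify("alice", first);
  // The same assertion presented again, first with no challenge outstanding...
  results.replay = rp.verify("alice", first);
  // ...then against a fresh challenge.
  rp.newChallenge("alice");
  results.replayFresh = rp.verify("alice", first);
  // A look-alike site relays a real challenge; the browser reports its own origin.
  results.relayed = key.sign(LOOKALIKE, rp.newChallenge("alice"));
  // A different device that holds no key registered for alice.
  const other = new Authenticator();
  other.register(ORIGIN);
  results.otherDevice = rp.verify("alice", other.sign(ORIGIN, rp.newChallenge("alice")));
  return results;
}

console.log(runDemo());
```

Only the public key is ever stored by the service, so a copy of its user database gives nothing that can sign a future challenge.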

July 17, 2017


Staging the ATM

As the installation of the first automated teller machine (ATM) recently reached its 50th anniversary (48 years since the first U.S. installation), the core functionality of the present-day ATMs has changed very little. They remain primarily designed to provide customers with cash at their convenience, but now most full-function ATMs also accept deposits with image capture and currency counting capability. Sure, the machines of today are much more technologically sophisticated and reliable than the initial ones that were more mechanical in operation. The industry, however, has undergone some major changes.

Accessed by a magnetic stripe or chip card and authenticated using a PIN, the ATM has served consumers and financial institutions well. The 2016 Federal Reserve Payment Study showed that ATM withdrawal volume remained flat from 2012 through 2015 at approximately 5.8 billion transactions valued at $700 billion, or an average transaction value of $122.

Banks in a number of South American and Asian-Pacific countries have installed biometric sensors in their ATMs either to eliminate the need for payment cards and PINs or to serve as an additional authentication factor. However, a couple of major U.S. banks have taken a different path in a quest to eliminate the payment card and PIN; they have developed a staged transaction process using the customer's mobile phone. While there are some variations from bank to bank, the process generally works as follows:

  • The customer opens the mobile banking application using the normal authentication process.
  • The customer selects the ATM withdrawal option then identifies the ATM location and amount of withdrawal.
  • When at the designated ATM, the customer selects the function button on the ATM for a cardless transaction.
  • The next step depends on the particular bank.
    • Some banks display a 2D barcode on the ATM screen, which the mobile phone's camera reads to validate the transaction and dispense the requested amount of cash.
    • Other banks, to complete the transaction, may require the customer to enter both the normal payment card PIN and a numeric token value that the application sent to their phone when they made the transaction selection.

This technology offers banks a number of financial benefits over biometric readers. The barcode or token process requires only software development within the mobile banking application and ATM, so banks don't have to purchase, install, and maintain biometric hardware sensors. A drawback is that only the ATMs of the customer's own financial institution support the staged transaction. In addition, card readers will have to remain a key component of ATMs to service customers of other banks as well as the bank's own customers who wish to continue to use their cards. Because criminals continue to insert card-skimming devices and cameras to capture card data and customer PINs—an industry-wide and global problem—the new functionality will only minimize, not prevent, such fraudulent activity.

Many financial institutions seem to be making a concerted effort to migrate customers from payment card-based transactions to options such as mobile pay wallets and now staged ATM transactions. Mobile wallet adoption rates by consumers have been low to date, so it will be interesting to see if the adoption rate of cardless ATM transactions will be any different. What do you think?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 17, 2017 in banks and banking, innovation

July 10, 2017


Can Migrants Teach Us Anything about Millennials?

While attending a recent conference, I became involved in a discussion regarding millennials and their alleged rejection of banks. The other people in this conversation thought that this millennial mindset is negatively affecting banks and other financial institutions (FIs). One person cited a Goldman Sachs report that said 53 percent of millennials surveyed indicated they have no need for a bank in the near future. Another mentioned the Millennial Disruption Index, which found that 71 percent of millennials would prefer to go to the dentist than listen to what banks are saying.

It would come as no surprise to those who know me or have read some of my previous blogs on similar topics that I was the outlier in the conversation. And after reading Inter-American Dialogue's May 2017 report, On the Cusp of Change: Migrants’ Use of the Internet for Remittance Transfers, I feel as strongly as ever that this generation will, in fact, need banking relationships.

While the survey behind the report focused on migrants' use of remittance transfers, Inter-American Dialogue also surveyed migrants on bank account ownership. The survey found that over 70 percent of Mexican migrants in the United States own a bank account, up from only 29 percent in 2005. The report concludes, with support from additional survey data, that bank account ownership is predominantly a function of years being in the United States; those migrants here for 10 years or longer are much likelier to own a bank account.

While millennials may not need traditional FI products today as they wait longer to purchase homes and start families than did previous generations, I believe the day will come when they find they need FIs. Only then will we know whether that wait is shorter or longer than the 10 years it takes for most Mexican migrants to establish banking relationships. Millennials have a host of alternative financial products to choose from—and to ignore—but so do migrant workers. Yet we know that, eventually, most migrant workers recognize they need banks.

I am not suggesting that financial institutions simply wait for millennials to realize their need for a banking relationship. FIs should be actively pursuing new products or developing strategies to attract millennials to traditional products. As millennials establish themselves and grow more prosperous, I believe they will realize banking relationships are extremely important to that process. The notion that millennials never need banks is one that I am not buying (not even with my bitcoins). Are you?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 10, 2017 in banks and banking, innovation

June 26, 2017


Responsible Innovation, Part 2: Do Community Financial Institutions Need Faster Payments?

In my last post, I introduced themes from a summit that the Retail Payments Risk Forum cohosted with the United Kingdom's Department for International Trade. The summit gathered payments industry participants to discuss faster payments and their effects on community financial institutions (FIs). This post, the second of three in a series, tackles the question of whether community FIs and their customers actually have an appetite for increasing the speed of payments.

A summit attendee from WesPay, a membership-based payments association in the United States, presented the findings of a survey of 430 U.S. FIs about current payments initiatives. An important discovery was that awareness and adoption of faster payments solutions remains low, as the responses to two survey questions indicate:

  • For same-day ACH, a majority (57 percent) indicated that the first phase—faster credits—"has had no measurable impact on our customers'/members' transactions."
  • When asked about the Federal Reserve Faster Payment Task Force, 34 percent of respondents indicated they were unaware of the initiative, and 46 percent indicated they had only high-level knowledge.

Responses to another of WesPay's survey questions suggest that, although there may be low awareness of many current initiatives, many financial institutions are recognizing that faster payments are inevitable. A majority (60 percent) agreed that faster payments initiatives are "an important development in the industry. However, our institution will be watching to see which platform becomes the standard."

NACHA's representative presented statistics from phase one of same-day ACH, with reminders about the phases to come.

  • Same-day ACH reached a total of 13 million transactions in the first three months (launched September 23, 2016).
  • Phase 2 will allow for direct debits to clear on the same day (to launch September 15, 2017).
  • Phase 3 will mandate funds availability for same-day items by 5 p.m. local time (to launch March 16, 2018).
  • The current transaction limit is $25,000, and international ACH is not eligible.

Results of a study by ACI Worldwide, a global payments processor, look a little different from WesPay's survey results. The study looked at small to medium-size enterprises to gauge real-time payments demand. For the U.S. respondents, the research revealed that:

  • Fifty-one percent are frustrated by delays in receiving payments.
  • Forty-two percent are frustrated by outgoing payments-delivery timeframes.
  • Sixty-five percent would consider switching banks for real-time payments.

We don't know yet what U.S. adoption rates will be, but Faster Payments Scheme Ltd. (FPS) in the United Kingdom already has a story to tell. U.K. panelists attending the summit at the Atlanta Fed stated that FPS has had constant adoption growth due to cultural change and customer expectations.

  • FPS reached a total of 19 million transactions in the first three months (launched May 27, 2008).
  • The FPS transaction limit increased in 2010 from £10k to £100k, and then to £250k in 2015.
  • In April 2014, Paym, a mobile payments service provider, launched, using FPS. Paym handles person-to-person and small business payments, similar to Zelle in the United States, which started up in June 2017, using ACH.
  • FPS had a total volume of 1.4 billion items in 2016.

For payment networks offering new solutions, community FIs are the critical mass that ensures adoption. Their participation will require practical benefits with a lot of support before they are willing to commit. Some community FIs might be forced to adopt new systems because everyone else has. Will new networks in the United States contest same-day ACH, which already has the advantage of ubiquity? Likely, as options develop, so will customer culture and expectations.

In the final installment of this "Responsible Innovation" series, I will look at future impacts of faster payments.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 26, 2017 in ACH, banks and banking, financial services

June 19, 2017


Calculating Fraud: Part 2

Part 1 of this two-part series outlined an approach for whittling down credit card transactions to the value or number of authorized and settled payments as the denominator for calculating a fraud rate. This post reviews the elements needed to quantify the numerator.

To summarize from the previous post, when analyzing credit card fraud rates, you should consider what is being measured and compared. To calculate a fraud rate based on value or number, you need a fraud tally in the numerator and a comparison payment tally in the denominator. The formula works out as follows:

Fraud Rate = Numerator / Denominator

Where, for any given period of time
Numerator = Value, or number of fraudulent payments across the payments under consideration,
Denominator = Value, or number of payments under consideration.

Before calculating the numerator value, you must first decide what types of fraud to include in the measurement. One stratification method divides fraud into the following two categories:

  • First-party payments fraud results when a dishonest but seemingly legitimate consumer exploits a merchant or financial institution (FI). That is, the legitimate cardholder authorizes a credit card transaction as part of a scam. One manifestation of this is "friendly fraud," whereby a consumer purchases items online and then falsely claims not to receive the merchandise.
  • Third-party payments fraud occurs when a legitimate cardholder does not authorize goods or services purchased with his or her credit card. Besides the victimized cardholder, the other two parties to the transaction are the fraudster and the unsuspecting merchant or FI.

Sometimes no clear delineation between first-party and third-party fraud exists. For example, a valid cardholder may authorize a payment in collusion with a merchant to commit fraud.

The 2016 Federal Reserve Payments Study used only third-party unauthorized transactions that were cleared and settled in tabulating fraud. The study measured and counted fraud as having occurred regardless of whether a subsequent recovery or chargeback occurred. Survey results had to be adjusted because some card networks report gross fraud while others report net fraud, after recoveries and chargebacks. Furthermore, the study made no effort to determine which party, if any, in the payment chain may ultimately bear the loss. Finally, the study did not measure attempted fraud.

Excluding first-party payments fraud
The study excluded first-party fraud due to the greater ambiguity around identifying and measuring it along with the idea that it is difficult to eliminate, given that controls are relatively limited. One control option would be to place repeat offenders on a negative list that, unfortunately, might not be shared with other parties. As a result of excluding first-party fraud, the study focused on fraud specific to the characteristics of the payment instrument being used.

Paraphrasing from page 30 of the 2013 Federal Reserve Payments Study, first-party fraud, while important, is an account-relationship type of fraud and typically would not be included as unauthorized third-party payments fraud because the card or account holder is by definition authorized to make payments. Consequently, first-party fraud can occur no matter how secure the payment method.

As with tallying payments, you could follow a similar process for tallying fraudulent payments for other types of card payments, with more questionnaire definitions and wording changes needed for other instruments such as ACH and checks.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 19, 2017 in ACH, cards, checks, debit cards, fraud
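
The tallying rules from the two "Calculating Fraud" posts, as an added example that is not part of the original posts or of the Federal Reserve Payments Study. It counts only third-party fraud that settled, counts it gross of recoveries, and leaves declined attempts out of both tallies; the record layout, field names, and every payment below are constructed for illustration.

```javascript
// Added illustration: tally a fraud rate using the inclusion rules in the post.
// All payment records below are constructed sample data (amounts in cents).
const SAMPLE_PAYMENTS = [
  { id: 1, amountCents: 10000, status: "settled", fraud: "none", recoveredCents: 0 },
  { id: 2, amountCents: 25000, status: "settled", fraud: "none", recoveredCents: 0 },
  { id: 3, amountCents: 100000, status: "settled", fraud: "none", recoveredCents: 0 },
  { id: 4, amountCents: 35000, status: "settled", fraud: "none", recoveredCents: 0 },
  { id: 5, amountCents: 60000, status: "settled", fraud: "none", recoveredCents: 0 },
  // Third-party fraud that cleared and settled, partly recovered later.
  { id: 6, amountCents: 40000, status: "settled", fraud: "third_party", recoveredCents: 10000 },
  // Third-party fraud fully charged back: still counted in the gross tally.
  { id: 7, amountCents: 20000, status: "settled", fraud: "third_party", recoveredCents: 20000 },
  // First-party ("friendly") fraud: a settled payment, but not in the numerator.
  { id: 8, amountCents: 10000, status: "settled", fraud: "first_party", recoveredCents: 0 },
  // Declined attempt: in neither the numerator nor the denominator.
  { id: 9, amountCents: 90000, status: "declined", fraud: "third_party", recoveredCents: 0 },
];

const FRAUD_LABELS = new Set(["none", "first_party", "third_party"]);

function tally(payments) {
  const t = {
    paymentsNumber: 0, // denominator, by number
    paymentsCents: 0, // denominator, by value
    fraudNumber: 0, // numerator, by number
    fraudGrossCents: 0, // numerator, by value, before recoveries
    fraudNetCents: 0, // numerator, by value, after recoveries and chargebacks
    excludedFirstParty: 0,
    excludedAttempts: 0,
  };
  for (const p of payments) {
    const amountsOk =
      Number.isInteger(p.amountCents) && p.amountCents >= 0 &&
      Number.isInteger(p.recoveredCents) && p.recoveredCents >= 0 &&
      p.recoveredCents <= p.amountCents;
    if (!amountsOk || !FRAUD_LABELS.has(p.fraud)) {
      throw new Error(`bad record ${p.id}`);
    }
    if (p.status !== "settled") {
      if (p.fraud !== "none") t.excludedAttempts += 1;
      continue; // never settled: outside numerator and denominator alike
    }
    t.paymentsNumber += 1;
    t.paymentsCents += p.amountCents;
    if (p.fraud === "first_party") t.excludedFirstParty += 1;
    if (p.fraud === "third_party") {
      t.fraudNumber += 1;
      t.fraudGrossCents += p.amountCents;
      t.fraudNetCents += p.amountCents - p.recoveredCents;
    }
  }
  return t;
}

// Rate in basis points (1 bp = 0.01 percent); null when the denominator is empty.
function bps(numerator, denominator) {
  return denominator === 0 ? null : (numerator * 10000) / denominator;
}

function fraudRates(payments) {
  const t = tally(payments);
  return {
    byValueBps: bps(t.fraudGrossCents, t.paymentsCents),
    byNumberBps: bps(t.fraudNumber, t.paymentsNumber),
    netByValueBps: bps(t.fraudNetCents, t.paymentsCents),
    excludedFirstParty: t.excludedFirstParty,
    excludedAttempts: t.excludedAttempts,
  };
}

console.log(fraudRates(SAMPLE_PAYMENTS));
```

On the same constructed records the net figure is half the gross one, which is the gap the post says had to be adjusted for when some networks reported net and others gross.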

June 12, 2017


Watching Your Behavior

Customer authentication has been at the core of the Retail Payments Risk Forum's payments risk education efforts from the beginning. We've stressed not only that there are legal and regulatory requirements for certain parties to "know your customer," but also that it is in the best interest of merchants and issuers to be sure that the party on the other end of a given transaction is who he or she claims to be and is authorized to perform that transaction. After all, if you allow a fraudster in, you have to expect that you or someone else will be defrauded. That said, we also know that performing this authentication, especially remotely, has several challenges.

The recently released 2017 Identity Fraud Study from Javelin Strategy & Research estimated that account takeover (ATO) fraud losses in 2016 amounted to $2.3 billion—a 61 percent increase over 2015's losses. (ATO fraud occurs when an unauthorized individual performs fraudulent transactions through a victim's account.) Additionally, new-account fraud on deposit and credit accounts has increased significantly and generated several public warnings from the FBI.

In payments, the balancing act between imposing additional customer authentication requirements and maintaining a positive, low-friction customer experience has always been a challenge. Retailers, especially online merchants, have been reluctant to add authentication modalities in their checkout process for fear that customers will abandon their shopping carts and move their purchase to another merchant with lower security requirements. Some merchants have recently introduced physical biometrics modalities such as fingerprint or facial recognition for online orders through mobile phones. Although these modalities have gained a high acceptance rate, they still require the consumer to actively participate in the authentication process.

Enter behavioral biometrics for online transactions. Behavioral biometrics develops a pattern of a user's unique, identifiable attributes from when the user is online at a merchant's website or using the merchant's proprietary mobile app. Attributes measured include such elements as typing speed, pressure on the keyboard, use of keyboard shortcuts, mouse movement, phone orientation, and screen navigation. Coupled with device fingerprinting for the customer's desktop, laptop, tablet, or mobile phone, behavioral biometrics gives the merchant and issuer a higher level of confidence in the customer's authenticity. Another benefit is that behavioral biometrics is passive—it is performed without the user's involvement, which eliminates additional friction in the overall customer experience. Proponents claim that while it takes several sessions to develop a strong user profile, they can often spot fraudsters' attempts because fraudsters often exhibit certain recognizable traits.

Behavioral biometrics is still fairly new to the market but over the last couple of years, some major online retailers have adopted it as an additional authentication tool. Like any of the physical biometric modalities, no single behavioral authentication methodology is a silver bullet, and multi-factor authentication is still recommended for moderate- and higher-risk transactions.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 12, 2017 in authentication, banks and banking, consumer fraud, fraud, mobile banking, payments

June 5, 2017


Responsible Innovation Part 1: Can Community Banks Remain Competitive?

The Atlanta Fed's Retail Payments Risk Forum recently co-hosted a summit with the United Kingdom's Department for International Trade to discuss faster payments and their effects on community financial institutions (FIs). In a series of three posts, I will share summaries of the lessons and implications that payments industry stakeholders discussed at the summit. A major theme of these discussions was whether community FIs can remain competitive independent of how they access a faster payments network. This post tackles this theme.

What networks were discussed at the summit?
United States | United Kingdom
ACH (NACHA) | ACH (Bacs)
Real-Time Payments (The Clearing House) | Faster Payments (Faster Payments Scheme Ltd.)

The Faster Payments Scheme, or FPS, opened in the United Kingdom in 2008. The summit was a good opportunity to hear first-hand from one community banker's experience with the still-new system. A panelist from the first retail community bank to join the FPS discussed how access options played a role in the bank's ability to compete with large FIs.

  • In the beginning, the only way a community bank could access the FPS was through a sponsoring bank.
  • This option was expensive, hindering, and much like a newborn baby who needed attention all day and night (even on weekends), according to the panelist.
  • The FPS sends messages 24/7, in near-real time, but her bank's access model often caused a delay of 15 to 30 minutes, making the bank less than competitive.
  • Last year, the bank was able to join as a "Direct Participant" under the New Access Model, an experience that the panelist compared to parenting a toddler who allows her to sleep through the night, even as it runs 24/7/365. The new model was also much more affordable and provided her community bank the near-real time model larger banks received. (The New Access Model that gives payment service providers and community FIs direct connection began in 2014, six years after the FPS began.)
  • The panelist did note a serious obstacle to this access model for the smaller banks: the onerous 12-month certification process to become a Direct Participant is tailored to large banks. The process required significant resources and strained other areas of her bank. She suggested that the certification take a risk-based approach.

Two developments on the way may affect future access options: (1) plans are set to consolidate Bacs, FPS, and Cheque; and (2) the Bank of England plans to grant settlement services to nonbank payment service providers.

The United States is facing a similar challenge: community FIs will have to choose how to access faster payment systems. Some community FIs have begun to offer same-day ACH and will likely consider real-time payments later this year.

Representatives from the Clearing House's Real-Time Payments initiative shared some details on their access model:

  • FIs of all sizes will be able to connect directly or through third-party service providers.
  • Regional payments associations will play an important role as they collectively represent all U.S. financial institutions plus third-party processors.
  • The speed will be the same for all participants.
  • Indirect participation will not be available.
  • Payments can be made 24/7/365.

While direct access is available for both same-day ACH and Real-Time Payments, some FIs may choose to use a sponsor or correspondent access model. To remain competitive, community FIs will have to understand the advantages and limitations that each access model provides.

The next installment in this series will discuss the U.S. market appetite for faster payments; the one after that will look at the impacts of adoption.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 5, 2017 in banks and banking, financial services, innovation

May 22, 2017


The Year(s) of Ransomware

I remember, as a child, despising the neighborhood kid who would always say, "I told you so." Well, let's move ahead some 30-odd years to the WannaCry ransomware attack—I now feel like that despised child. You see, on March 29 of this year, I emailed the following note to my colleagues in the Risk Forum:

Just a few high-level and interesting notes from the conference.… 2017 & 2018 will be the Year of Ransomware (I can elaborate on this when we are all together—pretty fascinating business models developed here).

Too bad I kept my thoughts to our little group here at the Atlanta Fed and didn't get the message out to the masses (or at least to our Take on Payments readers) prior to the WannaCry ransomware attack that began on May 12. So why did I (and still do) think 2017 and 2018 will both be the "Year of Ransomware"?

Those who know me know that I am not a very technical person. I see things more strategically than technically and usually sprint away from conversations that become technical. After viewing a demonstration on how to launch a ransomware attack, I was shocked to learn that hardly any technical expertise is required to pull off an attack. This is all made possible by the "pretty fascinating business models" that I referred to in my note, business models known as Ransomware as a Service (RaaS).

I'd always envisioned that serious technical code writing capabilities would be a requirement for developing the code to send the malicious files involved in ransomware. And while coding is needed, that is where the RaaS comes into play. You pay someone else to create the malicious code, which you then use to launch a ransomware attack. And to make the attack even more successful, there are simple tools available that allow you to not only test the code against the market-leading antivirus software detection programs but also to tweak the code embedded in the malicious file to ensure that none of the antivirus software programs will detect it. Antivirus software protects users only from known malicious code, which is the reason the software must be constantly updated.

With the undetectable code in hand, you can now launch a ransomware attack through either an embedded file or a link within a phishing email or social media post to a legitimate-appearing, but malicious, website. And this costs little or nothing up front! The cost for the RaaS is only realized once a successful attack occurs, with a portion of the collected ransom paid to the RaaS provider.

Which brings me back to why I think ransomware attacks will continue to escalate, leading to 2017 and 2018 becoming "The Year(s) of Ransomware." They are simple to execute, low cost, and proving to be highly lucrative. (According to the FBI, an estimated $209 million was paid in ransom in the first quarter of 2016.) Expect a future blog post on how to plan for and defend against attacks.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 22, 2017 in fraud, malware

May 15, 2017


What Canada Knows That We Don't

In a previous post, I made reference to the pending release of a Bank of Canada study on the costs of point-of-sale payments in Canada. Last month, the study was released. This study covers cash as well as debit and credit card payments. It's a fascinating read that highlights what little comprehensive knowledge we have about comparable costs of payments in the United States.

The scope of the study was limited to the following parties in the payment chain:

  • Bank of Canada and Royal Canadian Mint (prints and distributes currency)
  • Financial institutions (FIs) and infrastructure providers (includes cash transport companies, payment networks and payment card acquirers)
  • Retailers (covers retail trade, accommodation, food services, and personal service providers)
  • Consumers

As background, the study categorizes costs of payments from the parties above into social (or resource) and private costs. Social costs include all internal and outsourced costs to parties outside the scope of the study. Excluded are transfer fees paid among parties within the scope of the study (for example, fees paid by retailers to FIs serving as card acquirers). This exclusion avoids overstating total social costs since fees paid to one party in the payments chain are revenue to another party in the payments chain. With this adjustment, aggregating social costs across all parties reflects the total resources expended for the entire country to facilitate payments. True or private costing from a particular party in the payment chain is simply the sum of its social costs plus any transfer fees paid to other parties within the scope of the study. Knowing private costs provides insight into which payment instruments are preferred from a costing perspective.

Here are some selected highlights from the study:

  • Total annual social costs clocked in at 15.3 billion (Can$), which comprises 0.78 percent of Canada's gross domestic product (GDP). In comparison, a paper from the Kansas City Fed highlights GDP figures ranging from 0.5 percent to 0.9 percent for other developed countries. Unfortunately, no comparable comprehensive study has been conducted in the United States. Using indirect approaches based on assumptions, some sources have estimated that the cost of the payments system in the United States could be as high as 2 percent of GDP. Unfortunately, we don't have any definitive sources on what the figure really is.
  • Below are the average social costs, transfer fees, and private costs (that is, sum of social costs and transfer fees) per transaction across the payment chain (in Can¢) by payment instrument.

    Table-one


    We can see that transfer fees among the parties in the payments chain are relatively minimal for cash. Consumers proportionally pay higher transfer fees for debit card payments due to transaction fees paid to FIs. Transfer fees that retailers pay are proportionally high for debit cards and significantly higher for credit cards. Based on private costs alone, credit cards are less costly to consumers, while retailers incur the highest cost in accepting credit cards. These findings are generally consistent with studies conducted in other countries.
  • Lastly, the study further subdivides costs into fixed costs and variable costs based on the number of payments and by the value of payments. Along with the number and value of payments, costing components in Canadian dollars are itemized below:

    Table-two


    Variable costs as a proportion of overall costs for cash, debit cards, and credit cards are 55 percent, 64 percent, and 64 percent, respectively.

Because of the central and significant role payments play in any economy, many current payments policy questions circulate around payments—in particular the costs associated with adopting and accepting various payment methods, fraud experience and prevention, and compliance with security standards and requirements. What are your views on the value of a comprehensive cost survey in this country?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

May 15, 2017 in banks and banking, cards, debit cards, payments

May 8, 2017


Calculating Fraud: Part 1

When analyzing payments fraud rates, we have to consider what is being measured and compared. Should we measure fraud attempts that might have been thwarted—fraud that penetrated the system but might not necessarily have resulted in a loss—or fraud losses? Whatever the measure, it is important that the definition of what is included in the numerator and denominator be consistent to properly represent a fraud rate.

In calculating a fraud rate based on value or number, a fraud tally is needed in the numerator and a comparison payment tally in the denominator. The formula works out as follows:

$$\text{Fraud Rate} = \frac{\text{Numerator}}{\text{Denominator}}$$

Where, for any given period of time
Numerator = Value, or number of fraudulent payments across the payments under consideration,
Denominator = Value, or number of payments under consideration.

This post offers a process for tallying payments for the denominator. Part 2 of this series will focus on tallying the numerator, basing its approach on the process that the Federal Reserve Payments Study 2016 used. That process includes fraud that initially cleared and settled, not attempts, and does not exclude losses subsequently recovered.

The Fed’s 2016 payments study offers a method for whittling down all payment transactions to a subset of transactions suitable for calculating a fraud rate. Below is an extract, with clarifying commentary, from one of the study’s questionnaires, which asked card networks for both the value and number of payments.

Chart-one2

At first blush, totals for value or number under questions 1, 2, 3, and 4 could conceivably be used to provide a comparison tally for fraud. However, we should rule out the total from question 1 since the definition includes declined authorizations, making it unnecessarily broad. Question 2, "total authorized transactions," has the disadvantage of including pre-authorization only (authorized but not settled). While some of these transactions could have been initiated as part of a fraud attempt, they were never settled and consequently posed no opportunity for the fraudster to take off with ill-gotten gains. On balance, the preferred measure for payments is the result of question 3, which measures "net, authorized, and settled transactions." Unlike "net, purchased transactions" under question 4, this measure has the benefit of not excluding some of the fraud captured by chargebacks under question 3b.1. Other types of fraud are not covered under chargebacks, including when card issuers elect to absorb losses on low-value payments to avoid the costs of submitting a chargeback.
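The effect of the denominator choice discussed above can be seen on a small data set. The following Python sketch is an added example, not part of the study or the original post: the `Txn` fields and the sample transactions are constructed, and because the questionnaire's "net" adjustments are not reproduced on this page, it assumes question 3 is simply all settled transactions and question 4 is question 3 minus chargebacks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    value: float              # payment amount
    status: str               # "declined", "authorized_only" or "settled"
    chargeback: bool = False  # settled, then reversed through a chargeback
    fraud: bool = False       # confirmed fraudulent

# Constructed sample data, not figures from the study.
SAMPLE = [
    Txn(120.00, "settled"),
    Txn(45.50, "settled"),
    Txn(300.00, "settled", chargeback=True, fraud=True),  # fraud charged back
    Txn(18.25, "settled", fraud=True),      # low-value fraud the issuer absorbed
    Txn(60.00, "settled", chargeback=True),               # non-fraud dispute
    Txn(500.00, "authorized_only", fraud=True),  # attempt that never settled
    Txn(75.00, "authorized_only"),               # pre-authorization only
    Txn(999.00, "declined", fraud=True),         # thwarted attempt
    Txn(20.00, "declined"),
]

def tally(txns, by="number"):
    """Count the payments, or sum their value when by="value"."""
    txns = list(txns)
    return len(txns) if by == "number" else sum(t.value for t in txns)

def denominators(txns, by="number"):
    """Candidate comparison tallies, keyed by the question they mirror."""
    authorized = [t for t in txns if t.status != "declined"]
    settled = [t for t in authorized if t.status == "settled"]
    return {
        "q1_total": tally(txns, by),             # includes declined authorizations
        "q2_authorized": tally(authorized, by),  # includes pre-authorization only
        "q3_settled": tally(settled, by),        # preferred measure
        # Assumption: question 4 is modelled as question 3 minus chargebacks.
        "q4_net_purchased": tally((t for t in settled if not t.chargeback), by),
    }

def fraud_rate(txns, by="number", basis="q3_settled"):
    """Fraud that cleared and settled (attempts excluded, recovered losses
    kept) divided by the chosen comparison tally."""
    numerator = tally((t for t in txns if t.fraud and t.status == "settled"), by)
    return numerator / denominators(txns, by)[basis]

if __name__ == "__main__":
    for by in ("number", "value"):
        print(by, denominators(SAMPLE, by))
        for basis in denominators(SAMPLE, by):
            print(f"  {basis}: {fraud_rate(SAMPLE, by, basis):.2%}")
```

With the same numerator, the broader tallies from questions 1 and 2 dilute the rate, while the question 4 tally drops settled payments that were later charged back, including the charged-back fraud that the numerator still counts.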

We could follow a similar process for tallying payments for ACH and checks, with adjustments to account for potential fraud resulting from the lack of an authorization system like that for cards, which requests authorization from the paying bank.

Part 2 of this series, which covers the process for calculating the numerator, will appear in June.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 8, 2017 in ACH, checks, debit cards, fraud
