About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

June 12, 2017


Watching Your Behavior

Customer authentication has been at the core of the Retail Payments Risk Forum's payments risk education efforts from the beginning. We've stressed not only that there are legal and regulatory requirements for certain parties to "know your customer," but also that it is in the best interest of merchants and issuers to be sure that the party on the other end of a given transaction is who he or she claims to be and is authorized to perform that transaction. After all, if you allow a fraudster in, you have to expect that you or someone else will be defrauded. That said, we also know that performing this authentication, especially remotely, has several challenges.

The recently released 2017 Identity Fraud Study from Javelin Strategy & Research estimated that account takeover (ATO) fraud losses in 2016 amounted to $2.3 billion—a 61 percent increase over 2015's losses. (ATO fraud occurs when an unauthorized individual performs fraudulent transactions through a victim's account.) Additionally, new-account fraud on deposit and credit accounts has increased significantly and generated several public warnings from the FBI.

In payments, the balancing act between imposing additional customer authentication requirements and maintaining a positive, low-friction customer experience has always been a challenge. Retailers, especially online merchants, have been reluctant to add authentication modalities in their checkout process for fear that customers will abandon their shopping carts and move their purchase to another merchant with lower security requirements. Some merchants have recently introduced physical biometrics modalities such as fingerprint or facial recognition for online orders through mobile phones. Although these modalities have gained a high acceptance rate, they still require the consumer to actively participate in the authentication process.

Enter behavioral biometrics for online transactions. Behavioral biometrics develops a pattern of a user's unique, identifiable attributes from when the user is online at a merchant's website or using the merchant's proprietary mobile app. Attributes measured include such elements as typing speed, pressure on the keyboard, use of keyboard shortcuts, mouse movement, phone orientation, and screen navigation. Coupled with device fingerprinting for the customer's desktop, laptop, tablet, or mobile phone, behavioral biometrics gives the merchant and issuer a higher level of confidence in the customer's authenticity. Another benefit is that behavioral biometrics is passive—it is performed without the user's involvement, which eliminates additional friction in the overall customer experience. Proponents claim that while it takes several sessions to develop a strong user profile, they can often spot fraudsters' attempts because fraudsters often exhibit certain recognizable traits.

Behavioral biometrics is still fairly new to the market but over the last couple of years, some major online retailers have adopted it as an additional authentication tool. Like any of the physical biometric modalities, no single behavioral authentication methodology is a silver bullet, and multi-factor authentication is still recommended for moderate- and higher-risk transactions.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 12, 2017 in authentication, banks and banking, consumer fraud, fraud, mobile banking, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 15, 2017


What Canada Knows That We Don't

In a previous post, I made reference to the pending release of a Bank of Canada study on the costs of point-of-sale payments in Canada. Last month, the study was released. This study covers cash as well as debit and credit card payments. It's a fascinating read that highlights what little comprehensive knowledge we have about comparable costs of payments in the United States.

The scope of the study was limited to the following parties in the payment chain:

  • Bank of Canada and Royal Canadian Mint (prints and distributes currency)
  • Financial institutions (FIs) and infrastructure providers (includes cash transport companies, payment networks and payment card acquirers)
  • Retailers (covers retail trade, accommodation, food services, and personal service providers)
  • Consumers

As background, the study categorizes costs of payments from the parties above into social (or resource) and private costs. Social costs include all internal and outsourced costs to parties outside the scope of the study. Excluded are transfer fees paid among parties within the scope of the study (for example, fees paid by retailers to FIs serving as card acquirers). This exclusion avoids overstating total social costs since fees paid to one party in the payments chain are revenue to another party in the payments chain. With this adjustment, aggregating social costs across all parties reflects the total resources expended for the entire country to facilitate payments. True or private costing from a particular party in the payment chain is simply the sum of its social costs plus any transfer fees paid to other parties within the scope of the study. Knowing private costs provides insight into which payment instruments are preferred from a costing perspective.

Here are some selected highlights from the study:

  • Total annual social costs clocked in at 15.3 billion (Can$), which comprises 0.78 percent of Canada's gross domestic product (GDP). In comparison, a paper from the Kansas City Fed highlights GDP figures ranging from 0.5 percent to 0.9 percent for other developed countries. Unfortunately, no comparable comprehensive study has been conducted in the United States. Using indirect approaches based on assumptions, some sources have estimated that the cost of the payments system in the United States could be as high as 2 percent of GDP. Unfortunately, we don't have any definitive sources on what the figure really is.
  • Below are the average social costs, transfer fees, and private costs (that is, sum of social costs and transfer fees) per transaction across the payment chain (in Can¢) by payment instrument.

    Table-one


    We can see that transfer fees among the parties in the payments chain are relatively minimal for cash. Consumers proportionally pay higher transfer fees for debit card payments due to transaction fees paid to FIs. Transfer fees that retailers pay are proportionally high for debit cards and significantly higher for credit cards. Based on private costs alone, credit cards costs are less costly to consumers, while retailers incur the highest cost in accepting credit cards. These findings are generally consistent with studies conducted in other countries.
  • Lastly, the study further subdivides costs into fixed costs and variable costs based on the number of payments and by the value of payments. Along with the number and value of payments, costing components in Canadian dollars are itemized below:

    Table-two


    The proportion of variable costs to overall costs for cash, debit cards and credit cards comprise 55 percent, 64 percent, and 64 percent, respectively.

Because of the central and significant role payments play in any economy, many current payments policy questions circulate around payments—in particular the costs associated with adopting and accepting various payment methods, fraud experience and prevention, and compliance with security standards and requirements. What are your views on the value of a comprehensive cost survey in this country?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

 

May 15, 2017 in banks and banking, cards, debit cards, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 6, 2017


ACH: No Trace Left Behind

In my payments research role, I believe that one problem with ACH is the lack of any definitive method for identifying a payment and any associated return, dishonored return, or contested-dishonored return using only the existing 15-digit trace number. Ideally, the trace number alone should facilitate the correct retrieval of payment or return details even if other payments contain duplicate payment details, such as for recurring payments.

This PDF file contains an image that outlines the complex web of relationships that can be used to trace back returns to the original payment. Without the benefit of a unique trace number, the identification of the original payment could involve using common data elements to minimize misidentifying the payment.

A unique trace number would offer the following advantages:

  • Unambiguously identify a specific payment
  • Facilitate tracking features similar to what is available from package delivery services such as transmittal, settlement and receipt date/time, and similar tracking of any associated return(s)
  • Enhance risk-monitoring capability
  • Simplify reconciliation and auditing
  • Flag or prevent a return from settling before its associated forward payment
  • Identify "orphan" returns sent across the public network when the original payment was sent privately between financial institutions (FI)
  • Link together forward and return payments for certain international payment applications that are not possible today

Under NACHA rules, the FI originating the payment assigns a unique 15-digit trace number; the trace number's uniqueness is necessary to differentiate each payment in the batch. Uniqueness is not mandated across payments in other batches in the same payments file. Consequently, a trace number could be repeated in multiple payment files on the same day or across many days—and, even more troublesome, within the same payments file. NACHA strives for uniqueness by mating the trace number with an associated batch number, transmission (file creation) date, and a file ID modifier. Unfortunately, any return of a payment only passes along the original trace number without the benefit of the mated data.

A possible solution that could overcome the current limitations of the trace number would be a one-time-use, ACH-operator-assigned, 15-character alphanumeric trace number. When the originating network operator receives a file, the operator would replace the FI trace number with a unique trace number that he or she would forward to the receiving FI. Any return sent back to the originating FI would have the unique operator trace number converted back to the original FI trace number. For convenience, a cross-reference file associating operator trace numbers with FI trace numbers could help facilitate non-network communication between originating and receiving banks.

Operators could guarantee uniqueness by allowing an operator trace number to contain digits and upper and lowercase letters. Expanding to a 62-character set results in over 3.5 trillion distinct values using the last seven characters of the trace number (the first eight characters are the originating FI's routing and transit number). Further requiring at least one non-numeric character allows differentiation with FI numeric-only trace numbers.

What are your views on the benefits and disadvantages of non-repeatable trace numbers?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

February 6, 2017 in ACH, payments | Permalink

Comments

If the unique trace number could be assigned on the FI side, it would eliminate the extra step of forwarding of a unique number (which has its own chance of failing to forward) and some possible non-repudiation risks.

Perhaps this could be done by assigning each FI their own identifier, and pair that identifier with a unique number which is never used across batches, file IDs or dates. (A unique ID which is never reused since the FI Identifier would always make it unique across all FIs).

This would mean changes on the FI side and so some analysis would have to be done to find the cost benefits for NACHA, FI and FRS.

Posted by: B. Guhanick | February 8, 2017 at 09:40 AM

I like this idea. It would also make it extremely easy for an FI to research a transaction within their records by using the unique trace number. You are looking at around 20 billion transactions per year so the 3.5 trillion should easily cover the 6 year record retention requirement.

Posted by: David L Payne | February 7, 2017 at 06:58 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 30, 2017


Pssst…Have You Heard about PSD2?

No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.

The directive and subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape, including:

  • Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customer's behalf as well as data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.
  • Requires financial institutions, upon the request of their customers, to allow these approved nonbank, third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application program interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to the retention of their customer's business as well as concerns with data security.
  • Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that the criminals will have fixed transaction amounts and authentication methodology information to modify their attacks.
  • Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.

While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed



_______________________________________

* Final rules are expected to be published in January 2017.


January 30, 2017 in emerging payments, mobile payments, payments, payments risk, payments systems, regulations, regulators, risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 17, 2017


Expanding Cybersecurity

Payments people start biting their nails when they hear "share more with more." They have been conditioned to keep payments information from ever being shared. But that is in the context of protecting legitimate payments system users from losing money while a fraudulent party benefits. At 7,000 members, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is currently the largest financial services trade association in the world. I attended their Fall Summit last October, a month fittingly designated National Cybersecurity Awareness Month, and heard plenty about sharing. The mission of FS-ISAC is always strength in sharing; this year's summit focused on expanding the trust.

Payments people are used to looking for fraud by way of chargebacks and returns, one payment-channel silo at a time. Shhh. Don't let ACH people share information with wire people, and vice versa—the risk department will let us know if there is an issue. Of course, payments fraud is an ever-increasing battle, and we must remain vigilant. However, who is prepared to recognize payment events that from a bird's-eye view may look legitimate but, when analyzed, point to a threat of mass destruction?

Recent distributed denial-of-service (DDoSs) attacks highlight the scale of network bandwidth that can be unleashed on connected systems. Payments are just that, a network of systems that connect every aspect of our economy. There are countless examples of services or goods not being rendered when payments aren't received. Liquidity failures do tend to cause a state of panic. Even attacking one specific sector such as payroll processing on the first of the month could lead to disaster. As my colleague pointed out in a July 2016 blog, cash is alive and well, but payments systems today rely totally on telecommunications, which rely on our power grid.

Admiral James Stavridis, the keynote speaker at the FS-ISAC Summit, echoed the importance of expanding trust, along with the need to increase the resiliency of the nation in the event of a cyber-incident. Stavridis provided many encouraging solutions, one being that it is time for a cyber-force branch of the military. The United States Air Force was formed as a separate branch of the military in September 1947 under the National Security Act of 1947 as aerial warfare advanced. Stavridis proposed that now is the time for us to consider that cyber-incidents could be used as weapons of mass destruction. He applauded the current combat against cybercrime, yet encouraged new thought on what could be in store and how quickly it could arrive.

How do payments people continue down the path of protecting individual players while simultaneously protecting the nation from a crippling cyber-incident? It could be just a matter of whom you invite to the table. As I saw with attendance at the FS-ISAC Summit, the cybersecurity conversation needs to include diverse skill sets. There has been a trend in moving information security departments away from their information technology partners and under the risk and compliance umbrella so they can remain unbiased when scrutinizing payment transaction red flags and other systems. Additionally, legal barriers are being reevaluated to ensure that law enforcement can access information, most notably by FinCEN expanding Suspicious Activity Report requirements to include cyber events.

And, more deeply about whom we are trusting at the table, are we actually expanding the information shared? Could we make correlations by looking at payment volumes together with cyber activity and reports of fraud?

There is a growing sense that payment security equates to cybersecurity and national security. With Stavridis and others promoting the movement for "expanding the trust," new ideas continue to emerge. Hopefully, the technologies and strategies that are made to wow us (for example, the internet-of-things, machine learning, and the distributed ledger) can also serve to unite and protect us.

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

January 17, 2017 in cybercrime, payments, payments risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 14, 2016


"Good, Better, Best" in Understanding Merchant Payments

The marketing mantra "Good, Better, Best" from Sears in selling different grades of merchandise at different price points might serve as a guide for segmenting quality levels of information needed in understanding merchant payments. While attending several merchant-focused conferences and trade shows this year, I began thinking about this mantra in relation to the dearth of even "good," rigorous information on the payments experience of the important retail trade sector of our economy. Payment information such as person-present and remote payments, successful and unsuccessful fraud attempts, use of technology, cost of acceptance, and other information by type of payment instrument is simply not widely available. In cases where some information exists, it isn't representative of the entire retail industry.

Currently, there is a wealth of information available on payments for the overall economy through the previous and pending release of the latest Federal Reserve's Triennial Payments Study, the first of which was compiled in 2000. But the focus of this study is the broader landscape, with individual sectors of the economy not examined in detail. Today, the Fed continues to collect and publish aggregate survey information from payments providers (including some private-label card issuance information from retail merchants) via the payments study and from consumers via surveys conducted by the Consumer Payment Research Center at the Federal Reserve Bank of Boston. However, there is no major representative survey of quantitative payments information about businesses, of which merchants are a critical part since so many payments are made by consumers for purchase of goods/services.

How important is the retail trade sector to the economy? Using figures from the U.S. Census Bureau, these charts show the 1.2 million businesses engaged in retail, accommodation, and food services. Collectively, the businesses employ 27 million people and produce annual sales of $5.4 trillion. More to the point, the lion's share of retail payment transactions are thought to be accepted via this sector of the economy, making it the sector to be impacted the most by payment economics and policy.

Pie-chart-one-top-large
(enlarge)

Pie-chart-two-bottom-large
(enlarge)

Many government entities, including the Reserve Bank of Australia, have surveyed merchants in their own countries. The Bank of Canada has a report due next year; the European Commission surveyed 10 European Union (EU) states; and the European Central Bank surveyed 13 EU states. Colleagues of mine at the Federal Reserve Bank of Kansas City offer a comprehensive review and compelling case for "Measuring the Costs of Retail Payment Methods" here in the United States.

Below are some of the benefits of conducting a merchant study in the United States. Doing so could

  • Narrow the gap in tracking merchant payments and payment fraud information compared with other developed countries.
  • Offer detailed breakouts of point-of-sale and remote payments that provide information on fraud and other losses prevented and actual losses incurred.
  • Help identify efficiency-improving changes in retail payments and strengthen the understanding of payments end to end for a sector with high impact in payments.
  • Contribute to social welfare analyses by providing more facts about merchant benefits, costs, and fraud risks associated with different payment methods.

Perhaps we should apply the mantra of retail and move from good or better to best. Perhaps we should aspire to doing the best reporting we can muster for this important sector of our economy. What are your views on the value of such an undertaking?

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

November 14, 2016 in payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 19, 2016


Mobile Banking and Payments—What's Changed?

This week, the Federal Reserve Banks of Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond are launching an online mobile banking and payments survey to financial institutions based in their respective districts. The purpose of the survey is to achieve better understanding of the status of mobile banking and payments initiatives, products, and services that financial institutions offer in the various regions of the country. The results of the survey at the individual district level should be available to participants by mid-December; a consolidated report for all the districts will be published in early 2017.

The last survey, which had 625 participants, was conducted in the fall of 2014. That was before the launch of the various major mobile wallets operating today, so it will be interesting to see what level of impact these wallets have had on the mobile payments activity of financial institutions. You can find the results of the 2014 Sixth District survey on our website. This survey effort complements the 2016 Consumer and Mobile Financial Services survey conducted by the Federal Reserve Board's Division of Consumer and Community Affairs.

First designed by the Federal Reserve Bank of Boston in 2008, the survey has been updated over the years to reflect the many changes that have taken place in the mobile landscape in the United States. Similar to past surveys, the 2016 survey looks to capture:

  • Number of banks and credit unions offering mobile banking and payment services
  • Types of mobile services offered or planned
  • Mobile technology platforms supported
  • Features of mobile services offered or planned
  • Benefits and business drivers associated with mobile services
  • Consumer and business adoption/usage of mobile services
  • Barriers to providing mobile services
  • Future plans related to mobile payment services

If your financial institution is based in one of the participating districts and has not received an invitation to participate in this year's survey, please contact your district's Federal Reserve Bank. For the Sixth District, you can contact me via email or at 404-498-7529. You can also contact me if you need assistance in locating your district's lead survey coordinator.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 19, 2016 in banks and banking, financial services, mobile banking, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 27, 2016


Between a Rock and a Hard Place?

Customer education encouraging safe payments practices has always been viewed by staff at the Retail Payments Risk Forum as a vital element in mitigating payments-related fraud. We have stressed this need time and time again in our posts as well as our numerous speaking engagements at payments-related conferences and events.

Financial institutions (FIs) have generally been identified as the group that should bear this responsibility as they own the account relationship, but with more intermediaries in the payments process, I think that others should also be involved. The advent of mobile banking and payments has introduced even more challenges since the financial institution doesn't get involved in the acquisition of the mobile device as that is normally handled by the mobile network sales representatives. My personal experience with these sales representatives is that once the device sale is done, they are more interested in selling me accessories or upgrading my data plan than they are teaching me about selecting and setting strong passwords or preventing malware and viruses from finding their way into my phone.

When I raise this issue with others, all too often I hear a pessimistic chorus that getting consumers to adopt strong security practices will always be a losing battle for FIs. They say that consumers will always choose convenience over security—that is, until they fall victim to fraud. And forget about any other player in the ecosystem taking on the education responsibility because if they have no liability for fraud losses, why direct funds to education when they could be deployed elsewhere?

The impact of fraud on a consumer's relationship with his or her financial institution has never been greater. We read every day about the increasing economic importance of the Gen Y or millennial segment. With an estimated 80 million people, they represent the largest segment of our country's bankable population. A late 2015 study by FICO on millennial banking habits revealed that 29 percent of respondents indicated that they would close all their accounts with a financial institution if one of those accounts experienced fraud. To make matters worse, one quarter of the survey participants indicated they would write a negative post on social media about their financial institution if they experienced a fraud incident.

So are financial institutions in a no-win situation? A ray of hope emerges from the same FICO study, which states that 41 percent of the millennials surveyed indicated that they recommended their FI to friends, colleagues, or family members after a positively handled fraud incident. Studies have consistently shown that payment security is a key concern of all customers, not just millennials. So although it may not seem fair that financial institutions have to shoulder most of the security education effort, the impact of not doing so could be significant. Perhaps it is time for a coordinated payments industry campaign to encourage consumers to adopt safer and more secure banking practices.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 27, 2016 in banks and banking, financial services, payments, risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 23, 2016


What Would Happen If the Lights Went Out for a Long, Long Time?

In 1859, a massive geomagnetic solar storm known as the Carrington Event caused extensive damage to telegraph systems and other nascent electrical devices worldwide. Telegraph lines sparked and telegraph operators could send and receive messages without the use of electric batteries. The Northern Lights lit up the sky in all of North America. Though not widely reported, on July 23, 2012 a massive cloud of solar material similar in magnitude to the Carrington storm erupted off the sun's surface, radiating out at 7.5 million miles per hour. Fortunately the impact of the solar storm missed Earth by nine days because of the Earth's orbit position.

One report estimates that a Carrington-level storm today could result in power outages affecting as many as 20–40 million Americans for a duration ranging from 16 days to two years at an economic cost of up to 2.5 trillion dollars. A research paper in Space Weather estimated the odds of a Carrington-level storm at about 12 percent over the next 10 years. Early warning of such a storm is possible since satellites can detect impending storms and have the potential to provide a minimum one-day warning before it hits Earth.

So what would happen if the lights went out in much of the United States because of such a cataclysmic event? One could anticipate serious disruption of electronic payments such as ACH, cards, and wire transfers in the affected areas and beyond. What would one do to facilitate commerce in such an emergency? Well, cash and, to a lesser degree, checks could come to the fore. Use of checks would be problematic given the electronification of checks, high risk of fraud, and overdrawn accounts if banking systems are not up and running. Cash would have fewer problems if it were on hand to distribute to the affected population. Perhaps cash accompanied by ration books could be used to mitigate hoarding.

For a low-probability extreme-impact event that results in cash becoming the only way, among existing payment instruments, for commerce to take place, what contingency plans are in place to ensure that consumers and businesses can obtain cash? Since the contingency systems we have in place to handle a future Hurricane Katrina or Hurricane Sandy are likely not sufficient for an extreme event of nationwide scale, some of the issues that need to be resolved include:

  • How does one ensure that sufficient cash is on hand during an emergency?
  • How is cash going to be distributed and accounted for along the supply chain with ATMs and bank offices and their core systems inoperable due to no electricity?

Addressing these questions and others involves a monumental effort, and I don't have a ready answer. Fortunately, cash solves the problem for small-scale, low-value payments during a long-term power outage. That is, during the immediate, in-person exchange, it is an instrument that doesn't require electricity, communication networks, or computers.

This and other major calamities have always made me concerned about the push in some quarters for a full transition to electronic payments at the expense of payments less reliant on electricity and our communication networks. As an engineer by training, it is in my nature to wonder what can go awry if failsafe systems aren't in place when the unexpected happens.

With the possibility of a catastrophic event in our lifetime, would you rather have cash in hand or a card/mobile app? As for me, I'm going to the bank to cash out my accounts and then on to the hardware store to buy a gas-powered electric generator. Just kidding, though I think serious consideration and appreciation is needed for the contingency aspects of cash when things invariably go awry.

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail  Payments Risk  Forum at the Atlanta Fed

May 23, 2016 in ACH, cards, checks, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 30, 2015


Half Full or Half Empty?

My colleagues and I in the Retail Payments Risk Forum participate as speakers or attendees in what sometimes seems to be a nonstop stream of banking and payments conferences that run from mid-September to mid-November. This effort is part of our mission to support the education of the stakeholders in the payments ecosystem with a focus on payments risk. We also use the opportunity to network with other attendees and vendors to stay on top of the latest developments and market solutions that are being deployed to combat payments fraud. These events also give us a chance to provide our perspective on trends and key issues involving payment risk.

At a recent fraud conference, I was on a panel discussing fraud trends and key threat vectors. The moderator of the panel revealed some results from Information Security Media Group's 2014 Faces of Fraud survey of financial institutions (FIs). There was a specific question about whether FIs had seen a change in the level of losses from account takeover fraud since the Federal Financial Institutions Examination Council issued its supplemental guidance on Internet banking authentication in 2011. That guidance directed financial institutions to evaluate "new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks." The survey results are shown in the chart below.

graphic-chart

Source: 2014 Faces of Fraud Survey, Information Security Media Group

While the moderator and some of the other panelists seemed to focus on the 20 percent who said they had seen an increase in fraud, I had the perspective of the glass being half full by the 55 percent who indicated that the fraud had stayed about the same or decreased. Given the certainty that the number and magnitude of data breaches have increased and that the number of attempts by criminals to commit some sort of payment fraud through account takeovers was significantly up, I opined that since the fraud levels for the majority of the FIs had stayed at the same level or declined should be considered as a victory.

Certainly, I am not saying the tide has turned and the criminals are on their way to retirement, but I think the payments industry stakeholders should take some pride that its efforts to combat payment fraud are making some progress through the continuing development and deployment of anti-fraud tools. Am I being too Pollyannaish?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 30, 2015 in banks and banking, crime, cybercrime, fraud, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


October 2017


Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        

Archives


Categories


Powered by TypePad