Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
April 7, 2014
Learning from Experience to Handle Suspicious Payment Transactions
In a post earlier this year, we addressed the difficulty of identifying and tracking remotely created checks (RCCs) in the payments stream. Electronic payment orders (EPOs), which are electronic images of "checks" that never exist in paper form, are another payment vehicle difficult to identify and track. EPOs can be created by the payee as an image of an RCC, or created and electronically signed by the payer.
Financial institutions have to address all suspicious payment transactions, whether they occur with traditional payments, like checks and ACH or these new variants, the RCCs and EPOs. Institutions rely on a variety of ways to become aware of suspicious payment transactions:
- The institution's anomaly detection processes highlight transaction patterns that are atypical for a customer.
- A bank customer contacts the bank after identifying an unauthorized transaction on the bank statement.
- Consumer complaints about a business suddenly increase.
- Another institution contacts the bank with concerns about a particular business.
- The bank becomes aware of legal actions taken against a business.
- Returns for a business's payment transactions increase.
Regardless of payment type, institutions can apply the simple approach in this diagram to handling suspicious payment transactions.
When an institution becomes aware of suspicious transactions, its first step is to take care of the customer. This may include returning transactions, placing stop payments, monitoring account activity, addressing security protocols, or changing authentication tools.
The next step would be to reach out to other institutions, law enforcement, and regulators. Other institutions may not be aware of the issue and can assist with resolving the customer’s concern and addressing the underlying cause of the problem. Support for information sharing between financial institutions includes the safe harbor provisions within Section 314(b) of the U.S. Patriot Act. Submitting suspicious activity reports, or SARs, and contacting appropriate law enforcement such as the local police or FBI enables law enforcement to address fraudulent behavior, monitor the extent of the fraud, and address areas of concern that are affecting multiple institutions. Information-sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, are other important avenues.
Critical to the approach is the importance of the affected institution consistently adjusting its identification processes based on its experiences with suspicious transactions. For example, if the anomaly detection system has default settings for origination volume or return rates, and the institution learns that those settings were ineffective in identifying a problem, then the institution should adjust the settings.
As the payments industry continues to evolve, with newer payment types such as RCCs and EPOs, criminals will find new ways to use them to their benefit. And as perpetrators of fraudulent payments adjust their approaches, a financial institution must also be a "learning" institution and adjust its approach to identifying the suspicious payments.
How often does your institution adjust its processes for handling suspicious transactions based on current fraud experiences?
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Learning from Experience to Handle Suspicious Payment Transactions:
January 6, 2014
When It Comes to RCCs, Can We Make the Invisible Visible?
In May 2013, the Federal Trade Commission (FTC) issued a proposal for public comment to amend the telemarketing sales rule to prohibit telemarketers from using certain payment types, including remotely created checks (RCCs). The proposal addressed attributes of RCCs that make their use susceptible to abuse. RCCs, sometimes referred to as demand drafts, are checks that payees issue rather than the consumer or the consumer’s bank, and are not signed by the consumer. The attributes the proposal addresses include the difficulty of distinguishing RCCs from check images, the absence of reliable data on the volume of RCCs and returns, and the lack of centralized fraud monitoring. Together, these attributes make RCCs relatively invisible.
RCCs usually garner attention only when a law enforcement case uncovers their use in fraud, typically when consumers are victimized by unfair and deceptive practices. Still, RCCs are not just a tool for committing fraud—they are used for legitimate purposes and are frequently authorized by consumers as payments for credit cards, charitable donations, and insurance premiums. At times, banks originate the RCCs themselves or on behalf of the payee, so in these instances, the bank monitors returns, identifies issues, and manages them.
In other payment methods, including ACH transactions and cards, the ability to recognize the payment, track volume and returns, and monitor fraud centrally have proven to be beneficial in addressing fraud. For example, ACH operators have data on forward entries and returns for ACH transactions that enable ACH participants to identify and address issues proactively. Adding these layers of data to enable identification and monitoring of RCCs would prove equally beneficial to the depository and paying banks, as well as regulators and law enforcement to potentially identify and address RCC fraud more directly.
How can the industry improve the identification and tracking of RCCs? One option could be to develop some kind of technology that would distinguish between RCCs and check images with a high degree of accuracy. Another option could be to approve a standard for an identifier in the MICR (short for magnetic ink character recognition) line to indicate that this document is an RCC.
Some industry participants have pursued the MICR line identifier in the past, but these efforts did not gain traction within the industry. However, it may be an idea whose time has come given the concerns that regulators and law enforcement officials are raising about the "invisibility" of RCCs. A MICR line identifier would also allow for centralized fraud monitoring. For instance, depository banks could report periodically to their primary regulator on RCC returns. This reporting would provide information to regulators and law enforcement on possible fraud and support banks in their efforts to mitigate improper RCC usage.
Does your institution see value in making RCCs visible in the processing stream and quantifying their use?
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference When It Comes to RCCs, Can We Make the Invisible Visible?:
June 7, 2010
Remotely created checks: Banks of first deposit provide front line of defense
Almost everyone has authorized a draft transaction from a checking account, whether to expedite a payment to a creditor, purchase an item via telephone or Internet, or compensate a merchant for the return of an initial paper check due to insufficient funds. The payee remotely creates these preauthorized drafts, or remotely created checks (RCCs), under the authority of the accountholder but without the accountholder's signature. This lack of signature makes RCCs vulnerable to fraud.
How can the payments industry balance the legitimacy and convenience of an RCC with the risk management challenges it presents? Staff at the Atlanta Fed's Retail Payments Risk Forum explored this question and other challenging issues in a recently published concept paper, "An Examination of Remotely Created Checks."
Risk management challenges: RCCs are hard to monitor
RCCs, like traditional checks, can be sent forward for collection through the banking system or processed electronically by converting the paper check into an electronic file acceptable to image-exchange networks. Electronic-only RCCs can also be presented for payment and sent forward for clearing, and in some instances can be converted and processed as an ACH debit item and cleared through the ACH network. RCCs that exist in this format may easily bypass detection because, when they are sent forward for clearing, they appear in a format indistinguishable from files of images captured from paper checks.
Distinguishing electronic-only RCCs from paper RCCs converted to an electronic image is crucial to understanding and appropriately applying the new RCC warranty and presentment claims. Yet reliable data on the prevalence of RCCs as well as the true magnitude of fraud perpetrated through this payment channel is difficult to quantify because, as stated above, RCCs are indistinguishable from files of images from paper checks.
Risk management concerns and applicable due diligence protocols
In 2005, Regulation CC was amended to addressed RCC's unique attributes and the risks and challenges that accompany them. Ultimately, Regulation CC altered the final payment rule by shifting liability for unauthorized RCCs from the paying bank to the bank of first deposit. The change in liability structure also altered presentment and transfer warranties.
Risk management concerns for the bank of first deposit are substantial due to the inherent risk of unauthorized RCC transactions. Often, reported incidents of RCC fraud are tied to poor internal controls and due diligence practices of banks, particularly with their "know your customer" programs.
The Office of the Comptroller of the Currency (OCC) issued updated guidance in 2008 suggesting that account relationships with third-party payment processors are the riskiest for a bank that accepts RCCs as deposits. The guidance was intended to serve as a supplement to existing risk management practices while enhancing underwriting and monitoring of entities that process payments for telemarketers and other merchants.
Depository banks may be best poised to manage the unique risk of RCCs
Some experts firmly believe that RCCs provide consumers the important benefit of avoiding late fees by facilitating the expedited payment of a bill, while others oppose the use of RCCs because their risks outweigh any benefits they may provide. Rather than prohibit their use, exploring improved ways to manage RCCs may preclude the need for new laws or regulations.
Only the bank of first deposit possesses the information necessary to manage RCCs, and only the bank of first deposit has a financial incentive for mitigating RCC fraud. By creating comprehensive risk management practices, beginning with account relationship agreements, the bank of first deposit could detail the quantity of RCCs it will accept, the quality of the images, and the permissible percentage of returns it will accept as RCCs. The institution with the most to lose has the most to gain by policing its own payments activities, while identifying, monitoring, and controlling RCC fraud risk.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Remotely created checks: Banks of first deposit provide front line of defense:
May 10, 2010
Going all digital with the check: Check 21, ACH, or an electronic payment order?
Today's continued decline in paper check volumes can be explained in part by the expanding diversification of electronic payment instruments. As part of this transition over the past five years, the Federal Reserve Banks (FRB) reduced their number of paper check processing operations from 45 to one in response to declining paper check volumes. The diminished significance of paper checks and technological advances in the payments arena have given rise to the idea of a new type of check: an all-digital check, i.e., one never having taken paper form.
A concept paper published by a payments research group at the Federal Reserve Bank of Chicago was the first to espouse this idea. The paper advances the idea that this new kind of check could help complete the transformation of the check from paper to electronic form altogether by doing away with the need to write the paper check in the first place. The new check-like payment, termed electronic payment order (EPO), is designed to allow consumers to write a check digitally on a smart phone or other computer device and then send that digital check to the payee who, in turn, sends the image on electronically to his or her bank for deposit. The EPO would clear and settle through the same electronic check processing channels that all other imaged checks do.
The appeal of an all-digital check
In recent months, the EPO paper has received considerable attention. One example is a recent article in the American Banker that portrays the EPO as an efficient and innovative payment product. Although the EPO may function like and contain the same information as a traditional check, the EPO may have benefits beyond those fully explored in the paper.
A possible benefit is the EPO's potential to replace remotely created checks. Since the EPO requires a digital signature signifying intent and authentication—two elements that remotely created checks lack—it may be less subject to fraud because the digital signature establishes more trust and predictability than does a remotely created check. On the other hand, the payee of an EPO transaction is still subject to the possibility that the payer has insufficient funds to cover the EPO.
Fundamental legal and regulatory issues
New electronic payments mechanisms typically raise numerous legal and regulatory issues, such as acceptable methods of payment authorization, information protection, and methods for settling disputes. The all-digital check concept is no different. While it has been reported that the FRB has endorsed the EPO practice, it actually has not, particularly because the specific body of laws and regulations that govern an EPO are uncertain and remain to be addressed.
By being entirely electronic, the EPO achieves the goal of eliminating the paper check, and it therefore makes check law literally inapplicable. Conceptually, the authors of the paper foresee the EPO existing under current check law through agreement while using traditional electronic check clearing channels. Some opine that to the extent that check law may be made to apply by agreement, then an EPO, as a matter of law, would not be subject to the Electronic Funds Transfer Act (EFTA) and Regulation E, as checks are precluded from coverage under EFTA. Others contend, however, that Regulation E should apply, since it regulates all electronically initiated transactions. But no known official determination to that effect exists.
The Chicago Fed's EPO paper acknowledges this paradigm and ultimately rests its legal standing on an agreement-based approach (i.e., where existing law would otherwise have addressed these legal and regulatory issues, parties agreeing to exchange EPOs will privately agree to a set of specific terms and conditions tailored to the new product). Whether an agreement-based approach can provide sufficient "legal" framework and do all that is necessary to make an EPO function as a traditional check but in all-digital form remains to be seen.
An alternative to the all-digital proposal: Credit-push transaction
The check clearing system operates on a debit-pull basis; that is, the payee has to deposit the check as an order to pull funds from the payer's checking account. An alternative proposal to the all-digital check could be a mechanism under which a check no longer operates as a debit pull but instead as a credit-push electronic payment. In this scenario, and in its simplest form, the accountholder would instruct the bank to transfer funds electronically from his or her account to the payee's bank account, thereby limiting the payee’s involvement and reducing the chain of transfers that otherwise occurs with traditional checks.
This alternative approach functions fundamentally like a cashier's check and mirrors payment rails available today from most home banking systems that can be accessed from a smart phone or home PC. Furthermore, the legal and regulatory framework for credit-push transactions is far more certain. For business EFTs, Uniform Commercial Code Article 4A would apply, and EFTA and Regulation E would apply for consumer EFTs. In addition, because the payer’s bank transmits the transaction, the payee can be certain that funds are good upon receipt.
The payments system as established provides an infrastructure for transferring money from one entity in the economy to another. An efficient payments system is one that allows instant confirmation of a transaction and does so in a secure environment. In the months ahead, key payments system participants will determine whether the concept of the EPO will ever be implemented or whether a different approach to traveling the "last mile" of check electronification is best. In any case, challenges remain, and streamlining and simplifying the transaction while addressing the legal and regulatory implications will be big factors in determining the outcome.
By Rich Oliver, executive vice president, and Ana Cavazos-Wright, payments risk analyst, both in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Going all digital with the check: Check 21, ACH, or an electronic payment order?:
July 6, 2009
Remotely created checks: Distinguishing the good from the bad
There are no hard numbers to quantify that remotely created checks (RCCs) pose greater risks than other payment types. However, there are known instances of RCC fraud, the impact of which can be significant. So the depository banks liable for RCCs may want to keep a vigilant eye on the situation.
What are RCCs?
These are checks that are not created by the paying bank and do not include the account holder's signature. In lieu of an actual signature, the check's signature block typically contains the account holder's printed name or standard language indicating authorization. RCCs have been used for recurring transactions, such as insurance premium payments, for quite some time. This solution offers consumers an alternative to the hassle of manually writing out checks each month. More recently, RCCs have also been used in nonrecurring transactions, such as purchases or bill payments made over the telephone or Internet. Though a useful form of payment, RCCs introduce risk into the retail payments system.
What are the risks?
As stated above, RCCs do not require a signature for authorization. As a result, they are vulnerable to misuse by fraudsters who can, for example, use an RCC to debit a victim's account without receiving proper authorization or delivering the goods or services. The risk of fraudulent RCCs is amplified in one-time purchase scenarios where the merchant is relatively unknown to the customer.
To address the fraud risk of RCCs, in July 2006 the Federal Reserve modified the liability structure for this particular type of check. The liability for unauthorized RCCs shifted from the paying bank to the depositary bank, which must now warrant to the collecting and paying banks that the RCC presented has been properly authorized. The Federal Reserve's amendment provides economic incentive for the depositary bank to perform additional vigilance when accepting RCCs given the warranties they must make. Since the depositary bank maintains the relationship with the bank customer depositing the RCCs, it is in the best position to mitigate the fraud risk. The challenge is that banks cannot readily identify RCCs in an automated fashion through the existing MICR line format. Generally, review of incoming RCCs requires manual intervention.
How pervasive are they?
In light of this identification challenge, the Fed applied a modified definition of RCCs to a sample of check transactions in order to establish a reasonable estimation of the volume of RCCs. As a result, the Federal Reserve's 2007 Check Sample Study concluded that less than 1 percent (0.95) of the checks sampled were RCCs. It is unclear how accurate this result is when considering the regulatory definition, but it is probably fair to say that RCCs are only a very small portion of check volumes overall. Moreover, the analysis did not discern within that estimate the number of illegitimate RCCs. It is the cases of misuse that have prompted some to call for a ban of RCCs altogether. While there is anecdotal information and well-publicized cases (such as the 2008 Wachovia case) highlighting abuses committed using RCCs, there is a lack of concrete data reflecting the portion of RCCs that are fraudulent or returned for other reasons.
RCCs represent a relatively small subset of checks overall. However, applying the Check Sample Study methodology and results of the Federal Reserve's overall 2007 Payments Study, the number of RCCs in 2006 alone would still have represented approximately 286 million items.
We know that some portion of these RCCs represent fraudulent cases where the payment was never authorized. However, we also know that when it does occur the consequences may be substantial in terms of adverse consumer impact. Therefore, despite the lack of complete data, it is unwise to allow RCCs and the known misuses to fall completely off the radar.
By Crystal D. Carroll, senior payments risk analyst of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Remotely created checks: Distinguishing the good from the bad:
May 19, 2009
State attorneys general shine light on gray areas of payments risk
When considering due diligence standards in payments relationships, banks and others may want to look beyond bank regulators, legal requirements, and NACHA rules to also include considerations developed out of the work of state attorneys general. During the last several years, state attorneys general have found their way into the payments risk management space as they have sought to inhibit merchants from evading taxes, promoting internet tobacco sales to minors, and other illegal behaviors. In their pursuit of wrongdoers, states have investigated the payments processors who aggregate and/or initiate ACH payments or remotely created checks, and the banks who accept these items through their account relationships as well. In doing so, these states have negotiated settlement agreements, which include due diligence policies for banks and payment processors. The results of these efforts may raise interesting questions as to whether or not existing regulatory guidance, NACHA rules, or legal requirements are sufficiently specific or clear standing alone.
One instance is instructive. Beginning in 2006, the states of California, Idaho, and New York began to investigate Internet tobacco sales activities in violation of various state laws. These investigations led to negotiated settlements with ECHO Inc., a payments processor, and with First Regional Bank, a California-based financial institution. These settlements included detailed requirements for the processor and the bank to perform due diligence on their customers (or, for the bank, their customers' customers). In particular, First Regional Bank was required to institute a "Tobacco Policy" under which the bank would perform specific steps to ensure it did not permit illegal tobacco sales activity to be facilitated using payments originated via its accounts. As an example, the bank's policy would include terminating accounts with any processor who failed to terminate processing for any customer who a) switched ACH activity to "demand drafts" (presumably focused on remotely created checks) once notified of a problem or b) offered "demand drafts" as a means to avoid ACH return scrutiny. This provision highlights a particular concern with illegal activity, including frauds, switching between ACH payments, and remotely created checks to avoid the network scrutiny instituted by the ACH operators and NACHA.
The efforts of the states, such as in the example above, raise potential questions about the specificity and clarity of the guidelines issued by the banking regulators, such as those issued by the OCC and FDIC with regard to payments processor relationships. The bank supervisors promote banks taking a risk-based view of due diligence requirements rather than prescribing specific actions. NACHA rules require commercially reasonable standards generally, suggest contracts should be in place with third-party senders, and make clear the ODFI bears the responsibility for the items it introduces into he ACH network but do not otherwise prescribe due diligence standards for processor relationships.
Subject to the principles-based standards described in supervisory guidance, NACHA rules, and other considerations, banks and even payments processors themselves might want to consider the standards included in state attorney general settlements in developing their own due diligence policies.
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference State attorneys general shine light on gray areas of payments risk:
- What Would Happen If the Lights Went Out for a Long, Long Time?
- Improving Customer Authentication: Is the PIN Past Its Prime?
- Follow the Money!
- Mobile Financial Services Are Still Growing
- Be Careful, Be Very Careful
- "I want to be alone; I just want to be alone"
- Combat Gear for Tax Season
- Same-Day ACH: A Call to Action
- Continuing Education in Mobile Payments Security
- The Insider on the Outside
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud