Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
May 13, 2019
What Can We Learn about Fraud from the United Kingdom?
In many of my discussions around emerging payments, two topics almost always come up: contactless and real-time payments. And given my interest in payments fraud, the discussion usually steers into two questions: Will contactless payments result in increased card fraud? And do faster payments mean faster fraud? While only time and data will ultimately reveal those answers, we can look to UK Finance's Fraud the Facts 2019 report for some insight into those questions, since the United Kingdom is further along on its contactless and real-time payments journeys than we are.
In the United Kingdom, in-person contactless payments have not led to an increase in card fraud losses. Contactless POS payments, through either a mobile device or a card, represented 36 percent of all card transactions in 2018, yet they accounted for less than 3 percent of overall card fraud losses (and just under 28 percent of the face-to-face fraud losses). The fraud rate on contactless transactions has remained steady and low for three consecutive years at 2.7 basis points, or 2.7 pence (£0.027) for every £100 spent. This compares very favorably to the overall card fraud rate of 8.4 basis points, or 8.4 pence (£0.084) for every £100 spent. Fraud for contactless transactions has been mitigated in the United Kingdom through the establishment of floor limits above which a PIN is required, the requirement of PIN verification after a cumulative spend threshold is reached, and the implementation of a security feature that randomly requires cardholders to input a PIN during a transaction to prove that the cardholder is in fact in possession of the card.
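The three controls named above (a per-transaction floor limit, a cumulative PIN-less spend threshold, and a random PIN challenge) combine into a single cardholder-verification decision at the terminal. The following is an added example, not code from the original post or from any card scheme; the limits, the challenge rate and the card's spending history are constructed for illustration and are not the UK figures the post cites. It assumes the PIN entry succeeds whenever it is requested, which resets the cumulative counter.

```python
"""Contactless cardholder-verification decision: floor limit, cumulative
spend threshold and random PIN challenge (illustrative policy values)."""
import random
from dataclasses import dataclass


@dataclass
class ContactlessPolicy:
    floor_limit: int        # pence; a single amount at or above this needs a PIN
    cumulative_limit: int   # pence; PIN-less spend reaching this needs a PIN
    random_pin_rate: float  # probability that a below-limit tap is challenged


@dataclass
class CardState:
    pinless_spend: int = 0  # pence spent contactless since the last PIN entry


def pin_required(policy, state, amount, rng):
    """Return (required, reason) for one tap of `amount` pence."""
    if amount >= policy.floor_limit:
        return True, "floor_limit"
    if state.pinless_spend + amount >= policy.cumulative_limit:
        return True, "cumulative_limit"
    # Random challenge: proves the tapper can produce the PIN, which a
    # lost or stolen card used PIN-less in small amounts cannot.
    if rng.random() < policy.random_pin_rate:
        return True, "random_check"
    return False, "none"


def process_tap(policy, state, amount, rng):
    """Apply the decision and update the card's PIN-less counter."""
    required, reason = pin_required(policy, state, amount, rng)
    if required:
        state.pinless_spend = 0          # assumed: PIN verified successfully
    else:
        state.pinless_spend += amount
    return required, reason


def simulate(amounts, policy, seed=0):
    """Run a sequence of taps (pence) against a fresh card; return reasons."""
    rng = random.Random(seed)            # seeded so the run is reproducible
    state = CardState()
    return [process_tap(policy, state, amt, rng)[1] for amt in amounts]


if __name__ == "__main__":
    # Constructed policy: £30 floor, £40 cumulative, 5 percent random checks.
    policy = ContactlessPolicy(floor_limit=3000, cumulative_limit=4000,
                               random_pin_rate=0.05)
    taps = [1000, 1500, 3500, 2000, 2000, 500]
    for amt, reason in zip(taps, simulate(taps, policy)):
        print(f"£{amt / 100:6.2f}  ->  {reason}")
```

With the random rate set to zero the run is fully deterministic, which is how the checks below exercise the floor-limit and cumulative-limit paths; with a nonzero rate the seed fixes which taps draw the random challenge.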
The fraud situation for faster payments in the United Kingdom is not quite as rosy as that of contactless payments. In 2017, UK Finance began reporting on authorized push payment (APP) fraud. In this type of fraud, which includes email account compromise, a victim is tricked into sending money from their bank account to a fraudster's account. In 2018, APP fraud represented 30 percent of the total reported fraud losses. And of the APP fraud, faster payments were used in 93 percent of the fraudulent transactions and accounted for 71 percent of the fraudulent value.
I can't claim that faster payments is driving APP fraud or leading to "faster fraud," but it is rather obvious that faster payments is the preferred payment method of fraudsters conducting APP fraud. This should be an alarm for the payments industry in the United States as we continue on our faster payments journey. To mitigate APP fraud with faster payments in the United Kingdom, the industry is working to implement a new account-name-checking service, Confirmation of Payee, that Pay.UK has introduced. Confirmation of Payee checks the name associated with a routing and account number. This service is not a perfect solution—it won't help if the fraudster uses or opens an account under the name of the actual intended recipient. But it definitely will prevent fraud losses in cases where the account information does not match the name of the intended recipient, which is currently more often the case than not.
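An added example of the name check described above, including the limitation the post points out: it is not Pay.UK's Confirmation of Payee code, and the account registry, the name-normalisation rules and the similarity threshold for a "close match" are assumptions constructed for illustration. The registry deliberately contains a second account registered under the legitimate supplier's name to show the case the check cannot catch.

```python
"""Payee name check against a registry of account holders (constructed)."""
import re
from difflib import SequenceMatcher

# Constructed registry: (sort code, account number) -> registered name.
REGISTRY = {
    ("12-34-56", "12345678"): "Acme Building Supplies Ltd",
    ("12-34-56", "87654321"): "J Smith",
    # Assumed scenario: an account a fraudster opened under the supplier's name.
    ("98-76-54", "11111111"): "Acme Building Supplies Ltd",
}

# Assumed: corporate suffixes and articles are ignored when comparing names.
IGNORED_TOKENS = {"ltd", "limited", "plc", "the"}
CLOSE_MATCH_THRESHOLD = 0.8   # assumed threshold for the "close match" outcome


def normalise(name):
    """Lower-case, strip punctuation, drop ignored tokens, collapse spaces."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    tokens = [t for t in cleaned.split() if t not in IGNORED_TOKENS]
    return " ".join(tokens)


def confirm_payee(sort_code, account_number, payee_name):
    """Return one of: match, close_match, no_match, account_not_found."""
    registered = REGISTRY.get((sort_code, account_number))
    if registered is None:
        return "account_not_found"
    given, held = normalise(payee_name), normalise(registered)
    if given == held:
        return "match"
    similarity = SequenceMatcher(None, given, held).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return "close_match"
    return "no_match"


if __name__ == "__main__":
    # Constructed payment requests: the last one is a fraudster-held account
    # registered under the intended recipient's name, which the check passes.
    requests = [
        ("12-34-56", "12345678", "Acme Building Supplies Limited"),
        ("12-34-56", "12345678", "Acme Buliding Supplies Ltd"),
        ("12-34-56", "87654321", "Acme Building Supplies Ltd"),
        ("98-76-54", "11111111", "Acme Building Supplies Ltd"),
    ]
    for sc, acct, name in requests:
        print(f"{sc} {acct} {name!r:36} -> {confirm_payee(sc, acct, name)}")
```

A "no_match" result is the case the post says the service will stop: the account details the victim was given do not belong to the person they think they are paying. The fourth request returns "match" even though the account is not the supplier's, which is exactly why the check is a strong control but not a complete one.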
So as we continue moving toward contactless and faster payments in the United States, I think we can learn from those across the pond about the need for controls to mitigate fraud in these emerging payments. Floor limits for PINless transactions and velocity controls are part of the U.S. contactless payments experience, but what about faster payments? Does a name-checking service like the one being implemented in the United Kingdom make sense? What controls should be implemented to help prevent fraudsters from using faster payments to commit APP-related frauds, especially email account compromise?
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
How are you attacking this growing threat, and what are you doing to educate your employees and customers?
April 29, 2019
Next-Gen Security
In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.
I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of "personal financial security" played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:
- The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
- The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
- In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.
I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payments cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).
When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.
What is your bank doing to educate the next gen of security ninjas?
April 22, 2019
The Prepaid Rule: All Jokes Aside
A payments compliance rule took effect this year on April Fools' Day, and it occurred to me that when a compliance deadline is approaching, you might not feel like joking around. The Prepaid Accounts Final Rule was issued a few years ago, in 2016, but after a number of postponements, its effective date is finally behind us.
The rule standardizes disclosures, error resolution procedures, consumer liability limits, and access to records. These changes are intended to provide comprehensive consumer protections for prepaid accounts under the Electronic Fund Transfer Act, or Regulation E. The rule is fairly comprehensive, but for the sake of brevity, I'm going to look at only a couple areas of the rule—those that stand out to me.
Consumers can now expect protections over their transaction accounts regardless of whether the account is offered directly by a traditional financial institution or by a third party, such as a fintech or merchant, as they make electronic payments (debit, prepaid, ACH). Also, fintech companies that allow consumers to store funds, or are thinking about adding that ability, may want to prepare themselves to be designated as prepaid services providers and therefore subject to the regulatory and licensing requirements that go along with that designation. To that point, I am not surprised to see several big names recently listed on the FinCEN Money Services Business Registration as "Providers of prepaid access." (To see the list, scroll down the web page to the MSB registration form; in the MSB ACTIVITIES field, click the down arrow to open the dropdown list; select Provider of prepaid access and click the Submit button.)
Established prepaid issuers have long been preparing for the new prepaid rule despite the stops and starts of an effective date and the uncertainty about some of its key provisions. Because consumers open prepaid accounts in a variety of ways—from starting a new job to purchasing prepaid cards at a retail checkout lane—it can be difficult to accommodate the disclosure requirements, such as those for listing fees, that the prepaid rule prescribes. Most issuers have changed product packaging to accommodate the new disclosures. These changes required complicated logistics coordination for the prepaid supply chain to replace old, noncompliant inventory with new, compliant card packages. Some issuers are still grappling with how to list types of fees that may not apply to their particular account program.
Many issuers had already been providing some level of consumer protection from unauthorized transactions before the rule requirement took effect. Now there will be a standard expectation. Limited liability and error resolution benefits need apply only to customers who have successfully completed the identification and verification process, if there is one for their particular program. Regulation E's error resolution and limited liability requirements do not extend to prepaid accounts (other than payroll or government benefit accounts) that have not completed the verification process, one of the key revisions after the rule's initial issue.
The rule will change the way we categorize prepaid services. For instance, in the past, discussion around prepaid products focused on whether the product was open- or closed-loop, and whether it was reloadable or nonreloadable. While those characteristics still exist, they are not necessarily a determinant as to whether the rule applies to a particular product or not. There are clear exclusions for certain products like those that are marketed and labeled as gift cards, health care savings cards, or disaster relief cards. However, even if a product doesn't have "prepaid" on its label, it may still fall under Regulation E. Coverage extends to asset accounts that consumers can use to conduct transactions with multiple, unaffiliated merchants for goods or services, to pull cash from automated teller machines, or to make person-to-person transfers.
For both incumbents and those finding themselves new in prepaid, it has been no joke to prepare to comply with the new rule. Despite the extra burden, do you think we will look back on this milestone favorably in the future? I think the new prepaid rule will lead to strengthening trust and confidence in these products. The Consumer Financial Protection Bureau (CFPB) pledges to be vigilant in evaluating new rules. Moreover, the CFPB is required to submit a formal evaluation five years following a rule's effective date. The industry should be ready to help measure the rule's impact.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed