Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 20, 2019
Could Federal Privacy Law Happen in 2019?
Some payments people have suggested that this could be the year for mobile payments to take off. My take? Nah. I gave up on that thought several years ago, as I've made clear in some of my previous posts. I'm actually wondering if this will be the year that federal privacy legislation is enacted in the United States. The effects of the European Union's General Data Protection Regulation (GDPR) that took effect a year ago (see this Take on Payments post) are being felt in the United States and across the globe. The GDPR essentially has created a global standard for how companies should protect citizens' personal data and the rights of everyone to understand what data is being collected as well as how to opt out of this collection. While technically the GDPR applies only to EU citizens, even when traveling outside the European Union, most businesses have taken a cautious approach and are treating every transaction—financial or informational—that they process as something that could be covered under the GDPR.
A tangible impact of the GDPR in the United States is that the state of California has passed a data privacy law known as the California Consumer Privacy Act of 2018 (CCPA) that is partly patterned after the GDPR. The CCPA gives California residents five basic rights related to data privacy:
- The right to know what personal information a business has collected about them, where it was obtained, how it is being used, and whether it is being disclosed or sold to other parties and, if so, to whom it is being disclosed or sold
- The right to access that personal information free of charge up to two times within a 12-month period
- The right to opt out of allowing a business to sell their personal information to third parties
- The right to have a business delete their personal information, except for information that is required to effect a transaction or comply with other regulatory requirements.
- The right to receive equal service and pricing from a business, even if they have exercised their privacy rights under the CCPA.
According to the National Conference of State Legislatures (NCSL) 17 states have mandated that their governmental websites and access portals state privacy policies and procedures. Additionally, other states have privacy laws related to privacy, such as children's online privacy, the monitoring of employee email, and e-reader policies.
Take On Payments has previously discussed the numerous efforts to introduce federal legislation regarding privacy and data breach notification with little traction. So why do I think change is in the air? The growing trend of states implementing privacy legislation is putting pressure on Congress to take action in order to have a consistent national policy and process that businesses operating across state lines can understand and follow.
What do you think?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
-payments">Retail Payments Risk Forum at the Atlanta Fed
May 13, 2019
What Can We Learn about Fraud from the United Kingdom?
In many of my discussions around emerging payments, two topics generally always come up: contactless and real-time payments. And given my interest in payments fraud, the discussion usually steers into two questions: Will contactless payments result in increased card fraud? And do faster payments mean faster fraud? While only time and data will ultimately reveal those answers, we can look to the UK Finance's Fraud the Facts 2019 report for some insight into those questions since the United Kingdom is further along on their contactless and real-time payments journeys than we are.
In the United Kingdom, in-person contactless payments have not led to an increase in card fraud losses. Contactless POS payments, through either a mobile device or a card, represented 36 percent of all card transactions in 2018, yet they accounted for less than 3 percent of overall card fraud losses (and just under 28 percent of the face-to-face fraud losses). The fraud rate on contactless transactions has remained steady and low for three consecutive years at 2.7 basis points, or 2.7 pence (£0.027) for every £100 spent. This compares very favorably to the overall card fraud rate of 8.4 basis points, or 8.4 pence (£0.084) for every £100 spent. Fraud for contactless transactions has been mitigated in the United Kingdom through the establishment of floor limits above which a PIN is required, the requirement of PIN verification after a cumulative spend threshold is reached, and the implementation of a security feature that randomly requires cardholders to input a PIN during a transaction to prove that the cardholder is in fact in possession of the card.
The fraud situation for faster payments in the United Kingdom is not quite as rosy as that of contactless payments. Since 2017, UK Finance began reporting on authorized push payment (APP) fraud. In this type of fraud, which includes email account compromise, a victim is tricked into sending money from their bank account to a fraudster's account. In 2018, APP fraud represented 30 percent of the total reported fraud losses. And of the APP fraud, faster payments was used in 93 percent of the fraudulent transactions and 71 percent of the fraudulent value.
I can't claim that faster payments is driving APP fraud or leading to "faster fraud," but it is rather obvious that faster payments is the preferred payment method of fraudsters conducting APP fraud. This should be an alarm for the payments industry in the United States as we continue on our faster payments journey. To mitigate APP fraud with faster payments in the United Kingdom, the industry is working to implement a new-account name-checking service that Pay.UK has introduced. Confirmation of Payee checks the name associated with a routing and account number. This service is not a perfect solution—it won't help if the fraudster uses or opens an account under the name of the actual intended recipient. But it definitely will prevent fraud losses in cases where the account information does not match the name of the intended recipient, which is currently more often the case than not.
So as we continue moving toward contactless and faster payments in the United States, I think we can learn from those across the pond about the need for controls to mitigate fraud in these emerging payments. Floor limits for PINless transactions and velocity controls are part of the U.S. contactless payments experience, but what about faster payments? Does a name-checking service like the one being implemented in the United Kingdom make sense? What controls should be implemented to help prevent fraudsters from using faster payments to commit APP-related frauds, especially email account compromise?
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
How are you attacking this growing threat, and what are you doing to educate your employees and customers?
April 29, 2019
In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.
I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of “personal financial security” played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:
- The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
- The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
- In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.
I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payments cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).
When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.
What is your bank doing to educate the next gen of security ninjas?
- Could Federal Privacy Law Happen in 2019?
- What Can We Learn about Fraud from the United Kingdom?
- Business Email Compromise Moves Mainstream
- Next-Gen Security
- The Prepaid Rule: All Jokes Aside
- For Customer Education, Map Out the Long Journey
- Insuring Against Cyber Loss
- Contactless Cards: The Future King of Payments?
- Safeguarding Privacy and Ethics in AI
- The Patriots of the Payments Landscape
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud