Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
October 21, 2019
Looking for Partners in Safer Payments
The Federal Reserve Bank of Atlanta is currently identifying financial technology companies (fintechs) involved in payments. Our goal is to build relationships with these companies so we can understand their issues and challenges.
The Federal Reserve's mission for payments is to ensure an effective and efficient system. In pursuing this mission, the Atlanta Fed focuses on the accessibility, integrity, and confidentiality of payments. We play a significant role in this mission by virtue of being an operator of ACH and check clearing as well as a payments researcher.
We are also at the center of an important regional hub of fintech activity. In Georgia, there are 120 fintech companies employing more than 38,000 workers. According to the Technology Association of Georgia, the top 20 Georgia-based fintech companies generate $72 billion in revenues annually, and 70 percent of all domestic card transactions flow through Georgia-based fintechs, earning this region the nickname of "Transaction Alley."
In addition, venture capital investment in fintech contributes to Atlanta being ranked as the 13th most important fintech hub in the world and fourth in the United States (behind San Francisco, New York, and Chicago), according to the University of Cambridge's 2018 Global Fintech Hub Index.
Given our expertise, our role in payments toward furthering the Federal Reserve’s mission, and our location, the Atlanta Fed, in partnership with fintech companies in Transaction Alley, has a unique opportunity to have a real impact on advancing safety in this innovative payments space.
Fintechs in payments aim to produce useful and profitable payments-related products and services but may lack awareness of consumer compliance and rights or the importance of development practices that culminate in safe and secure products and services. Our work will focus on safer payments innovation for payments used by consumers.
The Atlanta Fed is also interested in experimenting with innovative technology used by fintech companies where we believe the technology could solve our business problems or be beneficial to us. This experimentation will give us first-hand experience and deep knowledge of fintech-developed technology and therefore an understanding of the contribution and impact the technology has on the payments ecosystem.
Through this work, we hope also to advance economic mobility and resilience, another priority for the Atlanta Fed. Our desire is to engage fintechs with products or solutions that provide low-cost, accessible options to advance financial inclusion and improve consumers' financial health.
Together with the payments fintech industry, we can bring clarity regarding the impact of fintech solutions on the payments system. So we encourage the fintech payment innovators to partner with the Atlanta Fed to understand payments risk and create safer payments solutions.
Get in touch with me at Mary.Kepler@atl.frb.org to start the conversation.
October 15, 2019
The Range of Un-Friendly Fraud
My colleague Doug King recently penned a call to action in a Take On Payments post on friendly fraud. That post was the first we'd written about this issue in more than four years. But the feedback we received about the post echoed our concern that these disputes are becoming more frequent and expanding into new scenarios that clearly indicate that, at least to the merchant community, this type of fraud is anything but friendly.
Further research into this problem indicates a range of reasons for a cardholder to dispute a transaction. The spectrum runs from a well-intentioned misunderstanding to a premeditated effort to avoid paying for the goods or services. Below are some common friendly fraud scenarios.
Merchant description or error: A cardholder may be confused when a company descriptor in the transaction detail does not match the company name they are familiar with, and so disputes a legitimate transaction. Sometimes this happens, as Doug described in his post, if a parent company name is used rather than the d/b/a name, which frequently occurs with online international transactions. Or sometimes the final transaction amount differs from the amount the cardholder thought he or she was supposed to pay because, for example, there was a miscalculation of sales tax or delivery charges. In most cases, the cardholder, upon seeing all the transaction details, remembers the transaction and withdraws the dispute.
Family usage: Family members sometimes use another family member's payment card without permission. For example, a child might use a parent's card to purchase online gaming credits or features, or a sibling might purchase gasoline, clothing, or something else. With ecommerce transactions, many merchants resort to "electronic fingerprinting" of the device used in the transaction to capture the device ID, IP address, and other details for further documentation. Hopefully, with this additional information provided to the cardholder, the cardholder will do some detective work to determine if the transaction should be honored.
Refunds or buyer's remorse: A cardholder with second thoughts about a nonrefundable purchase might deny that they made the transaction—perhaps a store's return policy deadline has passed or the cardholder just doesn't want the trouble of going through the refund process. To help combat this type of chargeback, the card brands all have "compelling evidence" chargeback documentation rules. These rules allow the merchant to provide additional documentation for certain disputes proving that the cardholder either participated in the transaction, actually received the goods or services, or benefited from the transaction. Merchants must be selective about which of these disputes to contest, depending on the transaction amount, the availability of supplemental evidence, and resource costs to collect and provide such evidence.
Criminal theft: A cardholder who understands the chargeback regulations may use them against a merchant, having purchased an item or service with no intention of making payment. The cardholder may falsely claim that goods were never delivered. Some colleagues and I recently spoke with a business owner who operates several casual dining restaurants. Because of a technology interoperability issue with the restaurant management software, the restaurant has not been able to implement EMV chip readers. The owner said that some patrons became aware of the absence of these readers and spread the word to others, to the point that the losses have become significant. Because of the EMV chip liability shift rules, the owner is considered noncompliant and has no defense against the chargebacks.
All these types of friendly fraud are almost impossible to detect upfront, especially those toward the more benign end of the range. For merchants, having reasonable return policies, fully disclosing them, and hiring exceptional customer service representatives will go a long way with some of the disputes. But to defend themselves from the determined criminal, merchants' or card issuers' only recourse may be keeping a file listing cardholder accounts suspected of repeated friendly fraud claims.
What techniques do you think are most effective in combatting friendly fraud?
October 7, 2019
Payments Webinar October 10: Cash in the 21st Century
As I write this, I am drinking my morning cup of joe. For me, that means half caf/half decaf, then cut in half with microwaved nonfat milk. (Slurp.)
Day in, day out, I want it just that way. No sugar for me. Nonfat milk, not 2 percent. Black only when I open the door to an empty fridge.
Odds are, you're like me when it comes to coffee and payments. Your habits—and mine—are sticky. We've found something that works for us and—day in, day out—we take our coffees and choose to pay the same way. These are our preferences.
What happens when we change our minds about what we prefer? Shaun O'Brien at the San Francisco Fed has been looking into the relationship between our stated preferences for making in-person purchases and the payment instruments we use in the moment.
In an economic model that incorporates consumer demographics, household income, transaction characteristics, and the payee, Shaun finds that, over time, a change in stated preference eventually results in an increased probability of using a newly preferred payment instrument.
Note that word eventually.
For example, say I stated a preference for cash in 2016 and then switched to a stated overall preference for debit card in 2017. It might not be until 2018 that you would start to see a small change in my mix of payments, with relatively less use of cash and more of debit. Like a coffee habit, my preferred payments habit is slow to change. (Keep in mind that, as I have blogged previously, preference is one of a number of factors that are important, including, for example, what a payee is willing to accept.)
Whatever your morning beverage, I hope you'll join Shaun, the Atlanta Fed's Oz Shy, and me for the next Talk About Payments webinar, October 10, 2019.
We'll look at current data from the Survey and Diary of Consumer Payment Choice and new research—including Shaun's findings reported above—to investigate the 5 Ws and also the How of cash:
- WHAT is happening with cash?
- WHO uses cash?
- WHERE do consumers use cash?
- WHEN do consumers use cash?
- WHAT might cause cash users to switch to another payment method?
- HOW do consumers get cash?
This webinar is open to the public but you must register in advance to participate. (Registration is free.) You can register online. Once registered, you will receive a confirmation email with login and call-in information.
Date: Thursday, October 10, 2019
Time: 1–2 p.m. (ET)
September 30, 2019
"Insuring" Ransomware Will Continue to Flourish
Making predictions is a dangerous game. More than two years ago, I predicted that 2017 and 2018 would be the Years of Ransomware. And while I am not willing to admit that I completely missed out on that prediction, it does appear to be a bit short-sighted. If I could go back to May 2017, I would also include 2019 in my prediction. According to the insurance firm Beazley, ransomware attack notifications from clients increased by 105 percent in the first quarter of this year compared to the first quarter of 2018, and the average ransom demand increased to $225,000 from $116,000 during the same period. My colleague Dave Lott wrote two blogs in July highlighting the changing nature of ransomware attacks and suggesting ways to avoid them or minimize their impact.
In just the few weeks since Dave's posts were published, ransomware attacks have continued to flourish. On August 16, 22 Texas municipalities and agencies were hit by an apparent coordinated attack. On August 26, a cloud management provider for the dental industry was stricken with ransomware, impacting approximately 400 of its dental clients. And over Labor Day weekend, a small Pennsylvania school district was attacked.
In both of his posts, Dave noted that law enforcement officials urge ransomware victims not to pay ransom because doing so encourages criminals to continue. Moreover, there is no guarantee that they will send the decryption keys. Ultimately, the decision of whether or not to pay a ransom lies with the organization that has been attacked and its unique situation. The ransom payment dilemma was recently featured in the Wall Street Journal's September 18 Cybersecurity Journal Reports section. Two cybersecurity experts debated whether or not cities affected by ransomware should succumb to the criminals' demands for payment.
But now an interesting twist in ransom payments has emerged: who is making the ransom payment, the attacked organization or an insurance company?
In his last ransomware blog, Dave wrote that entities should evaluate their "cybersecurity insurance policy in terms of its ransomware coverage." This brings us to an interesting question: Are insurers making ransom payments on behalf of their clients under cybersecurity insurance policies? The answer is yes. So this begs a couple of other questions: Will insurers paying ransoms on behalf of ransomware victims guarantee that ransomware attacks will continue? And could they lead to larger ransoms? I believe the answer to both questions is a resounding yes. It's not my place to debate whether or not insurers should be in the business of paying ransoms, but continuing the practice could cause ransomware attacks to continue to flourish.