Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
February 19, 2019
Acute Audit Appendicitis
My son came home from school the other day and told me that his friend’s kidney had "popped." With great concern and further investigation, I found out that his friend had suffered from appendicitis but had since recovered. Luckily, fifth-grade boys and most of the human race can get along fine without an appendix. And, as it turns out, there is another type of appendix people can live without: Appendix Eight—Audit Requirements—in the NACHA Operating Rules. NACHA members recently voted to cut this part out.
But wait—don’t celebrate too soon. The change doesn’t eliminate the requirement to conduct an annual ACH rules compliance audit. Rather, members voted to modify "the Rules to provide financial institutions [FI] and third-party service providers with greater flexibility in conducting annual Rules compliance audits." Specifically, the change—which was effective January 1, 2019—affected the following areas of the NACHA Operating Rules:
- Article One, Subsection 1.2.2 (Audits of Rules Compliance): Consolidates the core audit requirements described within Appendix Eight under the general obligation of participating DFIs and third-party service providers/senders to conduct an audit.
- Appendix Eight (Rule Compliance Audit Requirements): Eliminates the current language contained within Appendix Eight; combines relevant provisions with the general audit obligation required under Article One, Subsection 1.2.2.
FIs and ACH payment processors must still conduct an annual audit of their compliance with the ACH rules, either internally or through an outside party. They also must retain adequate proof of completion for no less than six years and may, during that term, need to provide that proof to NACHA or a regulator. And they will have to adjust their audit methodologies to ensure that they comply with all relevant rules rather than rely on the former Appendix Eight checklist.
The new audit process necessitates a risk-based approach, which is a strategy regulators have been encouraging in recent years. With so many emerging technologies, products, and services in the payments industry, FIs and ACH payment processors can no longer take a one-size-fits-all approach for compliance. They also no longer have a single access point to ACH—rather, they must consider many access points when auditing for Rules compliance.
These institutions may not have previously had to take into account other areas that touch payments. For example, the risk-based audit doesn’t explore just the deposit operations department; it analyzes how the whole enterprise interacts with ACH systems. Additionally, it may need to include loan operations, online account opening, person-to-person (P2P) products, investment management, and other new digital channels.
Life without Appendix Eight will be an adjustment, but its removal won’t be fatal. I think ACH participants will recover quickly and be even healthier—embracing the new risk-based compliance model will likely strengthen enterprise risk management and promote increased safety and stability in our payment systems.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 11, 2019
AI and Privacy: Achieving Coexistence
In a post early last year, I raised the issue of privacy rights in the use of big data. After attending the AI (artificial intelligence) Summit in New York City in December, I believe it is necessary to expand that call to the wider spectrum of technology that is under the banner of AI, including machine learning. There is no question that increased computing power, reduced costs, and improved developer skills have made machine learning programs more affordable and powerful. As discussed at the conference, the various facets of AI technology have reached far past financial services and fraud detection into numerous aspects of our life, including product marketing, health care, and public safety.
In May 2018, the White House announced the creation of the Select Committee on Artificial Intelligence. The main mission of the committee is "to improve the coordination of Federal efforts related to AI to ensure continued U.S. leadership in this field." It operates under the National Science and Technology Council and includes senior research and development officials from key governmental agencies. The White House's Office of Science and Technology Policy oversees the committee.
Soon after, Congress established the National Security Commission on Artificial Intelligence in Section 1051 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. The commission is independent but sits within the executive branch. Composed of 15 members appointed by Congress and the Secretaries of Defense and Commerce, including representatives from Silicon Valley, academia, and NASA, the commission is charged with reviewing "advances in artificial intelligence, related machine learning developments, and associated technologies." It is also charged with looking at technologies that keep the United States competitive and with considering the legal and ethical risks.
While the United States wants to retain its leadership position in AI, it cannot overlook AI's privacy and ethical implications. A national privacy advocacy group, EPIC (or the Electronic Privacy Information Center), has been lobbying hard to ensure that both the Select Committee on Artificial Intelligence and the National Security Commission on Artificial Intelligence obtain public input. EPIC has asked these groups to adopt the 12 Universal Guidelines for Artificial Intelligence released in October 2018 at the International Data Protection and Privacy Commissioners Conference in Brussels.
These guidelines, which I will discuss in more detail in a future post, are based on existing regulatory guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. They call out that any AI system with the potential to impact an individual's rights should have accountability and transparency and that humans should retain control over such systems.
As the strict privacy and data protection requirements of the European Union's General Data Protection Regulation (GDPR) take hold in Europe and spread to other parts of the world, I believe that privacy and ethical elements will gain a brighter spotlight and AI will be a major topic of discussion in 2019. What do you think?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 4, 2019
So, How Often Do You Dip?
Remember how s-l-o-w dipping your payment card seemed when you were shopping back in 2015? Molasses? Honey? The dregs of the ketchup bottle? These days, I'm dipping more—that is, inserting my card into a chip reader—and complaining about it less. (I don't have a contactless card, so tapping isn't yet an option for me.) I still think swiping is faster, but familiarity means that dipping bugs me less. And it's become rare for me to encounter a jury-rigged chip reader with the insert slot blocked by cardboard or duct tape, forcing me to swipe instead.
Turns out my shopping experiences—dipping more—line up with new data released by the Federal Reserve Payments Study in December 2018. The study reports some information on how in-person general-purpose card payments were authenticated in the United States in 2017.
For the first time, more than half of these payments by value were chip-authenticated in 2017. In contrast, just three percent of general-purpose card payments used chips in 2015, hence my lack of familiarity with dipping back in the day. The chip-authenticated category also includes contactless (tap) payments, which were in use before EMV dipping began to take off in 2015, so these data approximate the increasing use of dipping rather than measure it exactly.
The chart below is based on figure 8 in the Federal Reserve Payments Study: 2018 Annual Supplement; it shows the substantial uptake in chip authentication at the point of sale from 2016 to 2017. (Check out the supplement for more detail.)
By number, more than 40 percent of general-purpose card payments were chip-authenticated. By card type, credit card payments are most likely to be chip-authenticated and prepaid card payments are least likely to be chip-authenticated (see the chart below). Prepaid cards are less likely to be chip-enabled, certainly a factor in the low shares of chip authentication, in part because of a business decision not to go to the expense of adding chips to low-value cards.
By this time next year, my view of dipping could have changed again. A large card issuer has announced that all its credit cards will be tap-to-pay (that is, contactless) by mid-2019, so it's possible that my dipping will go the way of swiping.
For me, it feels more natural and faster to insert a chip card than it did a year ago. How about you?
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 28, 2019
A Cryptocurrency Primer
Every day, my newsfeed is full of stories about cryptocurrency, blockchain, and distributed ledger technology. I even see stories on how we can create our own digital currency, a notion that conjures up for me visions of my face on a coin, just like suffragette Susan B. Anthony. Could my own digital currency, known hereafter as the NEDNote, become a reality? My husband is a software engineer, so the technical piece is covered, but maybe offering a primer on the history of cryptocurrency and its confusing and rapidly changing nomenclature is the best place to start before I launch the NEDNote into the cryptographic biosphere.
The concept of virtual currency as a substitute for fiat currency dates back to the 1980s, with David Chaum credited with introducing digital cash. (Fiat currency, a term that comes up often in cryptocurrency discussions, is legal tender issued by a government or central bank; its value rests on that backing rather than on a commodity.) Although there were further attempts at virtual currencies in the late ’90s, the white paper published in 2008 under the pseudonym Satoshi Nakamoto is credited with creating the first decentralized cryptocurrency, Bitcoin, and the blockchain data structure behind it; the Bitcoin network itself began operating in January 2009. And with that paper, a new lexicon began to emerge, some of which I define here.
- Cryptocurrency, short for cryptographic currency, is a subset of digital currency: a digital currency whose issuance and transfer are secured by cryptography and a shared ledger rather than by a central issuer.
- Cryptography in the cryptocurrency world refers mainly to two tools: cryptographic hash functions, which produce a fixed-size fingerprint of data and are used to link blocks and to set the mining puzzle, and digital signatures, which prove that the holder of a private key authorized a transaction. Encryption plays a smaller role than the name suggests; transaction data on public blockchains such as Bitcoin is visible to everyone. The familiar analog image of cryptography, the Navajo code talkers who passed secret messages during World War II, illustrates confidentiality, whereas cryptocurrencies lean on integrity and authentication.
- Distributed ledger technology (DLT) refers to the infrastructure that keeps identical copies of a ledger at many locations. With DLT, transactions are broadcast over a peer-to-peer network and no central administrator governs or validates them; instead, participants run a consensus algorithm to agree on which transactions are valid and to replicate the result across locations.
- Blockchain is a type of DLT that groups records into blocks and links each block to its predecessor with a cryptographic hash, creating the chain. Each block header carries the hash of the previous block's header, a timestamp, and a hash commitment to the block's own data (in Bitcoin, a Merkle root of the transactions). Altering any earlier block changes its hash and breaks every link after it, which is what makes the history tamper-evident. Because no trusted authority maintains the ledger, participants need an agreed rule for validating a block before it can be appended.
- Validation protocols include “proof-of-work” and “proof-of-stake,” the two most widely used methods of deciding who may add the next block.
- Proof-of-work makes block creation costly: miners repeatedly hash a candidate block header, changing a nonce field each time, until the hash falls below a difficulty target set by the network. Finding such a hash takes enormous numbers of attempts, but any node can verify it with a single hash computation. The miner who finds it broadcasts the block and is rewarded with newly issued cryptocurrency plus the transactions' fees, so mining both validates transactions and creates new coins. The timestamp in each block header orders blocks and feeds the periodic adjustment of the difficulty target; it does not record changes to the block's contents, which cannot change once the block is buried under later blocks.
- Proof-of-stake replaces computation with collateral: the right to propose or validate the next block is assigned, usually with some randomization, in proportion to the amount of the cryptocurrency a participant has locked up as a stake. It requires far less computing power and energy than proof-of-work. There are no miners; validators are compensated with transaction fees and, in many protocols, newly issued coins, and they can forfeit part of their stake if they validate dishonestly.
- A crypto wallet is software, hardware, or a hosted service that stores the private keys controlling a user's cryptocurrency; the coins themselves exist only as entries on the ledger, so whoever holds the key holds the funds. A hot wallet is connected to the internet and is frequently hosted by an online exchange platform, which makes it convenient but exposed to remote compromise. Cold storage keeps the keys offline and is viewed as more secure.
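The hash-linking and proof-of-work mechanics described in the list above, as an added, runnable illustration. This is example code written for this post, not Bitcoin's software and not something from the original article. Its simplifications are assumptions chosen here: the block header is JSON rather than Bitcoin's binary layout, the difficulty is expressed as a number of leading zero bits, a flat hash of the transaction list stands in for a Merkle root, and the transactions and timestamps are constructed sample data.

```python
"""Toy hash-linked blockchain with proof-of-work.

Added example for this post, not Bitcoin's implementation. Simplifications
chosen here (assumptions): the block header is JSON rather than Bitcoin's
80-byte binary layout, the difficulty is a count of leading zero bits, and
a flat hash of the transaction list stands in for a Merkle root. The sample
transactions and timestamps are constructed for the demo.
"""
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY_BITS = 12                     # assumption: header hash must start with 12 zero bits
TARGET = 2 ** (256 - DIFFICULTY_BITS)    # hash, read as a 256-bit integer, must be below this


def sha256d(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass
class Block:
    index: int
    prev_hash: str          # hex hash of the previous block's header; this is the link
    timestamp: int          # orders blocks; it does not track edits to the block's data
    transactions: list      # the block's payload (constructed sample records)
    nonce: int = 0          # the one field a miner is free to vary

    def tx_root(self) -> str:
        """Commitment to the payload: change one transaction and this changes."""
        return sha256d(json.dumps(self.transactions, sort_keys=True).encode()).hex()

    def header(self) -> bytes:
        return json.dumps({
            "index": self.index,
            "prev_hash": self.prev_hash,
            "timestamp": self.timestamp,
            "tx_root": self.tx_root(),
            "nonce": self.nonce,
        }, sort_keys=True).encode()

    def block_hash(self) -> str:
        return sha256d(self.header()).hex()

    def meets_target(self) -> bool:
        """One hash computation: this is all a verifier needs to check the work."""
        return int(self.block_hash(), 16) < TARGET


def mine(block: Block) -> Block:
    """Proof-of-work: try nonces until the header hash falls below TARGET."""
    while not block.meets_target():
        block.nonce += 1
    return block


def append_block(chain: list, transactions: list, timestamp: int) -> Block:
    """Link a new block to the current tip, do the work, and append it."""
    tip = chain[-1]
    block = mine(Block(tip.index + 1, tip.block_hash(), timestamp, transactions))
    chain.append(block)
    return block


def validate_chain(chain: list) -> bool:
    """Check every block's work and every link to its predecessor."""
    for i, block in enumerate(chain):
        if not block.meets_target():
            return False                     # insufficient (or invalidated) proof-of-work
        if i > 0 and block.prev_hash != chain[i - 1].block_hash():
            return False                     # the chain is broken at this block
    return True


def build_sample_chain() -> list:
    """Genesis block plus two blocks of constructed transactions."""
    chain = [mine(Block(0, "0" * 64, 1_550_000_000, [{"coinbase": "alice", "amount": 50}]))]
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}], 1_550_000_600)
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}], 1_550_001_200)
    return chain


def tamper_demo() -> tuple:
    """Rewrite history in block 1 and show that validation catches it."""
    chain = build_sample_chain()
    valid_before = validate_chain(chain)
    chain[1].transactions[0]["amount"] = 500   # the payment to bob, edited after the fact
    return valid_before, validate_chain(chain)


if __name__ == "__main__":
    before, after = tamper_demo()
    print(f"valid before tampering: {before}; valid after tampering: {after}")
```

The asymmetry the primer describes is visible in the code: `mine` loops through thousands of hashes to find an acceptable nonce, while `validate_chain` does one hash per block. Editing a transaction in block 1 changes that block's `tx_root`, therefore its header hash, so its stored proof-of-work no longer meets the target and block 2's `prev_hash` no longer matches; an attacker would have to redo the work for block 1 and every block after it.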
For many years, my husband allowed the SETI Institute to harness the excess processing power of our home computers in the search for extraterrestrial intelligence, when we could have been mining for cryptocurrency and making the NEDNote a reality. In my next post, I’ll talk about how cryptocurrencies are exchanged and some of the associated risks.
By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed