Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 24, 2009
Transparency: Seeing through International ACH
There are andecdotal reports that some financial institutions are treating their preparatory efforts for the new international ACH transaction (IAT) rule and format like a Y2K event. However, they shouldn’t lose sight of the fact that the industry stands to reap substantial benefits from the new rule, largely because of improved transparency in the ACH network. As you may be aware, the new IAT rule and format go into effect on Sept. 18, 2009. NACHA, the rulemaking body for the ACH network, has conducted extensive industry outreach to provide education on the new rule and format.
In many respects, the change in the international ACH transaction format is attributable to the Office of Foreign Assets Control (OFAC). OFAC administers and enforces economic and trade sanctions in accordance with U.S. foreign policy and national security goals against targeted foreign entities such as international drug traffickers, terrorists, and other threats. Beginning in the late 1990s, OFAC began to have concerns about abuses from terrorists in cross-border ACH transactions. OFAC had reason to believe that we needed better safeguards for our financial system, especially after 9/11. The ACH network today is increasingly vulnerable to potential abuse with respect to the international cross-border movement of funds because of the expanded use of the ACH for one-off transactions from the practice of recurring transactions between known and trusted parties, as well as the speed and efficiency of the ACH network in general.
To address their concerns, OFAC worked with NACHA to construct a payment format that would permit sufficient information to identify parties to the cross-border transaction. In 2004 NACHA began working with OFAC on a proposed rule change for international ACH transactions and a new format that would include the data elements from the Bank Secrecy Act’s (BSA) “travel rule.” Essentially, the BSA travel rule includes more robust information about the payment originator and beneficiary so that a financial institution can review the transaction for OFAC compliance. When the IAT rule goes into effect, all transactions that meet the new definition of international ACH transactions made via the ACH Network will be required to use the IAT SEC code.
The IAT code will make it easier for financial institutions to identify international payments in the ACH network since currently many transactions are mistakenly coded as domestic. This mistake occurs because today many international payments are introduced into the U.S. ACH network through domestic correspondent relationships and are then inadvertently transmitted as domestic transactions. So the new code will make it easier for financial institutions to identify these payments and comply with their OFAC obligations, which incidentally, have not changed. IAT really creates more transparency in two significant ways: by identifying the transaction as international and by revealing all parties to the cross-border transaction. In the end, transparency in retail payment systems is a good thing and should help the banking industry combat fraud and other abuses in the ACH network.By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Transparency: Seeing through International ACH:
July 13, 2009
Consumer complaints may be “canary in a coal mine” for payments risk
For many years in the coal mining industry, a caged canary would be brought into the mines to detect whether toxic gases were present. The canary served as an early warning system of potential danger for the miners. Similarly, consumer complaints data could serve as a harbinger of potential risks in payments for law enforcement and other industry professionals.
Several regulatory agencies receive fraud-related complaints from consumers, including those involving financial institutions. Some of the consumer complaint databases are shared among agencies to help better facilitate fraud investigations and to track trends and developments in consumer fraud activity.
One example is the Federal Trade Commission’s (FTC) Consumer Sentinel Network (Sentinel), a secure online database of consumer complaints that is only available to law enforcement. In addition to storing FTC complaints, the Sentinel also includes complaints filed with more than 100 different U.S. and Canadian federal, state, and nongovernmental organizations. Among the leading partners and data contributors are the Internet Crime Complaint Center, Better Business Bureaus, Canada’s Phone Busters, the U.S. Postal Inspection Service, the Identity Theft Assistance Center, and the National Fraud Information Center.
Established in 1997 to collect fraud and identity theft complaints, the Sentinel database was expanded in 2008 to include complaints about credit reports, debt collection, mortgages, and lending, among other subjects. According to the 2008 Consumer Sentinel Network Data Book, the database has more than 7.2 million complaints.
FTC complaints provide insight into consumer fraud trends
The Sentinel received a total of 1.2 million complaints during calendar year 2008. Of the 30 complaint categories, identity theft ranked first with 26 percent of the overall complaints. Credit card fraud (20 percent) was the most common form of reported identity theft, the majority of which involved new accounts (12.3 percent). Another significant category of identity theft reported by consumers was bank fraud (11 percent). Although identity theft bank fraud, which includes fraud involving checking and savings accounts and electronic fund transfers, has declined since 2006, the most common type continues to be electronic fund transfers.
|January 1 - December 31, 2008
Top 10 Consumer Sentinel Network Complaint Categories
|2||Third Party and Creditor Debt Collection||104,642||9%|
|3||Shop-at-Home and Catalog Sales||52,615||4%|
|5||Foreign Money Offers and Counterfeit Check Scams||38,505||3%|
|6||Credit Bureaus, Information Furnishers, and Report Users||34,940||3%|
|7||Prizes, Sweepstakes, and Lotteries||33,340||3%|
|8||Television and Electronic Media||25,930||2%|
|9||Banks and Lenders||22,890||2%|
|10||Telecom Equipment and Mobile Services||22,387||2%|
|Source: Federal Trade Commission|
The data also give some indication of the preferred payment channel for consumer fraud. In 2008, for those fraud complaints where the consumer reported the method of payment, credit cards was the most common (35 percent) followed by wire transfer (24 percent), bank account debit (19 percent), and check (10 percent). The rankings have been consistent over the past two years, but credit cards have increased from 30 percent and 33 percent for 2006 and 2007, respectively.
Consumer complaint databases can be an important resource in detecting fraud issues
FTC Sentinel data only gives a snapshot of the consumer fraud and risk issues occurring in the payments system. A consumer who has a problem involving an account held at a financial institution may file a complaint with the appropriate bank regulator. The Retail Payments Risk Forum is currently analyzing consumer complaints filed with the Federal Reserve Consumer Help over a four-year period to track whether there are trends that may indicate underlying payments risks. At the very least, the consumer complaints data may provide leading indicators of areas where we may need to focus our attention with research and/or education.
By Jennifer Grier, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 6, 2009
Remotely created checks: Distinguishing the good from the bad
There are no hard numbers to quantify that remotely created checks (RCCs) pose greater risks than other payment types. However, there are known instances of RCC fraud, the impact of which can be significant. So the depository banks liable for RCCs may want to keep a vigilant eye on the situation.
What are RCCs?
These are checks that are not created by the paying bank and do not include the account holder's signature. In lieu of an actual signature, the check's signature block typically contains the account holder's printed name or standard language indicating authorization. RCCs have been used for recurring transactions, such as insurance premium payments, for quite some time. This solution offers consumers an alternative to the hassle of manually writing out checks each month. More recently, RCCs have also been used in nonrecurring transactions, such as purchases or bill payments made over the telephone or Internet. Though a useful form of payment, RCCs introduce risk into the retail payments system.
What are the risks?
As stated above, RCCs do not require a signature for authorization. As a result, they are vulnerable to misuse by fraudsters who can, for example, use an RCC to debit a victim's account without receiving proper authorization or delivering the goods or services. The risk of fraudulent RCCs is amplified in one-time purchase scenarios where the merchant is relatively unknown to the customer.
To address the fraud risk of RCCs, in July 2006 the Federal Reserve modified the liability structure for this particular type of check. The liability for unauthorized RCCs shifted from the paying bank to the depositary bank, which must now warrant to the collecting and paying banks that the RCC presented has been properly authorized. The Federal Reserve's amendment provides economic incentive for the depositary bank to perform additional vigilance when accepting RCCs given the warranties they must make. Since the depositary bank maintains the relationship with the bank customer depositing the RCCs, it is in the best position to mitigate the fraud risk. The challenge is that banks cannot readily identify RCCs in an automated fashion through the existing MICR line format. Generally, review of incoming RCCs requires manual intervention.
How pervasive are they?
In light of this identification challenge, the Fed applied a modified definition of RCCs to a sample of check transactions in order to establish a reasonable estimation of the volume of RCCs. As a result, the Federal Reserve's 2007 Check Sample Study concluded that less than 1 percent (0.95) of the checks sampled were RCCs. It is unclear how accurate this result is when considering the regulatory definition, but it is probably fair to say that RCCs are only a very small portion of check volumes overall. Moreover, the analysis did not discern within that estimate the number of illegitimate RCCs. It is the cases of misuse that have prompted some to call for a ban of RCCs altogether. While there is anecdotal information and well-publicized cases (such as the 2008 Wachovia case) highlighting abuses committed using RCCs, there is a lack of concrete data reflecting the portion of RCCs that are fraudulent or returned for other reasons.
RCCs represent a relatively small subset of checks overall. However, applying the Check Sample Study methodology and results of the Federal Reserve's overall 2007 Payments Study, the number of RCCs in 2006 alone would still have represented approximately 286 million items.
We know that some portion of these RCCs represent fraudulent cases where the payment was never authorized. However, we also know that when it does occur the consequences may be substantial in terms of adverse consumer impact. Therefore, despite the lack of complete data, it is unwise to allow RCCs and the known misuses to fall completely off the radar.
By Crystal D. Carroll, senior payments risk analyst of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Remotely created checks: Distinguishing the good from the bad:
- Making the Choice to Use Cash
- We Are Thankful For...
- Will Payments Be Getting REAL?
- Financial Solutions for the Younger Generation
- Encouraging Password Hygiene
- Should We Throw in the Towel When It Comes to Data Breach Prevention?
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- December 2019
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud