Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« October 2009 | Main | December 2009 »

November 30, 2009

KC Fed conference asks 'What's the future role for central banks in retail payments?'

On November 9–10, 2009, our colleagues at the Kansas City Fed hosted an international conference titled "The Changing Retail Payments Landscape: What Role for Central Banks?" This conference had a mixed format of paper presentations with discussants and more traditional panels of relevant experts from a range of perspectives. The conference offered a timely and unique opportunity to explore by international comparisons the roles that central banks and other public authorities can/should/should not play in various aspects of retail payments markets.

Themes of the event overall were described as follows:

"Retail payments systems around the world have entered a period of dramatic change. This conference explored the changing retail payments landscape and assessed the extent to which central bank payments policies should correspondingly be altered. The conference brought together three principal audiences—industry participants, policy makers, and academics—for an exchange of views and thoughts.
Questions addressed included: How do payments markets differ from other markets? How do consumer preferences affect industry outcomes? Are payments markets sufficiently competitive and safe? If not, what private and public policies would be beneficial? Should central bank policies to ensure smoothly functioning payments systems be adapted in light of the dynamic changes underway? More specifically, what role should central banks play as operators and overseers in the retail payments system of the future?"

Links to the papers and other presentations are available on conference Web site. Until the full conference summary and transcript are made available, we recommend to our readers that they start with a high-level summary of the discussions from the perspective of Bruce Summers.

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

November 30, 2009 | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference KC Fed conference asks 'What's the future role for central banks in retail payments?':


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 23, 2009

Banks run more than just security risk with single-factor authentication

As described in a previous Portals and Rails post, various reports have indicated that business customers' online banking credentials are being compromised and the fraudsters are performing unauthorized EFT transactions using either the ACH or wire transfers to move money out of these accounts.

This recent phenomenon could be seen as part of a larger issue for security on the Web, prompting some to consider whether online banking security standards are adequate.

While a lot has been written on how this fraud happens, not much has focused on what happens next. The criminal side of this is fairly cut and dry. Law enforcement tries to track down the fraudsters and bring them to justice. If the FBI, Secret Service, or other agencies are able to track them down, apprehend them, and a conviction is made, the fraudsters spend some time in jail. The civil side of this is a little more complicated.

One civil case that has gotten some recent attention is the Shames-Yeakel case filed in federal court in Illinois. Marsha and Michael Shames-Yeakel had $26,500 stolen when an unknown person gained online access to the Shames-Yeakels' bank accounts by using Ms. Shames-Yeakel's username and password. The thief manipulated a line of credit and subsequently wired the funds out of the Shames-Yeakel's business account to Hawaii and then off to a bank in Austria. While there is probably a good joke about yodeling while playing the ukulele buried in all of this, the Shames-Yeakels are not laughing. In fact, the hills are alive with litigation.

The plaintiffs first turned to their bank, who indicated that under the bank's online banking agreement, the plaintiffs were responsible for the lost funds. They next turned to the Office of Thrift Supervision (OTS), the bank's primary regulator, seeking protections under Regulation E and Regulation Z. The OTS found that these regulations did not apply as they were applicable to consumer loans and lines of credit.

Ultimately, the Shames-Yeakels sued their bank. The legal viability of their claims was considered by the Court in its Aug. 21, 2009, ruling on the bank's motion for summary judgment.

While the court's opinion addressed a number of legal claims, it is the court’s ruling on the plaintiff’s negligence claim that bankers should pay close attention to. The basis of this claim is that the bank and its third-party Internet banking service provider did not follow the Federal Financial Institutions Examinations Council (FFIEC's) updated 2005 guidance on authentication in an Internet banking environment. At the time of the incident, the bank had user name and password access to their online banking system. The FFIEC's guidance does not require banks to use dual-factor or multi-factor authentication for these accounts, but it does state that the federal regulatory agencies consider single-factor authentication, like user name and password, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In essence, the court indicated that while the facts must still be weighed by a jury, it declined to dismiss a negligence claim that the bank had breached a duty under Indiana law to protect the confidential information of its customers by failing to implement more robust security systems. The court stated: "In light of [the bank's] apparent delay in complying with FFIEC security standards, a reasonable finder of facts could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."

Vulnerabilities Disclosures Affecting Web Applications

Another case to keep an eye on was filed in Maine this past September. The case involves a Maine based construction company, Patco, who is suing its bank for $588,000; the same amount of money that was stolen from Patco's account over the course of an eight day period in May. Similar to the Shames-Yeakel case, Patco is claiming that the bank failed to provide commercially reasonable protection because only a single-factor authentication system for its online banking system was in place. While no action has been taken as of yet, it will be interesting to see if the state court in Maine agrees that with the U.S. District Court in Illinois, allowing this negligence claim to move forward.

By guest blogger Michael T. Stewart, assistant vice president at the Boston Fed

November 23, 2009 in ACH, fraud, identity theft | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 16, 2009

Threats to online banking security may alter payment choice

During the last several months, a variety of government agencies, industry organizations, and the media have alerted banks, their customers, and the public to hacking attacks resulting in fraudulent funds transfers using online banking interfaces. These attacks particularly affected commercial bank accounts. For example, the Federal Deposit Insurance Corporation (FDIC) issued an alert regarding this form of attack earlier this year. Both the FDIC and the FBI have recently issued alerts referring to how this hacker attack is being used in conjunction with "money mule" schemes to attempt to hide the fraudulent funds transfers.

In one variety of these attacks, hackers using phishing techniques direct people to spoofed Web sites where malware Trojans are then downloaded to the affected computer. This malware then allows the hacker to infiltrate online banking connections in a manner that can circumvent the customer authentication mechanisms put in place by banks. In simple terms, hackers have figured out how to "hitchhike" on a computer's secure online connection to a bank account and thereby initiate fraudulent funds transfers out of the account. We found a recorded webinar describing how this technique can work using the "Zeus" malware.

Multifactor authentication of the customer has been referenced but not required by bank regulatory guidance as a means banks should consider in protecting online banking systems generally. The guidance does not make technology-specific recommendations but leaves room for banks to make their own risk assessments regarding appropriate security means.

The recent events described above have now raised significant questions about the effectiveness and sufficiency of reliance on multifactor customer authentication as a means to keep fraudulent transactions out of payment networks accessible through online banking systems.

Some view this as another variant of the "whack-a-mole" problem, in which you might smack down one threat but another one just pops up quickly. In other words, we should not throw the baby out with the bath water by disregarding multifactor customer authentication as an effective method to mitigate fraud. Others have suggested the industry should rethink online banking security entirely by investing in systems that authenticate transactions instead of customers, as is common in card transaction security systems. Others suggest systems that provide out-of-band confirmations of transactions (by phone or by text) to avoid overreliance on the online banking channel alone for security.

While banks consider online banking security investments, their customers are increasingly faced with choices about their own use of these systems as they exist today. Some suggest standalone computers running open source operating systems as a security measure. Bank customers can make further use of "positive pay" arrangements with their banks and can better monitor their account activity daily. Each of these and other available security techniques brings new costs and "frictions" to online banking users. We considered the economic tradeoffs between privacy, data security, and fraud prevention in a prior Portals and Rails post.

At one extreme, some smaller commercial customers of banks may decide not to accept these added costs and instead opt out of online banking access to electronic funds transfer systems altogether if they feel unprotected in this environment. They might even choose to fall back to manual check payments. Is this choice an overreaction or a rational one?

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

November 16, 2009 in bank supervision, law enforcement | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Threats to online banking security may alter payment choice:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 9, 2009

Will interchange provide the driver for disruptive payments innovation?

Many start-up payment providers have emerged recently with an eye on competing with traditional credit and debit card networks by undercutting interchange fees. Will the ongoing public debate concerning interchange fees help drive their success?

The use of both debit and credit cards has been rising rapidly in the United States in recent years as an electronic alternative to paper checks and cash. However, recent credit card legislation as well as an ongoing debate concerning interchange fees could influence the direction of that growth.

In simplified terms, interchange fees represent the costs paid by merchants to their banks for processing card transactions. The card-issuing bank may also use revenue earned from interchange fees to fund loyalty rewards to attract customers. Recently merchants have contended that the interchange costs they pay for card transactions have become excessively high. Given the universal acceptance of the major card networks, merchants contend they have few meaningful alternatives for consumers to transact payments, especially at the point of sale. On the other hand, card companies indicate that interchange fees are fair compensation for providing a valuable service to merchants.

So how do card issuers earn revenue on cards? This example shows a breakdown of issuer revenue in 2004. In this example, interchange represents 18 percent of the card issuer’s total revenue.

Various trends and policy debates regarding interchange fees and card revenue sources appear to be a factor in the development of innovative point of sale payment methods that seek to compete directly against card networks.

Growth in card use has increased payment processing costs for merchants
The Federal Reserve Board published a staff research paper in May 2009 titled Interchange Fees and Payment Card Networks: Economics, Industry Developments, and Policy Issues. This report considers the economics underlying interchange fees and the background for understanding the interchange fee debate. Merchants argue that recent increases in fee rates, along with transaction volume growth, have increased their card acceptance costs substantially.

According to this report, an argument in favor of interchange fees is that they support the universal acceptance of cards through the strength and efficiency of the card networks. The standard fee, set by the card networks, is established in a way that balances merchant costs with the economic benefits merchants realize through the value of the network. Further, consumer adoption is driven partly by consumer protections associated with the use of cards. Overall, merchants who accept cards may realize increased sales, particularly for large value transactions relying upon credit.

Another factor: The impact of credit card legislation
Recently passed credit card legislation limits or prohibits certain fee and interest charges imposed on credit cards. As a result, some expect card issuers to limit or even to eliminate loyalty reward programs and raise interest rates and fees for more creditworthy card holders. While it remains to be seen, these kinds of effects could alter the economics of card networks, potentially opening up avenues for new competition.

Will these developments create opportunities for innovators of payment alternatives at the point of sale?
Companies such as Revolution Money and Tempo, among others, are working to establish independent point-of-sale payment systems from the established card networks with alternative transaction pricing models. Both companies are offering cards (Revolution issues credit and Tempo “decoupled” ACH debit) that compete partly by bypassing the interchange fees of the major card networks. In addition, successful online payments providers like Paypal and others are reportedly looking to compete at the merchant locale as well. In all these examples, competitors will face the classic "network effect" problem in that success requires adoption by both consumers and merchants. The success of these business models at the point of sale remains to be seen and may depend on those very merchants that complain about the current interchange system.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

November 9, 2009 in interchange, payments | Permalink


Over the last 7 years credit card companies have increased interchange (transaction) fees about 300%!

It's one thing to have a fee to use a card, I think we can all agree that makes sense. When you have increased your fees 300% in such a short period in time, something is wrong.

300% has been more than the cost of oil and healthcare in the past 7 years!

My hope is that the Fed will set a limit on these excessive fees.

Check out (link removed). That is where I got this info.

Posted by: Bill | November 10, 2009 at 09:40 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 2, 2009

Payments Spotlight Podcast: WACHA's Gilmeister discusses commercial account takeovers and other emerging risks

Play Play (MP3 7:58)       TranscriptTranscript

We invite you to listen to an interview with Mary Gilmeister, President of the Wisconsin Automated Clearinghouse Association (WACHA) and a member of the Retail Payments Risk Forum’s Advisory Group. Launched in August 2009, this is the second iteration of the Retail Payments Risk Forum’s Payments Spotlight podcast series.

In this interview, Ms. Gilmeister touches upon the following topics:

  • The roles of regional payments associations like WACHA,
  • thoughts on managing the emerging risk of commercial account takeovers which result in fraudulent ACH transfers,
  • protecting the elderly from financial fraud,
  • the role of the NACHA Risk Management Advisory Group, and
  • new risk issues in the emerging payments environment.

If you have not already, we also invite you to give a listen to the first installment of Payments Spotlight, which featured a conversation with Woody Tyner, payments strategist at BB&T Bank in North Carolina.

We hope that you will not only check out this installment but also tune in on a regular basis as we feature other leading thinkers and practitioners representing a wide array of perspectives. You can listen to the Payments Spotlight podcast using any computer audio software that will play MP3 files. To subscribe to the podcast series directly, go to the Atlanta Fed podcast page, click on the "SUBSCRIBE" button next to Payments Spotlight, and follow the instructions for adding the series to your aggregator. You can also follow the series by staying tuned to Portals and Rails, where we will post information about new podcasts as they become available.

Let us know what you think!

November 2, 2009 in emerging payments, fraud, payments, risk | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad