Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
December 28, 2009
Mobile money transfers: Benign P2P or hawala money?
Informal value transfer systems (IVTS) such as traditional trade and barter have existed since the beginning of time and still serve legitimate purposes today. While informal payments may provide benefits such as improved reliability and convenience to users over formal systems, they may also create regulatory and risk management challenges. Person-to-person (P2P) payments via the mobile phone, also known as mobile money transfers (MMT), represent an innovation with the potential for use in informal channels as nonbanks, many of which are start-up firms, extend services in a cross-border environment.
IVTS were defined by Nikos Passas to describe "any network or mechanism that can be used to transfer funds or value from place to place either without leaving a formal paper trail of the entire transaction or without going through regulated financial institutions." One of those systems is hawala, which has its origins in classical Islamic law and is mentioned in texts of Islamic jurisprudence as early as the eighth century. Hawala drew interest from the U.S. government after 9/11 because payments are exchanged on the honor system without a paper trail. With this arrangement, it could be difficult to determine if a transfer of funds was for legitimate purposes.
In addition to hawala, Passas identified other important IVTS to include gift and money transfer services via Internet sites, Internet-based payments and transfers, and stored value cards, such as prepaid telephone cards, to name a few. IVTS systems and mechanisms range from basic and traditional exchanges to modern and sophisticated ones.
Passas' initial work predated the recent developments in the mobile payments channel and certainly came before the growth in mobile enabled P2P and the use of prepaid airtime for remittances, as described in an earlier edition of Portals and Rails. When P2P payments are conducted by mobile carriers in a bank-agnostic ecosystem, do they potentially represent a more sophisticated, modern-day informal payment system?
MMT: The fastest-growing mobile payment
P2P payments represent possibly the fastest form of financial transaction enabled by mobile phones, driven by the steady growth in remittance markets, the ubiquity of cell phones themselves, and the desirability for an electronic P2P payment alternative in developed countries like the United States. Research firm Gartner recently identified mobile money transfer as the first of the top 10 consumer mobile applications in 2012, made possible by developments in smart handsets like the iPhone. Separately, ABI research predicts that almost three times as many consumers worldwide will use mobile phones to conduct P2P payments than those who will use them to conduct mobile banking functions by the end of 2011.
Formal versus informal
GSMA (Global System Mobile Association), the alliance of mobile network operators, launched the Mobile Money Transfer Programme initiative to promote the mobile channel and formalize international remittances. With low barriers to entry, roaming capacity, and a growing unbanked market in developed countries, start-up firms may offer informal MMT services, including international and domestic P2P in cross-border markets to expand their customer reach and network opportunities. While informal payment systems can provide means for legal transactions, the lack of transparency could potentially provide bad actors the opportunity for money laundering and other financial crimes.
Nonbanks, like telecom firms and others, are rapidly entering the financial services arena, creating an uncertain regulatory environment as laws and regulations vary from country to country. Will mobile P2P innovation permit service offerings that are characterized as informal payments with the potential for misconduct? Will violators of money-laundering laws go undetected as stored-value mechanisms move from the plastic card to the mobile device? These questions will no doubt be the focus for regulators in many markets going forward as they attempt to understand both the operational and regulatory risks money transfer services have the potential to introduce.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
December 21, 2009
"Money mules" carry load for global cybercriminals
In November, Portals and Rails explored the industry implications of hacking attacks that have resulted in fraudulent funds transfers using online banking interfaces. This week, Portals and Rails revisits this topic, focusing on the tactics these fraudsters use to dupe unsuspecting individuals and organizations.
The FDIC released a special alert on October 29, warning financial institutions of an uptick in schemes to recruit individuals to receive and transmit unauthorized electronic funds transfers (EFTs) from deposit accounts to individuals overseas. These funds transfer agents, also referred to as "money mules," are solicited online by criminals who have gained unauthorized access to the account of a business or consumer. Typically, the criminal will originate unauthorized EFTs from the victim's account to the money mule's deposit account. The money mule is then instructed to quickly withdraw the cash and wire it overseas minus a "commission" of 8 to 10 percent.
Fraudsters perpetrate work-at-home scams using online job postings and social networking sites
A common tactic for hiring money mules is to advertise work-at-home jobs or other seemingly legitimate positions. Fraudsters will use online job search Web sites and social networking sites to persuade individuals to receive and forward stolen funds. According to the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), victims are often hired to "process payments," "transfer funds," or "reship products." Other victims sign up to be "mystery shoppers" where they receive fraudulent checks with instructions to cash the checks and wire the funds to "test" the performance of a money service business.
The job scams also provide the criminal an opportunity to commit identity theft against the money mule. The personal information provided on the "employment" application (e.g., Social Security number or bank account information) may be used to open credit cards, post online auctions, etc., in the money mule's name and possibly commit additional crimes.
Sophisticated fraudsters use malicious code and money mules to conduct unauthorized funds transfers
An FBI alert issued last month describes how fraudsters are increasingly using malicious code to conduct unauthorized ACH transfers with the help of money mules. Many of these cases involve exploiting the online banking credentials belonging to small and midsized businesses, municipal governments, and school districts.
A typical scenario involves a "spear phishing" e-mail being sent to someone within the company with either an infected attachment or directing the recipient to an infected website. Spear phishing is a phishing attack that targets a specific person and deceptively appears to come from an individual or organization that the potential victim would normally receive e-mails from. The email recipient would usually have authorization to make funds transfers on behalf of the company.
Once the recipient opened the attachment or visited the Web site, malware (malicious software code) containing a key logger would be installed on the recipient's computer. The key logger captures the keystrokes of the recipient's business or corporate bank account login information. Once this information is compromised, the perpetrator either creates another user account with the stolen login or directly initiates funds transfers through either ACH or wire transfer by assuming the legitimate user's identity. The transactions are typically in increments less than $10,000 to avoid currency transaction reporting. Money mules play an important role in these schemes by helping to facilitate the unauthorized transfer of funds.
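The mule pattern described above (an inbound EFT, most of it withdrawn or wired out soon afterward, a commission of 8 to 10 percent kept, and amounts under $10,000) can be screened for on the receiving account. The following is an added example, not code from the original post or from the FDIC or FBI alerts; the ledger, field names, 48-hour window, and "near threshold" band are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000                 # USD reporting threshold named in the text
COMMISSION_BAND = (0.08, 0.10)         # share the mule keeps, per the text
FORWARD_WINDOW = timedelta(hours=48)   # assumption: how fast "quickly" is
NEAR_THRESHOLD = 0.90                  # assumption: credits within 10% of the threshold
OUTFLOWS = {"cash_withdrawal", "wire_out"}

# Constructed sample ledger; every account and value is made up.
# (account, timestamp, kind, amount_usd, destination_country); "XX" = any foreign country
LEDGER = [
    ("acct-A", "2009-11-02T09:15", "ach_credit",      9600.00, "US"),
    ("acct-A", "2009-11-02T13:40", "cash_withdrawal", 8736.00, "US"),
    ("acct-B", "2009-11-03T10:00", "ach_credit",      2400.00, "US"),
    ("acct-B", "2009-11-10T18:30", "cash_withdrawal",  200.00, "US"),
    ("acct-C", "2009-11-04T08:05", "ach_credit",      9900.00, "US"),
    ("acct-C", "2009-11-04T11:20", "wire_out",        9009.00, "XX"),
    ("acct-D", "2009-11-05T12:00", "ach_credit",      5000.00, "US"),
    ("acct-D", "2009-11-05T15:00", "wire_out",        2500.00, "US"),
]


def find_mule_patterns(ledger, home_country="US", window=FORWARD_WINDOW):
    """Return one alert per inbound credit that is moved on almost in full."""
    rows = sorted(
        ((a, datetime.fromisoformat(ts), k, amt, c) for a, ts, k, amt, c in ledger),
        key=lambda r: (r[0], r[1]),
    )
    alerts = []
    for acct, t_in, kind, credit, _ in rows:
        if kind != "ach_credit":
            continue
        # Outflows from the same account shortly after the credit landed.
        out = [r for r in rows
               if r[0] == acct and r[2] in OUTFLOWS and t_in < r[1] <= t_in + window]
        if not out:
            continue
        moved = sum(r[3] for r in out)
        kept = round(1 - moved / credit, 4)    # fraction left in the account
        if kept > COMMISSION_BAND[1]:          # less than 90% moved on: not the pattern
            continue
        reasons = ["at least 90% of credit moved out within window"]
        if COMMISSION_BAND[0] <= kept <= COMMISSION_BAND[1]:
            reasons.append("retained share matches 8-10% commission")
        if NEAR_THRESHOLD * CTR_THRESHOLD <= credit < CTR_THRESHOLD:
            reasons.append("credit just under reporting threshold")
        if any(r[4] != home_country for r in out):
            reasons.append("funds sent abroad")
        alerts.append({"account": acct, "credit": credit,
                       "kept": kept, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_mule_patterns(LEDGER):
        print(alert["account"], alert["kept"], "; ".join(alert["reasons"]))
```

Each reason is recorded separately so an analyst can see why an account was flagged; on real data the window and bands would need tuning against normal customer behavior.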
Small and midsized businesses lose millions to online banking scams
Reportedly, small to midsized businesses in the United States have lost $40 million to online banking fraud since 2004. FBI analysis has found that the main threat from these schemes is not merely the malware but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider. In most cases, the victims' accounts were held at local community banks and credit unions, some of which used third-party service providers to process ACH transactions.
Many believe that the uptick in these types of fraudulent payment activities directly relates to the decline in the economy. Consequently, financial institutions, businesses, and consumers have to be vigilant in looking for signs of this activity. The Federal Financial Institutions Examination Council (FFIEC) provides guidance to financial institutions and technology service providers on authentication in an Internet banking environment. Money mule activity in particular is addressed by the Bank Secrecy Act and Anti-Money Laundering regulations. There are also resources available to consumers and businesses on how to protect themselves from these types of online scams.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
December 14, 2009
Consumer preference for opt-in guides Fed rule on overdraft protection
A recent report by the Center for Responsible Lending found that more than 50 million Americans overdrew their checking account at least once over a 12-month period, with 27 million accountholders incurring five or more overdrafts of nonsufficient funds (NSF) fees. The costs to consumers for overdrafts are significant, with many instances of fees exceeding the amount withdrawn. ATM and one-time debit card transactions have been a key driver behind the growth in the volume and cost of overdraft fees. Point-of-sale/debit overdraft transactions accounted for 41 percent of surveyed institutions' NSF transactions, according to an FDIC study. These POS/debit NSF transactions had a median dollar value of $20, while the median overdraft charge assessed by banks was $27.
To address high overdraft costs, last month the Federal Reserve Board issued a final rule amending Regulation E, which will provide greater consumer protection by limiting the fees financial institutions can charge consumers for paying overdrafts on ATM and most debit card transactions.
The new rule essentially eliminates a common practice by financial institutions of automatically enrolling consumers in overdraft services. In fact, the aforementioned FDIC study found that 75 percent of banks automatically enrolled customers in automated overdraft programs. Starting on July 1, 2010, financial institutions will have to provide a notice explaining their overdraft service and fees for ATM and one-time debit card transactions before the consumer can accept it. The rule includes a model form that institutions may use to satisfy the notice requirement.
Public comments and consumer testing help inform final revisions
The Board's final revisions to Regulation E were informed by comments received on its January 2009 Regulation E proposal and results of consumer testing. The Board received more than 20,700 comment letters (including 16,000 form letters) on its January 2009 proposal, the majority of which were submitted by individual consumers. In addition, the Board engaged a consultant to conduct consumer testing on a model disclosure notice that would effectively communicate information to consumers about how their overdrafts would be handled by the bank, what fees they could be potentially charged, and what choices they had related to overdrafts.
Consumer advocates, members of Congress, federal and state regulators, and the overwhelming majority of individual consumers who commented favored the opt-in provision because they felt that the harm to consumers from overdraft fees outweighed the benefits from permitting the payment of ATM and debit card overdrafts. In contrast, the majority of industry commenters contended that the opt-out approach was better because it provided consumers with the benefits of overdraft services with fewer disruptions to the consumer and bank operations.
In the end, the Board determined that an opt-in approach to permitting overdrafts was the best decision for consumers. This decision was based partly on the Board's consumer testing, which indicated that consumers prefer to have transactions declined rather than incur fees for overdrafts.
Certain types of transactions not covered by the rule
Other types of transactions are not covered by the rule, including withdrawal by check, ACH, and recurring debit. The Board determined that with respect to checks, the payment of overdrafts may be preferable to having the check returned for NSF and paying the return fees charged by the bank and merchant. In addition, participants in the Board’s consumer testing generally indicated that they were more likely to pay important bills using checks, ACH, and recurring debits. Debit cards were primarily used on a one-time basis for discretionary purchases.
Opting in is not a requirement for other services
Consumers who do not accept an institution's overdraft service cannot be treated differently than those who opt in. For example, institutions are prohibited from declining payment of overdrafts of other types of transactions (e.g., checks and ACH) because the consumer did not opt in to that institution's overdraft service for ATM and one-time debit card transactions. The institutions are also required to provide those customers with the same account terms, conditions, and features that they provide to consumers who do elect to take the service.
Overdraft fee income for banks and credit unions rose 35 percent in the last two years. Although not a panacea, the Board's overdraft rules provide greater protection for consumers in navigating their personal finances. Ultimately, an informed consumer is the best consumer protection.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
December 7, 2009
If nonbanks drive payment innovation, will banks pay for the risk management?
Nonbanks are driving significant investment in the retail payments space today, a healthy signal to the economy that contrasts starkly to some other economic sectors, and a sign that innovation in payments businesses and technologies is alive and well. This continuing and dynamic evolution is changing the retail payments landscape in new and unexpected ways, such that all industry stakeholders will need to consider risk issues in a new light as well.
What does this spell for the role of financial institutions as retail payments service providers going forward? More importantly, how will industry stakeholders ensure integrity in retail payments systems more generally?
Venture capital and M&A activity for nonbanks
The venture capital community has demonstrated a continued interest in payment technology start-up companies, particularly in the mobile information technology market. Investment banking firm Updata Advisors recently published research reporting that out of the 16 deals the firm tracked in the third quarter of 2009 in the financial technology sector, six fell into the payments subsector. Updata also reports that it believes that new payment technology providers "with their roots in social networking technology will be prime candidates for future acquisitions by larger merchants that do not want to spend on their own R&D."
The migration from traditional to smart phones is helping drive these trends, with a number of venture capital funds investing in start-ups involved in developing smart phone applications (apps). Consider the $150 million BlackberryPartners Fund launched in 2008 by RIM, RBS, and Thomson Reuters to focus on mobile phone apps and services. Mpower Mobile, a firm that provides person-to-person (P2P) services and remittances, recently announced it had received a second round of investment to fund further technology developments such as debit and credit card functionality for mobile phones.
On the M&A front, Mint, a two-year-old, privately held personal finance service, agreed to be acquired by Intuit for $170 million in September 2009. Mint derived its revenue by directing subscribers to online financial products and services from participating institutions. Just this week, American Express announced it would acquire Revolution Money, a recently established alternative payment network, for $300 million.
Economic volatility may hinder banks' investment in payment technology
While tech firm investment in alternative payments is active and highly publicized, the same cannot be said of the banking sector. Established banks saddled with legacy payment system investments have had to balance new technology investment with existing costs while competing with de novo financial institutions.
While new bank charters flourished at the economic peak years of 2005 and 2006, the following years witnessed the largest rash of bank failures in decades. According to the FDIC report of failed banks, more than 100 institutions have been closed in 2009 alone. The turmoil in the financial services sector suggests that prospects for significant bank investments in payment-related technology may be hindered for some time. This effect was described with regard to payments risk management investments in an earlier Portals and Rails post.
Will risk controls take a back seat to innovation?
The takeaway from these environmental factors is that nonbanks continue to drive technology investment opportunities, which in turn lead to the development of alternative forms of retail payments. The current economic environment may impede participation on behalf of the banking industry, where risk management and regulatory compliance are much more commonplace.
Within the telecom industry, by contrast, there are consortia worldwide discussing how to manage risk in mobile payments in a cross-border environment as bank-agnostic start-up firms provide new mobile remittance and money transfer services. If financial institutions are not part of that conversation on the front end, how will they address risk management and compliance issues with security and identity theft or money laundering? How will the solutions that arise from discussions on risk outside of financial institutions be implemented in a banking environment, and who will assume that responsibility?
By Cindy Merritt, assistant director of the Retail Payments Risk Forum