Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
March 29, 2010
Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models
The folks engaging in the early stages of the mobile payments industry have coined the term "mobile ecosystem" to describe the environment into which they are trying to merge the traditional roles of telecommunications with those of payments and banking. While some in this fledgling industry are already becoming disenchanted with the grandeur of the "ecosystem" terminology, the concept does suggest a useful model for thinking about the challenges faced in this new arena.
A few weeks ago I received a new issue of National Geographic that contained a fantastic article (and even more fantastic pictures) of the unique ecosystem of the African island nation of Madagascar. The ecosystem of this large island, located off the southeastern coast of Africa, has yielded an extraordinary collection of plants and animals that live in a tropical setting interrupted by some truly anguished geological formations. The local ecosystem is, of course, actually a collection of subsystems (plants, animals, climate, topography, etc.) that have adapted over time to work seamlessly together. For example, large families of lemurs leap fearlessly and safely among knife-sharp rock formations because their hands and feet have developed coarse, leather-like padding over thousands of years.
In the mobile ecosystem, we see a similar makeup of subsystems that must work together. The technology and operational components, while not trivial, are clearly achievable, and many are in place today. The challenges that lie ahead, however, are in the sub-ecosystems of law, regulation, data security, data privacy, customer care, and profitability. Depending on the nature of some of the mobile payment solution alternatives, the banking and the telecommunications industries find themselves wondering if they can coexist on the same island. Is there enough value to the customer to generate the revenue necessary to fund a mobile payments initiative? Who gets or shares the revenue? Who is responsible for data security and authentication, and how does that credential or certainty get passed along the mobile payment supply chain? Who resolves the customer's problem if a mistake is made? What consumer protection rights exist in case of error or fraud, and do those rights change depending on whether a traditional payments system is used to settle the transaction? Are proven models in other countries transportable, or are the characteristics of the economics and user base too different?
With respect to customer care and protection, I recently asked an audience of representatives from the full span of the mobile payment value chain, "Who owns the customer in a mobile transaction?" Gratifyingly, they agreed they all did. However, the true ownership response may ultimately depend on the nature of the transaction and agreement on who is liable if anything goes wrong. Take the case of a person-to-person payment initiated by Consumer A (Barbara Buyer) to Consumer B (Gloria Girl Scout's Mom) for payment of six boxes of Girl Scout cookies (three Thin Mints and three Trefoils). In a telephone-based clearing model, Barbara would enter the requisite $21 in the payment instruction and designate the phone number of Gloria's mom in the recipient field, and both their phone bills would be adjusted accordingly. Now suppose that Barbara was distracted by her daughter's chiding that she really wanted Samoas and carelessly entered $210. Since the payment never went through the payment system, Barbara Buyer cannot rely on traditional banking regulatory protections or problem resolution processes. She must resolve the problem with her phone provider, who has already credited Gloria's mom. Alternately, given PayPal's March 16 announcement of an iPhone app to send money to another person, PayPal's resolution procedures could be in play.
If, however, Barbara's phone company clears the transaction through a mobile service ACH backend, or Barbara pays Gloria's mom through a P2P service offered by her bank, the error resolution process is likely through normal banking customer service channels, and the adjustment process may be managed differently, assuming an adjustment process is contractually spelled out in either case. In reality, Barbara would probably get Gloria's mom to write her a check for $189 to straighten things out. While this may seem like a trivial example, it does dramatize some of the issues that must be worked out in the new ecosystem of mobile payments to make such services work effectively for the customer's benefit.
Given these difficult challenges, it seems likely that various models will initially emerge within alliance groups (one phone company, one or more application providers, a few partner banks, etc.) before they begin to converge into one or more universal market models. Along the way, one hopes that the key participants can collaborate to anticipate the types of risk issues that could arrive in the real world so that the consumer's experience turns out to be one that encourages growth. In the age of e-mailing, twittering, and facebooking, it is increasingly clear to me that mobile banking and mobile payments are in our future and that they will be a very attractive service to some key sectors of our population. However, they will be extremely slow to develop if critical mass issues such as those mentioned above are not resolved up front. In fact, this would be a good place for banks to try new, customer-friendly approaches to consumer education and disclosure that match the payment channel being used and the customer demographic.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
March 22, 2010
Can mass transit agencies drive the business case for contactless payments?
While smart cards have replaced magnetic stripe cards for point-of-sale and ATM transactions in most other countries, the United States has been slow to adopt chip-driven technology despite improved security for transacting payments. For example, one form of smart cards, the EMV (Europay, MasterCard, Visa) chip and PIN-based card programs, is gaining wide acceptance outside the United States.
But one U.S. industry has found a way to make sense out of contactless payments—the mass transit sector. Transit providers in major cities are moving from proprietary coin and paper-based systems to card-based systems, advancing the use of contactless cards. A discussion paper authored by the Philadelphia Federal Reserve Bank's Payment Cards Center analyzes the influence of the transit industry on electronic payments and suggests that transit's adoption of contactless card payments is likely to drive increased use of electronic payments overall. In fact, the paper describes a potential future system in which transit also acts as an "open-platform merchant" capable of accepting open-loop major card company-sponsored credit and debit cards.
Will contactless adoption achieve the critical mass necessary to transition from the magnetic stripe? As with other emerging payments, future network effects are difficult to predict, and both sides of the argument can be compelling.
The benefits: Contactless technologies fight fraud
Proponents of contactless payments assert their superior benefits. First of all, their high transaction speeds support mass transit applications, but more importantly, contactless technologies are more resistant to fraud. Magnetic stripe cards are vulnerable to counterfeiting because the information contained in the stripe can be skimmed at the reader location and then cloned, thereby permitting unauthorized use. In contrast, the near-field chip technology used in contactless smart cards is difficult to duplicate and promotes a more sophisticated and secure processing environment. Another advantage of contactless technology is its higher memory capacity compared with the magnetic stripe, which can be used to promote improved identity authentication at the merchant's point of sale.
Credit card fraud plummeted for point-of-sale transactions in the United Kingdom after chip cards were deployed. According to the U.K. Card Association's January 2010 release of new card and banking fraud figures, the success of chip and PIN has reduced counterfeit card fraud losses to their lowest level since 1999. While fraud in online channels increased in response to smart card deployment, as fraudsters moved to more vulnerable environments, this latest report cited a decrease in card-not-present fraud. The 19 percent drop in these losses is purported to be the first year-on-year decrease and is attributed to the use of more sophisticated fraud screening detection tools by banks and merchants.
Annual plastic card fraud losses on UK-issued cards 2005 to 2009

| Card fraud type (on UK-issued credit and debit cards) | 2005 | 2006 | 2007 | 2008 | 2009 | +/- (08/09) |
|---|---|---|---|---|---|---|
| Phone, Internet, and mail-order fraud (card-not-present fraud) | £183.2m | £212.7m | £290.5m | £328.4m | £266.4m | -19% |
| Counterfeit fraud (skimmed/cloned) | £96.8m | £98.6m | £144.3m | £169.8m | £80.9m | -52% |
| Fraud on lost or stolen cards | £89.0m | £68.5m | £56.2m | £54.1m | £47.9m | -11% |
| Card ID theft | £30.5m | £31.9m | £34.1m | £47.4m | £38.2m | -20% |
| Contained within this total: | | | | | | |
| UK retail face-to-face transactions | £135.9m | £72.1m | £73.0m | £98.5m | £72.1m | -27% |
| UK cash machine fraud | £65.8m | £62.0m | £35.0m | £45.7m | £36.7m | -20% |

Source: UKCARDS Association: http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/922
Economic reality—for now
If the industry is concerned with fraud, and contactless payments are more secure, why is the United States resistant to change? The answer lies in the "chicken-and-egg" problem, as adoption relies on the need for contemporaneous adoption by both merchants and consumers. Consumers are accustomed to swiping their cards and may not realize their payment cards are enabled with smart technology in addition to the mag stripe. Merchants want safer payments but remain hesitant to invest in contactless hardware technology because of concerns that more advanced alternatives could follow in the near-term, forcing them to allocate additional capital. While millions of chip cards have been issued in the United States, the cost of hardware deployment at the point of sale represents a hurdle to widespread adoption.
Overcoming hurdles in the transit industry
According to ContactlessNews, a number of transit providers are working with the major card networks to trial the issuance of credit and debit cards. One noteworthy example is the Utah Transit Authority of Salt Lake City, which has employed a system on an open-payment network. The Utah transit system accepts major contactless cards such as Visa payWave, MasterCard PayPass, and American Express ExpressPay. Contactless has proven beneficial in the transit sector as collection efficiencies have driven down operational costs and created convenience for the consumer by eliminating the need to purchase fare media from station agents, often through a card-based payment. Whether or not this positive consumer experience in transit can drive more wide-scale adoption in the United States is certain to be a hot debate topic for some time to come.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
March 15, 2010
Global challenge: Catching crooks while protecting privacy
As I watched the Winter Olympics unfold in Vancouver, I marveled at the stories of athletes who had gained citizenship in other countries in order to pursue their dreams. A Canadian moguls skier moved to Australia (which I kind of get) and a Japanese pairs figure skater fled to Russia (which I don't get). In both cases, their renationalization was rewarded with Olympic medals, and in both cases, I was reminded of how completely we have merged into a one-world family and a one-world economy.
Amidst this clear and widely embraced trend to global industrialization and trade, we find that our payments systems lag miserably behind. Certainly this is not because of the lack of availability of technology to wire us together; in fact, both good guys and bad guys use the Internet to order and ship goods and services, as well as commit fraud, across the globe in minutes. And, certainly, this is not because of trade practices. As I found out from Linda Coven, a senior executive at the Silicon Valley Bank in California, a technology firm born in the Silicon Valley becomes a global firm the minute they put up their Web site. Even a modest-sized bank such as hers can develop the expertise and partnerships to help such companies cope with the financial aspects of worldwide markets.
The fly in the international payments ointment is the complex web of regulatory and law enforcement regimens that quite naturally do not as yet mesh. In fact, this can still be a problem domestically, no less globally. The global version of this dilemma gained center stage in February 2010 when the folks at the European Parliament voted to reject the interim EU-US agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programs (TFTP). These programs were established by the U.S. Treasury in the wake of the September 11, 2001, attacks. The TFTP allows the Treasury law enforcement agencies to issue administrative subpoenas for terrorist-related data, including the records of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the world's largest network for banking transactions. Privacy laws and liabilities were cited as the major stumbling block in this reversal of form from previous agreements. Efforts by SWIFT to implement new technology to separate their databases into geographical segments may still allow some access to data involving a U.S. institution, but the EU ruling could ultimately impede law enforcement activities aimed at catching criminals that make today's global payments world a bit of the wild, wild West.
For those who feel that today's regulatory/law enforcement climate borders on paranoia, I would counter that in the face of global terrorism and money laundering there may be ample reason for paranoia. It is clear that cross-border payments applications deserve greater scrutiny to make sure they are not vehicles for financing dangerous and unsavory organizations. Strong compliance policies and screening practices are even more critical in this environment than they are domestically. Nevertheless, we see once again the incongruent goals of catching criminals and preserving privacy. In cases where cooperation and trust have been established there have been great successes. Internet corporate takeover rings have been stymied and Nigerian-based fraudulent check schemes have been terminated to the benefit of numerous domestic corporations and consumers.
Building a team
At the Retail Payments Risk Forum, we are working with various parties to find ways to synthesize the conflicting goals of privacy and enforcement to create a more directed and timely approach to catching the bad guys. As we progress, we will have to be ever-mindful of the fact that the next step will be to use our domestic examples as templates for solving the same problems internationally. Useful new work groups and task forces have been established here in the United States, such as the Interagency Payments Fraud Working Group under the current co-chairmanship of the Justice Department and the Federal Reserve Board, that are directed at better cooperation between law enforcement and the bank/non-bank regulatory community. Extending such collaboration into the international arena needs to become a priority for our industry if we are truly going to mitigate payments risk and catch offenders. It is no secret that this will be a difficult challenge, but fighting cyber crime is no longer a domestic issue here in the States or anywhere else. While we cast aside old norms in the payments and technology areas to do business across borders, we must also be open and innovative in regulatory and law enforcement circles if we are to have any chance of keeping up with criminals.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
March 8, 2010
Smooth landings for payments call for a checklist
This week's blog features an interview with Devon Marsh, senior vice president and treasury management risk manager at Wells Fargo Bank, N.A. We asked Devon about his thoughts on managing risk in electronic retail payments today.
Devon, retail payments are growing increasingly more complex, creating challenges for risk managers in financial institutions. We know that many of the traditional "tried and true" control processes can still be effective in today's changing environment and understand you are a proponent of compliance checklists as a primary risk management tool for your bank. Tell us a little more about why you value the checklist process.
In more than 1,000 landings as a naval aviator, I never once made a gear-up landing. I don't think I even came close to forgetting the landing gear, but I didn't take any chances. I used a checklist every time I landed. The checklist was necessary not because lowering the landing gear is difficult to remember—of course the gear needs to be down to land! It was necessary because any discrete task—even an important one—can be easy to forget. For this reason we see pilots use checklists all the time on television and in movies to ensure completion of important tasks. We even probably consider the use of checklists to be a defining characteristic of a cockpit environment. But aviation is not the only field in which people can benefit from checklists.
I recently read a new book titled The Checklist Manifesto, by Dr. Atul Gawande. Dr. Gawande is a surgeon and regular contributor to The New Yorker magazine. He has written two previous books based on the practice of medicine that provide useful lessons on risk management and process improvement. His new book offers compelling statistical evidence on how the use of simple checklists cuts down on critical errors.
A key example in The Checklist Manifesto recounts the development of a checklist to guide the procedure for inserting a central intravenous line in intensive care patients. The steps include elementary items such as handwashing. Because its content was so basic, the checklist was initially met with scorn by many practitioners. Nevertheless, consistent use of the checklist dramatically reduced central line infection rates and deaths in ICU wards where it was implemented.
This example seems particularly relevant in financial services since significant problems are often avoided through simple yet proactive control processes. Can you draw some parallels to a checklist that might be effective in ACH processing and describe how it might work?
That's right. Errors in payment processing seldom cost lives the way medical errors might, but they can be as costly as a lost or damaged aircraft. For this reason, I believe the checklist concept has great applicability for many of the risks we address in processing payments. For example, an electronic payment checklist for ACH might help payment originators comply with rules and regulations, avoid human errors, and reduce fraud. A basic electronic payment checklist might include 10 steps.
Electronic Payment Checklist

1. Authenticate the receiver or requester.
2. Confirm validity of authorization.
3. Verify account number of receiver or beneficiary.
4. Verify routing number of receiver or beneficiary.
5. Confirm effective date of transaction.
6. Confirm payment-related information.
7. Confirm sufficient funds in funding account.
8. Obtain internal approval for transaction.
9. Initiate transaction.
10. Confirm transaction.
Some of the steps are required by rule or by law, while others are simply necessary to route the transaction appropriately. When any one of the steps goes wrong, the resulting error decreases the efficiency of the payment process. It can even cause the entire transaction to be misrouted, possibly without an opportunity for recovery. The eighth step in this checklist is particularly important because it represents a traditional fraud mitigation method called "dual control." This traditional method has proven effective in mitigating the risk that outside entities will attempt to initiate or change a company's transactions by using the credentials of internal employees.
The final step in the checklist, confirming the transaction, is one that is frequently overlooked. It makes sure the financial institution receives the transaction that the initiator intended. This step is critical to ensure a payment has been positively handed off to the next participant in the processing flow.
It is interesting that such a simple control mechanism can still be effective. Why do you think some of the steps you’ve outlined in this checklist get overlooked?
Its utility rests on the fact that creating an ACH transaction involves a series of steps, any one of which can be missed or performed incorrectly. Consistent use of a checklist may help those who initiate payments to ensure each transaction complies with rules, is free of processing errors, and is received by the intended recipient. Financial institutions should consider sharing compliance checklists with customers who initiate payments through the ACH. In the world of payments, these are the elements of a smooth landing.
March 1, 2010
Mobile remote capture: Is there a consumer market for on-the-go deposits?
In the last six months, there has been a growing buzz about a few banks that have launched or tested applications that allow their customers to make deposits by taking a picture of a physical check (front and back) with a mobile phone. The photo is converted to a digital image that is encrypted and transmitted to the bank for processing. For security and privacy purposes, no information is stored on the mobile device.
Mobile capture is just the latest innovation in remote deposit capture (RDC) designed to make the service more affordable and convenient for a broader customer base. As with most new payments technologies, risk figures to have a role in how rapidly this innovation is embraced, as I'll discuss below.
The RDC market had generally consisted of large commercial customers with an established banking relationship. However, when RDC vendors tweaked the technology to allow the use of the flatbed scanners typically used in the home, it opened the door for banks to offer a low-cost RDC solution targeted to small businesses and consumers.
Consumer capture initially adopted by credit unions
USAA Federal Savings Bank was the first bank to offer consumer capture in 2006. USAA serves a membership primarily comprised of military personnel and their families who are often deployed far from its sole branch office in San Antonio, Texas. The launch of its Deposit@Home® consumer capture service allowed its customers to make deposits from anywhere in the world using a scanner and Internet connection. Other credit unions have since followed suit with consumer capture products that offer another self-service channel for their customers, much like ATMs and online banking.
In researching a recent paper on consumer capture, I found that several factors make consumer capture an attractive product offering to credit unions. First, credit unions typically have a small branch network, and often their members are geographically dispersed across the country. Second, the disproportionately high per-item processing costs of deposits for credit unions because of their remote customer base make a compelling business case for consumer capture. Third, credit unions may have less concern about fraud issues with consumer capture because they have a "trusted" customer base.
Mobile applications reinvent consumer capture
In August 2009, USAA took the lead again in consumer capture by launching Deposit@Mobile™, a remote capture service for its mobile banking application for Apple's iPhone. In its first six weeks, a reported 270,000 members installed the updated iPhone application, and approximately 40,000 of them used the software to deposit more than 100,000 checks worth a total of $61 million. Within five months, USAA customers deposited more than $300 million using their iPhones. Last month, USAA announced a mobile application for the Android operating platform.
Not surprisingly, the USAA experience has piqued the interest of other banks to either test or consider a mobile capture application. Another driving factor is the ubiquitous nature of the cell phone in the United States, as well as the particular influence of the iPhone. A Javelin study found that iPhone users are one-and-a-half times likelier to use their mobile device to log into a bank account than all other smartphone users. There is also evidence that mobile banking customers are interested in mobile capture technology. According to the Mercatus Mobile RDC Adoption Research study conducted last year, close to two-thirds of today’s mobile banking customers are likely to adopt mobile remote deposit capture if the technology is offered by their banks.
Will concern about the potential fraud risk slow bank adoption?
While some are excited by the potential this technology has for buoying the use of mobile applications in banking, others are more concerned about the potential fraud and compliance risk this service presents to banks. Although the Federal Financial Institutions Examination Council (FFIEC) RDC Risk Management Guidance broadly covers RDC performed at any location, there still appears to be lingering concern about mobile capture. In fact, a recent Celent survey of U.S. banks found that the most common reason cited for not adopting mobile capture technology by the majority of respondents was concerns over risk and compliance.
Currently, there is still a small minority of banks offering mobile capture. For those banks sitting on the sidelines, the question is how long they will have to wait before feeling pressure from their competitors, as well as from customers who demand the functionality. As aptly described by a USAA executive, "Going to the bank to deposit a check soon may be as antiquated as black-and-white TVs."
By Jennifer Grier, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed