Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« April 2010 | Main | June 2010 »

May 24, 2010

Bank revenues and fraud detection: A marriage made in heaven?

Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.

The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.

Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.

The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant amount of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.

Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

May 24, 2010 in account takeovers, banks and banking, malware, wire transfer fraud | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Bank revenues and fraud detection: A marriage made in heaven?:


Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business client's offering.

Posted by: richard oliver | May 24, 2010 at 02:13 PM

The detection options listed should be added but it will take time to implement them uniformly which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade off decisions that banks make vary by an almost unbelievable degree.

It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g. adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge was conducted via another channel or out-of-band (a phone call) it would be even more effective.

Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.

Posted by: Rob | May 24, 2010 at 01:49 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 17, 2010

New Payments Spotlight podcast on mobile payments and banking

Play Play podcast: Mobile Payments and Banking (MP3 7:58)       TranscriptTranscript

Hardly a day goes by without an announcement or press release about a new mobile payments application. Although U.S. consumers have not readily embraced mobile banking and payments services, we must consider legal and regulatory questions if an eventual uptick in consumer adoption is to occur. For example, what are the implications of mobile financial services on consumer protection laws? What are the risks to the consumer, if any, when telecoms and other private companies are involved in payments clearing and settlement?

We explored these issues in our interview with Mark Budnitz, a law professor at Georgia State University's college of law and a member of the Retail Payments Risk Forum's Advisory Group. Budnitz lectures widely on payments systems before groups such as the American Bar Association and specializes in consumer protection with a special interest in electronic payments systems. This interview is our latest installment in the Payments Spotlight series, which features recorded interviews with experts in the payments industry on relevant risk and fraud issues.

Among the topics discussed in the podcast is the increased interest in mobile financial services in the United States. Recent consumer demand for access to smart phone applications that simplify everyday activities has prompted financial institutions to explore offering mobile financial services. Banks and nonbanks are entering this emerging ecosystem. Software developers, phone manufacturers, telecoms, and others are all looking for ways to participate in the mobile payments and banking value chain.

Consumer protection is a consideration with adoption of mobile payments
Budnitz also expressed his concerns about the implications of mobile payments and banking for consumer protection laws. One example he provided was the potential confusion consumers may face when trying to resolve billing disputes. He noted that the Electronic Funds Transfer Act (EFTA) typically covers error resolution for consumer electronic funds transfers involving a financial institution, but it is not always clear what law applies when a telecom or private company is involved in payments processing.

For now, Budnitz said, consumer protection laws generally regulate the consumer-card issuer and the consumer-merchant relationship but not the multiple relationships among consumers, telecoms, nonbank private companies, and others that are potentially present in the mobile payments world. This omission presents a valid consumer concern and explains consumers' hesitancy with fully adopting mobile banking and payments and how that hesitancy has affected the pace of growth in the United States.

Privacy and security concerns take center stage with consumers
Another concern raised with mobile banking and payments is the potential privacy and security risks. As Budnitz described, "Mobile financial services offer companies new avenues for invading privacy." These companies are able to collect data about consumers that they can sell to other companies.

Surveys have shown that security concerns are a major factor inhibiting consumer acceptance of mobile banking. For example, a 2008 Javelin Strategy & Research study on mobile banking security found that 47 percent of consumers surveyed did not use mobile banking because of security concerns. Furthermore, the survey found that consumers' top fear is having hackers steal sensitive banking data (73 percent) despite available mobile encryption and authentication tools.

Addressing gaps in regulatory and legal infrastructure for mobile commerce
As with most innovation, there is a potential that the legal and regulatory infrastructure will lag behind the development of new mobile banking products and services. Budnitz suggested that the federal regulatory agencies should work cooperatively to anticipate new developments and quickly respond. One way they could respond to a problem is with regulation or interagency guidance. However, he cautioned that the agencies must strike the delicate balance of making regulation that is not so specific that it stifles innovation and not so vague that it is easily misunderstood by consumers and businesses.

Consumer adoption of mobile payments in the United States will partly hinge on addressing the lingering concerns that consumers have about data privacy and security. Budnitz contends that having strong consumer laws in place benefits both consumers and the mobile financial services industry. Consumers who have greater confidence in the system will more readily embrace mobile payments, thereby building the demand needed to make it an attractive business investment.

By Jennifer Grier, senior payments risk analyst at the Atlanta Fed

May 17, 2010 in consumer fraud, consumer protection, mobile payments | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 10, 2010

Going all digital with the check: Check 21, ACH, or an electronic payment order?

Today's continued decline in paper check volumes can be explained in part by the expanding diversification of electronic payment instruments. As part of this transition over the past five years, the Federal Reserve Banks (FRB) reduced their number of paper check processing operations from 45 to one in response to declining paper check volumes. The diminished significance of paper checks and technological advances in the payments arena have given rise to the idea of a new type of check: an all-digital check, i.e., one never having taken paper form.

A concept paper published by a payments research group at the Federal Reserve Bank of Chicago was the first to espouse this idea. The paper advances the idea that this new kind of check could help complete the transformation of the check from paper to electronic form altogether by doing away with the need to write the paper check in the first place. The new check-like payment, termed electronic payment order (EPO), is designed to allow consumers to write a check digitally on a smart phone or other computer device and then send that digital check to the payee who, in turn, sends the image on electronically to his or her bank for deposit. The EPO would clear and settle through the same electronic check processing channels that all other imaged checks do.

The appeal of an all-digital check
In recent months, the EPO paper has received considerable attention. One example is a recent article in the American Banker that portrays the EPO as an efficient and innovative payment product. Although the EPO may function like and contain the same information as a traditional check, the EPO may have benefits beyond those fully explored in the paper.

A possible benefit is the EPO's potential to replace remotely created checks. Since the EPO requires a digital signature signifying intent and authentication—two elements that remotely created checks lack—it may be less subject to fraud because the digital signature establishes more trust and predictability than does a remotely created check. On the other hand, the payee of an EPO transaction is still subject to the possibility that the payer has insufficient funds to cover the EPO.

Fundamental legal and regulatory issues
New electronic payments mechanisms typically raise numerous legal and regulatory issues, such as acceptable methods of payment authorization, information protection, and methods for settling disputes. The all-digital check concept is no different. While it has been reported that the FRB has endorsed the EPO practice, it actually has not, particularly because the specific body of laws and regulations that govern an EPO are uncertain and remain to be addressed.

By being entirely electronic, the EPO achieves the goal of eliminating the paper check, and it therefore makes check law literally inapplicable. Conceptually, the authors of the paper foresee the EPO existing under current check law through agreement while using traditional electronic check clearing channels. Some opine that to the extent that check law may be made to apply by agreement, then an EPO, as a matter of law, would not be subject to the Electronic Funds Transfer Act (EFTA) and Regulation E, as checks are precluded from coverage under EFTA. Others contend, however, that Regulation E should apply, since it regulates all electronically initiated transactions. But no known official determination to that effect exists.

The Chicago Fed's EPO paper acknowledges this paradigm and ultimately rests its legal standing on an agreement-based approach (i.e., where existing law would otherwise have addressed these legal and regulatory issues, parties agreeing to exchange EPOs will privately agree to a set of specific terms and conditions tailored to the new product). Whether an agreement-based approach can provide sufficient "legal" framework and do all that is necessary to make an EPO function as a traditional check but in all-digital form remains to be seen.

An alternative to the all-digital proposal: Credit-push transaction
The check clearing system operates on a debit-pull basis; that is, the payee has to deposit the check as an order to pull funds from the payer's checking account. An alternative proposal to the all-digital check could be a mechanism under which a check no longer operates as a debit pull but instead as a credit-push electronic payment. In this scenario, and in its simplest form, the accountholder would instruct the bank to transfer funds electronically from his or her account to the payee's bank account, thereby limiting the payee’s involvement and reducing the chain of transfers that otherwise occurs with traditional checks.

This alternative approach functions fundamentally like a cashier's check and mirrors payment rails available today from most home banking systems that can be accessed from a smart phone or home PC. Furthermore, the legal and regulatory framework for credit-push transactions is far more certain. For business EFTs, Uniform Commercial Code Article 4A would apply, and EFTA and Regulation E would apply for consumer EFTs. In addition, because the payer’s bank transmits the transaction, the payee can be certain that funds are good upon receipt.

The payments system as established provides an infrastructure for transferring money from one entity in the economy to another. An efficient payments system is one that allows instant confirmation of a transaction and does so in a secure environment. In the months ahead, key payments system participants will determine whether the concept of the EPO will ever be implemented or whether a different approach to traveling the "last mile" of check electronification is best. In any case, challenges remain, and streamlining and simplifying the transaction while addressing the legal and regulatory implications will be big factors in determining the outcome.

By Rich Oliver, executive vice president, and Ana Cavazos-Wright, payments risk analyst, both in the Retail Payments Risk Forum at the Atlanta Fed

May 10, 2010 in remotely created checks | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Going all digital with the check: Check 21, ACH, or an electronic payment order?:


Dave, thanks for the comment. As we research the idea of a credit push electronic check, we will have to consider how to get the payee's information in the ACH payment, clearly a key. Stay tuned as we may write a paper on this idea since it does have some attractive tradeoffs in terms of certainty of payment to the merchant or company and can flow through check rules since it is not drawn on a consumer checking account. Could this be a reverse UPIC transaction?

Posted by: richard oliver | May 24, 2010 at 02:24 PM

Rich, the credit-push transaction exists today through online bill payment systems. One issue with it is there is no universal payee database -- if the payee is large enough, it will likely be in the bank's (or the bank's service provider's) payee database; but for smaller payees the payer would need to know R/T and account number information in order for the payment to be electronic. This is a disadvantage vs. a cashier's check.

There was an early FSTC project on e-check (1993 timeframe) -- it was an entirely digital check -- very interesting technology. I'm not sure why it never took off, maybe the rise of consumer debit cards in that same timeframe was part of it.

Posted by: dave fortney | May 12, 2010 at 03:23 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 3, 2010

Decisions on overdraft control have implications in defense against fraud

The latest missile out of Washington as it pertains to bank practices and consumer discontent relates to restrictions on bank overdraft policies. The discontent centers around the ways that banks have rolled out overdraft "services" and fees that have resulted in overdraft charges becoming an estimated $38 billion revenue source for the industry's fee-starved payments portfolio. In fact, complaints about such practices are moving into the court system across America, even as Washington attempts to address the issue from a legal/regulatory standpoint.

In November 2009, the Fed issued a new regulation that would require banks to fully disclose overdraft policies and gain specific consent from consumers to charge fees for ATM- or debit card-based overdrafts that the bank pays. These rules go into effect later this year. Meanwhile, some members of Congress who are not satisfied with the extent of the Fed ruling are proposing more restrictive legislation that may also specify the order in which transactions are applied to the account balance, limit the number of overdraft charges in a period, and possibly extend restrictions to other types of overdrafts, such as those stemming from check writing.

In the wake of these moves, Bank of America (B of A) announced that it would change its policies on ATM and debit card transactions to a default mode whereby the bank will reject such online transactions if the account balance is insufficient to cover the charge. In other words, customers can select offered overdraft services and associated fees if they want to avoid having transactions rejected, but if they don't opt in, the bank will reject overdraft transactions. Now, I must admit that I naively thought that absent my enrollment in a specific overdraft plan, any ATM or online debit card transaction that I initiated that overdrew my account would automatically be rejected. I don't have the money—enough said! Apparently, I was wrong by several billion dollars. I applaud the move that B of A is taking, and they will apparently join Citibank with this stance.

How fraud figures in
While the focus of all this turmoil has been on the avoidance of exaggerated fees, I began to consider the overdraft issue from a personal perspective. What approach to overdraft would be best for me, given my income and lifestyle? More specifically, what would also be the best option given the various types of payments fraud and ID theft we hear about every day on the news? In other words, could my choice as a consumer on overdraft plans better protect me from fraud or thwart the efforts of those bad actors intent on stealing my money?

We have all heard stories about fraudsters skimming card numbers at ATMs using a special device inserted into the card reader slot. We know that databases containing account information have been compromised. We also know that crooks are creating counterfeit checks. Similarly, fraud schemes have been documented that involve remotely created checks and transactions that flow through the ACH and wire transfer networks. So, the source of a fraudulent transaction can come from many payment channels.

Of course, I realize that overdraft services have no effect on detecting or rejecting fraudulent transactions if I have sufficient funds in the account to cover the transaction. If, however, I do not keep excessive balances on hand and if a crook acts reasonably by trying to make a fraudulent transaction worthwhile (a few hundred dollars as opposed to a few dollars), it is not unreasonable to think that a fraudulent transaction could overdraft an account. If an overdraft plan is in place, the transaction would go through, the balance would be covered from another source, and I may be charged a potentially significant overdraft fee. I would then appeal the fee by claiming the item that caused the overdraft was fraudulent. In the case of an electronic transaction consistent with the protections afforded by Reg E, I could also return the item as unauthorized and recoup my funds.

On the other hand, if I selected the default practice being implemented by B of A, the bank would reject the fraudulent item if it promised to overdraw my account. I may not be charged a fee, and no paperwork is in my future. Further, in the case of an online transaction, the crook would be frustrated when the transaction is disallowed. Of course, I would have to bear the stigma of embarrassment if I institute a transaction at the point of sale that does overdraft my account because I am a terrible bookkeeper and I have not enrolled in the protection plan. But on balance, I am willing to risk that infrequent possibility as a tradeoff for the similarly infrequent possibility that I might frustrate a criminal. Other folks who are forced to live paycheck to paycheck may be better served by opting into an overdraft program, but everyone should make this decision in light of not only their personal financial situation but also the reality of payments fraud. The bottom line is to consider whether the choice you make on overdraft plans may have a collateral benefit in the area of fraud protection.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

May 3, 2010 | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Decisions on overdraft control have implications in defense against fraud:


Rich, Nice post -- I like the connection b/w fraud and overdraft policies. An attempted overdraft should be a fraud indicator in a bank's real-time fraud monitoring system, especially for a customer who rarely if ever overdrafts his/her account.

Mobile alerts also have a big role in this cycle.

Good seeing you in Seattle.

Posted by: Dave Fortney | May 7, 2010 at 09:10 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad