Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
June 29, 2010
Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks
ACH volumes have grown rapidly over the past decade, as the network has expanded beyond prearranged, recurring payments between known and trusted parties to include converted checks and one-time transactions originated over the Internet or by telephone. New ACH services have heightened concerns about risk because of the potential associated growth in ACH returns for reasons such as insufficient funds, presentment to closed accounts, and unauthorized transactions, to name just a few. To gauge the level of risk in a financial institution’s ACH origination business, it may seem reasonable to use the rate of these returned items as a possible benchmark. If an ACH originator's return rate is consistently below the industry average, we should be confident that its ACH risk management practices are generally sound, shouldn't we?
Not necessarily, according to a new Federal Reserve study. The researchers—Olivier Armantier, Michele Braun, and Dennis Kuo of the New York Fed and Ron Feldman, Mark Lueck, and Richard Todd of the Minneapolis Fed—recently conducted a study using FedACH data to look at ways to improve the benchmarks used to monitor ACH returns to shed some light on today's ACH risk environment. The study held some interesting and noteworthy findings.
Average return rates are not necessarily a good benchmark for measuring risk
The Federal Reserve study shows that about 75 percent of all consumer debit originators were below the FedACH average for consumer debit return rates during spring 2006. This large percentage stems from the fact that the average is elevated by a small number of very large originators who also have higher return rates. Consequently, some originators who fall below the average may still have rates significant enough to deserve attention. In short, while average return rates are almost the only benchmark currently available, they do not provide the most effective proxy for assessing ACH return risk management.
Better benchmarks could be constructed
The Fed study illustrates how more informative benchmarks could be computed by exploiting the ACH transactions data. The authors used FedACH data on all consumer debit forward and return items originated for a period in mid-2006. By developing a methodology that matched about 90 percent of return items to their original forward item, they could tabulate rich sets of statistics, covering the whole distribution of ACH return rates, not just the average. Their analysis tabulates return rate distributions for several individual standard entry class (SEC) codes, as well as the overall distribution of ACH transaction types, leading to the following additional results:
- Size doesn't matter much. ACH return rates for small and large originators are not very different for most SEC codes. In fact, overall and for most types of consumer debits, the median small originator has a slightly lower return rate than the median large originator, when size is measured by deposits. Return rates were also not strongly related to the originating depository financial institution's volume of originations. Thus, it would be a mistake to read deposit size or institution size as a proxy for sophistication in managing the quality of ACH originations.
- TEL and WEB are both risky, but in different ways. The average return rates for both telephone-initiated transactions (SEC code TEL) and web-initiated transactions (SEC code WEB) were high relative to most other types of consumer debits, but in different ways. TEL risks were higher across the board, so that well-below-median TEL return rates were still high compared to typical consumer debit return rates. By contrast, most WEB originators experienced lower returns on WEB than on consumer debits generally. However, a minority of WEB originators with significant volumes and very high return rates pulled the average return rate for WEB somewhat above the average return rate of all consumer debits.
- Returns come fast and are mostly the result of insufficient funds. In mid-2006, more than 98 percent of all returns occurred within five days of origination, with more than 70 percent returned due to insufficient funds. For the small minority of returns that take more than five days, authorization issues predominate.
Better benchmarks can help banks manage ACH risk
Using and customizing the type of analysis done in the Fed study has the potential to help originating banks better understand risks and therefore more efficiently deter fraud. For example, both originating banks and bank regulators could analyze the distribution of return rates and reason codes by bank peer group to gain a better sense of an individual institution's risk management practices. At the broadest level, linking returns to forward items can efficiently provide a rich array of benchmarks to help originators better monitor their ACH returns and enhance the quality of information they provide to their boards of directors. Similarly, by going beyond the average return rate concept, regulators could use the approaches adopted in the Fed study to better supervise ACH originators, or industry associations could use them to improve industry standards. In short, the sun could be setting on the days of taking false comfort from the Lake Woebegonish achievement of a below-average return rate.
By guest blogger Richard M. Todd, vice president, Community Affairs and Banking and Policy Studies at the Minneapolis Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks:
June 21, 2010
Will the migration to mobile payments be tempered by potential money laundering risks?
Generally, mechanisms that hold value, store it, and transfer it anonymously create a potential money laundering risk. The mobile phone in the United States today is slowly beginning to function as a conduit for payments while possibly providing users a certain degree of anonymity. Researchers predict that almost half of all mobile phone users worldwide will migrate to mobile payments by 2014.
Mobile phones serve as a means for accessing financial services, and, in some parts of the globe, mobile payments are providing access to financial services where traditional banks could not. Arguably, monitoring the movement of money via mobile transactions, particularly with a prepaid mobile, can be challenging. According to a senior trial attorney with the Department of Justice, users who provide false identification at the time of purchase or service providers who maintain poor records thwart the mechanisms that could track the origination or transfer of funds, making the mobile payments channel vulnerable to use by money launderers. In fact, the Bureau of International Narcotics and Law Enforcement Affairs of the U.S. Department of State released an article identifying the potential for mobile payments to be used as vehicles for money laundering.
But how much do we know about the money laundering risks potentially associated with mobile payments?
Emerging payments technology: Smurfing goes digital
Money laundering is generally described as having three sequential elements: placement, layering, and integration. However, not all money laundering transactions involve all three elements. Keeping up with shrewd money launderers who look for ways to exploit the payments system can be challenging. Smurfing is one basic technique of money laundering. Essentially, criminals move large sums of money by breaking the funds down into smaller amounts to avoid triggering currency reporting requirements and thereby lessen the risk of detection by authorities. Smurfing requires some ingenuity, but mostly it requires a small army of people, or smurfs, willing to go from one bank to the next to make the small, daily deposits.
In recent years, a variation of smurfing known as digital value smurfing (DVS) has emerged. DVS also involves the breakdown of large sums of money into smaller sums, but the money launderer moves the money electronically. DVS is considered the next generation of smurfing because as the shift from paper to electronic payments grows, digital smurfers can exchange cash for digital value in the form of stored value cards or possibly stored value on the mobile phone. Unlike traditional smurfing, which requires multiple smurfs to move numerous sums of money between financial institutions, a single smurf can do all the work by operating with multiple accounts, including mobile payment bank accounts, prepaid mobile phone accounts, or Internet payment accounts.
If smurfers are able to transfer stored value funds from one mobile phone to another or to other devices without using a bank for the transfer, they would bypass financial reporting requirements. They could also seriously hamper law enforcement's and the banks' monitoring and detection efforts. Could this convergence of financial services and telecommunications impede anti-money laundering efforts?
Making mobile payments more secure
Responding to the global growth in mobile payments, some vendors are providing improved security solutions for mobile money transfers, while other service providers have set limits on the number and amounts of mobile payment transactions and sources of funding and have employed comprehensive "know your customer" programs. Money laundering detection and prevention is an ongoing and difficult undertaking, one that must keep pace with advances in technology that promote fast and efficient movement of funds.
The rapid global growth of mobile payments presents ostensible opportunities for the adoption and enforcement of anti-money laundering compliance requirements in the mobile space. On May 26, 2010, a bill was introduced that would institute an identification requirement for the purchase of prepaid mobile devices, closing the anonymity gap and enhancing the monitoring and detection of potential payments activities. Examining the potential for money laundering risks in mobile payments is the best way to ensure that this new payments channel is not abused, all the while permitting its continued growth and adoption.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
June 14, 2010
Boston and Atlanta Feds cohost mobile payments industry roundtable meeting
It is an established fact that the United States lags Asian and African countries in embracing mobile payments technology. The question is why. To examine the reasons for the lag, the Atlanta Fed's Retail Payments Risk Forum and the Boston Fed's Consumer Payments Research Center convened a meeting on January 27 and 28 of key industry stakeholders involved in the emerging mobile payments industry. The group engaged in a cross-industry dialogue to develop a mutual understanding of industry direction and a noncompetitive strategy to address barriers to adoption of mobile payments. Ultimately, the group sought to answer this question: "If mobile payments can function effectively and efficiently in Africa and Asia, why not in developed countries like the United States?" (Portals and Rails examined the same topic in its April 5 blog, "Consumer confidence the key to U.S. mobile payments future.")
Below is a summary of the meeting's discussion.
Drivers of and barriers to adoption
The United States has been slow to adopt mobile payments technology primarily because many existing payment alternatives are available and because a variety of different entrepreneural business models and pilot rollouts are currently under way. Many new proprietary services lack uniformity, so do not encourage trust and do not attain the critical mass necessary to succeed. Furthermore, the true state of consumer demand is clouded with conflicting perceptions concerning security and the value proposition for mobile payments. Industry participants need to understand exactly what consumers want in mobile payments, whose perceived value may in turn rely on some added feature or functionality rather than just the payment itself.
The transit industry—which is moving to contactless, card-based fare payments systems—has some of this additional functionality. These systems are being modified to allow use for the purchase of nontransit goods and services at merchants' point-of-sale locations that accept the major card brands. This trend is noteworthy because it leverages the transit system’s existing network to expand the payment functionality of the transit card to an open-loop environment.
Similarly, contactless technology, also known as near field communication (NFC), is finding its way into mobile payments, where the phone, as opposed to the card, is the form factor enabled with the chip technology. However, few chip-enabled mobile devices are available on the market today. Some vendors are offering peripheral devices, such as NFC stickers that adhere to the mobile phone, until more handset makers embed the technology in the phone itself. While this strategy provides a plausible interim solution, it also has the potential to confuse the market and delay the goal of full NFC deployment and adoption.
Merchants represent a key variable in the adoption equation. Because the capital investment in contactless point-of-sale equipment is expensive, merchants may delay investment decisions necessary for contactless payments via cards or mobile devices until they are certain of widespread adoption and use. Additional incentives such as mobile coupons or loyalty reward programs may be needed to create a viable business case for NFC payments.
Industry roles and responsibilities
A number of key topics arose out of the discussion surrounding industry roles and responsibilities.
- Customer ownership: The mobile payments environment is evolving to include a wide range of players—many new to financial services—who share the customer relationship in some way. Consequently, as mobile business models emerge, complications may arise in the sharing of customer data and revenue. No one group in the mobile ecosystem totally owns the customer, although some may bear more responsibility and liability than others, depending on the business model and infrastructure. Ultimately, customer ownership may be defined by the consumer's perception of ownership and who the consumer believes has committed an error in a payments transaction. It will be important for industry stakeholders to discuss scenarios in which customer protection and privacy are at stake, and decide which party will assume responsibility in the payment chain when something goes wrong. It will also be important for stakeholders to agree on collective customer data sharing in order to optimize fraud reduction efforts.
- Security: Security is a complex issue in the context of roles and responsibilities. For example, who is responsible for provisioning security for transactions that expand across the mobile space from the phone, to the carrier, to the processor, to the bank, and finally to settlement? While strong encryption methods exist for protecting user data during transmission, complexities may arise when different parties begin to share data in order to execute a payment transaction.
- Regulatory environment: The U.S. banking industry is highly regulated and guided by well-defined standards. The telecom industry, on the other hand, has a different regulatory environment, one that is focused on nonfinancial risk issues. The establishment of a trusted service manager may ultimately serve the role of facilitator to manage and bring together different industry participants.
- Gaps in oversight: With regard to the regulatory front, gaps may emerge in oversight for the conjoined telecom and banking industries, making it important for industry participants to work with regulators to identify oversight roles and close gaps in advance of widespread deployment. In that context, the Fed is interested in ensuring the integrity of emerging payments systems without taking any action that might stifle innovation and efficiency.
The meeting concluded on the theme that industry participants should work collaboratively to develop a uniform system to provide a common user experience that is safe and secure. While competition often fosters innovation, the industry should address interoperability and common standards in a cooperative rather than competitive context. Meeting participants agreed on broad actions intended to address adoption barriers and establish a viable mobile payments infrastructure. The meeting summary is available on the Boston and Atlanta Fed websites.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Boston and Atlanta Feds cohost mobile payments industry roundtable meeting:
June 7, 2010
Remotely created checks: Banks of first deposit provide front line of defense
Almost everyone has authorized a draft transaction from a checking account, whether to expedite a payment to a creditor, purchase an item via telephone or Internet, or compensate a merchant for the return of an initial paper check due to insufficient funds. The payee remotely creates these preauthorized drafts, or remotely created checks (RCCs), under the authority of the accountholder but without the accountholder's signature. This lack of signature makes RCCs vulnerable to fraud.
How can the payments industry balance the legitimacy and convenience of an RCC with the risk management challenges it presents? Staff at the Atlanta Fed's Retail Payments Risk Forum explored this question and other challenging issues in a recently published concept paper, "An Examination of Remotely Created Checks."
Risk management challenges: RCCs are hard to monitor
RCCs, like traditional checks, can be sent forward for collection through the banking system or processed electronically by converting the paper check into an electronic file acceptable to image-exchange networks. Electronic-only RCCs can also be presented for payment and sent forward for clearing, and in some instances can be converted and processed as an ACH debit item and cleared through the ACH network. RCCs that exist in this format may easily bypass detection because, when they are sent forward for clearing, they appear in a format indistinguishable from files of images captured from paper checks.
Distinguishing electronic-only RCCs from paper RCCs converted to an electronic image is crucial to understanding and appropriately applying the new RCC warranty and presentment claims. Yet reliable data on the prevalence of RCCs as well as the true magnitude of fraud perpetrated through this payment channel is difficult to quantify because, as stated above, RCCs are indistinguishable from files of images from paper checks.
Risk management concerns and applicable due diligence protocols
In 2005, Regulation CC was amended to addressed RCC's unique attributes and the risks and challenges that accompany them. Ultimately, Regulation CC altered the final payment rule by shifting liability for unauthorized RCCs from the paying bank to the bank of first deposit. The change in liability structure also altered presentment and transfer warranties.
Risk management concerns for the bank of first deposit are substantial due to the inherent risk of unauthorized RCC transactions. Often, reported incidents of RCC fraud are tied to poor internal controls and due diligence practices of banks, particularly with their "know your customer" programs.
The Office of the Comptroller of the Currency (OCC) issued updated guidance in 2008 suggesting that account relationships with third-party payment processors are the riskiest for a bank that accepts RCCs as deposits. The guidance was intended to serve as a supplement to existing risk management practices while enhancing underwriting and monitoring of entities that process payments for telemarketers and other merchants.
Depository banks may be best poised to manage the unique risk of RCCs
Some experts firmly believe that RCCs provide consumers the important benefit of avoiding late fees by facilitating the expedited payment of a bill, while others oppose the use of RCCs because their risks outweigh any benefits they may provide. Rather than prohibit their use, exploring improved ways to manage RCCs may preclude the need for new laws or regulations.
Only the bank of first deposit possesses the information necessary to manage RCCs, and only the bank of first deposit has a financial incentive for mitigating RCC fraud. By creating comprehensive risk management practices, beginning with account relationship agreements, the bank of first deposit could detail the quantity of RCCs it will accept, the quality of the images, and the permissible percentage of returns it will accept as RCCs. The institution with the most to lose has the most to gain by policing its own payments activities, while identifying, monitoring, and controlling RCC fraud risk.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Remotely created checks: Banks of first deposit provide front line of defense:
June 1, 2010
Mobile P2P money: Contemplating new risks while analyzing adoption potential
Cell phone ubiquity and the growth of wireless networks are helping the world's poor to transcend from informal, cash-based societies to societies with more efficient and safer payments systems. The recent success of mobile operator-led payments services in emerging markets is galvanizing market experimentation in developed countries such as the United States.
Technology ripe for advance of mobile P2P
Mobile network operators and other nonbank firms are beginning to offer mobile-enabled payments transfer services in cross-border environments, using "agents" such as the corner store to accept cash deposits and accommodate withdrawals in lieu of traditional bank branches. These money transfer services, including both domestic and cross-border person-to-person (P2P) payments, are shifting to the mobile channel, providing consumers efficient, electronic alternatives to paper-based P2P payments. However, improved carrier roaming capacity and increased transaction activity may create opportunities for money laundering abuses and other unforeseen financial crimes. As new mobile financial services such as mobile P2P gain acceptance in markets throughout the world, how will industry participants plan for new and unanticipated risks?
The potential for market adoption
According to CGAP—or the Consultative Group to Assist the Poor—more than a billion people worldwide lack access to traditional financial services, but they do have mobile phones. This ubiquity has the potential to extend even more financial services to unbanked peoples throughout the world. In fact, a 2007 survey conducted by the GSM Association found that respondents expected the number of subscribers using mobile domestic money transfers to grow more rapidly for developed markets than for developing markets. These results imply that consumers in developed markets are interested in electronic P2P payment options and would be willing to conduct them via the mobile device.
The game changer when we think about payment adoption is the ability of the cell phone to execute domestic transfers in addition to international exchanges. This expanded functionality may fulfill the needs of mainstream consumers, as well as the unbanked, by giving them a convenient, cheap, and efficient alternative to writing checks or going to an ATM for a cash withdrawal for low-value exchanges.
The risk environment
In emerging markets, the risks of money laundering, identity theft, and other fraud are very real—they are merely eclipsed by the risks inherent in informal, cash-based systems, such as theft and extortion and possibly more violent crimes. So consumers in these countries where mobile payments are successful are arguably better off today despite the new risks introduced. However, this may not be the case in the United States, where we have a vast array of secure payment alternatives in place already. If convenience ultimately leads to adoption here, as it has abroad, what risks will P2P mobile money introduce, and how will we manage them?
The risks inherent in all retail payments systems are also present in the mobile space, including money laundering, privacy and security, consumer protection, fraud, and credit and liquidity risks. However, the mobile environment adds a dimension of complexity that makes quantifying risk more difficult. Participants in the payments value chain are increasingly disintermediated and outside the traditional legacy banking environment where the regulatory and legal governances are well established. In addition, there are other risks more unique to telecom firms that financial institutions and their regulators lack experience in detecting and monitoring. Finally, the regulatory domains governing banking and telecommunications are accustomed to operating independently and autonomously from one another and may be challenged to work collaboratively.
Implications for the United States
Domestic and international mobile money transfers are gaining adoption in world markets whose participants are likely to transact with U.S. consumers as wireless carriers provide services cross-border. Today, evidence in support of U.S. consumer demand is inconclusive because of the limited availability of P2P services and limited user experience. However, prevalence in offerings may not be the appropriate benchmark for determining whether discussions on risk management and payment system integrity are important going forward, as risk exposure may not be directly correlated to the rate of adoption. In order to protect the integrity and ensure continued security of retail payments systems in the United States, all participants in the emerging mobile payments industry should engage in proactive dialogue on emerging risk issues inherent in mobile money transfers.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud