Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
October 25, 2010
Can mobile payment adoption define the "end game" for technology investment?
Payment cards in the United States have been stuck for years in a chicken-and-egg quandary when it comes to chip technology. Merchants are reluctant to invest in developing the technology until consumer demand for it is there. But without the technology, it may be that consumer demand just won't be there. Add to this the competing forces that are at play: various stakeholders are pulled in different directions—contact versus contactless technology—and the cost of capital for technological investment is borne disproportionately among these stakeholders.
At the same time, we hear anecdotal evidence that losses from payment card fraud are on the rise. As we've described in previous posts, like this one, this trend could change the paradigm, spurring those in the industry to invest in more fraud-resilient, smart-card technologies. With this pressure, it's inevitable that payment cards will shift from magnetic stripe to chip card technology. But the problem is that chip card technology is constantly evolving, and those stakeholders bearing the costs for investment in new computer chips and terminal hardware infrastructure want some assurance that their investments are sound before they choose which technology path to follow: contact or contactless.
In the interest of promoting global interoperability as well as battling magnetic-stripe payment card fraud, now may be the time for an industry dialogue on a strategy for investment in smart technology. One question we should be asking ourselves in this discussion is: should we avoid investing in contact card technology if contactless mobile payments represent the end game?
Smart card basics: Contact versus contactless
Contact and contactless smart cards are so named because of the way that the embedded computer chip communicates with a terminal at a merchant's point of sale or at an ATM. In the case of contact technology, the data stored in the embedded computer chip is transferred to the reader when the card physically touches the reader. With a contactless card, the data is transferred using some type of radio frequency transmission such as near-field communication (NFC) technology, which is the current contactless card technology standard. NFC technology, of course, precludes the need for a physical connection between the card and the reader. The user can use it in a variety of devices, including the mobile phone. Importantly, contactless technology in the chip can work with the phone itself to authenticate the user and thereby reduce payments fraud.
Countries that rely on smart card payments are using various combinations of contact and contactless payments that conform to certain security standards and specifications to protect consumers and merchants from payments fraud. To encourage consumer adoption, some issuers have introduced dual-interface cards, with both contact and contactless functionality, so that consumers can use either interface at the point-of-sale terminal. This approach, with a dual-interface card, optimizes utility for consumers as retail payments evolve to the mobile channel, potentially supporting both the use of contact cards and contactless mobile payments.
The outlook for contactless mobile payments
Although the evolution of mobile payments in the United States has so far been slow, merchants are introducing new pilots with increasing frequency, and many industry stakeholders want to accelerate the deployment of a universal contactless mobile payments infrastructure. Moreover, U.S. consumers are relying more and more on their mobile phones for new and unexpected applications, which points to a good chance of success for mobile-based payments and related activities in the future. In fact, according to a report from the Pew Research Center, 85 percent of American adults today own a mobile phone, more than any other device.
Building consensus in the face of market forces
The recent deployment of contactless card payments in global markets is contributing to the establishment of an infrastructure for contactless mobile. In essence, here in the United States, we can go in either direction, contact or contactless. However, in a world where all stakeholders shared the same fully transparent information and vision for the future, could it be possible to leapfrog spending our investment dollars on contact cards and readers and instead use capital on contactless technology? We can avoid the costs for interim technology solutions if industry stakeholders can agree on a future direction despite the different economic incentives and costs demanded. Really, if NFC deployment is the ultimate endgame for mobile payments, bypassing the investment in contact technology as an interim step is a viable, if not ambitious, consideration.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
October 18, 2010
Fighting back: Good news on the law enforcement front
I've noticed that blogs by their nature tend to focus on pointing out problems, this blog included. But I think it's also important to identify progress and celebrate victory in a society that appears to approach every topic from a negative angle. So here goes!
In the past, we've reported on all kinds of complications and issues in the cooperative efforts necessary to catch bad actors intent on defrauding folks in the payments space. This includes the sometimes difficult efforts of government and law enforcement to work together across borders. In the past few months, though, we've seen some significant accomplishments with respect to industry collaboration to address payments-related crimes.
First, we reported some time ago that a rift between the European Union and the FBI had resulted in the European Parliament's rescinding the FBI's access to the wire transaction data of SWIFT—short for the Society for Worldwide Interbank Financial Telecommunication. In late June 2010, the European Union, via the European Council, signed with little fanfare a new five-year contract with the United States, allowing U.S. authorities to continue sharing European bank data for the purpose of counterterrorism. The key to the renewal was the promise of stronger controls over data privacy and the presence of a third-party overseer to make sure that data provided to U.S. authorities were accurately maintained and procedures existed to manage redress if a person's private data was abused. This five-year deal ensures that the global fight to address the financial aspects of terror activities can proceed aggressively.
Second, we've spent some time in this space talking about the growing problem of corporate account takeovers over the Internet, in addition to traditional identity theft forays, particularly from foreign sources. We've also described the complexity of U.S. and foreign law enforcement authorities working together to apprehend instigators of such schemes. In the last few weeks, however, we've been delighted to see a spate of successes by European and U.S. authorities—often working together—that will send a message to perpetrators who may believe that they are free to conduct crime in cyberspace.
In partnership with Slovenian Criminal Police and the Spanish Guardia Civil, the FBI announced in July that a two-year investigation into European-based fraud activity had resulted in the arrest of the operators of the Mariposa Botnet, quickly followed by the arrest in Slovenia of the Botnet's creator, who was code-named "Iserdo." All parties lauded the value of the strong law enforcement partnerships present in this effort.
In August, U.S. and French authorities worked together to arrest a notorious cybercriminal known by the moniker "BadB." Otherwise known as Vladislav Horohorin, BadB had been targeted by the U.S. Secret Service for some time. He was arrested by French authorities while traveling in France. If extradited to the United States, Horohorin faces up to 12 years in prison.
In September, U.S. and British authorities made what seem to be well-coordinated announcements concerning the wide-ranging arrests of Eastern European cybercriminals engaged in hacking and account takeover activities targeting British and U.S. small businesses. U.K. officials announced that the Metropolitan Police's e-crime Unit arrested in a predawn raid 11 individuals on charges of fraud and money-laundering activities that netted close to $40 million. This announcement was followed by an announcement from the New York U.S. Attorney's office that it had issued 60 arrest warrants and made 20 arrests for U.S.-based perpetrators involved in similar account takeover schemes. At least 37 of the individuals involved were so-called "money mules," hired by overseas criminals to open bank accounts and deposit funds stolen from businesses, then wire the funds overseas after keeping a nice fee. This effort featured extraordinary cooperation among the U.S. Attorney's Office for the Southern District of New York, the FBI, the New York Police Department, the Department of State Diplomatic Security Service, the New York Office of Homeland Security Investigation, and the U.S. Secret Service. The gang appears to have stolen at least $4.2 million from small businesses and securities brokers in the United States.
At any rate, our hats are off to the various law enforcement authorities who successfully participated in these actions. We look forward to more such efforts as a growing deterrent to those who use cyberspace as a playground for financial crime. Mr. Horohorin may have plenty of company during his stay in the United States.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
October 12, 2010
New study examines the effectiveness of U.S. payments security
As everyday citizens, we are all responsible for understanding the threat of identity theft and its potential to facilitate payments fraud. The proliferation of identity theft is not solely a by-product of the high-tech world in which we live; it has been around from time immemorial. In the pre-Internet era, identity theft and payments fraud were more commonly committed by a "familiar"—a family member or someone with access to the victim's home, office, or mailbox. This type of white-collar crime still exists today, of course, and its success rate, measured in terms of the number of fraud attempts that result in a monetary loss, remains high. But today's identity theft schemes are more complex and involve larger-scale data breaches, so they pose a more significant threat to the retail payments industry and demand stronger security management techniques.
This evolution has created the need for more sophisticated compliance initiatives to keep identity and payment information secure. Retailers are on the first line of defense, in many respects, since they are the receivers and keepers of payment card data used to facilitate purchases at the point of sale.
So, along those lines, how is the retail industry faring? A new study from Verizon—released Oct. 4—reports on how well the U.S. retail sector keeps payment card data secure.
PCI security compliance: A first line of defense
There is an industry-organized defense procedure, or set of procedures, created to guard against large-scale thefts of payment card data. This procedure is called the Payment Card Industry Data Security Standard, or PCI-DSS for short. The Verizon report notes a high correlation between an organization's PCI compliance and its resistance to data breaches.
Most large retail enterprises in the United States claim compliance with PCI-DSS, and they have their operational systems periodically audited to ensure continued compliance. Although many of the largest retailers are compliant—with some, like Heartland, even working now to go above and beyond the minimum requirements—the Verizon study reveals just how far U.S. retailers are from full PCI-DSS compliance.
The following table summarizes the findings of the Verizon report for PCI compliance rates.
Meeting the challenge—and going above and beyond
The study concludes that complying with PCI is a complex challenge for many retailers, but the outlook is good—the retail sector is heading in the right direction. On average, it reports, organizations meet 81 percent of the procedures required by PCI, and 75 percent of organizations meet at least 70 percent of the testing procedures required.
Some industry experts even contend that PCI-DSS compliance in and of itself is not enough, which is why Heartland Payment Systems—one of the largest U.S. card processors, and which in 2009 suffered a serious data breach—is raising the bar and requiring its merchants to use additional security measures for data encryption. All data messages must be encrypted when in transit and when at rest in temporary storage along the way. For now, organizations responsible for storing and transmitting this data will continue to be challenged with the responsibility for safeguarding their data from breaches that facilitate identity theft and payment fraud.
By guest blogger Dan Littman, Economist, Federal Reserve Bank of Cleveland
October 4, 2010
Has existing regulation of money services businesses kept pace with their enhanced financial services options?
Most businesses that meet the definition of money services business (MSB) offer financial services such as wire transfers, currency exchange, check cashing, traveler's checks, money orders, or stored-value cards. In the past, MSBs mostly served consumers without an established banking relationship—that is, the unbanked. Today, consumers with established banking relationships may also use these services on occasion because the MSBs sometimes offer cheaper services, such as wire transfers, than banks do.
Well-established MSBs such as Western Union and MoneyGram have provided the traditional services—wire transfers, currency exchange, check cashing, and so on—for years. Over the past few years, MSBs have rapidly grown and expanded their financial services offerings with options such as Internet-directed services for person-to-person (P2P) and person-to-business (P2B) payments, stored-value products, and, most recently, mobile money transfer service, which permits users to send funds cross-border and domestically using their mobile phone.
But are these expanded financial services within the coverage of the existing regulatory framework for MSBs? Are there new money laundering risks with the introduction of new financial services options not previously anticipated by the existing regulatory framework?
Conforming MSB regulation to mirror MSBs' enhanced services
Although states have regulated check cashers and money transmitters for years, regulation of these nonbank financial institutions has not been uniform. The Uniform Money Services Act (UMSA) was adopted in an effort to provide a framework to deal with money laundering issues unique to nondepository providers of financial services. UMSA applies to businesses that provide money services and requires that MSBs be licensed, maintain extensive records of their transactions, and submit to audits. Although some MSBs may only offer one or more of the services listed above, all MSBs are subject to the provisions of UMSA because of the interrelated group of services they offer and because they are not regulated in the same manner as depository institutions.
UMSA expanded existing MSB regulatory coverage to include what was considered at the time a new type of payment service: Internet-based service. It was believed that this new type of financial service posed the same concerns as did traditional financial services, such as wire transfers and check cashing, for example.
A patchwork of regulation
MSB compliance is a complex patchwork of regulations that involve federal restrictions on money laundering as well as state consumer protection mandates. MSBs are required to follow Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations that require them to file "Currency Transaction Reports," implement AML programs, and file "Suspicious Activity Reports." The Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has delegated authority to the IRS to examine MSBs for compliance with BSA requirements. State agencies may evaluate MSBs for compliance with the BSA, though they may not directly enforce it. Generally, state agencies are charged with enforcing their own MSB state statutes and regulations, which sometimes may impose requirements that overlap with the BSA.
Navigating through MSB regulations
In 2009, FinCEN conducted outreach meetings with some of the largest MSBs in an effort to better understand how MSBs navigate through these numerous regulations. The meetings resulted in the production of a report that stated that as MSBs navigate through these regulations, they place significant emphasis on agent oversight and compliance, value their reputation and consumer trust as the core objective of their business models, and feel that being in compliance with BSA regulations is consistent with their business model. The results of this report do not certify that the participating MSBs were in compliance with MSB regulations.
In the last year, legislation was proposed that would centralize MSB anti-money laundering compliance with the Treasury and authorize that office to recognize a self-regulatory organization similar to the private nonprofit Financial Industry Regulatory Authority (FINRA) that regulates broker dealers. The goal of the bill is to bring about uniform registration and supervision of MSBs without preempting state laws.
MSBs play a vital role in domestic and foreign economies, particularly by providing the needed financial services that facilitate the transmission of money to foreign countries. Establishing uniform legislation may strengthen the continued work of combating money laundering and help prevent the use of MSBs as channels for money laundering or other illicit activities.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed