Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« October 2010 | Main | December 2010 »

November 29, 2010

Prepaid in the mobile channel: Balancing financial inclusion and risk management

Payment services are coming to your mobile device—even though consumer adoption remains low in the United States, as are near-term prospects in light of reports about security concerns. Financial institutions, carriers, and others are experimenting with trial products and services to try to understand and respond to consumer demand for mobile services. Here in the U.S., the mobile device is emerging as an access device for legacy payment mechanisms like credit and debit cards or deposit account transfers. A viable payment mechanism for consumers to access via the mobile channel may be stored value, using the cell phone instead of a plastic card as the form factor. With the recent economic downturn, prepaid is emerging as an alternative to paper-based payments, allowing some consumers with limited access to credit to continue to participate in the electronic economy.

Some prepaid products carry potential risks because of the anonymity associated with them. The question we face is, how will we balance the potential risks of identity theft and money laundering as prepaid services shift to the mobile channel?

Recent growth in prepaid
Prepaid cards are growing in popularity, especially with the advent of reloadable, open-loop payroll cards that are branded by the major card networks and accepted at ATMs and merchants' points-of-sale. (Open-loop cards are those that consumers can redeem at different establishments. Closed-loop cards are those that the consumer can redeem at a specific establishment, which is also the issuing provider.) Since many carriers have offered prepaid airtime plans for years, the transition to a prepaid "mobile wallet" may be a seamless one. The mobile wallet is expected to operate the same way as a prepaid card, with monetary value loaded and stored on it. Because stored-value cards allow unbanked and underbanked consumers to participate in the electronic economy, their use is growing.

Open loop cards growing faster than closed loop
Enlarge Enlarge

Growing population of underbanked consumers
Financially mainstream consumers in the U.S. already have a multitude of safe, secure, and reliable payment choices, so they have little incentive to use their cell phones to access those payments. But a growing segment of the population is underserved by mainstream financial services. ("Underserved" individuals are those who may have a checking or savings account but rely on alternative financial services such as nonbank money orders, check-cashing services, payday loans, or pawn shops.) The increase of the underserved is in part a reflection of the weak economy, high unemployment, and reduced access to credit for many consumers. The FDIC estimates that 7.7 percent of U.S. households are unbanked and an additional 17.9 percent are underbanked.

It might be useful to compare the U.S. unbanked market to those in other countries where mobile payments and banking initiatives are in various stages of deployment.

Statistics on the unbanked populations in developed and emerging markets
Enlarge Enlarge

Emerging markets, such as sub-Saharan countries and India, with higher populations of consumers without access to traditional financial services are experiencing rapid adoption of mobile financial services. For example, the success of M-PESA, a mobile phone-based financial service offered by Kenya's Safaricom, has become a business model for other developing countries. In the three years since its inception, M-PESA's customer base has reached 9 million users.

Growth of M-PESA customer base
Enlarge Enlarge

Improving security and risk management of prepaid mobile
A number of improvements have been made in recent years in the way some prepaid cards—like payroll cards, for example—can be monitored. Open-loop cards that are branded by the major networks allow the owner to contact the issuing payment service provider if the payment card or device is lost or stolen. And many prepaid issuers will provide periodic statements detailing balances and fees. Still, concerns remain with gift cards and other closed-loop products that may not include the security features of the open-loop cards. In response to these concerns, FinCEN's proposed rulemaking should provide the industry with guidance on how to exercise oversight and control in prepaid transactions.

With respect to the mobile handset, technology is changing rapidly and the potential for improved security in the handset for authentication and identity credentialing looks promising. Given the ability for prepaid issuers to tighten the controls in card registration processes, the mobile device may be a more secure channel than today's card-based prepaid alternatives. In that case, we may see the prepaid services driving consumer confidence for more mobile-based financial services going forward.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

November 29, 2010 in identity theft, mobile payments, money laundering, prepaid | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 22, 2010

The continuing challenge of workplace fraud in financial services

Is it true that most economic crimes are committed by insiders? Yes, according to a worldwide study on workplace fraud that the Association of Certified Fraud Examiners' (ACFE) conducted. ACFE's study found that organizations lose an estimated 5 percent of annual revenues, or $2.9 trillion globally, to insider fraud. (A down economy probably sees even higher losses.) Banking and financial services are the industries that most commonly feel the impact of workplace fraud (see the table).

Industry of Victim Organizations by Frequency
Enlarge Enlarge

The study also said that the median loss caused by workplace fraud was $160,000, and nearly one-quarter of the frauds involved losses of at least $1 million (see the chart). Typically, the frauds lasted a median of 18 months before being detected.

Distribution of Dollar Loss
Enlarge Enlarge

Theft of electronic data and information increases
A separate report looking at international fraud trends found that companies are experiencing an increase in theft of information and electronic data compared with the physical theft of assets. The report noted that the financial services sector had the highest level of information and electronic data theft. The biggest problem for financial services was information theft (42 percent), followed by internal financial fraud (31 percent) and regulatory breaches (25 percent). According to the report, in the last twelve months, businesses lost almost $1.7 million per billion dollars in sales worldwide, compared with $1.4 million per billion dollars.

Common elements in workplace fraud: The fraud triangle
There are many reasons an employee might commit fraud. Experts regularly cite financial pressures as the primary motivation for committing workplace fraud. According to the ACFE study, employees who live beyond their financial means accounted for 43 percent of the workplace-fraud cases; employees with other money difficulties accounted for 36 percent.

Opportunity or ability to commit a fraud can also motivate someone to commit workplace fraud. It is also the area that an employer can best control through dual and internal controls.

Rationalization is another motivating factor, perhaps the most difficult one to pin down since it may not manifest itself outwardly. Rationalization is how a dishonest employee might justify his or her fraudulent actions. For example, the thief may take money with the intent initially to repay it, or may feel deserving of the stolen funds because he or she feels unappreciated or undervalued at work.

Having any or all three of these elements present (financial pressures, opportunity, and rationalization) creates what is known as the fraud triangle. Although the presence of any of these factors can increases the risk of workplace fraud, gaining a better understanding of how each one presents itself in the workplace can help deter fraud. Strengthening detection in any organization may entail going beyond applying sophisticated anti-fraud software and establishing a work culture that educates staff as another resource for detecting possible fraudulent activity. Staff can play a vital role in combating workplace fraud when provided an anonymous reporting channel and education on procedures and expectations for communicating known concerns or potential wrongdoing.

Combating workplace fraud
While we cannot eliminate workplace fraud entirely, awareness of known "red flags" may help identify workplace fraud in development or before material losses from the fraud are experienced. An effective system of internal checks and balances generally reduces an organization’s exposure to workplace fraud.

Weaknesses in internal controls may provide insiders' opportunities to access data that they can then use to perpetrate financial fraud. As workplace fraud becomes increasingly sophisticated, the exposure of financial services to workplace fraud will continue to be an ongoing challenge. However, having a better understanding of the common elements of workplace fraud may help prevent, detect, and deter it from occurring.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 22, 2010 in financial services, fraud, workplace fraud | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 15, 2010

Retail Payments Risk Forum publishes white paper on mobile payments

Everyone has a cell phone these days, and that ubiquity is paving the way for wide acceptance of mobile money person-to-person transfer services, also known as MMT. Emerging countries, where the mobile channel provides a safe, efficient environment for conducting financial transactions and improving financial inclusion, have been especially quick to adopt MMT. In contrast, mobile payment adoption in the United States has been slow, but many experts believe that, with more people acquiring smart phones and having access to all the applications that go with them, MMT is on the brink of becoming widely accepted.

As roaming agreements between wireless carriers and the globalization of commerce in general work together to render our world's geographic borders irrelevant, how quickly can we expect these services to migrate to the United States? More importantly, as various forms of electronic payment crimes emerge, what should the industry do to prepare for new mobile services in a cross-border environment?

To answer these questions, the Retail Payments Risk Forum recently published a white paper titled "Mobile money transfer services: The next phase in the evolution in person-to-person payments," which describes the current landscape for these services and examines the risk environment for mobile money for both developed and emerging countries as new business partnerships between bank and telecom firms take shape.

MMT has the potential to catalyze the mobile financial services market
Infrastructure developments to support MMTs could support the evolution of other financial services. According to the GSM Association, this infrastructure provides the basis for the concept of the mobile wallet, which will allow mobile phones users to conduct banking, proximity payments using the phone at a merchant's point-of-sale terminal, and remote mobile payments, including domestic and cross-border mobile transfers.


The mobile money risk environment
The risks inherent in all retail payments are also present in the mobile space, including money laundering, privacy and security, consumer protection, fraud, and credit and liquidity. As mobile financial services evolve, there will be a number of issues to consider for managing the new risks mobile phone-based payments stand to introduce. The emergence of more nonbank participants in the distribution of mobile payments, including telecom firms and their agents along with technology vendors, may create additional risk considerations for payment regulators. Since mobile technology-enabled payments do not require the face-to-face interaction that takes place with traditional banking, the resulting opaque, anonymous experience can also create more opportunity for criminal activity. This will be increasingly important in a future where mobile retail payments will occur rapidly and across geographic borders, potentially outside the purview of traditional regulatory oversight. Payments regulators have limited expertise and experience in identifying electronic payments crime in communication systems—so the potential for abuse is a real and imminent threat that is still abstract and not well understood in this early stage of the game.

Policy considerations for industry stakeholders, policymakers, and regulators
The integrity and safety of the world's retail payment systems rely on cooperative information sharing about service developments and potential gaps in regulation. A number of considerations should remain at the forefront of industry discussions.

  • The new mobile landscape will require dialogue between the regulatory authorities for financial services and telecom firms. Financial and telecom sector regulators will need a comprehensive understanding of the emerging risks in mobile payments with a collective eye toward the potential need to establish new regulatory concepts of electronic money regulation. This may demand a program for routine communication to ensure that regulators understand payment system risk issues and provide effective risk-based supervision for payment services providers.
  • An oversight infrastructure for mobile payments, including the financial services of telecom firms, should be established. This oversight might be established through a routinely convening workgroup representing applicable regulators or the creation of a new organization with expertise in the unique and dynamic risk issues in mobile services.
  • Cross-border mobile payments may require improved customer-data sharing on an international basis. The anticipated growth in mobile remittances may demand a new environment of international cooperation and sharing of customer data and analysis.
  • U.S. mobile payments services providers should be required to establish programs to mitigate the risk of money laundering. Mobile services will require new methods for detecting and monitoring data flows. All service providers, including telecoms, will need to establish risk management programs commensurate with the risk in their service offerings.
  • Converged regulatory authorities should examiner consumer protection risks for potential gaps in regulatory oversight. In the United States, it may be necessary to reexamine the applicability of Regulation E protections to stored-value payments as they become more prevalent in the mobile channel, in order to prevent consumer confusion in error resolution scenarios.

The experts are right in saying that mobile adoption still low. But the rapid pace of change means that industry stakeholders, and especially regulators, need to be forward-looking and anticipate where the winds of change will blow. A rearview mirror approach to addressing emerging risks in mobile payments can be modified with proactive thinking, dialogue, and global collaboration.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum


November 15, 2010 in mobile money transfer, mobile payments, money laundering, P2P, risk management | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 8, 2010

Proposed rule targets cross-border wire transfers

In its simplest terms, money laundering generally involves the creation of an intricate series of financial transactions designed to conceal the identity, source, and destination of illicitly obtained funds. The success or failure of the laundering process generally turns on whether the launderer successfully minimizes or eliminates the trail that would lead law enforcement to trace the illicit proceeds back to their illegal source.

One common method for laundering money is wire transfers, particularly cross-border wire transfers, as they permit funds to move instantaneously from one account to another within and among international financial institutions. The Financial Crimes Enforcement Network (FinCEN) recently took action to address the money laundering risks commonly associated with cross-border wire transfers by proposing more stringent reporting requirements for financial institutions.

Expanded reporting for cross-border wire transfers
On September 27, 2010, FinCEN issued a notice of proposed rulemaking that would lower the reporting threshold on cross-border electronic fund transfers (CBEFT) from $10,000 to $1,000. FinCEN based its proposed rule on the conclusions of two studies: Feasibility of a Cross-Border Electronic Funds Transfer Reporting System under the Bank Secrecy Act, and Implications and Benefits of Cross-Border Funds Transmittal Reporting. The proposed rule would also require certain depository institutions and money services businesses to provide records to FinCEN of certain cross-border electronic transmittals of funds. Banks directly transacting with foreign financial institutions would be required to report all cross-border wire transfers to FinCEN.

The proposal would also require financial institutions to report the taxpayer identification numbers (TIN) of individuals who make CBETFs. Banks would file a list of these numbers annually for all CBETFs, regardless of the amount. MSBs would file TINs for CBETFs of $3,000 or more.

Currently, financial institutions are subject only to reporting suspicious wire transfers and maintaining and making available upon request to FinCEN records of cross-border wire transfers. According to FinCEN, the proposed rule will most likely affect larger financial institutions that use centralized message systems like SWIFT (Society for Worldwide Interbank Financial Telecommunication), Fedwire, and CHIPS (Clearing House Interbank Payments System).

The challenge in monitoring cross-border wire transfers
Monitoring cross-border wire transfers can present unique challenges since their processing can sometimes involve several intermediary financial institutions before the intended funds are received by the beneficiary. Effectively monitoring these transfers for anti-money laundering purposes generally requires that banks and nonfinancial institutions be knowledgeable of an account's normal and reasonable activity so they are better armed to identify transactions that may fall outside a known pattern.

According to a paper by the Basel Committee on Banking Supervision, there is need for improved transparency in cross-border wires due to the variance with the existing wire structure, which has done little to enable institutions to report the difference between cross-border and domestic wire transfers. The paper states that existing messaging practices can impair an institution's risk management and compliance obligations.

The proposed cross-border wire transfer reporting requirements are intended to improve transparency by facilitating more information gathering and enhancing money laundering due diligence. The proposed rule may also further assist law enforcement with the arduous task of unraveling the launderers' intricate web of tracing laundered proceeds back to their illegal source. FinCEN estimates that the proposed rule will spur 500 million to 700 million new reports a year. Currently, financial institutions and MSBs file more than 15 million reports per year.

Containing existing loopholes
FinCEN indicates that the enhanced reporting requirements will help close certain loopholes in the existing wire transfer rules that are exploited for money laundering, terrorist financing, and tax evasion—for instance, money launderers often purposefully send funds in increments below the current reporting threshold and use multiple institutions to avoid detection. Nevertheless, it is hoped that heightened reporting of account activity will help law enforcement and regulatory authorities detect, mitigate, and investigate money laundering and other illicit financial crimes. Or will the increased reporting requirements only serve to flood FinCEN with massive amounts of wire transfer data? But that is the topic of a future post.

The proposed rule is open for comment until December 29, 2010.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 8, 2010 in cross-border wires, law enforcement, money laundering, money services business (MSB), regulators | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Proposed rule targets cross-border wire transfers:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 1, 2010

Beware of cybercrashers to your social network party

According to the Nielsen Company, the overall global traffic to social network sites grew nearly 30 percent in one year, from 244.2 million users in February 2009 to 314.5 million users in February 2010. In the United States alone, the average active social network audience grew 22.8 percent, from 115 million to 149 million during that same time period. If social networks are expanding this rapidly, can the growth of associated risks—specifically, data privacy—be far behind?

Percentage of Americans who own gadgets
Enlarge Enlarge

Establishing privacy parameters
Privacy is perhaps the most significant concern surrounding the use of online social networking sites. Recently, BBC Mobile reported that consumer confidence in social networking sites has been shaken as issues over privacy concerns have come to light. Results of an RSA 2010 Global Online Consumer Security Survey show that, even as thousands of individuals join social networking websites each day, nearly 65 percent of survey respondents indicated that they are less likely to interact or share information due to growing security concerns. Although most online social networking sites have privacy protections in place that allow users to establish their own level of security settings, online social networks are inherently public, which makes it difficult to secure nonpublic information. But if users are shielding their personal information through security settings, how, then, are hackers able to extract this information and steal their identities? Could the simple act of sharing, friending, or posting make it easier for hackers to attack a social network site and impersonate its users?

Facing incoming threats to social network sites
Corporations that use social networks as communication tools (or corporations whose employees use them without IT's authorization) are faced with significant security and compliance risks. In a survey that FaceTime conducted of IT groups, 14 percent of respondents reported that they've seen data leak through social networks. According to this study, Web 2.0 applications like instant messaging, Skype, and the chat functions within social networks can travel undetected through an organization's network, thus posing the risk that confidential information such as credit card details will leave the organization's control without authorization. Hackers use various means to attack social network sites, including phishing, spam, and malware. Their success is in part due to the trust users place in their networks. The study also notes that users are far more likely to click on a link from a friend on a social network site than in an e-mail.

Using small bits of information to gain entry
Gateway data, a term coined by Herbert Thompson a professor at Columbia University, refers to the confidential information harvested by cybercriminals from social networking sites. According to Thompson and researchers at Carnegie Mellon University, hackers can use such confidential information as someone's mother's maiden name—discovered from a social network site—to answer a challenge question and gain access to the person's account or personal financial data. Users of gateway data can also use these single pieces of information to trick the user into revealing even more sensitive information.

In a 2009 study, researchers from Carnegie Mellon University were able to deduce the Social Security numbers of millions of individuals just by sifting through fragments of data typically shared on social networks and other publicly available sources. Another study, this one by Consumer Reports, found that 52 percent of social network users disclose information that could leave them vulnerable to cybercriminals. Pieces of information such as a mother's maiden name, home address, or home or mobile phone number can lead perpetrators to steal users' identities.

Deterring cybercrime with a healthy dose of skepticism
The global reach and public nature of social networking websites have made them a favored target for online criminals. While consumers enjoy the ease of communication and information sharing on these social networks, these online forums have introduced new and unanticipated risks. Users must take some crucial steps to deter thefts of their identities, included becoming educated in the types of online crime while avoiding such common pitfalls as weak security settings and compulsive information sharing.

A healthy dose of skepticism on what, how much, or with whom to share can go a long way in reducing the exposure of personal, confidential information, because what is shared on the Internet stays on the Internet.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 1, 2010 in cybercrime, identity theft, privacy, social networks | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad