Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


December 20, 2010

You better watch out! ...Santa goes cyber

Happy holidays from the Retail Payments Risk Forum!

As this world has drifted away from traditional written communication to a fully electronic communications process, we see that Santa Claus has finally moved into the 21st century. On a network news show this week, we saw that there are still plenty of letters being written to Santa in the conventional way, but data from the industry consultant Javelin Gifts shows that only 26 percent of all Christmas lists are in paper form. Most kids now want to communicate with Jolly Ol' Saint Nick electronically. The benefits appear to be extraordinary for both the wide-eyed children and the man himself, not to mention the beleaguered elves that can now use automated list sorting tools, name and address directories, and list matching to ensure the elimination of duplicate orders. A new feature labels each entry with a GPS locator that cuts down tremendously on useless flying around, thereby dramatically improving the overall "bales-of-hay-per-mile-flown" reindeer efficiency measure.

Santa's new website unveiled
Recently, we explored Santa's new site, where you can choose a variety of options, including the usual descriptions and pictures of Santa's house, Mrs. Claus, all the important workshops, the latest Elf of the Month, and live video of the reindeer in their stables. The main tab Christmas Lists is, of course, the place for all boys and girls to go to enter their wish lists, following a brief application process (name, address, age, chimney/no chimney, naughty/nice, etc.) and the usual OFAC—Office of Foreign Assets Control—screening to ensure that those kids requesting bomb-making material are not terrorists. Recent attempts to hack the site have revealed that Santa's firewalls are pretty darn good, ensuring that there are no last-minute denial-of-service attacks from the Grinch or other such hooligans intent on spoiling Christmas for the rest of us. The site also appears to have pretty strong SPAM filters to counteract the recent attempts of high-end retailers trying to get Santa to provide only their brand of products.

Two other tabs are prominently shown. First, there is a live chat room where the customer can chat with specialist elves to get expert opinions on some of the hottest toys, including the current backlogs in production. Second, a tab called Value-Added Services encourages the customer to take advantage of things like gift wrapping, special notes from Santa, gift recall lists, and roof/chimney repair services. The fees associated with such services help keep the site maintained and contribute to the necessary overtime pay that inevitably piles up the last week before Christmas. One of the more interesting services is a data privacy service that provides for a Christmas list to be encrypted, thereby preventing prying eyes from seeing what they are getting under the tree. Of course, this also helps Santa stay out of legal trouble and avoid cumbersome government-mandated data breach reporting.

Wrestling with Christmas Criminals
Recently, the North Pole has had to address a growing number of account takeover concerns about Ukrainian hackers posing as children who might try to compromise the website on Christmas Eve, changing the addresses associated with some of the more attractive gift lists. The most effective malware to date rode in on a piece of spam entitled "Cookies and Canes" that the jolly old elf couldn't resist opening. My understanding is that Santa has fixed this problem by moving his site to a separate computer from his personal e-mail laptop.

Before logging off, we clicked on another tab called Flight Tracker that allows concerned parents to track the progress of their children's deliveries on Christmas Eve. This can be particularly helpful if Santa gets to your house at, oh, say 5:00 a.m. and you need to barricade the hallway to forestall the progress of some particularly geeked-up kids who wake up way too early and want to check out the tree.

And to all a good night!
Upon reflection, we were really impressed with Santa's new website, but disappointed that he had to implement so many fraud detection and prevention tools. However, there seem to be even more features to come. A news line scrolling across the bottom of the page promised upgrades next year to text messaging and Facebook for those kids who just don't have the time to send e-mail.

While the point of all this may seem to be to let you know that no one, including Kris Kringle himself, is exempt from fraud in the electronic world, it really is just a way to give our staff a week off from serious blogging and to wish all our dedicated readers a very Merry Christmas and Happy Holidays! See you next year!

By Rich Oliver, Cindy Merritt, and Ana Cavazos-Wright

December 20, 2010 in consumer protection, innovation



December 13, 2010

Numbers don't back up fears about WEB and TEL

Recently, I got word that many banks, particularly small banks, may be bypassing the opportunity to market certain ACH origination services to their corporate customers because they are concerned about the underlying potential for fraud. In particular, banks may be holding back on offering debit origination services to companies selling services or accepting bill payments over the web or telephone. These are recognized as WEB or TEL entries in the parlance of ACH.

Certainly, conscientious, well-controlled financial institutions should be concerned about ensuring that they are not party to fraudulent transactions through the ACH. However, there is nothing inherently risky about WEB and TEL entries compared to any other types of transactions. In fact, in recent presentations, the NACHA-The Electronic Payments Association has revealed encouraging long-term trends with regard to a key statistic in sensing fraud: the level of unauthorized ACH returns.

WEB and TEL return data are favorable
Data collected from the Federal Reserve and the Clearing House Payments Company—the two ACH operators—and aggregated by NACHA show that the overall return rate for WEB transactions stands at 0.03 percent, or three transactions in every 10,000, as of the second quarter of 2010. Interestingly, this rate is actually slightly lower than the rate for all preauthorized debits—such as insurance premiums, car payments, and health club fees—which stands at 0.04 percent over the same period.

For TEL transactions, the rate is somewhat higher at 0.11 percent, or 11 returns for every 10,000 transactions. This higher rate may stem from the fact that a good percentage of TEL transactions flow from telemarketing activities that are sometimes fraudulent or sometimes characterized by "buyer's remorse." In contrast, Federal Reserve data show that return rates for check collection—a business generally thought to be safe by most banks—average something less than 1.0 percent. The point here is that data shows that ACH WEB and TEL transactions do not appear to be risky by common transaction processing measures.

Knowing the customer is still critical
As with all account relationships held by financial institutions, a small dose of due diligence can go a long way to help ensure that an institution does not engage with a fraudulent firm. This "know your customer" process, if applied regularly, can diminish any significant chance of experiencing ACH fraud for TEL transactions. For that matter, the same due diligence is necessary for remote deposit capture, remotely created check relationships, and credit card services. In addition, both the Federal Reserve and the Clearing House offer originating depository financial institutions ACH risk management and monitoring services that allow a bank to quickly detect any dangerous trends in unauthorized return experience. In fact, the Federal Reserve service allows originating financial institutions to reduce their risk exposure by establishing debit and credit origination limits on any of their corporate originators as part of their overall risk management program.

The only thing we have to fear...
It's possible that some of the concerns that small banks have regarding these transactions stem from recent news reports. Some corporations that have fallen victim to so-called account takeovers have accused their banks of not doing enough to help them detect fraudulent activity in their ACH-originated payroll files. As most professionals know by now, Internet-based criminals use the account takeover scheme to insert malware into a company's system through e-mail, spam, or some other vehicle. Banks are still wrestling with ways to help their clients monitor such files, and ACH operators do not have any specific services in place yet to help the banks do this. However, WEB and TEL transactions involve the origination of debit transactions, not credit transactions, as is generally the case with account takeovers.

Small banks may also not be originating WEB and TEL transactions simply because many smaller companies, utilities, manufacturers, and retailers are not yet offering web-based payment services. In essence, the market for selling such services is limited, but it's clear that over time more and more small companies will be able to offer these payment services and will be asking their banks to support ACH WEB and TEL originations. And really, given the data and controls noted above, "The only thing we have to fear is fear itself," to quote a famous president.

Marie Curie said it a little differently: "Nothing in life is to be feared. It is only to be understood." It is important to be risk-conscious, but it is also important to understand the available data and controls for informing decisions about ACH services that could represent opportunities to service a customer's changing needs better.

By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

December 13, 2010 in ACH, fraud, payments



December 6, 2010

Tough decisions: Fighting fraud in a free market

Over the past two years, despite a stagnant economy, the U.S. payments system has harvested the benefits of a free market: the generation of hundreds of innovative ideas. Mobile payment pilots, P2P offerings, remote banking services, small merchant credit card approval tools, and at-home remote deposit capture services for checks are only a sampling of the new ideas, many of which came from nonbank participants. Inevitably, this type of innovation and competition will result in more choices at more reasonable prices for American consumers and businesses.

This extraordinary explosion of payments system creativity stems not only from the benefits of free market capitalism, but also from the historical fact that our payments system enjoys substantially less oversight than other advanced economies. While we have a considerable array of consumer protection regulations in place in the United States, we do not have any specific government body charged with determining and enforcing overall payments policies and practices. Unlike much of Asia, Europe, the Far East, and Australia, there are no competition authorities, payments councils, commissions, or boards that set policy across payments channels. The Federal Reserve does not play as strong a role in governing payments as do the European Central Bank, the Bank of Japan, or the Reserve Bank of Australia. Congress has passed no comprehensive payments law such as the Payments Services Directive in Europe or the Payments Services Act in Japan. Predictably, then, we see the type of lively and innovative payments market in place in the United States today.

The downside of freedom
But, in the words of that great college football guru, Lee Corso, "Not so fast, my friends!" With the freedom to innovate also comes the freedom to do bad things. Said differently, there exists an inconsistent appreciation or concern for the necessary integrity of payments products and services. Entrepreneurs are not given the responsibility to ensure that their ideas can pass muster in the public policy arena. Their first concern is the marketability of their glitzy new product, not its protection against intrusion or susceptibility to fraud. While we can argue that banks by their very nature are more steeped in the tradition of focusing on integrity and security as key elements in payments services, the same is probably not as true for the large number of new nonbank players entering the payments world. Certainly, some such companies, particularly those run by experienced financial services professionals, do get the message, but many do not. We can assume that as less secure products and services are deployed, bad things will happen and lessons will be learned that bring about a reformation. In the meantime, many consumers and businesses may be seriously impaired.

The likely result of such experiences, however, may be the further engagement of Congress—and, ultimately, government—to devise remedies for the failings of a highly innovative payments system. Over time, we have seen some of this in the form of targeted legislation intended to fix problems or rein in abuses. Payments-related controls are embedded in the Expedited Funds Availability Act (EFAA), the Patriot Act, the CARD (Credit Card Accountability Responsibility and Disclosure) Act, and the recent Financial Reform Act. But none of the past legislative efforts have been comprehensive. The EFAA focused on checks, the Patriot Act on cross-border payments, the CARD Act on credit cards, and the Durbin Amendment to the Financial Reform Act on debit cards. The specific rules and controls for operating our various payments systems are resident in the requirements of the card companies, the NACHA rules for ACH, and Fed and ECCHO (Electronic Check Clearing House Organization) rules for check image exchange. In essence, the integrity of our payments system relies as much on vigorous self-policing as it does on law making. In fact, one could argue that law making is the predictable successor to bad self-policing.

The challenge to self-police
So the challenge for the payments industry, in an era of explosive technological development and worldwide connectivity, is to become much more focused on the issues associated with protecting the integrity of the payments system. Such attention needs to encompass a wide range of concerns, including data privacy, fraud mitigation, and financial stability. We cannot continue to build solutions that allow customer accounts to be taken over, identities to be stolen, and terrorist financing and money laundering to prosper. If we do, then we can be certain that Congress will move to clamp down, either on a piecemeal basis or more comprehensively, following models in place elsewhere. Ultimately, it is up to the industry as a whole, through its individual parts and representative groups, to get serious about its deficiencies within and across silos. In difficult financial times, it is hard to contemplate spending more on protecting the payments system when so many other priorities call. But our ability to preserve the potential benefits of widespread innovation may depend on it. If we fail to spend on remedies now, we will inevitably spend on them later and probably with less efficiency in reaction to legislation and regulation.

By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

December 6, 2010 in innovation, payments systems, risk management

