Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
January 31, 2011
Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens
Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.
Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.
Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.
Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.
Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.
Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating these malwares include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may also already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.
Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and its corporate consumers to defend against cyber attacks.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 24, 2011
The future role of financial institutions in the domestic P2P environment
Although the use of online banking and online bill payment has flourished over the past decade, banks have yet to capitalize on the opportunity of the thriving online and mobile domestic person-to-person (P2P) transaction market. Online banking use more than doubled from 20 percent of households in 2000 to 53 percent in 2009, according to a December 2009 Javelin Strategy report (Multi-Channel Account-to-Account Transfers and P2P Payments Forecast: Evaluating Trends and Assessing the Future 2006–2014). Further, online bill payment usage has grown from 5 percent of households to 36 percent during the same time period. However, the traditional bank P2P methods of check, cash, and wire transfer continue to decline while online and mobile domestic transfers are expected to grow at a 9 percent compound annual growth rate, according to the Javelin Strategy report. As banks face continued downward pressure on revenues and intense competition from both new and existing players, the online and mobile P2P market represents a threat to banks' traditional check business. However, it also represents a potential opportunity for banks to offer a distinct service to their customers.
The expanding domestic P2P market
A 2009 TowerGroup report (Noncash P2P Payments: Checks in Decline Still Rule the Roost) estimates the U.S. noncash domestic transfer market at $1.1 trillion, composed of more than three billion transactions. Checks remain the dominant P2P means of settlement. However, the availability of the Internet to households, impressive growth of smartphones, exponential increases in consumer mobile data usage, and numerous mobile applications (especially for the iPhone) are creating a healthy environment for the growing online and mobile domestic transfer market in the United States. The Javelin Strategy report suggests nearly 44 percent of the 86 million online households made at least one online P2P transfer, up from 27 percent in 2008.
The online and mobile P2P market has been dominated by PayPal to date. However, payment processors, electronic card networks, and new emerging payment service providers have launched competing products over the last several years. PayPal and other service providers, such as CashEdge, Fiserv, FIS, and MasterCard, have each created products designed to integrate into banks' existing online and mobile channels. Although these products can be integrated into banking channels and the transactions are more convenient for consumers than a traditional bank wire or check transaction, the transaction is far from seamless. In order to use the online and mobile P2P products that banks currently offer, consumers must register not only with their bank but also with the bank's P2P service provider partner, which often requires them to submit their personal and banking account information. Adding further complications, completing the transaction may require the receiver of the payment, or the receiver’s bank, to have a relationship with the P2P provider that the payer uses.
Tapping the ACH network?
While it appears that the migration from paper checks to electronic forms of payment in the consumer-to-business market is crossing over to the P2P market, banks still have many hurdles to clear before they can capitalize on the P2P opportunity as online and mobile P2P payments become widespread. The P2P providers offer banks a solution that allows for quicker settlement than either checks or wire transfers, but the solution is still far from consumer-friendly. In order to provide banking consumers a friendlier P2P online and mobile service, banks could consider the development of a P2P solution that leverages the extensive ACH network in a manner similar to a person-to-business transaction. Much like mobile banking or bill payment, consumers could opt into the P2P service and transfer or receive funds between any banking institution on the ACH network without having to register with and provide confidential data to a third-party P2P service provider to access the service.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 18, 2011
Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference
On November 15–16, 2010, law enforcement, regulators, and other selected payments experts gathered once again to exchange ideas, research, and business expertise at the "Emerging Risks in Emerging Payments" conference at the Atlanta Fed. The conference provided a platform for sharing retail payments knowledge and insights among payment industry participants, regulators, and law enforcement. The conference also expanded networking opportunities for industry stakeholders essential to the payments industry, all of whom have a common interest in improving the detection and mitigation of emerging risks and fraud in emerging retail payments systems.
Opening remarks were made by Patrick Barron, first vice president of the Atlanta Fed. He was followed by Richard Oliver, executive vice president and director of the Retail Payments Risk Forum. Five expert panels with representatives from law enforcement, corporations, service providers, and other stakeholders discussed a range of themes related to emerging risks in emerging payments. Each panel provided a high-level overview of the state of the retail payments environment.
The following brief summary captures some of the key themes discussed during the event. Additional presentation materials are available on the Atlanta Fed's website.
Emerging trends in retail payments
Recent technological advances have changed the way retail payments are conducted. For instance, innovations in the card space are providing better ways to combat card fraud. Countries that have adopted Europay, MasterCard, and VISA (EMV) have seen a marked reduction in skimming fraud compared with countries that use magstripe cards, including card-not-present transactions over the Internet.
The mobile payments panelists predict that consumers will eventually migrate to mobile wallets—the speed and convenience of payment both for the merchant and consumer enhance this likelihood. However, the panelists agreed that some of the challenges to mobile payment adoption in the United States include lack of standardization, merchant investment hurdles, perceived security requirements, and lack of a clear value proposition for consumers.
Emerging risks in retail payments
Innovation introduces new risk factors. Several panelists highlighted the ongoing importance of protecting consumer information as the sophistication of financial crimes continues to increase. For instance, one panelist explained that in the card space, virtual prepaid cards can be funded by a transfer from another card or by phone or Internet, often times anonymously. In some cases, illicit funds can become instantly available from ATMs in more than 200 countries, without sharing confidential or bank information, which makes it very difficult for law enforcement to trace and monitor these funds.
Another panelist discussed the risk profiles of the different person-to-person (P2P) business models. For example, while the mobile channel is emerging as a viable method for P2P payments, telecom customer data—and, to a lesser extent, e-mail addresses—have become reliable ways to identify individuals to receive messages. However, they are not 100 percent reliable public directories. Some of the key risk distribution issues in a P2P environment include unauthorized transactions, intermediary error (such as misdirected payments), and fraud.
Additionally, panelists discussed the emergence of payments in the social network realm. One panelist discussed how fraudsters use social network sites and the data they gather from those sites to commit cybercrimes such as identity theft and "clickjacking scams," which trick users into clicking on ads and other sites that divert them from safe and reputable sites. Another panelist discussed the rapidly growing new segment of social network "businesses" that leverage the payments platform but turn out to be shell or fraudulent businesses.
How to address emerging risks in new retail payments?
Fraud and risk detection and mitigation must keep pace with emerging payments trends. Advances in payments technology enable new ways to conduct retail payments but can also create new channels for criminals to exploit and commit payments crimes.
The panelists highlighted these issues and more while proffering ways for regulators, law enforcement, and others to work together towards mitigating and deterring risks and fraud in the emerging payments environment. All in attendance recognized that the challenges ahead are common to all parties involved, and information sharing along with collaborative action is imperative for achieving the goal of ensuring a safe and efficient payments system.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference:
January 10, 2011
Nonbanks and payments innovation: Because that's where the money is
In the past decade, nonbank companies have driven most payments innovations. For the most part, banks have left Silicon Valley startups and other third-party players to develop cool new payments gadgets and platforms that attract venture capital and YouTube views. While this dynamic and free market has allowed for great creativity, it has also meant that many of these new payments tools emerged outside the extensive system of regulations and consumer protections that exist in the banking industry.
This blog previously covered the lack of uniform regulation of the money services business (MSBs), a significant gap given the expansion of financial services offered by MSBs like Western Union and MoneyGram in recent years. While providing a vital service for money transfer, MSBs may be vulnerable to money laundering and fraud schemes, as they lack the robust regulatory oversight that governs mainstream financial institutions. Through a series of industry partnerships, MSBs and other less-regulated nonbank payment companies are integrating with bank operations. For example, CashEdge, a relatively new alternative payment service provider, and MoneyGram recently announced one such partnership that could have implications for anti-fraud efforts.
Last year, MoneyGram paid $18 million in a Federal Trade Commission (FTC) settlement that charged the company had known about fraud on their system but did not work to address it, disregarding law enforcement warnings and willfully ignoring customer fraud complaints against agents. Consumers reported $84 million in losses between 2004 and 2008, but it is likely that many victims did not come forward, and the FTC claims that losses may actually have run into the hundreds of millions of dollars. Since the settlement, MoneyGram has invested heavily in anti-fraud measures, including enhanced agent training, improved communication with consumers, and greater partnership with law enforcement and the FTC. In response to questions from the Connecticut Watchdog, MoneyGram explained that these efforts have prevented $30 million in fraud this year and resulted in a 75 percent decrease in fraudulent transactions between the United States and Canada.
However, con artists continue to exploit Americans, evidenced by the recent Make-A-Wish scam. This scam has already defrauded victims of $20 million, with the thieves again using Western Union and MoneyGram to receive payments. Although these companies provide a valuable service to those sending money abroad to family and others, they are still vulnerable to threats from bad actors.
In light of this vulnerability, MoneyGram's announcement this past fall of a partnership with CashEdge to integrate with their POPmoney service bears scrutiny. POPmoney is a bank-initiated peer-to-peer payments service that went live late in 2009 and allows users to send friends and family money through text, e-mail, or online banking. The product has been very popular, with more than 100 banks adopting the service within six months of launch. The new partnership means that POPmoney users will be able to transfer money not just to other bank accounts, but also to any MoneyGram location around the world. These POPmoney-to-MoneyGram transactions will likely be fast and irreversible, using CashEdge’s convenience and MoneyGram's global presence. Furthermore, users will initiate all transactions via online or mobile banking, funding them directly from their primary bank account. Although MoneyGram launched enhanced anti-fraud technology last year for scanning risky transactions, these online transfers would bypass live agents whose training is one line of defense against fraud.
Although there may be considerable risks in integrating MSBs directly to a financial institution's online banking services, doing so could also be an opportunity to fight fraud in these channels. If banks' extensive experience in fraud detection and mitigation were applied to the money transfer business, it could significantly improve consumer safety and experience. If there are lessons to be learned here, they could be applied to a variety of similar partnerships across the industry, improving banks' access to innovation and enhancing the risk management capabilities of new payments products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Nonbanks and payments innovation: Because that's where the money is:
January 3, 2011
Demand deposit accounts: Balancing convenience and risk
Today's demand deposit accounts (DDA) have multiple access points–online, mobile, and ATM–affording consumers a great deal of convenience. At the same time, though, they provide that many more ways for criminals to carry out fraud schemes, as hacking tools (PIN phishing and skimming) become more sophisticated and fraudsters more bold with their attempts to fleece DDAs. According to a white paper by Fiserv, banks are becoming increasingly concerned about DDA fraud. The paper mentions a survey by McKinsey & Co., which revealed that an estimated $5 billion to $7 billion in annual losses can be attributed to DDA fraud, a figure expected to grow at a annual rate of 7 percent.
DDA fraud can take many forms. When it occurs with debit cards, a fraudster can steal or skim the physical card, or use a phishing scheme to steal a PIN, then use that information to deplete the account. When fraud occurs with checks, a perpetrator can empty the DDA by forging check endorsements or drawer signatures, counterfeiting or altering checks, or carrying out check kiting schemes. According to the Fiserv paper, there is also cross-channel fraud, which occurs with accounts that have more than one access point. This type of DDA fraud is increasing most likely because of the introduction of new channels like mobile and account-to-account transfers.
Declining check use but rising check fraud
Interestingly, even as check use declines, losses from check fraud and attempts at such fraud rise. The decline in check usage was recently captured by the Federal Reserve's 2010 Payments Study, which showed that "in 2009 more than 75 percent of all U.S. noncash payments were made electronically, a 9.3 percent annual increase since the Federal Reserve’s last study in 2007."
According to a recent speech by an official from the Financial Crimes Enforcement Network (FinCEN), reports of scams involving checks increased 19 percent in the first six months of 2009, and 27 percent of all Suspicious Activity Reports (SAR) filed in 2009 were for fraud-related activities. Check fraud was one of only two categories—the other was money laundering—that had an increase in SARs between 1996 and 2009.
Another study that touched on the prevalence of check fraud is the 2009 Deposit Account Fraud Survey Report of the American Bankers Association, which estimated that check-related losses amounted to $1.024 billion in 2008, up from $969 million in 2006. Of the banks surveyed, 80 percent indicated that they had reported check fraud losses in 2008, the same percentage as in 2006.
Rising debit card use, rising fraud
Debit card fraud is usually carried out through point-of-sale signature, PIN, and ATM transactions. As debit card usage escalates, so does debit card fraud.
According to the Fed's 2010 Payments Study, debit card usage exceeds all other forms of noncash payments. In fact, the annual use of debit cards increased by over 12.8 billion payments, the largest increase by any payment type during the survey period, reaching 37.9 billion payments in 2009.
According to the ABA survey, commercial losses from debit card fraud reached an estimated $788 million in 2008. Approximately 92 percent of survey participants reported experiencing debit card fraud, not surprising given the prevalence of debit cards.
Addressing DDA fraud
With consumers more and more often using debit cards and other noncash payments at the point of sale, and with the continued growth of more sophisticated hacking schemes, early detection and mitigation are more critical than ever to resolving payments fraud. The management of DDA fraud risk will have to change in response to the creation of new access points to demand deposit accounts.
Notwithstanding the technological advances in software that help financial institutions prevent and detect DDA fraud, the self-vigilance of consumers can add significant value. As we move further away from paper-form and more towards all-electronic-forms of payments, ultimately, detecting and deterring demand deposit account fraud will continue to be a combined effort between the consumer and its financial institution.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud