Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
March 28, 2011
The nitty gritty of money transfer operators (MTOs)
When a friend of mine was travelling across Cambodia last year, he had a common, yet frightening, experience of the solo voyager: his wallet was stolen. Luckily, despite the seeming remoteness of his beach vacation, there were several Western Union agents in Sihanouk Ville. His parents were able to send him enough cash to finish out his trip. While losing his identification was still stomach-gnawing, he at least had the money to pay for lodging, food, and transportation. The global reach of money transmitters offers a clear value to travelers and migrants, but may also be valued by those wishing to exploit the companies for more nefarious purposes.
The reach of MTOs across the globe is a remarkable business accomplishment. Western Union or MoneyGram agents can be in from the smallest American town to the remotest corners of the globe. Western Union currently boasts 445,000 locations worldwide, and MoneyGram offers another 227,000. This already expansive agent network is quickly growing, with Western Union adding 150,000 locations since 2007. These MTOs serve the financial needs primarily of migrants—a significant portion of the worldwide population—offering not only money transfers but also ancillary services like prepaid cards, money orders, and walk-in bill payment. Immigrants in any given country are often unbanked or underbanked, yet often need to send cash remittances to family back home. MTOs are able to charge a premium for services that customers see as reliable, fast, and private.
But how exactly are these international money transfers executed? In Western Union's case, agents take cash from remitters and enter confirmation of cash receipt into Western Union's messaging system. The agents also collect data on both the sender and recipient. On the receiving end, the recipient in most cases presents photo identification at his or her local agent to pick up the cash. Western Union net settles with agents at the end of the day via ACH, if that service is available in the country, or by wire otherwise. Western Union has some intraday credit exposure to the transaction, as they commit to reimbursing the receiving agent regardless of the sender's solvency at the end of the day. Therefore, a Western Union transfer consists of three different streams: the flow of information between the sending and receiving agents via their messaging system, the separate communication between sending and receiving customers, and the final flow of funds between Western Union and the agents. MoneyGram's system operates similarly, but typically at a somewhat lower price point.
What are the risks?
The primary concern of regulators and law enforcement vis-à-vis MTOs is the risk of illicit use—bad actors taking advantage of these global networks to launder money and finance terrorism. Unlike banks that establish long-term account relationships with their clients, MTOs offer one-off transactions with more limited customer data. Consequently, MTOs may lack the relationship-level depth of customer data that banks have access to for risk mitigation purposes. Western Union has proactively led anti-money laundering (AML) compliance efforts in response to such fears. In 2010 testimony to Congress, Western Union reported spending more than $35 million annually on AML compliance. Although MTOs are global in scope, regulatory oversight is inherently limited to specific jurisdictions, and therefore the firms must interact with many different regulators and law enforcement agencies. MTOs currently operate under a complex structure of state, federal, and foreign regulation. Western Union has advocated for more consolidated regulation at the federal level, which may be in the cards, as the new Consumer Financial Protection Bureau (CFPB) will have jurisdiction over MTOs. Of greater concern may be unregistered MTOs, which operate outside the rule of law, and against whom FinCEN regularly brings enforcement.
Another concern facing MTO regulators is fraud. Social engineers sometimes use MTOs to try to part victims from their money. For example, a scam artist might convince a victim that he or she has won a cash prize but must first send a money transfer to cover the taxes before collecting the winnings. Of course, after the target sends the irreversible transfer, he or she never sees any winnings. We have previously covered MoneyGram's remedial efforts in this area, and Western Union calls out this risk as a special concern in their annual report:
The remittance industry has come under increasing scrutiny from government regulators and others in connection with its ability to prevent its services from being abused by people seeking to defraud others.... [T]he ingenuity of criminal fraudsters, combined with the potential susceptibility to fraud by consumers during economically difficult times, make the prevention of consumer fraud a significant and challenging problem. (p. 27)
The global ubiquity that lies at the heart of MTOs' value proposition is also a key risk factor for illicit use and fraud, as criminals may leverage the systems to divert illicit gains outside the jurisdiction of their crimes. While some companies have recognized this risk and actively worked to mitigate it, others may need regulatory encouragement. How can we most effectively monitor such expansive entities? How can industry and regulators better collaborate to bring unregistered MTOs into compliance with existing laws? These questions will be increasingly important as the CFPB moves to more rationally and comprehensively supervise this dynamic industry.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The nitty gritty of money transfer operators (MTOs):
March 21, 2011
FinCEN proposed new rule addresses money-laundering risks in prepaid products
While prepaid payment products still represent a small percentage of today's electronic payments, their use is rapidly growing. According to the 2010 Federal Reserve Payments Study, the number of prepaid card transactions increased 21.5 percent each year from 2006 to 2009. Most prepaid payments are enabled by plastic cards, but today's technology can enable the same payment functionality in other form factors, including mobile phones.
As the market for these prepaid products continues to develop and grow, the Financial Crimes Enforcement Network (FinCEN) has been watchful of their potential money-laundering risk exposure and issued a proposed rule addressing various kinds of prepaid access devices. In its proposed rulemaking notice, FinCEN announced that the rule would cover not only cards but also such access devices as mobile phones, key fobs, and any other device that can serve as a portal to funds paid for in advance and allow a consumer to retrieve or transfer these funds.
Prepaid access devices and money laundering risks
Many of the same factors that make prepaid access devices attractive to consumers can make them vulnerable to criminal activity. For instance, the ease with which these devices can be obtained along with the potential for anonymity—which is the case with nonreloadable open-loop cards, for example—as well as the ease with which money can be loaded onto them can make them potential money-laundering vehicles.
To help identify potential risks related to prepaid access devices, FinCEN formed a subcommittee within their Bank Secrecy Act Advisory Group (BSAAG). The subcommittee has identified numerous risks, such as funding with cash from stolen credit cards and virtual money cards that allow individuals without a bank account to access illicit cash via ATMs globally. Some high-profile criminal activities have also surfaced, exposing some of these potential risks.
Because some products are perceived to be less likely than others to be used for money laundering, FinCEN has excluded certain prepaid access devices from its rulemaking, including payroll cards, government benefit cards, heath care access cards, closed-loop cards, and products that allow access amounts less than $1,000.
Disrupting, detecting, and deterring the illicit flow of funds
Disrupting the flow of funds can create a less-than-ideal environment for criminals attempting to conceal the sources of their illicit funds. FinCEN's proposed rule is one way to accomplish this disruption. By implementing additional systemic safeguards and filling gaps in the prepaid environment with stronger regulatory controls, the agency hopes to make it more difficult for criminals to use prepaid payments products for illicit purposes.
Ultimately, the goal of the proposed rule is to enhance the regulatory framework for prepaid access devices while finding ways to promote development and growth in the prepaid industry and discourage wrongdoers from misusing prepaid products. For now, FinCEN's final rule is pending release, but if it is adopted as proposed, it would expand Bank Secrecy Act compliance obligations to prepaid access devices beyond plastic prepaid cards to include emerging prepaid products.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference FinCEN proposed new rule addresses money-laundering risks in prepaid products:
March 14, 2011
Why U.S. issuers might be reluctant to adopt the EMV standard
A hot topic for Portals and Rails and the Retail Payments Risk Forum has been the replacement of magnetic-stripe cards with chip-and-pin cards in the United States. In fact, a recent industry blog labeled my colleague Rich Oliver "the first U.S. banking industry executive to publicly declare that a U.S. migration to the EMV payments standard is inevitable." Many countries around the globe have adopted or are in the process of adopting the EMV standard, but the United States has not budged, despite a recent European Payments Council resolution suggesting an end to mag stripe. Meanwhile, U.S. industry participants, including a large payment network and issuer, are investing in improving mag-stripe cards.
Let's consider the migration to EMV from an issuing perspective using recently collected debit card information by the Federal Reserve Board to assist with its responsibilities under the Durbin Amendment.
Current status of EMV in the United States
With the recent announcement that the Raleigh, N.C.-based State Employees Credit Union will convert its debit card portfolio to EMV by year's end, there are now two (yes, two!) small financial institutions in the United States committed to converting their portfolios to the EMV standard. If reports on fraud reduction since implementing the EMV standards in countries such as the United Kingdom are true, why then are U.S. issuers slow to convert to EMV? In last week's blog, Rich states that, given current fraud loss levels and fraud management and mitigation costs, there may not yet be a near-term business case for the migration to EMV. However, peeling back the onion another layer, a key difference in the authorization environments of the United States to other markets, such as the U.K., has led to lower levels of fraud, albeit at significant investment levels, and a fundamental reason behind issuers' reluctance to migrate.
Online versus offline authorization
Nearly all card transactions in the United States are authorized online. In this environment, the transaction authorization uses telecommunications at the time of a sale to route a merchant's authorization request to the issuer to approve or decline, based on a number of factors such as available funds or credit limit and multiple fraud prevention and mitigation checks. U.S. issuers and networks have invested heavily in fraud prevention and mitigation controls for online authorization programs. As a result, issuers have recognized relatively low levels of card fraud—approximately $.02 per debit transaction, or 5.4 basis points of transaction value. For PIN-based debit transactions, these numbers are even lower: $.01 per transaction, or 3.3 basis points of transaction volume.
Unlike the United States, the United Kingdom has primarily been an offline authorization market. In this scenario, the transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuers. Most importantly, this type of authorization process does not support PIN debit transactions using magnetic-stripe technology. While the EMV standard supports both online and offline authorizations, the reduction of fraud for offline authorizations was a key driver of implementation in the United Kingdom, as EMV allows for offline authorization at the time of sale.
According to analysis of data from the UK Payments Administration, fraud rates on all cards at the end of 2004 (near the beginning of the EMV implementation) were significantly higher than fraud levels currently seen on debit cards in the United States. However, by June of 2010, fraud in the United Kingdom has fallen by more than 50 percent to £.03 per transaction, or 6.6 basis points of transaction volume, which is still higher than debit card fraud rates experienced in the United States today.
Will there be a case for U.S. issuers to adopt the EMV Standard?
With approximately 500 million debit cards in circulation in the United States, relatively low levels of fraud, and significant investments into current authorization systems, it seems reasonable that debit issuers currently have little appetite for investing in the EMV standard today. While recognizing that the credit card story might paint a different picture with higher fraud losses, the fact remains that both issuers and networks have made significant investments in authorization systems to prevent and mitigate credit card fraud from which they don’t appear to be ready to walk away.
In light of U.S. issuers' shunning the EMV standard to date, here are some questions for industry participants to ponder. Will there be a tipping point for the United States to adopt the EMV standard? If so, what will that tipping point be? Can the global card payment market exist in an environment similar to the electrical market, whereby the United States uses 110-volt electricity while most of the world uses 220 volt? Can chip-and-pin prepaid cards such as the Travelex Cash Passport Currency Card address differences in global payment standards for U.S. issuers in a way that electrical adapters address the voltage issue?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 7, 2011
Moving to chip-and-pin: The cost of foresight versus the price of hindsight
As I watched the dramatic events in the Middle East unfold over the past few weeks, I realized that revolution may be the only form of change in the world today that takes less than five years. This seems particularly true in the payments industry, where managing new technology is at the heart of the change process.
It has taken six years to implement Check 21 in the United States. Meanwhile, Canada has established a five-year plan to move to chip-and-pin technology for payment cards. The United Kingdom has announced a plan to eliminate checks in seven years, with a five year checkpoint. In Europe, the goal of achieving seamless cross-border payments services as codified in the Payment Services Directive is in its fourth year of implementation, and talk has turned to setting another set of deadlines for mandating implementation of actual payment traffic, as opposed to technical readiness.
The common thread in each of these as-yet-uncompleted initiatives is that they are all actually under way. They have a start date and an anticipated finish date, a known goal toward which all participants are driving. At such time that each effort was initiated, there was someone, or perhaps many "someones", who determined that there was a compelling societal, if not individual participant, business case for moving forward toward a somewhat distant vision.
Today in the United States, however, in the wake of the economic crisis that has created a backlog of payments and IT initiatives, new investments seem stalled under the jaundiced eyes of senior financial planners. In essence, key projects whose deliverables we know we will need in five years are in danger of never getting started. Why? Because a present business case based in today’s experience is hard to construct, and funding for projects with better short-term results may be given precedence over far more strategic long-term projects with better net-present-value results.
A case in point may be the effort to move from magnetic stripe card technology to the more fraud-resistant chip-and-pin technology now being deployed throughout the rest of the world's developed nations. My colleagues and I have written about this issue previously, and some very smart friends of mine in the industry have assured me that current card losses, and I assume current all-in costs of card fraud management and mitigation, are just not bad enough to create a positive business case for change, particularly for large issuing banks who are potential market movers.
My problem, however, lies in the fact that the business case should not be based on current costs, but rather on the anticipated costs five years from now when implementation is likely to occur and depreciated investment costs actually come on line. Of course, the $64,000 question is, "What costs of fraud should we forecast for 2016?"
Frankly, no one actually knows that number, but we do know that it is very likely to be much higher than today if the United States is the last developed country on the planet to move away from mag-stripe cards. The problem is further complicated by the fact that best estimates for fraud cost growth should be augmented by less quantifiable "soft" costs that also loom in the distance. For example, if other nations decide to no longer dual-provision their cards with mag stripes in order to prevent the immigration of fraud from the United States, what costs will U.S. banks incur to continue to provide services to their globetrotting customers? Will we be the ones now having to dual-provision our cards with chip-and-pin? Several U.S. financial institutions have already announced plans to do that very thing. Additionally, with no planned changes in sight, U.S. banks will be tempted to invest in bridge technology to mitigate the growing cost of mag-stripe fraud, thereby inflating the multiyear cost picture with interim investments.
What then should we do? Perhaps we should follow the lead of the U.K. Payments Council's efforts to signal the end of checks as a payment instrument. That is, establish a long-term roadmap for desired change by picking a reasonable future date for a move to chip-and-pin, set some known interim checkpoints for further reflection, and begin an orchestrated process of educating merchants and other key players on optional ways to make the change. With such a target in place, all parties—merchants, issuers, acquirers, processors, card brands, suppliers—could then make better interim investment choices aimed at minimizing long-run costs while maximizing short term benefits to their customers.
One of my favorite movies is Field of Dreams, in which the owner of an Iowa cornfield devotes some of his acreage to the fanciful construction of a baseball field on which the spirits of great players from the past gather each night to play. The movie's famous line, "Build it and they will come," may be the answer for some of our complicated payment investment decisions. Who then should make the call? Absent a probably not-so-welcomed mandate from Congress or a government agency, the job falls to enlightened market forces anxious to control their own destiny. Many groups like the Smart Card Alliance, the Merchants Advisory Group, and others have begun to lay out multiyear roadmaps. My hope is that huddling around these and other ideas in the very near future might be the best way to proceed. Without such efforts at collaboration, I have a gut feeling that five years from now we may, as an industry, be reflecting on the fact that, regardless of the end date, we should have started sooner.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Moving to chip-and-pin: The cost of foresight versus the price of hindsight:
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud