Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« March 2011 | Main | May 2011 »

April 25, 2011

Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?

I paid little attention when news broke on the April 1 announcement by the marketing services firm Epsilon that a subset of their clients' data—e-mail addresses and names—was compromised. However, my interest in the story grew as I began receiving numerous e-mails from various financial institutions and merchants letting me know that my name and e-mail address, which I voluntarily supplied to them at some time, were part of the compromise. Unbeknownst to me, these companies had provided my data to Epsilon for marketing services.

Perhaps if I had taken the time to read the service agreements and privacy notices from these companies, I would have been more aware that my data might be shared with a third party. But in today's digital and mobile world that's all about speed and convenience, does anyone really take the time to read these privacy notices before submitting personal information? And I have to think that for most people, the e-mails and snail mail about changes to privacy policies that seem to come on a monthly basis from various companies quickly find their way unread into the trash. Do current bank-enabled P2P offerings present data compromise risks for customers and are banks offering other P2P alternatives that offer convenience without the potential risks?

The current bank-enabled P2P environment
The Epsilon data compromise comes on the heels of my recent experience with two different bank-enabled P2P products that caught me by surprise with the amount of personally identifiable information (PII) required for a transaction. In one experience, all I had to do was enter the recipient's e-mail address. But when the recipient received notice of the payment, she had to enter her name, address, telephone number, e-mail address, and bank routing and account numbers as well as agree to the terms of service and privacy policy of the institution in order to receive the funds.

In the other experience, I was required to enter the recipient's PII before actually initiating the payment. For this provider, depending on the type of transfer being conducted, I might also have had to include a passport/driver license number or a Social Security number. Because my recipient banked with a different institution than I do, she had to authenticate the account by entering her online banking username or Social Security number and password and finally agree to the terms of the service and privacy policy of the institution.

In light of the Epsilon data compromise, it seems only fair for consumers to be fearful about the amount of personal (and highly sensitive) information they hand over to financial institutions to complete a P2P transaction. These institutions could potentially share this data with third parties that provide P2P services for banks or with companies that provide marketing services—such as Epsilon. Once a consumer provides information to the bank, he or she does not necessarily know how much of the data is shared and with whom it is shared. This person is left in the dark about who actually has access to PII and the corresponding privacy and security policies of those companies.

Are today's bank-enabled P2P services solid replacements for cash and checks?
Based on my two recent experiences with these bank-enabled P2P solutions, their value—even ignoring the cost of the service—appears to be small for one-time, small-dollar payments between individuals. The idea of bank-enabled P2P payments may be cool and trendy. However, the amount of information the sender’s bank requires about the receiver to complete the transaction not only is time-consuming to enter but also presents risk issues that outweigh any perceived benefits, especially for the recipient. Perhaps banks are realizing the challenges behind P2P services for small value, one-time payments given the recent proliferation of banks offering an alternative to traditional check depositing, remote deposit image capture (RDIC), which is potentially simpler and less risky for the consumer than banks' current P2P offerings.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 25, 2011 in P2P, risk | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 18, 2011

Can electronification close tax loopholes opened by cash?

Happy Tax Day! Today is the deadline for paying 2011 federal taxes. Those of us who have waited until the last minute still have until midnight tonight to file our returns electronically. Although the vast majority of Americans will pay their taxes voluntarily, a small minority of evaders do not. According to a study conducted by the IRS for tax year 2001, for example, tax evasion resulted in a $345 billion federal tax gap. More than 70 percent of this gap can be attributed to individual small businesses, who the IRS estimates report only 43 percent of their income, with particularly low reporting of income received as cash. Underreporting is possible because cash payments are invisible to authorities, and therefore the social burden of tax evasion needs to be considered a risk of a cash payment system.

For those of us who do voluntarily pay our taxes, tax evasion by a few seems unfair and even immoral. Indeed, 87 percent of Americans feel that it is never acceptable to cheat on your taxes. Tax advocate Nina Olson further notes that "[t]he tax gap has real victims. Individuals and businesses that evade tax impose a significant burden on those who comply with their tax obligations." Evaders tend not to see the issue in terms of morality, however. The academic literature suggests that the primary driver of small businesses tax evasion is opportunity.

The temptation of cash income
Previously, I covered some of the risks of cash acceptance to small businesses: threats of robbery, employee theft, and counterfeit bills. Nevertheless, many small businesses seem to prefer cash. This is partly to avoid credit card processing fees and the risk of bad checks. But the greatest allure of cash to many small businesses may be its low visibility to tax authorities. Cash transactions do not automatically generate a paper trail and as such comprise the bulk of unreported income. The IRS's tax gap analysis actually understates the extent of evasion by limiting their estimate to federal income tax losses. Evaders are also dodging state income and employment taxes, as well as state and local sales taxes on the unreported income. A small merchant might be willing to accept some risk of theft in order to avoid such a hefty tax burden!

The burden of tax evasion
To achieve these illicit benefits, tax evaders take major risks and bear significant costs. The IRS conviction rate in the cases they pursue has never fallen below 90 percent. When caught in evasion, business owners often have to pay large fines and serve prison sentences. Even if they never face enforcement actions, tax evaders must invest considerable resources and change behaviors in order to avoid detection. The business owners may have to share illicit gains with a complicit accountant or spend significant time and effort to manufacture false numbers and backup documentation for claimed income. They also cannot deposit funds in a bank account, because doing so establishes a paper trail, so they must find other places to store the cash they receive. Not only do these tax-evading business owners risk theft and destruction of their hoarded cash, but they also are unable to use their unclaimed income to secure credit from banks. Furthermore, they run the risk of someone reporting their large cash purchases to the IRS or the Financial Crimes Enforcement Network, which would increase and the risk of an audit.

The costs and benefits to small businesses of underreporting cash

In addition to the costs borne by the evader, tax evasion imposes externalities on others. Businesses that voluntarily pay taxes operate at a competitive disadvantage, which results in a market distortion. Despite their having to charge market prices for their products, compliant businesses have higher costs than their tax-evading competitors.

The IRS takes action
We have a strong interest in collecting this revenue and correcting the market failures caused by tax evasion. Other countries have responded to unreported cash income in a variety of ways. Mexico has a two percent tax on large cash bank deposits to capture informal market activity. As part of their recent austerity plans, both Italy and Greece have banned high-value cash transactions in order to limit tax evasion. In the United States, the IRS will be using the electronic payments system to address underreporting of cash income: IRS rule 6050W will require merchant processors—the companies that process credit and debit card payments for businesses—to report their clients' receipts to the IRS annually. The IRS will use this data to improve audit algorithms. Third-party income reporting is a classic technique for increasing compliance. 6050W went into effect for tax year 2011, and the IRS will begin receiving the relevant data in January 2012.

Increasing electronification of both payments and tax administration should lead to increased transparency of small businesses income. This greater transparency might result in a natural decline in tax evasion over time. Is there a role for the payments industry in ensuring compliance? Cooperation among industry processors, compliant businesses, and regulators may represent an opportunity to lower the social cost of cash payments, and thereby mitigate risk in the payments system.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

April 18, 2011 in law enforcement, payments systems | Permalink


One of the arguments for the continuing usage of cash has been the lack of an alternative for the unbanked. I believe this has been answered by the dual functions of pre-paid debit cards and of mobile phone-based payments. As long as these are available at cost-effective alternatives - the program developed by our not for profit group for developing countries has a maximum fixed cost of $0.25 per transaction - it becomes increasingly likely that any continuance of cash-based transactions is for tax evasion.
The time has come for tax authorities to be proactive in this regard. If you buy goods or services and are asked to pay in cash, you should get a receipt which shows the amount of tax added to the transaction; in the US this will be Sales Tax, while in most of the rest of the world it is VAT.
As the buyer, you may have a way to protect yourself from any suggestion of aiding and abetting an illegal act, by submitting a report of the transaction to the relevant tax authority. Indeed, you may be entitled to a reward if the report assists the tax authority in fining/ prosecuting the tax-evading merchant.
The merchant can protect itself by making a payment to the tax authority at the end of each day, with full support data to show on which transactions it had accepted cash.
This policy, in conjunction with real time fraud analysis of all electronic transactions, can encourage all businesses to report their income correctly. The analysis can provide valuable data by comparing similar companies and their tax settlements.
As you point out, it is not fair for some to get away with evasion, which always means the honest merchant and customer have to pay more in the end. Technology is now available to stop such cheats - and tax authorities should act cohesively to achieve this end.

Posted by: christopher williams | May 1, 2011 at 05:31 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 11, 2011

Dispelling the myths about mobile banking and payments

There is a lot of confusion these days when it comes to mobile banking and payments. Consumer advocates warn that mobile payments will be unsafe and we need to develop consumer protections now to create a harbor from scams and rip-offs. While it's true that payment innovations often introduce new risks, they also create opportunities to create better safeguards that ensure a more secure payments system. So the path forward is best armed with accurate information about how the mobile wallet will work in the future. With so many new product trials and service rollouts for both mobile banking and payment services, it's difficult to separate fact from fiction. Today, we take an opportunity to do just that. We’ll look at some of the myths we hear most often about mobile banking and payments in the United States.

Myth #1: Mobile banking and mobile payments are one and the same
We often hear people use the term mobile financial services to refer to banking and to payments, as if they were the same thing. The fact is, they are different services that appeal to consumers in different ways, and they are accompanied by very different types of risk. As a recent position paper published by the Atlanta and Boston Federal Reserve Banks defined it, mobile banking refers to a service that accesses bank information such as account balances and transaction history and that facilitates transfers between accounts and online bill payment. Mobile payments, on the other hand, refers to the use of the phone either to make a payment for purchasing goods or services at a merchant's point-of-sale—a transaction also known as a proximity payment—or to transfer money to another person or a business. The latter transactions, domestic and remittance payments, are referred to as mobile money transfer (MMT) payments and occur remotely either within a country or cross-border. Because mobile banking services are merely extending online functionality from the PC to the cell phone, the risk profile for the mobile phone is not markedly different.

Myth #2: Mobile payments represent digital money and lack regulation
While emerging markets are experiencing some remarkable advances in mobile commerce using text messaging to send a payment via prepaid airtime, the U.S. experience, as with other developed countries, is very different. Text-message-based mobile payment systems work for those emerging markets because they are clearly safer than cash. Here and in other developed countries, we have safe payments already, so the mobile device would merely be another channel to access existing payment instruments and their networks for clearing and settlement. All the rule sets, laws and regulations, and consumer protections that govern retail payments today will simply migrate to the mobile channel. While new networks, or rails, may emerge in the future, at present, the payment network systems remain the same.

Myth #3: Mobile payments are less secure that other payment methods
First of all, the security functionalities resident in the mobile handset provide authentication capabilities that don't exist in the current payments environment. The ability to add passwords and GPS location functionality to the handset represent additional security controls to accessing payment instruments in the future mobile wallet. Today, there are no locks on your leather wallet to preclude a bad actor from stealing your credit and debit cards and using them for illicit activity.

Moreover, the technologies that enable our current payments are becoming increasingly obsolete and vulnerable to fraud. Card payments grow riskier every day as the United States remains reliant upon mag-stripe technology, which is very easy for criminals to breach and then use to clone cards for illegal payments. Because mobile devices will use contactless technology in the form of an embedded computer chip, the mobile phone will be a much more secure payment device than the plastic cards we use today.

Conclusion So maybe the idea of mobile banking and payments isn't that scary—and maybe these things aren’t even that trendy any more. When you get right down to it, the cell phone is just another form factor for a payment.

But that's not to say that a lot of new ideas aren’t percolating out there. We know that telecoms are taking small steps with micropayments by allowing consumers to pay after-the-fact for digital goods—things like avatar accessories, ringtones, and even cows and corn in online games like Farmville—on their regular phone bills. Facebook credits are reportedly evolving into Facebook payments for physical venues outside of virtual online games and stores. And we all are waiting expectantly to see if Apple will make use of its extensive iTunes network as a more open payment system whenever the next iPhone is released.

At the Retail Payments Risk Forum we'll continue to keep an eye on emerging payment developments such as these, and work toward clearing up confusion. So don't wait for a blog post, feel free to send an e-mail to any one of us in the Risk Forum if you have a question. We’d love to hear from you.

Photo of Ana Cindy MerrittBy Cindy Merritt, assistant director of the Retail Payments Risk Forum

April 11, 2011 in mobile banking, mobile money transfer, mobile payments | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Dispelling the myths about mobile banking and payments:


Thank you Cindy. It is important with this kind of clarification to sift through the confusion between mBanking and mPayment. The various mPayment pilot projects and announcements of mPayment partnerships, while overall encouraging for the industry, unfortunately adds further to the perceived complexities.

You bring up many good points. It is clear that enabling mobile payments for goods and services represents a significant change in the risk and opportunities compared to traditional payments. I firmly believe and agree that appropriately architected mobile payment solutions can provide superior security compared with cards-in-wallet. You list some ways but there are more approaches. I hope you will continue with more clarifying blog posts and share your insight.

Posted by: Knud - San Francisco | April 13, 2011 at 12:44 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 4, 2011

Atlanta and Boston Fed position paper promotes U.S. adoption of mobile payments

As we've mentioned a few times in this blog, mobile payment developments in the United States lag the initiatives undertaken in Asian and African countries. Last week, the payments research teams at the Boston and Atlanta Federal Reserve Banks published a position paper on how the United States should promote the adoption of mobile payments. The paper, "Mobile payments in the United States: Mapping out the road ahead," represents collective views from 15 months of discussions with various representatives of the mobile payments ecosystem, a group that over the course of 2010 came to be known and the Mobile Payments Industry Workgroup (MPIW). The paper lays out the strategic vision for the future and outlines the foundational principles of an efficient and secure mobile payments system.

Convening the MPIW
The Fed brought this group together for several reasons, which we described in an earlier post. We wanted to understand how the key industry stakeholders in this conjoined industry of banks and telecom firms were working together. We hoped to engender a cross-industry dialogue to perhaps develop a mutual understanding between these two groups of the industry direction and consider a noncompetitive strategy to address barriers to industry adoption. The summary of this meeting was published on both the Atlanta and Boston Fed websites to ensure transparency to the industry.

The key takeaway from the meeting was that there is a lot to do to bring the various players together in the United States, where our payment systems are considerably more advanced and suitable for most consumer needs. The group agreed to meet on a quarterly basis to discuss issues of mutual interest, such as how the various participants viewed the drivers and barriers to adoption and how the business models were shaping up, as well as the industry roles and responsibilities. Of course, the group was interested in getting clarity in regulatory and legal oversight for new telecom-enabled financial services.

The group shared ideas and opinions throughout the course of the year. Oftentimes, group members disagreed on specific points. Even on some points of agreement that are outlined in the final paper, in some instances there is still no clear consensus yet on how to move the ball forward. At the very least, the paper represents issues of consensus and those where the industry must collaborate to achieve agreement.

The MPIW foundational principles for successful mobile payments in the United States
The group recognized that the past year has been marked with activity in the form of numerous trials and product rollouts—but without a vision for success shared among all the parties. Ideally, for mobile payments to take off, all participants should have common goals and still be able to flourish in the mobile ecosystem. Standards are necessary for a ubiquitous mobile commerce environment but at the same time, firms need to have the flexibility to differentiate their service offerings and add value to their shareholders. In acknowledging the need for a common environment, the group agreed on a set of foundational principles that represent the business requirements for success, which are described below.

  • Most important to the group is the concept of an open mobile wallet that carries broad payment and merchant options for consumer choice and is based on a platform that would enable a wide range of payment methods and networks.
  • Near-field-communication contactless technology must be embedded in the handset and support all payment methods and networks, and must comply with business rules and standards for existing payment methods.
  • The industry needs to establish a ubiquitous platform for mobile that not only uses existing clearing and settlement channels and rails, such as credit, debit, ACH, prepaid, and carrier billing, but also supports innovative efforts to create new rails.
  • The technology supporting the new mobile handset must enable dynamic data authentication to ensure long-term integrity and security.
  • The industry must have a global interoperable platform for standards and certification of payment methods for the mobile wallet and all its resident applications —leveraging existing standards when possible.
  • The industry needs regulatory clarity to avoid gaps in oversight and ensure robust consumer protections.
  • The group acknowledged the importance of the trusted service manager role to manage security and other account management functions.

The goal of the paper is, ultimately, to broadly circulate the ideas and discussions from the MPIW so we can ignite industry leaders to foster further collaborative work. As the paper notes, "[C]learly, there are many more (interested) parties who will need to support the ideas set forth in this document." Further, there are clear benefits to establishing a coordinating entity and forums to continue to build the roadmap for the future.

Photo of Ana Cindy MerrittBy Cindy Merritt, assistant director of the Retail Payments Risk Forum

April 4, 2011 in banks and banking, mobile payments | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Atlanta and Boston Fed position paper promotes U.S. adoption of mobile payments:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad