Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
April 25, 2011
Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?
I paid little attention when news broke on the April 1 announcement by the marketing services firm Epsilon that a subset of their clients' data—e-mail addresses and names—was compromised. However, my interest in the story grew as I began receiving numerous e-mails from various financial institutions and merchants letting me know that my name and e-mail address, which I voluntarily supplied to them at some time, were part of the compromise. Unbeknownst to me, these companies had provided my data to Epsilon for marketing services.
Perhaps if I had taken the time to read the service agreements and privacy notices from these companies, I would have been more aware that my data might be shared with a third party. But in today's digital and mobile world that's all about speed and convenience, does anyone really take the time to read these privacy notices before submitting personal information? And I have to think that for most people, the e-mails and snail mail about changes to privacy policies that seem to come on a monthly basis from various companies quickly find their way unread into the trash. Do current bank-enabled P2P offerings present data compromise risks for customers and are banks offering other P2P alternatives that offer convenience without the potential risks?
The current bank-enabled P2P environment
In light of the Epsilon data compromise, it seems only fair for consumers to be fearful about the amount of personal (and highly sensitive) information they hand over to financial institutions to complete a P2P transaction. These institutions could potentially share this data with third parties that provide P2P services for banks or with companies that provide marketing services—such as Epsilon. Once a consumer provides information to the bank, he or she does not necessarily know how much of the data is shared and with whom it is shared. This person is left in the dark about who actually has access to PII and the corresponding privacy and security policies of those companies.
Are today's bank-enabled P2P services solid replacements for cash and checks?
Based on my two recent experiences with these bank-enabled P2P solutions, their value—even ignoring the cost of the service—appears to be small for one-time, small-dollar payments between individuals. The idea of bank-enabled P2P payments may be cool and trendy. However, the amount of information the sender’s bank requires about the receiver to complete the transaction not only is time-consuming to enter but also presents risk issues that outweigh any perceived benefits, especially for the recipient. Perhaps banks are realizing the challenges behind P2P services for small value, one-time payments given the recent proliferation of banks offering an alternative to traditional check depositing, remote deposit image capture (RDIC), which is potentially simpler and less risky for the consumer than banks' current P2P offerings.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?:
April 18, 2011
Can electronification close tax loopholes opened by cash?
Happy Tax Day! Today is the deadline for paying 2011 federal taxes. Those of us who have waited until the last minute still have until midnight tonight to file our returns electronically. Although the vast majority of Americans will pay their taxes voluntarily, a small minority of evaders do not. According to a study conducted by the IRS for tax year 2001, for example, tax evasion resulted in a $345 billion federal tax gap. More than 70 percent of this gap can be attributed to individual small businesses, who the IRS estimates report only 43 percent of their income, with particularly low reporting of income received as cash. Underreporting is possible because cash payments are invisible to authorities, and therefore the social burden of tax evasion needs to be considered a risk of a cash payment system.
For those of us who do voluntarily pay our taxes, tax evasion by a few seems unfair and even immoral. Indeed, 87 percent of Americans feel that it is never acceptable to cheat on your taxes. Tax advocate Nina Olson further notes that "[t]he tax gap has real victims. Individuals and businesses that evade tax impose a significant burden on those who comply with their tax obligations." Evaders tend not to see the issue in terms of morality, however. The academic literature suggests that the primary driver of small businesses tax evasion is opportunity.
The temptation of cash income
Previously, I covered some of the risks of cash acceptance to small businesses: threats of robbery, employee theft, and counterfeit bills. Nevertheless, many small businesses seem to prefer cash. This is partly to avoid credit card processing fees and the risk of bad checks. But the greatest allure of cash to many small businesses may be its low visibility to tax authorities. Cash transactions do not automatically generate a paper trail and as such comprise the bulk of unreported income. The IRS's tax gap analysis actually understates the extent of evasion by limiting their estimate to federal income tax losses. Evaders are also dodging state income and employment taxes, as well as state and local sales taxes on the unreported income. A small merchant might be willing to accept some risk of theft in order to avoid such a hefty tax burden!
The burden of tax evasion
To achieve these illicit benefits, tax evaders take major risks and bear significant costs. The IRS conviction rate in the cases they pursue has never fallen below 90 percent. When caught in evasion, business owners often have to pay large fines and serve prison sentences. Even if they never face enforcement actions, tax evaders must invest considerable resources and change behaviors in order to avoid detection. The business owners may have to share illicit gains with a complicit accountant or spend significant time and effort to manufacture false numbers and backup documentation for claimed income. They also cannot deposit funds in a bank account, because doing so establishes a paper trail, so they must find other places to store the cash they receive. Not only do these tax-evading business owners risk theft and destruction of their hoarded cash, but they also are unable to use their unclaimed income to secure credit from banks. Furthermore, they run the risk of someone reporting their large cash purchases to the IRS or the Financial Crimes Enforcement Network, which would increase and the risk of an audit.
In addition to the costs borne by the evader, tax evasion imposes externalities on others. Businesses that voluntarily pay taxes operate at a competitive disadvantage, which results in a market distortion. Despite their having to charge market prices for their products, compliant businesses have higher costs than their tax-evading competitors.
The IRS takes action
We have a strong interest in collecting this revenue and correcting the market failures caused by tax evasion. Other countries have responded to unreported cash income in a variety of ways. Mexico has a two percent tax on large cash bank deposits to capture informal market activity. As part of their recent austerity plans, both Italy and Greece have banned high-value cash transactions in order to limit tax evasion. In the United States, the IRS will be using the electronic payments system to address underreporting of cash income: IRS rule 6050W will require merchant processors—the companies that process credit and debit card payments for businesses—to report their clients' receipts to the IRS annually. The IRS will use this data to improve audit algorithms. Third-party income reporting is a classic technique for increasing compliance. 6050W went into effect for tax year 2011, and the IRS will begin receiving the relevant data in January 2012.
Increasing electronification of both payments and tax administration should lead to increased transparency of small businesses income. This greater transparency might result in a natural decline in tax evasion over time. Is there a role for the payments industry in ensuring compliance? Cooperation among industry processors, compliant businesses, and regulators may represent an opportunity to lower the social cost of cash payments, and thereby mitigate risk in the payments system.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
April 11, 2011
Dispelling the myths about mobile banking and payments
There is a lot of confusion these days when it comes to mobile banking and payments. Consumer advocates warn that mobile payments will be unsafe and we need to develop consumer protections now to create a harbor from scams and rip-offs. While it's true that payment innovations often introduce new risks, they also create opportunities to create better safeguards that ensure a more secure payments system. So the path forward is best armed with accurate information about how the mobile wallet will work in the future. With so many new product trials and service rollouts for both mobile banking and payment services, it's difficult to separate fact from fiction. Today, we take an opportunity to do just that. We’ll look at some of the myths we hear most often about mobile banking and payments in the United States.
Myth #1: Mobile banking and mobile payments are one and the same
We often hear people use the term mobile financial services to refer to banking and to payments, as if they were the same thing. The fact is, they are different services that appeal to consumers in different ways, and they are accompanied by very different types of risk. As a recent position paper published by the Atlanta and Boston Federal Reserve Banks defined it, mobile banking refers to a service that accesses bank information such as account balances and transaction history and that facilitates transfers between accounts and online bill payment. Mobile payments, on the other hand, refers to the use of the phone either to make a payment for purchasing goods or services at a merchant's point-of-sale—a transaction also known as a proximity payment—or to transfer money to another person or a business. The latter transactions, domestic and remittance payments, are referred to as mobile money transfer (MMT) payments and occur remotely either within a country or cross-border. Because mobile banking services are merely extending online functionality from the PC to the cell phone, the risk profile for the mobile phone is not markedly different.
Myth #2: Mobile payments represent digital money and lack regulation
While emerging markets are experiencing some remarkable advances in mobile commerce using text messaging to send a payment via prepaid airtime, the U.S. experience, as with other developed countries, is very different. Text-message-based mobile payment systems work for those emerging markets because they are clearly safer than cash. Here and in other developed countries, we have safe payments already, so the mobile device would merely be another channel to access existing payment instruments and their networks for clearing and settlement. All the rule sets, laws and regulations, and consumer protections that govern retail payments today will simply migrate to the mobile channel. While new networks, or rails, may emerge in the future, at present, the payment network systems remain the same.
Myth #3: Mobile payments are less secure that other payment methods
First of all, the security functionalities resident in the mobile handset provide authentication capabilities that don't exist in the current payments environment. The ability to add passwords and GPS location functionality to the handset represent additional security controls to accessing payment instruments in the future mobile wallet. Today, there are no locks on your leather wallet to preclude a bad actor from stealing your credit and debit cards and using them for illicit activity.
Moreover, the technologies that enable our current payments are becoming increasingly obsolete and vulnerable to fraud. Card payments grow riskier every day as the United States remains reliant upon mag-stripe technology, which is very easy for criminals to breach and then use to clone cards for illegal payments. Because mobile devices will use contactless technology in the form of an embedded computer chip, the mobile phone will be a much more secure payment device than the plastic cards we use today.
Conclusion So maybe the idea of mobile banking and payments isn't that scary—and maybe these things aren’t even that trendy any more. When you get right down to it, the cell phone is just another form factor for a payment.
But that's not to say that a lot of new ideas aren’t percolating out there. We know that telecoms are taking small steps with micropayments by allowing consumers to pay after-the-fact for digital goods—things like avatar accessories, ringtones, and even cows and corn in online games like Farmville—on their regular phone bills. Facebook credits are reportedly evolving into Facebook payments for physical venues outside of virtual online games and stores. And we all are waiting expectantly to see if Apple will make use of its extensive iTunes network as a more open payment system whenever the next iPhone is released.
At the Retail Payments Risk Forum we'll continue to keep an eye on emerging payment developments such as these, and work toward clearing up confusion. So don't wait for a blog post, feel free to send an e-mail to any one of us in the Risk Forum if you have a question. We’d love to hear from you.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Dispelling the myths about mobile banking and payments:
April 4, 2011
Atlanta and Boston Fed position paper promotes U.S. adoption of mobile payments
As we've mentioned a few times in this blog, mobile payment developments in the United States lag the initiatives undertaken in Asian and African countries. Last week, the payments research teams at the Boston and Atlanta Federal Reserve Banks published a position paper on how the United States should promote the adoption of mobile payments. The paper, "Mobile payments in the United States: Mapping out the road ahead," represents collective views from 15 months of discussions with various representatives of the mobile payments ecosystem, a group that over the course of 2010 came to be known and the Mobile Payments Industry Workgroup (MPIW). The paper lays out the strategic vision for the future and outlines the foundational principles of an efficient and secure mobile payments system.
Convening the MPIW
The Fed brought this group together for several reasons, which we described in an earlier post. We wanted to understand how the key industry stakeholders in this conjoined industry of banks and telecom firms were working together. We hoped to engender a cross-industry dialogue to perhaps develop a mutual understanding between these two groups of the industry direction and consider a noncompetitive strategy to address barriers to industry adoption. The summary of this meeting was published on both the Atlanta and Boston Fed websites to ensure transparency to the industry.
The key takeaway from the meeting was that there is a lot to do to bring the various players together in the United States, where our payment systems are considerably more advanced and suitable for most consumer needs. The group agreed to meet on a quarterly basis to discuss issues of mutual interest, such as how the various participants viewed the drivers and barriers to adoption and how the business models were shaping up, as well as the industry roles and responsibilities. Of course, the group was interested in getting clarity in regulatory and legal oversight for new telecom-enabled financial services.
The group shared ideas and opinions throughout the course of the year. Oftentimes, group members disagreed on specific points. Even on some points of agreement that are outlined in the final paper, in some instances there is still no clear consensus yet on how to move the ball forward. At the very least, the paper represents issues of consensus and those where the industry must collaborate to achieve agreement.
The MPIW foundational principles for successful mobile payments in the United States
The group recognized that the past year has been marked with activity in the form of numerous trials and product rollouts—but without a vision for success shared among all the parties. Ideally, for mobile payments to take off, all participants should have common goals and still be able to flourish in the mobile ecosystem. Standards are necessary for a ubiquitous mobile commerce environment but at the same time, firms need to have the flexibility to differentiate their service offerings and add value to their shareholders. In acknowledging the need for a common environment, the group agreed on a set of foundational principles that represent the business requirements for success, which are described below.
- Most important to the group is the concept of an open mobile wallet that carries broad payment and merchant options for consumer choice and is based on a platform that would enable a wide range of payment methods and networks.
- Near-field-communication contactless technology must be embedded in the handset and support all payment methods and networks, and must comply with business rules and standards for existing payment methods.
- The industry needs to establish a ubiquitous platform for mobile that not only uses existing clearing and settlement channels and rails, such as credit, debit, ACH, prepaid, and carrier billing, but also supports innovative efforts to create new rails.
- The technology supporting the new mobile handset must enable dynamic data authentication to ensure long-term integrity and security.
- The industry must have a global interoperable platform for standards and certification of payment methods for the mobile wallet and all its resident applications —leveraging existing standards when possible.
- The industry needs regulatory clarity to avoid gaps in oversight and ensure robust consumer protections.
- The group acknowledged the importance of the trusted service manager role to manage security and other account management functions.
The goal of the paper is, ultimately, to broadly circulate the ideas and discussions from the MPIW so we can ignite industry leaders to foster further collaborative work. As the paper notes, "[C]learly, there are many more (interested) parties who will need to support the ideas set forth in this document." Further, there are clear benefits to establishing a coordinating entity and forums to continue to build the roadmap for the future.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Atlanta and Boston Fed position paper promotes U.S. adoption of mobile payments:
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud