Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
August 29, 2011
Seeing what dimly lies in the distance: Parting thoughts on addressing payments system risk
As this post for Portals and Rails runs, it is likely that my concerns about fraud may be starting to center on whether the manufacturer's claims about the bass lure I am using are fraudulent. I guess that's a way of saying that on August 31, I will officially retire after 38 years with the Federal Reserve, an extraordinary organization faced with extraordinary challenges across the three legs of its mission responsibilities: monetary policy, bank supervision and regulation, and payments services. I have been blessed to have had so many challenging and diverse experiences through the years, including the last two years directing the fascinating work of the Retail Payments Risk Forum. Learning about the risks in our payments system, marveling at the entrepreneurship of those who want to exploit its weaknesses to commit fraudulent activity, and working with the industry to try to find ways to mitigate those risks has been both interesting and exhilarating.
Clearly such work is never done and the constant arms race to stay ahead of the bad guys in a technology-centric payments world is not likely to abate. My hope is that those who read this column continue to support the work of the Forum, its outstanding staff, and its new leader. But even more importantly, my hope is that the industry continues to make progress in collaboratively addressing the needs of our payments system in difficult times when investment dollars are scarce and tough choices must be made. At the risk of waxing philosophic, it is with all this in mind that I leave the following thoughts for others to consider and hopefully run with.
First, as an industry, we need to push our leaders to understand that the paradigms of success today are not those that served us well 10 years ago. The payments system is now a global infrastructure, and purely domestic solutions to managing fraud will not work. Business models for success changed with the advent of the Internet and they will change again with the evolution of mobile technology. A corporation's worst nightmare may be riding a train in Eastern Europe while simultaneously cleaning out a bank account in the United States. This means that it will inevitably be harder to implement solutions, but imminently necessary to extract ourselves from domestic thinking while building partnerships across the globe.
Second, standards are the key to long-term progress in such an environment. Certainty about what standards frees markets to invest in developing solutions to payments problems in a competitive environment that encourages escalating performance. Hence, we must give a lot of attention to doing the work in the basement rooms where standards folks work. While I suppose that revenue opportunities may abound for the entity that owns the standards, companies that are able to depend on standards to deliver risk management systems and products greatly reduce their cost of development and ongoing operations.
Third, it would be useful to clarify the roles of the many government (and sometimes private sector) groups that must engage in the business of protecting our payments system. The Forum and colleagues from the Boston Fed have been engaged in an ongoing effort with mobile payments that has demonstrated to us that nobody wants this clarity more than a frequently confused marketplace. While they long for integrated operations, integrated law, and integrated technology, it is integrated oversight that would help clarify who is responsible for what, encourage collaboration and sharing, and expose gaps in coverage that bad actors can exploit.
Fourth, in recent industry meetings I have heard payments professionals lament that a big part of our problem is that customers—both consumers and businesses—are not well educated in how to protect themselves against fraud. The discussion concerning who should be responsible for providing the education, however, resembles a group of folks juggling a hot potato. My suggestion is that financial institutions (individually or collectively through their trade associations) are the one party that touches both user groups and that stepping up and assuming the leadership role in payments education would not only be a great service but might actually be an endearing customer relationship and retention strategy.
Finally, as an industry we seem to be struggling to establish a vision for the future. On a wall at a recent meeting room, I read a quote by Thomas Carlyle that said, "Our main business is not to see what dimly lies at a distance, but to do what lies clearly at hand." Carlyle (who is credited with calling economics the "dismal science") may have had a point when he wrote this in the mid-19th century, but today the future comes at us so fast, it seems to me that we have to constantly keep our eye on what lies vaguely in the distance and create a vision for the future that embraces the possibilities. Said differently, it may be useful to create a vision for how we will collectively address future risks in the payments system even as we deploy new technology, rather than focusing on how to defeat the threats we already know.
With that, I wish our readership all the best and trust that perhaps our paths may cross again.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Seeing what dimly lies in the distance: Parting thoughts on addressing payments system risk:
August 22, 2011
Is recent EMV announcement the catalyst the U.S. needs to catch up?
During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?
The merchant community in particular has rightfully expressed concerns over the infrastructure investment costs for card acceptance terminals. While they acknowledge the need to migrate to a more secure payment system that does not rely on outmoded magnetic stripe card technology, they understandably want a future-proof investment strategy.
Visa's recent announcement about its plans to accelerate chip migration and the adoption of mobile payments may just provide the clarity in direction and sufficient incentives to get merchants moving.
Reduced PCI compliance requirements and liability shifts: Carrots and sticks
Visa's plan will require merchants to invest in chip-acceptance terminals as well as bear responsibility for losses resulting from magnetic stripe card fraud if they continue to accept those cards beyond a specific transition period. Right now, the banks that issue the cards bear those costs. So Visa is essentially imposing a counterfeit fraud liability shift as the metaphorical stick to encourage merchants to comply with the plan. Since the United States is currently the last developed country to implement a plan to migrate to chip-based card payments and agree to such a liability shift, this is a significant move.
But Visa's plan also contains some compelling incentives for the merchant community. PCI data security compliance requirements are costly and increasingly ineffective in combating card fraud schemes like card skimming. The Visa plan will eliminate certain PCI compliance requirements for merchants for whom at least 75 percent of their Visa transactions originate from chip-enabled acceptance terminals. Merchants will still have responsibility for protecting customer authentication information such as security codes and PINs. The prospect for improved security coupled with the reduced PCI compliance costs should be a welcome benefit to merchants.
Building a future for mobile payments
By initiating a plan to migrate to both contact and contactless chip technology at the merchant point-of-sale, the Visa plan may actually speed up the adoption of mobile payments. Building out the acceptance infrastructure will be necessary to support contactless payments and other chip-based emerging technologies in the future.
The growing incidence of global card fraud schemes is drawing critical attention to the need to overhaul the U.S. card payment system. Not only are countries in the European Union moving to chip-and-PIN technology to support their card payments, but they've also discussed banning the acceptance of magnetic stripe cards as a possibility. What this means is U.S. travelers will not be able to use their payment cards abroad. As a matter of fact, if you've traveled to Europe lately, you've undoubtedly discovered that some merchants are not equipped to accept our U.S. payment cards now. The move to chip technology for card payments has been coming—but no one knew exactly when or how. Clearly for merchants, the Visa announcement represents a roadmap for the future.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Is recent EMV announcement the catalyst the U.S. needs to catch up?:
August 15, 2011
Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud
It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of PacMan (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.
Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.
Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.
Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.
Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.
Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement their new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.
Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.
Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud:
August 3, 2011
Fighting the rising tide of elder financial abuse
The successes and failures of law enforcement in fighting financial crime are big news here at the Retail Payments Risk Forum. Earlier this year, we highlighted the gains made in reducing identity theft in the United States. Unfortunately, one form of crime continues to grow despite law enforcement's best efforts: financial crimes targeting the elderly. Last month, MetLife released a report indicating that elder financial abuse is widespread and growing. The report estimated $2.9 billion in annual losses to victims. MetLife based these estimates on an analysis of news articles documenting crimes over two three-month periods in mid- and late 2010. Survey research conducted at Cornell confirms that this is a major problem in New York State, where an average 42 out of 1,000 elders were the victims of financial abuse. Furthermore, the report determined that victims reported fewer than 3 percent of incidents to authorities. While the rate of abuse remains subject to debate, fighting this grim crime is an ongoing battle for law enforcement and consumers.
Elder financial abuse encompasses a category of crimes including theft, confidence tricks, Medicare and Medicaid fraud, forgery, and coerced property transfers. AARP has broadly defined the crime as "the illegal or improper use of a vulnerable adult's funds or property for another person's profit or advantage." The abuse is often a betrayal of a trusted relationship, and the victims are left with emotional and psychological scars that leave them feeling even more vulnerable.
Older Americans at risk of telemarketing fraud
MetLife also conducted a literature review and victim interviews to determine why the elderly are particularly vulnerable to financial abuse. Factors include poor physical health and limited mobility, mental health weaknesses related to the onset of dementia or Alzheimer's, and social isolation. Those who are isolated may be particularly susceptible to manipulation by con artists, for example.
Older Americans disproportionately suffer from telemarketing fraud, a scam where the victim is tricked into agreeing to electronic payments for fraudulent transactions. The criminals on the other end of the line are completely shameless in their techniques to gain the victim's trust. Con artists have targeted victims by searching for surviving spouses in local obituary notices or by purchasing lists of contact information for those who have been previously victimized in similar attacks. Banks can also become entangled in this financial abuse if they are not vigilant. In 2008, Wachovia was forced to pay out $125 million to the victims of fraudulent telemarketing businesses.
Consumer education the best defense
Combating elder financial abuse requires educating potential victims about the risks. Part of Wachovia's settlement included funding for financial literacy programs aimed at seniors. However, it is clear from rising crime rates that education alone is not a cure-all. Regulators, law enforcement, and financial institutions must collaborate to create more effective preventative measures. As a starting point, MetLife has published some consumer tips for prevention, and I have consolidated the recommendations of several of the sources cited above:
- Review financial statements and bills for unauthorized transactions.
- Use direct deposit and online banking to prevent mail theft.
- Sign your own checks.
- Keep passwords and ATM/debit card PINs secret.
- Review important documents like wills and insurance policies annually.
- Do not send money to strangers contacting you over the phone or internet: if an offer sounds too good to be true, it probably is.
- Be aware that abusers may be charismatic individuals or even someone you trust.
- Do not be afraid or embarrassed to seek help if you've been the victim of financial abuse. The longer you wait, the worse the situation can become.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Fighting the rising tide of elder financial abuse:
August 1, 2011
Regulation E expected to add new consumer protections for remittance transfers
One of the many changes required by the Dodd-Frank Wall Street Reform and Consumer Protection Act is an update to Regulation E to reflect new protections for consumers who make remittance transfers to recipients in foreign countries. A remittance transfer is a transaction in which a consumer sends funds to someone in another country. The proposed rule is expected to help carry out the Dodd-Frank Act's overall intent to improve accountability and transparency in the financial system through new disclosures, notices, and error resolution procedures for remittance transfers. Recently, the Federal Reserve Board (the Board) formally announced its request for public comment on the proposed rule and model disclosures.
According to some initial comments on the proposed rule, some industry participants believe that the added requirements could increase costs and add unnecessary burdens to a system that is, as they view it, already functioning properly. Others expect that the proposed changes will reduce errors and even, in some instances, improve the speed for remittance transfers because of enhanced communications between the sending and receiving agents.
Will these changes to Reg E stifle progress in the remittance industry or help it become more consumer-friendly? And will these changes enable a thriving business environment for transfer providers—rather than stifling market growth—while preserving consumer protections?
Prevalence of remittance transfers
Remittance transfers are typically consumer-to-consumer payments of low monetary value. The World Bank estimates that a total of $440 billion in remittances was sent worldwide in 2010, of which $325 billion went to developing countries. The World Bank further estimates that the United States had the highest volume of remittances in 2009, totaling $48.3 billion.
New disclosures, notices, receipts, and error resolution procedures
Some of the proposed disclosure requirements call for remittance transfer providers to disclose to the sender, before the sender pays any money, the remittance value in the currency of the recipient's country, all fees charged in connection with the remittance transfer, and the exchange rate that will be used (to the nearest 1/100 point). Then, after sending the payment, the provider must provide the sender a series of other disclosures on the receipt. Separate notices are required for transfer providers that offer Internet-initiated remittance transfers.
Additionally, remittance transfer service providers may be required to prominently display notices describing a model remittance transfer in every storefront location that the provider owns or controls. The proposal also adds new error resolution procedures for remittance transfers. Under the proposal, the deadline for a consumer to report an error is 180 days from the promised delivery date. This notice may be oral or written, but it must contain the amount of the transfer shown in the foreign currency amount, as indicated in the receipt.
Testing existing disclosures, notices, and error resolution procedures
Prior to releasing these proposals, the Board consulted with a research group to help determine whether these requirements would help the consumer price shop remittance services or understand their fee structure. Overall, the resulting study found that most participants (remittance senders) were satisfied with their experiences.
The study, when determining what information participants received from remittance transfer service providers during an in-person transaction, found that participants infrequently received written information before they completed the transaction. However, the participants indicated they could get needed information by asking an agent. In contrast, they almost always received some form of written information after the transaction, including the exchange rate, fees, amount of money sent, and so on.
Study participants were also asked to share their experiences with dealing with errors or problems during a remittance transaction. Most reported having had problems with at least one service provider, but almost all reported that their problems were resolved expeditiously. The most common error they reported was the misspelling of the recipient's name.
Remittance transfers are an increasingly important source of income for households in lower-income countries. Yet, given the results of the study on the current state of remittance transfers, it is difficult to know whether the Dodd-Frank's remittance provisions will increase efficiency in the remittance industry while preserving consumer protections. What is clear, though, is that the proposed amendments to Reg. E will establish standardized disclosures and notices, thereby creating more transparency in the remittance industry so that a consumer can confidently price shop providers while fully understanding fee structures and services. Although the Board has initiated these proposals, the Consumer Financial Protection Bureau assumed responsibility over this new regulation on July 21, 2011.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud