Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« September 2011 | Main | November 2011 »

October 31, 2011

Cash, check, or charge: Paying for illegal activities

In the past few years, as metal commodity prices have climbed, metal theft has become increasingly common. While theft of copper from electrical wire and air conditioning units appears to be the favorite metal heist these days, amazingly, some thieves are also targeting such metal-carrying items as manhole covers and railroad track. In fact, just last month, thieves stole a two-ton historic bell in San Francisco. By now you are probably asking yourself, what does this particular crime have to do with payments?

Well, interestingly, in an effort to crack down on the growing problem of metal theft, the state of Louisiana recently passed a bill limiting the use of cash. I discovered the bill through a recent headline on the Drudge Report: "Law bans cash transactions—for secondhand goods." Clicking the headline led me to this news story about House Bill No. 195. Among the bill's many provisions, number 1864.3 states that "a secondhand dealer shall not enter into any cash transactions in payment for the purchase of junk or used or secondhand property. Payment shall be made in the form of check, electronic transfers, or money order issued to the seller…and made payable to the name and address of the seller."

The intent of Louisiana lawmakers is to assist law enforcement by creating a trail of payment transactions between dealers, such as scrap metal recyclers. Such a trail does not currently exist for cash transactions. If history tells us anything, it tells us that the right side won't be able to stay a step ahead of criminals for long. Restrictions on cash transactions will inevitably force criminals to figure out something else they can use to hide their activities. The question is, what form will that something else take?

Risk of cash payments
In the past, this blog examined some of the risks associated with merchants who accept cash for payments. These risks include robbery, employee theft, and counterfeit currency. The recent legislation in Louisiana addresses a very different cash-related risk—the anonymity it provides to criminals. This anonymity makes cash the ideal payment for all parties involved in illicit activities such as prostitution, drug trafficking, illegal gambling, and stolen goods sales. It has proven to be difficult enough for law enforcement to catch those engaged in these activities unless they are caught in the act. Transacting for these goods and services in cash makes it even more difficult to catch them.

While Louisiana's very limited restriction of cash usage to fight crime is new to the United States, other countries have already implemented such policies. In Mexico, organized crime and drug trafficking prompted officials to adopt measures that set limits on cash transactions for real estate and luxury good items. In Italy, tax evasion led to the government banning any cash transactions exceeding 5,000 euros. Tax evasion also prompted the Greek government to ban person-to-business and business-to-business cash transactions over 1,500 euros.

Potential impacts of restricting cash payments The implications of payment restrictions are many, including additional costs and hardships for parties engaging in legitimate cash transactions. Further, such restrictions could lead criminals to the use of alternative currencies, such as Bitcoin and Liberty Reserve, which are digital currency payment systems that use digital "coins" or tokens to represent monetary values. Unlike traditional currency, these alternative currencies are generally not backed by an asset or central bank, and their value is driven through exchanges that allow people to buy and sell the digital coin. Unfortunately, like cash, these currencies provide anonymity, so people engaged in illicit activities can escape detection by using them as mediums of exchange. In fact, a recent report detailed the use of Bitcoins for purchasing illegal drugs on an underground website. (This report even prompted two U.S. senators to request that federal officials crack down on Bitcoin.)

It will be interesting to monitor efforts to restrict the use of cash and the effectiveness of these efforts in combating criminal activity. And as criminals look to circumvent restrictions on cash usage around the globe, will the use of alternative currencies gain popularity in the criminal world?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 31, 2011 | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Cash, check, or charge: Paying for illegal activities:


A payment system should deliver privacy, not anonymity.

By the way, we have the same problem in the UK.


Posted by: twitter.com/dgwbirch | November 3, 2011 at 03:46 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 24, 2011

Keeping pace as money transmitters proliferate

As the United States migrates from paper-based retail payments to electronically enabled methods, we are witnessing a proliferation of entrepreneurial and innovative nonbank stakeholders entering the retail payments market. As my colleague discussed in a previous post, these nonbanks provide a variety of services that banks can use to create more efficient payment systems. But the fast pace of technological change and the ease with which these new companies can enter the retail payments arena may also be translating into new risk vulnerabilities for the nation's retail payments systems.

There are many different types of nonbanks in U.S. payments systems today, including technology developers, aggregators, agents, third-party service providers, and money service businesses (MSB) and transmitters. As technology enables more nimble and innovative payments, the role of MSBs and, in particular, money transmitters is growing more important.

Am I an MSB?
According to this table from the Financial Crimes Enforcement Network (FinCEN), certain products or service offerings may dictate the capacities in which a business might fit the definition of an MSB. Note that money transmitters represent a specific type of MSB that engages primarily in funds transfer services.

The innovations that PayPal introduced illustrate the value that transmitters add to the payment system through the provision of nimble service offerings that respond to consumer payment needs. Over time, PayPal has evolved into a mainstream payment service provider and household name, and has demonstrated a commitment to risk management and regulatory compliance across all the jurisdictions in which it operates. But PayPal's commitment contrasts with the overall state of the industry of MSBs, whose efforts are not completely transparent. MSBs and transmitters today operate in a fragmented regulatory environment determined by the specific governing laws, licensing requirements, and permissible business activities of each U.S. state.

As money transmitters become more prevalent players in our nation's payment system, is it time to reassess their regulatory environment and consider the potential benefits of a national supervisory framework?

Transmitters and the U.S. regulatory structure
Money transmitters are required to register with FinCEN and to comply with federal laws for anti-money-laundering and counterterrorist-financing provisions of the Bank Secrecy Act. In addition, 48 states require the licensing of money transmitters before they can do business. For money transmitters that operate in more than one state and across state lines, differences in state legal requirements create challenges to developing effective enterprise-wide compliance and risk-management programs. Furthermore, monitoring changes in various state legal regimes can be extremely complicated, not to mention costly.

Ironically, state regulatory authorities governing money transmitter businesses are generally budget-strapped in today's economically distressed environment, and lack the financial resources for taking action against all but the most egregious of bad actors. Unlike the prudential regulatory governance employed by the agencies of the Federal Financial Institutions Examination Council for the nation's mainstream financial institutions, regulatory response for the oversight of money transmitters is prompted instead by complaints to state authorities, or by the filing of suspicious activity reports to FinCEN.

Future regulatory considerations
There are many risks to consider in this nascent segment of the retail payments industry. With the ease of entry into the market for money transmitters and the potential lack of funding in some states for comprehensive regulatory oversight, some startups may circumvent licensing and capital requirements by merely opening for business, undetected by state authorities. FinCEN has issued advisories requesting that financial institutions that discover such businesses file suspicious activity reports (SARs) as a means of mitigating unlicensed and potentially illegal activity. Unfortunately, as technology supports more sophisticated advancements in electronic payments as well as new alliances between carriers and money transmitters, regulatory efforts will become increasingly difficult.

The newly established Consumer Financial Protection Bureau is empowered to exercise enforcement authority for improper conduct on behalf of money transmitters, but the task is daunting, considering the disproportionate state-by-state regulatory framework currently in place. Is it time to consider a more consistent, national approach to the legal and regulatory oversight of money transmitters? And, considering the onerous compliance costs that the current environment imposes, would money transmitters in fact welcome a more consistent, uniform environment?

Cindy MerrittBy Cindy Merritt, assistant director of the Retail Payments Risk Forum


October 24, 2011 in money services business (MSB), payments risk, payments systems, regulators, transmitters | Permalink


You are right to ask the question Cindy. A national framework that works to separate payments and other banking businesses ought to be a straightforward first step toward a more efficient payment sector. Innovation in the "money transmitter" segment should be decoupled from the areas of systemic risk (eg, credit creation).

Posted by: twitter.com/dgwbirch | October 29, 2011 at 04:58 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 17, 2011

As payments system evolves, "funny" money is still no laughing matter

Counterfeit money in the United States has been in circulation since colonial America. During the Revolutionary War, counterfeiting of Continental American money became so rampant that the currency became worthless. Hence, the phrase "not worth a Continental" was born. Counterfeiting continued after the country's independence from the British, so the government established the U.S. Secret Service in 1865 to suppress it. It was only later that the agency was also tasked with the highly visible and publicized mission of protecting national leaders, most notably the president, and visiting foreign leaders.

Since the establishment of the Secret Service, payment types have advanced from paper bills to checks and card-based payments. Alongside the advancement of our nation's payment methods, the security features of each payment type are evolving to combat attempts at counterfeiting. Yet today, 111 years after the Secret Service was established, counterfeiting remains a threat to the U.S. payments system. This blog examines the security technological advances currently deployed and those in development to fight counterfeiting schemes in consumer payments.

Counterfeit currency
In 1865, approximately one-third of all currency in circulation was counterfeit. Today, counterfeit currency is estimated to represent only 3/100ths of 1 percent of total currency—yet the crime of counterfeiting currency remains popular. According to its Fiscal Year 2010 Annual Report, the Secret Service made more than 3,000 domestic and international arrests for counterfeiting offenses in 2010, resulting in the removal of more than $261 million in counterfeit currency from circulation. This amount is an increase of more than 150 percent from the 2008 level of $103 million. Continued advancements in computer and printing technologies aid counterfeiters in producing hard-to-detect counterfeit bills. It is also important to note that counterfeit bills do not have to be perfect. These bills just need to be good enough for the counterfeiters to exchange once to another party to be deemed successful.

To mitigate the production of counterfeit currency and to help detect it, the U.S. Department of the Treasury constantly enhances paper currency's security features. Newer features such as color-shifting ink, watermarks, and security threads have made paper currency more difficult for criminals to counterfeit accurately.

Counterfeit checks
Much like paper currency, checks became an important payment instrument in the United States following the Revolutionary War. And as is the case with paper currency, checks are also a common target for counterfeiters. Even as check usage continues to decline, check fraud continues to increase and remains one of the largest threats to businesses today, according to the 2011 AFP Payments Fraud and Control Survey: Report of Survey Results. Also according to this report, the counterfeiting of nonpayroll checks using an organization's MICR line data remains the most widely used technique to commit check fraud.

Counterfeit cards
Since the first credit card was introduced in the United States in 1958, card-enabled debit and credit payments have become many consumers' preferred payment methods. But just as payments migrated from paper to electronic methods such as debit and credit cards, counterfeiting fraud schemes have shifted from paper as well. Today's payments fraud-related headlines are flooded with stories of card-skimming schemes to produce counterfeit cards. Fraudsters are using skimming devices on point-of-sale (POS) terminals and at ATMs to capture card numbers. As my colleague Cynthia Merritt previously discussed in an earlier post, these skimming devices are becoming more sophisticated. According to Verizon's 2011 Data Breach Investigations Report, tampering of ATMs and POS terminals accounted for 98 percent of physical data breaches in 2010. The report notes that these tampering attacks, which have been occurring for years, are on the rise.

Despite the continued evolution of payment types and their corresponding security features, counterfeiters persist in finding ways to harm the payments system, regardless of payment type. Although the industry can and should strive to eliminate the success of counterfeiters, history shows us that the task is all but impossible. It will be very interesting to see the effect that new security enhancements as they develop will have on counterfeiting trends in the United States. For me, I am eagerly anticipating the effect that dynamic data chip-enabled transactions will have on the skimming and counterfeiting of payment cards should the industry adopt the technology.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 17, 2011 in check fraud, crime, fraud, payments systems | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference As payments system evolves, "funny" money is still no laughing matter:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 11, 2011

High-impact events in a warming world: Business continuity planning for retail payments

Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.

Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.

Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:

The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.

The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.

In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

October 11, 2011 in banks and banking, financial services, payments systems, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference High-impact events in a warming world: Business continuity planning for retail payments:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 3, 2011

Cyberspace trust: Proving you're not a dog

A very real discomfort underlies the classic joke: "On the Internet, nobody knows you're a dog." How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate's Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you're reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

The most recent installment of the Payments Spotlight podcast series features Jeremy Grant, leader of the U.S. Department of Commerce's National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is a White House initiative that works collaboratively with the private and public sectors to improve the security of online transactions by increasing online security and solving the problem of weak and inconvenient passwords.

"The genesis of it was President Obama's cyberspace policy review that was conducted shortly after he took office in 2009," Grant explains. The goals of the new cyberspace policy include "the creation of an identity management vision and strategy that the country could implement that would focus both on the securities aspects of the topic, as well as be dedicated to preserving or enhancing privacy and civil liberties." A critical first step, says Grant, is addressing the fact that "passwords are fundamentally broken and insecure, and simply don't cut it these days as a way to identify and authenticate online." (A May 2011 Payments Spotlight podcast addressed the weakness of single-factor authentication, such as logging in with just a password.)

Although the government is coordinating the NSTIC effort, the program is designed as a private-public partnership. Grant says it is not the government's role "to figure this out for the rest of the world, but to convene different private sector stakeholders, [including] tech firms, banks, healthcare firms, security firms, advocacy groups in the privacy and consumer communities, and other interested individuals." A major goal of NSTIC is to foster collaboration. He says, "We really want to have an open and participatory process where all different stakeholders can come together and collaborate and work out practical solutions to some of the challenges that the NSTIC lays out. Government will convene and we'll be an early adopter, but we are not going to actually lead this." Some private businesses are already excited about NSTIC. Michael Barrett, Chief Information Security Officer at PayPal, has voiced his support: "[We] will be offering more services to our customers over the coming months that directly support the NSTIC, which we expect will result in many new benefits to both our customers and the Internet overall."

So when can we expect to see NSTIC implemented? Currently the National Program Office is laying the groundwork for pilots, which can be expected sometime next year. In terms of resources, Grant notes that "for fiscal year 2012, the White House has proposed $24.5 million for NSTIC, including $17.5 million that would go towards pilot programs." The funds have not yet been appropriated, so budget wrangling may still change those numbers. Those pilots will be just the first step in architecting a more secure Internet identity infrastructure. If NSTIC achieves its vision, we can be confident that no fraudsters—or dogs—lurk behind our friends' Facebook profiles and e-mail addresses!

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

October 3, 2011 in collaboration, consumer protection, cybercrime | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Cyberspace trust: Proving you're not a dog:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad