Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« July 2012 | Main | September 2012 »

August 27, 2012

Mind the Gap: PIN versus Signature Authentication

In a January post, Portals and Rails considered the difference in fraud rates for payments using signature versus those using PIN authentication. Based on the data at hand, we concluded that "financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than those from PIN authentication." The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions has widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions.

Debit Card Issuer Loss Rates

Fraud is a concern for issuers
According to the study, which was conducted by the consulting firm Oliver Wyman on 57 banks and credit unions, 74 percent of large financial institutions (asset size greater than $10 billion) and 90 percent of small institutions (asset size under $10 billion) view fraud as a major challenge for 2012. Looking deeper into 2012 fraud concerns, 54 percent of issuers, regardless of their size, expect signature debit fraud to increase, while only 37 percent of issuers expect an increase in PIN debit fraud levels.

With fraud being of such high concern to issuers, I expected EMV card issuance to be high on their priority list, but that is not the case. In fact, 71 percent of the financial institutions have no immediate plans to issue EMV cards. In the past, we've highlighted some of the many possible ways to do an EMV implementation—according to the study, these unknowns of a U.S. EMV implementation have many financial institutions taking a "wait-and-see" approach.

Of particular note, issuers are interested in knowing if PIN authentication will become mandatory or if it will continue to coexist with signature authentication. Hopefully, this issue and others surrounding EMV implementation will soon be addressed by the industry through the recently announced collaborative EMV Migration Forum created by the Smart Card Alliance. The sooner these issues get sorted out, obviously, the better, as signature debit card fraud is showing no signs of slowing down.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 27, 2012 in chip-and-pin, crime, EMV, fraud | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 20, 2012

Finding a Reasonable Definition of Commercially Reasonable

Corporate account takeovers have cost businesses millions of dollars over the last several years. According to 2011 congressional testimony of Gordon Snow, assistant director of the FBI's cyber division, the FBI was at that time investigating more than 400 reported cases of corporate account takeovers. These 400 cases involved the attempted theft of over $255 million, resulting in actual losses of approximately $85 million.

Corporate accounts are not offered the same protections as consumer accounts, which are protected from financial loss from online fraud through the Electronic Funds Transfer Act and Regulation E. Article 4A of the Uniform Commercial Code (UCC) states that as long as a bank adopts commercially reasonable security measures, its business customers are accountable for fraud losses arising from funds transfers. Unfortunately, Article 4A does not provide a definition for "commercially reasonable," which leaves the term open to interpretation.

A recent ruling by a court of appeals reveals one court's opinion on what is commercially reasonable versus unreasonable. Despite the bank's compliance with Federal Financial Institutions Examination Council (FFIEC) guidance, the court found in favor of the bank's customer. In accordance with the FFIEC guidance, the bank employed multifactor authentication and had the capacity to detect and stop possible fraud. However, the court still found the bank's security measures unreasonable due to two factors.

First, the bank failed to consider the circumstances of its customer's frequency and volume of ACH transactions when implementing security measures and developing security procedures. And second, it failed to monitor and provide notice of possible fraudulent transactions to the customer. A key takeaway from this court's opinion is that financial institutions must take a holistic approach to preventing and detecting fraud. Having the proper prevention and detection tools in place is just one aspect of a fraud mitigation strategy. Financial institutions should also have policies and procedures in place to effectively use their deployed resources and technology for the unique circumstances of each of their customers. Unfortunately, a "one-size-fits-all" approach does not work in the fraud prevention arena.

Though the court did not offer an opinion on the customer's obligations in this particular case, it did recognize that commercial customers also have "obligations and responsibilities" under Article 4A of the UCC. So, at least according to this court's opinion, the holistic approach to fraud prevention does not stop with the financial institution. Corporate customers must also incorporate systems and policies to prevent unauthorized access to its financial accounts and other sensitive documents. With corporate account takeover fraud showing no signs of slowing down, it is imperative that financial institutions and their corporate customers discuss each others' roles and obligations to effectively minimize their risks.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 20, 2012 in account takeovers, ACH | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Finding a Reasonable Definition of Commercially Reasonable:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 13, 2012

Tourism Traffic Boosts Prepaid Cards

Prepaid cards, at least until 2010, were the fastest growing payment method in the United States, according to the Fed's latest payments study. Their use is also growing in other markets, including Latin America in general and Brazil in particular, especially for funding tourism activities. Brazilian tourists are increasingly choosing rechargeable prepaid travel cards loaded with U.S. currency over cash. Interestingly, U.S. banks are also realizing economic benefits from tourists' move from cash to prepaid cards.

Growing South Florida tourism drives Brazilians to spend more
Brazilians make up the second largest tourist group to Florida, next to Canadians (3.3 million of whom visited the United States in 2011). Last year, approximately 1.5 million Brazilians visited Florida. They spent more than a billion dollars total, with a per-visit amount typically exceeding $5,000. Altogether, the Fed Atlanta's Miami Branch paid out $1.7 billion U.S. dollars to Brazil.

A number of factors are contributing to the rise in Brazilian tourists to Florida, including the high number of available flights, expedited processing for travel visas, significantly lower prices for many designer brands coupled with the absence of Brazilian import tax, and relatively cheaper real estate prices.

Brazilian tax rule, other factors influence credit card spending abroad But why are these tourists increasing choosing to use prepaid cards? In 2011, the Brazilian government imposed a new financial operations tax of 6.38 percent on foreign transactions made with Brazilian-issued credit cards. The tax, called the IOF—short for Imposto sobre Operações Financeiras—makes using credit cards abroad very unattractive for Brazilians.

Prepaid travel cards also offer more favorable exchange rates, and they insulate consumers against rate fluctuations by offering a fixed exchange rate on all purchases.

Banks in Brazil also benefit from prepaid cards used abroad. Transportation and custody expenses make it costly for Brazil's commercial banks to obtain and hold U.S. dollars. As a result, these banks are actively promoting prepaid cards. U.S. commercial banks quickly seized the opportunity to compete with their Brazilian counterparts by rolling out marketing campaigns in Brazil promoting the benefits of prepaid travel cards for U.S. travel.

All these conditions and incentives have combined to create a 50 percent rise in travel card applications by Brazilians shortly after the tax regulation was introduced.

Brazil offers an interesting case study of the growth in the use of prepaid payment cards. Just as U.S. consumers beyond the unbanked are recognizing the ease and convenience of this payment device, so are international consumers.

Paul GrahamBy Paul Graham, assistant vice president and branch operations officer, Miami Branch of the Federal Reserve Bank of Atlanta

August 13, 2012 in banks and banking, cards, payments, prepaid | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Tourism Traffic Boosts Prepaid Cards:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 6, 2012

Policymakers, Regulators Keep a Watchful Eye on Mobile Payments

Policymakers and regulatory authorities are beginning to turn their collective eye toward mobile payment developments and with good reason. The rapidly changing environment and the entry of nonbanks in mobile-enabled financial services create a new paradigm in regulatory oversight for consumer protections, bank safety and soundness, and regulatory compliance.

In recognition of these environmental dynamics, the Federal Reserve Banks of Atlanta and Boston recently convened a joint meeting of the Mobile Payments Industry Workgroup (MPIW) and regulatory authorities to discuss recent mobile payment developments and potential regulatory gaps. The two Reserve Banks then jointly published on July 30, 2012, a summary of the meeting describing the meeting dialogue between members of the MPIW and the regulatory community.

You can read the paper on the Atlanta Fed and the Boston Fed websites, but below are some quick highlights.

The complexity of the regulatory framework for mobile financial services requires further ongoing analysis—While regulators recognize supervisory elements common to both mobile and Internet environments, they say that the fast pace of change requires them to more closely monitor mobile payment developments. Regulators have an interest in ensuring safety and soundness as well as consumer protections in the emerging mobile payments environment. Both these objectives require that financial institutions adequately manage vendors when they outsource and partner with third parties in new mobile payment business models.

Education is needed to teach all stakeholders about the mobile environment, from regulators to consumer advocates to consumers themselves—Security, privacy, and consumer protections are important themes that all stakeholders should understand in order to be able to communicate appropriately with policymakers in mobile payments regulation. As mobile payment systems evolve, it will be important to engender cross-industry dialogue at both the industry and regulatory levels to ensure risks in these key themes are sufficiently addressed.

Next steps
The MPIW plans to continue to meet on regulatory issues with regulators as the mobile payments market matures. These meetings will serve to educate the regulators about mobile payment developments and risk mitigation initiatives. At the same time, regulators will be able to share early insights and concerns about mobile payments with the MPIW, while hearing their input and perspectives on future policy and regulatory decision making.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

August 6, 2012 in innovation, mobile payments, regulators | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Policymakers, Regulators Keep a Watchful Eye on Mobile Payments:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad