Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« August 2012 | Main | October 2012 »

September 24, 2012

Alternative Financial Services Grow, and So Do the Unbanked and Underbanked

The just-released 2011 FDIC national survey on unbanked and underbanked households reports that this demographic segment has shown modest growth since the 2009 survey. Despite improvements in the general economy, 20.1 percent of U.S. households are underbanked and 8.2 percent are unbanked completely. According to the FDIC's definition, underbanked consumers may have a traditional bank account, but they rely heavily on alternative providers for financial services (shortened to AFS in the FDIC report). As we described in a previous post on nonbanks, the landscape for AFS today is a highly dynamic free-market environment that fosters creativity and innovation. Will the confluence of a growing underserved market and the ever-expanding role of nonbanks in our U.S. payments system fuel the fire for increased reliance upon AFS in general?

Growing use of alternative financial services
The growing reliance on AFS became more widespread between 2009 and 2011. According to the 2011 FDIC report, about 25 percent of all households, including the unbanked and underbanked, reported using AFS in the last year. These AFS users report finding nonbank financial services more convenient, faster, and less expensive than traditional banks.

Figure 6.1: Timing of AFS Use ofr All Households

Every day, many new types of nonbanks, including telecom firms, are entering the payments space, as we noted in this 2009 post on mobile money transfers. More recently, social networks like Facebook and PayPal-like payment business models such as Dwolla are entering the fray. Regulators of money transfer operators are working diligently to ensure that the myriad of new firms in the business are appropriately licensed and regulated. The fast pace of nonbank entry is creating a confusing regulatory environment and potential vulnerabilities that bad actors may find opportunities to exploit.

The growing appeal of prepaid
The 2011 FDIC report also notes that the unbanked and underbanked households rely on prepaid cards more than do fully banked households. One in 10 households overall reported the use of a prepaid card. The proportion of unbanked household that have used a prepaid card climbed from 12.2 percent in 2009 to 17.8 percent in the last survey.

The fact is, prepaid card adoption has been on the rise for some time. The Fed's last triennial payment study reported it to be the fastest growing retail payment method. The expanded functionality for prepaid payments today make them practical for many uses, including payroll, travel, and the provision of benefits. Consumers can purchase prepaid cards from merchants and other nonbank locales where they might be more comfortable than they would be in a traditional financial institution.

This is all good news in the context of financial inclusion and expanded opportunity for the unbanked to participate in the electronic economy and shift from more informal transfer methods. However, payments experts still have concerns. In particular, there is the risk that violators of money laundering laws may go undetected as stored-value payments move from the plastic card to other access devices such as mobile handsets. FinCEN and other regulators will need to keep these issues front of mind as adoption grows and more nonbanks participate in the prepaid industry.

Implications for policymakers and financial institutions
The report concludes that one particularly noteworthy lesson for banks to consider is the need to make traditional financial products more convenient, faster, and less expensive in order to compete with AFS. They should try harder to appeal to the under- and unbanked by providing expedited availability for deposited funds to compete with check cashers. The report even goes on to say that banks might find it useful to promote mobile technology to increase convenience, the most commonly reported reason that households use nonbank check cashiers. With the growing use of prepaid cards for both federal and state government benefits, astute financial institutions may recognize other opportunities to provide prepaid services that may eventually shift the unbanked and underbanked to more a formal banking economy.

However, one clear trend is that technology is driving entrepreneurship in payments delivery methods in unexpected ways, with new AFS services announced all the time. In the long run, AFS may not be considered alternative any more, shedding the negative reputation that label traditionally implies. If new payments are cheaper and faster, perhaps they deserve a less jaundiced eye.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

September 24, 2012 in banks and banking, transmitters | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 17, 2012

Change Is the Only Constant: Section 1073 Set to Take Effect

If you are reading this post, then no doubt you are familiar with the passage of the Dodd-Frank Act, specifically Section 1073, which is the basis for the new rule pertaining to consumer-originated funds transfers from the United States to consumers or businesses in foreign countries. I recently attended a meeting where representatives from the remittance transfer industry discussed the responsibilities, complexities, and challenges of complying with the remittance transfer rule by the inaugural date of February 7, 2013. Not surprisingly, complying with the rule is a massive undertaking—when you consider that the remittance transfer business is, by definition, a business with a global reach.

One premise behind the rule was to create more transparency in remittance costs and thereby encourage competition in the market, to the ultimate benefit of the consumer. Today’s procedures for sending money abroad are basic. Locate one of more than a half-million domestic locations—in addition to many financial institutions, almost every gas station, drug store, and grocery store offer this service—complete a remittance form, hand money and form to a clerk, and wait a few minutes for confirmation. The funds are then made available to the receiver. A recent report published by the World Bank concluded that the United States currently maintains an average total cost to send a remittance below the global average (6.93 percent of the remittance amount versus 9.3 percent), thanks to the high volume and intense competition among the current large number of products and services available in the United States.

However, unknown to both parties at the time of origination is the exact dollar amount that the recipient will receive, because of hidden fees, taxes, and other costs not necessarily apparent. The rule will replace this "unknown" with a required hard copy receipt outlining, in any language used to market, advertise, or solicit business, all fees, commissions, taxes, the exact dollar amount netted to the receiver, and the time that the funds will be available for pickup. (There are other specifics, but no need to reiterate the entire law in this short blog!) A common pain point yet to be resolved in the compliance effort revolves around the ability of the sending entity to provide accurate receiving-end tax information. As an example, some countries have multiple and changing tax rates for different regions or a variable-fee structure on the receiving end based on the receiver’s status and relationship with the receiving entity. These tax and fee issues suitably demonstrate how achieving compliance will require cooperation from foreign entities in more than 213 country corridors, not under a remittance transfer provider’s control or subject to U.S. jurisdiction. Many in attendance suggested that a central database of tax information may be a way to address the conundrum. Whether provided by a third party in the industry or a government entity, a central database would provide consistent data and minimize research and upkeep costs for all transmitters.

In addition to cooperation, education for all players will be instrumental. Consumers should be made aware of their new right to cancel any transaction within 30 minutes of submitting and that they have contact information on their receipt in the event of any errors. At the same time, all remittance providers, including agents, need to be trained and educated to ensure compliance with this new rule.

With system changes required to produce the disclosures, will remittance providers reduce the number of channels used for remittances until they can modify their systems? With the number of contractual agreements required, will providers reduce the number of countries served or products offered? And given the cost, will remittance providers raise prices? And will U.S. consumers find alternative ways to send money? Only time will tell as the deadline for complying approaches.

The rule may eliminate some existing players from the game, as protection never comes without a price. At the same time, pioneering and innovative competitors might provide new channels and more products that will benefit consumers. Like anything that forces us to reinvent ourselves, change brings with it new threats and challenges, but the opportunities can be vast and rich. With a little imagination and a lot of hard work, the rewards can be enormous.

Remember, "The only thing that is constant is change" – Heraclitus

Michelle CastellBy Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

September 17, 2012 in regulators, remittances, Section 1073 | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Change Is the Only Constant: Section 1073 Set to Take Effect:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 10, 2012

The Trouble with QR Codes

You've seen them, those funny-looking little squares. Like tribbles, "quick response" (QR) codes are everywhere—and, like tribbles, they seem to be propagating. You see them on billboards, magazines, real estate sale signs, and product packaging. QR codes are even being used for retail payments, as we discussed in an earlier Portals and Rails post. But like tribbles, the very fact of their ubiquity is creating a big challenge for those agencies and individuals concerned with consumer fraud protection.

Consider the findings from digital media company ComScore, which reports that in June 2011 alone, 14 million U.S. consumers scanned QR codes on their mobile phones. Nearly 50 percent of these were scanned from a printed magazine or newspaper.

Source of scanned QR code

The real problem with this large number of QR code scans is that consumers have no way to detect the presence of malware in the code before it is too late.

"Something you should be careful with"
A report by AVG Threat Labs escribes a number of cyber threats and exposure methods, including from QR codes: "Today QR symbols are showing on almost any ad you find on the street, at a conference or even online. Mobile users can simply scan the QR symbol using software on their mobile device and have their device transform it into meaningful information." However, the report also notes that QR codes can hide messages and URLs. They liken the execution of QRs to running unknown executables on a computer. The report continues: "Executing an unknown pattern of symbols on your trusted mobile or computer is something you should be careful with."

To illustrate this point, the report authors included this QR code with a hidden message for the reader to scan and discover what's behind the dots.

QR code

Here's a hint. If you can't—or, perhaps wisely, won't—scan this QR code, the message is simply a caveat for scanning QR codes.

What's next?
So how do businesses and consumers find protection from this new cyber-attack vector? Education and threat awareness by security professionals are key components of risk mitigation, as with all social engineering schemes. Standardization in code development may also provide safeguards against embedded malware, while also providing assurance to the user that the code comes from a trusted source.

Incidentally, the ease of using QR codes is prompting the payment industry to consider them as a way to facilitate electronic bill payment programs, as recently proposed by NACHA'S Council for Electronic Billing and Payment. The group is seeking feedback on proposed guidance for clear industry standards to minimize complexity and ease market adoption.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

September 10, 2012 | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 4, 2012

Pointing to the Future: Biometrics Crucial for Data Protection

Experts are escalating their call for aggressive measures to improve customer authentication as phishers, malware authors, and other criminals develop increasingly complex schemes to gain access to personal credentials. As we discussed in a previous post, the use of biometrics is gaining more attention as technological advances are bringing low-cost, high-quality solutions. In a recent paper ("The Case for Replacing Passwords with Biometrics"), authors Markus Jakobsson and Sebastien Taveau assert that biometric methods such as fingerprinting methods could address a large part of the looming cyber fraud problem.

Matching fingerprints to protection
Fingerprints as a means of identification have actually been used for more than 150 years. However, Jakobsson and Taveau note that lower technology costs may allow fingerprint authentication to become a mainstream risk mitigation solution, in concert with other backup authentication methods. (The Federal Financial Institutions Examination Council's 2011 Supplement to Authentication in an Internet Banking Environment reports that layered security controls go a long way to protecting consumer credentials and high-risk transactions from cyber threats.) According to Jakobsson and Taveau, the convergence of methods used by cybercriminals is driving fraud into the mobile arena, with an increased incidence of dual platform attacks targeting both PCs and mobile handsets. The authors describe how fingerprint authentication can improve authentication effectiveness and enable better risk management.

As more and more data are stored in personal clouds—remote data servers that store digital content for consumers—the security paradigm becomes more critical. Jakobsson and Taveau describe cases whereby fingerprints could effectively serve as a "key" to consumer information. Just authenticating users by asking who they are and what they know—in other words, prompting for name and password—is inadequate in such "remote" data storage environments. Essentially, "the cloud is a storage area with a door, the handset or other device is the lock and the fingerprint is the key."

The authors also describe the challenge of "BYOD"—that is, "bring your own device" to work. Many companies today permit employees to use their own devices. The use of multiple passwords and other protocols can create confusion that can tempt employees to circumvent authentication protocols designed for their protection. As we noted in a June post, one out of every 11 wallets contains easily discovered PINs. The use of the biometric tool of fingerprinting permits a simple authentication method that can be used across applications and devices, with greater assurance that the account or device owner and the device are in the same physical space.

I can't put my finger on it
Despite the promise of fingerprinting as an effective biometric risk management system, a number of concerns remain, according to the authors. Device sharing can be a problem when the device is secured with a biometric unique to a single user. An issue of a more violent nature is the potential of a criminal stealing someone's finger to facilitate a transaction. Jakobsson and Taveau aptly remark, "It is much better to have one's password stolen!"

In the final analysis, the authors note that the benefits of biometric authentication methods outweigh their deployment challenges. Furthermore, their authentication architecture using a "biometrically unlocked password manager" could provide significant protection against phishing and malware attacks—the primary tools of cybercrime. As the incidence of data breaches and account takeovers continues to rise, the argument for more secure authentication methods will continue as well.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

September 4, 2012 in biometrics, data security, identity theft | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Pointing to the Future: Biometrics Crucial for Data Protection:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad