About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


September 30, 2013


Securing All the Links in the Chain: Third-Party Payment Processors

Consumers may not know when a payment transaction involves more than the merchant they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).

The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.

Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC)—in this case, the processor—and also "know your customer's customer" (KYCC)—in this case, the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.

Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.

A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.

Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.

Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.

We would like to hear what processes your institution has in place to monitor processors.

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 30, 2013 in banks and banking, consumer protection, risk management


September 24, 2013


Using Analytics to Improve Credit Quality

With consumer credit products such as mortgages and payday loans occupying headlines, credit card portfolios have been quietly and steadily marching towards improvement in quality over the last three years, according to data released by the Fed’s Board of Governors. As the chart shows, seasonally adjusted charge-off rates are down to 3.9 percent, and delinquency rates are at 2.6 percent for the largest 100 commercial banks in the United States, the lowest rate since the Federal Reserve began tracking this statistic at the start of 1991.

[Chart: Credit Card Charge-Offs and Delinquency Rates: Top 100 US Commercial Banks]

But how have credit card issuers been able to improve the quality and profitability of their card portfolio since the severe economic impact felt by all during the recession? One of the many tools the Board identified—and one cited by portfolio managers—is the increasing use of analytics. Issuers collect and comb vast amounts of data from a variety of sources to ensure that cardholders are equipped to manage their balances.

Credit issuers use analytics for a variety of purposes, including establishing credit limits, monitoring ongoing credit quality, targeting marketing efforts, and detecting fraud. They perform analytics at the individual cardholder level—looking at credit history and purchasing patterns, for example—as well as at the customer segmentation level to identify correlations between certain data elements and indicators of potential changes in credit quality. The increased power of these analytical tools over the last decade is due primarily to the incredible advancements in data collection and analysis technology. These advances have provided issuers with the ability to run sophisticated "what if" models to determine how changes in various key attributes of cardholders or in the overall economic environment will affect the quality of their portfolio.

Clearly, many of the issuers have taken other proven steps to improve the credit quality of their portfolios: they’ve reduced credit lines and increased payment monitoring management for existing accounts during and after the recession. And they applied more stringent credit policies, making it more difficult for new applicants to be approved (or likelier to be approved at lower credit limits than they would have been before). These are all sound risk management techniques. But data analytics has been a very powerful additional tool, allowing issuers to make huge strides in ensuring ongoing credit quality.

How are you using increased technology capabilities to improve your risk management capabilities?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 24, 2013 in cards, debt, innovation, payments study

Comments

Data and analytics can provide a competitive advantage for financial institutions (FIs) of all sizes. Sophisticated models can lead to better decisions and improve your institution's risk management, marketing, price optimization, offer optimization, and more. Arguably, the most important area is risk management. FIs need to find their happy median for risk. Effective decisioning won’t be profitable if high-risk customers are approved for too many cards or approved for credit limits that will overreach their ability to pay, but FIs also don’t want to necessarily turn a consumer away due to an address discrepancy. The FIs that can most effectively leverage their data and analytics will gain the competitive edge. It appears many credit card issuers have already figured this out.

Posted by: Christina Lysacek | October 21, 2013 at 02:53 PM


September 16, 2013


Be Sure to Dot Your I's and Cross Your T's in Vendor Agreements

A new twist on an existing issue has recently surfaced for financial institutions (FIs) in managing vendor risk. Patent infringement lawsuits, which are not new to the banking community, have grown as FIs have become more dependent on vendor-provided technologies. FIs are being drawn into more legal proceedings, or the threat of them, in which a party sues for alleged infringement of a patent on a product or process that a vendor has provided the FI. In particular, allegations of infringement have targeted technology enhancements related to scanning and imaging, mobile banking and payments, data storage, debit and prepaid card production, and transaction management processes. In a number of cases, the FI pays a royalty or fee to settle the dispute and avoid further legal expenses.

Some aggressive patent infringement groups have become active over the last several years. Targeting financial services vendors and FIs, these "patent assertion entities" (PAEs) (or, more derisively, "patent trolls") are characterized in the June 2013 White House report Patent Assertion and U.S. Innovation as focusing "on aggressive litigation, using such tactics as: threatening to sue thousands of companies at once, without specific evidence of infringement against any of them; creating shell companies that make it difficult for defendants to know who is suing them; and asserting that their patents cover inventions not imagined at the time they were granted." According to the report, patent infringement lawsuits initiated by PAEs now represent 62 percent of all infringement suits—up from 29 percent just two years ago. The greatest danger from such aggressive legal action is a chilling effect on the development and adoption of innovative technologies.

So what might a financial institution do to mitigate its risk in this area? Federal and state officials are examining the problem and will likely make recommendations for policies or regulations that will provide a reasonable level of protection. However, this effort is likely to take time. In the interim, we suggest a number of potential actions for FIs and their legal counsel to evaluate. A critical element in risk management is understanding the sources of risk and their threat level. Consequently, FIs should first consider a provision in the vendor agreement that requires the vendor to immediately notify the FI of any such claims. Second, FIs should include an indemnification clause in the vendor agreement to protect themselves from being drawn into the legal dispute. And the FIs' lawyers should make sure that this clause requires vendors to stand behind the FI if the lawsuits target them for using vendor-provided technology. Lastly, FIs should consider obtaining or requiring the vendor to obtain patent infringement insurance.

Risk assessment and developing mitigation tactics should be an ongoing effort for all FIs. We would like to hear how your company is addressing this issue.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 16, 2013 in innovation, regulations


September 9, 2013


Improving Customer Authentication

The Retail Payments Risk Forum recently hosted payment industry participants at the Improving Customer Authentication forum. On July 31, banks, nonbank payment service providers, industry associations, law enforcement officials, and regulators listened as keynote speakers and panelists explored methods and technologies for improving customer authentication so that financial institutions and other payments stakeholders can better mitigate payments fraud. Forum goals were to help participants understand the challenges of current methods of authentication and the legal implications, as well as to explore emerging solutions, along with pros and cons, that can improve authentication in both the face-to-face and remote channels.

Some of the key learnings from the forum include:

  • Customer authentication is critical to proving identity, authority, and consent throughout the entire payment process.
  • Customer authentication can be achieved by any combination of factors within three categories. For best practice, different categories should be used:
    • Something you know (user ID, password)
    • Something you have (card, phone)
    • Something you are (biometrics, activity pattern)
  • Currently, no single, simple, legally approved method for authorizing a payment or ensuring that a particular payment is authorized exists.
  • New payment types are stretching the boundaries of the current payments infrastructure and have created weak points that are being probed and exploited by cybercriminals.
  • While overall payment card fraud levels, expressed as a percentage of sales, are at an all-time low, certain categories of card fraud such as card-not-present (CNP) are significantly increasing.
  • Financial institutions are encouraged to build relationships with local and federal law enforcement officials and to report fraud—it is possible that a crime at your institution is part of a larger network of criminal activity.

For a more complete summary of the forum and to see video interviews with two of the forum speakers, go to the conference website.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 9, 2013 in authentication, biometrics, emerging payments


September 3, 2013


EMV Is Coming to the United States--Right?

The conferences I have attended recently have all had a session where speakers or panelists opined on the state of EMV migration and its future here in the United States. Some of the panelists have been highly optimistic, admitting to the challenges the industry currently faces but confident the issues will be successfully resolved. Those on the other end of the spectrum have been downright dismissive of the effort and sometimes even the standard itself. Based on my research and some of the industry discussion I've heard, let me offer my perspective on the current and future state of EMV migration in the United States.

Terminal migration timeline
The difference in the timelines of ATMs and POS terminals for the liability shift to take effect was initially confusing to some but that confusion seems to have been resolved—although the difference of a year between MasterCard (2016) and Visa (2017) for the ATM is still a head scratcher. But it seems likely that both networks will agree on a common date before the end of 2014.

Much of what I'd been hearing indicated that there would likely be no rush for the merchant community to upgrade their terminals to meet the POS liability shift timeline, currently scheduled for October 2015. Something tells me that many will choose to ignore the liability shift date altogether. The unresolved Application Identifier (AID) battle currently being fought among Visa, MasterCard, and the debit networks is a major factor in both the debit card issuance and POS terminal decisions. Many of the major merchants and their industry associations have not been big fans of EMV, apparently because of a variety of control, financial, and technical reasons. Understandably, merchants are attempting to consolidate their terminal upgrade efforts to support both mobile payments and EMV, so they would prefer to put off major terminal purchases or upgrades until there is a final resolution of terminal requirements for both technologies.

When U.S. District Judge Leon delivered his July 31 ruling that the Fed's Regulation II debit card transaction routing requirements did not meet the legislation's intent, it seemed that there was a greater likelihood for EMV development efforts to be placed on hold until there is a final routing rule.

Card migration timeline
Based on comments I've also heard at recent industry conferences, many of the major card issuers' replacement plans seem to be focused on card replacement for international travelers and high net worth/private banking clients rather than a wholesale card replacement effort. This issuance policy appears to be more to ensure operability when traveling to an EMV-converted country than to take financial advantage of the liability shift. Again, it seems highly likely that Judge Leon's ruling will suspend any major debit card replacement efforts until there is a resolution on the routing rules and the related AID solution.

Risk impact
Although it's normal for any major technology change to have its starts and stops, its advocates and critics, we must not forget that delays in finding a viable business solution for counterfeit card fraud only increase our risk profile through higher fraud losses and erosion of consumer confidence. We will be back to write more on this topic in future Portals and Rails posts, but for now we'd like to hear your thoughts.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 3, 2013 in debit cards, EMV, regulations
