Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
January 27, 2014
The Importance of Partnerships between the Private Sector and Law Enforcement
Helen Keller once said, "Alone we can do so little; together we can do so much." As the "forum" part of our name implies, we tend to agree with Helen Keller's comment on collaboration. The mission of the Retail Payments Risk Forum (RPRF) is to identify, detect, educate, and encourage mitigation of risk in retail payment systems. We firmly believe that one of the ways to achieve our mission is to collaborate with industry participants, regulators, and law enforcement. And while we convene our own forums to encourage collaboration, ample opportunities for collaboration between law enforcement and the private sector exist beyond the boundaries of the RPRF.
Below are descriptions of organizations that are built on such collaborations.
- Financial Services Information Sharing and Analysis Center (FS-ISAC): An organization dedicated to gathering and disseminating reliable and timely information from financial services providers, security firms, local, state, and federal law enforcement agencies, and other trusted resources related to physical and cyber threats against the financial services community.
- National Cyber-Forensics &l Training Alliance (NCFTA): A nonprofit corporation with formal partnerships/agreements with more than 40 U.S. private-sector organizations and more than 15 U.S. and international law enforcement or regulatory agencies. The NCFTA enlists subject matter experts from stakeholder organizations to share real-time intelligence regarding cyber threats and supports the development of joint proactive strategies to better identity, mitigate, and ultimately neutralize threats.
- Electronic Crimes Task Forces: Led by the United States Secret Service, these groups bring together federal, state, and local law enforcement with prosecutors, private industry, and academia for the purpose of preventing, detecting, investigating, and mitigating attacks on the nation’s financial infrastructures. Groups are structured through local field offices and organized in most major metropolitan areas.
- InfraGard: Led by the Federal Bureau of Investigation, this association with representatives from the private sector, academia, and state, local, and federal law enforcement agencies is dedicated to sharing information and intelligence to prevent hostile acts against the United States. Like the Electronic Crimes Task Force, InfraGard is comprised of groups organized by FBI field offices in major metropolitan areas.
- Anti-Phishing Working Group (APWG): An organization that seeks to unify the global response to cybercrime across industry, government, and law enforcement through data sharing, education, and standards development.
Each of these groups is different, but the common thread is information sharing between the private sector and law enforcement. This collaboration increases knowledge and awareness of threats and is often required to effectively capture and prosecute the masterminds behind attacks on financial institutions and their customers. I encourage our readers to learn more about and take advantage of these opportunities and others for collaboration between law enforcement and the private sector.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Importance of Partnerships between the Private Sector and Law Enforcement:
January 21, 2014
Online Payday Lenders: An Illustration of the Importance of Bank Due Diligence
Because of a series of incidents involving illegal payday loans, online payday lenders have been featured in news articles of late. They've also been the focus of increasing enforcement actions to ensure that adequate consumer protection is in place. States are stepping up their enforcement actions against online payday lenders that violate state laws, and federal regulators are stepping up enforcement of federal and state laws. Meanwhile, online lenders and their third-party payment processors are defending their roles in providing this borrowing option to consumers.
The recent uptick in attention on online payday lenders is an impetus for us to stress the importance of banks conducting their due diligence process for any payment processor or business for which they provide payment services. It's useful to look at this due diligence as a three-legged stool, with regulatory compliance, know your customer (KYC), and know your customer's customer (KYCC) all working together to keep the stool upright.
In an August 2013 post, we examined the risks incurred by banks that originate payments for online payday lenders. Much debate has focused on whether online payday lenders—and those who provide services to them—are unfairly targeted by regulators and enforcement agencies. The reality is that businesses that comply with state and federal law are not the reason for increased guidance and enforcement.
When it comes to online payday lending, the law—one leg of the stool—is quite complex. At the state level, laws can significantly differ from state to state. Some states, including Georgia, do not even allow online payday lending. But many online payday lenders operate virtually, and are therefore more likely to operate nationally, which can add to the confusion about complying with all relevant state and federal laws. When conducting their due diligence processes, banks should always consider their customers' ability to operate within the law.
KYC and KYCC are also two very important components of a bank's due diligence process with any customer for which they originate transactions. The better the bank understands the business lines of its originator from the very beginning, and the better they understand it over time by way of continuous monitoring, the greater their chance to quickly identify and address any problems.
Like any business, online payday lenders can use the services of a third-party payment processor. As we explained in a September 2013 post, payment processors are a bank's direct customer in providing payment services to businesses . This adds another layer to the bank's due diligence processes. With this kind of relationship, banks now need to know their customer's customer—in this case, the online payday lender.
Banks should use the recent attention to online payday lenders as a reminder to review and improve their due diligence practices for all their customers. They should make sure that all three legs—KYC, KYCC, and compliance with the law—are in place so that the stool doesn't topple.
What lessons has your bank learned from the recent attention to payday lenders?
By Deborah Shaw, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 13, 2014
Into the Breach: Protecting the Integrity of the Payment System
The breach of Target's point-of-sale system that compromised up to 40 million cardholders during the 2013 holiday shopping period has prompted us to step back and examine this attack—and wonder about its aftereffects. We've certainly seen the expected media attention for a crime of this magnitude, and the filing of class-action lawsuits wasn't far behind despite the lack of any verifiable fraud—as yet. We also have to wonder about its effect on consumers' confidence in the U.S. payment system.
For consumers to have confidence in the payment system, it is critical that they feel their financial information is protected during a payment transaction. And when that information has to be stored, they need to know that it is stored safely and securely. The research shows—and many consumers are well aware—that the creation of synthetic or stolen identities depends primarily on information obtained from data breaches.
All kinds of consumer advice followed the data breach. Many consumer advocates advised cardholders who had used their debit card at Target during the time their POS system was compromised to go to their financial institutions and request a card reissuance to prevent possible fraud. Others focused not on how consumers might recover from the Target breach but on how to prevent problems in the future—that is, they suggested that consumers use credit cards rather than debit cards because with credit cards, unauthorized transactions will not affect the payment of legitimate transactions. Some advocates suggested that people authenticate their debit cards at POS terminals with their signatures rather than their PINs, despite the fact that the level of PIN-based debit card fraud is almost one-third the level of signature-based debit card fraud.
Financial institutions also had varying responses. Some reissued cards when customers requested new cards, while others took a wait-and-see attitude. Still others lowered transaction limits on their customers' debit cards to minimize fraud exposure.
Of course, the Target incident has heated up the magnetic-stripe-versus-EMV conversation. As we've posted many times, the magnetic stripe was never intended to be a secure medium; the sophisticated and highly automated authorization systems were intended to carry the load of fraud detection capabilities. Some in the U.S. payment industry are calling for an acceleration of the migration to chip cards, currently scheduled for October 2015. They argue that EMV/chip cards will virtually eliminate the ability to create counterfeit cards. Some are even requesting that the government or the card networks mandate the technology, which many other countries did in their transitions to EMV. However, the reality is, we will have to keep our magnetic-stripe cards a minimum of five to 10 years, until the vast majority of merchant locations are equipped with EMV-capable terminals. And we should keep in mind that EMV is not a solution by itself—it cannot address card-not-present fraud.
As the authorities complete the forensics of the recent data breach, the industry will develop and implement additional security controls and measures. This added security will then prompt the criminals to look for other weak points. And look they will. So has this major incident shaken consumers' confidence? It is too early to know. What is clear is that the payments industry must come together to develop a cohesive strategy, and they should do so before consumer confidence in the payments system is further compromised.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Into the Breach: Protecting the Integrity of the Payment System:
January 6, 2014
When It Comes to RCCs, Can We Make the Invisible Visible?
In May 2013, the Federal Trade Commission (FTC) issued a proposal for public comment to amend the telemarketing sales rule to prohibit telemarketers from using certain payment types, including remotely created checks (RCCs). The proposal addressed attributes of RCCs that make their use susceptible to abuse. RCCs, sometimes referred to as demand drafts, are checks that payees issue rather than the consumer or the consumer’s bank, and are not signed by the consumer. The attributes the proposal addresses include the difficulty of distinguishing RCCs from check images, the absence of reliable data on the volume of RCCs and returns, and the lack of centralized fraud monitoring. Together, these attributes make RCCs relatively invisible.
RCCs usually garner attention only when a law enforcement case uncovers their use in fraud, typically when consumers are victimized by unfair and deceptive practices. Still, RCCs are not just a tool for committing fraud—they are used for legitimate purposes and are frequently authorized by consumers as payments for credit cards, charitable donations, and insurance premiums. At times, banks originate the RCCs themselves or on behalf of the payee, so in these instances, the bank monitors returns, identifies issues, and manages them.
In other payment methods, including ACH transactions and cards, the ability to recognize the payment, track volume and returns, and monitor fraud centrally have proven to be beneficial in addressing fraud. For example, ACH operators have data on forward entries and returns for ACH transactions that enable ACH participants to identify and address issues proactively. Adding these layers of data to enable identification and monitoring of RCCs would prove equally beneficial to the depository and paying banks, as well as regulators and law enforcement to potentially identify and address RCC fraud more directly.
How can the industry improve the identification and tracking of RCCs? One option could be to develop some kind of technology that would distinguish between RCCs and check images with a high degree of accuracy. Another option could be to approve a standard for an identifier in the MICR (short for magnetic ink character recognition) line to indicate that this document is an RCC.
Some industry participants have pursued the MICR line identifier in the past, but these efforts did not gain traction within the industry. However, it may be an idea whose time has come given the concerns that regulators and law enforcement officials are raising about the "invisibility" of RCCs. A MICR line identifier would also allow for centralized fraud monitoring. For instance, depository banks could report periodically to their primary regulator on RCC returns. This reporting would provide information to regulators and law enforcement on possible fraud and support banks in their efforts to mitigate improper RCC usage.
Does your institution see value in making RCCs visible in the processing stream and quantifying their use?
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference When It Comes to RCCs, Can We Make the Invisible Visible?:
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud