Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
June 30, 2014
A Call to Action on Data Breaches?
I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack (and at the same time more difficult for me to remember) in an attack against my devices.
I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.
As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?
Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or do there need to be more major breaches before the momentum to create such a standard makes it happen?
June 23, 2014
Do Consumers REALLY Care about Payments Privacy and Security?
Consumer research studies have consistently shown that a top obstacle to adopting new payment technologies such as mobile payments is consumers' concern over the privacy and security protections of the technology. Could it be that consumers are indeed concerned but believe that the responsibility for ensuring their privacy and security falls to others? A May 2014 research study by idRADAR revealed the conundrum that risk managers often face: they know that consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.
The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge (see the chart).
In response to another question, this one asking about the frequency at which they changed their passwords, more than half (58 percent) admitted that they changed their personal e-mail or online passwords only when forced or prompted to do so. Fewer than 10 percent changed them monthly.
When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge. At Portals and Rails, we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.
June 16, 2014
Banking on the Financial Institutions as Gatekeepers
With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.
Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.
Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.
Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)
An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.
The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.
June 9, 2014
Magic 8 Ball, Will We Ever Be Cashless?
Predictions of a cashless society have been broadcast sporadically throughout the decades. It became a popular concept in the United States in 1965 when Thomas J. Watson Jr., CEO of IBM, said, "In our lifetime, we may see electronic transactions virtually eliminate the need for cash." Watson believed, or hoped, that the newly released IBM mainframe computers would revolutionize financial transaction processing and make carrying cash unnecessary. Later that decade, the concept was expanded to a checkless/cashless society, with some predicting that both payment forms would be extinct by the 1980s.
Despite consumers' growing use of cards and the emergence of the ACH system, the cashless society concept took a bit of a detour during the 1980s and 1990s—ATMs and shared EFT networks proliferated, both offering tremendous convenience and making it very easy to distribute currency. When card-based point-of-sale (POS) programs also emerged, they offered an alternative to currency and checks, while also increasing the convenience of currency by allowing cash-back transactions. This expansion of currency convenience took place even as consumers were being warned of the dangers of coin and currency—the germs, the cocaine residue, the increased chance of robbery, and so on. Certainly this was a more intense negative campaign than the spontaneous combustion danger my mother warned me about when I was young. I'd received some birthday money that I was anxious to spend, and she declared that the money was "burning a hole in your pocket."
While the central banking authorities of some countries such as Sweden and Nigeria have announced a goal of moving to a less-cash society, consumers in the United States are seemingly moving in the opposite direction, as evidenced by some recent San Francisco Fed research. Researchers examined the data from the 2012 Diary of Consumer Payment Choice (DCPC) study by the Boston, Richmond, and San Francisco Federal Reserve Banks. The San Francisco Fed research included these key findings:
- Cash remains the most-used form of payment, accounting for 40 percent of payment transactions.
- Cash is generally used for lower-value transactions. The average value of a cash transaction was only $21, compared with $168 for checks and $44 for debit cards.
- Cash is used most often in gift and P2P (or "person-to-person") transfers, with food and personal care supply purchases second (see the chart).
- Contrary to the conventional wisdom of millennials' love for all things electronic, 40 percent of 18–24 year olds prefer cash over all other payment methods—the highest percentage of any age group.
Yes, card, ACH, and other electronic transactions are continuing to increase and gain larger shares of the overall consumer transaction mix while check usage remains in a steady decline. Despite the dire outlook for checks, my colleague Doug King pointed out in a recent post that check usage among P2P users actually increased, according to the latest Fed payments study. My Magic 8 ball is predicting that coin and currency are going to be around for quite some time. What does yours say?
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 2, 2014
Mobile Payments Fatigue
When I was an elementary school-aged kid, I looked forward to coming home from school and grabbing an ice cold Coca-Cola and a snack before venturing out into the neighborhood to play. And while I can't remember the exact discussions I had with friends around the lunch table when I was that age, I do remember our anticipation of the launch of New Coke in 1985. And oh my, how much my friends and I were disappointed when our lips first met New Coke. My reaction, with most others, was that we wanted our "old" Coke back.
Fast forward nearly 30 years and now my lunch discussions often revolve around payments. Each day I am reminded of my New Coke experience via an e-mail or news article touting or predicting an explosion in mobile payments. I'll admit it—I'm getting mobile payments fatigue. The payments industry has been anticipating mobile payments for years now, yet I find the developments to date mostly disappointing. Sure, I've made plenty of payments using a mobile device to purchase digital goods or even to purchase physical goods in an online marketplace. But outside of a few experiences of purchasing coffee with a closed-loop solution, my mobile device stays in my pocket when I'm making a purchase at the point-of-sale (POS) as I take out my reliable cards or cash.
And that is where my New Coke analogy comes into play. To many people, nothing was wrong with Coca-Cola, yet the coolness of a new product created a great level of expectation—which turned to immense disappointment. At the POS, payments are relatively seamless, yet the newness of mobile payments creates great anticipation, only to end up being disappointing and leaving me thinking, "What's wrong with my current payment choices?"
So much attention on mobile is focused on replacing a current payment form at the POS—perhaps the most seamless piece of the commerce experience. Often in mobile payment discussions, I hear that mobile payments are a technology solution looking for a problem rather than trying to solve a problem. However, I think the industry is looking in the wrong place as the problem isn't with the payment. It's with the overall experience in and around the POS. I believe mobile devices have the ability to transform this experience, but it's not by replacing my cards or cash as a payment method. It's by replacing the entire commerce experience. Are you experiencing mobile payment fatigue? And if so, what will it take to energize you?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed