Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
May 18, 2015
A Presumption of Innocence
Presumption of innocence is a principle that goes all the way back to Roman law. This concept means that if reasonable doubt remains after the accuser presents his or her proof, then the accused must be acquitted. In the payments ecosystem, the guilty is defined as the party that the account holder or cardholder has not authorized to conduct a transaction on that account or card. According to the 2013 triennial Federal Reserve Payments Study, the estimated number of unauthorized ACH transactions in 2012 reached a total of $1.2 billion.
With dollar stakes so high, reaching a guilty verdict when fraud has been committed is important. What is the best due process to identify the guilty while ensuring the preservation of the rights of the accused?
In 2009, NACHA members passed a rule change requiring financial institutions (FIs) to keep the percentage rate of unauthorized transaction returns below 1 percent per originating company. If an originating company reaches the unauthorized return threshold, NACHA will contact the originating FI to investigate and resolve any potential issues that can lead to rules violations and fines. Some of the reasons an ACH transaction can be returned unauthorized include the following: the entry amount is different than the amount that was authorized, the debit was processed earlier than authorized, the transaction was fraudulent, the transaction sender is unrecognized, the check conversion was done improperly, or a previous authorization has already been revoked. Unauthorized transactions can even be a result of the receiving party committing the fraud, by reporting the transaction as unauthorized while still being in receipt of the goods and services. The rule change set an expectation that FIs would monitor unauthorized returns received for each originating company name over a two-month period.
Monitoring for unauthorized activity unveils a number of payment issues, but there are more opportunities to identify the guilty. The ACH operator provides unauthorized return rate data, representing returns coded properly with NACHA’s unauthorized return reason codes (R05, R07, R10, R29 or R51). If a disputed transaction is improperly coded or returned with a different code, the transaction would not factor into current unauthorized return monitoring. Regulation E provides consumer protections that require FIs to provide error resolution beyond the NACHA return deadlines, and therefore such disputed transactions will also fall outside unauthorized monitoring unless the FI manually adjusts return counts. Additionally, unauthorized transactions are sometimes quickly returned under the codes for "insufficient funds," "invalid account," or "unable to locate an account." These codes should also be monitored in order to uncover guilty originators.
Effective September 18, 2015, a new NACHA rule will lower the unauthorized transaction return rate to half a percent. In addition, two new thresholds will be introduced to monitor other return reason codes that can unveil guilty originators while improving overall network quality. Thresholds are meant to provide a red-flag approach to return monitoring. However, return rates over or near the threshold should trigger investigation and due process before a final verdict is rendered.
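The return monitoring described in this post, sketched as an added example (it is not NACHA's or the author's code). It assumes the rate is unauthorized returns divided by debit entries originated in the same two-month window; the R01/R03/R04 mapping, the 80 percent "near" band, and the company names and counts are constructed for illustration.

```python
from collections import Counter

# Unauthorized return reason codes listed in the post.
UNAUTHORIZED = {"R05", "R07", "R10", "R29", "R51"}
# Assumption (codes not given on the page): R01 insufficient funds,
# R03 unable to locate account, R04 invalid account number.
OTHER_WATCHED = {"R01", "R03", "R04"}

def monitor(originated, returns, threshold, near=0.8):
    """Rate each originating company over one monitoring window."""
    # originated: {company: debit entries originated in the window}
    # returns: iterable of (company, return_reason_code)
    # near: fraction of the threshold treated as "near" (assumption)
    unauth, other = Counter(), Counter()
    for company, code in returns:
        if code in UNAUTHORIZED:
            unauth[company] += 1
        elif code in OTHER_WATCHED:
            other[company] += 1

    report = {}
    for company in set(originated) | set(unauth) | set(other):
        volume = originated.get(company, 0)
        if volume == 0:
            # Returns with no origination in the window: the rate is
            # undefined, so route to a person instead of dividing by zero.
            report[company] = {"unauthorized_rate": None,
                               "other_rate": None, "status": "investigate"}
            continue
        rate = unauth[company] / volume
        if rate >= threshold:
            status = "investigate"
        elif rate >= near * threshold:
            status = "near-threshold"
        else:
            status = "ok"
        report[company] = {"unauthorized_rate": rate,
                           "other_rate": other[company] / volume,
                           "status": status}
    return report

# Constructed sample data for one two-month window.
ORIGINATED = {"ACME GYM": 2000, "CITY UTILITY": 10000, "QUICK LOANS": 1000}
RETURNS = ([("ACME GYM", "R10")] * 10 + [("ACME GYM", "R07")] * 7
           + [("CITY UTILITY", "R10")] * 12
           + [("QUICK LOANS", "R05")] * 3 + [("QUICK LOANS", "R01")] * 90
           + [("OLD MERCHANT", "R29")] * 2)
```

Running `monitor(ORIGINATED, RETURNS, 0.01)` and then with `0.005` shows ACME GYM moving from near-threshold to investigate, while QUICK LOANS stays under both unauthorized limits despite a 9 percent rate on the other watched codes.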
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 11, 2015
The Hill Tackles Cybersecurity
In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two bills recently passed by the House and the Senate's bill under consideration.
Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.
National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is also to encourage the sharing of information on cyber-related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to do so. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cybersecurity and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS perform an annual review of privacy policies and procedures. As with its companion House bill, liability protection is afforded to parties sharing information.
Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.
The goal of the information sharing featured in these bills is that both government and the private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) with the Financial Services Information Sharing and Analysis Center, many FIs are seeing value in sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 4, 2015
Keeping Up with the Criminals: Improving Customer Authentication
The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.
Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.
The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.
Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.
The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.
The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed