About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« April 2015 | Main | June 2015 »

May 18, 2015


A Presumption of Innocence

Presumption of innocence is a principle that goes all the way back to Roman law. This concept means that if reasonable doubt remains after the accuser presents his or her proof, then the accused must be acquitted. In the payments ecosystem, the guilty is defined as the party that the account holder or cardholder has not authorized to conduct a transaction on that account or card. According to the 2013 triennial Federal Reserve Payments Study, the estimated number of unauthorized ACH transactions in 2012 reached a total of $1.2 billion.

With dollar stakes so high, reaching a guilty verdict when fraud has been committed is important. What is the best due process to identify the guilty while ensuring the preservation of the rights of the accused?

In 2009, NACHA members passed a rule change requiring financial institutions (FI) to keep the percentage rate of unauthorized transaction returns below 1 percent per originating company. If an originating company reaches the unauthorized return threshold, NACHA will contact the originating FI to investigate and resolve any potential issues that can lead to rules violations and fines. Some of the reasons an ACH transaction can be returned unauthorized include the following: the entry amount is different than the amount that was authorized, the debit was processed earlier than authorized, the transaction was fraudulent, the transaction sender is unrecognized, the check conversion was done improperly, or a previous authorization has already been revoked. Unauthorized transactions can even be a result of the receiving party committing the fraud, by reporting the transaction as unauthorized but still in receipt of goods and services. The rule change set an expectation that FIs would monitor unauthorized returns received for each originating company name over a two-month period.

Monitoring for unauthorized activity unveils a number of payment issues, but there are more opportunities to identify the guilty. The ACH operator provides unauthorized return rate data, representing returns coded properly with NACHA’s unauthorized return reason codes (R05, R07, R10, R29 or R51). If a disputed transaction is improperly coded or returned with a different code, the transaction would not factor into current unauthorized return monitoring. Regulation E provides consumer protections that require FIs to provide error resolution beyond the NACHA return deadlines and therefore such disputed transactions will also fall outside unauthorized monitoring, unless the FI manually adjusts return counts. Additionally, unauthorized transactions are sometimes quickly returned under the codes for "insufficient funds, "invalid account" or "unable to locate an account." These codes should also be monitored in order to uncover guilty originators.

Effective September 18, 2015, a new NACHA rule will lower the unauthorized transaction return rate to half a percent. In addition two new thresholds will be introduced to monitor other return reason codes that can unveil guilty originators while improving overall network quality. Thresholds are meant to provide a red-flag approach to return monitoring. However, return rates over or near the threshold should trigger investigation and due process before a final verdict is rendered.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 18, 2015 in regulations | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01bb08305c2e970d

Listed below are links to blogs that reference A Presumption of Innocence:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 11, 2015


The Hill Tackles Cybersecurity

In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two House bills recently passed by the House and the Senate's bill under consideration.

Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.

National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is to also encourage information sharing of cyber related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to do so. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cybersecurity and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS performs an annual privacy policies and procedures review. As with its companion House bill, liability protection is afforded to parties sharing information.

Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.

The goal of information sharing featured in these bills is the hope both government and private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) with the Financial Services Information Sharing and Analysis Center, many FIs are seeing value to sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.

Photo of David Lott By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 11, 2015 in collaboration, consumer protection, cybercrime, law enforcement, regulations | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01bb082c5f0e970d

Listed below are links to blogs that reference The Hill Tackles Cybersecurity:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 4, 2015


Keeping Up with the Criminals: Improving Customer Authentication

The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.

Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.

The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.

Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.

The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.

New_characteristics_table

The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 4, 2015 in authentication, biometrics, emerging payments, innovation, mobile banking, mobile payments, risk management | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01b8d10cb742970c

Listed below are links to blogs that reference Keeping Up with the Criminals: Improving Customer Authentication:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad