Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
September 28, 2015
I Want My Two Dollars!
Dizziness and nausea come over me sometimes when I have to pay individuals. My mind scrambles. I don't carry cash or have checks. What grueling, lengthy steps will I have to go through to pay this person? Besides worrying about forgetting to meet my financial obligation if I don't pay right now, I find myself crossing my fingers behind my back hoping they have the same mobile app as I do. Or maybe we use the same bank, with any random luck. I picture myself as Layne Frost, the character played by John Cusack, from the movie Better Off Dead, with the paperboy at my doorstep insisting, "I want my two dollars!"
From bartering to exchanging livestock and shells, from cash and coin to checks and now mobile, it is inevitable that people will always find a way to pay and be paid. Forrester Research forecasts that the U.S. mobile peer-to-peer (P2P) market will grow to nearly $17 billion in transaction value by 2019. Yet the United States P2P payment volume by instrument is still largely cash-based, followed by check. Forecasters are planning on migration from over 6 billion cash and 2.1 billion check P2P transactions to the mobile space. Who will win the lion's share of paper-based P2P payments as people embrace electronic payments?
Let's look at the P2P payment lifecycle before you make your predictions:
My expectation is that everyone in the P2P space today faces challenges in getting there from here. Some will have a handsome share of the market but in doing so may suffocate opportunity for ubiquitous solutions that will benefit consumers nationwide. Fragmentation is our obstacle in P2P today. If both Ps don't have something in common (for example, financial institution, phone manufacturer, mobile application, social media, branded debit card), then the payment can't occur and...back to the basics we go. Cash and checks are accepted by almost everyone. Moreover, cash eliminates the middle part—cash means finality of good funds, sender to recipient, instantly.
All P2P access channels, or funds load, providers who offer accounts to consumers—whether these providers are financial institutions; virtual wallets like Google and PayPal; mobile/online applications like SquareCash, Venmo, or Dwolla; or prepaid accounts like Bluebird or NetSpend—should be able to access a directory to process payments from anyone to anyone. Ubiquity means debit card or not, banked or unbanked, same state or not. This can be achieved when financial institutions cooperate through open access to a directory, since all nonbank P2P providers ultimately use a bank to conduct the business of processing payments.
There is an option that could surpass directory deliberations. Bitcoin's blockchain technology, like cash, can eliminate middle participants—like cash, it is finality of good funds, sender to recipient, instantly. Perhaps the directory will be technology nonpartisan and connect all payments. Until then, I'll keep crossing my fingers when the paperboy shows up.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 21, 2015
Mimicking Mother Nature
A few months ago, we had a large colony of bats take up residence in our house. With the issue now resolved, and with everything we had to do to get rid of them, I realize how the whole experience was similar to the tactics of fraudsters and the challenges faced by their victims in taking preventive, detective and corrective action.
We learned of the initial intrusion purely by accident. Previously, we had never had any sign of vermin being able to gain entry, so I thought we had a solid defense. My wife had noticed a small amount of droppings on the back porch but we thought they were from squirrels. Imagine my shock when my adult son informed me we had been invaded by bats. He had discovered them one morning following an overnight stay. Departing for an early tee time, he noticed a swarm of bats flying into a soffit vent crevice. Incredulous, I waited for dusk only to see for myself a constant stream of small brown bats exiting the soffit crevice.
My wife went a little bat crazy as she imagined hordes of bats swooping down to carry off one of our grandkids. Actually, she was more concerned about the real threat of respiratory disease from their droppings as well as the potential for rabies. We began to do some research, and I soon learned that bats are a protected species, so they cannot be disturbed unless they are posing an immediate health threat. They weren’t, since they were not in our living space. But the problem intensified, which I realized one evening when I saw an even larger colony emerging from our chimney.
We began contacting companies that specialize in wildlife removal. We found a wide variety of suggested courses of action and prices. We selected one company based on its reputation, process, guaranteed results, and pricing. The company’s first step was to inspect the entire house to identify any other potential points of entry and to seal them. We notified our neighbors so they could be on the lookout to make sure the bats didn’t settle inside their houses. The next step was to install one-way excluders that would permit the bats to leave but not get back in. This seemed to be working well until a group of the bats somehow got word they were being evicted. Trying to find another way into the house, they navigated an interior wall and became trapped. Without water, they soon died and a putrid smell began to emerge. After cutting several holes in the wall, the technicians were able to locate the source and remove the carcasses. After a couple of weeks, the excluders were removed and the entry points sealed so we thought the problem was resolved.
Imagine our further surprise when we returned from vacation and found about 50 dead bats in our unfinished basement. It seems a group had remained and found a chase route from the attic to the basement seeking water. With the disposal of those bats, the problem seems to have finally been resolved. As fall approaches and bats migrate to warmer climates, the threat diminishes, but I can assure you we will be on the alert next spring.
So how does this relate to the payments fraud environment? Some similarities:
- We thought we had a strong defense perimeter and were safe, but the bats found a way inside given they require an opening of only three-eighths of an inch.
- While our discovery came shortly after their initial entry, it was only by sheer luck. We could have acted earlier if we had not ignored the early warning sign of their droppings.
- We thought we had identified the sole location of the problem, but they then migrated to a second entry point.
- Regulations limited the potential range of actions we could take to deal with the issue.
- We shared information about the situation with our neighbors so they could be on the alert.
- We analyzed several different options for dealing with the issue and preventing its recurrence.
- Despite what we thought was a successful process, other issues arose and required action before there was a final resolution.
This experience with Mother Nature has provided us a learning opportunity and we are better informed and on the alert for future such events.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 14, 2015
The Cost of Free Wi-Fi
When I was a teenager, my friends and I were often on the prowl for bargain restaurant offers. The all-you-can-eat buffet at our local Chinese restaurant was a favorite, but every so often we would discover a "free meal deal." We were once reminded by my friend's dad that "nothing in life is free." That quote left a lasting impression on me.
The validity of this quote was hammered home recently during a security discussion I had with a friend on connectivity to the Internet through free public Wi-Fi. Though free public Wi-Fi is, well, free, it has "soft" costs tied to the lack of security in the connection. And these soft costs can quickly lead to the "hard" costs of fraud—from theft of personal information, user names and passwords, or payment credentials, since hackers are easily able to intercept data transmitted over the Wi-Fi network. Beyond this method, which involves a legitimate network, fraudsters can also deploy rogue Wi-Fi networks for the sole purpose of stealing information. And then, once they have that information, the fraudster can use it to access your accounts under your identity.
This does not mean that people shouldn't use free or public Wi-Fi. When I am away from my home, whether I'm at a local coffee shop or on the road at a hotel, I often seek locations with free Wi-Fi. Apparently, I am not the only one. A recent survey by a U.K. hotel chain found that free Wi-Fi was the most important factor for its customers when choosing a hotel. Free Wi-Fi even ranked higher than a good night's sleep!
However, using free public Wi-Fi and trusting it are two different things. It should never be trusted, and therefore users should do everything to protect themselves and their information. Before joining a free public Wi-Fi network, users should ensure that it is a legitimate network offered by a legitimate entity such as a business, municipality, hotel, or airport. Criminals often will use deceptive Wi-Fi names to trick users into choosing bogus Wi-Fi networks, so users should pay close attention to signage promoting Wi-Fi networks or ask staff for help in identifying legitimate networks. The Federal Trade Commission offers detailed advice on protecting yourself against Wi-Fi security risks once you are connected, including:
- Use a virtual private network, or VPN.
- Use SSL-encrypted connections by enabling the "Always Use HTTPS" website option.
- Turn off file sharing.
These risks are not just limited to free public Wi-Fi networks. They are also inherent to any public Wi-Fi network, including paid networks such as the in-flight Wi-Fi that many airlines offer. It is imperative that users of public networks take the necessary steps to safeguard their information, especially while conducting financial transactions. As free public Wi-Fi spots continue to proliferate and more financial transactions move to connected devices, rest assured that fraudsters will continue to exploit this communications channel. Educating users on how to protect themselves using public Wi-Fi is critical to safeguarding financial information.
What are you doing to bring awareness to your customers about public Wi-Fi risks?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 8, 2015
Why Is the U.S. Card-Present Fraud Breakout Not Present?
Before answering the question the title poses, let me introduce myself. I'm the newest blogger in the Risk Forum. Recently, I was the faster-payments-product guy in the Retail Payments Office (RPO) at the Atlanta Fed. While in the RPO, I was a cheerleader who pushed and cajoled the industry to get same-day ACH off the ground. Incidentally, same-day ACH is due to become available universally as early as September 2016 due to a recent rule change passed by NACHA.
Back to my question—while doing some research on expanding fraud data coverage in the Fed's upcoming triennial payments study, I came across a gap in publicly available detailed fraud data for the United States compared to other geographies. As the table shows, the gap is evident from the Fourth Report on Card Fraud published in July 2015 by the European Central Bank. You probably see the "Not available" designation in the card-present subcategory.
What gives? What could be gained if this information were made available? As the footnote shows, the high-level data is taken from the Fed's last triennial payments study published in 2014. And as a previous post notes, the United States does not have a publicly available, single, uniform repository for payments fraud data. Back in 2009, the problem was covered in detail in the briefing paper "The Benefits of Collecting and Reporting Payment Fraud Statistics for the United States" by my colleague Rick Sullivan from the Kansas City Fed. In fairness, it should be noted that information is available in the United States to varying levels of detail as a paid service or through surveys conducted by such organizations as the Association of Financial Professionals and is typically distributed only to the organization's membership.
So that you know what we are missing out on in the United States, here are capsule descriptions of each card-present fraud type:
- Counterfeit/Skimming: Fraud is perpetrated using an altered or cloned card.
- Lost/Stolen: Fraudulent transactions result from the use of a lost or stolen card.
- Card not received: A newly issued card in transit to a card holder is intercepted and used to commit fraud.
- Fraudulent application: A new card is issued based on a faked identity or using someone else's identity.
- Other: This is a catchall category for fraud not covered above.
The card-not-present subcategory, which is fully reported on in the triennial study, generally covers fraudulent payments initiated online, or by mail or telephone. Unlike card-present fraud, this type of fraud is not usually subdivided any further.
It should be noted that the current study was the first of the triennial series to report on fraud. Unfortunately, scope limitations precluded breaking out fraud further. As it is, the current study offers a wealth of payment and fraud data for cards and all other forms of noncash payments.
Adding a level of specificity for card-present fraud in the United States will help in tracking the movement of fraud from one type to another and the migration of fraud to other countries. In the United States, fraud is likely to further shift from card present to card not present due to increased counterfeiting controls at the point of sale from the anticipated broad adoption of EMV (chips) for cards and POS terminals. The Federal Reserve, in partnership with other payment system stakeholders, hopes to track these and other developments by collecting additional fraud data for the next triennial study due to be published in 2017.
What suggestions do you have for identifying and collecting other fraud data?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed