Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
November 30, 2015
Half Full or Half Empty?
My colleagues and I in the Retail Payments Risk Forum participate as speakers or attendees in what sometimes seems to be a nonstop stream of banking and payments conferences that run from mid-September to mid-November. This effort is part of our mission to support the education of the stakeholders in the payments ecosystem with a focus on payments risk. We also use the opportunity to network with other attendees and vendors to stay on top of the latest developments and market solutions that are being deployed to combat payments fraud. These events also give us a chance to provide our perspective on trends and key issues involving payment risk.
At a recent fraud conference, I was on a panel discussing fraud trends and key threat vectors. The moderator of the panel revealed some results from Information Security Media Group's 2014 Faces of Fraud survey of financial institutions (FIs). There was a specific question about whether FIs had seen a change in the level of losses from account takeover fraud since the Federal Financial Institutions Examination Council issued its supplemental guidance on Internet banking authentication in 2011. That guidance directed financial institutions to evaluate "new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks." The survey results are shown in the chart below.
While the moderator and some of the other panelists seemed to focus on the 20 percent who said they had seen an increase in fraud, I took the glass-half-full perspective, focusing on the 55 percent who indicated that the fraud had stayed about the same or decreased. Given the certainty that the number and magnitude of data breaches have increased and that the number of attempts by criminals to commit some sort of payment fraud through account takeovers was significantly up, I opined that fraud levels for the majority of the FIs having stayed at the same level or declined should be considered a victory.
Certainly, I am not saying the tide has turned and the criminals are on their way to retirement, but I think the payments industry stakeholders should take some pride that their efforts to combat payment fraud are making some progress through the continuing development and deployment of anti-fraud tools. Am I being too Pollyannaish?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 23, 2015
Bitcoin's Bright Side
My kids' anticipation for the holiday season is at an all-time high because of the upcoming release of the new Star Wars movie. They are fans of Yoda, Chewbacca, and Luke, but are obsessed with the "Dark Side" and its band of characters, most notably Darth Vader. There is something about the mystery of the "dark side" that draws people in. Perhaps that is one reason that so much of the media coverage and discussion of Bitcoin has been focused on its being the preferred payment instrument for criminal enterprises.
Because the Bitcoin protocol does allow for a level of anonymity that is attractive to criminals, the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Act compliance risks are heightened for transactions with bitcoin. Over the past several years, companies have emerged within the Bitcoin ecosystem seeking to make it more accessible to obtain and easier to use for legitimate payments. But how do they manage the BSA/AML compliance risks?
To minimize these risks, companies in the Bitcoin ecosystem are adopting policies, practices, and procedures that leverage the transparency but also minimize risks associated with the level of anonymity Bitcoin offers. These practices are intended to make Bitcoin a safer payment system, while also enhancing the ability of financial institutions, which might otherwise be cautious about the BSA/AML risks, to bank Bitcoin-related companies successfully.
The Retail Payments Risk Forum took a deep dive into the types of companies entering the Bitcoin ecosystem, assessing the regulatory landscape and identifying measures that these companies can take to fulfill regulatory obligations and minimize BSA/AML regulatory compliance risks. One of the measures identified in a paper available on the Atlanta Fed's website is that Bitcoin-related companies should have a BSA/AML compliance program in place that is led by a dedicated compliance officer with support from a staff of professionals.
Just as in the Star Wars movies, which depict the ongoing struggle between the good guys—the Rebels—and the Dark Side, Bitcoin will continue to have a tug of war between the good forces and the bad. While the criminal element will continue to force attention to the risks of Bitcoin, it will be up to the new entrants into the Bitcoin ecosystem to mitigate these risks if Bitcoin is to enter the mainstream. Details on managing BSA/AML risks associated with Bitcoin can be found in the paper.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 16, 2015
Is It Bigger Than a Bread Box?
The answer is yes and no. A payment card in physical form clearly is not bigger than a bread box, but it certainly is a symbol of something bigger. The card is an access device to an account. It could be a birthday gift to my favorite Italian restaurant, a debit card issued by my bank, a general purpose reloadable prepaid card purchased at my local pharmacy, or a card accessing a credit line, and the list goes on. You can't just say, “I used a plastic card to pay for my Italian dinner” and have someone know exactly which card type was used.
Let's play the classic 20-questions game, Take On Payments-style. I'll be thinking of a type of financial account, and you guess the type of account based on the 20 features below. Good luck!
- Allows you to earn interest on your account balance.
- Offers a loyalty program at selected merchants.
- Has no annual or monthly fee.
- Can be used at any domestic ATM.
- Can be used to pay bills.
- Allows person-to-person money transfers.
- Offers customer service 24/7.
- Offers cash-back rewards.
- Is usable for purchases in-person (POS) or online.
- Protects against unauthorized purchases and fraud.
- Allows access to account information via online or mobile application.
- Has budgeting features.
- Connects you to more than one account and allows you to manage multiple accounts under one main account.
- Issues mobile alerts.
- Has optional plastic card; can be all-virtual management.
- Offers mobile check deposit.
- Allows stop payments on previously scheduled transactions.
- Offers the ability to cover some purchase transactions over the account balance.
- Accepts direct deposit via ACH for payroll or other deposits.
- Allows you to order checks on the account and pay bills with a check.
Which account type did you guess? If I were to tell you that what I had thought of was a prepaid account, would you be surprised? I was thinking of prepaid as bigger than a bread box. It's not a card, or payment channel; it is an account type. Payment transactions are sent to and from a prepaid account just like a checking account. The financial institution and program manager determine the account name and features, and where accounts can be opened.
However, the payments industry needs to be careful that marketing differences don't lead to the misperception that these accounts are fundamentally different from checking accounts. If we let perceptions cloud the true purpose these accounts serve—each is essentially a transaction account, just sold differently—then regulations and risk controls may not address the actual risks. It is inconsistent to regulate transaction accounts offering the same services based on how the account was opened and the type of organization servicing the account, unless the regulation is addressing the actual risk injected at those points. In order for consumer protections and compliance to be achieved consistently, risk controls and regulations should address the operational aspects of these transaction accounts, rather than the marketing names assigned to them.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 9, 2015
Is the Payment Franchise Up for Grabs?
I have lost count of the number of discussions at payment conferences over the last few years on this topic of financial institutions (FIs) losing the payment franchise to various new payment start-ups and business models. This very topic was the focus of a session at the Code/Mobile conference in October that featured executives from Chase and PayPal debating "Will Banks Eat Payments, or Will Payments Eat The Banks?" This idea was stuck in my mind while I was recently reading Fidelity National Information Service's 2015 Consumer Banking Index Report. This report reveals the findings from a survey of a thousand household decision makers who ranked 18 attributes according to their importance and according to the respondents' perception of how well banks perform. I readily admit that one shouldn't read too much into the results of a single survey, but the results in the payments and product-related category really grabbed my attention.
Consumer expectations for their financial institution to provide digital payment options through more innovative products than other financial institutions scored extremely low in the importance category. Digital payments ranked as the 14th out of 18 attributes in importance, and delivering leading-edge products was the least important attribute surveyed. Though the importance of these two attributes was significantly lower than security and reliability attributes, consumers rated the performance of their financial institution on these two attributes favorably.
My interpretation of the survey is that consumers aren't expecting much from their FI when it comes to delivering digital payments and innovative products yet the FIs are exceeding these light expectations. The survey does not cover whether consumers place importance on others—say, non-bank payment providers—offering innovative products and payment options and how they are delivering on consumers' expectations.
If consumers expect non-FIs to provide digital payment options, then perhaps FIs are in danger of losing the payments franchise. Maybe consumers don't place a lot of importance on digital payment options because they are satisfied with the options their FIs provide and so the risk to FIs losing the payment franchise to non-FIs is low.
It's possible that the consumer falls somewhere in the middle of the two scenarios above. They may be pleased with the offerings of their FIs, which offer ubiquity and are not highly differentiated, so their expectations for options are low. The non-FI payments space is fragmented with new payment options being developed and deployed at a rapid pace that will take time for consumers to digest. Should consumers realize that any of these offerings present a significant improvement in the payments experience, they may raise their expectations for their FIs. This would suggest that the non-FI providers haven't fully delivered on a compelling, ubiquitous, and widely adopted offering yet.
I believe FIs remain firmly entrenched in the payment space today. However, the level of investment and innovation taking place in the industry should capture the FIs' attention. Consumers, me included, are a finicky bunch when it comes to expectations, and these expectations can change almost instantly with the amount of innovation occurring today. I see no reason why the digital payments arena would be any different, and FIs that fail to realize this as they consider future payment options risk a declining share of the payment franchise.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 2, 2015
Will NACHA's Same-Day ACH Rules Change Be an Exception-Only Service, At Least in the Short Term?
In May 2015, the 40-plus voting members of NACHA contingently approved mandating the acceptance of domestic same-day ACH payments by receiving banks. The voting members approved a three-phase development lasting 18 months. The first phase, starting in September 2016, is limited to credit pushes, followed one year later by debit pulls in the second phase. All payments are subject to a $25,000 maximum. By the final phase in March 2018, receiving banks will be required to make credit payments available to the receiving account holder by 5 p.m. local time to the receiving bank. Funds availability in the earlier phases is by the receiving bank's end-of-processing day. The service offers both a morning and afternoon processing window. A same-day return-only service is offered at the end of the business day. Lastly, originating banks are obligated to pay a 5.2 cent fee for every payment to recover costs to receiving banks.
Last month, the Federal Reserve Board of Governors removed the contingent part of the above approval by allowing the participation of FedACH, which serves as an ACH operator on behalf of the Reserve Banks. Approval followed a review of comments submitted by the public, of which a preponderance of the responses was favorable to FedACH participating in the service.
This was not the first time NACHA tried to mandate same-day ACH. Back in August 2012, a ballot initiative to mandate acceptance failed to receive a supermajority required for passage. Failure was due to a variety of reasons, and it was difficult to discern one overriding reason.
I think that most observers would agree that the earlier rollout of the Fed's proprietary opt-in, same-day service in August 2010 and April 2013 set the groundwork for mandating same-day.
As with any collaborative organization like NACHA, compromises were needed to garner sufficient votes for passage. The compromises included:
- Same-day payment eligibility rules change due to a multi-phase development cycle requiring one-and-a-half years to complete from start to finish.
- Providing certainty to the receiver that funds availability will be expedited on the day of settlement as part of the final phase, rather than earlier, which only requires posting by the receiving bank's end-of-processing day. The bank's end-of-processing day can be as late as the morning of the following business day.
- Delaying a debit service by one year after the rollout of the phase one credit service will, to the potential surprise of the payment originator, delay settlement of debits one business day later than would occur for credits.
- Any payment amount over $25,000 will settle one business day later than the payment originator may have expected if the payment originator is not aware of the payment cap.
Given these compromises, what do you think financial institutions can do to accelerate broader adoption of same-day?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed