Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
June 26, 2017
Responsible Innovation, Part 2: Do Community Financial Institutions Need Faster Payments?
In my last post, I introduced themes from a summit that the Retail Payments Risk Forum cohosted with the United Kingdom's Department for International Trade. The summit gathered payments industry participants to discuss faster payments and their effects on community financial institutions (FIs). This post, the second of three in a series, tackles the question of whether community FIs and their customers actually have an appetite for increasing the speed of payments.
A summit attendee from WesPay, a membership-based payments association in the United States, presented the findings of a survey of 430 U.S. FIs about current payments initiatives. An important discovery was that awareness and adoption of faster payments solutions remains low, as the responses to two survey questions indicate:
- For same-day ACH, a majority (57 percent) indicated that the first phase—faster credits—"has had no measurable impact on our customers'/members' transactions."
- When asked about the Federal Reserve Faster Payment Task Force, 34 percent of respondents indicated they were unaware of the initiative, and 46 percent indicated they had only high-level knowledge.
Responses to another of WesPay's survey questions suggest that, although there may be low awareness of many current initiatives, many financial institutions are recognizing that faster payments are inevitable. A majority (60 percent) agreed that faster payments initiatives are "an important development in the industry. However, our institution will be watching to see which platform becomes the standard."
NACHA's representative presented statistics from phase one of same-day ACH, with reminders about the phases to come.
- Same-day ACH reached a total of 13 million transactions in the first three months (launched September 23, 2016).
- Phase 2 will allow for direct debits to clear on the same day (to launch September 15, 2017).
- Phase 3 will mandate funds availability for same-day items by 5 p.m. local time (to launch March 16, 2018).
- The current transaction limit is $25,000, and international ACH is not eligible.
Results of a study by ACI Worldwide, a global payments processor, look a little different from WesPay's survey results. The study looked at small to medium-size enterprises to gauge real-time payments demand. For the U.S. respondents, the research revealed that:
- Fifty-one percent are frustrated by delays in receiving payments.
- Forty-two percent are frustrated by outgoing payments-delivery timeframes.
- Sixty-five percent would consider switching banks for real-time payments.
We don't know yet what U.S. adoption rates will be, but Faster Payments Scheme Ltd. (FPS) in the United Kingdom already has a story to tell. U.K. panelists attending the summit at the Atlanta Fed stated that FPS has had constant adoption growth due to cultural change and customer expectations.
- FPS reached a total of 19 million transactions in the first three months (launched May 27, 2008).
- The FPS transaction limit increased in 2010 from £10k to £100k, and then to £250k in 2015.
- On April 2014, Paym, a mobile payments service provider, launched, using FPS. Paym handles person-to-person and small business payments, similar to Zelle in the United States, which started up in June 2017, using ACH.
- FPS had a total volume of 1.4 billion items in 2016.
For payment networks offering new solutions, community FIs are the critical mass that ensures adoption. Their participation will require practical benefits with a lot of support before they are willing to commit. Some community FIs might be forced to adopt new systems because everyone else has. Will new networks in the United States contest same-day ACH, which already has the advantage of ubiquity? Likely, as options develop, so will customer culture and expectations.
In the final installment of this "Responsible Innovation" series, I will look at future impacts of faster payments.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 19, 2017
Calculating Fraud: Part 2
Part 1 of this two-part series outlined an approach for whittling down credit card transactions to the value or number of authorized and settled payments as the denominator for calculating a fraud rate. This post reviews the elements needed to quantify the numerator.
To summarize from the previous post, when analyzing credit card fraud rates, you should consider what is being measured and compared. To calculate a fraud rate based on value or number, you need a fraud tally in the numerator and a comparison payment tally in the denominator. The formula works out as follows:
Fraud Rate = Numerator
Where, for any given period of time
Numerator = Value, or number of fraudulent payments across the payments under consideration,
Denominator = Value, or number of payments under consideration.
Before calculating the numerator value, you must first decide what types of fraud to include in the measurement. One stratification method divides fraud into the following two categories:
- First-party payments fraud results when a dishonest but seemingly legitimate consumer exploits a merchant or financial institution (FI). That is, the legitimate cardholder authorizes a credit card transaction as part of a scam. One manifestation of this is "friendly fraud," whereby a consumer purchases items online and then falsely claims not to receive the merchandise.
- Third-party payments fraud occurs when a legitimate cardholder does not authorize goods or services purchased with his or her credit card. Besides the victimized cardholder, the other two parties to the transaction are the fraudster and the unsuspecting merchant or FI.
Sometimes no clear delineation between first-party and third-party fraud exists. For example, a valid cardholder may authorize a payment in collusion with a merchant to commit fraud.
The 2016 Federal Reserve Payments Study used only third-party unauthorized transactions that were cleared and settled in tabulating fraud. The study measured and counted fraud as having occurred regardless of whether a subsequent recovery or chargeback occurred. Survey results had to be adjusted because some card networks report gross fraud while others report net fraud, after recoveries and chargebacks. Furthermore, the study made no effort to determine which party, if any, in the payment chain may ultimately bear the loss. Finally, the study did not measure attempted fraud.
Excluding first-party payments fraud
The study excluded first-party fraud due to the greater ambiguity around identifying and measuring it along with the idea that it is difficult to eliminate, given that controls are relatively limited. One control option would be to place repeat offenders on a negative list that, unfortunately, might not be shared with other parties. As a result of excluding first-party fraud, the study focused on fraud specific to the characteristics of the payment instrument being used.
Paraphrasing from page 30 of the 2013 Federal Reserve Payments Study, first-party fraud, while important, is an account-relationship type of fraud and typically would not be included as unauthorized third-party payments fraud because the card or account holder is by definition authorized to make payments. Consequently, first-party fraud can occur no matter how secure the payment method.
As with tallying payments, you could follow a similar process for tallying fraudulent payments for other types of cards payments, with more questionnaire definitions and wording changes needed for other instruments such as ACH and checks.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 12, 2017
Watching Your Behavior
Customer authentication has been at the core of the Retail Payments Risk Forum's payments risk education efforts from the beginning. We've stressed not only that there are legal and regulatory requirements for certain parties to "know your customer," but also that it is in the best interest of merchants and issuers to be sure that the party on the other end of a given transaction is who he or she claims to be and is authorized to perform that transaction. After all, if you allow a fraudster in, you have to expect that you or someone else will be defrauded. That said, we also know that performing this authentication, especially remotely, has several challenges.
The recently released 2017 Identity Fraud Study from Javelin Strategy & Research estimated that account takeover (ATO) fraud losses in 2016 amounted to $2.3 billion—a 61 percent increase over 2015's losses. (ATO fraud occurs when an unauthorized individual performs fraudulent transactions through a victim's account.) Additionally, new-account fraud on deposit and credit accounts has increased significantly and generated several public warnings from the FBI.
In payments, the balancing act between imposing additional customer authentication requirements and maintaining a positive, low-friction customer experience has always been a challenge. Retailers, especially online merchants, have been reluctant to add authentication modalities in their checkout process for fear that customers will abandon their shopping carts and move their purchase to another merchant with lower security requirements. Some merchants have recently introduced physical biometrics modalities such as fingerprint or facial recognition for online orders through mobile phones. Although these modalities have gained a high acceptance rate, they still require the consumer to actively participate in the authentication process.
Enter behavioral biometrics for online transactions. Behavioral biometrics develops a pattern of a user's unique, identifiable attributes from when the user is online at a merchant's website or using the merchant's proprietary mobile app. Attributes measured include such elements as typing speed, pressure on the keyboard, use of keyboard shortcuts, mouse movement, phone orientation, and screen navigation. Coupled with device fingerprinting for the customer's desktop, laptop, tablet, or mobile phone, behavioral biometrics gives the merchant and issuer a higher level of confidence in the customer's authenticity. Another benefit is that behavioral biometrics is passive—it is performed without the user's involvement, which eliminates additional friction in the overall customer experience. Proponents claim that while it takes several sessions to develop a strong user profile, they can often spot fraudsters' attempts because fraudsters often exhibit certain recognizable traits.
Behavioral biometrics is still fairly new to the market but over the last couple of years, some major online retailers have adopted it as an additional authentication tool. Like any of the physical biometric modalities, no single behavioral authentication methodology is a silver bullet, and multi-factor authentication is still recommended for moderate- and higher-risk transactions.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 5, 2017
Responsible Innovation Part 1: Can Community Banks Remain Competitive?
The Atlanta Fed's Retail Payments Risk Forum recently co-hosted a summit with the United Kingdom's Department for International Trade to discuss faster payments and their effects on community financial institutions (FIs). In a series of three posts, I will share summaries of the lessons and implications that payments industry stakeholders discussed at the summit. A major theme of these discussions was whether community FIs can remain competitive independent of how they access a faster payments network. This post tackles this theme.
|United States||United Kingdom|
|ACH (NACHA)||ACH (Bacs)|
|Real-Time Payments (The Clearing House)||Faster Payments (Faster Payments Scheme Ltd.)|
The Faster Payments Scheme, or FPS, opened in the United Kingdom in 2008. The summit was a good opportunity to hear first-hand from one community banker's experience with the still-new system. A panelist from the first retail community bank to join the FPS discussed how access options played a role in the bank's ability to compete with large FIs.
- In the beginning, the only way a community bank could access the FPS was through a sponsoring bank.
- This option was expensive, hindering, and much like a newborn baby who needed attention all day and night (even on weekends), according to the panelist.
- The FPS sends messages 24/7, in near-real time, but her bank's access model often caused a delay of 15 to 30 minutes, making the bank less than competitive.
- Last year, the bank was able to join as a "Direct Participant" under the New Access Model,, an experience that the panelist compared to parenting a toddler who allows her to sleep through the night, even as it runs 24/7/365. The new model was also much more affordable and provided her community bank the near-real time model larger banks received. (The New Access Model that gives payment service providers and community FIs direct connection began in 2014, six years after the FPS began.)
- The panelist did note a serious obstacle to this access model for the smaller banks: the onerous 12-month certification process to become a Direct Participant is tailored to large banks. The process required significant resources and strained other areas of her bank. She suggested that the certification take a risk-based approach.
Two developments on the way may affect future access options: (1) plans are set to consolidate Bacs, FPS, and Cheque; and (2) the Bank of England plans to grant settlement services to nonbank payment service providers.
The United States is facing a similar challenge: community FIs will have to choose how to access faster payment systems. Some community FIs have begun to offer same-day ACH and will likely consider real-time payments later this year.
Representatives from the Clearing House's Real-Time Payments initiative shared some details on their access model:
- FIs of all sizes will be able to connect directly or through third-party service providers.
- Regional payments associations will play an important role as they collectively represent all U.S. financial institutions plus third-party processors.
- The speed will be the same for all participants.
- Indirect participation will not be available.
- Payments can be made 24/7/365.
While direct access is available for both same-day ACH and Real-Time Payments, some FIs may choose to use a sponsor or correspondent access model. To remain competitive, community FIs will have to understand the advantages and limitations that each access model provides.
The next installment in this series will discuss the U.S. market appetite for faster payments; the one after that will look at the impacts of adoption.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud