Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
August 28, 2017
Identity Theft: A Growing Epidemic
I recently attended a conference that explored improvements in identifying and authenticating individuals. Many of the sessions focused on identity theft. While the conference primarily targeted law enforcement, immigration control, and the military, many of the lessons can easily apply to the public sector. A recent industry report validated the conference's focus, noting that in 2016, 15.4 million Americans were victims of identity theft, an increase of 18 percent from the previous year.
Identity theft (also called identity fraud) covers a wide range of crimes in which the criminal obtains and illegally uses another person's personal information in a fraudulent or deceptive manner, typically for economic benefit. In most cases, the criminals get personal information through a data breach, but malware on a computer or mobile phone or email phishing are other sources. Sometimes criminals can get enough personal information from public data—such as property and voter records, as well as social media accounts—to create a false identity and commit a crime.
Social Security numbers appear to be the most valuable information element in creating false identities. For this reason, legislation was passed in 2015 mandating that the Centers for Medicare and Medicaid Services (CMS) remove Social Security numbers from Medicaid cards. CMS recently announced that it will reissue Medicaid cards in April 2018 with a new beneficiary identification scheme.
The criminal actions of identity theft include using account numbers to obtain merchandise that can be monetized, filing fraudulent tax refund returns, and applying for credit to buy cars, lease homes, or even get home equity lines of credit. Outside the financial services arena, identity theft crimes include obtaining medical services, social program benefits, and false identification documents.
The Identity Theft Resource Center is a nonprofit organization established in 1999 to help identity theft victims resolve their cases and to broaden public education and awareness of identity theft, data breaches, cybersecurity, scams and fraud, and privacy issues. The center also tracks the number of data breaches across five industry sectors. As this chart shows, businesses remain the number one target for data breaches, and the number of attacks targeting businesses increased 4.4 percent during the first half of 2017 compared to that same period in 2016.
The increased use of chip cards at merchant terminals has made it more difficult for the criminal element to commit point-of-sale card fraud. Meanwhile, however, overall identity theft fraud is on the rise. So how do we combat this growing threat? We will look at some threat mitigation tactics and tools in a future post.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 21, 2017
Are Our Wallets About to Get Thinner?
In February 2011, I was in Salt Lake City for the annual Smart Card Alliance conference, and a representative from the now-defunct Isis Mobile Wallet was delivering the keynote address. As part of the keynote, the speaker played a video clip from the Seinfeld show that famously depicts the "Costanza wallet," a wallet so overstuffed that it gave George a backache from sitting on it. The conference speaker had us imagining a world where our mobile phones replaced our physical wallets. Six-and-a-half years later, that world remains a dream. But are we closer to it, with private-label cards possibly leading the way?
As I was paying for my coffee this morning through a mobile phone app, it dawned on me that I haven't used a physical card for this specific retailer in at least three years. The retailer's mobile app has replaced my physical card, a private-label prepaid card, as my payments credential. I no longer have a need for the card at this retailer, nor do I want one—I'd prefer to keep my wallet from becoming a "Costanza wallet." And while my example describes a prepaid card, I believe that this retailer's model is indicative of what's on the horizon for private-label store credit cards as well.
I usually quickly turn down any offers for private-label credit cards at retailers. Even though these cards come with some sweet deals and benefits, I just don't want more plastic in my wallet. But what if this credential could be issued directly within the retailer's mobile application without ever issuing a plastic card? Sign me up!
I remain skeptical about the future of the so-called "pay wallets," but continue to believe that the future of mobile payments will be driven by retailers' mobile apps. And I think these mobile apps present these retailers the ideal opportunity to drive their private-label prepaid or credit adoption and usage without ever having to issue a plastic credential. If the credential that retailers issued were in electronic form, such as a token or virtual card, it could disrupt the plastic card industry—approximately 360 million credit and 4.5 billion prepaid cards in 2015, according to the Nilson Report. Plus, merchants would benefit by avoiding the cost of issuing and distributing cards.
So back to my original question: Are we closer to a world with thinner wallets, and with private-label cards possibly leading the way? I don't think our physical wallets will ever go away, but I do believe that they will slim down as we witness a substantial rise in the issuance of private-label virtual credentials in the future on a wide range of connected devices. In fact, I'm willing to go out on a limb and suggest that these credentials will eventually overtake the number of physical cards. What do you think on the future of plastic in the private-label space? And what new challenges, if any, will the virtualization of plastic have on the personalization and authentication of payment credentials?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 14, 2017
Extra! Extra! Triennial Payments Data Available in Excel!
In countless old black-and-white movies, street newspaper vendors would shout out the latest sensational news from hot-off-the-press special editions. The Fed is no different in that we want to shout out that it is no longer necessary to mine the PDF-based Federal Reserve Payments Study report to extract the study's data. For the first time, we are offering our entire aggregated data set of estimated noncash payments in an Excel file. The report accompanying the data is here.
The data set is very rich and covers the following categories:
Accounts and cards
Private-label credit processors
|Checks||Person-to-person and money transfer|
|ACH||Online bill pay|
|Non-prepaid debit||Walk-in bill pay|
|General-purpose prepaid||Private-label ACH debit|
|Private-label prepaid issuers & processors||Online payment authentication|
|General-purpose credit||Mobile wallet|
|Private-label credit merchant issuers|
Here is another table that is just one extract from the non-prepaid debit card portion of the extensive payments data available.
To get a taste of what this data can teach us, let's look closer at the cumulative volume distribution by payment dollar value threshold for non-prepaid debit cards (the data are shown above) along with general-purpose credit cards. The number and value of both types of payments grew substantially from 2012 to 2015, the last two survey periods. The chart compares these distributions, showing more vividly how this growth affected the relative proportions of payments of different dollar values.
For example, debit card payments below $25 accounted for 59.1 percent of all payments in 2012 versus 61.8 percent in 2015—evidence that debit card purchases are migrating to lower ticket amounts. The trend is even more dramatic over the same time span for general-purpose credit cards.
Because this is a distribution, increases in the relative number of small-value payments must be offset by decreases in the relative number of large-value payments. Unfortunately, our previous survey capped the payment threshold at $50 in 2012. Otherwise, we would see the dashed 2012 lines crossing over the solid 2015 lines at some payment value threshold above $50. In brief, the results suggest cash payments are continuing to migrate to debit cards, while credit cards may be garnering some share at the expense of both cash and debit cards.
The challenge is on for you data analysts out there. Please share your findings.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 7, 2017
Are Business Payments Directories Coming to the Fore?
Financial institutions (FIs), service providers, and particularly businesses have been dreaming of a ubiquitous payments directory for business-to-business (B2B) payments over the last five years or so. Payments directories give payers the ability to quickly look up accurate account and routing information to originate payments of all types to payees. Directories reduce friction and time needed to efficiently and accurately make payments and accelerate the transition away from checks.
That the dream is getting closer to reality became obvious to me in April, when I attended a NACHA Payments Conference that included the panel discussion "Can a B2B Directory Service Advance e-Payments?" Significantly, one of the panelists was the chair of the Business Payments Directory Association (BPDA), a nonprofit initiative to advance an open, nonproprietary B2B directory for small and large businesses. The independent BPDA has the support of the Business Payments Coalition comprising banks, industry associations, service providers, and businesses.
Businesses wanting to pay other businesses have a variety of payment instruments to choose from—check, ACH credit, wire, and card—with consequential differences among them such as costs, payment reconciliation, and funds availability. Though ACH has made significant inroads into B2B payments, particularly for large businesses, checks are still the fallback payment method when payers are not sure if the payee is willing to accept anything else. Checks are still widely accepted, and attaching associated remittance information with the check is straightforward. The ease of paying by check contrasts with the potential difficulty of determining whether the payee is willing to accept electronic payments and of getting accurate account and routing information.
Essentially, any B2B directory should contain all the information a payer needs to specify the payee’s payment account and route the payment electronically. Typically, directories by themselves do not clear and settle payments. The idea behind the BPDA initiative is that each payee in the directory is provided an electronic payment identity (EPI). That EPI uniquely identifies a payee and supports multiple payment accounts. It also specifies the payee’s preferred way to be paid, the type of remittance information needed, and preferred remittance delivery methods. A payee owns its EPI, which is portable across multiple subdirectory providers. As envisioned, a central node would link multiple subdirectories containing EPIs, each managed by a subdirectory provider that validates payee information so that it can be trusted. Subdirectory providers can include FIs, service providers, and payment networks. All of this is managed by the BPDA that sets rules, credentials subdirectory providers, payees and payers, and oversees the central node.
The image illustrates the process. Payers query the system to retrieve account and routing information from payees. They can then use this information to originate a payment through existing payment rails.
The BPDA lists several advantages of this approach, including these:
- Payees can centrally communicate preferred payment methods and the information needed to effect payments by payers.
- Payers can centrally retrieve accurate payee payment and remittance content and delivery preferences.
- Friction for noncheck payments between payees and payers is reduced.
- Minimizes misdirected payments.
One lingering concern about having a centralized directory is the risk that fraudsters could gain access to account numbers of large businesses for producing counterfeit checks or unauthorized transactions. In addition to the need for robust credentialing, one mitigant the system offers is that account information can be made private and restricted to specific payers.
It will be interesting to see how this nascent service shakes out given hurdles in governance framework, garnering industry support, developing a funding model, and, of course, getting businesses to enroll and participate. What are your views on the future of B2B directories?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud