Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
October 30, 2017
Why the Explosion in Household Payments?
In a post last August, I analyzed some of the data from the inaugural release of the entire aggregated data set of estimated noncash payments from the latest Federal Reserve payments study. In this go-round, I will discuss the household payment figures in the report that accompanied the data set. These figures reflect core noncash payment types—including ACH transfers, check, nonprepaid and prepaid debit cards, and credit cards— that consumers in the United States use today.
The two pie charts show the distribution of household noncash payments for 2000, when the payments study began, and for 2015. Over this period, the number of consumer payments increased to 117.5 billion in 2015 from 50.7 billion in 2000. The area of each pie chart reflects the proportional difference in the average monthly household noncash payments for the two periods. In 2000, households made on average 40.3 noncash payments per month, compared to 78.6 monthly payments in 2015, a 95 percent increase.
Besides the near doubling of monthly payments per household, the other striking difference is the distribution of payments by type over time. Most dramatically, checks written decreased 6.4 percent per year over this time while debit cards, with an annual increase of 13.7 percent, were on a tear.
As the report notes, and according to my own speculations, increases in the number of monthly household noncash payments could be attributed to the following factors:
- Some payments that historically would have been made with cash are now made with mostly noncash forms of payment. Debit cards snagged the greatest share, given their high growth rate and relatively low average ticket amount, which aligns with payments typically made with cash.
- Storefront merchants and consumers have expanded their acceptance of card payments as a substitute for cash and check.
- The growth of remote payments such as ecommerce have reduced check and cash usage.
- Many people have migrated from using cash and check to using payment cards so they can gain points and other benefits from card rewards programs.
- Online purchases of digital content such as games and music have brought about increases in micropayments.
We might surmise that increases in the number of payments in 2015 are also due to increases in household expenditures since 2000, though this is hard to quantify by number of payments. World Bank data show aggregated U.S. household consumption expenditures of $12.284 trillion and $6.792 trillion (in current dollars) in 2015 and 2000, respectively. Unlike the payments study data, these figures include both cash and noncash payments, and some of the expenditures are derived from imputed income related to high-ticket items such as purchases of homes and automobiles. With these caveats in mind, dividing these figures by the number of households during each of these years shows that the per-household expenditures in current dollars is about 52 percent higher in 2015 than it was in 2000. Not all of this gain came about from more payments—some payments may be higher ticket amounts than in previous periods due to luxury purchases.
What are your views on other factors contributing to the near doubling of monthly household noncash payments since 2000?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 23, 2017
ACH and Consumer-Only Payments: Will the Twain Ever Meet?
For many years, person-to-person (P2P) payment providers have touted the emergence of compelling P2P mobile-based products that exploit some combination of financial institutions (FIs) and fintech providers. Several players have made notable inroads into P2P with certain demographics and use cases, but the overall results in terms of absolute numbers are far from ubiquitous. This post uses hard numbers to explore what progress ACH has made with P2P payments.
During a payments conference earlier this year that showcased findings from the Fed's triennial payments study (here and here), the table below was presented showing the number and value shares of domestic network ACH payments in 2015. The table is complicated because it shows both debit pull and credit push payments by consumer and business counterparties. Despite the complexity, the table distills ACH to its essence by removing details associated with the 14 transaction payment types (known as Standard Entry Class codes) that carry value for domestic payments. Many of these individual codes reflect similar types of payments (for example, three codes are used for converting first presentment checks to ACH). As expected, virtually all payments involve at least one business party to each payment. Consumer-only payments are negligible.
In a typical use case for consumer-only ACH, a consumer transfers funds from one account to another account across financial institutions. As shown in the solid red oval, 0.04 percent of all domestic payments were consumer-to-consumer payments, where the payee initiated a debit to the payer's bank account. For consumer credit push payments, the figure is 0.3 percent. The combined figure rounds to 0.3 percent. On the value side for consumer-only payments (in the dashed red oval), debit pulls, credit pushes, and the combined figure were 0.02 percent, 0.2 percent, and 0.2 percent, respectively. These types of payments typically reflect P2P payments1, when one consumer pushes funds to another consumer.
The next table shows the figures that prevailed in 2012. Given the modest share by both number and value across both years, it is apparent—and interesting—that ACH has made little progress in garnering consumer-only payments. Although ACH is ubiquitous on the receipt side across all financial institutions, it is not so for consumers, given the lack of widely promoted and compelling service offerings from FIs and no standardized form factor like there is for card payments. Additionally, many small FIs do not offer ACH origination services.
This lack of adoption is not unique to ACH. Although some of the electronic P2P entrants are experiencing significant growth, it will be some time before they supplant the billions of P2P cash and check payments. P2P players on the FI-centric side include Zelle, which a large consortium of banks owns. Non-FI providers include PayPal and its associated Venmo service. Given the lack of ubiquity with the new offerings, the fallback option for consumer-only payments is cash and checks. As the payments study reports, check use is still declining, though the most recent trend shows that this decline has slowed. ACH or other electronic options still seem a good bet to continue to erode paper options, but perhaps the market is signaling that paper options have ongoing utility and are still preferred if not optimal for some users in some instances.
So what would it take for ACH to gain some traction in the consumer payments space? Perhaps the presence of same-day ACH, in which credits were mandated in September of 2016 and debits followed in September 2017, offers some opportunity for compelling service offerings coupled with a user-friendly way to send an emergency payment to your ne'er-do-well son.
What are your views on the viability of ACH garnering more P2P payments?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
1 Sometimes account-to-account (A2A) transfers are lumped in with P2P payments.
October 16, 2017
No Magic Bullet for Preventing Data Breaches
Much has been written about the Equifax data breach, including a Take On Payments piece several weeks ago. Since the announcement of the breach in early September, my LinkedIn timeline has been filled with articles and messages from sales and development professionals claiming that their technologies and solutions could have prevented the Equifax breach. Unfortunately, the weakest leak isn't a technology problem or issue. It is, and will continue to be, the human element.
Before I hear from the sales and development professionals I just referred to, let me say that I believe that technology does play an important role in mitigating data breaches. For example, statistics show that homes equipped with a security system—"hard targets"—are significantly less likely to be burglarized than homes without them—"soft targets." I suspect the same is true for companies and data breaches in that those who do a better job of securing their data with technology are harder targets than those who do not. However, technology is only one aspect of preventing data breaches—which brings us back to the human element.
We are the weakest link. We architect and program security systems with flaws. We fail to properly update software or install patches on a timely basis. We open suspicious attachments on emails. We sometimes visit dubious websites and click on suspicious ads or links. We divulge too much information over social media. We share sensitive information with people we think we know and who we think are friendly. And we are mistake- and accident-prone. Education does and will continue to help, but humans will continue to make mistakes and be accident-prone, thus data breaches will remain an ongoing problem.
The late, great musician Tom Petty said, "Music is probably the only real magic I have encountered in my life. There's not some trick involved with it. It's pure and it's real." While Petty's remark that music is probably the only real magic is debatable, there is no debating that data breach prevention has no magic bullet. Educating people remains critical, but, as is all too often the case, education also ends up falling short. As a risk expert, I really wish that I had the answer to preventing data breaches. Unfortunately, human actions trump any answers that I might have. Given the grim outlook for data breaches, it is imperative for companies and individuals to have a plan in place to minimize the damage when a data breach occurs.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 2, 2017
A Record-Breaking Season of Hurricanes and Data Breaches
I lived in the panhandle of Florida in 2005, during a record-breaking hurricane season. Four hurricanes that started in the Atlantic—including Katrina—reached Category 5 status that season. That disastrous hurricane season seemed unsurpassable. Yet hurricane Harvey and Irma set new records (both made first landfall in the United States as Category 4 hurricanes).
As Hurricane Irma made its destructive way across the Caribbean, a different kind of disaster was also setting records. On September 7, Equifax announced a data breach potentially affecting most U.S. adults. Could this year also prove to be a record-breaking year for data breaches? According to the Identity Theft Resource Center (ITRC), there are already 976 on the books. Breaches reached a record high of 1,093 in 2016—a substantial hike of 40 percent over the near-record high of 780 reported in 2015.
Truth be told, we can't be sure these data breach "records" are even accurate. Data breach notification laws vary by state in terms of definitions and standard reporting elements. Even the ITRC questions whether there actually are more breaches or the numbers have risen because more states are requiring public release of information on them.
The ITRC Breach Report is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. This list is updated daily and published each Tuesday. The ITRC has been tracking breaches since 2005, but only since 2010 has that tracking included the information that has been exposed. Even so, many notifications made available do not include what damages, or types of records, were at stake.
To that point, we don't understand the extent victims will suffer when, for example, card information is stolen along with Social Security numbers. We have yet to see standard data on how fraud trends morph when a certain type of data breach occurs. Lack of correlation could be a risk to consumers.
With data breaches, as with hurricanes, we can respond better if we know what is at stake. Is it time for states to adopt a uniform set of statutes regarding data breach notifications? What do you think?
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud