Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
March 26, 2018
Convenience Always Wins, In One Form or Another
My colleagues and I often write about the frustration that security professionals have that consumer convenience will almost always win over the adoption of more secure practices. We've seen this over the decades with poor password and PIN management and the often lackadaisical approach consumers take to keeping their payment devices safe and secure. This post will take a slightly different tack—it will explore the influence convenience has on the payment card issuance strategy of U.S. financial institutions (FI) and how convenience always seems to win, though sometimes in unexpected ways.
When the various mobile pay wallets were being launched, many observers speculated that they might be the beginning of the end for plastic payment cards. Some, presuming that mobile was a more convenient way to pay, opined that the day would come when FIs would have no reason to continue issuing cards since everyone was going to be using their phones. Although adoption has been increasing, the reality is that mobile payments at the point of sale have been slow to gain traction. Recently released results of a survey of FIs in seven of the Federal Reserve Bank districts revealed that 75 percent of respondents thought it would be at least three years before consumer adoption rates of mobile payments would exceed 50 percent; 40 percent said it would take five years or longer. Consumer surveys consistently indicate that consumers aren't adopting mobile payments because they find their plastic payment card more convenient. So for mobile devices, convenience still has a ways to go.
Some financial-institution-owned ATM operators, continuing efforts to provide alternatives to plastic cards, have recently begun supporting cardless ATM transactions. With this service, you use your FI's mobile banking application to set up or stage an ATM withdrawal, identifying the account and amount to be dispensed. The details of the various technologies differ, but they all work like this: you go to the FI's ATM, select the cardless ATM function, and use a smartphone to either scan a QR bar code or enter a one-time transaction code. (Sometimes you may have to use a PIN.) Nice and convenient! And you don't have to worry about damaged or forgotten cards, or getting your card skimmed. We'll have to wait to see how consumers react to this feature's convenience.
Some FIs currently issue, or plan to issue, dual interface cards when it's time for customers to replace their existing chip card. While costlier to the FI, the new cards include a contactless feature that allows an NFC-enabled terminal such as an ATM or point-of-service device to read the data on the chip when you pass the card within a couple of inches of the reader. Contactless transactions, which are quite popular in Canada and Europe and greatly desired by mass transit systems in the United States, are faster. And we all know that faster means more convenience—right? Like cardless ATM transactions, contactless offers some security benefits. But merchant terminal acceptance remains a concern, just as it has been for the various pay wallet applications.
So it seems that convenience comes in different forms, and it appears that many FIs are betting that, like currency and checks, the plastic payment card is going to be around for quite some time. Perhaps that is the best strategy: offer a wide range of options and let the customers decide for themselves which are the most convenient.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 19, 2018
Mobile Banking and Payments' Weakest Link: Me
What's the biggest hole in mobile banking security? As my colleague Dave Lott reported in January, bankers say it's consumers' lack of protective behavior when using mobile devices. That means you and me.
In response, financial institutions (FI) have implemented controls including inactivity timeouts and multifactor authentication, as noted in Mobile Banking and Payment Practices of U.S. Financial Institutions, which reported the findings of a 2016 Federal Reserve survey.
Baking these controls into mobile apps makes sense because research on consumer behavior suggests that expecting consumers to independently take steps to protect their accounts and data is not realistic. Take as one example: I co-wrote a paper with Joanna Stavins for the Boston Fed reporting the results of our investigation into consumers' responses to the massive Target data breach. We found that while consumers do react to reports of fraud, their reactions can be short-lived. In addition, consumers' opinions may change, but their behavior may not. In other words, considerations aside from security could take priority. (See also a report on the 2012 South Carolina Department of Revenue breach.)
Debit and credit card data for 40 million cards used in Target stores were stolen in late 2013. The breach was widely reported in the news media and caused many financial institutions to reissue cards. Because it was primarily a debit card breach, one might reasonably expect consumers to take a jaundiced view of debit cards after the breach.
And, indeed, that was the case. The Survey of Consumer Payment Choice was in the field at the time of the Target breach. Some consumers answered questions about the security of debit cards before the breach became public. Others answered after.
Consumers who rated card security after the breach rated debit cards more poorly relative to the average rating of the other payment instruments—cash, paper checks, ACH methods, prepaid cards, and credit cards. So in that sense, they reacted to the news.
One year later, consumers in 2014 rated the security of debit cards more poorly both relative to their ratings of other payment instruments and absolutely (that is, a greater percentage of consumers rated debit cards as risky or very risky). In contrast, compared to 2013, the absolute security ratings of cash improved. There was no change in the security ratings of credit cards.
The more important question: Did consumers change their behavior in response to this massive and widely reported data breach? The answer: not according to this survey data. There was no statistically significant change in consumers' method of payment mix in 2014. Debit cards remained the most popular payment instrument among consumers in 2014, accounting for almost one-third of their payments per month.
What does this mean for financial institutions? Realism about my willingness to take action is well placed. You can't count on me.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 12, 2018
Webinars Discuss Mobile Banking and Payments Survey Results
Earlier this year, I wrote a post highlighting some of the Mobile Banking and Payments Survey results that were consolidated from the seven Federal Reserve districts that conducted the survey: Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond. The 706 responding financial institutions gave us valuable information about their current and planned services as well as security features for their mobile banking and mobile payments products. (You can download a copy of the report from the Boston Fed's website.)
You can get a more detailed review of the survey findings when the Boston Fed's Payment Strategies Group conducts two webinars on March 21 and March 22.
Attendees will learn about:
- Current developments in mobile financial services
- Practices, products, and trends related to consumer mobile banking and payment services
- Financial Institution perspectives on mobile security, concerns, and mitigation tools
There is no charge for the webinars but you must register. To view both webinars, you must register for both. Select a link below, then click the Register button. After you have registered, you will receive a confirmation email with the access information.
REGISTER for Part I: Consumer Mobile Banking, Wednesday, March 21, 2018 at 2 p.m. (EDT)
REGISTER for Part 2: Consumer Mobile Payments, Thursday, March 22, 2018 at 2 p.m. (EDT)
Feel free to share this post with any of your colleagues who may wish to attend. If you have any questions about the webinars, please email email@example.com.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 5, 2018
Webinar to Explore Faster Settlement and Funds Availability
"I'd gladly pay you Tuesday for a hamburger today." Have you ever thought of this comical catchphrase, spoken by the character J. Wellington Wimpy in the long-running comic strip Popeye, when you hear conversations about faster payments? Hamburgers and jokes aside, there are important considerations for getting paid tomorrow for an agreement or exchange made today. That's why the main ingredient to faster payments is settlement.
Settlement provides the decisive transfer of funds between participants. In today's world, we want everything fast, especially money owed to us. A business that waits two to four days for an ACH transaction to process may be waiting too long. The ACH network has recently expedited settlement and now funds availability. Effective March 16, 2018, phase 3 of Same-Day ACH will roll out, making ACH funds availability faster than ever. However, there are still options and business cases that influence how services might be made available to participants. After all, a faster settlement is more than a credit risk discussion.
The Atlanta Fed's Retail Payments Risk Forum is hosting a Talk About Payments (TAP) webinar to discuss the new faster funds availability that Phase 3 of Same-Day ACH will usher in.
The TAP discussion will explore opportunities this faster payment option makes available, along with risk considerations. We encourage financial institutions, retailers, payments processors, law enforcement, academics, and other payments system stakeholders to participate. Participants will be able to submit questions during the webinar.
The TAP webinar—titled "A New Faster Payment Settlement"—will take place on Wednesday, March 14, from 1 to 2 p.m. (ET). Participation in the webinar is complimentary, but you must register in advance at the TAP webinar web page. After completing registration, you will receive a confirmation email with all the log-in and toll-free call-in information.
We hope you will join us for our next TAP webinar March 14.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Hiding in Plain Sight
- A New You: Synthetic Identity Fraud
- Card Fraud Values Often above Average
- A Look in the Rearview Mirror of Payments for 2018
- Building Blocks for the Sandbox
- Smaller FIs Weigh In on Mobile Financial Services
- In Payments, What I Say May Not Match What I Do
- Organizational Muscle Memory and the Right of Boom
- Remote Card Fraud: A Growing Concern
- Three Views of Noncash Payments Fraud
- January 2019
- December 2018
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- payments fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud