Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
November 19, 2018
Smaller FIs Weigh In on Mobile Financial Services
I have previously written several posts on the Sixth District's 2016 Mobile Banking and Payments Survey results as well as the consolidated results of the 2016 survey involving financial institutions (FIs) in the Atlanta Fed's district and six other Federal Reserve districts. Readers will recall that the primary goal of the survey was to allow the Federal Reserve and industry stakeholders to better understand the status of financial institutions' strategies with regard to mobile banking and payments products and services.
As a follow-up to this work, the Federal Reserve districts of Atlanta, Boston, Cleveland, Kansas City, Minneapolis, and Richmond conducted a "quick-hit" survey in June 2018 of the FIs that did not respond to the detailed 2016 survey. The survey consisted of just five questions pertaining to mobile financial service offerings. It also gathered some demographic data. A total of 565 FIs responded, representing an 11.7 percent response rate. You can find a report that the Payment Strategies Group at the Federal Reserve Bank of Boston prepared on the Boston Fed website.
As a group, the FIs responding to the 2018 survey were smaller in asset size than were respondents to the 2016 survey.
Some of the key takeaways in the report include:
- Of the 2018 respondents, 88 percent of banks and 81 percent of credit unions currently offer mobile banking services or plan to offer them by the end of 2018.
- Fifty-five percent of the respondents reported that more than 20 percent of their customers were active mobile banking users.
- Surprisingly, 14 percent of the respondents indicated they have no plans to offer mobile banking services. All but one of the FIs that have no plans to offer mobile banking had assets under $500 million. These FIs were almost evenly split between credit unions (33) and banks (36).
- Not tracking or being unwilling to reveal customer usage levels of mobile banking services remains an issue; 29 percent of the respondents did not answer the question. My opinion is that it's the latter reason, given that a standard reporting option of mobile banking systems is to be able to track enrollment and unique sign-on activity.
- Offerings of mobile payment services continue to lag significantly behind mobile banking. Of the 2018 responses, 57 percent currently offer or plan to offer them, while 43 percent have no plans to offer them or were undecided.
We will be conducting the detailed Mobile Banking and Payments survey in early 2019 and look forward to sharing the results with you.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 13, 2018
In Payments, What I Say May Not Match What I Do
How do you like to pay your bills? Perhaps you schedule bills to pay automatically by bank account number so you don't miss a due date. Or maybe you would rather review a paper statement and then mail a check.
By number, U.S. consumers report paying 4 in 10 bills by electronic means—for example, by using their online banking bill pay function or providing a bank account number at a biller's website. By dollar value, the practice of using electronic transactions to pay bills is also prevalent: about half of bill payments by dollar value are made using online banking bill pay or bank account number payment. These are among findings from the Diary of Consumer Payment Choice, a survey of U.S. consumers released in September of this year.
The diary also asks respondents how they prefer to pay bills, so we can look at how consumers' stated preferences compare to what they actually do in specific situations. It turns out that 36 percent of consumers prefer online banking bill pay or bank account number payment, and about the same percentage prefer either a debit card or credit card.
Keep in mind that 38 percent of bill payments and 36 percent of consumers are not comparable. Actual behavior is measured in percentage shares of transactions. Preferences are measured in percentage shares of consumers (about 2,900 U.S. adults responded to this nationally representative survey).
We can see, however, the transactions for which consumers deviate from their stated preferences for bill payments. Of the bill payments recorded in the 2017 DCPC, about half were made using the consumers' preferred payment instrument.
Why do we consumers deviate from what we say we prefer? Think of your own payment choices. You might be constrained by what is feasible. For example, you might prefer to pay most bills with a paper check but for bills you pay online, it's impossible to use paper payment instruments. Your choice could be limited by what the payee prefers to accept. For example, your plumber might prefer payment by cash or check. Or you might deviate from your preferred method to save money. For example, your local municipality might put a surcharge on card payments, so paying with your bank account number is less costly. Or, for larger bills, you might use a credit card to earn points.
To see more about how we consumers adjust our payment choices given the situation, take a look at the interactive charts detailing payment choice by dollar value, payment type, and remote or in-person payments, as reported in the 2017 Diary of Consumer Payment Choice.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 5, 2018
Organizational Muscle Memory and the Right of Boom
"Left of boom" is a military term that refers to crisis prevention and training. The idea is that resources are focused on preparing soldiers to prevent an explosion or crisis—the "boom!" The training they undergo in left of boom also helps the soldiers commit their response to a crisis, if it does happen, to muscle memory, so they will act quickly and efficiently in life-threatening situations.
The concept of the boom timeline has been applied to many other circumstances, as I can personally attest. More years ago than I will admit to, I was a teller and had to participate in quarterly bank-robbery training that focused on each employee's role during and immediately after a robbery. The goal was to help us commit these procedures to muscle memory so that when we were faced with a high-stress situation, our actions would be second nature. My training was tested one day when I came face-to-face with a motorcycle-helmet-wearing bank robber who leaped over the counter into the teller area. Like most bank robbers, he was in and out fast, but thanks to muscle memory, we were springing into action as soon as he was leaping back over the counter and running out of the branch.
This type of muscle memory preparation has also been applied to cybersecurity. Organizations commit significant human and capital resources to the left of boom to help prevent and detect threats to their networks. Unfortunately, cybersecurity experts must get things right 100 percent of the time while bad actors have to be right only once. So how do organizations prepare for the right of boom?
Recently, I had the opportunity to observe a right-of-boom exercise that simulated a systemic cyberbreach of the payments system. This event, billed as the first of its kind, was sponsored by P20 and held in Cambridge, Massachusetts. Cybersecurity leaders from the payments industry convened to engage in a war games exercise that was ripped from the headlines. The scenario: a Thanksgiving Day cyberbreach, the day before the biggest shopping day of the year, of a multinational financial services company that included the theft and online posting of 75 million customer records, along with a ransomware attack that shut down the company's computer systems. The exercise began with a phone call from a reporter asking for the company's response to the posting of customer records online—BOOM! Immediately, the discussion turned to an incident response plan. What actions would be taken first? Who do you call? How do you communicate with employees if your system has been overtaken by a ransomware attack? How do you serve your customers? At what point is the "in case of fire break glass" moment? In other words, has your organization defined what constitutes a crisis and agreed on when to initiate the crisis response plan?
An overarching theme was the importance of the "commander's intent," which reflects the priorities of the organization in the event of an incident. It empowers employees to exercise "disciplined initiative" and "accept prudent risk"—both principles associated with the military philosophy of "mission command"—so the company can return to its primary business as quickly as possible. In the context of a cyberbreach that has shut down communication channels within an organization, employees, in the absence of management guidance, can analyze the situation, make decisions, and then take action. The commander's intent forms the basis of an organization's comprehensive incident response plan and helps to create a shared understanding of organizational goals by identifying the key things your organization must execute to maintain operations.
Here is an example of a commander's intent statement:
Process all deposits and electronic transactions to ensure funds availability for all customers within established regulatory timeframes.
Having a plan in place where everyone from the top of the organization down understands their role and then practicing that plan until it becomes rote, much like my bank robbery experience, is critical today.
By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed