Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
August 19, 2019
Why Should You Care about PSD2?
The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. PSD2 specifications were released by the European Banking Authority in November 2017 and require all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority had refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021 and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also indicated it will grant an extension, expected to be similar to the FCA's, but none had been announced as of this writing.
The PSD2 has two major requirements: offer open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018 while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.
Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:
- Something you know (for example, PIN or password)
- Something you have (for example, chip card, mobile phone, or hardware token)
- Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)
PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, authentication tokens linking the specific transaction amount and the payee's account number are an additional requirement.
The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:
- Low-value transactions (under €30, approximately $33)
- Transactions with businesses that the consumer identifies as trusted
- Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
- "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
- Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
- Business-to-business (B2B) payments
Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 12, 2019
At the Intersection of FinTech and Financial Inclusion
Technological innovation is booming, and many financial institutions and financial service providers, including mobile phone providers, are increasingly adopting financial technology, or fintech, to offer easier and faster payments to consumers. Consumers who have traditional banking services such as checking and savings accounts naturally have access to solutions such as online or mobile bill pay, account and P2P money transfers, and customized saving options. But what about the people who don't have a bank account?
According to the Federal Reserve's Report on the Economic Well-Being of U.S. Households in 2018, approximately 6 percent of adults do not have a bank account, and approximately 22 percent are either unbanked or underbanked (having a bank account but relying on alternative financial services). How does the payments industry make sure that, in the words of the World Bank, all "individuals and businesses have access to useful and affordable financial products and services that meet their needs"? How can the industry help boost financial inclusion, which is "a key enabler to reducing poverty and boosting prosperity" (also in the words of the World Bank)?
Join us for the Atlanta Fed's latest episode in our Talk About Payments webinar series on Thursday, August 22, from 1 to 2 p.m. (ET). A panel of payments experts will focus on how fintech aims to improve financial inclusion by giving people who are un- or underbanked access to the payments system. Panel members will also discuss current research on financial inclusion and programs intended to support economic mobility.
Panel members are:
- Dr. Sophia Anong, associate professor, financial planning, housing and consumer economics, University of Georgia
- Nancy Donahue, Federal Reserve Bank of Atlanta
- Catherine Thaliath, Federal Reserve Bank of Atlanta
Participation is free, but you must register in advance. After you've registered, you'll receive a confirmation email with the login and toll-free call-in information. We hope you and your colleagues will join us and be part of the discussion as we delve into the ways financial technology is helping to meet the needs of the underserved.
By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed
August 5, 2019
A Call to Action on Friendly Card Fraud and Loss?
I have recently had two conversations about the topics of friendly fraud and loss, one from a merchant's perspective and another from a financial institution's issuer perspective. Friendly fraud is often used interchangeably with first-party fraud, as was the case in the conversations, but they are quite different. First-party, sometimes called "bust-out," fraud occurs when an individual applies for and receives a loan or credit line with no intention of ever making a payment. (The term "bust-out" comes from when the individual maxes out the credit, getting as much "free" stuff as possible and making no plans to pay.) First-party fraud is generally considered credit fraud and not payment fraud.
Friendly fraud occurs when a cardholder disputes a transaction that the cardholder never intended to pay for, even though products or services were properly rendered. Sometimes cardholders dispute legitimate transactions that they honestly do not recognize or remember—think of an annual recurring charge that might slip a cardholder's mind, or a statement that shows the parent company's name rather than the more easily recognized d/b/a store name. If the resolution of such a dispute leaves either the merchant or the issuer absorbing the cost, that is not true payment card fraud and should be classified as a loss rather than as fraud.
The two conversations were clearly around friendly fraud and loss situations that are transaction fraud rather than credit account fraud. Both the merchant and financial institution claimed that friendly fraud and loss transactions are growing rapidly yet are not necessarily being properly captured or categorized. One of the organizations even went so far as to suggest that third-party card fraud is being greatly overstated because a significant portion of that fraud is actually friendly fraud and loss, and this mismeasurement is directing fraud discussions and mitigation decisions away from creating ways to better identify and mitigate friendly card fraud and loss.
So I issue a call to action for Take on Payments readers with multiple questions:
- What is your experience with friendly fraud and loss?
- Are you able to track these independently of third-party fraud?
- If so, are you seeing growth in friendly fraud and loss, as the merchant and financial institution stated was happening?
- What's the driving force in the friendly fraud and loss that you are experiencing?
- Does this particular fraud warrant more discussion by the industry, and in particular the Risk Forum, as it has not been an area of focus of ours relative to third-party card fraud?
Feel free to email me at email@example.com or use the comment button below. I would greatly value your thoughts on this topic.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed