Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
September 30, 2019
"Insuring" Ransomware Will Continue to Flourish
Making predictions is a dangerous game. More than two years ago, I predicted that 2017 and 2018 would be the Years of Ransomware. And while I am not willing to admit that I completely missed out on that prediction, it does appear to be a bit short-sighted. If I could go back to May 2017, I would also include 2019 in my prediction. According to the insurance firm Beazley, ransomware attack notifications from clients increased by 105 percent in the first quarter of this year compared to the first quarter of 2018, and the average ransom demand increased to $225,000 from $116,000 during the same period. My colleague Dave Lott wrote two blogs in July highlighting the changing nature of ransomware attacks and suggesting ways to avoid them or minimize their impact.
In just the few weeks since Dave's posts were published, ransomware attacks have continued to flourish. On August 16, 22 Texas municipalities and agencies were hit by an apparent coordinated attack. On August 26, a cloud management provider for the dental industry was stricken with ransomware, impacting approximately 400 of its dental clients. And over Labor Day weekend, a small Pennsylvania school district was attacked.
In both of his posts, Dave noted that law enforcement officials urge ransomware victims not to pay ransom because doing so encourages criminals to continue. Moreover, there is no guarantee that they will send the decryption keys. Ultimately, the decision of whether or not to pay a ransom lies with the organization that has been attacked and its unique situation. The ransom payment dilemma was recently featured in the Wall Street Journal's September 18 Cybersecurity Journal Reports section. Two cybersecurity experts debated whether or not cities affected by ransomware should succumb to the criminals' demands for payment.
But now an interesting twist in ransom payments has emerged: who is making the ransom payment, the attacked organization or an insurance company?
In his last ransomware blog, Dave wrote that entities should evaluate their "cybersecurity insurance policy in terms of its ransomware coverage." This brings us to an interesting question: Are insurers making ransom payments on behalf of their clients under cybersecurity insurance policies? The answer is yes. So this begs a couple of other questions: Will insurers paying ransoms on behalf of ransomware victims guarantee that ransomware attacks will continue? And could they lead to larger ransoms? I believe the answer to both questions is a resounding yes. It's not my place to debate whether or not insurers should be in the business of paying ransoms, but continuing the practice could cause ransomware attacks to continue to flourish.
September 23, 2019
Designing Disclosures to Be Read
Have you ever wondered if consumers actually look at disclosures for payment services? And if they do look at them, how much time do you think they spend reading them? If the average adult reads around 250 words per minute and a disclosure page contains 1,000 words—likely a low estimate—then a consumer would spend four minutes on the page before clicking accept or reject. I am confident that a more realistic estimate of time consumers spend on these pages falls far short of the time required to read the legally required consumer protection information. How many of us just click on the "I Accept" button without reading the disclosure? Maybe it's time to come up with a better way to disclose.
I believe that disclosures are one of the more dreaded elements in designing, launching, and managing financial services. If you haven't experienced the dread first hand, you can find evidence of it in the countless comment letters submitted by payments stakeholders and posted to the Federal Register when a proposed rule could affect disclosure terms. The work and expense of delivering disclosures at precisely the time required by law are completely wasted when consumers fail to read them.
The goal of disclosures is to educate consumers on a product's terms and conditions, to define their responsibilities, and to ultimately protect them from financial harm or surprises. With this information, consumers can make informed decisions. We should hope consumers comprehend and retain the critical information provided.
Opportunities exist to present important consumer protection information in ways that are far more easily digestible than a thousand-word disclosure in a four-point font. For instance, a gamification model could ask the consumer direct questions related to fees in pop-up windows with animated visual representations of the scenarios. You can brainstorm to come up with messages, jotting down quick ideas—for example, "You chose instant transfer, the fee is $1, Accept or Decline." Or, "Help us monitor your transactions daily, instant transfers will be $0, Accept or Decline." A large font and short words can quickly articulate the key points and big risks. Moreover, building the disclosure logic into the technology better protects the consumer.
Here's some good news—you now have the support of the Consumer Financial Protection Bureau (CFPB) to test your innovative solutions in making disclosures likelier to achieve their aim. The CFPB's Office of Innovation recently issued new policies to encourage innovation. For example, the office instituted a trial disclosure program and has committed to granting or denying applications for these trials within 60 days of submission. Accepted applicants will have up to two years to test their disclosures. They will also have access to state and global regulators through the CFPB's affiliation with the Federal Financial Institutions Examination Council, the Global Financial Innovation Network, and the newly formed American Consumer Financial Innovation Network.
Applicants and disclosures need not be company- or product-specific, although that is an option. Service providers, trade associations, consumer groups, or other third parties may also use the trial application program. Group applications could help spread trial disclosure development costs such that smaller entities would be able to afford to participate in the program. Such intention has been evidenced in the CFPB's Office of Innovation's first "No-Action Letter," issued to more than 1,600 HUD housing counseling agencies, stating that it will not take enforcement action with agencies that enter into "certain fee-for-service arrangements with lenders for pre-purchase housing counseling services."
Have you considered redesigning a payment product or service disclosure that consumers will be likelier to read? Apply to test it, and good luck!
September 16, 2019
Is There a Generation Gap in Cash Use?
How different are millennials from boomers in their reported payment habits, especially regarding their use of cash? New data from the Survey of Consumer Payment Choice, out this month, lets us look at age segments using the interactive charts accompanying the report.
For example, in 2018, consumers overall made 17 payments a month in cash. Drilling down, consumers aged 25 to 34—that is, millennials—used cash for 15 payments per month. Consumers 55 to 64—the boomers—used cash for 18 payments a month.
It's good to put these numbers in context. Here's a fact that surprised me: the younger group makes more total payments per month (73) than does the older group (67). That means that, as a percentage share of all payments, the difference by age is more pronounced:
- Millennials: 21 percent of their payments in cash
- Boomers: 27 percent of their payments in cash
The differences are similar when we look at paper checks, which the younger group used for 2 payments per month (3 percent of their payments) and the older group for 4 payments per month (6 percent).
You'll notice in the chart that payments instrument usage has been relatively stable for all the age groups since 2015.
Millennials' relatively lower use of cash doesn't mean, however, that the cashless society is going to arrive any time soon. In 2018, 85 of 100 consumers used cash in a typical month. And, in an analysis that incorporates a complete set of demographic variables plus income, differences by age could prove not so relevant. So, is there a generation gap in cash use? Yes. Does it mean the end of cash? No.
The charts at the website let you look at consumer payment choice by household income group and by the type of transaction. For example, you can examine how consumers' use of payment instruments is different for P2P payments than for bill payments. Check them out.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 9, 2019
What the Most Convenient Food Tells Us about Payments
I asked some friends to describe their most convenient food. The range of answers tells us how we think about convenience.
Some people think convenience implies flexibility:
- "Can be paired with peanut butter and even make a sandwich."
- "I can put it on a cracker, a slice of bread, or just eat it."
Some say convenience is situational:
- "Do you mean at home or in the car?"
- "It's portable."
- "Everyone in the family eats it, too."
Most say convenience means labor-free:
- "You can pick it up and eat right away."
- "All I have to do is eat it."
- "You need no tool."
- "Doesn't require any prep or even need washing."
This bunch of reasons mostly adds up to...drumroll, please...a banana (five votes of 11) or other fruit (two for apple). Other colleagues chose different foods (delivery pizza, candy bar, pasta, cheese) but often gave the same reasons as those who favored the fruits. That shows that convenience can be a slippery concept.
This is also the case when we talk about convenience and payments. The Survey of Consumer Payment Choice defines convenience as a mix of qualities: "speed, control over payment timing, ease of use, effort to carry, ability to keep or store." It's not just one factor that appeals. This question conforms to Merriam-Webster's definition of the term, which highlights "fitness" and "suitability."
The survey asks consumers to rate the convenience of payment instruments on a five-point scale. The payment instruments that are rated include cash, paper checks, debit cards, prepaid cards, credit cards, online banking bill payments, and bank account number payment (that is, when you provide your bank's routing number and your account number at a third-party website). From the collected responses a relative ranking is then calculated.
In every year from 2010 through 2018, debit cards and credit cards traded the top convenience ranking back and forth. Cash ranked third for convenience in all those years.
This ranking is important. Research shows that assessments of characteristics like convenience, setup, record keeping, and security matter for a consumer's choice to own a payment instrument or for his or her decision to use it. When we talk about "frictionless" payments, aren't we talking about convenience? Flexible, works anywhere, labor free—just like a banana.
In a New York Times opinion piece titled "The Tyranny of Convenience," Columbia professor Tim Wu wrote that "[p]articularly in tech-related industries, the battle for convenience is the battle for industry dominance." For the tech-related payment industry, I agree. Doug King recently wrote about the dominance of payment cards. Here's another indicator that cards, like bananas, are a long-lasting favorite.
The latest data from the Survey of Consumer Payment Choice provide detail on these rankings (Table 14 in the report).
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 3, 2019
Is Friction in Payments Always Bad?
Numerous posts in this blog have noted the conventional wisdom that the less friction there is for a consumer in making a payment, the likelier it is that the consumer will have a good experience. Merchants, especially ecommerce retailers, point to studies consistently showing that when customers are required, for stronger authentication, to enter more information than they're used to during a payment, the cart abandonment rate increases and merchants lose sales. I have learned from my own conversations with merchants that some have backed away from adding more risk management tools because they would rather take the financial loss from a fraudulent transaction than discourage an otherwise legitimate sale. This balancing act between reducing friction for the customer and reducing fraud risk to the merchant or payment card issuer is a constant challenge.
Many merchants have incorporated mobile devices' biometric authentication features into their mobile apps to keep the customer from having to provide additional authentication data. Some other vendors have recently developed risk mitigation and authentication tools that work completely in the background and give them more confidence that the individual conducting the transaction is legitimate. These tools range from behavioral analytics that rely on patterns of previous transactions—whether they're based on a specific customer or on a group of customers with a similar profile—to electronic device information, called device fingerprinting, that validates that the device being used is actually the customer's. The customer is unaware that these tools are being used and so experiences lower friction.
A new term being used for what is regarded as an improved payment experience is the invisible payment transaction. This happens when a payment is triggered automatically without any customer intervention at the time of the transaction. The best examples of invisible transactions are in the sectors of subscription or card-on-file services. Subscription services include any service where the customer has provided, for example, a payment card or deposit account for a transaction and authorized the merchant or service provider to make future payments using that account. Online retailers, rideshare services, and recurring payments for health clubs, parking garages, utility companies, and charitable organizations are all types of businesses that use subscription services. A relatively recent entrant in the invisible payment segment is the computer/camera monitored shopping experience at some retailers.
So do invisible payments mean we've achieved nirvana? While they certainly provide the lowest level of customer interaction, they also have some possible disadvantages. Consumer advocates are concerned about the impact such payments might have on an individual's budget management. What if they forget about a subscription payment, and when it's deducted from their account, it creates an overdraft or insufficient funds return? Will invisible payments result in increased spending by the consumer? And then there is the bother of updating a bunch of subscriptions if the consumer changes the funding account.
While research has shown that consumers see convenience as a positive factor, they also want to be confident that there is a security process that will make them less likely to be victims of fraud. Will we ever reach the place of total payments peace and happiness with the right balance of security and convenience? Please let us know what you think.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed