Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
October 28, 2019
Should We Throw in the Towel When It Comes to Data Breach Prevention?
We've all heard it said—we've probably, cynically, said it ourselves: "It's not a matter of if but when your company will be hit by a data breach." Reports about cyberattacks and network breaches fill my daily newsfeed with headlines on ransomware attacks, attacks on multifactor authentication, and 5G network vulnerabilities. For each new, better, stronger, faster solution the industry comes up with, criminals find a way to circumvent it in seemingly short order. Is there anyone whose personal information hasn't been stolen once, twice, five times? I've lost count of how many times I've received six months of free credit monitoring.
In today's world, is there any way for an organization to fully protect itself against the broad spectrum of ever-evolving threats and still have time, resources, and capital left over to conduct its everyday business? Or should we assume that breaches are a foregone conclusion, throw in the towel when it comes to prevention, and turn our focus instead to incident response?
According to Verizon's 2019 Data Breach Investigations Report, small businesses were frequent targets of breaches. (The report looked at incidents occurring from November 1, 2017, to October 31, 2018.) Other findings it reported: outside actors perpetrated 69 percent of breaches, 52 percent were the result of hacking, and it took months or longer to discover 56 percent of the incidents.
Last year, I wrote about committing to muscle memory your organization's plan for the right of boom. A Google search on "data breach response" returns pages of results with guides, resources, and services, but the midst of a cyber-event is probably not the best time to come up with a plan. Turns out, there's an app for that! At a recent fintech conference, I saw a demo of a dynamic breach response solution that turns response into a routine business process. The company likens its app to "an airbag for network breaches" and claims the tool helps organizations prepare for, detect, and respond to data breaches. Another company demonstrated a white-labeled application for financial institutions that aims to reduce post-breach fraud and identity theft of consumers through algorithmic risk assessments that produce recommendations for actions to take to mitigate these risks.
October is National Cybersecurity Awareness Month. It's a good time to review your own right of boom plan or take steps to implement one. One resource: the Department of Homeland Security's Cybersecurity Resources Road Map for small and midsize businesses.
While it is not hyperbole to assert that criminals will breach your organization's network, you should not throw in the towel or lower your defenses against such threats. Rather, you should avail yourself of technological innovations to support breach prevention and response preparedness so your organization can restore normal business operations as quickly as possible. What approach has your organization taken to adopting threat prevention and response preparedness?
October 21, 2019
Looking for Partners in Safer Payments
The Federal Reserve Bank of Atlanta is currently identifying financial technology companies (fintechs) involved in payments. Our goal is to build relationships with these companies so we can understand their issues and challenges.
The Federal Reserve's mission for payments is to ensure an effective and efficient system. In pursuing this mission, the Atlanta Fed focuses on the accessibility, integrity, and confidentiality of payments. We play a significant role in this mission by virtue of being an operator of ACH and check clearing as well as a payments researcher.
We are also at the center of an important regional hub of fintech activity. In Georgia, there are 120 fintech companies employing more than 38,000 workers. According to the Technology Association of Georgia, the top 20 Georgia-based fintech companies generate $72 billion in revenues annually, and 70 percent of all domestic card transactions flow through Georgia-based fintechs, earning this region the nickname of "Transaction Alley."
In addition, venture capital investment in fintech contributes to Atlanta being ranked as the 13th most important fintech hub in the world and fourth in the United States (behind San Francisco, New York, and Chicago), according to the University of Cambridge's 2018 Global Fintech Hub Index.
Given our expertise, our role in payments toward furthering the Federal Reserve’s mission, and our location, the Atlanta Fed, in partnership with fintech companies in Transaction Alley, has a unique opportunity to have a real impact on advancing safety in this innovative payments space.
Fintechs in payments aim to produce useful and profitable payments-related products and services but may lack awareness of consumer compliance and rights or the importance of development practices that culminate in safe and secure products and services. Our work will focus on safer payments innovation for payments used by consumers.
The Atlanta Fed is also interested in experimenting with innovative technology used by fintech companies where we believe the technology could solve our business problems or be beneficial to us. This experimentation will give us first-hand experience and deep knowledge of fintech-developed technology and therefore an understanding of the contribution and impact the technology has on the payments ecosystem.
Through this work, we hope also to advance economic mobility and resilience, another priority for the Atlanta Fed. Our desire is to engage fintechs with products or solutions that provide low-cost, accessible options to advance financial inclusion and improve consumers' financial health.
Together with the payments fintech industry, we can bring clarity regarding the impact of fintech solutions on the payments system. So we encourage the fintech payment innovators to partner with the Atlanta Fed to understand payments risk and create safer payments solutions.
Get in touch with me at Mary.Kepler@atl.frb.org to start the conversation.
October 15, 2019
The Range of Un-Friendly Fraud
My colleague Doug King recently penned a call to action in a Take On Payments post on friendly fraud. That post was the first we'd written about this issue in more than four years. But the feedback we received about the post echoed our concern that these disputes are becoming more frequent and expanding into new scenarios that clearly indicate that, at least to the merchant community, this type of fraud is anything but friendly.
Further research into this problem indicates a range of reasons for a cardholder to dispute a transaction. The spectrum runs from a well-intentioned misunderstanding to a premeditated effort to avoid paying for the goods or services. Below are some common friendly fraud scenarios.
Merchant description or error: A cardholder may be confused when a company descriptor in the transaction detail does not match the company name they are familiar with, so disputes a legitimate transaction. Sometimes this happens, as Doug described in his post, if a parent company name is used rather than the d/b/a name, which frequently occurs with online international transactions. Or sometimes the final transaction amount differs from the amount the cardholder thought he or she was supposed to pay because, for example, there was a miscalculation of sales tax or delivery charges. In most cases, the cardholder, upon seeing all the transaction details, remembers the transaction and withdraws the dispute.
Family usage: Family members sometimes use another family member's payment card without permission. For example, a child might use a parent's card to purchase online gaming credits or features, or a sibling might purchase gasoline, clothing, or something else. With ecommerce transactions, many merchants resort to "electronic fingerprinting" of the device used in the transaction to capture the device ID, IP address, and other details for further documentation. Hopefully, with this additional information provided to the cardholder, the cardholder will do some detective work to determine if the transaction should be honored.
Refunds or buyer's remorse: A cardholder with second thoughts about a nonrefundable purchase might deny that they made the transaction—perhaps a store's return policy deadline has passed or the cardholder just doesn't want the trouble of going through the refund process. To help combat this type of chargeback, the card brands all have "compelling evidence" chargeback documentation rules. These rules allow the merchant to provide additional documentation for certain disputes proving that the cardholder either participated in the transaction, actually received the goods or services, or benefited from the transaction. Merchants must be selective about which of these disputes to contest, depending on the transaction amount, the availability of supplemental evidence, and resource costs to collect and provide such evidence.
Criminal theft: A cardholder who understands the chargeback regulations may use them against a merchant, having purchased an item or service with no intention of making payment. The cardholder may falsely claim that goods were never delivered. Some colleagues and I recently spoke with a business owner who operates several casual dining restaurants. Because of a technology interoperability issue with the restaurant management software, the restaurant has not been able to implement EMV chip readers. The owner said that some patrons became aware of the absence of these readers and spread the word to others, to the point that the losses have become significant. Because of the EMV chip liability shift rules, the owner is considered noncompliant and has no defense against the chargebacks.
All these types of friendly fraud are almost impossible to detect upfront, especially those toward the more benign end of the range. For a merchant, having reasonable return policies and fully disclosing them and hiring exceptional customer service representatives will take them a long way with some of the disputes. But to defend themselves from the determined criminal, merchants' or card issuers' only recourse may be keeping a file listing cardholder accounts suspected of repeated friendly fraud claims.
What techniques do you think are most effective in combatting friendly fraud?
October 7, 2019
Payments Webinar October 10: Cash in the 21st Century
As I write this, I am drinking my morning cup of joe. For me, that means half caf/half decaf, then cut in half with microwaved nonfat milk. (Slurp.)
Day in, day out, I want it just that way. No sugar for me. Nonfat milk, not 2 percent. Black only when I open the door to an empty fridge.
Odds are, you're like me when it comes to coffee and payments. Your habits—and mine—are sticky. We've found something that works for us and—day in, day out—we take our coffees and choose to pay the same way. These are our preferences.
What happens when we change our minds about what we prefer? Shaun O'Brien at the San Francisco Fed has been looking into the relationship between our stated preferences for making in-person purchases and the payment instruments we use in the moment.
In an economic model that incorporates consumer demographics, household income, transaction characteristics, and the payee, Shaun finds that, over time, a change in stated preference eventually results in an increased probability of using a newly preferred payment instrument.
Note that word eventually.
For example, say I stated a preference for cash in 2016 and then switched to a stated overall preference for debit card in 2017. It might not be until 2018 that you would start to see a small change in my mix of payments, with relatively less use of cash and more of debit. Like a coffee habit, my preferred payments habit is slow to change. (Keep in mind that, as I have blogged previously, preference is one of a number of factors that are important, including, for example, what a payee is willing to accept.)
Whatever your morning beverage, I hope you'll join Shaun, the Atlanta Fed's Oz Shy, and me for the next Talk About Payments webinar, October 10, 2019.
We'll look at current data from the Survey and Diary of Consumer Payment Choice and new research—including Shaun's findings reported above—to investigate the 5 Ws and also the How of cash:
- WHAT is happening with cash?
- WHO uses cash?
- WHERE do consumers use cash?
- WHEN do consumers use cash?
- WHAT might cause cash users to switch to another payment method?
- HOW do consumers get cash?
This webinar is open to the public but you must register in advance to participate. (Registration is free.) You can register online. Once registered, you will receive a confirmation email with login and call-in information.
Date: Thursday, October 10, 2019
Time: 1–2 p.m. (ET)