Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
August 26, 2013
Caution, Online Payday Lender Ahead
Payday lenders offer consumers short-term unsecured loans with high fees and interest rates. Payday loans—also referred to as deposit advance loans or payday advances—are a form of credit that some consumers may find appealing for a number of reasons, including an inability to qualify for other credit sources. The borrower usually pays the loan back on the next payday—hence the term "payday loan"—which means the underwriting process typically includes a history of payroll and related employment records.
A growing number of payday lenders operate their businesses virtually. Consumers can obtain loans and authorize repayment of the loans and fees during the same online session. In a typical online payday loan scenario, a borrower obtains a loan and provides authorization for the lender to send Automated Clearing House (ACH) debits to the consumer's account at a later date for repayment. The payday lender's bank can originate the debits through the ACH network. Wire transfer and remotely created checks may be other payment options.
Both state and federal regulators are currently focusing on the payday lending industry to protect consumers from illegal payday loans. Payday lending practices are usually regulated on the state level. Some states prohibit payday lending, while others require lenders to be licensed and to comply with maximum fees, loan amounts, and interest rate caps, among other restrictions. On the federal level, the Dodd-Frank Act has given the Consumer Financial Protection Bureau the authority to address deceptive and abusive practices by payday lenders.
Payday lenders' banks should consider all the risks involved with working with online payday lenders. And they should make sure to incorporate due diligence techniques and to become familiar with the available tools.
Reputation, reputation, reputation
First, there is reputational risk. A payday lender's bank should be aware that a business relationship—including ACH origination activity—with a company making illegal payday loans can damage the bank's image. Reputation can suffer even if the bank is not complicit in the illegal activities of its payday lender customer. But once a financial institution determines that facilitating payments on behalf of online payday lenders falls within its risk management model, it should ensure compliance with applicable laws and regulations. Providing periodic reports on ACH customers to the bank's board of directors is one way to facilitate review of whether these customers' activities remain within the bank's risk management model. It is critical that the bank protect its reputation, as that affects every part of its business.
The importance of know-your-customer practices
The payday lender's bank should also develop and follow adequate due diligence procedures. ACH rules require—and regulatory guidance advises—that banks perform "know your customer" (KYC) due diligence. KYC includes a variety of activities such as assessing the nature of the online payday lender's activities, setting appropriate restrictions on the types of entries and exposure limits for the lender, and monitoring origination and return activity.
Due diligence steps can include: 1) identifying the business's principal owners, 2) reviewing ratings for the business from the Better Business Bureau, consumer complaint sites, and credit service companies, and 3) determining if there have been recent legal actions against the business. A thoughtful review of the lender's website, including the terms of the consumer's authorization agreement as well as promotional materials, is advised. These due diligence practices during onboarding and on an ongoing basis for all merchants—including online payday lenders—help the bank with setting and enforcing appropriate restrictions for the customer and therefore mitigate the risk of the bank discovering a problem when it is too late.
Mitigating problems by being proactive
Banks can develop tools that flag potential problems in-house or obtain them from vendors, ACH operators, or NACHA. In addition, incorporating a process to monitor transactions and returns to identify anomalies can be very useful. An anomaly could, for example, be a sudden uptick in returns or an unusual increase in origination volume or average dollar amount. Detecting anomalies can be a trigger to conduct further research with a customer.
Other tools can be NACHA's originator watch list and vendor-terminated originator databases, which can help banks identify customers that may warrant additional scrutiny. Periodic audits can also be a useful tool to identify rules compliance issues.
For a bank, protecting its reputation is paramount when it is considering offering payment services to high-risk originators like online payday lenders. It should exercise caution, performing risk-based due diligence on new customers and then diligently monitoring current customers so it can identify problems early and address them proactively.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Caution, Online Payday Lender Ahead:
October 1, 2012
Summer Is Gone, but ACH Fraud Remains
As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.
In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.
Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:
- ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
- ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
- RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
- RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
- RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.
In addition to Deborah's suggestion, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.
The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Summer Is Gone, but ACH Fraud Remains:
August 20, 2012
Finding a Reasonable Definition of Commercially Reasonable
Corporate account takeovers have cost businesses millions of dollars over the last several years. According to 2011 congressional testimony of Gordon Snow, assistant director of the FBI's cyber division, the FBI was at that time investigating more than 400 reported cases of corporate account takeovers. These 400 cases involved the attempted theft of over $255 million, resulting in actual losses of approximately $85 million.
Corporate accounts are not offered the same protections as consumer accounts, which are protected from financial loss from online fraud through the Electronic Funds Transfer Act and Regulation E. Article 4A of the Uniform Commercial Code (UCC) states that as long as a bank adopts commercially reasonable security measures, its business customers are accountable for fraud losses arising from funds transfers. Unfortunately, Article 4A does not provide a definition for "commercially reasonable," which leaves the term open to interpretation.
A recent ruling by a court of appeals reveals one court's opinion on what is commercially reasonable versus unreasonable. Despite the bank's compliance with Federal Financial Institutions Examination Council (FFIEC) guidance, the court found in favor of the bank's customer. In accordance with the FFIEC guidance, the bank employed multifactor authentication and had the capacity to detect and stop possible fraud. However, the court still found the bank's security measures unreasonable due to two factors.
First, the bank failed to consider the circumstances of its customer's frequency and volume of ACH transactions when implementing security measures and developing security procedures. And second, it failed to monitor and provide notice of possible fraudulent transactions to the customer. A key takeaway from this court's opinion is that financial institutions must take a holistic approach to preventing and detecting fraud. Having the proper prevention and detection tools in place is just one aspect of a fraud mitigation strategy. Financial institutions should also have policies and procedures in place to effectively use their deployed resources and technology for the unique circumstances of each of their customers. Unfortunately, a "one-size-fits-all" approach does not work in the fraud prevention arena.
Though the court did not offer an opinion on the customer's obligations in this particular case, it did recognize that commercial customers also have "obligations and responsibilities" under Article 4A of the UCC. So, at least according to this court's opinion, the holistic approach to fraud prevention does not stop with the financial institution. Corporate customers must also incorporate systems and policies to prevent unauthorized access to its financial accounts and other sensitive documents. With corporate account takeover fraud showing no signs of slowing down, it is imperative that financial institutions and their corporate customers discuss each others' roles and obligations to effectively minimize their risks.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Finding a Reasonable Definition of Commercially Reasonable:
January 31, 2011
Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens
Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.
Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.
Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.
Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.
Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.
Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating these malwares include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may also already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.
Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and its corporate consumers to defend against cyber attacks.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 24, 2011
The future role of financial institutions in the domestic P2P environment
Although the use of online banking and online bill payment has flourished over the past decade, banks have yet to capitalize on the opportunity of the thriving online and mobile domestic person-to-person (P2P) transaction market. Online banking use more than doubled from 20 percent of households in 2000 to 53 percent in 2009, according to a December 2009 Javelin Strategy report (Multi-Channel Account-to-Account Transfers and P2P Payments Forecast: Evaluating Trends and Assessing the Future 2006–2014). Further, online bill payment usage has grown from 5 percent of households to 36 percent during the same time period. However, the traditional bank P2P methods of check, cash, and wire transfer continue to decline while online and mobile domestic transfers are expected to grow at a 9 percent compound annual growth rate, according to the Javelin Strategy report. As banks face continued downward pressure on revenues and intense competition from both new and existing players, the online and mobile P2P market represents a threat to banks' traditional check business. However, it also represents a potential opportunity for banks to offer a distinct service to their customers.
The expanding domestic P2P market
A 2009 TowerGroup report (Noncash P2P Payments: Checks in Decline Still Rule the Roost) estimates the U.S. noncash domestic transfer market at $1.1 trillion, composed of more than three billion transactions. Checks remain the dominant P2P means of settlement. However, the availability of the Internet to households, impressive growth of smartphones, exponential increases in consumer mobile data usage, and numerous mobile applications (especially for the iPhone) are creating a healthy environment for the growing online and mobile domestic transfer market in the United States. The Javelin Strategy report suggests nearly 44 percent of the 86 million online households made at least one online P2P transfer, up from 27 percent in 2008.
The online and mobile P2P market has been dominated by PayPal to date. However, payment processors, electronic card networks, and new emerging payment service providers have launched competing products over the last several years. PayPal and other service providers, such as CashEdge, Fiserv, FIS, and MasterCard, have each created products designed to integrate into banks' existing online and mobile channels. Although these products can be integrated into banking channels and the transactions are more convenient for consumers than a traditional bank wire or check transaction, the transaction is far from seamless. In order to use the online and mobile P2P products that banks currently offer, consumers must register not only with their bank but also with the bank's P2P service provider partner, which often requires them to submit their personal and banking account information. Adding further complications, completing the transaction may require the receiver of the payment, or the receiver’s bank, to have a relationship with the P2P provider that the payer uses.
Tapping the ACH network?
While it appears that the migration from paper checks to electronic forms of payment in the consumer-to-business market is crossing over to the P2P market, banks still have many hurdles to clear before they can capitalize on the P2P opportunity as online and mobile P2P payments become widespread. The P2P providers offer banks a solution that allows for quicker settlement than either checks or wire transfers, but the solution is still far from consumer-friendly. In order to provide banking consumers a friendlier P2P online and mobile service, banks could consider the development of a P2P solution that leverages the extensive ACH network in a manner similar to a person-to-business transaction. Much like mobile banking or bill payment, consumers could opt into the P2P service and transfer or receive funds between any banking institution on the ACH network without having to register with and provide confidential data to a third-party P2P service provider to access the service.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 13, 2010
Numbers don't back up fears about WEB and TEL
Recently, I got word that many banks, particularly small banks, may be bypassing the opportunity to market certain ACH origination services to their corporate customers because they are concerned about the underlying potential for fraud. In particular, banks may be holding back on offering debit origination services to companies selling services or accepting bill payments over the web or telephone. These are recognized as WEB or TEL entries in the parlance of ACH.
Certainly, conscientious, well-controlled financial institutions should be concerned about ensuring that they are not party to fraudulent transactions through the ACH. However, there is nothing inherently risky about WEB and TEL entries compared to any other types of transactions. In fact, in recent presentations, the NACHA-The Electronic Payments Association has revealed encouraging long-term trends with regard to a key statistic in sensing fraud: the level of unauthorized ACH returns.
WEB and TEL return data are favorable
Data collected from the Federal Reserve and the Clearing House Payments Company—the two ACH operators—and aggregated by NACHA show that the overall return rate for WEB transactions stands at 0.03 percent, or three transactions in every 10,000, as of the second quarter of 2010. Interestingly, this rate is actually slightly lower than the rate for all preauthorized debits—such as insurance premiums, car payments, and health club fees—which stands at 0.04 percent over the same period.
For TEL transactions, the rate is somewhat higher at 0.11 percent, or 11 returns for every 10,000 transactions. This higher rate may stem from the fact that a good percentage of TEL transactions flow from telemarketing activities that are sometimes fraudulent or sometimes characterized by "buyer's remorse." In contrast, Federal Reserve data show that return rates for check collection—a business generally thought to be safe by most banks—average something less than 1.0 percent. The point here is that data shows that ACH WEB and TEL transactions do not appear to be risky by common transaction processing measures.
Knowing the customer is still critical
As with all account relationships held by financial institutions, a small dose of due diligence can go a long way to help ensure that an institution does not engage with a fraudulent firm. This "know your customer" process, if applied regularly, can diminish any significant chance of experiencing ACH fraud for TEL transactions. For that matter, the same due diligence is necessary for remote deposit capture, remotely created check relationships, and credit card services. In addition, both the Federal Reserve and the Clearing House offer originating depository financial institutions ACH risk management and monitoring services that allow a bank to quickly detect any dangerous trends in unauthorized return experience. In fact, the Federal Reserve service allows originating financial institutions to reduce their risk exposure by establishing debit and credit origination limits on any of their corporate originators as part of their overall risk management program.
The only thing we have to fear...
It's possible that some of the concerns that small banks have regarding these transactions stem from recent news reports. Some corporations that have fallen victim to so-called account takeovers have accused their banks of not doing enough to help them detect fraudulent activity in their ACH-originated payroll files. As most professionals know by now, Internet-based criminals use the account takeover scheme to insert malware into a company's system through e-mail, spam, or some other vehicle. Banks are still wrestling with ways to help their clients monitor such files, and ACH operators do not have any specific services in place yet to help the banks do this. However, WEB and TEL transactions involve the origination of debit transactions, not credit transactions, as is generally the case with account takeovers.
Small banks may also not be originating WEB and TEL transactions simply because many smaller companies, utilities, manufacturers, and retailers are not yet offering web-based payment services. In essence, the market for selling such services is limited, but it's clear that over time more and more small companies will be able to offer these payment services and will be asking their banks to support ACH WEB and TEL originations. And really, given the data and controls noted above, "The only thing we have to fear is fear itself," to quote a famous president.
Marie Curie said it a little differently: "Nothing in life is to be feared. It is only to be understood." It is important to be risk-conscious, but it is also important to understand the available data and controls for informing decisions about ACH services that could represent opportunities to service a customer's changing needs better.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Numbers don't back up fears about WEB and TEL:
August 30, 2010
Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They're on the rise, but under control
NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.
In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.
Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.
Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.
ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.
Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and business is a move towards reducing fraud and risk in the ACH network.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 2, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
June 29, 2010
Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks
ACH volumes have grown rapidly over the past decade, as the network has expanded beyond prearranged, recurring payments between known and trusted parties to include converted checks and one-time transactions originated over the Internet or by telephone. New ACH services have heightened concerns about risk because of the potential associated growth in ACH returns for reasons such as insufficient funds, presentment to closed accounts, and unauthorized transactions, to name just a few. To gauge the level of risk in a financial institution’s ACH origination business, it may seem reasonable to use the rate of these returned items as a possible benchmark. If an ACH originator's return rate is consistently below the industry average, we should be confident that its ACH risk management practices are generally sound, shouldn't we?
Not necessarily, according to a new Federal Reserve study. The researchers—Olivier Armantier, Michele Braun, and Dennis Kuo of the New York Fed and Ron Feldman, Mark Lueck, and Richard Todd of the Minneapolis Fed—recently conducted a study using FedACH data to look at ways to improve the benchmarks used to monitor ACH returns to shed some light on today's ACH risk environment. The study held some interesting and noteworthy findings.
Average return rates are not necessarily a good benchmark for measuring risk
The Federal Reserve study shows that about 75 percent of all consumer debit originators were below the FedACH average for consumer debit return rates during spring 2006. This large percentage stems from the fact that the average is elevated by a small number of very large originators who also have higher return rates. Consequently, some originators who fall below the average may still have rates significant enough to deserve attention. In short, while average return rates are almost the only benchmark currently available, they do not provide the most effective proxy for assessing ACH return risk management.
Better benchmarks could be constructed
The Fed study illustrates how more informative benchmarks could be computed by exploiting the ACH transactions data. The authors used FedACH data on all consumer debit forward and return items originated for a period in mid-2006. By developing a methodology that matched about 90 percent of return items to their original forward item, they could tabulate rich sets of statistics, covering the whole distribution of ACH return rates, not just the average. Their analysis tabulates return rate distributions for several individual standard entry class (SEC) codes, as well as the overall distribution of ACH transaction types, leading to the following additional results:
- Size doesn't matter much. ACH return rates for small and large originators are not very different for most SEC codes. In fact, overall and for most types of consumer debits, the median small originator has a slightly lower return rate than the median large originator, when size is measured by deposits. Return rates were also not strongly related to the originating depository financial institution's volume of originations. Thus, it would be a mistake to read deposit size or institution size as a proxy for sophistication in managing the quality of ACH originations.
- TEL and WEB are both risky, but in different ways. The average return rates for both telephone-initiated transactions (SEC code TEL) and web-initiated transactions (SEC code WEB) were high relative to most other types of consumer debits, but in different ways. TEL risks were higher across the board, so that well-below-median TEL return rates were still high compared to typical consumer debit return rates. By contrast, most WEB originators experienced lower returns on WEB than on consumer debits generally. However, a minority of WEB originators with significant volumes and very high return rates pulled the average return rate for WEB somewhat above the average return rate of all consumer debits.
- Returns come fast and are mostly the result of insufficient funds. In mid-2006, more than 98 percent of all returns occurred within five days of origination, with more than 70 percent returned due to insufficient funds. For the small minority of returns that take more than five days, authorization issues predominate.
Better benchmarks can help banks manage ACH risk
Using and customizing the type of analysis done in the Fed study has the potential to help originating banks better understand risks and therefore more efficiently deter fraud. For example, both originating banks and bank regulators could analyze the distribution of return rates and reason codes by bank peer group to gain a better sense of an individual institution's risk management practices. At the broadest level, linking returns to forward items can efficiently provide a rich array of benchmarks to help originators better monitor their ACH returns and enhance the quality of information they provide to their boards of directors. Similarly, by going beyond the average return rate concept, regulators could use the approaches adopted in the Fed study to better supervise ACH originators, or industry associations could use them to improve industry standards. In short, the sun could be setting on the days of taking false comfort from the Lake Woebegonish achievement of a below-average return rate.
By guest blogger Richard M. Todd, vice president, Community Affairs and Banking and Policy Studies at the Minneapolis Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks:
March 8, 2010
Smooth landings for payments call for a checklist
This week's blog features an interview with Devon Marsh, senior vice president and treasury management risk manager at Wells Fargo Bank, N.A. We asked Devon about his thoughts on managing risk in electronic retail payments today.
Devon, retail payments are growing increasingly more complex, creating challenges for risk managers in financial institutions. We know that many of the traditional "tried and true" control processes can still be effective in today's changing environment and understand you are a proponent of compliance checklists as a primary risk management tool for your bank. Tell us a little more about why you value the checklist process.
In more than 1,000 landings as a naval aviator, I never once made a gear-up landing. I don't think I even came close to forgetting the landing gear, but I didn't take any chances. I used a checklist every time I landed. The checklist was necessary not because lowering the landing gear is difficult to remember—of course the gear needs to be down to land! It was necessary because any discrete task—even an important one—can be easy to forget. For this reason we see pilots use checklists all the time on television and in movies to ensure completion of important tasks. We even probably consider the use of checklists to be a defining characteristic of a cockpit environment. But aviation is not the only field in which people can benefit from checklists.
I recently read a new book titled The Checklist Manifesto, by Dr. Atul Gawande. Dr. Gawande is a surgeon and regular contributor to The New Yorker magazine. He has written two previous books based on the practice of medicine that provide useful lessons on risk management and process improvement. His new book offers compelling statistical evidence on how the use of simple checklists cuts down on critical errors.
A key example in The Checklist Manifesto recounts the development of a checklist to guide the procedure for inserting a central intravenous line in intensive care patients. The steps include elementary items such as handwashing. Because its content was so basic, the checklist was initially met with scorn by many practitioners. Nevertheless, consistent use of the checklist dramatically reduced central line infection rates and deaths in ICU wards where it was implemented.
This example seems particularly relevant in financial services since significant problems are often avoided through simple yet proactive control processes. Can you draw some parallels to a checklist that might be effective in ACH processing and describe how it might work?
That's right. Errors in payment processing seldom cost lives the way medical errors might, but they can be as costly as a lost or damaged aircraft. For this reason, I believe the checklist concept has great applicability for many of the risks we address in processing payments. For example, an electronic payment checklist for ACH might help payment originators comply with rules and regulations, avoid human errors, and reduce fraud. A basic electronic payment checklist might include 10 steps.
|Electronic Payment Checklist|
|1. Authenticate the receiver or requester.|
|2. Confirm validity of authorization.|
|3. Verify account number of receiver or beneficiary.|
|4. Verify routing number of receiver or beneficiary.|
|5. Confirm effective date of transaction.|
|6. Confirm payment-related information.|
|7. Confirm sufficient funds in funding account.|
|8. Obtain internal approval for transaction.|
|9. Initiate transaction.|
|10. Confirm transaction.|
Some of the steps are required by rule or by law, while others are simply necessary to route the transaction appropriately. When any one of the steps goes wrong, the resulting error decreases the efficiency of the payment process. It can even cause the entire transaction to be misrouted, possibly without an opportunity for recovery. The eighth step in this checklist is particularly important because it represents a traditional fraud mitigation method called "dual control." This traditional method has proven effective in mitigating the risk that outside entities will attempt to initiate or change a company's transactions by using the credentials of internal employees.
The final step in the checklist, confirming the transaction, is one that is frequently overlooked. It makes sure the financial institution receives the transaction that the initiator intended. This step is critical to ensure a payment has been positively handed off to the next participant in the processing flow.
It is interesting that such a simple control mechanism can still be effective. Why do you think some of the steps you’ve outlined in this checklist get overlooked?
Its utility rests on the fact that creating an ACH transaction involves a series of steps, any one of which can be missed or performed incorrectly. Consistent use of a checklist may help those who initiate payments to ensure each transaction complies with rules, is free of processing errors, and is received by the intended recipient. Financial institutions should consider sharing compliance checklists with customers who initiate payments through the ACH. In the world of payments, these are the elements of a smooth landing.
- Will Payments Be Getting REAL?
- Financial Solutions for the Younger Generation
- Encouraging Password Hygiene
- Should We Throw in the Towel When It Comes to Data Breach Prevention?
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud