Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
November 9, 2020
Cheering on the Team—Go ACH!
Did you see the commercial during the last SuperBowl about ACH payment innovations? No? Me neither. Of course, that's because there wasn't one. In fact, it doesn't appear there needs to be public advertisements for ACH payments. Why? With value processed on the network having increased more than $1 trillion over the past seven years , ACH doesn't have to be a household name. What you do need to know is that there is lots of growth and innovation happening with ACH behind the scenes these days, and I am an ACH cheerleader.
According to Nacha, the organization responsible for administering the ACH network and its private-sector Operating Rules, the Automated Clearing House (ACH) network processed 34.7 billion transactions valued at $55.8 trillion in 2019. That's, respectively, 7.7 and 8.9 percent growth over 2018. That's also 47 times more than the combined 2019 net sales of Walmart, Amazon, Kroger, Costco, and Walgreens, which was $1.186 trillion, according to National Retail Federation rankings. As for the number of transactions, the total volume of U.S. ACH payments in 2019 translates to approximately 75 payments per person. Any way you count it, it's hard to deny that, as with a line of scrimmage, there's action around ACH.
Innovation, too, has been burgeoning. The Federal Reserve System's Retail Payments Office, which is located at the Atlanta Fed, is one of two ACH network operators, so we have a front row seat. We're seeing lots of fintech creation, including, for instance, mobile apps and voice-activated or conversational payments. Much of this innovation takes place through a democratic rule-making process, whereby stakeholder work groups study recommend opportunities for modernization. These groups have been extremely busy.
October 30 was the deadline for all depository financial institutions participating in the ACH Network to register their primary representative in the ACH Contact Registry. Nacha will maintain this database on behalf of registry members, making it easier for them to contact one another. For them to have fast access to live humans managing ACH operations can be critical, especially when mitigating time-sensitive fraud events such as business email compromise.
In the never-ending fight against fraud, three changes will take effect in 2021. First, Supplemental Fraud Detection for WEB Debits (WEB debits are also known as internet-initiated entries). With this change, ACH originators will be required to include account validation within a commercially reasonable fraudulent-transaction detection system for the first use of new account information. This validation will help block ineligible receivers. Second, security requirements for stored data will be enhanced. Third, a new return-reason code will be created for unauthorized returns, allowing financial institutions to immediately differentiate unintended mistakes from suspected fraud.
Next spring, another highly anticipated ACH change will occur. A new Same Day ACH processing window deadline of 4:45 p.m. goes live on March 19, 2021, which will expand access to same-day processing, especially beneficial to financial institutions in the Central, Mountain, and Pacific Time zones.
ACH was the very first payments system I studied, and I've been an ACH cheerleader ever since. I'm very excited for all the changes that are in play. And while my family and friends—well, most people for that matter—don't exactly celebrate the innovation wins with me, my payments teammates know how much work goes on around the ACH network to continue to make forward progress.
December 23, 2019
New Data Posted for Federal Reserve Payments Study
If you're looking for payments reading during the holidays, take a look at a new report, the Federal Reserve Payments Study 2019, which was published last Thursday on the Federal Reserve's website.
The report finds that growth in card and ACH payments has accelerated.Here are some key findings:
- The number of ACH credit and debit transfers grew by 6 percent a year between 2015 and 2018, exceeding the 4.9 percent per year growth rate recorded for the period from 2012 to 2015.
- Debit and credit card payments grew at an accelerated rate of 8.9 percent a year between 2015 and 2018, up from the 6.8 percent yearly rate of increase from 2012 to 2015.
- For general-purpose cards overall, the value of remote payments in 2018 nearly equaled that of in-person payments.
- More than half of in-person general-purpose card payments were chip-authenticated, up from 2 percent in 2015.
- Payments made by check fell 7.2 percent a year from 2015 to 2018.
The 2019 Federal Reserve Payments Study covers card (credit, non-prepaid debit, and prepaid debit), ACH, and check payments and ATM withdrawals. In these days of fintech and new ways to pay with a phone or fingerprint, these core noncash payment types are used not only in traditional ways but also to make possible alternative payment methods and services.
We look forward to continuing the payments conversation with you on January 6, 2020, when I will be challenging you to a game of pay-with-your-phone bingo.
November 25, 2019
We Are Thankful For...
Several years ago, I began the practice of making a list around Thanksgiving of things I am thankful for. I was pondering what I might include on my list this year while I was stuck in traffic behind an awful wreck I was thankful I wasn’t involved in. And then the idea hit me that maybe we at the Risk Forum should create our own list focused on what we are thankful for in payments.
To keep the list at proper blog length, I asked each Risk Forum member to name just one item. Without further ado, the Risk Forum presents to you our 2019 Thanksgiving week "What we are thankful for in payments" list.
- Nancy Donahue, project manager: I’m thankful that my debit card has only been breached once this year and although the criminal lived it up at several fast food restaurants and c-stores, it was less than $100 total and I got my money back!
- Claire Greene, payments risk expert: I am thankful that direct deposit lets me put my finances on autopilot. I’ve split my paycheck into different accounts: one for retirement, one for the mortgage, one for saving, and one for everyday expenses.
- Douglas King, payments risk expert: I am thankful for the ability to pay via self-checkout at my local grocery store and receive cash back when using my debit card.
Pictured from left: Jessica Washington, Douglas King, Nancy Donahue, Dave Lott, Catherine Thaliath, Julius Weyman; Not pictured: Claire Greene
- Dave Lott, payments risk expert: I am thankful for law enforcement and other security professionals who work diligently to protect the integrity of our payments system.
- Catherine Thaliath, project management expert: I am thankful for credit card rewards programs. It is nice to get rewarded with cash back or even a free plane ticket just by using your credit card for everyday purchases!
- Jessica Washington. payments risk expert: I am thankful for payments industry collaboration. This year I have seen improvements in fraud information sharing across stakeholders; partnerships between fintechs, financial institutions, and payment networks to promote financial inclusion; and working groups embracing emerging payment innovations.
- Julius Weyman, vice president and forum director: I am thankful that I can write a check where it makes sense; pay online where it makes sense; get paid via ACH (no choice in that, but wouldn’t choose otherwise); pull bills from a real wallet (not the fake kind) and pay that way, where it makes sense; and use a card (and get rewards), which almost always makes sense and is the one I use the most.
And we are thankful for YOU: our readers of Take On Payments and supporters of the Risk Forum. We sincerely appreciate your comments, kudos, and criticism, and hope that you all find value in the information we provide and share. As we enter into these crazy last weeks of 2019, we wish you and yours a wonderful holiday season.
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
How are you attacking this growing threat, and what are you doing to educate your employees and customers?