About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

September 23, 2019


Designing Disclosures to Be Read

Have you ever wondered if consumers actually look at disclosures for payment services? And if they do look at them, how much time do you think they spend reading them? If the average adult reads around 250 words per minute and a disclosure page contains 1,000 words—likely a low estimate—then a consumer would spend four minutes on the page before clicking accept or reject. I am confident that a more realistic estimate of time consumers spend on these pages falls far short of the time required to read the legally required consumer protection information. How many of us just click on the "I Accept" button without reading the disclosure? Maybe it's time to come up with a better way to disclose.

I believe that disclosures are one of the more dreaded elements in designing, launching, and managing financial services. If you haven't experienced the dread first hand, you can find evidence of it in the countless comment letters submitted by payments stakeholders and posted to the Federal Register when a proposed rule could affect disclosure terms. The work and expense of delivering disclosures at precisely the time required by law are completely wasted when consumers fail to read them.

The goal of disclosures is to educate consumers on a product's terms and conditions, to define their responsibilities, and to ultimately protect them from financial harm or surprises. With this information, consumers can make informed decisions. We should hope consumers comprehend and retain the critical information provided.

Opportunities exist to present important consumer protection information in ways that are far more easily digestible than a thousand-word disclosure in a four-point font. For instance, a gamification model could ask the consumer direct questions related to fees in pop-up windows with animated visual representations of the scenarios. You can brainstorm to come up with messages, jotting down quick ideas—for example, "You chose instant transfer, the fee is $1, Accept or Decline." Or, "Help us monitor your transactions daily, instant transfers will be $0, Accept or Decline." A large font and short words can quickly articulate the key points and big risks. Moreover, building the disclosure logic into the technology better protects the consumer.

Here's some good news—you now have the support of the Consumer Financial Protection Bureau (CFPB) to test your innovative solutions in making disclosures likelier to achieve their aim. The CFPB's Office of Innovation recently issued new policies to encourage innovation. For example, the office instituted a trial disclosure program and has committed to granting or denying applications for these trials within 60 days of submission. Accepted applicants will have up to two years to test their disclosures. They will also have access to state and global regulators through the CFPB's affiliation with the Federal Financial Institutions Examination Council, the Global Financial Innovation Network, and the newly formed American Consumer Financial Innovation Network.

Applicants and disclosures need not be company- or product-specific, although that is an option. Service providers, trade associations, consumer groups, or other third parties may also use the trial application program. Group applications could help spread trial disclosure development costs such that smaller entities would be able to afford to participate in the program. Such intention has been evidenced in the CFPB's Office of Innovation's first "No-Action Letter," issued to more than 1,600 HUD housing counseling agencies, stating that it will not take enforcement action with agencies that enter into "certain fee-for-service arrangements with lenders for pre-purchase housing counseling services."

Have you considered redesigning a payment product or service disclosure that consumers will be likelier to read? Apply to test it , and good luck!

September 23, 2019 in consumer protection, financial technology, fintech, payments innovation, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 3, 2019


Is Friction in Payments Always Bad?

Numerous posts in this blog have noted the conventional wisdom that the less friction there is for a consumer in making a payment, the likelier it is that the consumer will have a good experience. Merchants, especially ecommerce retailers, point to studies consistently showing that when customers are required, for stronger authentication, to enter more information than they're used to during a payment, the cart abandonment rate increases and merchants lose sales. I have learned from my own conversations with merchants that some have backed away from adding more risk management tools because they would rather take the financial loss from a fraudulent transaction than discourage an otherwise legitimate sale. This balancing act between reducing friction for the customer and reducing fraud risk to the merchant or payment card issuer is a constant challenge.

Many merchants have incorporated mobile devices' biometric authentication features into their mobile apps to keep the customer from having to provide additional authentication data. Some other vendors have recently developed risk mitigation and authentication tools that work completely in the background and give them more confidence that the individual conducting the transaction is legitimate. These tools range from behavioral analytics that rely on patterns of previous transactions—whether they're based on a specific customer or on a group of customers with a similar profile—to electronic device information, called device fingerprinting, that validates that the device being used is actually the customer's. The customer is unaware that these tools are being used, so experiences lower friction.

A new term being used for what is regarded as an improved payment experience is the invisible payment transaction. This happens when a payment is triggered automatically without any customer intervention at the time of the transaction. The best examples of invisible transactions are in the sectors of subscription or card-on-file services. Subscription services include any service where the customer has provided, for example, a payment card or deposit account for a transaction and authorized the merchant or service provider to make future payments using that account. Online retailers, rideshare services, and recurring payments for health clubs, parking garages, utility companies, and charitable organizations are all types of businesses that use subscription services. A relatively recent entrant in the invisible payment segment is the computer/camera monitored shopping experience at some retailers.

So do invisible payments mean we've achieved nirvana? While they certainly provide the lowest level of customer interaction, they also have some possible disadvantages. Consumer advocates are concerned about the impact such payments might have on an individual's budget management. What if they forget about a subscription payment, and when it's deducted from their account, it creates an overdraft or insufficient funds return? Will invisible payments result in increased spending by the consumer? And then there is the bother of updating a bunch of subscriptions if the consumer changes the funding account.

While research has shown that consumers see convenience as a positive factor, they also want to be confident that there is a security process that will make them less likely to be victims of fraud. Will we ever reach the place of total payments peace and happiness with the right balance of security and convenience? Please let us know what you think.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 3, 2019 in consumer protection, fintech, innovation, mobile banking | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 19, 2019


Why Should You Care about PSD2?

The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. PSD2 specifications were released by the European Banking Authority in November 2017 and requires all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority had refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021, and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also granted an extension that is expected to be similar to the FCA's, but one has not been announced as of this writing.

The PSD2 has two major requirements: offer open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018 while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.

Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:

  • Something you know (for example, PIN or password)
  • Something you have (for example, chip card, mobile phone, or hardware token)
  • Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)

PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, authentication tokens linking the specific transaction amount and the payee's account number are an additional requirement.

The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:

  • Low-value transactions (under €30, approximately $33)
  • Transactions with businesses that the consumer identifies as trusted
  • Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
  • "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
  • Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
  • Business-to-business (B2B) payments

Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 19, 2019 in authentication, banks and banking, consumer protection, fraud, Payment Services Directive, PSD2 | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 3, 2019


Hitting the Brakes on the Cashless Society

"Reverse ATMs" is a term I learned from reading my colleague Oz Shy's new working paper, "Cashless Stores and Cash Users." At venues that don't accept cash at the register, the patron puts cash into the reverse ATM and a loaded prepaid card comes out. Mercedes-Benz Stadium in Atlanta, for example, is one of the latest venues to adopt this practice.

Speaking of "reverse," I'm sure you know that some states and municipalities are seeking to reverse what may—or may not—be a trend toward brick-and-mortar retailers not accepting cash. Refusing to accept cash has been illegal in Massachusetts, where I live, since 1978. More recent developments:

  • Philadelphia will ban cashless stores beginning in July.
  • In March, New Jersey outlawed cashless restaurants and stores.
  • In May, the San Francisco Board of Supervisors voted to require brick-and-mortar businesses to accept cash.
  • Also in May, Representative David Cicilline (D-RI) introduced the Cash Buyer Discrimination Act, which would require businesses all across the United States to accept cash.

These and other proposed laws are predicated on the idea that people without access to payment cards or digital payments are harmed when they cannot make purchases using their payment instrument of choice: cash. Oz's paper adds to the conversation by examining the choices consumers make at the point of sale, depending on their access to different ways to pay.

Using data from the 2017 Diary of Consumer Payment Choice, Oz found that consumers who own different mixes of payment instruments use cash with different intensity to make in-person purchases:

  • Diary respondents who own neither a credit card nor a nonprepaid debit card made almost 9 in 10 of their in-person payments with cash, on average. The median share of cash purchases was 100 percent.
  • Diary respondents who own at least one credit card and one nonprepaid debit card make about one-third of their in-person payments with cash, on average. The median share was 20 percent.

Oz goes on to calculate the cost to the cash payers who do not have credit or nonprepaid debit cards of switching from cash to a prepaid card. He finds that, all things being equal, for some consumers, using cash would have to cost twice as much as using a prepaid card for the cash users to be indifferent to switching. Oz's conclusion: "A complete transition to cashless stores imposes a measureable burden on consumers who do not have credit or [nonprepaid] debit cards." For perspective, 8.5 percent of respondents with household income below the U.S. median ($61,000) did not have a credit card or nonprepaid debit card in 2017, according to the diary.

As this research shows, cash is important to some consumers. The cashless society could be on a collision course with reality.

June 3, 2019 in cards, consumer protection, credit cards, currency | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 29, 2019


Next-Gen Security

In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.

I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of “personal financial security” played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:

  • The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
  • The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
  • In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.

I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payments cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).

When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.

What is your bank doing to educate the next gen of security ninjas?

April 29, 2019 in consumer fraud, consumer protection, cybersecurity, identity theft, payments fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 15, 2019


For Customer Education, Map Out the Long Journey

Financially savvy consumers are good customers for financial services. They save for retirement and pay back loans. Those are among the findings of research looking into the effects of formal financial education. And, as readers of this blog already know, customer education is central to risk management.

Using data from the National Financial Capability Study, researchers at the University of Nebraska found that financial education encouraged positive behaviors in the long run, such as saving for retirement or setting up an emergency fund. For short-run behavior, which the researchers defined as tasks that "give continual feedback," the evidence was mixed. They hypothesized that, in the short run, people learn good behavior better from getting negative feedback like late fees.

A paper by researchers at the Federal Reserve Board looked at three states (including Georgia, Idaho, and Texas) that began requiring financial education in 2007. Students in school after the requirement was implemented had higher relative credit scores and lower relative loan delinquencies than young people in bordering states without financial education. The effects lasted for four years after high school graduation. Among the goals of the Georgia curriculum is one that says students should be able to "apply rational decision making to personal spending and saving choices" and "evaluate the costs and benefits of using credit." Through age 22, the researchers found that the students who studied personal finance were better off than peers who had not, as measured by relative credit scores and delinquency rates.

What this means: if I learn in middle school that cost should factor into college choice, perhaps I'll decide to take on less student loan debt when it's time to choose a college. If one of my college professors stresses the importance of saving for retirement, perhaps I'll be more likely to make sure I participate in my employer's 401(k) and qualify for its full match. If I receive regular reminders about phishing attacks, perhaps I would be less likely to reply to or open a link in a phishy email.

April is Financial Literacy Month. For parents, teachers, and financial institutions, it's encouraging to know that split-second timing is not necessarily critical to effective financial learning. Financial education need not be delivered at life's crossroads, but everyone should have an overview of the route before getting on the road.

Finally, let me share some tips:

  • For parents of young children: Use these parent Q & A resources during story time. They are designed to help you talk about the importance of making careful decisions when saving versus spending and other personal finance topics related to their daily lives.
  • For teachers: The Federal Reserve Bank of Atlanta offers professional development programs for teachers, designed to enhance classroom instruction of economics and personal finance, including a free webinar on April 16, "Personal Finance Basics: Classroom Resources."

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

April 15, 2019 in consumer protection, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 11, 2019


AI and Privacy: Achieving Coexistence

In a post early last year, I raised the issue of privacy rights in the use of big data. After attending the AI (artificial intelligence) Summit in New York City in December, I believe it is necessary to expand that call to the wider spectrum of technology that is under the banner of AI, including machine learning. There is no question that increased computing power, reduced costs, and improved developer skills have made machine learning programs more affordable and powerful. As discussed at the conference, the various facets of AI technology have reached far past financial services and fraud detection into numerous aspects of our life, including product marketing, health care, and public safety.

In May 2018, the White House announced the creation of the Select Committee on Artificial Intelligence. The main mission of the committee is "to improve the coordination of Federal efforts related to AI to ensure continued U.S. leadership in this field." It will operate under the National Science and Technology Committee and will have senior research and development officials from key governmental agencies. The White House's Office of Science and Technology Policy will oversee the committee.

Soon after, Congress established the National Security Commission on Artificial Intelligence in Title II, Section 238 of the 2019 John McCain National Defense Authorization Act. While the commission is independent, it operates within the executive branch. Composed of 15 members appointed by Congress and the Secretaries of Defense and Commerce—including representatives from Silicon Valley, academia, and NASA—the commission's aim is to "review advances in artificial intelligence, related machine learning developments, and associated technologies." It is also charged with looking at technologies that keep the United States competitive and considering the legal and ethical risks.

While the United States wants to retain its leadership position in AI, it cannot overlook AI's privacy and ethical implications. A national privacy advocacy group, EPIC (or the Electronic Privacy Information Center), has been lobbying hard to ensure that both the Select Committee on Artificial Intelligence and the National Security Commission on Artificial Intelligence obtain public input. EPIC has asked these groups to adopt the 12 Universal Guidelines for Artificial Intelligence released in October 2018 at the International Data Protection and Privacy Commissioners Conference in Brussels.

These guidelines, which I will discuss in more detail in a future post, are based on existing regulatory guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. They call out that any AI system with the potential to impact an individual's rights should have accountability and transparency and that humans should retain control over such systems.

As the strict privacy and data protection elements of the European Union's General Data Privacy Regulation take hold in Europe and spread to other parts of the world, I believe that privacy and ethical elements will gain a brighter spotlight and AI will be a major topic of discussion in 2019. What do you think?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2019 in consumer protection, emerging payments, fintech, innovation, privacy, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 7, 2019


A New You: Synthetic Identity Fraud

With the start of the new year, you may have resolved to make a change in your life. Maybe you've even gone so far as to pledge to become a "new you." But someone may have already claimed that "new you," stealing your credentials and using them to create a new identity. Identity theft is a growing problem, resulting in millions of dollars in damage around the world. And now there is a modern twist to this old and costly problem: synthetic identity fraud. Panelists at a forum convened by the Government Accountability Office (GAO) define this problem as a "crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers and names, to create identities with which they may defraud financial institutions, government agencies, or individuals." (Read forum highlights on the GAO website.) According to the U.S. Federal Trade Commission, synthetic identity fraud is the "fastest growing and hardest to detect" form of identity theft.

This graphic from the GAO illustrates how this type of identity fraud differs from what we have traditionally defined as identity theft.

GAPSIF

As this image shows, in traditional identity fraud, the criminal pretends to be another (real) person and uses his or her accounts. In synthetic identity fraud, the criminal establishes a new identity using a person's real details (such as social security number), combining this information with fictitious information to create a new credit record.

The challenge for the payments industry is determining whether an identity is planted or legitimate. For example, parents with excellent credit histories sometimes add their children to their existing credit accounts to give their children the benefit of their positive financial behavior. This action allows the children to kick-start their own credit records. Similarly, a criminal could plant a synthetic identity in an existing credit account and from there build a credit history for this identity. (In many cases, the criminal works for years on building a strong credit history for that false identity before "cashing out" and inflicting financial damages on a large scale.)

So what can consumers do to protect themselves? Here are some simple ways to make it harder for a thief to steal your personal information:

  • Shred documents containing personal information.
  • Do not provide your social security number to businesses unless you absolutely have to.
  • Use tools that monitor credit and identity usage.
  • Freeze your credit account as well as that of any of your minor children.
  • Check your accounts regularly to ensure that all transactions are legitimate and report any suspicious activity immediately.

Staying informed about synthetic identity fraud tactics and taking these steps to protect yourself can help you get one step closer to (preventing) "a new you."

Photo of Catherine Thaliath By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed

January 7, 2019 in authentication, consumer fraud, consumer protection, data security, fraud, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 5, 2018


Organizational Muscle Memory and the Right of Boom

"Left of boom" is a military term that refers to crisis prevention and training. The idea is that resources are focused on preparing soldiers to prevent an explosion or crisis—the "boom!" The training they undergo in left of boom also helps the soldiers commit their response to a crisis, if it does happen, to muscle memory, so they will act quickly and efficiently in life-threatening situations.

Image-one

The concept of the boom timeline has been applied to many other circumstances, as I can personally attest. More years ago than I will admit to, I was a teller and had to participate in quarterly bank-robbery training that focused on each employee's role during and immediately after a robbery. The goal was to help us commit these procedures to muscle memory so that when we were faced with a high-stress situation, our actions would be second nature. My training was tested one day when I came face-to-face with a motorcycle-helmet-wearing bank robber who leaped over the counter into the teller area. Like most bank robbers, he was in and out fast, but thanks to muscle memory, we were springing into action as soon as he was leaping back over the counter and running out of the branch.

This type of muscle memory preparation has also been applied to cybersecurity. Organizations commit significant human and capital resources to the left of boom to help prevent and detect threats to their networks. Unfortunately, cybersecurity experts must get things right 100 percent of the time while bad actors have to be right only once. So how do organizations prepare for the right of boom?

Recently, I had the opportunity to observe a right-of-boom exercise that simulated a systemic cyberbreach of the payments system. This event, billed as the first of its kind, was sponsored by P20 and held in Cambridge, Massachusetts. Cybersecurity leaders from the payments industry convened to engage in a war games exercise that was ripped from the headlines. The scenario: a Thanksgiving Day cyberbreach, the day before the biggest shopping day of the year, of a multinational financial services company that included the theft and online posting of 75 million customer records, along with a ransomware attack that shut down the company's computer systems. The exercise began with a phone call from a reporter asking for the company's response to the posting of customer records online—BOOM! Immediately, the discussion turned to an incident response plan. What actions would be taken first? Who do you call? How do you communicate with employees if your system has been overtaken by a ransomware attack? How do you serve your customers? What point is the "in case of fire break glass" moment, meaning, has your organization defined what constitutes a crisis and agreed on when to initiate the crisis response plan?

An overarching theme was the importance of the "commander's intent," which reflects the priorities of the organization in the event of an incident. It empowers employees to exercise "disciplined initiative" and "accept prudent risk"—both principles associated with the military philosophy of "mission command"—so the company can return to its primary business as quickly as possible. In the context of a cyberbreach that has shut down communication channels within an organization, employees, in the absence of management guidance, can analyze the situation, make decisions, and then take action. The commander's intent forms the basis of an organization's comprehensive incident response plan and helps to create a shared understanding of organizational goals by identifying the key things your organization must execute to maintain operations.

Here is an example of a commander's intent statement:

Process all deposits and electronic transactions to ensure funds availability for all customers within established regulatory timeframes.

Having a plan in place where everyone from the top of the organization down understands their role and then practicing that plan until it becomes rote, much like my bank robbery experience, is critical today.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

 

November 5, 2018 in consumer protection, cybercrime, cybersecurity | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 10, 2018


The Case of the Disappearing ATM

The longtime distribution goal of a major soft drink company is to have their product "within an arm's reach of desire." This goal might also be applied to ATMs—the United States has one of the highest concentration of ATMs per adult. In a recent post, I highlighted some of the findings from an ATM locational study conducted by a team of economics professors from the University of North Florida. Among their findings, for example, was that of the approximately 470,000 ATMs and cash dispensers in the United States, about 59 percent have been placed and are operated by independent entrepreneurs. Further, these independently owned ATMs "tend to be located in areas with less population, lower population density, lower median and average income (household and disposable), lower labor force participation rate, less college-educated population, higher unemployment rate, and lower home values."

This finding directly relates to the issue of financial inclusion, an issue that is a concern of the Federal Reserve's. A 2016 study by Accenture pointed "to the ATM as one of the most important channels, which can be leveraged for the provision of basic financial services to the underserved." I think most would agree that the majority of the unbanked and underbanked population is likely to reside in the demographic areas described above. One could conclude that the independent ATM operators are fulfilling a demand of people in these areas for access to cash, their primary method of payment.

Unfortunately for these communities, a number of independent operators are having to shut down and remove their ATMs because their banking relationships are being terminated. These closures started in late 2014, but a larger wave of account closures has been occurring over the last several months. In many cases, the operators are given no reason for the sudden termination. Some operators believe their settlement bank views them as a high-risk business related to money laundering, since the primary product of the ATM is cash. Financial institutions may incorrectly group these operators with money service businesses (MSB), even though state regulators do not consider them to be MSBs. Earlier this year, the U.S. House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing over concerns that this de-risking could be blocking consumers' (and small businesses') access to financial products and services. You can watch the hearing on video (the hearing actually begins at 16:40).

While a financial institution should certainly monitor its customer accounts to ensure compliance with its risk tolerance and compliance policies, we have to ask if the independent ATM operators are being painted with a risk brush that is too broad. The reality is that it is extremely difficult for an ATM operator to funnel "dirty money" through an ATM. First, to gain access to the various ATM networks, the operator has to be sponsored by a financial institution (FI). In the sponsorship process, the FI rigorously reviews the operator's financial stability and other business operations as well as compliance with BSA/AML because the FI sponsor is ultimately responsible for any network violations. Second, the networks handling the transaction are completely independent from the ATM owners. They produce financial reports that show the amount of funds that an ATM dispenses in any given period and generate the settlement transactions. These networks maintain controls that clearly document the funds flowing through the ATM, and a review of the settlement account activity would quickly identify any suspicious activity.

The industry groups representing the independent ATM operators appear to have gained a sympathetic ear from legislators and, to some degree, regulators. But the sympathy hasn't extended to those financial institutions that are accelerating account closures in some areas. We will continue to monitor this issue and report any major developments. Please let us know your thoughts.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 10, 2018 in banks and banking, consumer protection, financial services, money laundering, regulations, regulators, third-party service provider | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad