Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 6, 2019
Business Email Compromise Moves Mainstream
The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.
When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.
In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.
In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."
And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."
To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.
How are you attacking this growing threat, and what are you doing to educate your employees and customers?
October 23, 2017
ACH and Consumer-Only Payments: Will the Twain Ever Meet?
For many years, person-to-person (P2P) payment providers have touted the emergence of compelling P2P mobile-based products that exploit some combination of financial institutions (FIs) and fintech providers. Several players have made notable inroads into P2P with certain demographics and use cases, but the overall results in terms of absolute numbers are far from ubiquitous. This post uses hard numbers to explore what progress ACH has made with P2P payments.
During a payments conference earlier this year that showcased findings from the Fed's triennial payments study (here and here), the table below was presented showing the number and value shares of domestic network ACH payments in 2015. The table is complicated because it shows both debit pull and credit push payments by consumer and business counterparties. Despite the complexity, the table distills ACH to its essence by removing details associated with the 14 transaction payment types (known as Standard Entry Class codes) that carry value for domestic payments. Many of these individual codes reflect similar types of payments (for example, three codes are used for converting first presentment checks to ACH). As expected, virtually all payments involve at least one business party to each payment. Consumer-only payments are negligible.
In a typical use case for consumer-only ACH, a consumer transfers funds from one account to another account across financial institutions. As shown in the solid red oval, 0.04 percent of all domestic payments were consumer-to-consumer payments, where the payee initiated a debit to the payer's bank account. For consumer credit push payments, the figure is 0.3 percent. The combined figure rounds to 0.3 percent. On the value side for consumer-only payments (in the dashed red oval), debit pulls, credit pushes, and the combined figure were 0.02 percent, 0.2 percent, and 0.2 percent, respectively. These types of payments typically reflect P2P payments1, when one consumer pushes funds to another consumer.
The next table shows the figures that prevailed in 2012. Given the modest share by both number and value across both years, it is apparent—and interesting—that ACH has made little progress in garnering consumer-only payments. Although ACH is ubiquitous on the receipt side across all financial institutions, it is not so for consumers, given the lack of widely promoted and compelling service offerings from FIs and no standardized form factor like there is for card payments. Additionally, many small FIs do not offer ACH origination services.
This lack of adoption is not unique to ACH. Although some of the electronic P2P entrants are experiencing significant growth, it will be some time before they supplant the billions of P2P cash and check payments. P2P players on the FI-centric side include Zelle, which a large consortium of banks owns. Non-FI providers include PayPal and its associated Venmo service. Given the lack of ubiquity with the new offerings, the fallback option for consumer-only payments is cash and checks. As the payments study reports, check use is still declining, though the most recent trend shows that this decline has slowed. ACH or other electronic options still seem a good bet to continue to erode paper options, but perhaps the market is signaling that paper options have ongoing utility and are still preferred if not optimal for some users in some instances.
So what would it take for ACH to gain some traction in the consumer payments space? Perhaps the presence of same-day ACH, in which credits were mandated in September of 2016 and debits followed in September 2017, offers some opportunity for compelling service offerings coupled with a user-friendly way to send an emergency payment to your ne'er-do-well son.
What are your views on the viability of ACH garnering more P2P payments?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
1 Sometimes account-to-account (A2A) transfers are lumped in with P2P payments.
January 9, 2017
The Year in Review
As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.
Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Office position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.
Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.
Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.
Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMS, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.
Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.
EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.
Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.
Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.
All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.
December 14, 2015
Down and Out in Myanmar
Here in the United States, we have gotten used to cash being the default payment method when other payment methods are not accepted or fail for one reason or another. But a few years ago, I had the pleasure of traveling to a country where cash was pretty much the only acceptable payment method. My experience there really made me appreciate the existence of mobile money transfer (MMT) services like M-Pesa. These MMTs are rapidly spreading across the developing world. Unfortunately for me, however, I had no access to an MMT in the country I visited.
In 2010, my wife was sent on a three-year assignment to her employer's Asian offices in Singapore. During one of my periodic visits, my wife and I vacationed in Myanmar, also known as Burma. Myanmar has a predominately cash-based economy.
Let me provide a little geography and history. Myanmar is bounded by Bangladesh, India, China, Laos, and Thailand. Before independence in 1948, it was ruled by the British, except during World War II, when the country was occupied by Japanese troops. At the end of the war, the country reverted to British rule. In 1962, a military coup led to nearly 50 years of military rule. In the year we visited, fewer than 600 tourists arrived at the international airport in Yangon, the busiest airport in the country.
Before our visit to Myanmar, we wired funds to a tour operator's account in Thailand to pay for the services of a driver, a guide, and some of our lodging. We estimated that we would need about $3,000 for the rest of our travel expenses during our three-week visit. At the time of our visit, Myanmar was under stringent trade sanctions due to the repressive military regime, so no international payment networks operated in the country. Consequently, the coin-of-realm for international tourists was U.S. hundred-dollar bills that could be exchanged for kyats, the local currency.
What we didn't understand is that the money exchangers required U.S. bills of the 1996 series or later with no folds, tears, markings, or stains of any sort. Yikes, we are essentially talking about uncirculated, brand-new bills. Since no international ATMs operated in the country, our first visit was to a local bank. The teller agreed to exchange only $500 after scrutinizing in microscopic detail (like a paleontologist examining a fossil) for 15 minutes our thirty $100 bills. This would cover less than our first week of expenses. We had thousands of dollars burning a hole in our pocket and no place to spend it. We were hard up.
We were getting anxious after several failed attempts at other bank branches, so our guide suggested using an unofficial currency marketer to see if we could exchange more bills. We walked a serpentine route to an untouristed, possibly unsafe area of town. Our guide took us to a money exchanger who grudgingly exchanged an additional $500. Even with further economizing, we estimated we were still short in funds for the last week of our trip. Success arrived when we met fellow travelers with excess funds they were willing to exchange.
I have wondered to this day why the reluctance to accept less-than-pristine bills. Obviously, one concern is the possible counterfeiting of $100 U.S. notes by the government of North Korea, according to some press accounts.
But whatever the reason, it left us spending $1,000 less than we anticipated. If we had had access to an MMT, we presumably would have been able to more freely purchase goods and service without wondering whether our cash would be accepted—though it should be noted that we may still have had problems with the initial cash load at an MMT money transfer agent.
Stepping back, the lessons we learned include the various risks associated with a cash economy, such as counterfeiting and, on a personal level, the disappointment of a diminished vacation due to the time and anguish spent in exchanging money. As I said in the beginning, I can appreciate firsthand the real advantages of moving away from cash to a low-cost, widely accepted mobile money transfer service. In Kenya, for example, M-Pesa reported in 2015 a 22.8 percent growth in revenue and 13.86 million active customers out of a population of 45 million. Meanwhile, next time I go to Myanmar, I'll know what to bring.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 28, 2015
I Want My Two Dollars!
Dizziness and nausea come over me sometimes when I have to pay individuals. My mind scrambles. I don't carry cash or have checks. What grueling, lengthy steps will I have to go through to pay this person? Besides worrying about forgetting to meet my financial obligation if I don't pay right now, I find myself crossing my fingers behind my back hoping they have the same mobile app as I do. Or maybe we use the same bank, with any random luck. I picture myself as Layne Frost, the character played by John Cusack, from the movie Better Off Dead, with the paperboy at my doorstep insisting, "I want my two dollars!"
From bartering to exchanging livestock and shells, from cash and coin to checks and now mobile, it is inevitable that people will always find a way to pay and be paid. Forrester Research forecasts that the U.S. mobile peer-to-peer (P2P) market will grow to nearly $17 billion in transaction value by 2019. Yet the United States P2P payment volume by instrument is still largely cash-based, followed by check. Forecasters are planning on migration from over 6 billion cash and 2.1 billion check P2P transactions to the mobile space. Who will win the lion's share of paper-based P2P payments as people embrace electronic payments?
Let's look at the P2P payment lifecycle before you make your predictions:
My expectation is that everyone in the P2P space today faces challenges in getting there from here. Some will have a handsome share of the market but in doing so may suffocate opportunity for ubiquitous solutions that will benefit consumers nationwide. Fragmentation is our obstacle in P2P today. If both Ps don't have something in common (for example, financial institution, phone manufacturer, mobile application, social media, branded debit card), then the payment can't occur and...back to the basics we go. Cash and checks are accepted by almost everyone. Moreover, cash eliminates the middle part—cash means finality of good funds, sender to recipient, instantly.
All P2P access channels, or funds load, providers who offer accounts to consumers—whether these providers are financial institutions; virtual wallets like Google and Paypal; mobile/online applications like SquareCash, Venmo, or Dwolla; or prepaid accounts like Bluebird or NetSpend—should be able to access a directory to process payments from anyone to anyone. Ubiquity means debit card or not, banked or unbanked, same state or not. This can be achieved when financial institutions cooperate through open access to a directory, since all nonbank P2P providers ultimately use a bank to conduct the business of processing payments.
There is an option that could surpass directory deliberations. Bitcoin's blockchain technology, like cash, can eliminate middle participants—like cash, it is finality of good funds, sender to recipient, instantly. Perhaps the directory will be technology nonpartisan and connect all payments. Until then, I'll keep crossing my fingers when the paperboy shows up.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 12, 2011
Retail Payments Risk Forum publishes discussion paper on peer-to-peer payments
Peer-to-peer (P2P) payment products are some of the most innovative developments from the payments industry in the past decade. Consumers have never had so many payment choices. Alongside a host of recent entrants like PayPal and CashEdge, longstanding industry players like Fiserv, Visa, and MasterCard all offer P2P products. Additionally, three major banks have announced a collaborative P2P initiative called ClearXchange.
Despite this range of innovative offerings, however, the industry lacks a standard understanding of how the various P2P payments in the market work. Further, consumers and businesses are also confused by the many options, and a lack of familiarity may be a source of the inertia that keeps consumers relying on cash and checks for most P2P payments.
The Retail Payments Risk Forum recently published a working paper on P2P payments as a resource for regulators, consumers, and the payments industry in general. The paper offers a framework to organize a discussion of P2P payments and evaluate the associated risks. This framework should help bankers and regulators better manage the risk exposure of different P2P products currently in the market. The framework categorizes transactions by counterparties, access channel, funds load and receipt instruments, and settlement network. Any P2P payment can be mapped across this lifecycle into categories that are mutually exclusive and comprehensively exhaustive.
Consumers send P2P payments by first initiating the transaction through an access channel. Traditionally limited to face-to-face, mail, or bank branches, today you can send payments at a kiosk, online, or even with your mobile phone. The payment funds are loaded and received through an instrument like cash, a bank account, credit card, or prepaid balance. In the background, the funds clear and settle over traditional networks, including ACH, wire, and card networks.
The paper goes on to detail specific P2P payments with case studies indicating how a provider fits across the payment lifecycle. Two of the covered providers have been mentioned in this blog before: Western Union and CashEdge's PopMoney.
In a Western Union P2P transaction, both counterparties are consumers. The sender can initiate a payment at an agent location, a kiosk, or online, or by using their mobile phone in some limited markets. The sender can fund the transaction using cash or a credit, debit, or prepaid card. Senders can also use their account and routing numbers to fund transactions made online or by mobile. Western Union has been proactive in expanding the access channels and funding instruments available to remittances senders. The transaction clears by ACH in countries where the network is available, and by wire in other geographies. Finally, the recipient can receive the funds as cash, or can direct them to their bank account using account and routing numbers.
Consumers can use CashEdge's Popmoney to send a payment to another consumer or to a small business, and can access the service through online or mobile banking. The payment is funded from the sender's bank account using the account and routing number, and the recipient receives funds into their bank account the same way. CashEdge recently partnered with MoneyGram, an international money transmitter, and some recipients may be able to pick up their payment in cash at MoneyGram agents around the globe. Transactions are usually settled via ACH, although recent partnerships with EFT networks enable card network settlement as a speedier option in some cases.
The working paper concludes by discussing some of the risks of P2P payments. P2P payments may seem new and unprecedented from the industry and media buzz surrounding them, but, as described above, most P2P payments actually rely on traditional networks and banking channels. Therefore, the risks posed by P2P payments are not original, but rather map to the risks of the underlying payment type. The risk profile of each P2P product must be evaluated across the specific use case, access channel, and settlement network, a specific risk profile. A one-size-fits-all risk management plan cannot work for such a diverse market. Finally, in evaluating the risk of P2P payments, consumers, banks, and third parties should make comparisons to the status quo of cash and check transactions. Many times new products will offer benefits in terms of efficiency and innovation that may outweigh their greater risk, and in some cases the risk of new products may be lower than that of the status quo.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 1, 2011
Regulation E expected to add new consumer protections for remittance transfers
One of the many changes required by the Dodd-Frank Wall Street Reform and Consumer Protection Act is an update to Regulation E to reflect new protections for consumers who make remittance transfers to recipients in foreign countries. A remittance transfer is a transaction in which a consumer sends funds to someone in another country. The proposed rule is expected to help carry out the Dodd-Frank Act's overall intent to improve accountability and transparency in the financial system through new disclosures, notices, and error resolution procedures for remittance transfers. Recently, the Federal Reserve Board (the Board) formally announced its request for public comment on the proposed rule and model disclosures.
According to some initial comments on the proposed rule, some industry participants believe that the added requirements could increase costs and add unnecessary burdens to a system that is, as they view it, already functioning properly. Others expect that the proposed changes will reduce errors and even, in some instances, improve the speed for remittance transfers because of enhanced communications between the sending and receiving agents.
Will these changes to Reg E stifle progress in the remittance industry or help it become more consumer-friendly? And will these changes enable a thriving business environment for transfer providers—rather than stifling market growth—while preserving consumer protections?
Prevalence of remittance transfers
Remittance transfers are typically consumer-to-consumer payments of low monetary value. The World Bank estimates that a total of $440 billion in remittances was sent worldwide in 2010, of which $325 billion went to developing countries. The World Bank further estimates that the United States had the highest volume of remittances in 2009, totaling $48.3 billion.
New disclosures, notices, receipts, and error resolution procedures
Some of the proposed disclosure requirements call for remittance transfer providers to disclose to the sender, before the sender pays any money, the remittance value in the currency of the recipient's country, all fees charged in connection with the remittance transfer, and the exchange rate that will be used (to the nearest 1/100 point). Then, after sending the payment, the provider must provide the sender a series of other disclosures on the receipt. Separate notices are required for transfer providers that offer Internet-initiated remittance transfers.
Additionally, remittance transfer service providers may be required to prominently display notices describing a model remittance transfer in every storefront location that the provider owns or controls. The proposal also adds new error resolution procedures for remittance transfers. Under the proposal, the deadline for a consumer to report an error is 180 days from the promised delivery date. This notice may be oral or written, but it must contain the amount of the transfer shown in the foreign currency amount, as indicated in the receipt.
Testing existing disclosures, notices, and error resolution procedures
Prior to releasing these proposals, the Board consulted with a research group to help determine whether these requirements would help the consumer price shop remittance services or understand their fee structure. Overall, the resulting study found that most participants (remittance senders) were satisfied with their experiences.
The study, when determining what information participants received from remittance transfer service providers during an in-person transaction, found that participants infrequently received written information before they completed the transaction. However, the participants indicated they could get needed information by asking an agent. In contrast, they almost always received some form of written information after the transaction, including the exchange rate, fees, amount of money sent, and so on.
Study participants were also asked to share their experiences with dealing with errors or problems during a remittance transaction. Most reported having had problems with at least one service provider, but almost all reported that their problems were resolved expeditiously. The most common error they reported was the misspelling of the recipient's name.
Remittance transfers are an increasingly important source of income for households in lower-income countries. Yet, given the results of the study on the current state of remittance transfers, it is difficult to know whether the Dodd-Frank's remittance provisions will increase efficiency in the remittance industry while preserving consumer protections. What is clear, though, is that the proposed amendments to Reg. E will establish standardized disclosures and notices, thereby creating more transparency in the remittance industry so that a consumer can confidently price shop providers while fully understanding fee structures and services. Although the Board has initiated these proposals, the Consumer Financial Protection Bureau assumed responsibility over this new regulation on July 21, 2011.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
April 25, 2011
Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?
I paid little attention when news broke on the April 1 announcement by the marketing services firm Epsilon that a subset of their clients' data—e-mail addresses and names—was compromised. However, my interest in the story grew as I began receiving numerous e-mails from various financial institutions and merchants letting me know that my name and e-mail address, which I voluntarily supplied to them at some time, were part of the compromise. Unbeknownst to me, these companies had provided my data to Epsilon for marketing services.
Perhaps if I had taken the time to read the service agreements and privacy notices from these companies, I would have been more aware that my data might be shared with a third party. But in today's digital and mobile world that's all about speed and convenience, does anyone really take the time to read these privacy notices before submitting personal information? And I have to think that for most people, the e-mails and snail mail about changes to privacy policies that seem to come on a monthly basis from various companies quickly find their way unread into the trash. Do current bank-enabled P2P offerings present data compromise risks for customers and are banks offering other P2P alternatives that offer convenience without the potential risks?
The current bank-enabled P2P environment
In light of the Epsilon data compromise, it seems only fair for consumers to be fearful about the amount of personal (and highly sensitive) information they hand over to financial institutions to complete a P2P transaction. These institutions could potentially share this data with third parties that provide P2P services for banks or with companies that provide marketing services—such as Epsilon. Once a consumer provides information to the bank, he or she does not necessarily know how much of the data is shared and with whom it is shared. This person is left in the dark about who actually has access to PII and the corresponding privacy and security policies of those companies.
Are today's bank-enabled P2P services solid replacements for cash and checks?
Based on my two recent experiences with these bank-enabled P2P solutions, their value—even ignoring the cost of the service—appears to be small for one-time, small-dollar payments between individuals. The idea of bank-enabled P2P payments may be cool and trendy. However, the amount of information the sender’s bank requires about the receiver to complete the transaction not only is time-consuming to enter but also presents risk issues that outweigh any perceived benefits, especially for the recipient. Perhaps banks are realizing the challenges behind P2P services for small value, one-time payments given the recent proliferation of banks offering an alternative to traditional check depositing, remote deposit image capture (RDIC), which is potentially simpler and less risky for the consumer than banks' current P2P offerings.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?:
January 24, 2011
The future role of financial institutions in the domestic P2P environment
Although the use of online banking and online bill payment has flourished over the past decade, banks have yet to capitalize on the opportunity of the thriving online and mobile domestic person-to-person (P2P) transaction market. Online banking use more than doubled from 20 percent of households in 2000 to 53 percent in 2009, according to a December 2009 Javelin Strategy report (Multi-Channel Account-to-Account Transfers and P2P Payments Forecast: Evaluating Trends and Assessing the Future 2006–2014). Further, online bill payment usage has grown from 5 percent of households to 36 percent during the same time period. However, the traditional bank P2P methods of check, cash, and wire transfer continue to decline while online and mobile domestic transfers are expected to grow at a 9 percent compound annual growth rate, according to the Javelin Strategy report. As banks face continued downward pressure on revenues and intense competition from both new and existing players, the online and mobile P2P market represents a threat to banks' traditional check business. However, it also represents a potential opportunity for banks to offer a distinct service to their customers.
The expanding domestic P2P market
A 2009 TowerGroup report (Noncash P2P Payments: Checks in Decline Still Rule the Roost) estimates the U.S. noncash domestic transfer market at $1.1 trillion, composed of more than three billion transactions. Checks remain the dominant P2P means of settlement. However, the availability of the Internet to households, impressive growth of smartphones, exponential increases in consumer mobile data usage, and numerous mobile applications (especially for the iPhone) are creating a healthy environment for the growing online and mobile domestic transfer market in the United States. The Javelin Strategy report suggests nearly 44 percent of the 86 million online households made at least one online P2P transfer, up from 27 percent in 2008.
The online and mobile P2P market has been dominated by PayPal to date. However, payment processors, electronic card networks, and new emerging payment service providers have launched competing products over the last several years. PayPal and other service providers, such as CashEdge, Fiserv, FIS, and MasterCard, have each created products designed to integrate into banks' existing online and mobile channels. Although these products can be integrated into banking channels and the transactions are more convenient for consumers than a traditional bank wire or check transaction, the transaction is far from seamless. In order to use the online and mobile P2P products that banks currently offer, consumers must register not only with their bank but also with the bank's P2P service provider partner, which often requires them to submit their personal and banking account information. Adding further complications, completing the transaction may require the receiver of the payment, or the receiver’s bank, to have a relationship with the P2P provider that the payer uses.
Tapping the ACH network?
While it appears that the migration from paper checks to electronic forms of payment in the consumer-to-business market is crossing over to the P2P market, banks still have many hurdles to clear before they can capitalize on the P2P opportunity as online and mobile P2P payments become widespread. The P2P providers offer banks a solution that allows for quicker settlement than either checks or wire transfers, but the solution is still far from consumer-friendly. In order to provide banking consumers a friendlier P2P online and mobile service, banks could consider the development of a P2P solution that leverages the extensive ACH network in a manner similar to a person-to-business transaction. Much like mobile banking or bill payment, consumers could opt into the P2P service and transfer or receive funds between any banking institution on the ACH network without having to register with and provide confidential data to a third-party P2P service provider to access the service.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 15, 2010
Retail Payments Risk Forum publishes white paper on mobile payments
Everyone has a cell phone these days, and that ubiquity is paving the way for wide acceptance of mobile money person-to-person transfer services, also known as MMT. Emerging countries, where the mobile channel provides a safe, efficient environment for conducting financial transactions and improving financial inclusion, have been especially quick to adopt MMT. In contrast, mobile payment adoption in the United States has been slow, but many experts believe that, with more people acquiring smart phones and having access to all the applications that go with them, MMT is on the brink of becoming widely accepted.
As roaming agreements between wireless carriers and the globalization of commerce in general work together to render our world's geographic borders irrelevant, how quickly can we expect these services to migrate to the United States? More importantly, as various forms of electronic payment crimes emerge, what should the industry do to prepare for new mobile services in a cross-border environment?
To answer these questions, the Retail Payments Risk Forum recently published a white paper titled "Mobile money transfer services: The next phase in the evolution in person-to-person payments," which describes the current landscape for these services and examines the risk environment for mobile money for both developed and emerging countries as new business partnerships between bank and telecom firms take shape.
MMT has the potential to catalyze the mobile financial services market
Infrastructure developments to support MMTs could support the evolution of other financial services. According to the GSM Association, this infrastructure provides the basis for the concept of the mobile wallet, which will allow mobile phones users to conduct banking, proximity payments using the phone at a merchant's point-of-sale terminal, and remote mobile payments, including domestic and cross-border mobile transfers.
The mobile money risk environment
The risks inherent in all retail payments are also present in the mobile space, including money laundering, privacy and security, consumer protection, fraud, and credit and liquidity. As mobile financial services evolve, there will be a number of issues to consider for managing the new risks mobile phone-based payments stand to introduce. The emergence of more nonbank participants in the distribution of mobile payments, including telecom firms and their agents along with technology vendors, may create additional risk considerations for payment regulators. Since mobile technology-enabled payments do not require the face-to-face interaction that takes place with traditional banking, the resulting opaque, anonymous experience can also create more opportunity for criminal activity. This will be increasingly important in a future where mobile retail payments will occur rapidly and across geographic borders, potentially outside the purview of traditional regulatory oversight. Payments regulators have limited expertise and experience in identifying electronic payments crime in communication systems—so the potential for abuse is a real and imminent threat that is still abstract and not well understood in this early stage of the game.
Policy considerations for industry stakeholders, policymakers, and regulators
The integrity and safety of the world's retail payment systems rely on cooperative information sharing about service developments and potential gaps in regulation. A number of considerations should remain at the forefront of industry discussions.
- The new mobile landscape will require dialogue between the regulatory authorities for financial services and telecom firms. Financial and telecom sector regulators will need a comprehensive understanding of the emerging risks in mobile payments with a collective eye toward the potential need to establish new regulatory concepts of electronic money regulation. This may demand a program for routine communication to ensure that regulators understand payment system risk issues and provide effective risk-based supervision for payment services providers.
- An oversight infrastructure for mobile payments, including the financial services of telecom firms, should be established. This oversight might be established through a routinely convening workgroup representing applicable regulators or the creation of a new organization with expertise in the unique and dynamic risk issues in mobile services.
- Cross-border mobile payments may require improved customer-data sharing on an international basis. The anticipated growth in mobile remittances may demand a new environment of international cooperation and sharing of customer data and analysis.
- U.S. mobile payments services providers should be required to establish programs to mitigate the risk of money laundering. Mobile services will require new methods for detecting and monitoring data flows. All service providers, including telecoms, will need to establish risk management programs commensurate with the risk in their service offerings.
- Converged regulatory authorities should examiner consumer protection risks for potential gaps in regulatory oversight. In the United States, it may be necessary to reexamine the applicability of Regulation E protections to stored-value payments as they become more prevalent in the mobile channel, in order to prevent consumer confusion in error resolution scenarios.
The experts are right in saying that mobile adoption still low. But the rapid pace of change means that industry stakeholders, and especially regulators, need to be forward-looking and anticipate where the winds of change will blow. A rearview mirror approach to addressing emerging risks in mobile payments can be modified with proactive thinking, dialogue, and global collaboration.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
- Encouraging Password Hygiene
- Should We Throw in the Towel When It Comes to Data Breach Prevention?
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud