Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

March 30, 2015

Safely Motoring the Payments Highway

I've ridden a motorcycle for 30-plus years and, except for a slight bump from behind by a car when I was stopped at a four-way stop sign, I have a perfect safety record. Some say I'm lucky. While there is probably some element of truth to that—I've made it through a number of dangerous situations over the years—I believe my good safety record is largely because early on in my riding days, I invested in proper safety clothing and took classes in motorcycle riding skills and safety. In addition, when I've been out on the road, risk management has played an integral role in my safety: I follow the Motorcycle Safety Foundation's recommended practice of S-I-P-D-E: scan, identify, predict, decide, and execute.

I recently took advantage of an early spring day and rode the North Georgia back roads. Later that evening, when I thought back over my day, I couldn't help but think of the parallel between motorcycling risk management and payments risk management. To maintain a good safety record in both, you should practice SIPDE. Here's how SIPDE can work with payments.

Scan: Constantly examine the environment you are in. Don't focus on a particular payment method or channel or you will get target fixation and be likely to miss threats to other payment types. How often have we heard that while resources were focused on responding to a distributed denial of service attack, the criminals took advantage of the distraction and executed some unauthorized transactions? When riding, I try to always be alert and I constantly move my sight lines to spot any dangers.

Identify: As you conduct your examination, identify all potential risks. Some may be immediately apparent, and some may be hidden. Some may be major threats, and others less serious. While most of the criminal threats will come from external elements, don't forget about insider fraud.

Predict: After you have identified the risks, run through scenarios as to potential outcomes given a variety of circumstances. I sometimes change my lane position to increase my visibility and always cover the brake lever to prepare for that emergency stop. You must certainly consider the worst-case scenario, but don't forget that an accumulation of less-severe situations may result in a loss that is just as big.

Decide: After weighing all the options and the likelihood of their panning out, determine your course of action so that you're ready if one of the scenarios becomes a reality. Reaction time is critical with motorcycle riding and dealing with criminal attacks.

Execute: Put into motion that course of action to deal with the risk. This is where your training, skills, and tools come into play, helping you to properly and completely execute your plan.

Just as when I ride and the environmental factors and potential threats around me are constantly changing, such is the case in our payments environment. We must constantly use our S-I-P-D-E skills to assess and react to the environment, whether that's the road you're riding on or the payments environment you're operating in.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 30, 2015 in consumer protection, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Safely Motoring the Payments Highway:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 16, 2014

Banking on the Financial Institutions as Gatekeepers

With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.

Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.

Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.

Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)

An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.

The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.

Photo of Deborah Shaw

June 16, 2014 in banks and banking, regulations, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Banking on the Financial Institutions as Gatekeepers:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 19, 2014

Choking on the Cost of Risk Management

In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.

While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.

The agencies defend their actions, stating that the “know-your-customer” and “know-your customer’s customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly exchanging these requirements for due diligence and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.

By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customer’s customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions with regards to its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.

To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.

Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?

Photo of Deborah ShawBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 19, 2014 in banks and banking, law enforcement, regulations, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Choking on the Cost of Risk Management:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 30, 2013

Securing All the Links in the Chain: Third-Party Payment Processors

Consumers may not know when a payment transaction involves more than the merchant who they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).

The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.

Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC)—in this case, the processor—and also "know your customer's customer" (KYCC)—in this case, the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.

Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.

A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.

Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.

Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.

We would like to hear what processes your institution has in place to monitor processors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 30, 2013 in banks and banking, consumer protection, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Securing All the Links in the Chain: Third-Party Payment Processors:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 6, 2013

Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals may generally also install a pinhole camera positioned to capture the customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013 in ATM fraud, crime, identity theft, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Staying One Step Ahead of ATM Attacks:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 1, 2012

Summer Is Gone, but ACH Fraud Remains

As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.

In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.

Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:

  • ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
  • ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
  • RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
  • RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
  • RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.

In addition to Deborah's suggestion, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.

The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 1, 2012 in ACH, consumer fraud, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Summer Is Gone, but ACH Fraud Remains:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 16, 2012

Online and mobile banking create many front doors

"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.

An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.

The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.

Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.

Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.

Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.

Effectiveness of Authentication Techniques—not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.

Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures to do something when out-of-pattern transactions are detected.

Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.

With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.

Mary KeplerBy Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed

April 16, 2012 in banks and banking, mobile banking, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Online and mobile banking create many front doors:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 17, 2012

How risky? The elements of an effective payments risk management program

Financial institutions manage a range of businesses with distinct risk management needs. Banks of all sizes that offer payment services to retail and commercial clients must appropriately identify and manage the myriad dimensions of risk entailed. The Retail Payments Risk Forum recently spoke with Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. The conversation, captured in a podcast and highlighted in this post, covered the elements of a successful payments risk management program. Formerly a banker, DaSilva is able to take the perspective both of the supervisor and of the supervised institution when it comes to understanding the challenges of managing retail payments risk.

He said that in financial institutions today, "payments risk management is sometimes informal or decentralized." Without a comprehensive risk assessment, said DaSilva, these institutions have a heightened vulnerability to risks they do not understand. As a result, they may incur losses, lawsuits, or even regulatory formal actions.

Often, the scope and rigor of the bank's risk management program is not commensurate with the bank's risk profile. He added that the loose oversight combines with a variety of other factors to undercut a bank's risk management capabilities. A major driver in adding new payment services may be anxiety for fee income in an environment where many sources of payments revenue have been pressured.

Other factors include incomplete due diligence or inadequate "know-your-customer" (KYC) programs, or the institution may have insufficient payment expertise, senior leadership involvement, or employee and management training. DaSilva has seen institutions that do not perform adequate risk assessments or due diligence when deploying new payment products or services, for example, or when engaging in third-party service-provider relationships.

Implementing a strong risk management program
DaSilva explained that there are multiple types of risk in the payments business that institutions must consider. These types include "credit risk, compliance risk, transaction risk, fraud risk, and legal and reputational risk." Responding to all these requires establishing a risk management program with the following elements:

  • Planning. Having clear, defined objectives, a well-developed business strategy, clear risk payments parameters, and a role within the financial institution's strategic plan.
  • Risk identification and assessment. Senior management knowledge and understanding of their institution's risks is critical. The risk assessment should be incorporated into the bank's overall risk management process, which will vary by institution.
  • Mitigation. Establish policies and procedures to mitigate identified risks. These policies should consist of clearly defined responsibilities and strong internal controls over transactions. Mitigation is also achieved through a good risk-based audit program, and well-designed contracts and agreements.
  • Measurement and monitoring. Periodic reporting should enable the board and senior management to determine that payments activities remain within the bank's established risk parameters.

The role of bank leadership in risk management
DaSilva repeatedly emphasized that it is critical for bank board and senior management to be actively involved with and knowledgeable about their institution's payments risk management. For an institution to be able to gauge senior management knowledge, he suggested it begin by exploring whether management "understands the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks, [as well as] their reputational [and] legal risk."

DaSilva encouraged leveraging subject matter experts and ensuring that the retail payments strategy matches the bank's overall strategy and competencies. The best policy may be to limit product offerings to those for which management and employees have a full understanding of the accompanying risks. Despite the pressure to develop new sources of revenue, financial institutions should carefully evaluate the risks of any new payment product before adding it to their portfolio.

To end on a positive note, DaSilva has seen some institutions improving in all the right areas. They are assessing and mitigating risk across multiple payment channels, products, and delivery systems, including ACH, remote deposit capture, card products, and wire transfer. And for icing on the risk management cake, some do annual reviews of client accounts that include exposure from all payment, deposit, and loan products.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 17, 2012 in banks and banking, payments risk, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference How risky? The elements of an effective payments risk management program:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 11, 2011

High-impact events in a warming world: Business continuity planning for retail payments

Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.

Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.

Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:

The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.

The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.

In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

October 11, 2011 in banks and banking, financial services, payments systems, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference High-impact events in a warming world: Business continuity planning for retail payments:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 15, 2011

Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud

It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of PacMan (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.

Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.

Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.

Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.

Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.

Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement their new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.

Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.

Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.

Photo of Rich OliverBy Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

August 15, 2011 in consumer protection, fraud, payments systems, regulators, risk, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad