Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 27, 2015
Friendly Fraud: Nothing to Smile About (Part 1)
Friendly fraud (also referred to as chargeback fraud or first-party fraud) occurs when someone makes an online purchase then later requests a chargeback from the bank. The person has received the goods or services, but claims they were defective or the transaction never authorized. Sometimes this happens because of buyer's remorse—the customer just doesn't want to have to explain his or her regret to the merchant, preferring to initiate a chargeback and let the bank resolve it with the merchant. Sometimes the buyer's remorse comes from a child making purchases, particularly digital goods, using the parent's card, or when a merchant's refund time limit has passed but the cardholder still wants to be reimbursed.
While there certainly can be legitimate disputes, friendly fraud is becoming a growing problem for e-commerce merchants. Not only are the merchants out the cost of the goods or services, but they also incur administrative costs and fees from the card-issuing bank. Companies selling digital goods, office supplies, or electronics—as well as auction sites—seem to be the most frequent targets of friendly fraud, but other types of businesses can also be affected.
One of the main difficulties merchants experience in combating this fraud is predicting or recognizing when it first occurs, since it often occurs on the account of a "good" customer. And with these remote purchases, the merchant is at a disadvantage in determining if a legitimate cardholder made the purchase or the goods were actually received by the cardholder.
Because the burden of proof is on the merchant, the merchant community has started to implement a number of tactics to help reduce this increasing problem. In our next installment on this topic, we will discuss some of those tactics.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 20, 2015
Unsafe at Any Speed?
If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?
I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.
- Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
- Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
- Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
- Track and report. We must do more of this in a frank, transparent way and it must be timelier.
Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.
There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit (answer silently to yourself). Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.
The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
July 13, 2015
Biometrics and Privacy, or Locking Down the Super-Secret Control Room
Consumer privacy has been a topic of concern for many years now, and Take on Payments has contributed its share to the discussions. Rewinding to a post from November 2013, you'll see the focus then was on how robust data collection could affect a consumer's privacy. While biometrics technology—such as fingerprint, voice, and facial recognition for authenticating consumers—is still in a nascent stage, its emergence has begun to take more and more of the spotlight in these consumer privacy conversations. We have all seen the movie and television crime shows that depict one person's fingerprints being planted at the crime scene or severed fingers or lifelike masks being used to fool an access-control system into granting an imposter access to the super-secret control room.
Setting aside the Hollywood dramatics, there certainly are valid privacy concerns about the capture and use of someone's biometric features. The banking industry has a responsibility to educate consumers about how the technology works and how it will be used in providing an enhanced security environment for their financial transaction activities. Understanding how their personal information will be protected will help consumers be likelier to accept it.
As I outlined in a recent working paper, "Improving Customer Authentication," a financial institution should provide the following information about the biometric technology they are looking to employ for their various applications:
- Template versus image. A system collecting the biometric data elements and processing it through a complex mathematical algorithm creates a mathematical score called a template. The use of a template-based system provides greater privacy than a process that captures an image of the biometric feature and overlays it to the original image captured at enrollment. Image-based systems provide the potential that the biometric elements could be reproduced and used in an unauthorized manner.
- Open versus closed. In a closed system, the biometric template will not be used for any other purpose than what is stated and will not be shared with any other party without the consumer's prior permission. An open system is one that allows the template to be shared among other groups (including law enforcement) and provides less privacy.
- User versus institutional ownership. Currently, systems that give the user control and ownership of the biometric data are rare. Without user ownership, it is important to have a complete disclosure and agreement as to how the data can be used and whether the user can request that the template and other information be removed.
- Retention. Will a user's biometric data be retained indefinitely, or will it be deleted after a certain amount of time or upon a certain event, such as when the user closes the account? Providing this information may soften a consumer's concerns about the data being kept by the financial institution long after the consumer sees no purpose for it.
- Device versus central database storage. Storing biometric data securely on a device such as a mobile phone provides greater privacy than cloud-based storage system. Of course, the user should use strong security, including setting strong passwords and making sure the phone locks after a period of inactivity.
The more the consumer understands the whys and hows of biometrics authentication technology, I believe the greater their willingness to adopt such technology. Do you agree?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 06, 2015
Growing, Growing, Gone!
As we've blogged before, check writing has been steadily declining as electronic payments have grown. For example, the number of checks written in 2012 was 21 billion, down from 27.8 billion in 2009, according to the 2013 Federal Reserve Payments Study. We may be writing fewer checks than ever, but more than anything, we want the convenience of depositing our checks with mobile devices. A 2013 survey by ath Power Consulting found that mobile remote deposit capture (mRDC) is the "most sought-after mobile banking feature" among consumers. And financial institutions are answering this demand. According to 2014 surveys from Federal Reserve Banks (the Dallas Fed's, for example), about 48 percent of responding institutions are currently offering mobile capture and another 41 percent are planning to offer it within the next two years.
With mRDC in such demand, solutions providers and financial institutions should be investing in risk management strategies. But if check writing is a declining business, will mRDC risk management investments end up on the disabled list? Financial institutions must look at the potential losses and how they occur, evaluate the means to minimize these, and carefully weigh these factors against the dwindling check industry.
The mRDC channel faces two primary loss challenges: fraudulent items and duplicate check presentment. A fraudulent item might be an altered, forged, or counterfeit check; it can also be an intentional duplicate presentment. The other challenge occurs when a customer unintentionally presents a deposited item a second time. Research and anecdotal evidence suggest many duplicate presentments result from customer errors. These represent a growing customer education need. Financial institutions must find room in the allocated lineup and spending cap for fraud and duplicate detection enhancements.
Handling duplicate check presentments landed an all-star position on the agenda at most payments operation conferences this past year. Duplicate check presentments mean returns and adjustments, which in turn mean time and money for the financial institutions. When duplicate presentment involves more than one bank of first deposit, losses are often sustained from misunderstanding holder-in-due-course rights and return-versus-adjustment processes. Financial institutions often need to reconstruct what happened, analyze the facts, and possibly consult legal counsel.
But rather than handling these risks with expensive roster moves, considering the declining use of checks, financial institutions can meet the threat at the origin, through customer education and enforcement policies. Financial institutions that offer mRDC can make disclosed stipulations. For example, they can require that the original check be destroyed after confirmation, or that checks have a specific restrictive endorsement that includes "for mobile deposit only." Ultimately, if a consumer deposits a check twice, financial institutions can charge a fee or suspend service. In general, customers want to avoid fines, so they tend to play within the rules when fines are looming. If training customers is a home run in mitigation, then the grand slam is having detection systems that support the stipulations and rules put into place.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Friendly Fraud: Nothing to Smile About (Part 1)
- Unsafe at Any Speed?
- Biometrics and Privacy, or Locking Down the Super-Secret Control Room
- Growing, Growing, Gone!
- The More Things Change, the More They Stay the Same
- The Current Tokenization Landscape in the United States
- “Customer, You Have the Conn”
- Is the Conventional Wisdom about EMV Migration Right?
- Follow the Money
- A Presumption of Innocence
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud