Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

April 27, 2015


Not Seeing a Tree for the Forest

For this blog's title, I confess to having pineapple-upside-down-caked the common adage "missing the forest for the trees." The thing is, I want to point to a particularly nice tree in the same day ACH (automated clearinghouse) forest. By torturing the adage I hope to inspire folks to deviate from the basic, same day forest flyover and focus on one tree. It seems to me it has not gotten all the attention due.

Those advocating for same day ACH generally tout the increased functionality or the economic benefits of the latest proposal. Another oft-mentioned benefit of the proposed rule change is that it may provide a bridge from today's payments to those of the future. However, tucked into the lush same day ACH forest is a hard-to-find risk abatement species. Allow me to point out some of its features.

Settlement—By reducing the settlement window, same day ACH reduces credit risk associated with the network ecosystem—both in terms of the length of time counterparties are exposed to settlement risk and, potentially, the total amounts of settlement risk. For sure, financial institutions will have more flexibility to better manage these circumstances.

Operations—Same day ACH provides additional processing windows that result in risk reduction opportunities. Operations managers gain the means to load balance or smooth processing volumes and may also be able to ease the pressure on deadlines. The additional processing windows can be thought of as de facto contingency alternatives and seem likely to yield a corresponding increase in reliability and quality for the ACH.

Returns—Expedited settlement means expedited return handling. Same day ACH would provide the opportunity for receiving banks to return same day payments on that same day. Moreover, because return requirements are tied to settlement, any same day payment that needs to be returned to an originating bank will be received one banking day earlier than would have occurred without same day settlement. NACHA points out that exceptions may be identified sooner and returned sooner, which means resolution for more problems may begin sooner. They have described this as "a 'win-win' for all parties." It's hard to argue the point.

If it passes, same day ACH will improve the risk posture of financial institutions, benefiting both ACH payers and payees. As spring continues to unfurl, perhaps some of you will get to stroll through the woods. If you come across a particularly handsome dogwood or perhaps an eastern redbud, be reminded that the same day ACH ballot will pop later this spring. I'm keeping my fingers crossed that the woodsmen don't get to clear cut the forest this time and we don't lose any of the nice trees.

By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed


April 27, 2015 in ACH, risk management

April 20, 2015


Fed Survey Shows Mobile Banking on Rise in Southeast

In August 2014, the Retail Payments Risk Forum conducted a mobile banking and payments survey of financial institutions in the Sixth Federal Reserve District. (The Sixth District comprises Alabama, Florida, Georgia, and portions of Louisiana, Mississippi, and Tennessee.) The Federal Reserve's Board of Governors has annually conducted a national survey of mobile financial services for the last four years from the consumer perspective. We conducted this inaugural survey to determine the level and type of mobile financial services offered by financial institutions (FIs) in our region. (At the same time, the Federal Reserve Banks of Boston, Dallas, and Richmond conducted an identical survey of the financial institutions in their districts. So far, only the results of the Dallas District's survey are available.)

Of the 189 validated responses, 75 percent were from banks and 25 percent from credit unions (CUs). Six of the respondents (five banks and one CU) indicated that they did not currently offer nor had any plans to provide mobile banking services. The two most important reasons given by the FIs for not offering the service were security and regulatory concerns.

The full survey report is available on the Retail Payments Risk Forum website, but some of the key findings from the survey include:

  • While mobile banking was first launched in the United States in 2007, it is a relatively new service for many FIs in the Sixth District. Almost 23 percent launched it within the last year, and an additional 15 percent are planning to offer mobile banking within the next two years.
  • The primary reason FIs selected for offering mobile banking was to retain customers. Some saw it as an opportunity to gain new customers.
  • There is very little difference in the basic mobile banking functions that banks and credit unions offer.
  • Sixth District FIs use more than 30 mobile banking application vendors, although there is a large concentration with three of these providers.
  • Despite the current headlines, the respondents expressed little to no interest in using biometrics and tokenization. (But note that the survey was conducted before Apple Pay rolled out.)
  • Security concerns related to identity theft, data breaches, malware, and poor customer security practices remain primary concerns of FIs.
  • With the possible exception of the remote deposit capability, FIs do not expect to charge customers for mobile banking or payment services.
  • The mobile payments environment is nascent and highly fragmented in both the number of vendors and the wide range of technologies. This fragmentation has created some inertia while the FIs wait for the environment to sort itself out.

The Retail Payments Risk Forum plans to conduct this survey every two years in order to measure changing penetration and attitudes. If you have any questions concerning the survey results, please contact me via e-mail.


April 20, 2015 in mobile payments

April 13, 2015


Leaving a Cybersecurity Legacy

On April 1, the current administration's fourth executive order related to cybersecurity was signed into action. This executive order shows an ongoing commitment to securing cyberspace. In 2009, the executive office released its Cyberspace Policy Review, which triggered a flurry of cybersecurity policy. (Relatedly, the government's "Buy Secure" initiative to increase payment security mandated the issuance of chip-and-PIN cards for all federal employees and benefits programs beginning in January 2015.) This week, Take On Payments summarizes the four cybersecurity-related executive orders that have been signed over the last six months and what these orders could mean for the banking and payments industries.

Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (4/1/15)
Authorizes swift and severe sanctions by the Treasury Department to those engaged in malicious cyber activities that pose a significant threat to national security, foreign policy, economic health, or the financial stability of the United States. This action occurs regardless of where the offenders are domiciled, and can include the freezing of assets and denial of entry into the United States for individuals and entities. These malicious activities include, but are not limited to, distributed denial-of-service (DDOS) attacks and misappropriation of financial information for financial gain. According to an insider, attacks on banks and the financial sector, including the unauthorized access of payment credentials, would likely qualify as significant enough to warrant these new sanctions. While critics debate the enforceability of these sanctions, the banking and payments industry should find this development promising. Law enforcement is often challenged to bring these individuals to swift justice.

Promoting Private Sector Cybersecurity Information Sharing (2/13/15)
Encourages the Secretary of Homeland Security to establish information sharing and analysis organizations (ISAOs) as well as standards and guidelines to establish a robust information-sharing network related to cybersecurity incidents and risks. ISAOs can be organized on the basis of multiple attributes, including industry sector or region. Information sharing would take place both within and across ISAOs. Although the financial services industry has had some success with information sharing within their sector through organizations such as Financial Sector-Information and Security Center, the private sector generally remains challenged to share information across sectors. We hope this order will lead to the development of standards and better coordination to allow for information sharing of cybersecurity incidents and risks between the financial services sector and other industries.

Improving the Security of Consumer Financial Transactions (10/17/14)
Although cybersecurity wasn't the main focus of this executive order, two cybersecurity components are included in it. The first relates to the remediation of identity theft. It specifies that the Attorney General will issue guidance to promote regular submissions by federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance (NCFTA) Internet Fraud Alert System. Secondly, the order requires that all federal agencies that make personal data accessible develop a plan to implement multifactor authentication. While directed towards federal agencies, it is possible that this order will pressure financial institutions and other private industry entities within the payments industry to adopt similar compromised credential submission and multifactor authentication practices, if they have not already.

The current cybersecurity activity isn't just limited to executive orders. Several cyber-related bills have circulated the congressional floor the past several years. A future Take On Payments post will highlight several bills that have been introduced in 2015 on Capitol Hill and what they could mean for banking and payments.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 13, 2015 in cybercrime

April 06, 2015


What Can Parenting Teach Us about Data Security?

My older child often asks if he can play at his friend Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.

As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.

However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.

In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


April 6, 2015 in consumer protection, data security, KYC, risk management, third-party service provider
