July 28, 2014
Where's the Mobile Payment?
I was a big fan of the '80s Wendy's commercials that featured an older woman uttering the phrase, "Where's the beef?" I recently found myself muttering something similar to myself: "Where's the mobile payment?" In early July, I came across the American Banker website headline "Six Fintech Startups That Wowed Bankers." The article highlighted six tech startups that recently pitched their financial products and services to executives from 15 of the largest banks at a one-day event. I was expecting to read about several mobile payment or mobile wallet startups, but surprisingly, none were mentioned.
According to the article's author, for a fintech startup to capture a banking executive's attention, it must address a need in the marketplace that few others are meeting. Could it be that the executives don't view mobile proximity payments as a customer need? I recently blogged about mobile payments fatigue and received some mixed feedback—but I heard little from our banking community readers. From a mobile payments perspective, they are extremely active in both person-to-person and bill payment initiatives. But outside of a few limited pilot programs, financial institutions have made little noise regarding mobile proximity payments or mobile wallets.
Given the prominent role financial institutions are playing in mobile payments through person-to-person and bill payments, why aren't they actively participating in proximity payments at retailers? Are they failing to meet the needs of their customers? According to the J.D. Power 2014 Retail Banking Study, customer satisfaction with banks is at an all-time high. And though the study found that some banks are falling short of meeting their customers' needs, the large banks covered in the survey experienced a significant rise in customer satisfaction scores, leading me to believe these banks are doing as good of a job as ever in listening to their customers and fulfilling their needs.
Is it possible that there isn't currently a driving consumer need for banks to deliver a mobile proximity payment or mobile wallet solution? My colleague Dave Lott suggested earlier this year that for mobile adoption to take place, the experience needs to follow Andy Grove's 10x rule and be 10 times better than what consumers are used to. What do you think it will take to catch the eyes of banking executives in the mobile proximity payments space?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 21, 2014
How Much Will Chip-Card Technology Affect ATM Owners?
Last week, my colleague Doug King wrote a post about the impact of the migration to chip-card technology on financial institutions that issue cards, with a focus on the smaller issuers. What happens with ATMs is an aspect of the chip-card migration that hasn't received much media attention. This may be because the liability shift timetable for ATMs—for MasterCard, it's October 2016; for Visa, October 2017—comes after the merchants' October 2015 deadline.
Of the roughly 430,000 ATMs in the country, nonfinancial institutions own just over half. The size of these independent ATM deployers (called IADs) range from two large companies with installed ATM bases of 60,000+ machines to thousands of small independent owners with a handful of ATMs. The conversion to support chip cards can cost these businesses up to $500–800 per machine. This impending ATM upgrade has echoes of the Triple DES (or Triple Data Encryption Standard) upgrade that Visa and MasterCard mandated in 2003, with a 2007 deadline. That upgrade involved strengthening ATM transaction security to better protect cardholder's personal identification numbers. Like today's chip-card upgrade, some of the older ATMs did not have the computing power necessary to support the upgrade, which meant the owners had the additional expense of replacing or decommissioning these machines. The independent-ATM installed base declined by more than 12 percent from 2007 to 2009 because many of the owners could not afford the Triple DES upgrade.
The costs of the current upgrade come at a time when the operators are seeing a constriction of their revenues. ATM usage has not kept up with the increased number of machines, which has resulted in lower average volumes per ATM and lower transaction revenues. The increased use of debit cards at retailers along with the cash-back option that many retailers offer are primary reasons for the lower usage.
The ATM owner has two main sources of revenue: interchange fees and surcharge fees. The card issuer pays the interchange fee; the cardholder pays the surcharge, which the ATM owner adds to the transaction amount. (The cardholder may also incur a "foreign transaction" fee from their financial institution for using an ATM outside their financial institution's network, but the ATM owner receives no portion of that fee.)
For 10 years, net interchange revenue to the IADs been steadily decreased. An industry survey showed that average interchange revenue per cash withdrawal dropped from $0.555 in 2006 to $0.3625 in 2012. ATM owners have some ability to raise their surcharge amount, but they have to remain competitive. (The average ATM surcharge amount for ATMs is about $2.50, according to Bankrate.com’s 2012 Checking Survey.) To offset these profitability constrictions, ATM owners are continuing to look for additional revenue sources, such as video advertising or branding their ATM with the name of a financial institution.
As the chip-card deadline for ATMs gets closer, Portals and Rails will continue to monitor and report on its impact.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed.
July 14, 2014
EMV Train is Gathering Steam: Procrastinators Take Warning
With each passing day it becomes more apparent that the United States’ EMV train—the one carrying the chip-embedded credit and debit cards—has left the station and is gaining steam for the ride towards the October 2015 POS liability shift timetable. In a June 12 press release, the EMV Migration Forum estimates that 100 million EMV cards (approximately 9 percent of the card base) will be issued by the end of 2014 plus an estimated 4.5 million chip-capable terminals (approximately 40 percent of terminals) will be installed by year’s end. Demonstrating different perspectives on the speed of the EMV train, two research groups, Aite Group and Javelin Strategy & Research, released their card conversion estimates:
Javelin also projects that 53 percent of POS terminals will be chip-enabled by the end of 2015.
The newly released PULSE 2014 Debit Issuer Study perhaps best captures EMV’s gathering speed. Of the issuers surveyed for this study, 86 percent plan to issue EMV cards in the next two years, compared to only 50 percent in the previous year’s study. However, the study reveals there is a bit of discrepancy between the EMV plans of large and small financial institutions. About 22 percent of community banks and 17 percent of credit unions have no EMV issuance plans compared to only 4 percent of large banks.
We know from experience that fraud generally migrates to the weakest link. So the EMV issuance findings are a bit troublesome, especially when we consider that the study found credit unions and community banks had already experienced significant increases to their signature debit fraud rates in 2013 from 2012 compared to large banks. Further, in 2013, credit unions and community banks had fraud rates approximately 25 percent and 15 percent, respectively, greater than that of large banks.
Despite the EMV naysayers, the U.S. payments industry is moving ahead with this initiative. For those smaller financial institutions waiting to see how EMV will unfold, the future has become clearer. By not acting, those financial institutions could become the "weakest link" and an easier target for the fraudsters compared to peers and competitors that do migrate. The train is rumbling down the EMV tracks, but there still is time to get an issuance plan in place.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 07, 2014
Fighting the High-Tech Criminals
The days of small gangs or the lone criminal committing "grab-and-go" robberies or counterfeiting checks and currency are certainly not over. However, crime stories involving millions of dollars and criminal networks that span the globe tend to grab the headlines these days. Just about everyone has heard about the recent data breaches at major retailers and ATM cash-outs that have netted criminals millions of dollars. A presentation at a recent payments security conference addressed the role of high-tech criminal groups in such crimes and the major threat they present to the security and reputation of our payment system. The speaker described how law enforcement agencies are working vigilantly to shut down these large global criminal enterprises and their cybercriminal activities.
The speaker detailed the composition of a criminal network, which closely resembles the organizational structure of a multinational corporation with numerous subsidiaries. This image shows the major components of the criminal enterprise.
- Executives—These people serve as the originating group and ultimate beneficiaries of the spoils of their successful attacks. They identify the types of criminal cyberactivity to pursue, including identifying the target companies or computer systems.
- Financiers—If the executives don't have the financial resources to carry out their scheme, they often link to a funding source. The financiers may receive a share of the executives' profits as compensation, or they may simply treat the transaction as a loan, charging interest until the loan proceeds are repaid.
- Exploiters—The hackers and software personnel identify vulnerabilities in software or systems and write malware code to compromise a target's account credentials. They normally receive compensation based on the type of attack and the level of sophistication.
- Botnet operators—A botnet is a network of compromised computers. The botnet operators, sometimes called "bot herders," control these systems. They run automated programs in the background, so they are often undetected by the legitimate computer owners, to send massive amounts of spam, conduct spear phishing attacks, or in some other way launch attacks against their targets. Botnet operators receive payment based on the number of compromised computers they use and the time required for the attack.
- Money mules—These players are in the most vulnerable group; they are the people on the street, retrieving the stolen funds and sending them, minus their cut, to the executives. Some law enforcement authorities have said that mules' share of the ill-gotten proceeds can be as high as 60 percent, depending on an operation's level of risk.
While these players are closely linked, they are generally separate criminal groups that have developed niche roles. The separation provides some safety to the executive group in that if members of one of the linked groups are arrested, executives can find another group to take their place so they can continue their illegal activities.
The major global criminal networks have proven to be formidable because of their resilience, but they are not invulnerable. Law enforcement agencies in the United States and other countries are working together to attack these networks through a variety of strategies. Unfortunately, in many cases, the core criminal leaders are physically located in safe havens, so called because local policies may prevent extradition or because governmental officials may be complicit or corrupt so they ignore the criminal activity as long as the targets of the crime are outside their borders.
Portals and Rails salutes the law enforcement personnel for their tireless efforts in this constant battle.