Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 30, 2015
Safely Motoring the Payments Highway
I've ridden a motorcycle for 30-plus years and, except for a slight bump from behind by a car when I was stopped at a four-way stop sign, I have a perfect safety record. Some say I'm lucky. While there is probably some element of truth to that—I've made it through a number of dangerous situations over the years—I believe my good safety record is largely because early on in my riding days, I invested in proper safety clothing and took classes in motorcycle riding skills and safety. In addition, when I've been out on the road, risk management has played an integral role in my safety: I follow the Motorcycle Safety Foundation's recommended practice of S-I-P-D-E: scan, identify, predict, decide, and execute.
I recently took advantage of an early spring day and rode the North Georgia back roads. Later that evening, when I thought back over my day, I couldn't help but think of the parallel between motorcycling risk management and payments risk management. To maintain a good safety record in both, you should practice SIPDE. Here's how SIPDE can work with payments.
Scan: Constantly examine the environment you are in. Don't focus on a particular payment method or channel or you will get target fixation and be likely to miss threats to other payment types. How often have we heard that while resources were focused on responding to a distributed denial of service attack, the criminals took advantage of the distraction and executed some unauthorized transactions? When riding, I try to always be alert and I constantly move my sight lines to spot any dangers.
Identify: As you conduct your examination, identify all potential risks. Some may be immediately apparent, and some may be hidden. Some may be major threats, and others less serious. While most of the criminal threats will come from external elements, don't forget about insider fraud.
Predict: After you have identified the risks, run through scenarios as to potential outcomes given a variety of circumstances. I sometimes change my lane position to increase my visibility and always cover the brake lever to prepare for that emergency stop. You must certainly consider the worst-case scenario, but don't forget that an accumulation of less-severe situations may result in a loss that is just as big.
Decide: After weighing all the options and the likelihood of their panning out, determine your course of action so that you're ready if one of the scenarios becomes a reality. Reaction time is critical with motorcycle riding and dealing with criminal attacks.
Execute: Put into motion that course of action to deal with the risk. This is where your training, skills, and tools come into play, helping you to properly and completely execute your plan.
Just as the environmental factors and potential threats around me are constantly changing when I ride, so they are in our payments environment. We must constantly use our S-I-P-D-E skills to assess and react to the environment, whether that's the road you're riding on or the payments environment you're operating in.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 23, 2015
Balancing Security and Friction
Several weeks ago, my colleague, Dave Lott, wrote a post addressing the question "Does More Security Mean More Friction in Payments?" Having had several weeks to ponder this concept while attending multiple payments conferences and participating in similar discussions, I can say that I believe that securing payments does mean more friction. Friction may not be seen as good for commerce, but it can be good for security. An enormous challenge that those in the payments industry face is determining the right balance of friction and security. This challenge is heightened since consumers have a range of choices in payment types, yet do not often bear financial liability for fraudulent transactions.
It is absolutely critical to secure the enrollment or provisioning of the payment instrument on the front end. However, this introduces friction before a payment transaction is even attempted. And if consumers deem the process too onerous, they can reject that payment instrument or seek alternative providers. The recent media coverage of fraud occurring through Apple Pay highlights the challenge in the onboarding process. Consumers and pundits have raved about the ease of provisioning a card to their Apple Pay wallet through what they already have on file with iTunes. But fraudsters have taken advantage of this easy onboarding process. I should stress that this isn't just a mobile payments or Apple Pay problem—fraudsters are well-versed in opening bank accounts, credit cards, and other payment instruments using synthetic or stolen identities.
Let's assume that a person's payment credentials are in fact legitimate. Verifying that legitimacy introduces more friction into the payment process. A transaction that requires no verification obviously comes with the least friction, but it is the riskiest. Signatures and PINs bring a small amount of friction to the process, with very different results in terms of fraud losses. We don't know yet what kind of friction, if any, different biometric solutions create during both provisioning and the transaction. Issuers must enable the various forms of verification, and it is up to the merchants to implement solutions that use them. Yet consumers, who bear less of the risk of financial loss from fraudulent transactions than the merchants, can choose which payment method, and sometimes which verification method, to use—and they often do so according to the amount of friction involved, with little to no regard for the security.
Issuers and merchants will offer the right balance of friction and security based on the risks they are willing to take and the investments they make in security processes and solutions. But it is the consumer who will ultimately decide just by accepting or rejecting the options. With limited or no financial liability, consumers are often willing to trade off security in favor of less friction—and the financial institutions and merchants have to bear the losses. So I'll ask our Take On Payments readers, how do you balance friction and security in this environment?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 16, 2015
Squeezing the Fraud Balloon
A number of our posts over the last year have discussed the U.S. migration to EMV (chip) cards. As we've mentioned, one of the primary motivations for the migration has been the ease with which fraudsters in our magnetic-stripe environment can create counterfeit payment cards. Other posts have mentioned that ubiquitous tenant of the criminal world—the person always on the lookout for the weakest link or the easiest target. And that criminal does not close up shop and go away in the chip-card world. There is clear evidence from other countries that criminals, after an EMV migration, look for, and find, other targets of opportunity—just as when you squeeze a balloon, you're constricting the middle, but both ends simultaneously expand.
One major area that criminals target post-EMV is online commerce, where the resulting fraud is referred to as card-not-present (CNP) fraud. However, criminals also target two other areas, according to speakers at the recent 2015 BAI Payments Connect conference: checks and account applications. Well before the EMV card liability shift occurs in the United States (October 1, 2015), a number of financial institutions have reported a marked increase in counterfeit checks and duplicate-item fraud (the same check presented for deposit more than once), usually by way of the mobile deposit capture service. In many cases, the fraud takes place on accounts that have been open for more than six months, long enough to allow the criminal to have established an apparent pattern of "normalcy," although there are reports of newly opened accounts being used as well.
Canadian financial institutions report that fraudulent applications for credit and checking accounts have increased as much as 300 percent since that country's EMV liability shift. Criminals are opening checking accounts to perpetrate overall identity theft fraud as well as to create conduits for future counterfeit check or kiting fraud. And they're submitting fraudulent credit applications to purchase automobiles or other merchandise that they can then sell easily.
The time to examine and improve your fraud detection capabilities across all the channels customers use is now. Financial institutions should already be evaluating their check acceptance processes and account activity parameters to spot problem accounts early. Likewise, financial institutions should make sure their KYC, or know-your-customer, processes and tools are adequate to handle the additional threat that the credit and account application channel may experience. Be proactive to prevent the fraud in the first place while ensuring you have the proper detection capabilities to react quickly to potential fraudulent attempts. If we want to constrict the balloon of fraud, we're going to have to constrict the whole thing with consistent, equal pressure.
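As a concrete illustration of the cross-channel check review the paragraph above calls for, here is an added example (not from the post or the Atlanta Fed) of the simplest duplicate-item check: correlating every deposited check by its MICR line (routing number, account number, check number) across the mobile, branch and ATM channels, so that a check imaged through mobile deposit and later presented on paper is caught even when the second presentment goes to a different account. The deposit records, channel names and routing/account numbers are constructed for the example.

```python
"""Duplicate-item detection across deposit channels (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Deposit:
    deposit_id: str
    depositor_account: str   # account receiving the credit
    channel: str             # "mobile_rdc", "branch" or "atm" (assumed channel names)
    routing: str             # MICR routing number printed on the deposited check
    check_account: str       # MICR account number printed on the deposited check
    check_number: str        # MICR serial (check) number
    amount_cents: int        # amount keyed or recognised at deposit, in cents
    presented_at: datetime


def item_key(d: Deposit) -> tuple:
    """A check is identified by its MICR line, not by who deposits it or where."""
    return (d.routing, d.check_account, d.check_number)


def find_duplicate_items(deposits):
    """Return one alert per later presentment of an item already presented.

    The earliest presentment (by time) is treated as the original; every later
    presentment of the same MICR identity is flagged, regardless of channel and
    regardless of whether the same depositor account is involved. Each alert
    records whether the depositor and the amount changed, the two facts an
    analyst wants first.
    """
    by_item = defaultdict(list)
    for d in deposits:
        by_item[item_key(d)].append(d)

    alerts = []
    for key, group in by_item.items():
        if len(group) < 2:
            continue
        group.sort(key=lambda d: d.presented_at)
        first = group[0]
        for later in group[1:]:
            alerts.append({
                "deposit_id": later.deposit_id,
                "item": key,
                "first_presented": first.deposit_id,
                "first_channel": first.channel,
                "channel": later.channel,
                "same_depositor": later.depositor_account == first.depositor_account,
                "amount_changed": later.amount_cents != first.amount_cents,
                "days_apart": (later.presented_at - first.presented_at).days,
            })
    return alerts


def alerts_by_deposit(deposits):
    """Index alerts by the flagged deposit id, for lookup by an operator or a test."""
    return {a["deposit_id"]: a for a in find_duplicate_items(deposits)}


# Constructed sample deposits. Routing and account numbers are fictitious.
# D1/D2: same check imaged via mobile, then presented on paper at a branch by the same account.
# D4/D5: same check imaged via mobile into one account, then presented at an ATM for another.
SAMPLE_DEPOSITS = [
    Deposit("D1", "ACC-1001", "mobile_rdc", "111000000", "55500123", "1042", 85000, datetime(2015, 3, 2, 9, 12)),
    Deposit("D2", "ACC-1001", "branch",     "111000000", "55500123", "1042", 85000, datetime(2015, 3, 5, 14, 30)),
    Deposit("D3", "ACC-2002", "mobile_rdc", "111000000", "55500123", "1043", 12000, datetime(2015, 3, 6, 11, 0)),
    Deposit("D4", "ACC-3003", "atm",        "222000000", "77700456", "0501", 240000, datetime(2015, 3, 10, 17, 45)),
    Deposit("D5", "ACC-4004", "mobile_rdc", "222000000", "77700456", "0501", 240000, datetime(2015, 3, 9, 8, 5)),
]


if __name__ == "__main__":
    for alert in find_duplicate_items(SAMPLE_DEPOSITS):
        print(alert)
```

Running the MICR correlation only within a single channel is exactly the gap duplicate-item fraud exploits, so the index has to be fed by every channel's items; the operational counterpart is holding the paper presentment until the imaged item has cleared or been returned. A duplicate presented into a different account is a stronger indicator than a same-account repeat, which is frequently an honest double deposit, which is why the alert carries both the depositor comparison and the elapsed days.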
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 09, 2015
Who's to Stand in for Mom?
You have likely heard about the fraud that's clouding one of the newest mobile payment solutions. Credit where it is due, the security underpinning the mobile payments themselves represents an amalgamation of strong advances including such things as tokenization, biometric authentication (at the time of the transaction), encryption, and on-device secure storage. The problem that's generating the latest buzz pivots around a gap in authentication—specifically, verification of the legitimacy of those registering the cards that will be used to effect subsequent transactions. Truth is, this isn't a misstep by a singular entity. We've seen this trouble pop up in any number of payment channels.
Some institutions have put a lot of thought into enrollment authentication while others may have felt a need to rush to market at the expense of developing a fully effective authentication process. In November 2014, First Annapolis Consulting/M & A Advisory Services documented various approaches in use by issuers and followed up this past February with emerging best practices and recommendations.
To tack in the way I want for this topic, I will quote a thought provided in one of our recent forums that was given by Peter Tapling, president and CEO of Authentify Inc.: authentication is proving "you are who your mother says you are." This could be key to the best practice of all. But if moms everywhere prove disinclined to authenticate all of us rascals at the provisioning stage (and let's be frank, they're a little busy) can another stand for Mom in this place?
Since we're talking about payments, banks seem a logical option. Consider these highlights of their responsibilities related to "customer due diligence" (CDD) as detailed by the Federal Financial Institutions Examination Council:
- The concept of CDD begins with verifying the customer's identity….
- The cornerstone of a strong… compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all (emphasis added) customers…
- CDD policies, procedures, and processes are critical to the bank because they can aid in:
  - Avoiding criminal exposure from persons who use or attempt to use the bank's products and services for illicit purposes.
  - Adher(ing) to safe and sound banking practices….
  - Provid(ing) guidance for resolving issues when insufficient or inaccurate information is obtained.
The context of the excerpt above is BSA/AML—or Bank Secrecy Act/anti-money laundering—compliance and is generally applied to customers in the business space. However, it seems reasonable to think the skill set might be brought to bear wherever there is need. Banks are clearly best positioned to determine who is setting up a payment and whether or not that person should be. Yet the responsibility is a broad one. Those party to any payment solution, including innovators, provisioning banks, and consumers, should demand that new and extant solutions include enrollment authentication that is well considered and properly coordinated using the best techniques for thwarting fraud. To get the best authentication, it's about who you know—and also, who knows you, besides your mother.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed