Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
January 28, 2013
Do GPR Prepaid Cards Pose Significant Money Laundering Threats?
When it comes to laundering proceeds from illicit activities, criminals have historically had a number of financial instruments and methodologies at their disposal. These choices have ranged from payment products tied to demand deposit accounts such as checks, wires, and debit/ATM card transactions to money transfers via money transmitters. The birth of general purpose reloadable (GPR) prepaid cards in the early 1990s created yet another payment instrument that could potentially be used to clean dirty money.
Although no payment instrument—GPR prepaid cards included—is completely immune to money laundering, the payments industry can adopt risk measures to mitigate the attractiveness of these cards to criminals. But what makes a payment choice attractive to money launderers? Criminals generally seek the fastest method to move their ill-gotten proceeds the furthest away from their illegal activities. Ultimately, they want to distance themselves and their financial gain from the crime in the quickest way possible. Anonymity, accessibility, immediate liquidity, and transportability of funds are all payment characteristics that a money launderer finds attractive.
The Retail Payments Risk Forum dove into the regulatory environment and risk management practice of the GPR prepaid card industry, and wrote up findings in a paper available on the Atlanta Fed's website. Among the paper's findings is that, as GPR prepaid cards have grown in popularity and come under increased scrutiny by regulators, significant regulatory measures and industry-wide adopted practices have greatly reduced, but not eliminated, their money laundering risks. And while U.S. regulators and the card industry have made great strides with anti-money laundering measures, GPR prepaid cards issued internationally do not necessarily face the same stringent risk environment, so they pose significant money laundering risks.
For more details on the money laundering risk environment for GPR prepaid cards, read the paper.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Do GPR Prepaid Cards Pose Significant Money Laundering Threats?:
January 22, 2013
Parallel Paths or Course to Collision? Technology's Effects in the Payments Industry
I don't believe anyone would challenge the statement that the pace of technological change is faster than ever and is likely to increase its velocity going forward. I remember a conversation with my grandfather in the mid-1970s about the biggest changes he'd experienced in his lifetime, which spanned the first two-thirds of the 20th century. Those changes centered on the automobile and airplane (his lifelong vocation was a railroad machinist/mechanic), electricity for the masses, medicine, and radio and television. Today, we can look back just 10 years and see the exponential level of changes in technology that have impacted our everyday lives in these same areas—transportation, energy, medical care, and communications.
Many of these technological changes have affected the banking world, sometimes in ways that create conflicts among various service channels. Recent changes in the way that U.S. banking customers deposit funds, for example, have the potential to create such conflict across channels.
The all-time teller gets a new face
Since the widespread introduction of the full-service ATM in the United States in the early 1970s, this automated delivery channel has seen little change in functionality. Sure, there have been major technology changes that have improved the channel but not fundamentally changed it. Such improvements include the migration from offline to online transaction authorizations, the ATM's ability to dispense multiple denominations of currency instead of a fixed amount, improved display graphics and component reliability, and the sharing of ATMs through the emergence of regional, national, and international interchange networks. Past efforts in the U.S. to add additional functions and migrate the ATM more to a self-service kiosk have not met with great success. There appears to be another attempt to introducing such functions as remittances, bill payment, money orders, postage stamps and ticketing as ATM volume stagnates.
Deposits made through ATMs seldom represent more than 10 percent of total banking transaction volume, and are more often in the 5–8 percent range. Research has consistently shown that consumers are apprehensive about placing checks and currency in ATMs since ATMs do not verify the deposit envelope contents, as tellers do. Truth be told, banks generally didn't actively promote deposits through ATMs for economic reasons. Because deposit envelopes can be deposited empty, most banks required them to be processed under dual control. As a result, until relatively recently, the cost of handling a single ATM deposit was about $1.50 to $2.
A big breakthrough in ATM deposits was seen in 2006–07, when several of the largest U.S. banks began testing ATMs that could accept envelope-free deposits of checks and currency. This method offered consumers images of their checks or detailed listings of the deposited currency before the transaction was final. Because consumers had this opportunity to verify their deposits, they had a much higher level of comfort. Additionally, consumers could now make their deposits much later in the day and still have them included in that day's processing. These banks soon began widespread implementation of such functionality in a vast majority of their locations, and other top-tier banks followed suit. The reassurance of the deposit verification and the increased convenience has led to a sharp increase in deposit transactions through the ATMs equipped with this feature. Furthermore, studies show that the cost of a deposit transaction dropped below 50 cents.
It appeared like a win-win-win outcome. ATM channel managers and manufacturers both were pleased with the new functionality. And bank customers were obviously pleased, as evidenced by the increased deposit transaction volume through the ATM.
Meanwhile, in a parallel universe...
At the same time that ATMs were getting new functionality, the remote deposit capture product was being developed. This product was first offered to commercial bank customers that received moderate volumes of checks. Company employees scanned the checks on dedicated equipment and then transmitted the captured images to the bank. This product was made possible under the provisions of Check 21. Then the banks expanded the service to include low-volume check businesses using generic scanners that the business likely already possessed. And most recently, a number of banks have begun offering remote deposit capture to both consumer and commercial customers as part of their mobile banking service with the camera feature on a smartphone.
In our ever-changing technology environment, the role of product and channel management has never been more difficult. Products that are technology-dependent can have an extremely short lifecycle and face competition from other sources. Will the proliferation of the remote deposit mobile application dampen the demand for envelope-free deposit accepting ATMs, especially at the smaller banks? Will these technologies collide, or will they continue to move down parallel paths? How will this technology and others come to impact the future of the ATM? We would like to hear your perspective.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Parallel Paths or Course to Collision? Technology's Effects in the Payments Industry:
January 14, 2013
Data Collection and Privacy: A Continuing Discussion
During my childhood, my parents would frequently challenge me with "if-then" decisions, often in an effort to direct my behavior. They'd say, for example, "If you finish your homework early, then you can go out and play." Consumers are constantly faced with similar if-then choices related to disclosing their personal information as they conduct their business, whether online or in physical locations. Many of us have been confronted with this type of choice: "If you want to receive coupons or other special offers, then sign up for our loyalty card program (where we may track all your purchases and may provide that information to others for marketing purposes)." Or: "If you want to access this website, then you must agree to the following terms and conditions." Of course, the consumer can always decline the offer. However, the business doesn't want that to happen, so it generally looks for the right balance that would allow the consumer to feel comfortable while it realizes its goals.
The data privacy issue comes to the forefront with every announcement that some database has been hacked and customer information, including account numbers, has been compromised. Most recently, the state of South Carolina acknowledged that hackers had gained access to information for more than three million bank accounts, almost two million Social Security numbers, and about five thousand credit card numbers. The overall cost of recovering from such a large-scale incident—not only in direct costs including possible fines but also in reputational costs and diminished consumer confidence—can be substantial. Businesses and governmental agencies must continually work to strengthen their data security systems.
The primary privacy issues appear to be focused on overall informational privacy concerns and the lack of consistent and comprehensive state and federal laws. In February 2012, the White House released a privacy bill of rights policy document titled Consumer Data Privacy in a Networked World. This document is intended to serve as a legal baseline for all companies as to how they should treat consumer data and manage customer interactions. Then in March 2012, the Federal Trade Commission (FTC) issued a similar report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. The White House and FTC reports offer similar recommendations, including:
- Congress should enact baseline privacy protection legislation, and the industry should increase its self-regulation efforts.
- Consumers should be clearly provided a "Do Not Track" option. This mechanism would allow them to choose whether they wanted to allow websites to collect information about their Internet activity and use it to deliver targeted marketing messages or other behavioral advertising.
- The company should obtain a positive consent from a user before its uses collected data for a purpose other than for what it was collected.
- The website should allow users to view the data that has been collected by data brokers for marketing purposes and provide a mechanism for updating incorrect information.
It will be interesting to watch these activities over the next year to see at what pace the various data collection and privacy constituencies will examine and address these issues. In a future blog, I will examine in more detail the legislative and regulatory efforts that are underway to address these recommendations. The issues of security and privacy will continue to evolve in the banking and business industries and will be frequent topics of discussion in future Portals and Rails posts. We encourage your comments as this discussion continues.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 14, 2013 | Permalink
TrackBack URL for this entry:
Listed below are links to blogs that reference Data Collection and Privacy: A Continuing Discussion:
January 07, 2013
Boston Fed on mobile phone technology: "Smarter than we thought"
When it comes to mobile payments security, will the most secure solution win out, or will convenience rule the day? Mobile payment services are coming to market, however slowly, and as they do, security in supporting technology platforms is a critical consideration for merchants and consumers. In fact, many consumer surveys, such as this one released by the Federal Reserve Board, have reported that U.S. consumers consider security to be an important factor when deciding if they will use a mobile device to access financial information or engage in a payment service. Because security is a major contributor to the success and ultimate broad adoption of mobile payments, Boston Fed researchers examined how the primary technologies supporting mobile payments at the merchant point-of-sale address payments security. These technologies include near-field communication (or NFC) and cloud solutions.
This post looks at some of the high points of a paper written by the Boston Fed researchers about their analysis. The paper, published November 2012 and titled "Mobile phone technology: 'Smarter than we thought,'" discusses the unique characteristics of each technology and why security practices will vary accordingly.
NFC mobile payment options vary in security and convenience
The three primary approaches to NFC mobile payments all involve storing payment credentials in an encrypted smart card chip within the mobile phone. This chip, also known as the "secure element," may reside in the subscriber identity module (SIM) card, it may reside in the micro secure digital (SD)—or memory—card, or it may be hardwired into the actual device. Each of these approaches has benefits and disadvantages with respect to convenience and security.
For example, the SIM card's storage capability provides an additional layer of security. The wireless carrier can manage the SIM card remotely to prevent unauthorized access if the phone is lost or stolen or if the SIM card is removed. In other words, the mobile network operator controls access to the SIM card, which, depending on your perspective, may also be a drawback.
The memory card is also portable and communicates with apps to enable mobile payments. This method can be speedy to deploy. As a result, several U.S. banks, card networks, and transit authorities have piloted solutions using memory cards. However, these cards typically support only a single application or payment account, so they may not be the best long-term solution. Furthermore, their portability presents security concerns because there is no lock or PIN to prevent removal of the card from the phone and then subsequent unauthorized access to the payment information stored within it.
The third approach has the chip soldered into the hardware, making it relatively tamper-proof. Although it is less costly than the other NFC options, it provides no portability feature. So despite the stronger security features, this lack of portability makes this approach inconvenient because consumers cannot easily transfer payment credentials and applications when they switch phones.
Mobile payments in the cloud: A new security paradigm
While industry stakeholders were discussing the security options of NFC technology deployments, new alternatives emerged that rely on cloud computing. In cloud-based payment business models, the consumer's payment credentials are stored remotely on a server—which a merchant or payment services provider manages—as opposed to on the phone's hardware. Cloud-based services are less costly to deploy than NFC-based services. In addition, because they are hardware-agnostic, they are essentially portable and convenient for the consumer. In some ways, cloud-based payments can be more secure than in-phone solutions, since the consumer's payment credentials are not stored in the mobile phone and are not potentially exposed during transactions. However, it is still necessary to take steps to secure the remote storage of payment credentials and other important data. And, as the paper notes:
There are still many unknowns to be addressed. Because payments data can be compromised in the cloud, it is essential that: 1) payments data is not transmitted via SMS [short message service, or instant messaging] or email because these platforms are not encrypted; and 2) payments to the cloud are transmitted between secure, encrypted endpoints handled either by mobile carrier data networks or merchant-provided secure Wi-Fi hotspots, and are not transmitted unencrypted over any network.
Data privacy remains a critical concern
Cloud providers have a responsibility to protect consumer data. They must comply with privacy laws and obtain explicit permission before sharing data or mining it for other monetization opportunities. Ultimately, cloud providers must make sure that the underlying payment services are secure and resilient.
When it comes to new mobile payment methods in the cloud, how will we make sure that cloud service providers are fulfilling these responsibilities? This new paradigm requires new processes for vendor management, especially for banks in mobile payments. Banks will need to be able to demonstrate to regulators that they have conducted a comprehensive risk assessment on service offerings and done third-party due diligence at the onset of an outsourced relationship. Regulators must provide ongoing oversight for financial stability and fulfillment of contractual responsibility.
Complex business models likely will use combinations of technology
As the paper notes, it is likely that we will see hybrid models that use both NFC and the cloud for managing different pieces of information associated with a payments transaction. As we noted in a previous post, there are benefits and challenges to both NFC and cloud technologies. Numerous complex variables are at play when it comes to their security environments. As these technologies are likely to coexist, it will be important to understand the underlying security features as new mobile payment solutions come to market in the future.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Boston Fed on mobile phone technology: "Smarter than we thought":
- A Presumption of Innocence
- The Hill Tackles Cybersecurity
- Keeping Up with the Criminals: Improving Customer Authentication
- Not Seeing a Tree for the Forest
- Fed Survey Shows Mobile Banking on Rise in Southeast
- Leaving a Cybersecurity Legacy
- What Can Parenting Teach Us about Data Security?
- Safely Motoring the Payments Highway
- Balancing Security and Friction
- Squeezing the Fraud Balloon
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud