Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
March 25, 2013
What's Next in Mobile Payments?
I recently participated in two banking conferences that displayed the full spectrum of strategic options and plans of banks regarding mobile payments. The first event was the annual operations/technology conference of a statewide bankers' association with all the attendees being small- to mid-sized community banks. All these banks currently offer an online banking application to their customers; about half of these have customized their online banking application for mobile device usage. Only one bank indicated they had a mobile payments application currently in operation. I was surprised to find that only a couple other banks planned to offer a mobile payments application within the next 12–18 months.
Later in the day, a panel of four MBA graduate students from a prestigious business school of a private southeastern university gave their views on mobile payments. The objective of this panel was to help the bankers understand the key drivers of this demographic's banking relationships and needs. All four panel members indicated they frequently accessed their banks' online banking services with their mobile devices as well as their laptops and tablets. They also unanimously stated they would switch financial institutions if the banks didn't offer the service or if they began charging a fee for the service. Interestingly, only one panelist used the mobile payments application from his bank, and his usage was infrequent. The reasons the panel members gave for their disinterest in mobile payments included difficulty of use of a mobile phone versus a laptop or tablet for bill payment or little need for the service because they found their existing payment methods to be as or more convenient.
At the Bank Administration Institute's (BAI) Payments Connect 2013 conference the following week, a featured track of the two-and-a-half-day event was the wide range of marketing, operational, risk, and technology issues related to mobile banking and payments. The prognosis for mobile payments couldn't have been more optimistic, with a number of panelists declaring that the tipping point for mobile payments had been realized earlier in the year. They credited the adoption rate for smartphones and other indicators they believed to be key drivers. Of course, we have to realize that many expressing such optimism worked for a company that has a vested interest in the success of mobile payments. However, that optimism was supported by a number of research studies delivered during the conference that concluded that the rate of smartphone penetration, the growing volume of mobile payment transactions, and overall consumer attitudes would translate to successful mobile payments programs.
One of the questions bankers frequently asked during the BAI conference was what a panelist would recommend the bank do regarding their mobile payments strategy. While there were some slight variations, panelists consistently responded that banks should get involved now and try a number of different, small-scale strategies. Several panelists used the gambling analogy of placing a distributed number of bets of small amounts rather than going "all in" with one particular mobile payments scheme. They acknowledged that the technology winner(s) of mobile payments was far from certain at this point, with near field communication, QR codes, and cloud options all in different states of adoption and each with their individual advantages and disadvantages.
The practice of "spreading your bets" is certainly a valid risk management strategy, but how practical is such a strategy for small financial institutions? The large banks have their research-and-development budgets, IT development staff, and other resources that allow them to participate in multiple pilot programs, but smaller institutions do not have such resources. Most would be able to offer only a mobile payments program supported by their core application processing provider.
As with many new payment products in the past, larger banks have led the initial efforts, and the smaller banks followed suit after customer demand for the service became more certain and with the realization that not offer the service would put them at a competitive disadvantage. Could this be the reason many banks, especially the smaller ones, have been sitting on the sidelines for now until the mobile payments picture becomes a bit clearer? Let us know what you think.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference What's Next in Mobile Payments?:
March 18, 2013
March Madness on the Hardwoods, Mobile Madness in the Payments Arena
As an avid sports fan, I am eagerly anticipating college basketball's annual rite of spring commonly known as "March Madness." This nickname for the NCAA's Men's Division I basketball tournament is derived from the amazing finishes and upsets that regularly occur during the tournament each year. A big part of the intrigue around this tournament involves millions of people that will "fill out a bracket," meaning they prognosticate the winner of every game, ultimately choosing the winner of the tournament.
As I was thinking about the upcoming tournament, I realized a similar situation is developing with mobile payments at the point of sale (POS). It seems that every day, I read an article or blog with differing viewpoints on what company, wallet, or solution will come out as the "winner" for mobile payments at the POS. This got me thinking how a "bracket" would look for the mobile payments ecosystem. Interestingly, many of the attributes usually found with the successful basketball teams in March are similar to those attributes I believe are necessary for successfully competing in the mobile payments arena.
Fundamentals are extremely important
Teams that are fundamentally sound tend to perform well in the tournament. Fundamentally sound teams run an efficient offense with a high point per possession percentage and low turnover margin, rebound well, and make a high percentage of their free throw shots.
Likewise, in the mobile proximity payments arena, I expect the winner(s) will nail down the fundamentals of the transaction that consumers and merchants alike expect: ease and quickness. Just as basketball teams can employ innovative styles or plans, mobile payment providers are also developing the latest and greatest add-on to the payments experience. However, if both fail to deliver on basic fundamentals, success can be elusive.
Track record of successful risk taking
Besides excelling at the basic fundamentals, teams that make a high percentage of their three-point shots usually do well during March Madness. The three-point shot is the riskiest shot in the game, yet carries the highest reward. Teams who capitalize this risk with a high success rate are difficult to beat.
Besides the fundamentals of a payment transaction, it is no secret that consumers and merchants want more for paying with their mobile phone at the POS. Discounts, couponing, and instant offers through past purchase behavior and geolocation seem to be a major opportunity of differentiation with mobile payments. But I am not convinced these carrots are enough for any particular player to obtain widespread or mass mobile payment adoption. The player that is able to completely transform a consumer's shopping experience with the mobile phone will likely come out ahead. I believe this will require some risk taking by doing something different from the rest of the field beyond coupons, offers, and discounts. Perhaps this might be a mobile solution that allows a consumer to make a purchase and completely bypass the checkout line and POS while also updating the merchant's inventory level in real time. Established companies, as well as young companies led by teams or individuals, with a successful track record of risk taking should be considered closely.
A common phrase heard in many sports, basketball included, is "defense wins championships." Basketball teams that hold their opponents to a low field goal percentage and generate a high number of turnovers have proven to be extremely difficult to beat in the tournament.
In the world of payments, defense is all about mitigating fraud. For a mobile payments solution to be successful, it must be as secure. And I could even argue that it must be more secure than current payment methods. Research has consistently shown that consumers must perceive these payments to be secure if they are going to adopt them. Secure solutions developed by companies that are trusted by consumers stand to have a solid chance to move ahead in a "mobile payment POS bracket."
The winning team
Using the same attributes of successful tournament teams and applying them to the mobile payments POS space, I think the ultimate winner of a "mobile payment POS bracket" must offer at least the following three attributes in a cost-effective manner:
- Enable a quick and simple transaction.
- Greatly transform the shopping experience by being unique and different.
- Offer a secure solution that consumers will understand and trust.
More often than not, the traditional and established basketball powers come out on top of the tournament, but it's those unexpected upsets by upstarts and underdogs that put the "madness" in the NCAA Tournament. How will the situation for using mobile phones at the POS play out? Will an established payment provider come out on top of the "mobile payment POS bracket" or will an upstart be that "bracket buster"?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference March Madness on the Hardwoods, Mobile Madness in the Payments Arena:
March 11, 2013
The ATM: Disappearing Soon from a Location near You?
The ATM industry in the United States is facing a set of regulatory and operating rule deadlines that might impact the industry as much as similar deadlines did during 2005–08. Back then, ATM owners were required to upgrade their terminals to support the more secure Triple Data Encryption Standard (3DES) to safeguard ATM transaction messages during transmission. To comply, ATM owners faced the expense of hardware and software upgrades. Because a number of ATM independent sales organizations (ISOs) were operating older machines that required replacement rather than upgrades, they sold off their businesses claiming they could not support these additional expenses. Although the total number of ATMs is difficult to determine, most people in the industry agree that the 3DES requirement resulted in fewer of them.
Now it's "déjà vu all over again" for many ATM owners. Two recent changes to regulatory and operating rules require additional investment in their ATM fleets. The first of these is the accessibility provisions of the 2010 American with Disabilities Act (ADA) that include, but are not limited to, a voice guidance requirement, Braille signage, and input controls for visually-impaired individuals. These provisions were published in September 2010. ATM owners had a compliance date of March 2011 and an enforcement date of March 2012. An online Wall Street Journal article written near the 2012 deadline estimated that half of the ATMs in the United States did not fully comply with the new requirements. Because many ATM owners were in near compliance at the time of the deadline, the current level of incomplete compliance is not known. I understand, however, that several ATM owners, particularly ISOs with low-volume cash dispensers, have still not upgraded their ATMs. Despite a number of lawsuits filed by visually-impaired individuals against noncompliant ATM owners, many appear to be continuing to operate while hoping to go undetected. The act allows an exemption to an ATM owner if the upgrade would be an "undue burden," but the burden is on the owner to seek the exemption and prove the burden.
The second change comes from the recently announced liability-shift roadmaps for EMV chip implementation by Visa and MasterCard. MasterCard set a deadline of October 2016; Visa, a year later. Currently, the card issuer bears losses from fraudulent card transactions at the ATM. After those dates, if a counterfeit card is used at an ATM that has not been upgraded to handle EMV cards—in which case the ATM has to read the card's magnetic stripe back-up—the ATM owner will bear the loss resulting from that fraudulent transaction.
Even more pressing is MasterCard's liability shift for non-U.S.-issued Maestro card transactions at U.S. ATMs, scheduled for April 19, 2013. The National ATM Council, an industry group for ATM ISOs, has formally requested MasterCard to both delay this shift and push back the overall liability shift deadline to synchronize with Visa's 2017 date. Already struggling with the increased costs resulting from the upgrade decision, ISO ATM owners fear that absorbing counterfeit card losses would devastate their financial condition. I suspect that as many of them have done with the ADA requirements, many may continue to postpone upgrade expenses and just hope that their machines are not targeted. However, as I noted in a recent post, criminals tend to attack the weakest elements of their target.
ATM usage continues to face competition from debit POS (purchases and cash-back) as well as the expanding mobile payments channel. With ATMs being such a high fixed-cost operation, the impact of additional upgrade expense at a time when usage is decreasing is likely to take a toll on the number of operating ATMs. What do you think?
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The ATM: Disappearing Soon from a Location near You?:
March 04, 2013
Who Am I? Authentication Challenges
It's tax time again. I dread this time of year. It's not just because I don't like paying taxes—who does? It's because I am always a little nervous as a result of an experience my husband once had. Some years ago, my husband was the victim of identity theft and, every so often, we are forced to confront another attempted assault on our finances. We became aware of another assault two years ago when we attempted to file our federal tax return electronically and it was rejected. The IRS already had a record of a processed return under my husband's Social Security number (SSN). For now, we file our returns the old-fashioned way, printing and mailing them.
Juxtapose that low-tech solution against the high-tech approach that fraudsters use. Using ill-gotten SSNs, names, and birth dates, these identity thieves electronically file fraudulent returns as early as possible. They then nab the refunds quickly, either through receipt of a prepaid debit card from the IRS or through direct deposit into a bank account specifically used for obtaining the fraudulent refund, which they immediately cash out.
Filing of fraudulent tax returns has reached epidemic proportions. In 2012, a Treasury Inspector General for tax administration testified before Congress that the IRS detected and stopped almost one million fake returns for 2010, totaling $6.5 billion.
In recent years, the government, through legislation, has encouraged use of other identification methods and greater care in the storing and sharing of SSNs and other personally identifiable information. However, the SSN remains the preferred identification method. Knowing that criminals and taxes will never disappear, the issue then is with the authentication—that is, checking identity at the door.
The IRS is being proactive by requiring taxpayers to supply additional information. Perhaps the agency could use the same technology to combat the criminals that the criminals are using to initiate the crime. A recent Portals and Rails post looked at "Big Data" and discussed how financial institutions can profile consumer behavior to detect fraud. Could the IRS use Big Data techniques to help detect tax returns that seemingly have fraudulent characteristics? For example, the IRS could flag early filings, understanding that historically a particular filer's W-2 information is not available until as late as the end of March. However, the post also discussed the question of when data collection and behavior profiling crosses the line from marketing opportunities to privacy invasion, an issue the IRS would have to consider.
The integrity of mobile payments, online banking, card payments, and any other form of electronic payment rely on the authentication of the payer. Many authentication methods in the payments world are by necessity pretty sophisticated. But criminals are finding ways to compromise these methods, too. As we move headlong into the world of digital payments, proving genuine identity, or authentication, is vital.
By Mary Kepler, vice president and director of the Retail Payments Risk Form at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Who Am I? Authentication Challenges:
- The More Things Change, the More They Stay the Same
- The Current Tokenization Landscape in the United States
- “Customer, You Have the Conn”
- Is the Conventional Wisdom about EMV Migration Right?
- Follow the Money
- A Presumption of Innocence
- The Hill Tackles Cybersecurity
- Keeping Up with the Criminals: Improving Customer Authentication
- Not Seeing a Tree for the Forest
- Fed Survey Shows Mobile Banking on Rise in Southeast
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud