Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
April 20, 2015
Fed Survey Shows Mobile Banking on Rise in Southeast
In August 2014, the Retail Payments Risk Forum conducted a mobile banking and payments survey of financial institutions in the Sixth Federal Reserve District. (The Sixth District comprises Alabama, Florida, Georgia, and portions of Louisiana, Mississippi, and Tennessee.) The Federal Reserve's Board of Governors has conducted an annual national survey of mobile financial services from the consumer perspective for the last four years. We conducted this inaugural survey to determine the level and type of mobile financial services offered by financial institutions (FIs) in our region. At the same time, the Federal Reserve Banks of Boston, Dallas, and Richmond conducted an identical survey of the financial institutions in their districts; so far, only the results of the Dallas District's survey are available.
Of the 189 validated responses, 75 percent were from banks and 25 percent from credit unions (CUs). Six of the respondents (five banks and one CU) indicated that they did not currently offer mobile banking services and had no plans to do so. The two most important reasons these FIs gave for not offering the service were security and regulatory concerns.
The full survey report is available on the Retail Payments Risk Forum website; some of the key findings include:
- While mobile banking was first launched in the United States in 2007, it is a relatively new service for many FIs in the Sixth District: almost 23 percent launched it within the last year, and an additional 15 percent plan to offer it within the next two years.
- The primary reason FIs selected for offering mobile banking was to retain customers. Some saw it as an opportunity to gain new customers.
- There is very little difference in the basic mobile banking functions that banks and credit unions offer.
- Sixth District FIs use more than 30 mobile banking application vendors, although there is a large concentration with three of these providers.
- Despite the current headlines, the respondents expressed little to no interest in using biometrics or tokenization. (Note that the survey was conducted before Apple Pay rolled out.)
- Identity theft, data breaches, malware, and poor customer security practices remain the FIs' primary security concerns.
- With the possible exception of the remote deposit capability, FIs do not expect to charge customers for mobile banking or payment services.
- The mobile payments environment is nascent and highly fragmented, both in the number of vendors and in the wide range of technologies. This fragmentation has created some inertia, as FIs wait for the environment to sort itself out.
The Retail Payments Risk Forum plans to conduct this survey every two years to measure changing penetration and attitudes. If you have any questions concerning the survey results, please contact me via e-mail.
April 13, 2015
Leaving a Cybersecurity Legacy
On April 1, the current administration's fourth executive order related to cybersecurity was signed. This executive order shows an ongoing commitment to securing cyberspace. In 2009, the executive office released its Cyberspace Policy Review, which triggered a flurry of cybersecurity policy. (Relatedly, the government's "Buy Secure" initiative to increase payment security mandated the issuance of chip-and-PIN cards for all federal employees and benefits programs beginning in January 2015.) This week, Take On Payments summarizes the three cybersecurity-related executive orders that have been signed over the last six months and what these orders could mean for the banking and payments industries.
Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (4/1/15)
Authorizes swift and severe sanctions by the Treasury Department against those engaged in malicious cyber activities that pose a significant threat to the national security, foreign policy, economic health, or financial stability of the United States. The sanctions apply regardless of where the offenders are domiciled and can include freezing assets and denying entry into the United States for individuals and entities. The malicious activities covered include, but are not limited to, distributed denial-of-service (DDoS) attacks and the misappropriation of financial information for financial gain. According to an insider, attacks on banks and the financial sector, including unauthorized access to payment credentials, would likely be significant enough to warrant these new sanctions. While critics debate the enforceability of these sanctions, the banking and payments industry should find this development promising, since law enforcement has often struggled to bring these individuals to swift justice.
Promoting Private Sector Cybersecurity Information Sharing (2/13/15)
Encourages the Secretary of Homeland Security to establish information sharing and analysis organizations (ISAOs), along with standards and guidelines, to build a robust information-sharing network for cybersecurity incidents and risks. ISAOs can be organized around multiple attributes, including industry sector or region, and information would be shared both within and across ISAOs. Although the financial services industry has had some success sharing information within its sector through organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), the private sector generally still struggles to share information across sectors. We hope this order leads to standards and better coordination that allow cybersecurity incidents and risks to be shared between the financial services sector and other industries.
Improving the Security of Consumer Financial Transactions (10/17/14)
Although cybersecurity wasn't the main focus of this executive order, it includes two cybersecurity components. The first relates to the remediation of identity theft: the Attorney General will issue guidance to promote regular submissions by federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance (NCFTA) Internet Fraud Alert System. The second requires that all federal agencies that make personal data accessible develop a plan to implement multifactor authentication. While directed at federal agencies, the order may well pressure financial institutions and other private-sector entities in the payments industry to adopt similar compromised-credential submission and multifactor authentication practices, if they have not already.
Current cybersecurity activity isn't limited to executive orders. Several cyber-related bills have circulated in Congress over the past several years. A future Take On Payments post will highlight several bills introduced in 2015 on Capitol Hill and what they could mean for banking and payments.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 06, 2015
What Can Parenting Teach Us about Data Security?
My older child often asks if he can play at his friend Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request, as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house, so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of whose supervision he falls under, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.
As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. Financial institutions (FIs) are highly likely to be intimately familiar with their core banking service providers, and the same can probably be said of merchants and their merchant acquiring relationships.
However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with their direct vendors' policies, procedures, and due diligence processes for managing their own vendors.
In today's ever-connected world, with literally thousands of third-party solution providers, FIs and merchants need to know who has access to their customers' data and where that data resides. With that information in hand, they must then assess whether they are comfortable with each entity they are entrusting with their customers' data. Just as I am responsible for ensuring my children's safety no matter where they are or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the fraud losses associated with stolen or lost data, businesses may also face compliance-related fines, and a hit to your reputation is highly likely. What are you doing to ensure that third parties are protecting your sensitive data?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 30, 2015
Safely Motoring the Payments Highway
I've ridden a motorcycle for 30-plus years and, except for a slight bump from behind by a car when I was stopped at a four-way stop sign, I have a perfect safety record. Some say I'm lucky. While there is probably some element of truth to that—I've made it through a number of dangerous situations over the years—I believe my good safety record is largely because early on in my riding days, I invested in proper safety clothing and took classes in motorcycle riding skills and safety. In addition, when I've been out on the road, risk management has played an integral role in my safety: I follow the Motorcycle Safety Foundation's recommended practice of S-I-P-D-E: scan, identify, predict, decide, and execute.
I recently took advantage of an early spring day and rode the North Georgia back roads. Later that evening, when I thought back over my day, I couldn't help but think of the parallel between motorcycling risk management and payments risk management. To maintain a good safety record in both, you should practice SIPDE. Here's how SIPDE can work with payments.
Scan: Constantly examine the environment you are in. Don't focus on a particular payment method or channel, or you will get target fixation and likely miss threats to other payment types. How often have we heard that while resources were focused on responding to a distributed denial-of-service (DDoS) attack, the criminals took advantage of the distraction and executed unauthorized transactions? When riding, I try to stay alert and constantly move my sight lines to spot any dangers.
Identify: As you conduct your examination, identify all potential risks. Some may be immediately apparent, and some may be hidden. Some may be major threats, and others less serious. While most criminal threats will come from external actors, don't forget about insider fraud.
Predict: Once you have identified the risks, run through scenarios of potential outcomes under a variety of circumstances. On the bike, I sometimes change my lane position to increase my visibility and always cover the brake lever to prepare for an emergency stop. You must certainly consider the worst-case scenario, but don't forget that an accumulation of less severe events can produce a loss that is just as large.
Decide: After weighing all the options and the likelihood of each scenario playing out, determine your course of action so that you're ready if one of them becomes reality. Reaction time is critical, both in motorcycle riding and in dealing with criminal attacks.
Execute: Put into motion that course of action to deal with the risk. This is where your training, skills, and tools come into play, helping you to properly and completely execute your plan.
Just as the environmental factors and potential threats around me are constantly changing when I ride, so is our payments environment. We must constantly use our SIPDE skills to assess and react to the environment, whether that's the road you're riding on or the payments environment you're operating in.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed