Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

March 31, 2014

Ignore Millennials at Your Own Risk

At a recent conference primarily for credit unions and small banks, I participated in an interesting discussion about the future role of banks and legacy payments for person-to-person (P2P) payments. Few of the attendants offered a P2P solution as part of their online or mobile banking platform and those that did claimed the product was seldom used, if at all. There was consensus that a majority of their customers just aren't interested in this product.

I recently wrote on this topic, hailing the check as an efficient form of P2P payment thanks in large part to mobile remote deposit capture. But perhaps my experience of writing a check to a 20-something babysitter was more of an anomaly than the norm. A recent survey that GOBanking Rates conducted reveals that nearly 40 percent of consumer banking customers never write checks and 61 percent of banking customers between the ages of 18 and 24 claim to never write checks. Another survey of 10,000 millennials (those born from 1981 to 2000) reveals that the banking industry is at the highest risk of disruption. Seventy percent of the respondents believe that the way we pay for things in five years will be totally different. One in three of the respondents believe they will not need a bank.

So what can financial institutions take away from my experience and these surveys? Two things stand out to me. First, there are still banking customers (young ones included) that continue to write checks or prefer to receive checks over alternatives from banks and nonbanks. Though I fully expect check usage to continue to decline, the complete demise of the check is a fantasy. Second, and most important, financial institutions that choose not to evolve in the payments space risk disintermediation or even becoming irrelevant. While their customers today may not want specific products or payment capabilities, the reality is that the makeup of a majority of these customers today won't be the same as in the future. A generation of potentially new customers has a very different view on payments and banking. Ignoring these future customers will lead to harsh realities for financial institutions. What is your institution doing in terms of payments to attract and keep millennials and avoid becoming a dinosaur?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 31, 2014 in banks and banking, emerging payments, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a3fce35a78970b

Listed below are links to blogs that reference Ignore Millennials at Your Own Risk:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 09, 2013

Improving Customer Authentication

The Retail Payments Risk Forum recently hosted payment industry participants at the Improving Customer Authentication forum. On July 31, banks, nonbank payment service providers, industry associations, law enforcement officials, and regulators listened as keynote speakers and panelists explored methods and technologies for improving customer authentication so that financial institutions and other payments stakeholders can better mitigate payments fraud. Forum goals were to help participants understand the challenges of current methods of authentication and the legal implications, as well as to explore emerging solutions, along with pros and cons, that can improve authentication in both the face-to-face and remote channels.

Some of the key learnings from the forum include:

  • Customer authentication is critical to proving identity, authority, and consent throughout the entire payment process.
  • Customer authentication can be achieved by any combination of factors within three categories. For best practice, different categories should be used:
    • Something you know (user ID, password)
    • Something you have (card, phone)
    • Something you are (biometrics, activity pattern)
  • Currently, no single, simple, legally approved method for authorizing a payment or ensuring that a particular payment is authorized exists.
  • New payment types are stretching the boundaries of the current payments infrastructure and have created weak points that are being probed and exploited by cybercriminals.
  • While overall payment card fraud levels, as expressed as a percentage of sales, are at an all-time low, certain categories of card fraud such as card-not-present (CNP) are significantly increasing.
  • Financial institutions are encouraged to build relationships with local and federal law enforcement officials and to report fraud—it is possible that a crime at your institution is part of a larger network of criminal activity.

For a more complete summary of the forum and to see video interviews with two of the forum speakers, go to the conference website.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 9, 2013 in authentication, biometrics, emerging payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019aff4777b1970c

Listed below are links to blogs that reference Improving Customer Authentication:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 03, 2013

Do Digital Currencies Need Bank Secrecy Act Regulations?

Nearly two years ago, a Portals and Rails post looked at digital currencies and posed the question, "Will the use of alternative currencies gain popularity in the criminal world?" It appears that the answer to the question is "yes." According to the recent indictment of a digital currency provider, the currency under question "was designed to give criminals a way to move money earned from credit card fraud, online Ponzi schemes, child pornography and other crimes without being detected by law enforcement," ultimately building up a $6 billion money laundering operation.

At the heart of the issue with this particular digital currency is its anonymous nature. Payment instruments that provide anonymity do attract the criminal element. Anonymity is a major reason cash remains king when it comes to payments for illicit activities. The anonymity that prepaid cards provided in their earlier years attracted the criminal element, which ultimately resulted in regulators attaching Bank Secrecy Act/anti-money laundering (BSA/AML) regulations to these instruments.

There is no doubt that digital currency has benefits over paper and coins. The convenience of not having to lug around paper and coins is appealing to me, as is the fact that I wouldn't feel the need to scrub my hands after handling digital currency since it's no secret that paper money and coins are dirty. I am all for the success of digital currencies and can't wait for them to become more mainstream. But I believe that as long as any digital currency continues to support anonymity, it will be difficult for that to happen.

While regulation can stifle innovation, I believe that BSA/AML regulation of digital currencies could help increase the adoption of this type of payment instrument by the mainstream. One need look no further than the prepaid card industry to understand the potential impact. Many factors have played into that industry’s phenomenal growth rate, but the BSA/AML regulatory requirements also played a role by providing a credibility to prepaid cards that did not exist in their infancy.

What are your thoughts on the need for BSA/AML regulation of digital currencies?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 3, 2013 in cybercrime, emerging payments, money laundering, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01901cef3bcf970b

Listed below are links to blogs that reference Do Digital Currencies Need Bank Secrecy Act Regulations?:

Comments

Great Post.
In my opinion all e-currencies need to be regulated, specially the more popularly used ones. It will be sad to see another one going down like LR.

Posted by: Bhagesh Nair | June 04, 2013 at 04:48 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 22, 2013

Parallel Paths or Course to Collision? Technology's Effects in the Payments Industry

I don't believe anyone would challenge the statement that the pace of technological change is faster than ever and is likely to increase its velocity going forward. I remember a conversation with my grandfather in the mid-1970s about the biggest changes he'd experienced in his lifetime, which spanned the first two-thirds of the 20th century. Those changes centered on the automobile and airplane (his lifelong vocation was a railroad machinist/mechanic), electricity for the masses, medicine, and radio and television. Today, we can look back just 10 years and see the exponential level of changes in technology that have impacted our everyday lives in these same areas—transportation, energy, medical care, and communications.

Many of these technological changes have affected the banking world, sometimes in ways that create conflicts among various service channels. Recent changes in the way that U.S. banking customers deposit funds, for example, have the potential to create such conflict across channels.

The all-time teller gets a new face
Since the widespread introduction of the full-service ATM in the United States in the early 1970s, this automated delivery channel has seen little change in functionality. Sure, there have been major technology changes that have improved the channel but not fundamentally changed it. Such improvements include the migration from offline to online transaction authorizations, the ATM's ability to dispense multiple denominations of currency instead of a fixed amount, improved display graphics and component reliability, and the sharing of ATMs through the emergence of regional, national, and international interchange networks. Past efforts in the U.S. to add additional functions and migrate the ATM more to a self-service kiosk have not met with great success. There appears to be another attempt to introducing such functions as remittances, bill payment, money orders, postage stamps and ticketing as ATM volume stagnates.

Deposits made through ATMs seldom represent more than 10 percent of total banking transaction volume, and are more often in the 5–8 percent range. Research has consistently shown that consumers are apprehensive about placing checks and currency in ATMs since ATMs do not verify the deposit envelope contents, as tellers do. Truth be told, banks generally didn't actively promote deposits through ATMs for economic reasons. Because deposit envelopes can be deposited empty, most banks required them to be processed under dual control. As a result, until relatively recently, the cost of handling a single ATM deposit was about $1.50 to $2.

A big breakthrough in ATM deposits was seen in 2006–07, when several of the largest U.S. banks began testing ATMs that could accept envelope-free deposits of checks and currency. This method offered consumers images of their checks or detailed listings of the deposited currency before the transaction was final. Because consumers had this opportunity to verify their deposits, they had a much higher level of comfort. Additionally, consumers could now make their deposits much later in the day and still have them included in that day's processing. These banks soon began widespread implementation of such functionality in a vast majority of their locations, and other top-tier banks followed suit. The reassurance of the deposit verification and the increased convenience has led to a sharp increase in deposit transactions through the ATMs equipped with this feature. Furthermore, studies show that the cost of a deposit transaction dropped below 50 cents.

It appeared like a win-win-win outcome. ATM channel managers and manufacturers both were pleased with the new functionality. And bank customers were obviously pleased, as evidenced by the increased deposit transaction volume through the ATM.

Meanwhile, in a parallel universe...
At the same time that ATMs were getting new functionality, the remote deposit capture product was being developed. This product was first offered to commercial bank customers that received moderate volumes of checks. Company employees scanned the checks on dedicated equipment and then transmitted the captured images to the bank. This product was made possible under the provisions of Check 21. Then the banks expanded the service to include low-volume check businesses using generic scanners that the business likely already possessed. And most recently, a number of banks have begun offering remote deposit capture to both consumer and commercial customers as part of their mobile banking service with the camera feature on a smartphone.

In our ever-changing technology environment, the role of product and channel management has never been more difficult. Products that are technology-dependent can have an extremely short lifecycle and face competition from other sources. Will the proliferation of the remote deposit mobile application dampen the demand for envelope-free deposit accepting ATMs, especially at the smaller banks? Will these technologies collide, or will they continue to move down parallel paths? How will this technology and others come to impact the future of the ATM? We would like to hear your perspective.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 22, 2013 in emerging payments, innovation, mobile banking | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c36231934970b

Listed below are links to blogs that reference Parallel Paths or Course to Collision? Technology's Effects in the Payments Industry:

Comments

Banks and Financial institutions invest heavily in improving customer convenience and customer experience. Envelope free ATMs are one such facility that has gained significance off-late. In emerging markets like India, ATMs function well as a self-servicing kiosk. Many ATMs in India support P2P transfers and even opening of "fixed deposit" accounts. Pilots are underway to provide options to open Mutual Fund accounts. Obviously these services attract more customers to the ATM outlets.

On the other hand, remote deposit captures have gained significant acceptance in the market recently. With the smartphones volumes increasingly eating into the feature phone’s market share, “remote deposit capture” is set to gain more popularity, given its sheer convenience to the customer.

At the same time, one has to bear in mind the preferences of Gen Y. Today, customers want everything “on the move”. The advent of mobile technology only accelerates this process. With more innovations coming up in mobile based micro payments, the usage of cash will decrease gradually. It may even reach a negligible size down the years. Paper based checks are already on the decline and will meet its natural death soon – Regulatory bodies in some European countries had mandated the stoppage of check payments long back. With papers based payments going down, the demand for remote deposit capture will also decline.

So when we compare envelope free ATMs with remote deposit captures, my take is that both will meet their natural death soon – may be in a few years. However, in the current scenario, given the nature of Gen Y, remote deposit capture will stand to gain over envelope free ATMs.

Posted by: Pari | January 29, 2013 at 09:33 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 26, 2012

Highlights from a Conference on Technology and Payments

The retail payments landscape is rapidly evolving as technological advances promote new electronic payment methods. On October 15–16, the Risk Forum convened at the Atlanta Fed a diverse gathering of stakeholders in the payments industry. Industry representatives were from telecommunication firms, airlines, standards bodies, payments processors, and coffee house retailers, as well as the more traditional players.

Federal Reserve Bank of Atlanta President and CEO Dennis Lockhart kicked off the event. His opening remarks focused on the Federal Reserve System's role as a central bank in the country's retail payment system, both as a payments operator and as the country's guardian of financial stability. In the latter role, the Fed aims to preserve the integrity of both the retail and wholesale payments systems. Lockhart stressed that although this role has national strategy overtones, it is not intended to stifle innovation and competition but rather to support a market-oriented approach to payment developments. By noting the vulnerabilities that the fast pace of change and innovation in the industry create, Lockhart set the stage for the day's session, the highlights of which we are sharing here. You can find the complete presentation materials on the Atlanta Fed website.

Technology developments in card-based payments
Legacy plastic cards are likely to remain important for some time. Nevertheless, significant changes are under way. These technological changes were the focus of this panel. The U.S. payments industry is struggling to collectively shift from magnetic stripe-enabled card payments to a more secure and interoperable environment. Panelists discussed the challenges posed by the planned U.S. migration to chip-enabled cards and to the EMV standards already adopted in most of the globe's major developed countries. They discussed the potential shift in fraud to card-not-present payments in the shift from mag-stripe cards. Panelists said that fraud mitigation in the future U.S. EMV environment will require additional data analysis tools, including the use of better encryption methods and tokenization. They also touched on the benefits of PIN versus signature authentication.

The evolution of technology standards in retail payments
Technology standards provide the cohesion to ensure the critical mass needed for successful payment network adoption. At the same time, the myriad of new market solutions, patent issues, and even standards bodies themselves challenges industry cooperation and consensus building, slowing the standards development process. Panelists discussed the activities of various standards bodies that touch retail payments today. They also talked about how they are working to galvanize industry stakeholders to agree and employ standards that foster security and interoperability.

Mobile payment developments at the point of sale
This panel of experts reviewed technological developments in the mobile channel for payments at the merchant's point of sale (POS), including the rollout of several mobile wallet initiatives. Panelists discussed the challenges associated with the highly dynamic nature of the technologies. They noted that new complex business models are resulting in many different types of payment solutions, creating a confusing ecosystem for mobile proximity payments.

Panelists noted that the many new, thought-provoking products out in the market place today create many unknowns, not only with respect to security, but also future viability. They agreed that it is hard to predict which solutions have true scalability. An interesting discussion took place on the success of new payments such as Square, which changed the proverbial game by expanding the population of merchants that can accept card payments and by repurposing the mobile handset into a payment acceptance device. The panel also discussed how Starbucks unwittingly assumed the role of a payments pioneer when they moved to the mobile channel. Their original aim was not to adopt a new payments method but rather to increase customer loyalty and convenience.

The merits and challenges with the upcoming EMV migration were also top of mind for the panel.

Technology trends in mobile payment transfers
U.S. mobile payment developments have generally centered on payments at the POS. However, remote mobile payments, or person-to-person mobile transfers, are also taking form as a business model. Panelists discussed how nonbank players are entering the money transmission space hoping to leverage new mobile technologies. They explored the current environment for domestic and cross-border mobile transfer payment activity, analyzing the changing roles of payment service providers and the subsequent regulatory and policymaking considerations.

Panelists noted that we are seeing a huge paradigm shift in mobile money, with prepaid airtime credits looking more and more like currency in developing countries. Some countries permit payment service providers to provide airtime cash-out; Kenya's M Pesa is one of these providers. The lack of system interoperability across borders and liquidity management considerations are barriers to a global, scalable airtime transfer system. Panelists also noted, however, that airtime transfers are increasingly becoming a natural complement to traditional remittances.

In addition, traditional remittance providers are partnering with telecom firms to deliver services in emerging markets. These providers also work with banks in more developed countries, like the United States, to use the mobile channel in more efficient ways.

Technology threats and mitigants in electronic payment systems
Whether through scams such as “Obama Will Pay Your Bills” or corporate account takeovers, criminals are increasingly using electronic payments networks to perpetrate fraud. Panelists stressed that industry stakeholders must themselves become more sophisticated in order to develop solutions to better detect and mitigate these risks. Future fraud detection will require more sophisticated approaches to address growing vulnerabilities in web applications. Panelists also stressed that financial institutions must validate transactions to enforce rules and limits and to manage fraud.

Conclusion
The Risk Forum uses events such as this to encourage dialogue and share critical business intelligence among participants. We can then use information that comes out of such discussions to inform our work with the payments industry as we collectively work on better solutions to detect and mitigate risk. Expect to see more discussion in future posts. As always, we value your responses.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

November 26, 2012 in chip-and-pin, collaboration, cybercrime, emerging payments, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c33fde72b970b

Listed below are links to blogs that reference Highlights from a Conference on Technology and Payments:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 30, 2012

Even an Outsourced Cloud Can Have a Silver Lining: Shedding Light on Cloud Payments Risk Management

Outsourcing is not new in financial services. Banks continue to improve their operational efficiency—and even lower their risk exposures—by engaging third-party service providers to perform specific functions they used to manage internally. Now, technological advances are enabling financial institutions and other payment providers to shift certain data management functions to the cloud, an outsourcing practice we discussed in an earlier Portals and Rails post. Cloud outsourcing provides operational cost savings to the end user community, but these new services introduce new risks in payment systems.

On July 10, 2012, the Federal Financial Institutions Examination Council (FFIEC) published a statement on cloud computing to supplement its Outsourcing Technology Services booklet. The aim of the statement is to help financial institutions better understand the fundamental risks associated with these new services and the need for robust vendor management.

Cloud computing basics
The term "cloud computing" in its most basic sense describes a service that stores and processes data on a remote network. Cloud service providers are entrusted with ensuring the security of end user data within that remote network.

A notable feature of cloud computing is its deployment model. Risk profiles may differ, making some models more appropriate for some services than others. Some models may include private clouds operated for a single organization, community clouds that are shared by several organizations, or combinations of the two for hybrid business models.

According to a recent paper authored by Dan Schutzer, chief technology officer of BITS, small devices like mobile handsets have limited storage while communications networks are becoming faster and more efficient. These factors have led to more businesses offering services that allow data to reside in remote servers, or in "the cloud." He cites public cloud examples like Flikr, which allows consumers to store photos in the cloud, and Google Docs, which allows consumers to manage documents remotely.

Risk management in cloud computing
Arguably, the data in these examples may not be as sensitive as that managed by financial institutions and others involved in payment processing. The FFIEC statement notes that as financial institutions consider a cloud computing model in their outsourcing strategies, risk management and third-party oversight to protect sensitive personal consumer data become increasingly important.

The FFIEC statement maps the key elements of risk management articulated in the existing interagency guidance. It starts with due diligence, noting that financial institutions are responsible for ensuring that third-party activity is conducted according to applicable law and regulation, just as if they bank retained those functions in-house. It also discusses the key elements to consider in ongoing vendor management and business continuity planning.

The vendor management challenge
A major takeaway for financial institutions and other payment providers is in the part of the FFIEC statement that discusses "legal, regulatory, and reputational considerations":

The nature of cloud computing may increase the complexity of compliance with applicable laws and regulations because customer data may be stored or processed overseas. A financial institution’s ability to assess compliance may be more complex and difficult in an environment where the cloud computing service provider processes and stores data overseas or comingles the financial institution’s data with data from other customers that operate under diverse legal and regulatory jurisdictions.

While the risk management fundamentals for cloud computing remain the same, the increasing complexity of the operating environment will challenge the effectiveness of vendor management programs going forward. As outsourcing relationships expand geographically, the expertise required to oversee those activities will increase as well. Furthermore, third-party service providers may have outsourced relationships themselves, requiring inclusion of those downstream oversight processes in the financial institution’s vendor management program.

The FFIEC guidance provides a good description of these risks and challenges to consider in selecting and managing a cloud computing strategy, but also notes that "cloud computing may not be appropriate for all financial institutions."

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

July 30, 2012 in emerging payments, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017743c6d32b970d

Listed below are links to blogs that reference Even an Outsourced Cloud Can Have a Silver Lining: Shedding Light on Cloud Payments Risk Management:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 09, 2012

Can clouds and contactless chips coexist?

Mobile wallets have started to make their way into the market this year. Inevitably, industry stakeholders are joining opposing camps on the technology that these wallets use to keep payment information and other personal data safe and secure: contactless chips or cloud-based technology. The chips are embedded in a mobile handset that communicates with a terminal via near field communication (NFC), while the cloud-based technology involves an application downloaded to the mobile handset.

If the critical mass necessary for the successful adoption of a payment system relies on acceptance interoperability and technical standardization, can these two solutions coexist in a future mobile payments system? Or will technology debates threaten near-term interoperability and consumer adoption?

Coexistence
The first generation of mobile wallet trials such as Isis and Google are using contactless NFC technology. This is not surprising as early discussions found consensus on the need to move as an industry to NFC for mobile payments. In fact, as my coauthors and I noted in our 2011 paper, "Mobile Payments in the United States: Mapping out the Road Ahead," one of the key tenets agreed upon at the time by industry stakeholders for a safe and secure mobile payments system was the use of contactless NFC technology.

However, since that time, new mobile providers have been rolling out wallets that do not use NFC. Instead, they rely on store payment credentials in remotely based servers, more commonly referred to as the "cloud." The PayPal wallet, for example, leverages consumers' existing PayPal accounts where payment credentials are stored.

Benefits and challenges
Numerous complex variables are at play in the debate on NFC versus the cloud. A recently published TSYS whitepaper authored by Scot Yarbrough and Simon Taylor, "The Future of Payments: Is it in the Cloud or NFC?," provides a comprehensive explanation of the benefits and the challenges that opposing business models face.

The authors summarize the case for NFC by noting that it is backed by the major card networks and offers the capability to store and send information other than payment, such as contacts and videos. The case for payments in the cloud has a supply-side incentive in that the infrastructure costs are much lower for the merchants at the point of sale.

Both systems face challenges, of course, as evidenced by the current low adoption levels for any particular wallet. The TSYS authors note that cloud technology payments may offer so many different choices, "how many ways to pay will the consumer want to learn and adopt, especially when he or she can simply reach into their pocket, pull out their credit or debit card and pay?"

They also note that NFC is also not without flaws. Building consumer experience will require compelling value propositions to encourage new payment behaviors. Further, the complexity of the ecosystem to manage the payment credentials in the chip inside the mobile device among various players in the business model creates economic challenges as well.

Conclusion
In the near term, cloud-based solutions will likely disrupt the payments landscape as merchants look to manage their share of the infrastructure investment for new payments. As wallet providers identify efficiencies and optimal security propositions for data residence and transit, it is possible that hybrid business models will emerge. Finally, the TSYS authors aptly note that future game changers will likely alter the current argument completely. Will merchant investment costs matter in a future where the mobile handset is also the merchant's acceptance terminal?

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

July 9, 2012 in contactless, emerging payments, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0177432b8bd4970d

Listed below are links to blogs that reference Can clouds and contactless chips coexist?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 18, 2012

MintChip: Sounds like ice cream, but it's actually money

A common topic of conversation in payments for many years has been the notion of a cashless society. Although it is hard to imagine a truly cashless society, it is easy to envision what Ron Shevlin, an analyst with the Aite Group, recently referred to as a "less-cash society." Established alternatives to cash, such as credit, debit, and prepaid cards, have been steadily replacing cash payments for years. However, there still remain individuals who prefer cash to other payment means for a variety of reasons, including the anonymity cash provides.

As an alternative to cash payments, new digital currencies have been conceived. While these digital currencies allow for anonymity like cash, they have traditionally not been backed by an asset or a central back. At least up until now. In April, the Royal Canadian Mint (The Mint) announced the development of MintChip, a digital currency backed by the Canadian dollar. The Mint is currently accepting MintChip payment applications from software developers.

Prior to the MintChip announcement, The Mint made headlines as the Canadian government announced in March the elimination of the penny. The Mint produced its last penny on May 4 with the goal of removing the penny from circulation by the fall of this year. So within several months, the Canadian Mint quits producing the penny while developing a new digital currency.

I believe that The Mint is sensing a true opportunity with MintChip in light of a threat to its traditional business as the world moves to a less-cash society. Faced with the threat of a loss of production in coins, the Mint is attempting to capitalize on the demand for a digital currency to make micropayments for goods and services in both the online and physical world. And while MintChip might not provide as much anonymity as other digital currencies, such as BitCoin and Liberty Reserve (which we looked at in an October 2011 post), its backing by the Canadian dollar might make it a more viable alternative to cash and coins.

It will be interesting to watch the developments of MintChip over the next several months as The Mint will select the best applications submitted by outside developers. Should MintChip gain traction in Canada, it is feasible that The Mint will port this concept to other countries where it currently manages the production of coins. (Over time, Canada has made coins for almost two dozen countries, including the Bahamas, Bermuda, Cayman Islands, Iran, and Venezuela.)

The global opportunity in the digital currency space is enormous: there were six billion mobile subscriptions across the globe at the end of 2011, according to the International Telecommunication Union. If MintChip proves to be successful, would the United States Mint attempt to follow suit? And what, if any, would be the regulatory challenges and implications of a digital currency produced by the United States Mint and backed by the U.S. dollar?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 18, 2012 in emerging payments, payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016767a69aee970b

Listed below are links to blogs that reference MintChip: Sounds like ice cream, but it's actually money:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 21, 2012

Security in the mobile wallet: Is it good enough yet?

For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.

image of fat wallet

But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.

Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.

A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:

"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."

It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to rollout in 2012.

Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics's recent study found that financial services applications had the largest percentage of apps that passed their security tests.

table of Mobile Application Security by Type of Application

Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are fulfilling meeting the terms of third-party agreements with respect to application and device security.

Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016301c7d1b3970d

Listed below are links to blogs that reference Security in the mobile wallet: Is it good enough yet?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 18, 2011

Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference

On November 15–16, 2010, law enforcement, regulators, and other selected payments experts gathered once again to exchange ideas, research, and business expertise at the "Emerging Risks in Emerging Payments" conference at the Atlanta Fed. The conference provided a platform for sharing retail payments knowledge and insights among payment industry participants, regulators, and law enforcement. The conference also expanded networking opportunities for industry stakeholders essential to the payments industry, all of whom have a common interest in improving the detection and mitigation of emerging risks and fraud in emerging retail payments systems.

Opening remarks were made by Patrick Barron, first vice president of the Atlanta Fed. He was followed by Richard Oliver, executive vice president and director of the Retail Payments Risk Forum. Five expert panels with representatives from law enforcement, corporations, service providers, and other stakeholders discussed a range of themes related to emerging risks in emerging payments. Each panel provided a high-level overview of the state of the retail payments environment.

The following brief summary captures some of the key themes discussed during the event. Additional presentation materials are available on the Atlanta Fed's website.

Emerging trends in retail payments
Recent technological advances have changed the way retail payments are conducted. For instance, innovations in the card space are providing better ways to combat card fraud. Countries that have adopted Europay, MasterCard, and VISA (EMV) have seen a marked reduction in skimming fraud compared with countries that use magstripe cards, including card-not-present transactions over the Internet.

The mobile payments panelists predict that consumers will eventually migrate to mobile wallets—the speed and convenience of payment both for the merchant and consumer enhance this likelihood. However, the panelists agreed that some of the challenges to mobile payment adoption in the United States include lack of standardization, merchant investment hurdles, perceived security requirements, and lack of a clear value proposition for consumers.

Emerging risks in retail payments
Innovation introduces new risk factors. Several panelists highlighted the ongoing importance of protecting consumer information as the sophistication of financial crimes continues to increase. For instance, one panelist explained that in the card space, virtual prepaid cards can be funded by a transfer from another card or by phone or Internet, often times anonymously. In some cases, illicit funds can become instantly available from ATMs in more than 200 countries, without sharing confidential or bank information, which makes it very difficult for law enforcement to trace and monitor these funds.

Another panelist discussed the risk profiles of the different person-to-person (P2P) business models. For example, while the mobile channel is emerging as a viable method for P2P payments, telecom customer data—and, to a lesser extent, e-mail addresses—have become reliable ways to identify individuals to receive messages. However, they are not 100 percent reliable public directories. Some of the key risk distribution issues in a P2P environment include unauthorized transactions, intermediary error (such as misdirected payments), and fraud.

Additionally, panelists discussed the emergence of payments in the social network realm. One panelist discussed how fraudsters use social network sites and the data they gather from those sites to commit cybercrimes such as identity theft and "clickjacking scams," which trick users into clicking on ads and other sites that divert them from safe and reputable sites. Another panelist discussed the rapidly growing new segment of social network "businesses" that leverage the payments platform but turn out to be shell or fraudulent businesses.

How to address emerging risks in new retail payments?
Fraud and risk detection and mitigation must keep pace with emerging payments trends. Advances in payments technology enable new ways to conduct retail payments but can also create new channels for criminals to exploit and commit payments crimes.

The panelists highlighted these issues and more while proffering ways for regulators, law enforcement, and others to work together towards mitigating and deterring risks and fraud in the emerging payments environment. All in attendance recognized that the challenges ahead are common to all parties involved, and information sharing along with collaborative action is imperative for achieving the goal of ensuring a safe and efficient payments system.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 18, 2011 in emerging payments, mobile payments, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e1b52c4c970b

Listed below are links to blogs that reference Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in