Retail Payments Risk Forum

Portals and Rails

June 09, 2014

Magic 8 Ball, Will We Ever Be Cashless?

Predictions of a cashless society have been broadcast sporadically throughout the decades. It became a popular concept in the United States in 1965 when Thomas J. Watson Jr., CEO of IBM, said, "In our lifetime, we may see electronic transactions virtually eliminate the need for cash." Watson believed, or hoped, that the newly released IBM mainframe computers would revolutionize financial transaction processing and make carrying cash unnecessary. Later that decade, the concept was expanded to a checkless/cashless society, with some predicting that both payment forms would be extinct by the 1980s.

Despite consumers' growing use of cards and the emergence of the ACH system, the cashless society concept took a bit of a detour during the 1980s and 1990s—ATMs and shared EFT networks proliferated, both offering tremendous convenience and making it very easy to distribute currency. When card-based point-of-sale (POS) programs also emerged, they offered an alternative to currency and checks, while also increasing the convenience of currency by allowing cash-back transactions. This expansion of currency convenience took place even as consumers were being warned of the dangers of coin and currency—the germs, the cocaine residue, the increased chance of robbery, and so on. Certainly this was a more intense negative campaign than the spontaneous combustion danger my mother warned me about when I was young. I'd received some birthday money that I was anxious to spend, and she declared that the money was "burning a hole in your pocket."

While the central banking authorities of some countries such as Sweden and Nigeria have announced a goal of moving to a less-cash society, consumers in the United States are seemingly moving in the opposite direction, as evidenced by some recent San Francisco Fed research. Researchers examined the data from the 2012 Diary of Consumer Payment Choice (DCPC) study by the Boston, Richmond, and San Francisco Federal Reserve Banks. The San Francisco Fed research included these key findings:

  • Cash remains the most-used form of payment, accounting for 40 percent of payment transactions.
  • Cash is generally used for lower-value transactions. The average value of a cash transaction was only $21, compared with $168 for checks and $44 for debit cards.
  • Cash is used most often in gift and P2P (or "person-to-person") transfers, with food and personal care supply purchases second (see the chart).
    Figure 4: Payment Instrument Shares, by Spending Category
  • Contrary to the conventional wisdom of millennials' love for all things electronic, 40 percent of 18–24 year olds prefer cash over all other payment methods—the highest percentage of any age group.

Yes, card, ACH, and other electronic transactions are continuing to increase and gain larger shares of the overall consumer transaction mix while check usage remains in a steady decline. Despite the dire outlook for checks, my colleague Doug King pointed out in a recent post that check usage among P2P users actually increased, according to the latest Fed payments study. My Magic 8 ball is predicting that coin and currency are going to be around for quite some time. What does yours say?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 9, 2014 in cards, checks, currency

June 02, 2014

Mobile Payments Fatigue

When I was an elementary school-aged kid, I looked forward to coming home from school and grabbing an ice cold Coca-Cola and a snack before venturing out into the neighborhood to play. And while I can't remember the exact discussions I had with friends around the lunch table when I was that age, I do remember our anticipation of the launch of New Coke in 1985. And oh my, how much my friends and I were disappointed when our lips first met New Coke. My reaction, with most others, was that we wanted our "old" Coke back.

Fast forward nearly 30 years and now my lunch discussions often revolve around payments. Each day I am reminded of my New Coke experience via an e-mail or news article touting or predicting an explosion in mobile payments. I'll admit it—I'm getting mobile payments fatigue. The payments industry has been anticipating mobile payments for years now, yet I find the developments to date mostly disappointing. Sure, I've made plenty of payments using a mobile device to purchase digital goods or even to purchase physical goods in an online marketplace. But outside of a few experiences of purchasing coffee with a closed-loop solution, my mobile device stays in my pocket when I'm making a purchase at the point-of-sale (POS) as I take out my reliable cards or cash.

And that is where my New Coke analogy comes into play. To many people, nothing was wrong with Coca-Cola, yet the coolness of a new product created a great level of expectation—which turned to immense disappointment. At the POS, payments are relatively seamless, yet the newness of mobile payments creates great anticipation, only to end up being disappointing and leaving me thinking, "What's wrong with my current payment choices?"

So much attention on mobile is focused on replacing a current payment form at the POS—perhaps the most seamless piece of the commerce experience. Often in mobile payment discussions, I hear that mobile payments are a technology solution looking for a problem rather than trying to solve a problem. However, I think the industry is looking in the wrong place as the problem isn't with the payment. It's with the overall experience in and around the POS. I believe mobile devices have the ability to transform this experience, but it's not by replacing my cards or cash as a payment method. It's by replacing the entire commerce experience. Are you experiencing mobile payment fatigue? And if so, what will it take to energize you?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 2, 2014 in emerging payments, innovation, mobile payments

May 19, 2014

Choking on the Cost of Risk Management

In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.

While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.

The agencies defend their actions, stating that the “know-your-customer” and “know-your-customer’s-customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly trading these due-diligence requirements and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.

By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customers’ customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions on its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.

To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.

Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 19, 2014 in banks and banking, law enforcement, regulations, risk management

May 12, 2014

The Art of Balancing Innovation and Regulation

Several factors have converged in recent years to add complexity to the regulatory oversight of retail payments. These elements include new regulation and oversight along with technology advances that have created new payment types. The challenge for regulators in an environment with an abundance of innovation is to align that innovation with appropriate regulation to ensure consumer protection, data security, and fraud mitigation, and to retain consumer confidence in payments.

The 2008 financial crisis led to an increased focus within the regulatory framework on retail payment risk factors. One new regulation was the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank). Dodd-Frank led to many changes—including the creation of a regulatory agency, the Consumer Financial Protection Bureau (CFPB), to focus exclusively on consumer protection. Since the CFPB was created, two of the payments types it has identified as deserving of its oversight are remittances and prepaid cards.

At the same time, evolving technology continues to change the nature of how consumers make payments—moving from the physical to the virtual—and has increased consumers' expectations for speed, control, information, and transparency. Options available for consumers to make payments and for businesses and financial institutions to participate in offering payment services have multiplied as Internet and mobile evolved, cloud-based solutions progressed, and virtual currencies expanded.

Technological advances have led to a retail payments system that is more transparent than ever before, in which all types of entities, from start-up companies to financial institutions, are able to innovate. Nonbank entities are flourishing in retail payments, challenging the historic role of financial institutions as primary payment participants by offering payments products and services in an ever-more complex payments landscape.

While some participants complain that there is too much regulation of payments practices, others call for more or different regulation when problems arise. Still others call for change because they believe the playing field is not level for all participants. Sometimes regulation can be a catalyst for innovation by legitimizing a payments practice after clarifying requirements for all participants. Whatever your perspective, it is a complex undertaking to attain the delicate balance between innovation and oversight.

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 12, 2014 in innovation, mobile payments, regulations, regulators

May 05, 2014

There's No Such Thing as a Good Data Breach

While data breaches have been a persistent problem for many years (see the chart), until recently, their stories would quickly fade from the headlines due to their limited reach. In the three or four months that have passed since the huge data breach at some major retailers, there have been many congressional committee hearings, several new federal legislative bills on data security issues, and countless panels and speakers at industry conferences and workshops discussing this growing problem. Unfortunately, the interactions have occasionally included a little finger-pointing, which doesn’t always lead to effective solutions. Recent efforts to bring banks and merchants together to address the problem hold some promise.

It is important to understand the number of breaches from a trends perspective, but it is more important to understand the magnitude of the breaches in terms of the number of records obtained and the type of data in those records. Because state and territorial laws with differing requirements generally control data breach notifications, the notification reporting information is often incomplete. Additionally, many data security industry experts suspect that data breaches are underreported or even not reported at all. After all, what company wants to confess to having incurred a data breach when the result will be fines and reputational damage?

In the health care industry, the 2013 implementation of the HIPAA Breach Notification Rule (45 CFR §§164.400–414) addressed this reporting concern by involving a monetary cost to the breached company. The rule requires a HIPAA-covered business and its associates to notify its customers and the U.S. Department of Health and Human Services of any breach or it could face significant financial penalties. Because of the stronger notification requirement, it was not surprising to see that the health care industry reported a 63 percent increase in data breaches in 2013 over 2012, according to the Identity Theft Resource Center (ITRC). Health care accounted for the largest share of breaches on an industry segment basis, surpassing the general business segment for the first time since the ITRC began tracking this data in 2005.

But notification requirements are post-event, not preventive. While no data security architecture can provide 100 percent protection, there clearly is the need for improved security in the handling and storage of sensitive data to prevent such breaches from occurring. As with any risk management program, the level of security depends on the sensitive nature of the information that could be monetized in some way by the criminal. Because of the large losses from the production of counterfeit cards, the public has made much of—and justifiably so—the retailer payment data breaches involving more than 40 million accounts.

We must also remember that there was an even larger data breach at the same time as the retailer's payment card data breach, this one involving 70 million accounts. But the criminals obtained such sensitive information as customers' names, addresses, phone numbers, and e-mail addresses—no payment information. Because the data was not related to payment transactions, the incident has not received as much attention. Still, criminals can use such data to foster identity theft operations that generally result in much higher losses and greater customer impact.

These incidents serve as a reminder that not all data breaches are alike and will require different prevention and response methods.

Portals and Rails is interested in what you think is the best way to address the prevention and notification aspects of data breaches.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 5, 2014 in data security, identity theft, privacy

April 28, 2014

Is Personal Data Privacy Going, Going, Gone?

Since last December, it seems that not a week has gone by without a headline about another breach of consumers' payment or personal data. These articles—which are no longer limited to banking or IT industry publications—have created both weariness and concern among consumers. The market research firm GfK conducted a national survey of U.S. consumers in March 2014 to measure the impact of these breaches and better understand how consumers view and manage their personal data. They surveyed 1,000 individuals over the age of 18 and sorted the results by generation. Some of the findings I found most interesting were:

  • All generations are concerned about the protection of their personal data and, overall, 59 percent indicated that their concern has risen over the last 12 months.
    Question: Are you concerned about the protection of your personal data?
  • One-third of the survey participants indicated that they had been the victim of the misuse of their personal data at least once over the past year.
  • Over half (54 percent) of those surveyed don't believe the U.S. government is doing enough to protect their data, with two-thirds of the pre-boomers taking that position.
  • Overall, 80 percent of the respondents believe there should be additional regulations preventing organizations from reselling their personal data to third parties.
  • There is a strong demand from consumers for all consumer-facing industries to change their data privacy and personal data usage policies, but that demand is the highest for credit card companies and social networks.
  • Banks are in the top four trusted organizations regarding the protection of personal data but trailing health care organizations, online payment systems, and online retailers. Social networks, international businesses, and marketers and advertisers are the least trusted.
  • Although more than half of the participants do not agree with the tracking or recording of communication data without their permission, younger generations are not as concerned.
    Agreement with the statement: I accept that my communications data (e.g. phone, online) can be recorded without my approval to prevent crime.

So how are consumers behaving in light of this increased concern? Almost half (48 percent) indicated that they have changed their online practices and are avoiding the use of online auctions, online banking, and online social networks to reduce the likelihood that their personal data might be compromised or misused in some way. I have seen other research indicating that as much as 40 percent of a retailer's customers who have had their personal data compromised through a breach at that retailer will avoid that retailer, at least in the immediate term.

So what is the best approach to develop and maintain safeguards for consumers' personal information and transaction data? The private sector has always championed self-regulation through standards efforts such as PCI-DSS, but we all recognize that being compliant with a common minimum standard is not the same as being totally secure. There has been no shortage of recent congressional discussion on this issue, and future major breaches will likely add to the momentum such that it will be difficult to stop. Is that where you think we are headed—a regulatory fix coming from a legislative mandate? Let us hear from you.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 28, 2014 in consumer fraud, consumer protection, data security, regulations

April 22, 2014

My Bleeding Heart

Over the past week, there has been much discussion about the OpenSSL coding flaw, the Heartbleed bug. OpenSSL is a commonly used implementation of Secure Sockets Layer (SSL). A diverse array of devices use OpenSSL to secure Internet communications. Heartbleed could allow someone to monitor log-in transactions as well as to grab and extract confidential data from affected websites and from hardware such as servers, mobile phones, and laptops. Research indicates that as many as 20 percent of all Internet sites could have been affected by this bug, including many high-profile sites. Google confirmed that phones operating Android 4.1.1 were also vulnerable to the bug, and they will remain so until the user installs its recent patch.

If there is a silver lining from the Heartbleed bug news, perhaps it is that the largest financial institutions have indicated they are not vulnerable. Even so, many smaller and mid-size banks and credit unions could still be vulnerable. Thus, the Federal Financial Institutions Examination Council issued a release urging financial institutions to incorporate patches on systems, applications, and devices that use OpenSSL. But unfortunately, this silver lining from the large banks isn’t enough to stanch this payments risk expert’s bleeding heart.

So what's the reason for my distress if the largest banks don’t appear to be vulnerable? I do not think that I am alone in admitting that I have used my credit card credentials all over the Internet. While I can count the number of cards that I have in my wallet, I couldn't begin to tell anyone the number of websites on which those card credentials have been used or stored over the last two years—which is when Heartbleed appeared. Sure, I have a few go-to sites for online shopping, as I suspect many do, but I have used my cards and created accounts on many sites that I rarely visit or maybe even just visited once for a specific purchase. Are some of these sites vulnerable to this bug? I have a sinking feeling that the answer probably is "yes." And if my log-in credentials were extracted from websites other than my financial institution, I'll sheepishly admit that may be bad news as I have not always followed the best practice of maintaining separate IDs and passwords for each site. Is it really feasible to do that for so many sites?

No doubt talk and discussions in the days ahead will revolve around whether or not OpenSSL is a secure implementation of the SSL and transport layer security protocols. However, I think the heart (ahem) of the discussion of the Heartbleed bug should revolve around the use of passwords and card credentials on the Internet. This bug potentially exposes the flaws of relying on user IDs and passwords and highlights the vulnerability of using sensitive card data in the online environment. These flaws are well-documented, and fortunately, solutions are being discussed to mitigate these risks. My bleeding heart anxiously awaits their implementation.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2014 in cybercrime, mobile payments

April 14, 2014

Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FIs). Dubbed "unlimited operation" by the U.S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude to a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.
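The transaction velocity monitoring described above, worked through as an added example (not the FFIEC's, the Secret Service's, or any network's own tooling): it streams a constructed withdrawal log, keeps a per-account sliding window, and raises one alert per account for a withdrawal burst, for withdrawals from several countries inside the window, and for a day total above a baseline daily limit that the monitoring side holds independently of the card management system, so a limit reset there does not silence the check. The log format, the window, the ceiling and the limit table are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample withdrawal log (not real data). Fields: UTC timestamp,
# masked account token, ATM id, ATM country, amount in USD. Account A-1
# shows an "unlimited operation" style burst; A-2 shows ordinary use.
SAMPLE_LOG = """\
2014-04-12T02:00:00Z,A-1,ATM-US-101,US,800
2014-04-12T02:03:00Z,A-1,ATM-US-102,US,800
2014-04-12T02:05:00Z,A-1,ATM-JP-007,JP,800
2014-04-12T02:07:00Z,A-1,ATM-US-103,US,800
2014-04-12T02:09:00Z,A-1,ATM-DE-042,DE,800
2014-04-12T02:11:00Z,A-1,ATM-US-104,US,800
2014-04-12T09:15:00Z,A-2,ATM-US-201,US,100
2014-04-12T18:40:00Z,A-2,ATM-US-202,US,60
"""

# Baseline daily limits held by the monitoring side (assumed), independent
# of the card management system: if an intruder raises the limit there,
# the comparison here still uses the value the institution actually set.
BASELINE_DAILY_LIMIT = {"A-1": 1000, "A-2": 1000}

WINDOW = timedelta(hours=1)        # assumed sliding window
MAX_WITHDRAWALS_PER_WINDOW = 4     # assumed per-account ceiling


def parse_log(text):
    """Parse the CSV lines into dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, atm, country, amount = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "acct": acct,
            "atm": atm,
            "country": country,
            "amount": int(amount),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def velocity_alerts(records, window=WINDOW,
                    max_count=MAX_WITHDRAWALS_PER_WINDOW,
                    limits=BASELINE_DAILY_LIMIT):
    """Stream the records once and return alerts as
    (account, iso_timestamp, code, detail) tuples.

    Codes: OVER_BASELINE_LIMIT (day total above the institution's own
    limit), MULTI_COUNTRY (withdrawals from more than one country inside
    the window), VELOCITY (more than max_count withdrawals inside the
    window). Each code fires once per account to keep alert volume down.
    """
    recent = defaultdict(deque)      # account -> withdrawals in window
    day_total = defaultdict(int)     # (account, date) -> amount so far
    fired = set()                    # (account, code) already alerted
    alerts = []
    for r in records:
        acct = r["acct"]
        q = recent[acct]
        q.append(r)
        while q and r["ts"] - q[0]["ts"] > window:
            q.popleft()
        day_key = (acct, r["ts"].date())
        day_total[day_key] += r["amount"]

        findings = []
        limit = limits.get(acct)
        if limit is not None and day_total[day_key] > limit:
            findings.append(("OVER_BASELINE_LIMIT",
                             "day total %d > baseline %d" % (day_total[day_key], limit)))
        countries = {x["country"] for x in q}
        if len(countries) > 1:
            findings.append(("MULTI_COUNTRY",
                             "countries in window: %s" % ",".join(sorted(countries))))
        if len(q) > max_count:
            findings.append(("VELOCITY",
                             "%d withdrawals in %s" % (len(q), window)))

        for code, detail in findings:
            if (acct, code) not in fired:
                fired.add((acct, code))
                alerts.append((acct, r["ts"].isoformat(), code, detail))
    return alerts


def flagged_accounts(alerts):
    """Accounts with at least one alert, for hand-off to the fraud desk."""
    return sorted({a[0] for a in alerts})


if __name__ == "__main__":
    for alert in velocity_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, A-1 is caught first by the baseline limit at the second withdrawal, then by the country check, and only at the fifth withdrawal by the count ceiling, which is the sense in which velocity monitoring is a reactive control: the cash is already gone by the time the counter trips.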

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud

April 07, 2014

Learning from Experience to Handle Suspicious Payment Transactions

In a post earlier this year, we addressed the difficulty of identifying and tracking remotely created checks (RCCs) in the payments stream. Electronic payment orders (EPOs), which are electronic images of "checks" that never exist in paper form, are another payment vehicle difficult to identify and track. EPOs can be created by the payee as an image of an RCC, or created and electronically signed by the payer.

Financial institutions have to address all suspicious payment transactions, whether they occur with traditional payments, like checks and ACH, or with these new variants, RCCs and EPOs. Institutions rely on a variety of ways to become aware of suspicious payment transactions:

  • The institution's anomaly detection processes highlight transaction patterns that are atypical for a customer.
  • A bank customer contacts the bank after identifying an unauthorized transaction on the bank statement.
  • Consumer complaints about a business suddenly increase.
  • Another institution contacts the bank with concerns about a particular business.
  • The bank becomes aware of legal actions taken against a business.
  • Returns for a business's payment transactions increase.

Regardless of payment type, institutions can apply the simple approach in this diagram to handling suspicious payment transactions.

diagram on handling suspicious payment transactions

When an institution becomes aware of suspicious transactions, its first step is to take care of the customer. This may include returning transactions, placing stop payments, monitoring account activity, addressing security protocols, or changing authentication tools.

The next step would be to reach out to other institutions, law enforcement, and regulators. Other institutions may not be aware of the issue and can assist with resolving the customer’s concern and addressing the underlying cause of the problem. Support for information sharing between financial institutions includes the safe harbor provisions within Section 314(b) of the USA PATRIOT Act. Submitting suspicious activity reports, or SARs, and contacting appropriate law enforcement such as the local police or FBI enables law enforcement to address fraudulent behavior, monitor the extent of the fraud, and address areas of concern that are affecting multiple institutions. Information-sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, are other important avenues.

Critical to the approach is the importance of the affected institution consistently adjusting its identification processes based on its experiences with suspicious transactions. For example, if the anomaly detection system has default settings for origination volume or return rates, and the institution learns that those settings were ineffective in identifying a problem, then the institution should adjust the settings.
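The "learning institution" loop above, worked through as an added example (not any institution's or NACHA's actual screening logic): a return-rate screen over constructed originator activity, with a tuning step that lowers the thresholds an originator slipped under once that originator turns out to have been a problem. The originator data, the reason-code grouping and the default thresholds are all assumptions.

```python
# Constructed originator activity for one monitoring period (not real data):
# originator id -> (entries originated, list of return reason codes received).
SAMPLE_ACTIVITY = {
    "ORIG-A": (2000, ["R01"] * 40 + ["R10"] * 4),
    "ORIG-B": (500, ["R01"] * 30 + ["R10"] * 9 + ["R29"] * 2),
    "ORIG-C": (150, ["R02"] * 5 + ["R10"] * 1),
}

# Return codes treated as "unauthorized" here (assumed grouping for the
# demonstration; an institution would use its own reason-code mapping).
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29", "R51"}

# The "default settings" of the post: assumed starting values, not rules.
DEFAULT_THRESHOLDS = {
    "max_overall_return_rate": 0.15,
    "max_unauthorized_return_rate": 0.02,
    "min_entries_for_review": 100,
}


def return_rates(entries, return_codes):
    """(overall return rate, unauthorized return rate) for one originator."""
    if entries == 0:
        return 0.0, 0.0
    unauth = sum(1 for c in return_codes if c in UNAUTHORIZED_CODES)
    return len(return_codes) / entries, unauth / entries


def screen(activity, thresholds):
    """Return {originator: [metrics breached]} for originators with enough
    volume to be worth reviewing under the given thresholds."""
    flagged = {}
    for orig, (entries, codes) in activity.items():
        if entries < thresholds["min_entries_for_review"]:
            continue
        overall, unauth = return_rates(entries, codes)
        breached = []
        if overall > thresholds["max_overall_return_rate"]:
            breached.append("overall")
        if unauth > thresholds["max_unauthorized_return_rate"]:
            breached.append("unauthorized")
        if breached:
            flagged[orig] = breached
    return flagged


def tune_from_missed_case(thresholds, activity, originator, margin=0.9):
    """The learning step: after an originator is found to be a problem that
    the screen did not catch, lower every metric it slipped under so that its
    observed rate would now breach it (margin leaves a little headroom).
    Returns (new thresholds, list of (key, old, new)); the input dict is
    left untouched so the change can be reviewed before it is adopted."""
    entries, codes = activity[originator]
    overall, unauth = return_rates(entries, codes)
    new = dict(thresholds)
    changes = []
    # A case hidden by the volume floor needs the floor lowered first.
    if entries < new["min_entries_for_review"]:
        changes.append(("min_entries_for_review", new["min_entries_for_review"], entries))
        new["min_entries_for_review"] = entries
    already = screen({originator: (entries, codes)}, thresholds).get(originator, [])
    for metric, key, observed in (
        ("overall", "max_overall_return_rate", overall),
        ("unauthorized", "max_unauthorized_return_rate", unauth),
    ):
        if metric in already:
            continue                      # this metric did catch it; keep it
        proposed = round(observed * margin, 4)
        if proposed < new[key]:
            changes.append((key, new[key], proposed))
            new[key] = proposed
    return new, changes


if __name__ == "__main__":
    print("before:", screen(SAMPLE_ACTIVITY, DEFAULT_THRESHOLDS))
    tuned, changes = tune_from_missed_case(DEFAULT_THRESHOLDS, SAMPLE_ACTIVITY, "ORIG-C")
    print("changes:", changes)
    print("after: ", screen(SAMPLE_ACTIVITY, tuned))
```

Re-running the screen with the tuned thresholds is the check a practitioner wants before adopting them: it shows which previously quiet originators now trip, so the institution sees the alert volume it is buying along with the missed case.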

As the payments industry continues to evolve, with newer payment types such as RCCs and EPOs, criminals will find new ways to use them to their benefit. And as perpetrators of fraudulent payments adjust their approaches, a financial institution must also be a "learning" institution and adjust its approach to identifying the suspicious payments.

How often does your institution adjust its processes for handling suspicious transactions based on current fraud experiences?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 7, 2014 in fraud, payments, remotely created checks

March 31, 2014

Ignore Millennials at Your Own Risk

At a recent conference primarily for credit unions and small banks, I participated in an interesting discussion about the future role of banks and legacy payments for person-to-person (P2P) payments. Few of the attendees offered a P2P solution as part of their online or mobile banking platform, and those who did claimed the product was seldom used, if at all. There was consensus that a majority of their customers just aren't interested in this product.

I recently wrote on this topic, hailing the check as an efficient form of P2P payment thanks in large part to mobile remote deposit capture. But perhaps my experience of writing a check to a 20-something babysitter was more of an anomaly than the norm. A recent survey that GOBankingRates conducted reveals that nearly 40 percent of consumer banking customers never write checks and 61 percent of banking customers between the ages of 18 and 24 claim to never write checks. Another survey of 10,000 millennials (those born from 1981 to 2000) reveals that the banking industry is at the highest risk of disruption. Seventy percent of the respondents believe that the way we pay for things in five years will be totally different. One in three of the respondents believe they will not need a bank.

So what can financial institutions take away from my experience and these surveys? Two things stand out to me. First, there are still banking customers (young ones included) that continue to write checks or prefer to receive checks over alternatives from banks and nonbanks. Though I fully expect check usage to continue to decline, the complete demise of the check is a fantasy. Second, and most important, financial institutions that choose not to evolve in the payments space risk disintermediation or even becoming irrelevant. While their customers today may not want specific products or payment capabilities, the reality is that the makeup of a majority of these customers today won't be the same as in the future. A generation of potentially new customers has a very different view on payments and banking. Ignoring these future customers will lead to harsh realities for financial institutions. What is your institution doing in terms of payments to attract and keep millennials and avoid becoming a dinosaur?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 31, 2014 in banks and banking, emerging payments, innovation