Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

June 23, 2014

Do Consumers REALLY Care about Payments Privacy and Security?

Consumer research studies have consistently shown that a top obstacle to adopting new payment technologies such as mobile payments is consumers' concern over the privacy and security protections of the technology. Could it be that consumers are indeed concerned but believe that the responsibility for ensuring their privacy and security falls to others? A May 2014 research study by idRADAR revealed the conundrum that risk managers often face: they know that consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.

The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge (see the chart).

Consumers Post Breach Actions

In response to another question, this one asking about the frequency at which they changed their passwords, more than half (58 percent) admitted that they changed their personal e-mail or online passwords only when forced or prompted to do so. Fewer than 10 percent changed it monthly.

When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge. At "Portals and Rails, we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.

Photo of Deborah Shaw

June 23, 2014 in consumer fraud, consumer protection, data security, identity theft, privacy | Permalink | Comments (1) | TrackBack (0)

June 16, 2014

Banking on the Financial Institutions as Gatekeepers

With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.

Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.

Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.

Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)

An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.

The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.

Photo of Deborah Shaw

June 16, 2014 in banks and banking, regulations, risk management | Permalink | Comments (0) | TrackBack (0)

June 09, 2014

Magic 8 Ball, Will We Ever Be Cashless?

Predictions of a cashless society have been broadcast sporadically throughout the decades. It became a popular concept in the United States in 1965 when Thomas J. Watson Jr., CEO of IBM, said, "In our lifetime, we may see electronic transactions virtually eliminate the need for cash." Watson believed, or hoped, that the newly released IBM mainframe computers would revolutionize financial transaction processing and make carrying cash unnecessary. Later that decade, the concept was expanded to a checkless/cashless society, with some predicting that both payment forms would be extinct by the 1980s.

Despite consumers' growing use of cards and the emergence of the ACH system, the cashless society concept took a bit of a detour during the 1980s and 1990s—ATMs and shared EFT networks proliferated, both offering tremendous convenience and making it very easy to distribute currency. When card-based point-of-sale (POS) programs also emerged, they offered an alternative to currency and checks, while also increasing the convenience of currency by allowing cash-back transactions. This expansion of currency convenience took place even as consumers were being warned of the dangers of coin and currency—the germs, the cocaine residue, the increased chance of robbery, and so on. Certainly this was a more intense negative campaign than the spontaneous combustion danger my mother warned me about when I was young. I'd received some birthday money that I was anxious to spend, and she declared that the money was "burning a hole in your pocket."

While the central banking authorities of some countries such as Sweden and Nigeria have announced a goal of moving to a less-cash society, consumers in the United States are seemingly moving in the opposite direction, as evidenced by some recent San Francisco Fed research. Researchers examined the data from the 2012 Diary of Consumer Payment Choice (DCPC) study by the Boston, Richmond, and San Francisco Federal Reserve Banks. The San Francisco Fed research included these key findings

  • Cash remains the most-used form of payment, accounting for 40 percent of payment transactions.
  • Cash is generally used for lower-value transactions. The average value of a cash transaction was only $21, compared with $168 for checks and $44 for debit cards.
  • Cash is used most often in gift and P2P (or "person-to-person") transfers, with food and personal care supply purchases second (see the chart).
    Figure 4: Payment Instrument Shares, by Spending Category
  • Contrary to the conventional wisdom of millennials' love for all things electronic, 40 percent of 18–24 year olds prefer cash over all other payment methods—the highest percentage of any age group.

Yes, card, ACH, and other electronic transactions are continuing to increase and gain larger shares of the overall consumer transaction mix while check usage remains in a steady decline. Despite the dire outlook for checks, my colleague Doug King pointed out in a recent post that check usage among P2P users actually increased, according to the latest Fed payments study. My Magic 8 ball is predicting that coin and currency are going to be around for quite some time. What does yours say?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 9, 2014 in cards, checks, currency | Permalink | Comments (0) | TrackBack (0)

June 02, 2014

Mobile Payments Fatigue

When I was an elementary school-aged kid, I looked forward to coming home from school and grabbing an ice cold Coca-Cola and a snack before venturing out into the neighborhood to play. And while I can't remember the exact discussions I had with friends around the lunch table when I was that age, I do remember our anticipation of the launch of New Coke in 1985. And oh my, how much my friends and I were disappointed when our lips first met New Coke. My reaction, with most others, was that we wanted our "old" Coke back.

Fast forward nearly 30 years and now my lunch discussions often revolve around payments. Each day I am reminded of my New Coke experience via an e-mail or news article touting or predicting an explosion in mobile payments. I'll admit it—I'm getting mobile payments fatigue. The payments industry has been anticipating mobile payments for years now, yet I find the developments to date mostly disappointing. Sure, I've made plenty of payments using a mobile device to purchase digital goods or even to purchase physical goods in an online marketplace. But outside of a few experiences of purchasing coffee with a closed-loop solution, my mobile device stays in my pocket when I'm making a purchase at the point-of-sale (POS) as I take out my reliable cards or cash.

And that is where my New Coke analogy comes into play. To many people, nothing was wrong with Coca-Cola, yet the coolness of a new product created a great level of expectation—which turned to immense disappointment. At the POS, payments are relatively seamless, yet the newness of mobile payments creates great anticipation, only to end up being disappointing and leaving me thinking, "What's wrong with my current payment choices?"

So much attention on mobile is focused on replacing a current payment form at the POS—perhaps the most seamless piece of the commerce experience. Often in mobile payment discussions, I hear that mobile payments are a technology solution looking for a problem rather than trying to solve a problem. However, I think the industry is looking in the wrong place as the problem isn't with the payment. It's with the overall experience in and around the POS. I believe mobile devices have the ability to transform this experience, but it's not by replacing my cards or cash as a payment method. It's by replacing the entire commerce experience. Are you experiencing mobile payment fatigue? And if so, what will it take to energize you?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 2, 2014 in emerging payments, innovation, mobile payments | Permalink | Comments (0) | TrackBack (0)

May 19, 2014

Choking on the Cost of Risk Management

In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.

While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.

The agencies defend their actions, stating that the “know-your-customer” and “know-your customer’s customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly exchanging these requirements for due diligence and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.

By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customer’s customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions with regards to its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.

To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.

Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?

Photo of Deborah ShawBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


May 19, 2014 in banks and banking, law enforcement, regulations, risk management | Permalink | Comments (0) | TrackBack (0)

May 12, 2014

The Art of Balancing Innovation and Regulation

Several factors have converged in recent years to add complexity to the regulatory oversight of retail payments. These elements include new regulation and oversight along with technology advances that have created new payment types. The challenge for regulators in an environment with an abundance of innovation is to align that innovation with appropriate regulation to ensure consumer protection, data security, and fraud mitigation, and to retain consumer confidence in payments.

The 2008 financial crisis led to an increased focus within the regulatory framework on retail payment risk factors. One new regulation was the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank). Dodd-Frank led to many changes—including the creation of a regulatory agency, the Consumer Financial Protection Bureau (CFPB), to focus exclusively on consumer protection. Since the CFPB was created, two of the payments types it has identified as deserving of its oversight are remittances and prepaid cards.

At the same time, evolving technology continues to change the nature of how consumers make payments—moving from the physical to the virtual—and has increased consumers' expectations for speed, control, information, and transparency. Options available for consumers to make payments and for businesses and financial institutions to participate in offering payment services have multiplied as Internet and mobile evolved, cloud-based solutions progressed, and virtual currencies expanded.

Technological advances have led to a retail payments system that is more transparent than ever before, in which all types of entities, from start-up companies to financial institutions, are able to innovate. Nonbank entities are flourishing in retail payments, challenging the historic role of financial institutions as primary payment participants by offering payments products and services in an ever-more complex payments landscape.

While some participants complain that there is too much regulation of payments practices, others call for more or different regulation when problems arise. Still others call for change because they believe the playing field is not level for all participants. Sometimes regulation can be a catalyst for innovation by legitimizing a payments practice after clarifying requirements for all participants. Whatever your perspective, it is a complex undertaking to attain the delicate balance between innovation and oversight.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 12, 2014 in innovation, mobile payments, regulations, regulators | Permalink | Comments (0) | TrackBack (0)

May 05, 2014

There's No Such Thing as a Good Data Breach

While data breaches have been a persistent problem for many years (see the chart), until recently, their stories would quickly fade from the headlines due to their limited reach. In the three or four months that have passed since the huge data breach at some major retailers, there have been many congressional committee hearings, several new federal legislative bills on data security issues, and countless panels and speakers at industry conferences and workshops discussing this growing problem. Unfortunately, the interactions have occasionally included a little finger-pointing, which doesn’t always lead to effective solutions. Recent efforts to bring banks and merchants together to address the problem hold some promise.

It is important to understand the number of breaches from a trends perspective, but it is more important to understand the magnitude of the breaches in terms of the number of records obtained and the type of data in those records. Because state and territorial laws with differing requirements generally control data breach notifications, the notification reporting information is often incomplete. Additionally, many data security industry experts suspect that data breaches are underreported or even not reported at all. After all, what company wants to confess to having incurred a data breach when the result will be fines and reputational damage?

In the health care industry, the 2013 implementation of the HIPAA Breach Notification Rule (45 CFR §§164.400–414) addressed this reporting concern by involving a monetary cost to the breached company. The rule requires a HIPAA-covered business and its associates to notify its customers and the U.S. Department of Health and Human Services of any breach or it could face significant financial penalties. Because of the stronger notification requirement, it was not surprising to see that the health care industry reported a 63 percent increase in data breaches in 2013 over 2012, according to the Identity Theft Resource Center (ITRC). Health care accounted for the largest share of breaches on an industry segment basis, surpassing the general business segment for the first time since the ITRC began tracking this data in 2005.

But notification requirements are post-event, not preventive. While no data security architecture can provide 100 percent protection, there clearly is the need for improved security in the handling and storage of sensitive data to prevent such breaches from occurring. As with any risk management program, the level of security depends on the sensitive nature of the information that could be monetized in some way by the criminal. Because of the large losses from the production of counterfeit cards, the public has made much of—and justifiably so—the retailer payment data breaches involving more than 40 million accounts.

We must also remember that there was an even larger data breach at the same time as the retailer's payment card data breach, this one involving 70 million accounts. But the criminals obtained such sensitive information as customer's name, address, phone number, and e-mail address—no payment information. Because the data was not related to payment transactions, the incident has not received as much attention. Still, criminals can use such data to foster identity theft operations that generally result in much higher losses and greater customer impact.

These incidents serve as a reminder that not all data breaches are alike and will require different prevention and response methods.

Portals and Rails is interested in what you think is the best way to address the prevention and notification aspects of data breaches.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 5, 2014 in data security, identity theft, privacy | Permalink | Comments (0) | TrackBack (0)

April 28, 2014

Is Personal Data Privacy Going, Going, Gone?

Since last December, it seems that not a week has gone by without a headline about another breach of consumers' payment or personal data. These articles—which are no longer limited to banking or IT industry publications—have created both weariness and concern among consumers. The market research firm GfK conducted a national survey of U.S. consumers in March 2014 to measure the impact of these breaches and better understand how consumers view and manage their personal data. They surveyed 1,000 individuals over the age of 18 and sorted the results by generation. Some of the findings I found most interesting were:

  • All generations are concerned about the protection of their personal data and, overall, 59 percent indicated that their concern has risen over the last 12 months.
    Question: Are you concerned about the protection of your personal data?
  • One-third of the survey participants indicated that they had been the victim of the misuse of their personal data at least once over the past year.
  • Over half (54 percent) of those surveyed don't believe the U.S. government is doing enough to protect their data, with two-thirds of the pre-boomers taking that position.
  • Overall, 80 percent of the respondents believe there should be additional regulations preventing organizations from reselling their personal data to third parties.
  • There is a strong demand from consumers for all consumer-facing industries to change their data privacy and personal data usage policies, but that demand is the highest for credit card companies and social networks.
  • Banks are in the top four trusted organizations regarding the protection of personal data but trailing health care organizations, online payment systems, and online retailers. Social networks, international businesses, and marketers and advertisers are the least trusted.
  • Although more than half of the participants do not agree with the tracking or recording of communication data without their permission, younger generations are not as concerned.
    Agreement with the statement: I accept that my communications data (e.g. phone, online) can be recorded without my approval to prevent crime.

So how are consumers behaving in light of this increased concern? Almost half (48 percent) indicated that they have changed their online practices and are avoiding the use of online auctions, online banking, and online social networks to reduce the likelihood that their personal data might be compromised or misused in some way. I have seen other research indicating that as much as 40 percent of a retailer's customers that have had their personal data compromised through a breach at that retailer will avoid that retailer, at least in the immediate term.

So what is the best approach to develop and maintain safeguards for consumer's personal information and transaction data? The private sector has always championed self-regulation through standards efforts such as PCI-DSS, but we all recognize that being compliant with a common minimum standard is not the same as being totally secure. There has been no shortage of recent congressional discussion on this issue, and future major breaches will likely add to the momentum such that it will be difficult to stop. Is that where you think we are headed—a regulatory fix coming from a legislative mandate? Let us hear from you.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 28, 2014 in consumer fraud, consumer protection, data security, regulations | Permalink | Comments (1) | TrackBack (0)

April 22, 2014

My Bleeding Heart

Over the past week, there has been much discussion about the OpenSSL coding flaw, the Heartbleed bug. OpenSSL is a commonly used implementation of Secure Sockets Layer (SSL). A diverse array of devices use OpenSSL to secure Internet communications. Heartbleed could allow someone to monitor log-in transactions as well as to grab and extract confidential data from affected websites and from hardware such as servers, mobile phones, and laptops. Research indicates that as many as 20 percent of all Internet sites could have been affected by this bug, including many high-profile sites. Google confirmed that phones operating Android 4.1.1 were also vulnerable to the bug, and they will remain so until the user installs its recent patch.

If there is a silver lining from the Heartbleed bug news, perhaps it is that the largest financial institutions have indicated they are not vulnerable. Even so, many smaller and mid-size banks and credit unions could still be vulnerable. Thus, the Federal Financial Institutions Examination Council issued a release urging financial institutions to incorporate patches on systems, applications, and devices that use OpenSSL. But unfortunately, this silver lining from the large banks isn’t enough to stanch this payments risk expert’s bleeding heart.

So what's the reason for my distress if the largest banks don’t appear to be vulnerable? I do not think that I am alone in admitting that I have used my credit card credentials all over the Internet. While I can count the number of cards that I have in my wallet, I couldn't begin to tell anyone the number of websites that those card credentials have been used or stored over the last two years—which is when Heartbleed appeared. Sure, I have a few go-to sites for online shopping, as I suspect many do, but I have used my cards and created accounts on many sites that I rarely visit or maybe even just visited once for a specific purchase. Are some of these sites vulnerable to this bug? I have a sinking feeling that the answer probably is "yes." And if my log-in credentials were extracted from websites other than my financial institution, I'll sheepishly admit that may be bad news as I have not always followed the best practice of maintaining separate IDs and passwords for each site. Is it really feasible to do that for so many sites?

No doubt talk and discussions in the days ahead will revolve around whether or not OpenSSL is a secure implementation of the SSL and transport layer security protocols. However, I think the heart (ahem) of the discussion of the Heartbleed bug should revolve around the use of passwords and card credentials on the Internet. This bug potentially exposes the flaws of relying on user IDs and passwords and highlights the vulnerability of using sensitive card data in the online environment. These flaws are well-documented, and fortunately, solutions are being discussed to mitigate these risks. My bleeding heart anxiously awaits their implementation.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2014 in cybercrime, mobile payments | Permalink | Comments (0) | TrackBack (0)

April 14, 2014

Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FI). Dubbed "unlimited operation" by the U. S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude to a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud | Permalink | Comments (0) | TrackBack (0)