Portals and Rails

About


Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.

October 06, 2014


Starting Off on the Right Note with Mobile Enrollment

In Rogers and Hammerstein’s Sound of Music, the classic song “Do-Re-Mi” begins “Let's start at the very beginning / A very good place to start...” Such a suggestion is essential in ensuring that the person enrolling in a payments system is, in fact, who he or she claims to be. The USA Patriot Act requires financial institutions (FIs) to develop a formal customer identification program that validates the customer when the account is opened. This program must specify the documentation that is used for authentication.

However, once the account is open, FIs have greater latitude in their procedures for identifying customers when the FIs handle account access requests, such as when a customer requests a change of address or enrolls in a third-party program that uses a card that the FI has issued to the customer. At that stage, it’s up to an FI’s own risk-management policies as to what documentation to require.

This situation can be risky. For example, let’s look at what happens when a customer wants to add a payment card to a mobile wallet that a third party operates. When the customer adds the card—enrolls with the third party—how can the FI that issued the card know that not only the payment card being added but also the mobile phone itself belongs to the right individual? How can the issuer efficiently and effectively ensure that the payment card information being loaded on a phone hasn’t been stolen? Adding any sort of verification process increases the friction of the experience and can result in the legitimate user abandoning the process.

Most mobile wallet operators use several techniques to validate that both the mobile phone with the wallet and the payment card belong to the rightful customer. (These operators send a request to the issuing FI as part of their enrollment process.) Some FIs require the operator to have customers submit their payment card information along with their cards’ security code and additional data, such as the last four digits of the social security number. Others may require just the payment card number, expiration date, and card security code, although such a minimal requirement offers little protection against a stolen card being added to a criminal’s phone. Still others require the customer to submit a photo of the payment card taken with their phone to verify possession of the card. If the issuer can obtain some of the phone’s device information, it can increase the level of confidence that the authorized cardholder is using their phone.

Regardless of what process is used, having strong identification controls during the initial enrollment step is essential to a sound risk management program.

Photo of Douglas A. King

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 6, 2014 in authentication, financial services, mobile banking, mobile payments, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d078369c970c

Listed below are links to blogs that reference Starting Off on the Right Note with Mobile Enrollment:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 21, 2012


Security in the mobile wallet: Is it good enough yet?

For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.

image of fat wallet

But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.

Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.

A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:

"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."

It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to rollout in 2012.

Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics's recent study found that financial services applications had the largest percentage of apps that passed their security tests.

table of Mobile Application Security by Type of Application

Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are fulfilling meeting the terms of third-party agreements with respect to application and device security.

Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016301c7d1b3970d

Listed below are links to blogs that reference Security in the mobile wallet: Is it good enough yet?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 05, 2011


The future of mobile payments

Although mobile payments have been much slower to develop in the United States than many industry observers had predicted, there have been a number of encouraging recent developments. Starbucks, for example, has processed more than 20 million mobile payments since launching its app, and the Chicago Transit Authority's new fare collection system will be able to accept mobile payments starting in 2013. Still, despite these small successes, the United States has not seen the mobile phone really take off as a vehicle for point-of-sale payments.

The Retail Payments Risk Forum recently interviewed David Evans, a payments industry consultant and the founder of Market Platform Dynamics, in a podcast exploring some of the challenges facing widespread mobile payments adoption. Evans maintained that a couple of obstacles have kept mobile payments from taking off in the United States. "Barrier number one is that there is not a very persuasive mobile payments alternative for consumers to use at the point of sale, and the second is that there's really not the technology at the point of sale capable of processing a mobile payments-type transaction."

In addition to these barriers, he said, is the simple fact that most consumers are satisfied with the way things are. Evans explained, "I can pull out a credit or a debit card at the point of sale, I can swipe it, and it works beautifully. Takes about a second. No fuss, no muss—the clerk knows what to do. The technology is all there. So we have this wonderful system that works really well right now that's extremely efficient." To change the status quo, a compelling value proposition must emerge for all parties. "Someone's going to have to come up with a really great alternative that adds value to the merchant and adds value to the consumers to make both of them want to do something different than [what] they are currently doing," said Evans.

Regarding the prospects for mobile payments outside the United States, Evans said, "I think that where we are going to see mobile payments take off around the world is primarily in countries that do not already have a very well-developed payment card industry with acceptance at the point of sale and that have very well-developed mobile phone systems."

The role of different types of market players has been a major source of debate among those forecasting mobile payments. Many disagree how the mobile carriers, such as Verizon and AT&T, will fit into the new landscape. Evans predicted that "the likely role of the carriers in payments is basically being a pipe." He stressed that mobile carriers do not have the expertise to operate mobile payments and are more likely to become pipes for others who will develop mobile payments alternatives.

When asked about his predictions about the type of technology that will ultimately support mobile payments, Evans said that it was still too early to know. However, he did say that "it's really the solution that is going to drive the adoption of a particular acceptance technology at the point of sale, rather than the acceptance technology driving the solution." There are clearly still a lot of unknowns with regards to mobile payments, and Evans wisely concluded that "we should talk about this in 10 years when we may actually know the answer!"

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

December 5, 2011 in mobile payments, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0153940f0841970b

Listed below are links to blogs that reference The future of mobile payments:

Comments

I completely agree with Evan's statement: Someone's going to have to come up with a really great solution that adds value to the interaction. The majority of consumers are not going to adopt mobile payments because it's cool to pay for something with your smartphone. Early adopters will, but the rest of us won't. We will adopt mobile payments when it is clearly more valuable (more convenient, more fun, etc).

I think a good example of this is Square's Card Case mobile payment app which allows consumers to pay for stuff through their Square account without ever taking the phone out of their pocket.

To read more about this, you can check out my blog post on the subject here: http://www.zootweb.com/blog/index.php/mobile-disruptive-innovation/756/

Posted by: Alex Johnson | January 18, 2012 at 11:50 AM

I fully agree with Mr Evans - it will take something really ground-breaking to change the way we pay for our shopping. None of the alternatives being proposed or in some cases rolled out right now seems to have what is takes to stop us from using cash and cards in most transactions.

Posted by: Merchant Services | December 07, 2011 at 06:18 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 28, 2011


Portals and Rails welcomes new director of Retail Payments Risk Forum

On August 31, we said farewell to our director, Rich Oliver, when he officially retired from the Retail Payments Risk Forum after 38 years with the Federal Reserve. With his many accomplishments and significant contributions to the Fed, to the Forum, and to research in the payments industry, Rich left behind some pretty big shoes, and we've been looking for someone to fill them. Well, we've found someone more than capable of walking in these shoes, and we'd like to invite you to join the Portals and Rails team in welcoming the Forum's new director, Mary Kepler. On December 1, Mary will step into her new shoes—uh, role—overseeing the Forum and maintaining District and System-level relationships with industry executives and organizations in the payments arena and in payments risk and fraud prevention.

Now, we're not to going to divulge Mary's shoe size, because we're really only speaking metaphorically here and would never comment on anything so personal in such a public forum, but we can tell you about Mary's path that has brought her to us. She certainly comes to her new position with a variety of relevant experience, most recently as the vice president of Financial Management and Planning (FM&P) here at the Atlanta Fed.

Mary originally came to the Atlanta Fed in 1992, moving from the Kansas City Fed, so she has a long history with us. She joined the Atlanta Fed in Supervision and Regulation department and was soon promoted to relationship manager with the AmSouth Bancorporation. In 1998, she moved to the automation operations department, where she was assistant vice president until 2002, when she became vice president. Mary joined the Retail Payments Office in 2003 and for two years served as the Federal Reserve System liaison to the U. S. Treasury Department for retail payment services that the System provides to the U.S. Treasury.

From 2005 to 2006, Mary was senior human resources officer. She chaired the Bank's Human Resources Committee and was an advisor to the Bank's Management Committee. She then became senior officer over FM&P.

As you can see, Mary comes to the Retail Payments Risk Forum well qualified. We look forward to embarking on this next phase of our journey under her capable, proven leadership. So please help us congratulate Mary on her new position, wish her continued success, and tell her she wears her new shoes well.

By Cynthia Merritt, assistant director, Douglas A. King, payments risk expert, and Jennifer C. Windh, payments risk analyst, all of the Retail Payments Risk Forum

November 28, 2011 in payments, payments risk, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01543788a5ad970c

Listed below are links to blogs that reference Portals and Rails welcomes new director of Retail Payments Risk Forum:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 07, 2011


International Fraud Awareness Week is here

According to the Association of Certified Fraud Examiners (ACFE), organizations worldwide lose roughly 5 percent of annual revenues to fraud. That's huge. A theme that we return to again and again in Portals and Rails is the fact that technology is making our lives—including the ways we transact consumer payments—more efficient and secure. But these new technologies also offer fraudsters new and sometimes better ways to perpetrate crime.

Fraud Awareness WeekIn an effort to promote fraud awareness and education, starting November 7, the ACFE is sponsoring International Fraud Awareness Week, a "time dedicated to fraud awareness, detection, and prevention." So in keeping with this theme, we are using this space to refocus on some of the issues around payments fraud in the United States.

U.S. payments fraud is on the rise but hard to measure
Unlike other countries, the United States does not have a single, uniform repository for collecting fraud loss data. Industry analysts primarily base their concerns about the industry on anecdotes from law enforcement, financial intelligence agencies, and regulators. In addition, recent media accounts of check fraud, corporate account takeovers, payment card breaches, card payment terminal skimming, and the like leave no doubt that in the retail payments arena, leave no doubt that the problem of fraud is universal and growing.

Also validating the growing concern are proxies such as fraud surveys from organizations like the American Bankers Association (ABA), which measures deposit account fraud in banks, and the Association for Financial Professionals, which works with corporations to measure their fraud loss experience. However, more information may be needed as payment systems grow more complex, provide new alternative solutions and access new electronic channels.

Internal fraud is growing globally
The global economic downturn has led to an increased incidence of payments fraud. Sometimes financially distressed employees—rationalizing their behavior in light of dire circumstances—commit frauds within a business, effectively stealing from their employers. For example, employees in financial institutions who have access to large amounts of customer data may use their insider access to commit fraud. In one of our podcasts, an expert noted that internal fraud is more growing more common—and complex—as criminal rings increasingly place their people within legitimate organizations, where they can then steal data. Once they have the data, they can use it to commit a variety of frauds, including identity theft and payment crimes, such as card counterfeiting and counterfeit checks, to name just a few.

Fraud awareness week highlights old-school solutions
The International Fraud Week web page highlights resources for fraud prevention and education that businesses and consumers can tailor to their own particular needs. For example, the site offers a link to a Fraud Prevention Check-Up, which provides a framework for business to assess their risk and evaluate the strength of their fraud mitigation environment. Another anti-fraud resource is a presentation with tips to help organizations prevent and detect fraud.

To that same end, Portals and Rails in an earlier blog offered a recommendation for businesses to be proactive by adopting relatively simple control processes. For example, basic checklists like the one that follows can help organizations comply with ACH rules and regulations, avoid human error, and reduce fraud.

Electroic Payment Checklist

International Fraud Awareness Week activities
To help raise awareness around fraud, the ACFE recommends that businesses participate year round in its blog and in other social media initiatives, such as forums for dialoguing and sharing ideas on fraud detection and mitigation. It also suggests that organizations spread the word to colleagues and clients about International Fraud Awareness Week and the resources available to promote strong fraud risk management program development.

One thing we know for certain, and can't say enough, is that our payment systems are growing more and more complex, in terms both of sophisticated technologies and of multiple new nonbank service partners entering the mix. With this constant change and development, the payment distribution chain will undoubtedly contain more points of potential vulnerability to risk and fraud. Taking basic preventive measures and increasing industry awareness through the activities and resources highlighted during International Fraud Awareness Week can go a long way to combating payment-related risks and fraud.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

November 7, 2011 in crime, fraud, identity theft, payments risk, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015392dfd1e6970b

Listed below are links to blogs that reference International Fraud Awareness Week is here:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 24, 2011


Keeping pace as money transmitters proliferate

As the United States migrates from paper-based retail payments to electronically enabled methods, we are witnessing a proliferation of entrepreneurial and innovative nonbank stakeholders entering the retail payments market. As my colleague discussed in a previous post, these nonbanks provide a variety of services that banks can use to create more efficient payment systems. But the fast pace of technological change and the ease with which these new companies can enter the retail payments arena may also be translating into new risk vulnerabilities for the nation's retail payments systems.

There are many different types of nonbanks in U.S. payments systems today, including technology developers, aggregators, agents, third-party service providers, and money service businesses (MSB) and transmitters. As technology enables more nimble and innovative payments, the role of MSBs and, in particular, money transmitters is growing more important.

Am I an MSB?
According to this table from the Financial Crimes Enforcement Network (FinCEN), certain products or service offerings may dictate the capacities in which a business might fit the definition of an MSB. Note that money transmitters represent a specific type of MSB that engages primarily in funds transfer services.


The innovations that PayPal introduced illustrate the value that transmitters add to the payment system through the provision of nimble service offerings that respond to consumer payment needs. Over time, PayPal has evolved into a mainstream payment service provider and household name, and has demonstrated a commitment to risk management and regulatory compliance across all the jurisdictions in which it operates. But PayPal's commitment contrasts with the overall state of the industry of MSBs, whose efforts are not completely transparent. MSBs and transmitters today operate in a fragmented regulatory environment determined by the specific governing laws, licensing requirements, and permissible business activities of each U.S. state.

As money transmitters become more prevalent players in our nation's payment system, is it time to reassess their regulatory environment and consider the potential benefits of a national supervisory framework?

Transmitters and the U.S. regulatory structure
Money transmitters are required to register with FinCEN and to comply with federal laws for anti-money-laundering and counterterrorist-financing provisions of the Bank Secrecy Act. In addition, 48 states require the licensing of money transmitters before they can do business. For money transmitters that operate in more than one state and across state lines, differences in state legal requirements create challenges to developing effective enterprise-wide compliance and risk-management programs. Furthermore, monitoring changes in various state legal regimes can be extremely complicated, not to mention costly.

Ironically, state regulatory authorities governing money transmitter businesses are generally budget-strapped in today's economically distressed environment, and lack the financial resources for taking action against all but the most egregious of bad actors. Unlike the prudential regulatory governance employed by the agencies of the Federal Financial Institutions Examination Council for the nation's mainstream financial institutions, regulatory response for the oversight of money transmitters is prompted instead by complaints to state authorities, or by the filing of suspicious activity reports to FinCEN.

Future regulatory considerations
There are many risks to consider in this nascent segment of the retail payments industry. With the ease of entry into the market for money transmitters and the potential lack of funding in some states for comprehensive regulatory oversight, some startups may circumvent licensing and capital requirements by merely opening for business, undetected by state authorities. FinCEN has issued advisories requesting that financial institutions that discover such businesses file suspicious activity reports (SARs) as a means of mitigating unlicensed and potentially illegal activity. Unfortunately, as technology supports more sophisticated advancements in electronic payments as well as new alliances between carriers and money transmitters, regulatory efforts will become increasingly difficult.

The newly established Consumer Financial Protection Bureau is empowered to exercise enforcement authority for improper conduct on behalf of money transmitters, but the task is daunting, considering the disproportionate state-by-state regulatory framework currently in place. Is it time to consider a more consistent, national approach to the legal and regulatory oversight of money transmitters? And, considering the onerous compliance costs that the current environment imposes, would money transmitters in fact welcome a more consistent, uniform environment?

Cindy MerrittBy Cindy Merritt, assistant director of the Retail Payments Risk Forum

 

October 24, 2011 in money services business (MSB), payments risk, payments systems, regulators, transmitters | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0162fbe1f446970d

Listed below are links to blogs that reference Keeping pace as money transmitters proliferate:

Comments

You are right to ask the question Cindy. A national framework that works to separate payments and other banking businesses ought to be a straightforward first step toward a more efficient payment sector. Innovation in the "money transmitter" segment should be decoupled from the areas of systemic risk (eg, credit creation).

Posted by: twitter.com/dgwbirch | October 29, 2011 at 04:58 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 17, 2011


As payments system evolves, "funny" money is still no laughing matter

Counterfeit money in the United States has been in circulation since colonial America. During the Revolutionary War, counterfeiting of Continental American money became so rampant that the currency became worthless. Hence, the phrase "not worth a Continental" was born. Counterfeiting continued after the country's independence from the British, so the government established the U.S. Secret Service in 1865 to suppress it. It was only later that the agency was also tasked with the highly visible and publicized mission of protecting national leaders, most notably the president, and visiting foreign leaders.

Since the establishment of the Secret Service, payment types have advanced from paper bills to checks and card-based payments. Alongside the advancement of our nation's payment methods, the security features of each payment type are evolving to combat attempts at counterfeiting. Yet today, 111 years after the Secret Service was established, counterfeiting remains a threat to the U.S. payments system. This blog examines the security technological advances currently deployed and those in development to fight counterfeiting schemes in consumer payments.

Counterfeit currency
In 1865, approximately one-third of all currency in circulation was counterfeit. Today, counterfeit currency is estimated to represent only 3/100ths of 1 percent of total currency—yet the crime of counterfeiting currency remains popular. According to its Fiscal Year 2010 Annual Report, the Secret Service made more than 3,000 domestic and international arrests for counterfeiting offenses in 2010, resulting in the removal of more than $261 million in counterfeit currency from circulation. This amount is an increase of more than 150 percent from the 2008 level of $103 million. Continued advancements in computer and printing technologies aid counterfeiters in producing hard-to-detect counterfeit bills. It is also important to note that counterfeit bills do not have to be perfect. These bills just need to be good enough for the counterfeiters to exchange once to another party to be deemed successful.

To mitigate the production of counterfeit currency and to help detect it, the U.S. Department of the Treasury constantly enhances paper currency's security features. Newer features such as color-shifting ink, watermarks, and security threads have made paper currency more difficult for criminals to counterfeit accurately.

Counterfeit checks
Much like paper currency, checks became an important payment instrument in the United States following the Revolutionary War. And as is the case with paper currency, checks are also a common target for counterfeiters. Even as check usage continues to decline, check fraud continues to increase and remains one of the largest threats to businesses today, according to the 2011 AFP Payments Fraud and Control Survey: Report of Survey Results. Also according to this report, the counterfeiting of nonpayroll checks using an organization's MICR line data remains the most widely used technique to commit check fraud.

Counterfeit cards
Since the first credit card was introduced in the United States in 1958, card-enabled debit and credit payments have become many consumers' preferred payment methods. But just as payments migrated from paper to electronic methods such as debit and credit cards, counterfeiting fraud schemes have shifted from paper as well. Today's payments fraud-related headlines are flooded with stories of card-skimming schemes to produce counterfeit cards. Fraudsters are using skimming devices on point-of-sale (POS) terminals and at ATMs to capture card numbers. As my colleague Cynthia Merritt previously discussed in an earlier post, these skimming devices are becoming more sophisticated. According to Verizon's 2011 Data Breach Investigations Report, tampering of ATMs and POS terminals accounted for 98 percent of physical data breaches in 2010. The report notes that these tampering attacks, which have been occurring for years, are on the rise.

Despite the continued evolution of payment types and their corresponding security features, counterfeiters persist in finding ways to harm the payments system, regardless of payment type. Although the industry can and should strive to eliminate the success of counterfeiters, history shows us that the task is all but impossible. It will be very interesting to see the effect that new security enhancements as they develop will have on counterfeiting trends in the United States. For me, I am eagerly anticipating the effect that dynamic data chip-enabled transactions will have on the skimming and counterfeiting of payment cards should the industry adopt the technology.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 17, 2011 in check fraud, crime, fraud, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e8c5020ad970d

Listed below are links to blogs that reference As payments system evolves, "funny" money is still no laughing matter:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 11, 2011


High-impact events in a warming world: Business continuity planning for retail payments

Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.

Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.

Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:

The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.

The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.

In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

October 11, 2011 in banks and banking, financial services, payments systems, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e8c2dacc2970d

Listed below are links to blogs that reference High-impact events in a warming world: Business continuity planning for retail payments:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 15, 2011


Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud

It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of PacMan (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.

Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.

Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.

Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.

Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.

Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement their new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.

Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.

Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.

Photo of Rich OliverBy Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

August 15, 2011 in consumer protection, fraud, payments systems, regulators, risk, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0154348a930e970c

Listed below are links to blogs that reference Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 23, 2011


The dilemma of measuring fraud in the U.S. payments system

Growing up, I was fascinated with books about animals, particularly those focusing on totally unique and strange Australian animals. Kangaroos, wallabies, duck-billed platypuses, and spiny echidnas caught my fancy because they were unique, existing nowhere else on the planet. Perhaps one reason I am so fascinated with the U.S. payments system is that it is totally unique and replicated nowhere else in the world.

Limited government engagement in payments system policies
While part of its uniqueness stems from its size and scope, the true novelty of the U.S. payments system lies in its exceedingly free market roots. That is, relative to most other developed countries, our system is very lightly regulated. Certainly, there are a reasonable number of regulations that afford consumer protection, but in the nearly 30 years from 1980 to 2009, Congress only occasionally addressed payments system issues, most notably with the Expedited Funds Availability Act of 1988 and the Check Truncation Act of 2003. One would normally expect infrequent legislative engagement in situations where a strong government regulator was in place, making legislative activity unnecessary, but there is no government agency specifically charged with regulating the overall U.S. payments system.

This arrangement has created an environment where innovation flourishes, but it also has allowed for a bit of a void when the evolution of the payment system creates public policy issues, either internally or with respect to global compatibility. Recent history bears witness to this point as Congress has suddenly become more engaged in passing the CARD Act of 2009, the overdraft legislation of 2009, and the debit card interchange legislation housed in the Durbin Amendment to the Dodd-Frank financial reform legislation of 2010. While each of these efforts was directed at increasing transparency and promoting choice for consumer and business users of the payments system, there has been little effort to address another important public policy issue—the increasing concern over risk and fraud in the payments system.

Through the creation of the National Strategy for Trusted Identities in Cyberspace, the current administration has proactively addressed growing concerns over ID theft in an increasingly electronic and globally accessible payments system. But many other tangential and separate fraud issues loom on the horizon. In tough economic times, however, organizations make difficult choices about the business case behind any fraud mitigation investments. Individual organizations generally have the data necessary to conduct such assessments, but from a broader national viewpoint, precious little data exist on which to base needed public policy analysis. For example, when the Federal Reserve Board, via the aforementioned Durbin Amendment, was handed the responsibility to oversee debit card interchange and fraud management issues, they had no choice but to begin their work by developing and distributing extensive surveys so they could get a handle on experiences in the marketplace.

Lack of a public fraud measurement systems
Much of what exists publicly today in terms of payments system measurements and metrics for fraud comes from independent survey work initiated by trade associations or consultants, such as the American Bankers Association, the Independent Community Bankers Association, and the Association for Financial Professionals. While the data flowing from these efforts is extremely helpful, each survey has its own focus, methodologies differ, and voluntary participation levels vary the statistical accuracy of results.

In other countries, the government, central bank, or bank-centered payments authorities systematically and accurately gather and report fraud data, and then publish such data for all to use as they go about managing their payments portfolios and making investment decisions in technology. Recently, I have engaged in discussions with many payments leaders about the dilemma of not having good data on which to base fraud-mitigation decisions related to growing concerns about the use of chip-and-pin card technology being implemented across the globe versus the magnetic-stripe technology used in the United States.

As a result, U.S. decision makers have to examine instances of card fraud mitigation in the United Kingdom, or the Netherlands, or Brazil, or Canada, and opine on whether these foreign experiences are pertinent to this country. Moreover, while we have seen some results of surveys looking at fraud losses, there is almost no public data with respect to the perhaps more critical factor of the costs of managing fraud.

Is it time to address the issue?
I have heard increasing industry concern about this lack of data, to the point where it may be time to ask how such a limitation can be addressed. My sense is that any voluntary private sector effort will continue to be snubbed by respondents who have neither the time nor the inclination to share data that they fear may be made public at the individual respondent level. Additionally, entities that could conduct such work are not positioned to address fraud across all channels, but are likely to focus on a single channel, such as check or credit card.

Perhaps it is time for the government or collective industry groups to address this shortcoming and organize an effort to design and support an approach to collecting statistically accurate, cross-channel payments fraud data to be publically shared. Metrics stemming from a data-gathering initiative could go a long way toward helping a troubled industry wrestle with the business case behind more aggressive fraud-management efforts.

Photo of Rich OliverBy Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

May 23, 2011 in fraud, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01538ea8aee5970b

Listed below are links to blogs that reference The dilemma of measuring fraud in the U.S. payments system:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


December 2014


Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      

Archives


Categories


Powered by TypePad